MouseJack and the Crazy Radio 2 are a key combination for testing keyboard and mouse vulnerabilities in products from most common manufacturers. Bastille found several kinds of vulnerabilities in these wireless devices, which make it possible to execute different types of attacks.

Type of Attacks

  • Keystroke Injection
  • Force Pairing
  • Fake Mouse
  • Denial-of-Service

Manufacturers Affected

  • Amazon Basics Keyboards
  • Microsoft Keyboards
  • Dell
  • Lenovo
  • Contact Me on Discord for More

Hardware

  • CrazyRadio USB Dongle
  • CrazyRadio Firmware
  • nRF24LU1+ Chips

Crazy Radio: Keyboards and Mice under Attack

Flashing the USB Dongle to support promiscuous mode

First we will replace the stock crazyradio-firmware on our device with one that allows us to sniff and inject keystrokes into keyboard devices. The nrf-research-firmware is courtesy of Bastille Research and puts the USB dongle into promiscuous mode.

Install Dependencies

We need a few packages in order to use the USB dongle effectively.

sudo apt-get install sdcc binutils python python-pip git

Install Pip

Pip is the package manager for the Python language; it is necessary in order to install and manage all the dependencies related to the USB stack.

sudo pip install -U pip

Install PyUSB

Here we need to pay attention to the pyusb version used, because some versions are incompatible with most of the attack tools.

sudo pip install -U -I pyusb

Install Platformio

sudo pip install -U platformio

How to Install MouseJack

MouseJack is a pack of research tools written in Python by Bastille to exercise the USB dongle's functionality: it is possible to flash the firmware, sniff raw data, or even transmit raw tones. First we will flash our USB dongle and test whether it is ready to sniff data.


MouseJack is available on GitHub.

Clone The Repo

kali@rpi3:~$ git clone https://github.com/Offensive-Wireless/mousejack.git
kali@rpi3:~$ cd mousejack
kali@rpi3:~/mousejack$ git submodule init
kali@rpi3:~/mousejack$ git submodule update

Flash Radio Dongle

Now let's compile the research firmware and replace the CrazyRadio firmware with the new one.

Dongles and breakout boards can be programmed over USB if they are running one of the following firmwares:

  • Nordic Semiconductor Bootloader
  • CrazyRadio Firmware
  • RFStorm Research Firmware

Build the firmware from the submodule directory:

kali@rpi3:~/mousejack$ cd nrf-research-firmware
kali@rpi3:~/mousejack/nrf-research-firmware$ make

Flash the firmware over USB

kali@rpi3:~/mousejack/nrf-research-firmware$ sudo make install

NRF24 Scanner

usage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)
  -p PREFIX, --prefix PREFIX          Promiscuous mode address prefix
  -d DWELL, --dwell DWELL             Dwell time per channel, in milliseconds
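The scanner above prints one line per captured frame, so the natural next step for a defender is to turn that stream into an inventory of which 5-byte nRF24 addresses are transmitting on which channels, and to flag any address that is not one of your own known dongles. The following is an added example, not part of this post or of the MouseJack toolkit; the sample lines are constructed, and the assumed column layout (timestamp, channel, address, payload hex) is an assumption about nrf24-scanner.py's verbose output that you should check against a real run before relying on the regex.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of nrf24-scanner.py -v output
# (timestamp, RF channel, 5-byte address, payload as hex). The exact
# column layout is an assumption for this example, not a real capture.
SAMPLE_OUTPUT = """\
[2024-05-01 10:00:01.123]  25  E4:ED:A2:CA:F3  00:C2:00:00:00:00:00:00:3E
[2024-05-01 10:00:01.456]  25  E4:ED:A2:CA:F3  00:C2:00:00:00:00:00:00:3E
[2024-05-01 10:00:02.789]  41  A5:B1:7C:09:DE  00:4F:00:00:02:00:00:00:AF
[2024-05-01 10:00:03.001]  62  E4:ED:A2:CA:F3  00:C2:00:00:00:00:00:00:3E
not a scanner line
"""

# One frame per line: [timestamp]  channel  AA:BB:CC:DD:EE  payload-hex
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+"
    r"(?P<ch>\d{1,3})\s+"
    r"(?P<addr>(?:[0-9A-Fa-f]{2}:){4}[0-9A-Fa-f]{2})\s+"
    r"(?P<payload>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)\s*$"
)

# The RF_CH register on nRF24L01+/nRF24LU1+ parts accepts channels 0..125.
NRF24_MAX_CHANNEL = 125


def parse_scanner_output(text):
    """Return one record per well-formed line; noise and bad channels are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        channel = int(m.group("ch"))
        if channel > NRF24_MAX_CHANNEL:
            continue
        records.append({
            "timestamp": m.group("ts"),
            "channel": channel,
            "address": m.group("addr").upper(),
            "payload": bytes.fromhex(m.group("payload").replace(":", "")),
        })
    return records


def build_inventory(records):
    """Group frames by transmitter address: channels seen, frame count, payload sizes."""
    inv = defaultdict(lambda: {"channels": set(), "frames": 0, "payload_lengths": set()})
    for r in records:
        entry = inv[r["address"]]
        entry["channels"].add(r["channel"])
        entry["frames"] += 1
        entry["payload_lengths"].add(len(r["payload"]))
    return dict(inv)


def flag_unknown(inventory, known_addresses):
    """Addresses in the inventory that are not on the allow list of your own dongles."""
    known = {a.upper() for a in known_addresses}
    return sorted(addr for addr in inventory if addr not in known)


if __name__ == "__main__":
    inventory = build_inventory(parse_scanner_output(SAMPLE_OUTPUT))
    for addr, entry in sorted(inventory.items()):
        print(f"{addr}  frames={entry['frames']}  channels={sorted(entry['channels'])}")
    # Allow list is a constructed placeholder; replace with your inventoried dongles.
    print("unknown transmitters:", flag_unknown(inventory, ["E4:ED:A2:CA:F3"]))
```

Run the scanner with -v, pipe its output to a file, and feed that file to parse_scanner_output; an address that appears on several channels is normal (these devices hop), but an address missing from your allow list is worth tracing to a physical device.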

NRF24 Sniffer

usage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES]

optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA 
  -a ADDRESS, --address ADDRESS              Address to sniff, following as it changes channels
  -t TIMEOUT, --timeout TIMEOUT              Channel timeout, in milliseconds
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]

NRF24 Network Mapper

usage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]

optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA 
  -a ADDRESS, --address ADDRESS              Known address
  -p PASSES, --passes PASSES                 Number of passes (default 2)
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]

NRF24 Continuous Tone Test

usage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA 

How to Install JackIt

kali@rpi3:~$ git clone https://github.com/Offensive-Wireless/jackit.git
kali@rpi3:~$ cd jackit
kali@rpi3:~/jackit$ sudo pip install -e .

Sniff Wireless Keyboards using JackIt

kali@rpi3:~$ sudo jackit

CVEs List

MouseJack Announced by Bastille in 2016
