mosart_sniff ============= Presentation ------------ **mosart_sniff** passively sniffs Mosart frames. It works with a `RFStorm Device `_, allowing to use the two implemented modes (promiscuous and normal) in order to capture frames. It can also export the sniffed data in a PCAP file (at the path given in the *PCAP_FILE* parameter). You can choose the channel to monitor thanks to the *CHANNEL* parameter. If you don't provide any channel (or set the *CHANNEL* parameter value to "auto"), the module will passively scan the channels in order to find your target. As a result, the module requires you to provide a target address (*TARGET* parameter). If you don't provide any target (or if you provide the value *"FF:FF:FF:FF"*), the module will accept every target. If you want to capture dongle packets, you must set the *DONGLE_PACKETS* parameter to **yes**. This option is disabled by default because the dongle packets are transmitted at an high frequency. There is a possiblity to limit the execution time with the *TIME* parameter (execution duration in seconds). If this parameter is set to an empty string (""), the execution doesn't automatically stop. .. note:: A basic wireshark dissector has been written during the development of this module and can be downloaded `here `_. Compatible devices ------------------ * `RFStorm Device `_ * `PCAP Files `_ Input parameters ----------------- +----------------------------------------+---------------------------------------+-------------------------------------------------------------+-------------------------------------------------------------------------------------------+ | Name | Default value | Possible values | Description | +========================================+=======================================+=============================================================+===========================================================================================+ | INTERFACE | rfstorm0 | rfstormX | Interface to use | +----------------------------------------+---------------------------------------+-------------------------------------------------------------+-------------------------------------------------------------------------------------------+ | TARGET | | | Address of the target device | +----------------------------------------+---------------------------------------+-------------------------------------------------------------+-------------------------------------------------------------------------------------------+ | CHANNEL | auto | auto\| | Selected channel | +----------------------------------------+---------------------------------------+-------------------------------------------------------------+-------------------------------------------------------------------------------------------+ | LOCALE | fr | | Locale in use | +----------------------------------------+---------------------------------------+-------------------------------------------------------------+-------------------------------------------------------------------------------------------+ | TIME | 10 | | Execution duration | +----------------------------------------+---------------------------------------+-------------------------------------------------------------+-------------------------------------------------------------------------------------------+ | TEXT_FILE | | | Collected keystrokes export file | +----------------------------------------+---------------------------------------+-------------------------------------------------------------+-------------------------------------------------------------------------------------------+ Output parameters ------------------ +----------------------------------------+-------------------------------------------------------------+----------------------------------------------------------------------+ | Name | Possible values | Description | +========================================+=============================================================+======================================================================+ | TARGET | | Mosart address of the target | +----------------------------------------+-------------------------------------------------------------+----------------------------------------------------------------------+ | MOUSE_FILE | | Mouse movement export file | +----------------------------------------+-------------------------------------------------------------+----------------------------------------------------------------------+ | PCAP_FILE | | PCAP export file | +----------------------------------------+-------------------------------------------------------------+----------------------------------------------------------------------+ | CHANNEL | | Last channel used by the target | +----------------------------------------+-------------------------------------------------------------+----------------------------------------------------------------------+ Usage ------ Basic Usage ^^^^^^^^^^^^ If you want to sniff a specific target, you have to provide the *TARGET* parameter : :: $ mirage mosart_sniff TARGET=F4:82:F7:16 [INFO] Module mosart_sniff loaded ! [SUCCESS] Channel found: 20 [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f716460607060684b4a5 | x1=6 | y1=7 | x2=6 | y2=6 >> [PACKET] [ CH:20 ] << Mosart - Unknown Packet | address=F4:82:F7:16 | payload=f0f0f482f71680c8b4f843a5 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164d00ff000071ffa5 | x1=0 | y1=-1 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71647fcfcfdfddf6ba5 | x1=-4 | y1=-4 | x2=-3 | y2=-3 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164ff9fff8ff5053a5 | x1=-7 | y1=-1 | x2=-8 | y2=-1 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71649f408f5083528a5 | x1=-12 | y1=8 | x2=-11 | y2=8 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164302050305d4fca5 | x1=2 | y1=5 | x2=3 | y2=5 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164b01000000238ba5 | x1=1 | y1=0 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164d01000000a646a5 | x1=1 | y1=0 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e0100000074a8a5 | x1=1 | y1=0 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164200ff0000889aa5 | x1=0 | y1=-1 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164600ff00008e13a5 | x1=0 | y1=-1 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164700ff0000dfb9a5 | x1=0 | y1=-1 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart | address=F4:82:F7:16 | payload=f0f0f482f7167a81a08a82a5 | button = left | state = pressed >> [PACKET] [ CH:20 ] << Mosart | address=F4:82:F7:16 | payload=f0f0f482f7167e01a0d245a5 | button = left | state = released >> [PACKET] [ CH:20 ] << Mosart | address=F4:82:F7:16 | payload=f0f0f482f7167f81a07a69a5 | button = left | state = pressed >> [...] If you don't know what is your target address, uses the following value as *TARGET* : :: $ mirage mosart_sniff TARGET=FF:FF:FF:FF [INFO] Module mosart_sniff loaded ! [SUCCESS] Channel found: 20 [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e1e002200b907a5 | x1=30 | y1=0 | x2=34 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f716421cfe1dfdb0b2a5 | x1=28 | y1=-2 | x2=29 | y2=-3 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164ade04e00548c1a5 | x1=-34 | y1=4 | x2=-32 | y2=5 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164cf80301018dfaa5 | x1=-8 | y1=3 | x2=1 | y2=1 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71645fc00fb007b2da5 | x1=-4 | y1=0 | x2=-5 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164c020100001b40a5 | x1=2 | y1=1 | x2=0 | y2=0 >> [...] You can select a specific channel to monitor thanks to the *CHANNEL* parameter : :: $ mirage mosart_sniff CHANNEL=20 TARGET=F4:82:F7:16 [INFO] Module mosart_sniff loaded ! [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164c00000000439aa5 | x1=0 | y1=0 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart | address=F4:82:F7:16 | payload=f0f0f482f7167381a01b1ca5 | button = left | state = pressed >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164502fc00006449a5 | x1=2 | y1=-4 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164df7f3f8f6c151a5 | x1=-9 | y1=-13 | x2=-8 | y2=-10 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71647f4fff7ffc578a5 | x1=-12 | y1=-1 | x2=-9 | y2=-1 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164ffa09fa0aa640a5 | x1=-6 | y1=9 | x2=-6 | y2=10 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f716490003000044e0a5 | x1=0 | y1=3 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164a03040000da10a5 | x1=3 | y1=4 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164b0405030287a9a5 | x1=4 | y1=5 | x2=3 | y2=2 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f716450a0208021f9da5 | x1=10 | y1=2 | x2=8 | y2=2 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164d0bfa0bfa3198a5 | x1=11 | y1=-6 | x2=11 | y2=-6 >> [...] You can also ask to capture dongle packets by setting the *DONGLE_PACKETS* parameter to **yes**: :: $ mirage mosart_sniff CHANNEL=20 TARGET=F4:82:F7:16 DONGLE_PACKETS=yes [INFO] Module mosart_sniff loaded ! [PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >> [PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >> [PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >> [PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >> [PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >> [PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >> [PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >> [PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >> [PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >> [PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >> [...] If you want to export the collected data to a PCAP file, uses the following command: :: $ mirage mosart_sniff CHANNEL=20 TARGET=F4:82:F7:16 PCAP_FILE=/tmp/mosart_out.pcap [INFO] Module mosart_sniff loaded ! [SUCCESS] PCAP file successfully loaded (DLT : 149) ! [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164f00030004456da5 | x1=0 | y1=3 | x2=0 | y2=4 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71649050405030716a5 | x1=5 | y1=4 | x2=5 | y2=3 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71643080002001b1ca5 | x1=8 | y1=0 | x2=2 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164a04fd04fc63dea5 | x1=4 | y1=-3 | x2=4 | y2=-4 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164406fe07ffc3c0a5 | x1=6 | y1=-2 | x2=7 | y2=-1 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164c030000009f01a5 | x1=3 | y1=0 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71646050303042f2ca5 | x1=5 | y1=3 | x2=3 | y2=4 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e02020001e94da5 | x1=2 | y1=2 | x2=0 | y2=1 >> [PACKET] [ CH:20 ] << Mosart - Unknown Packet | address=F4:82:F7:16 | payload=f0f0f482f71680c8b4f843a5 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71646020000008531a5 | x1=2 | y1=0 | x2=0 | y2=0 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e05fb05fc40a0a5 | x1=5 | y1=-5 | x2=5 | y2=-4 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164805fe06ff05e3a5 | x1=5 | y1=-2 | x2=6 | y2=-1 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f716420301020306afa5 | x1=3 | y1=1 | x2=2 | y2=3 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164a030402051d26a5 | x1=3 | y1=4 | x2=2 | y2=5 >> [PACKET] [ CH:20 ] << Mosart - Unknown Packet | address=F4:82:F7:16 | payload=f0f0f482f71680c8b4f843a5 >> [...] Performing a replay attack ^^^^^^^^^^^^^^^^^^^^^^^^^^^ This module can be combined with `mosart_inject `_ in order to perform a replay attack: :: $ sudo mirage "mosart_sniff|mosart_inject" mosart_sniff1.CHANNEL=20 mosart_sniff1.TARGET=F4:82:F7:16 mosart_sniff1.PCAP_FILE=/tmp/replaymosart.pcap mosart_sniff1.TIME=5 [INFO] Module mosart_sniff loaded ! [INFO] Module mosart_inject loaded ! [SUCCESS] PCAP file successfully loaded (DLT : 149) ! [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164cf9fff9ffb38ea5 | x1=-7 | y1=-1 | x2=-7 | y2=-1 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71646f802f704d162a5 | x1=-8 | y1=2 | x2=-9 | y2=4 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164eff03ff04488fa5 | x1=-1 | y1=3 | x2=-1 | y2=4 >> [...] [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e03fb02fd6f0ea5 | x1=3 | y1=-5 | x2=2 | y2=-3 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164801fa01fa063ca5 | x1=1 | y1=-6 | x2=1 | y2=-6 >> [INFO] Extracting packet stream from PCAP ... [SUCCESS] PCAP file successfully loaded (DLT : 149) ! [SUCCESS] Packet stream successfully extracted ! [INFO] Injecting ... [SUCCESS] Injection done ! [INFO] Mirage process terminated ! Capturing and displaying the mouse movements ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This module can be combined with `mouse_visualizer `_ in order to generate an animated GIF displaying the mouse movement: :: $ mirage "mosart_sniff|mouse_visualizer" mosart_sniff1.CHANNEL=20 mosart_sniff1.TARGET=F4:82:F7:16 mosart_sniff1.MOUSE_FILE=/tmp/mosart.cfg mosart_sniff1.TIME=5 mouse_visualizer2.GIF_FILE=/tmp/mosart.gif [INFO] Module mosart_sniff loaded ! [INFO] Module mouse_visualizer loaded ! [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164cf9fff9ffb38ea5 | x1=-7 | y1=-1 | x2=-7 | y2=-1 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71646f802f704d162a5 | x1=-8 | y1=2 | x2=-9 | y2=4 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164eff03ff04488fa5 | x1=-1 | y1=3 | x2=-1 | y2=4 >> [...] [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e03fb02fd6f0ea5 | x1=3 | y1=-5 | x2=2 | y2=-3 >> [PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164801fa01fa063ca5 | x1=1 | y1=-6 | x2=1 | y2=-6 >> [SUCCESS] Sniffed mice datas are saved as /tmp/mosart.cfg (CFG file format) [INFO] Importing mice datas from /tmp/mosart.cfg ... [INFO] Mirage process terminated ! It produces a GIF animated file similar to the following one: .. image:: mousevisualizer_example.gif