esb_prx¶
Presentation¶
esb_prx simulates the behaviour of a PRX device (the receiving side of an Enhanced ShockBurst link). It is a core module of the framework, making it easy to build recurring behaviours quickly during a security audit. If a scenario is provided, the module is launched in "scenario" mode, where events are delivered as callbacks on specific packet types, which allows complex interactions to be implemented. Otherwise, it is launched in "interpreter" mode, which opens a CLI for the user.
Compatible devices¶
Input parameters¶
Name | Default value | Possible values | Description
---|---|---|---
INTERFACE | rfstorm0 | rfstormX | Interface to use
TARGET | | <ESB address> | Target address
SCENARIO | | <scenario> | Scenario to use
Scenario signals¶
The behaviour of this module can be modified using scenarios. If you need more details about Mirage scenarios, their usage is described here. The following signals are generated by this module if a scenario is provided using the SCENARIO input parameter:
Signal | Parameters | Activation | Default behaviour
---|---|---|---
onStart | | when the module starts its execution | nothing is executed
onEnd | | when the module stops its execution | nothing is executed
onKey | key | when a key is pressed | nothing is executed
onIncomingPacket | packet | when an incoming packet is received (from the PTX) | nothing is executed
You can manually stop the module’s execution by calling the method stopScenario:
self.module.stopScenario()
Commands¶
The following commands are available in the CLI interface:
clear : clears the screen
channel : displays the current channel
channel <channel> : moves to the provided channel
scan : calls the esb_scan module to list nearby ESB devices
scan <duration> : calls the esb_scan module for the specified duration to list nearby ESB devices
scan <duration> <start_channel> <end_channel> : calls the esb_scan module for the specified duration on the specified channel range to list nearby ESB devices
address : displays the currently selected address
address <ESB address> : changes the address to the one provided
show : displays the received frames
auto_ack : enables or disables the auto ACK mode
send <payload> : sends an acknowledgement payload to the PTX (if the auto ACK mode is enabled, the frame will be transmitted when a new frame is received)
send <payload1>,<payload2>,… : sends multiple acknowledgement payloads to the PTX (if the auto ACK mode is enabled, the frames will be transmitted when new frames are received)
exit : ends the execution
Usage¶
CLI mode¶
If you want to use this module in CLI mode, just call the module without input parameters:
$ mirage esb_prx
[INFO] Module esb_prx loaded !
[PRX|71]:
You can easily scan for devices using the scan command:
[PRX|47]: scan
┌────────────────┬──────────┬──────────┐
│ Address │ Channels │ Protocol │
├────────────────┼──────────┼──────────┤
│ E8:46:F9:2F:A4 │ 8,14 │ logitech │
└────────────────┴──────────┴──────────┘
[...]
┌────────────────┬───────────────────────────────────────┬──────────┐
│ Address │ Channels │ Protocol │
├────────────────┼───────────────────────────────────────┼──────────┤
│ E8:46:F9:2F:A4 │ 32,65,35,36,69,71,8,74,44,45,14,17,62 │ logitech │
└────────────────┴───────────────────────────────────────┴──────────┘
Then, you can select a specific address using address:
[PRX|98]: address E8:46:F9:2F:A4
[PRX|98|E8:46:F9:2F:A4]:
You can set the channel using the channel command:
[PRX|98|E8:46:F9:2F:A4]: channel 8
[PRX| 8|E8:46:F9:2F:A4]:
You can automatically transmit ACK frames using the auto_ack command:
[PRX| 8|E8:46:F9:2F:A4]: auto_ack
[INFO] Auto ACK enabled !
You can monitor the received frames using the show command:
[PRX| 8|E8:46:F9:2F:A4]: show
[INFO] Received frames: (Ctrl + C to exit)
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
[PACKET] [ CH:8 ] << ESB - Logitech Keepalive Packet (logitech) | address=E8:46:F9:2F:A4 | timeout=85 >>
Finally, you can easily transmit ACK payloads using send:
[PRX| 8|E8:46:F9:2F:A4]: send 0f0f0f
[INFO] The specified ACK payloads will be transmitted automatically when a new frame is received.
Customizing the behaviour using scenarios¶
If you want to use a scenario, you can use the create_scenario command to generate a basic skeleton:
$ mirage --create_scenario
[QUESTION] Scenario's name : esb_prx_test
[SUCCESS] Scenario master_test successfully generated : /home/user/.mirage/scenarios/esb_prx_test.py
[INFO] Mirage process terminated !
Then, you can modify the code as you want.
If you want to use this scenario, just provide its name as the value of the input parameter SCENARIO:
$ sudo mirage esb_prx SCENARIO=esb_prx_test
[INFO] Module esb_prx loaded !
[INFO] Scenario loaded !
[...]
[INFO] Mirage process terminated !
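As an added example of the scenario model described in the "Scenario signals" and "Customizing the behaviour" sections (not code from the Mirage project), the following scenario tallies the frames received from the PTX per address and calls stopScenario once a fixed number of frames has been seen. The import path mirage.core.scenario, the scenario.Scenario base class and the convention that a signal handler returns True are assumptions; the fallback stand-in only lets the file load without Mirage installed.

```python
# Added example, not part of the Mirage project: an esb_prx scenario that
# counts the frames received from the PTX per address and stops the module
# after FRAME_LIMIT frames. The import path and base class are assumed.
try:
    from mirage.core import scenario  # assumed Mirage import path
except ImportError:
    class scenario:  # stand-in so the scenario can be exercised offline
        class Scenario:
            def __init__(self, module=None):
                self.module = module

FRAME_LIMIT = 5  # stop the scenario after this many frames from the PTX


class FrameTally:
    """Mirage-independent bookkeeping: frames per address plus a stop rule."""

    def __init__(self, limit):
        self.limit = limit
        self.total = 0
        self.per_address = {}

    def record(self, address):
        """Count one frame; return True once the limit has been reached."""
        self.total += 1
        self.per_address[address] = self.per_address.get(address, 0) + 1
        return self.total >= self.limit


class esb_prx_test(scenario.Scenario):
    """Named after the file produced by `mirage --create_scenario` above."""

    def onStart(self):
        self.tally = FrameTally(FRAME_LIMIT)
        return True  # assumed: True keeps the module's default behaviour

    def onIncomingPacket(self, packet):
        # `address` is the field shown in the module's packet output; getattr
        # keeps the handler safe for packet types that do not carry it.
        address = getattr(packet, "address", None)
        if self.tally.record(address):
            self.module.stopScenario()  # method documented on this page
        return True

    def onKey(self, key):
        return True

    def onEnd(self):
        return True
```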