mosart_sniff

Presentation

mosart_sniff passively sniffs Mosart frames. It works with a RFStorm Device, allowing to use the two implemented modes (promiscuous and normal) in order to capture frames. It can also export the sniffed data in a PCAP file (at the path given in the PCAP_FILE parameter).

You can choose the channel to monitor thanks to the CHANNEL parameter. If you don’t provide any channel (or set the CHANNEL parameter value to “auto”), the module will passively scan the channels in order to find your target. As a result, the module requires you to provide a target address (TARGET parameter). If you don’t provide any target (or if you provide the value “FF:FF:FF:FF”), the module will accept every target.

If you want to capture dongle packets, you must set the DONGLE_PACKETS parameter to yes. This option is disabled by default because the dongle packets are transmitted at an high frequency.

There is a possiblity to limit the execution time with the TIME parameter (execution duration in seconds). If this parameter is set to an empty string (“”), the execution doesn’t automatically stop.

Note

A basic wireshark dissector has been written during the development of this module and can be downloaded here.

Compatible devices

Input parameters

Name

Default value

Possible values

Description

INTERFACE

rfstorm0

rfstormX

Interface to use

TARGET

<Mosart adress>

Address of the target device

CHANNEL

auto

auto|<integer>

Selected channel

LOCALE

fr

<language>

Locale in use

TIME

10

<integer>

Execution duration

TEXT_FILE

<file path>

Collected keystrokes export file

Output parameters

Name

Possible values

Description

TARGET

<Mosart address>

Mosart address of the target

MOUSE_FILE

<file path>

Mouse movement export file

PCAP_FILE

<file path>

PCAP export file

CHANNEL

<integer>

Last channel used by the target

Usage

Basic Usage

If you want to sniff a specific target, you have to provide the TARGET parameter :

$ mirage mosart_sniff TARGET=F4:82:F7:16
[INFO] Module mosart_sniff loaded !
[SUCCESS] Channel found: 20
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f716460607060684b4a5 | x1=6 | y1=7 | x2=6 | y2=6 >>
[PACKET] [ CH:20 ] << Mosart - Unknown Packet | address=F4:82:F7:16 | payload=f0f0f482f71680c8b4f843a5 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164d00ff000071ffa5 | x1=0 | y1=-1 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71647fcfcfdfddf6ba5 | x1=-4 | y1=-4 | x2=-3 | y2=-3 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164ff9fff8ff5053a5 | x1=-7 | y1=-1 | x2=-8 | y2=-1 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71649f408f5083528a5 | x1=-12 | y1=8 | x2=-11 | y2=8 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164302050305d4fca5 | x1=2 | y1=5 | x2=3 | y2=5 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164b01000000238ba5 | x1=1 | y1=0 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164d01000000a646a5 | x1=1 | y1=0 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e0100000074a8a5 | x1=1 | y1=0 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164200ff0000889aa5 | x1=0 | y1=-1 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164600ff00008e13a5 | x1=0 | y1=-1 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164700ff0000dfb9a5 | x1=0 | y1=-1 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart <Mouse Click Packet> | address=F4:82:F7:16 | payload=f0f0f482f7167a81a08a82a5 | button = left | state = pressed >>
[PACKET] [ CH:20 ] << Mosart <Mouse Click Packet> | address=F4:82:F7:16 | payload=f0f0f482f7167e01a0d245a5 | button = left | state = released >>
[PACKET] [ CH:20 ] << Mosart <Mouse Click Packet> | address=F4:82:F7:16 | payload=f0f0f482f7167f81a07a69a5 | button = left | state = pressed >>
[...]

If you don’t know what is your target address, uses the following value as TARGET :

$ mirage mosart_sniff TARGET=FF:FF:FF:FF
[INFO] Module mosart_sniff loaded !
[SUCCESS] Channel found: 20
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e1e002200b907a5 | x1=30 | y1=0 | x2=34 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f716421cfe1dfdb0b2a5 | x1=28 | y1=-2 | x2=29 | y2=-3 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164ade04e00548c1a5 | x1=-34 | y1=4 | x2=-32 | y2=5 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164cf80301018dfaa5 | x1=-8 | y1=3 | x2=1 | y2=1 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71645fc00fb007b2da5 | x1=-4 | y1=0 | x2=-5 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164c020100001b40a5 | x1=2 | y1=1 | x2=0 | y2=0 >>
[...]

You can select a specific channel to monitor thanks to the CHANNEL parameter :

$ mirage mosart_sniff CHANNEL=20 TARGET=F4:82:F7:16
[INFO] Module mosart_sniff loaded !
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164c00000000439aa5 | x1=0 | y1=0 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart <Mouse Click Packet> | address=F4:82:F7:16 | payload=f0f0f482f7167381a01b1ca5 | button = left | state = pressed >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164502fc00006449a5 | x1=2 | y1=-4 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164df7f3f8f6c151a5 | x1=-9 | y1=-13 | x2=-8 | y2=-10 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71647f4fff7ffc578a5 | x1=-12 | y1=-1 | x2=-9 | y2=-1 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164ffa09fa0aa640a5 | x1=-6 | y1=9 | x2=-6 | y2=10 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f716490003000044e0a5 | x1=0 | y1=3 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164a03040000da10a5 | x1=3 | y1=4 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164b0405030287a9a5 | x1=4 | y1=5 | x2=3 | y2=2 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f716450a0208021f9da5 | x1=10 | y1=2 | x2=8 | y2=2 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164d0bfa0bfa3198a5 | x1=11 | y1=-6 | x2=11 | y2=-6 >>
[...]

You can also ask to capture dongle packets by setting the DONGLE_PACKETS parameter to yes:

$ mirage mosart_sniff CHANNEL=20 TARGET=F4:82:F7:16 DONGLE_PACKETS=yes
[INFO] Module mosart_sniff loaded !
[PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >>
[PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >>
[PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >>
[PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >>
[PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >>
[PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >>
[PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >>
[PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >>
[PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >>
[PACKET] [ CH:20 ] << Mosart - Dongle Packet | address=F4:82:F7:16 | payload=f0f0f482f716112261a5 >>
[...]

If you want to export the collected data to a PCAP file, uses the following command:

$ mirage mosart_sniff CHANNEL=20 TARGET=F4:82:F7:16 PCAP_FILE=/tmp/mosart_out.pcap
[INFO] Module mosart_sniff loaded !
[SUCCESS] PCAP file successfully loaded (DLT : 149) !
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164f00030004456da5 | x1=0 | y1=3 | x2=0 | y2=4 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71649050405030716a5 | x1=5 | y1=4 | x2=5 | y2=3 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71643080002001b1ca5 | x1=8 | y1=0 | x2=2 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164a04fd04fc63dea5 | x1=4 | y1=-3 | x2=4 | y2=-4 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164406fe07ffc3c0a5 | x1=6 | y1=-2 | x2=7 | y2=-1 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164c030000009f01a5 | x1=3 | y1=0 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71646050303042f2ca5 | x1=5 | y1=3 | x2=3 | y2=4 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e02020001e94da5 | x1=2 | y1=2 | x2=0 | y2=1 >>
[PACKET] [ CH:20 ] << Mosart - Unknown Packet | address=F4:82:F7:16 | payload=f0f0f482f71680c8b4f843a5 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71646020000008531a5 | x1=2 | y1=0 | x2=0 | y2=0 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e05fb05fc40a0a5 | x1=5 | y1=-5 | x2=5 | y2=-4 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164805fe06ff05e3a5 | x1=5 | y1=-2 | x2=6 | y2=-1 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f716420301020306afa5 | x1=3 | y1=1 | x2=2 | y2=3 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164a030402051d26a5 | x1=3 | y1=4 | x2=2 | y2=5 >>
[PACKET] [ CH:20 ] << Mosart - Unknown Packet | address=F4:82:F7:16 | payload=f0f0f482f71680c8b4f843a5 >>
[...]

Performing a replay attack

This module can be combined with mosart_inject in order to perform a replay attack:

$ sudo mirage "mosart_sniff|mosart_inject" mosart_sniff1.CHANNEL=20 mosart_sniff1.TARGET=F4:82:F7:16 mosart_sniff1.PCAP_FILE=/tmp/replaymosart.pcap mosart_sniff1.TIME=5
[INFO] Module mosart_sniff loaded !
[INFO] Module mosart_inject loaded !
[SUCCESS] PCAP file successfully loaded (DLT : 149) !
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164cf9fff9ffb38ea5 | x1=-7 | y1=-1 | x2=-7 | y2=-1 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71646f802f704d162a5 | x1=-8 | y1=2 | x2=-9 | y2=4 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164eff03ff04488fa5 | x1=-1 | y1=3 | x2=-1 | y2=4 >>
[...]
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e03fb02fd6f0ea5 | x1=3 | y1=-5 | x2=2 | y2=-3 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164801fa01fa063ca5 | x1=1 | y1=-6 | x2=1 | y2=-6 >>
[INFO] Extracting packet stream from PCAP ...
[SUCCESS] PCAP file successfully loaded (DLT : 149) !
[SUCCESS] Packet stream successfully extracted !
[INFO] Injecting ...
[SUCCESS] Injection done !
[INFO] Mirage process terminated !

Capturing and displaying the mouse movements

This module can be combined with mouse_visualizer in order to generate an animated GIF displaying the mouse movement:

$ mirage "mosart_sniff|mouse_visualizer" mosart_sniff1.CHANNEL=20 mosart_sniff1.TARGET=F4:82:F7:16 mosart_sniff1.MOUSE_FILE=/tmp/mosart.cfg mosart_sniff1.TIME=5 mouse_visualizer2.GIF_FILE=/tmp/mosart.gif
[INFO] Module mosart_sniff loaded !
[INFO] Module mouse_visualizer loaded !
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164cf9fff9ffb38ea5 | x1=-7 | y1=-1 | x2=-7 | y2=-1 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f71646f802f704d162a5 | x1=-8 | y1=2 | x2=-9 | y2=4 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164eff03ff04488fa5 | x1=-1 | y1=3 | x2=-1 | y2=4 >>
[...]
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164e03fb02fd6f0ea5 | x1=3 | y1=-5 | x2=2 | y2=-3 >>
[PACKET] [ CH:20 ] << Mosart - Mouse Movement Packet | address=F4:82:F7:16 | payload=f0f0f482f7164801fa01fa063ca5 | x1=1 | y1=-6 | x2=1 | y2=-6 >>
[SUCCESS] Sniffed mice datas are saved as /tmp/mosart.cfg (CFG file format)
[INFO] Importing mice datas from /tmp/mosart.cfg ...
[INFO] Mirage process terminated !

It produces a GIF animated file similar to the following one:

_images/mousevisualizer_example.gif