insecurityofthings / jackit Goto Github PK

I want to prefix this by stating I'm not a Python programmer or jackit expert. However, it appears to me that if pings fail to the radio I'm noticing that jackit does not run on "all channels" in an attempt to "hail mary".

In my amateur attempt to fix this I added the code below.
# for channel in channels:
for channel in range(2,84):
I used the range of (2,84) which I pulled from the mousejack.py file.

I may be missing something here. Please let me know.

It has got to be something simple...works fine with mousejack - flashed a nRF24LU1+

getting - can't find 'main' module in 'jackit'

any thoughts?

I'm gonna buy a mousejack vulnerable wireless keyboard/mouse for testing purposes, so that I can practice attacking it, but I'm not sure which one I should buy. I know there are lists out there of vulnerable keyboards, but I'm looking for what's the best option of those listed keyboards to buy for testing.

Does anyone have a recommendation as to which vulnerable keyboard/mouse to buy?

Also, if I happened to buy one and it comes with an updated firmware that's already patched, can it be downgraded back to a vulnerable state?

It is not clear how the keylogging should work. I have successfully injected keystrokes using a payload. But shouldn't I be able to attack a system via Keylogging with or without injecting anything? Just capture the keystrokes.
POC. Send keystrokes to lock the system then keylog the user entering credentials.

Hi, thank you for your fantastic script

I've some problem regarding on title.
For example ,when write a string "(8080)" into duck script and inject keystroke to vulnerable mouse, the string will be "(808)" which is unexpected result (my workaround solution is store set of problem string into variable)

I tried jackit with a flashed Unifying adapter and with an selfmade USB-AVR-NRF24L01+ adapter.
In both cases I cannot inject keystrokes. Ping and sending packets works but the target Linux-PC doesn't receive any keystrokes.

Logitech M510 firmware 062.000.00013
Adapter C-U0008 version RQR24.01_B0023 / 024.001.00023

Traceback (most recent call last):
File "/usr/local/bin/jackit", line 252, in
cli()
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 700, in call
return self.main(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 680, in main
rv = self.invoke(ctx)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 873, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 508, in invoke
return callback(*args, **kwargs)
File "/usr/local/bin/jackit", line 182, in cli
raise e
usb.core.USBError: [Errno 110] Operation timed out

I'm sure this isn't the right forum to contact you guys, but I couldn't find any other way. I've been playing around with jackit, and have a few questions. If I want to contact you guys and get on board, what is the best way to do that? I'm new to github in general so forgive me :)

I was able to grab some of the devices that Bastille lists as vulnerable on their website. Currently, I have:

• Lenovo 500
• Microsoft Wireless Mouse 4000
• Amazon Wireless Mouse mg-975
• Logitech G900

Thanks,

Logitech dongles support bidirectional communication. We should add the ability to exfiltrate data through the dongle, and a reverse shell using NRF24 comms only.

Hello :)
I have Kali 2016.2 on my netbook and when i wakeup from standby and run a injection it works most of the time.
But after the first injection i get nearly everytime a ping failed :(
Then i close the netbook, wait some seconds and open it again, login and run injection again, then it works like before.
Any idea?
Maybe there is something in the ram which is cleaned when it goes to standby?
Unplug and replugging the crazy stick does not solve the problem. Only a "go to standby and wakeup again".

I tested with Logitech K400r and MK260, both worked first time perfect and then only after the standby method.

Edit:
Ok forget that.
When i constantly move the mouse on the target, every injection fully works.
When i dont move the move the mouse constantly only the first part of the ducky script is transmitted or nothing.
Maybe its a timeout of the connection or something like that.

Allow logging of detected devices, and attacked devices to a file.

Hi,

Please see the error below. i followed your guide but this is the error i receive

$sudo jackit
Traceback (most recent call last):
File "/usr/local/bin/jackit", line 6, in
exec(compile(open(file).read(), file, 'exec'))
File "/opt/jackit/bin/jackit", line 14, in
from jackit import mousejack
File "/usr/local/lib/python2.7/dist-packages/jackit/mousejack.py", line 5, in
from jackit.lib import nrf24, nrf24_reset
ImportError: No module named lib

I can't send a CTRL+ALT+DEL. Is this not supported?

There is no keymapping for Numpad1, Numpad2, Numpad3 etc.
So it is impossible to load code, where this symbols included. Add to keymap or explain how to run it please

I'm using a ducky script that involves the use of TAB and F6 keys. The jackit script is unable to process those lines. Any fixes?

CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... F6
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... F6
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB
CAN'T PROCESS... TAB

I'm trying to run the basic script that opens up notepad and writes "test complete" (instead of hello world or whatever the default is). As far as I can tell things are working, because my terminal output says that it is finding the device, sending the attacks over the correct channel, and then says attacks are completed. But when I check the target machine (a windows 7 box), notepad isn't open and I don't see signs that anything happened. Any guesses as to what is going wrong? Or steps I should take to troubleshoot?

Could someone please clarify what's up with the G700s? It is listed as tested device in the readme. Was it tested positive or negative? Afaik there is no firmware update for the G700's dongle as there is for the other affected Logitech mice, right? It is not using the universal receiver.

The code is currently more of a PoC. We need to improve radio transmission reliability. We should tune various radio and timing parameters based on testing.

I'm not sure why, but JackIt is not working on Kali Nethunter on my Nexus 5. I've followed all the same steps to setup and install everything that I did on my Linux laptop (JackIt works fine on there), but on Nethunter it just says cannot find Crazy PA USB dongle.

Channel scanning would go a lot better if there were multiple adapters allowed. Add code to divide the scanning between them.

Support for the Logitech Unifying dongle as per https://github.com/BastilleResearch/mousejack#flash-a-logitech-unifying-dongle

Hi,
After pip install -e .
user should also run python setup.py install before executing sudo ./jackit.

I am not sure how to submit an updated README.md so it goes here as an issue.

I'd really like to simply send the key-down key-up of the shift key once, however, no matter what I try, the pydecoder will not accept it

if I try

GUI

or

SHIFT

or

CTRL

nothing happens, but if I pair them with a key, it works. unfortunately, SHIFT CTRL fails the same way.

Could you add funtionality so that you could press/depress GUI, CTRL, SHIFT etc. ?

Br,
Martin

DOWNARROW and REPEAT are not recognized.

I have jackit running fine on my laptop but i thought i'd see if it was possible to get it up and running on a WiFi Pineapple Nano.

I've installed all of the correct dependencies on the Nano:

• click
• pyusb
• six
• tabulate

I've confirmed the Nano recognises the Crazy PA:

lsusb
Bus 001 Device 005: ID 1915:0102 Nordic Semiconductor ASA 

I've installed jackit correctly but when i attempt to run jackit, i receive the following:

[!] Cannot find Crazy PA USB dongle.
[!] Please make sure you have it preloaded with the mousejack firmware.

Is there anything that i'm missing?

Hi guys ， i have a problem with jackit on nethunter.
Make sure i plug my Crazyradio PA in my nethunter use a usb dongle, and i install jackit on my nethunter , but when i run jackit , it report

Cannot find CrazyPA USB Dongle,Please make sure you have it preloaded with the mousejack firmware

(my nethunter phone is oneplus one, i flash offical nethunter kernel and chroot already, and i make sure my Crazy PA has been flash mousejack firmware ),

I have an issue and not sure if it's hardware related or a matter of that the keyboard I use is not vulnerable any more/fixed. The whole process of installing the mousejack firmware and using jackit, seems to run perfectly but there is no result on my target machine, I use a Microsoft wireless desktop set (both mouse and keyboard set), as far as I can read this should not be patched by the Windows update. Since everything looks like it should be working ok, I would say ok the keyboard must have been fixed, the only thing is that I bought the hardware via eBay from Ching for about usd 8. That is ofcource not a genuine crazyradio pa. so is that likely to be the problem? Maybe my crazyradio is not working? But jacket reports ping successful, so something must be transmitted from my crazyradio pa. what would your suggestion be? Find a different keyboard or buy a proper crazyradio? Or is mouse jack more or less dead?

Btw the keyboard is this
https://www.amazon.co.uk/Microsoft-Wireless-Desktop-Keyboard-Layout/dp/B0055JDLVG
And is a blue box saying it used a secured data connection, I can see there is an older version in a red box. Have Microsoft updated the hardware?

Hi this is not an issue

I was wondering if anyone have an hex for an old vunerable firware.. all i can find is the 028 version and its path.

Thanks

Check the list of keywords, and that we parse them correctly. To increase overall ducky script like syntax support.

how to solve?

I am experimenting with the Mousejack / jackit attack. I have a crazyradio that I have upgraded the firmware on successfully. When I start jackit.py I can see the nearby dongles, but when I try to inject keystrokes it always says Target is not injectible. I have tried several dongles and the latest attempt was on an Amazon Basics mouse that is on the affected devices list for the mousejack vulernability.

All of that boils down to my question, can I take that error face value or am I not doing something right?

Hi,

Can you also include other Mouse Types here. Currently it only covers logitech and microsoft. Dell would be a nice one to have.

Hello,

I've been testing the vulnerability on the keyboard but I'd like to know wich vendor you used to test this.
Is there something you forgot to upload?

Thank you!

Hi. The Injection works now perfect for Microsoft products. But with Logitech products, an injection of 3k keys does miss a few characters (on random positions). Is it possible to improve the code for Logitech products? Thanks R8o

We are utilizing this process to identify afflicted devices in our environment of around 100 users. I have successfully used JackIt to identify a significant number of vulnerable devices, but cannot track the device back to a specific end user. I have been injecting a text doc that asks the user to call support, but as you may imagine, not all users respond. I have scoured the device manager of a known vulnerable device and turned up nothing that corresponds to the data captured by JackIt. Does the address captured in the data displayed correspond to an identifier in Windows somewhere? Any other suggestions or assistance anyone can offer would be greatly appreciated!

I'm using a crazyradio and have it configured based on instructions. I can see the devices show up in the list and their associated addresses/packet/channels/etc but when I hit Ctrl-C and start the injection(s) (testing against MS and Logitech) I receive a lot of "Ping failed" on the Logitech's. I have a co-worker that is telling me that it worked for him on the same Logitech product.

In debug, when the injection occurs I get a "Sending attack to xx:xx:xx:xx:xx:xx [Logitech HID] on channel xx" (K270) and "Sending: xx:xx:xx:xx:xx" or "Ping failed, trying all channels". Even though it looks like it should be successful nothing happens on the target machine.

I've recompiled and reflashed and no change in results. Any suggestions on what to try/configure? Been running debug looking for anything off but nothing so far.

I have checked for the patches and they are NOT installed.

Script run:
STRING test

Hi. The injection on Logitech M325 always stuck on STRING command. For example, i'm injecting command that open up the Run Dialog Box to open up the notepad and type 'Hello World'. Then it will stuck either when typing at Run Dialog Box or at notepad. it goes like;
notepaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
or
hello woooooooooooooooooooooooooooooooooo
and it goes on typing like that for quite some time repeating the last letter it get stuck on. what could be the issue?

So I see keylogging is supported for the Microsoft 800 keyboard. Would it be possible to support wireless keyboards that use the MOSART semiconductor? According to BastilleResearch these keyboards use no encryption when sending wireless keystrokes. They even have a tool that identifies those keyboards as well as another vulnerable model: https://github.com/BastilleResearch/keysniffer .

I am currently testing a lot of different keyboards. One thing that I have noticed is that all of the Microsoft keyboards (Microsoft Wireless 900 Desktop, MS Wireless 2000 and the Sculpt specifically) have an issue where, no matter the channel that is detected they are xmitting on, jackit will send the attack on channel 29. According to the testing done by Bastille at a minimum the 900 and 2000 are vulnerable. For example, I'll have something like this:

Key  Address        Channel   Count   Seen      Type                   Packet
1  AA:1D:6F:99:68  70,50       3   0:00:02 ago   Microsoft HID    08:90:27:01:DB:20:40:00:02:00:00:00:00:00:00:00:00:00:F8

Ping success on channel 29
Sending attack to AA:1D:6F:99:68 [Microsoft HID] on channel 29

The attack finishes but nothing happens. This happens on 3 different MS keyboards (always channel 29).

Update:
Finally got an attack where the MS combo was on channel 29 and the attack was sent to the same channel. The attack looks like it should have worked but nothing happened on the victim box.

I have a very simple script that just types two letters then delays and repeats a few times. It will only get past the first or second delay before it stops injecting letters. I added a print statement to jackit.py to see what was going on:

{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

a{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

a{'char': '', 'hid': 0, 'sleep': '1000', 'frames': [], 'mod': 0} 

{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12]], 'mod': 0} 

{'char': 'b', 'hid': 5, 'sleep': 0, 'frames': [[[0, 193, 0, 5, 0, 0, 0, 0, 0, 58], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

{'char': '', 'hid': 0, 'sleep': '1000', 'frames': [], 'mod': 0} 

{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12]], 'mod': 0} 

{'char': 'c', 'hid': 6, 'sleep': 0, 'frames': [[[0, 193, 0, 6, 0, 0, 0, 0, 0, 57], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

{'char': '', 'hid': 0, 'sleep': '1000', 'frames': [], 'mod': 0} 

{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12]], 'mod': 0} 

{'char': 'd', 'hid': 7, 'sleep': 0, 'frames': [[[0, 193, 0, 7, 0, 0, 0, 0, 0, 56], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

You can see it prints the first two a's and the script continues as if it's working but nothing is injected. After some testing I found that anything over DELAY 75 will cause problems. I tried stacking two DELAY 75s and this was the result:

{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

a{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

a{'char': '', 'hid': 0, 'sleep': '75', 'frames': [], 'mod': 0} 

{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12]], 'mod': 0} 

a{'char': 'b', 'hid': 5, 'sleep': 0, 'frames': [[[0, 193, 0, 5, 0, 0, 0, 0, 0, 58], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

b{'char': '', 'hid': 0, 'sleep': '75', 'frames': [], 'mod': 0} 

{'char': '', 'hid': 0, 'sleep': '75', 'frames': [], 'mod': 0} 

{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12]], 'mod': 0} 

{'char': 'c', 'hid': 6, 'sleep': 0, 'frames': [[[0, 193, 0, 6, 0, 0, 0, 0, 0, 57], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

{'char': '', 'hid': 0, 'sleep': '75', 'frames': [], 'mod': 0} 

{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12]], 'mod': 0} 

{'char': 'd', 'hid': 7, 'sleep': 0, 'frames': [[[0, 193, 0, 7, 0, 0, 0, 0, 0, 56], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

{'char': '', 'hid': 0, 'sleep': '75', 'frames': [], 'mod': 0} 

{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12]], 'mod': 0} 

a{'char': 'e', 'hid': 8, 'sleep': 0, 'frames': [[[0, 193, 0, 8, 0, 0, 0, 0, 0, 55], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

e{'char': '', 'hid': 0, 'sleep': '75', 'frames': [], 'mod': 0} 

{'char': 'a', 'hid': 4, 'sleep': 0, 'frames': [[[0, 193, 0, 4, 0, 0, 0, 0, 0, 59], 12]], 'mod': 0} 

a{'char': 'f', 'hid': 9, 'sleep': 0, 'frames': [[[0, 193, 0, 9, 0, 0, 0, 0, 0, 54], 12], [[0, 193, 0, 0, 0, 0, 0, 0, 0, 63], 0]], 'mod': 0} 

f{'char': '', 'hid': 0, 'sleep': '75', 'frames': [], 'mod': 0}

After the two delays it cuts out but then comes back. This is with a Logitech keyboard. Any thoughts?

Hi guys, just wanted to confirm that it works against Logitech K400r.

P.S. There were some issues with the Ducky parser while injecting
STRING powershell .....
I will dig on it ASAP.
Cool job!

I have Crazyradio without PA, when I want to inject scrypt nothing happens on the other computer.
[+] Select target keys (1-1) separated by commas, or 'all': [all]: 1
[+] Ping success on channel xx
[+] Sending attack to xx:xx::xx:xx [Microsoft HID] on channel xx
[+] All attacks completed
Script:
GUI r
DELAY 200
STRING notepad
ENTER
What is differences between Crazyradio and Crazyradio PA.
Thank YOU

Need to add more debug output, maybe use the logging subsystem, so we can log it to a file...

So I just bought a Microsoft Wireless Keyboard 800 to test with JackIt. and JackIt is detecting packets from it, but no matter how many packets it collects the Type is always listed as Unknown.

EDIT: Also, if I use --address *keyboard address* --vendor Microsoft --keylogging I can capture sporadic bunches of keystrokes from the device, but it just will not detect the device type during scans so I can't even begin to try injections. I've also tried the --address --vendor options during scans but that doesn't seem to do anything.

EDIT2: Holy crap I just amazed myself! LOL. I fixed it myself! I really didn't think my Python code skills would be up to the task of finding and fixing an issue like this, but I did it. The issue was the Microsoft_enc.py plugin was looking for a packet length of 19 under the fingerprint section, and with my Microsoft Wireless 800 keyboard it is actually using packets of 8 or 16 length! So I changed the if len(p) == 19 and p[0] == 0x0a line to if len(p) == 8 or len(p) == 16 and p[0] == 0x0a and that allowed the scans to detect the device. Then, to get injections working, I edited the line self.payload_template[4:18] = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0] and changed it to self.payload_template[4:15] = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]. Making these changes also fixed the sporadic keylogging issue. Now it captures every single keystroke during logging (before there would be large gaps of missing keys).

Is there a way to identify devices beforehand, such as in Device Manager on Windows and tie it back to the Address column listed under jackit script so one would know which device they are "attacking"?

Hi. Other Keyboard layouts then English would be nice for the injection.