
uc_mousejack's Introduction

μC Mousejack

Microcontroller Mousejack is a project to get Mousejack attacks into a small embedded device, with the form factor of a key chain.

Prototype Mousejack Device

Our first iteration uses an Adafruit Feather 32u4 protoboard and a SPI-based NRF24L01+ module.

Building the device is straightforward, and the code provides a tool that uses Duckyscript to launch automated keystroke injection attacks against Microsoft and Logitech devices.

Construction

To build your own device you'll need the following components:

  • Adafruit Feather 32u4 protoboard or another Arduino-compatible board of your choice.
  • An SPI-based NRF24L01+ module. Buying an amplified NRF24 module with an external antenna is highly recommended.
  • A LiPo battery. A 500mAh battery will run for about 20 hours.
  • A case to house the components. A Hammond 1551KTBU works nicely. You can usually buy these at your local electronics store.
  • A 10μF and a 0.1μF capacitor to help stabilize the voltage for the NRF24 module (it's finicky).
  • Double-sided adhesive tape or mounting hardware, depending on how polished you'd like the final product to be.
  • Tools: Wire strippers, side cutters, a good soldering iron.
  • Basics, such as solder, polyamide tape, small flexible multicolor wire.

The Fritzing diagram below shows the wiring layout used in the prototype design:

Mousejack Fritzing Design

The capacitors shown above are 10μF and 0.1μF. Also note that soldering the NRF24 module directly into the Feather protoboard helps keep things compact.

Building

To build the software, download and install the PlatformIO IDE. It sucks much less than the Arduino IDE.

Before building the software, be sure to modify the attack.h file using the attack_generator.py script:

uC-mousejack $ cd tools
tools $ ./attack_generator.py ducky.txt

In the example above, the ducky.txt file contains our Duckyscript. The attack_generator.py script will "compile" the Duckyscript into the attack.h file, which is included in main.cpp. This simplifies the code and makes it more compact.

Using

Once you power the device on, the internal LED connected to pin 13 (called ledpin in the code) will blink two times for each pass over the entire channel range. When it sends an attack, the LED will glow solid.

If you monitor the serial port using the PlatformIO IDE, you will see a lot of debugging information being printed while scanning and during an attack.

Warning: No interaction is required to initiate an attack. Be careful where you use this device. We do not accept any responsibility for how this tool is used.

Future

Our next iteration will feature a MicroPython version using the ESP8266-based Adafruit Huzzah module. This will provide the capability to load new attacks and obtain diagnostic information using your smartphone (via Wi-Fi).

It's also possible (and fairly easy) to adapt our code to use an OLED display, microSD card, or any other interaction you can think of. Feel free to fork the code and make something cooler.


uc_mousejack's Issues

Loop on "starting channel sweep"

Hi,
Said that I am testing against a Logitech K400r which is vulnerable and already proved with the CrazyRadioPA...
I built exactly your project (step by step).
It compiled and uploaded successfully with PlatformIO on the Feather.
But somehow it is stuck in a loop on "starting channel sweep".
It seems like it is unable to find the keyboard around (despite the fact I am even generating traffic by typing with it).
I have even tried two different NRF24L01+ I bought.

Do you know a way I can see if the connection between the Feather and the NRF module is fine?
Is there a way I can communicate with the NRF module through the serial port and get some sort of ACK that it is alive?
Moreover, looking at your circuit scheme, I see the NRF's GND is not attached to the GND of the Feather. Might that be also an issue?

Any suggestion on how to troubleshoot my issue is more than welcome :)

Thanks mate!
Luca
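
A register write and read-back over SPI is one way to answer the "is the module alive" question raised in the issue above. This is an added example, not code from the uC_mousejack project: `SpiXfer`, `nrfSelfTest` and `FakeNrf` are hypothetical names, and the fake chip is constructed so the check runs on a PC. On the Feather, the transfer callback would wrap `SPI.transfer()` between driving the module's CSN pin low and high.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>

// One SPI transaction: CSN low, clock out tx[0..n), capture rx[0..n), CSN high.
using SpiXfer = std::function<void(const uint8_t* tx, uint8_t* rx, int n)>;
constexpr uint8_t R_REGISTER = 0x00, W_REGISTER = 0x20, REG_RF_CH = 0x05;
enum class NrfCheck { Ok, NoResponse, Mismatch };
static uint8_t readReg(const SpiXfer& spi, uint8_t reg) {
    uint8_t tx[2] = { uint8_t(R_REGISTER | reg), 0xFF }, rx[2] = { 0, 0 };
    spi(tx, rx, 2);
    return rx[1];  // rx[0] is the STATUS byte, rx[1] the register value
}
static void writeReg(const SpiXfer& spi, uint8_t reg, uint8_t val) {
    uint8_t tx[2] = { uint8_t(W_REGISTER | reg), val }, rx[2] = { 0, 0 };
    spi(tx, rx, 2);
}
// Write two bit patterns to RF_CH, read each back, then restore the register.
NrfCheck nrfSelfTest(const SpiXfer& spi) {
    const uint8_t saved = readReg(spi, REG_RF_CH);
    const uint8_t pat[2] = { 0x2A, 0x55 };  // bit 7 of RF_CH is reserved, keep 0
    uint8_t got[2];
    for (int i = 0; i < 2; ++i) {
        writeReg(spi, REG_RF_CH, pat[i]);
        got[i] = readReg(spi, REG_RF_CH);
    }
    writeReg(spi, REG_RF_CH, uint8_t(saved & 0x7F));
    if (got[0] == pat[0] && got[1] == pat[1]) return NrfCheck::Ok;
    // A floating or shorted MISO line reads as all zeros or all ones.
    if (got[0] == got[1] && (got[0] == 0x00 || got[0] == 0xFF)) return NrfCheck::NoResponse;
    return NrfCheck::Mismatch;  // chip answers, but the writes did not stick
}
// Constructed stand-in for the module so the check runs without hardware.
struct FakeNrf {
    uint8_t regs[32] = { 0, 0, 0, 0, 0, 0x02 };  // RF_CH (0x05) resets to 0x02
    bool writesLand = true;
    void xfer(const uint8_t* tx, uint8_t* rx) {
        rx[0] = 0x0E;  // STATUS value after reset
        if ((tx[0] & 0xE0) == R_REGISTER) rx[1] = regs[tx[0] & 0x1F];
        else if ((tx[0] & 0xE0) == W_REGISTER && writesLand) regs[tx[0] & 0x1F] = tx[1];
    }
};
NrfCheck checkFake(bool writesLand) {
    FakeNrf chip; chip.writesLand = writesLand;
    return nrfSelfTest([&chip](const uint8_t* t, uint8_t* r, int) { chip.xfer(t, r); });
}
NrfCheck checkFloatingMiso() {
    return nrfSelfTest([](const uint8_t*, uint8_t* r, int n) { for (int i = 0; i < n; ++i) r[i] = 0xFF; });
}
int main() { std::printf("%d %d %d\n", int(checkFake(true)), int(checkFake(false)), int(checkFloatingMiso())); }
```

`NoResponse` points at wiring (MISO, CSN or power), while `Mismatch` means the chip replies but does not accept writes.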

no payload

Finally got around to building this after it's been sitting on my bench for a year. Have everything wired up and installed the firmware using the default payload. If I turn it on and hook it up to a computer to use PuTTY to monitor the serial output, I just get "starting channel sweep" output every time the red light blinks but no green confirmation or payload notification. Using a Logitech dongle and keyboard that work with the crazyusb and custom firmware Logitech dongle when using JackIt normally from a computer.
The only difference in the build is I'm using 2 cylindrical electrolytic capacitors vs. 1 cylindrical electrolytic and a ceramic. Anything I should test or change?

Switched to a .1 microfarad ceramic capacitor today but no change.

can't find any devices

Hi,

I have tried to build this project on a breadboard. The firmware compiled well and the serial monitor from PlatformIO says in a loop: starting channel sweep
but it did not find any vulnerable device. I tried it with different devices which are vulnerable to "JackIt". Perhaps I did something wrong and perhaps you guys have an idea? I have even already set up an attack script. Do I have to flash the nrf24 module with rfstorm, too?

syntax error in vs code

When I try to run attack_generator.py - immediately I get this issue:

File "/home/leatherdaddy/Downloads/uC_mousejack/tools/attack_generator.py", line 155
(print) "CAN'T PROCESS..." %s % line
^^^^^^^^^^^^^^^^^^
SyntaxError: invalid syntax

The debugger has shown a few more I can show but this is the first major hurdle.

Running python 3.11.4

Adafruit substitute

Hi,
Having said I am not an Arduino guru... Wondering how hard it would be to port your Arduino code to an Arduino Mini Pro since it uses the same atmega pic as the Adafruit one?
I was thinking something like this one:
http://s.aliexpress.com/AFFBZfq2

LiPo battery is not charging

Hi phiksun,

It has been some time since my last question. Now I have all the stuff from the project assembled and it works pretty well with a power bank connected to the micro USB. But unfortunately it did not work with the LiPo battery. I have exactly the same battery from Adafruit. I have bought three of them because I thought that the first one was broken. Interestingly, the charging LED works well while attaching power to the micro USB port. But even when I charge it >24 hours and disconnect the power cable it seems that the LiPo did not take over....

Is there something to change in the code? BTW: I do not have the newest main.cpp. I saw just now that you have improved the code.... I have the version before.

Or is there a mistake in the wiring picture? I have even consulted the Adafruit learning page for the Feather board (https://learn.adafruit.com/adafruit-feather-32u4-basic-proto/power-management) and did not find out what is wrong. Perhaps you've got an idea?

I hope you can help. Thanks in advance.

m3m0r3x

Address and Physical Device

Is there a way to identify devices beforehand, such as in Device Manager on Windows and tie it back to the Address column listed under jackit script so one would know which device they are "attacking"?

ESP32 Support

Hello!

Have you tried to use uc_mousejacking with ESP32?

I tried to implement this but it seems that the application tries to write to an invalid memory address.

Attached is a screenshot of the serial monitor

Thanks!


Nrf24l01+pa+lna and arduino nano

I tried it using nrf24l01+pa+lna and Arduino Nano with a 22uF capacitor but it doesn't find any channels or doesn't even transmit :(, I also have a Pro Micro 5V
