Today, we will be going over using MouseJack and Jackit to inject keystrokes to compromise a Windows workstation.
First, this has been covered before, but I feel like it hasn’t gotten the attention it deserves, so I decided to do my own PoC and show it off. Also, I do not condone hacking anything that isn’t yours without permission from the owner. BE ETHICAL!
Great work from Bastille. You can see more about MouseJack here: https://www.mousejack.com/ and see the known affected devices here: https://www.bastille.net/research/vulnerabilities/mousejack/affected-devices
Also, great work from Insecurity of Things for building on this and creating Jackit.
tl;dr You can insert keystrokes into someone else’s wireless keyboard so that it types into their computer. Using this, you can take over their PC.
Alright, now that we’ve given credit where credit is due, here is a PoC.
Windows 7 x64
git clone https://github.com/BastilleResearch/mousejack
apt-get install sdcc binutils python python-pip
pip install -U pip
pip install -U -I pyusb
pip install -U platformio
Make sure you’re in the mousejack directory.
git submodule init
git submodule update
At this point, make sure your Crazyradio PA is plugged in.
Navigate to the nrf-research-firmware directory.
Write firmware onto the Crazyradio PA
Unplug the Crazyradio PA dongle
Plug Crazyradio PA dongle back in
git clone https://github.com/insecurityofthings/jackit.git
Navigate to the jackit directory.
pip install -e .
Here’s where you would scan and run a duckyscript (the Hak5 script format used for Rubber Duckies).
This is the script I use:
The command you would run is:
jackit --script test
Press CTRL+C once you’ve seen your keyboard in the scan results. Then you can select which keyboard you want to attack.
Whew. So what do you guys think? Still going to use wireless keyboards? I’m not 100% on the range, but let’s just say I don’t have to sit next to you for it to work. When I did the scanning at work, I was getting everyone’s keyboard on the list 🙂
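Before answering that question for your own environment, it helps to know which receivers plugged into your hosts are on Bastille’s affected-devices list. The following is an added example, not code from the original post or from the mousejack/jackit projects: it parses lsusb-style output and flags receivers by USB vendor:product ID. Only the Logitech Unifying receiver ID (046d:c52b) is asserted as known here; the KNOWN_RECEIVERS table and the sample lsusb lines are assumptions you would extend from Bastille’s list.

```python
"""Inventory USB receivers on this host and flag ones on the MouseJack affected-devices list.

Added example (not from the original post or the mousejack/jackit projects).
It parses `lsusb`-style output and matches USB vendor:product IDs against a
small table. Only the Logitech Unifying receiver ID (046d:c52b) is asserted
as known here; extend KNOWN_RECEIVERS from Bastille's affected-devices page.
"""
import re
import subprocess

# (vendor_id, product_id) -> note for the asset owner. Assumed starting table.
KNOWN_RECEIVERS = {
    ("046d", "c52b"): "Logitech Unifying receiver: on Bastille's list; check for Logitech's firmware update",
}

# One `lsusb` line: "Bus 003 Device 004: ID 046d:c52b Logitech, Inc. Unifying Receiver"
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\s*(?P<desc>.*)$"
)

# Constructed sample output, used when `lsusb` is not available on the host.
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 003 Device 004: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 003 Device 005: ID 0bda:0129 Realtek Semiconductor Corp. RTS5129 Card Reader Controller
"""


def parse_lsusb(text):
    """Return one dict per device line; lines that do not match the lsusb format are ignored."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["vid"] = d["vid"].lower()
        d["pid"] = d["pid"].lower()
        devices.append(d)
    return devices


def find_affected(devices):
    """Return the devices whose vid:pid is in KNOWN_RECEIVERS, each with its note attached."""
    hits = []
    for d in devices:
        note = KNOWN_RECEIVERS.get((d["vid"], d["pid"]))
        if note:
            hit = dict(d)
            hit["note"] = note
            hits.append(hit)
    return hits


def current_lsusb_output():
    """Run lsusb if present; otherwise fall back to the constructed sample so the script still runs."""
    try:
        return subprocess.check_output(["lsusb"], universal_newlines=True)
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_LSUSB


if __name__ == "__main__":
    for hit in find_affected(parse_lsusb(current_lsusb_output())):
        print("Bus %s Device %s %s:%s %s -> %s"
              % (hit["bus"], hit["dev"], hit["vid"], hit["pid"], hit["desc"], hit["note"]))
```

Run it on each Linux host (or feed it saved lsusb output) to get a list of receivers that need a firmware update or replacement with a wired or properly encrypted keyboard.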
In this example, I only wrote to a notepad. But we could use this to connect back to Metasploit and get more pwnage or anything you’d like. Just look at this wiki: https://github.com/insecurityofthings/jackit/wiki
Tell me what you think!
Ask questions if you’d like 🙂