123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233 |
- package hid
- import (
- "fmt"
- "strings"
- "sync"
- "time"
- "github.com/bettercap/bettercap/modules/utils"
- "github.com/bettercap/bettercap/session"
- "github.com/bettercap/nrf24"
- )
- type HIDRecon struct {
- session.SessionModule
- dongle *nrf24.Dongle
- waitGroup *sync.WaitGroup
- channel int
- devTTL int
- hopPeriod time.Duration
- pingPeriod time.Duration
- sniffPeriod time.Duration
- lastHop time.Time
- lastPing time.Time
- useLNA bool
- sniffLock *sync.Mutex
- writeLock *sync.Mutex
- sniffAddrRaw []byte
- sniffAddr string
- sniffType string
- pingPayload []byte
- inSniffMode bool
- sniffSilent bool
- inPromMode bool
- inInjectMode bool
- keyLayout string
- scriptPath string
- parser DuckyParser
- selector *utils.ViewSelector
- }
- func NewHIDRecon(s *session.Session) *HIDRecon {
- mod := &HIDRecon{
- SessionModule: session.NewSessionModule("hid", s),
- waitGroup: &sync.WaitGroup{},
- sniffLock: &sync.Mutex{},
- writeLock: &sync.Mutex{},
- devTTL: 1200,
- hopPeriod: 100 * time.Millisecond,
- pingPeriod: 100 * time.Millisecond,
- sniffPeriod: 500 * time.Millisecond,
- lastHop: time.Now(),
- lastPing: time.Now(),
- useLNA: true,
- channel: 1,
- sniffAddrRaw: nil,
- sniffAddr: "",
- inSniffMode: false,
- inPromMode: false,
- inInjectMode: false,
- sniffSilent: true,
- pingPayload: []byte{0x0f, 0x0f, 0x0f, 0x0f},
- keyLayout: "US",
- scriptPath: "",
- }
- mod.State.Store("sniffing", &mod.sniffAddr)
- mod.State.Store("injecting", &mod.inInjectMode)
- mod.State.Store("layouts", SupportedLayouts())
- mod.AddHandler(session.NewModuleHandler("hid.recon on", "",
- "Start scanning for HID devices on the 2.4Ghz spectrum.",
- func(args []string) error {
- return mod.Start()
- }))
- mod.AddHandler(session.NewModuleHandler("hid.recon off", "",
- "Stop scanning for HID devices on the 2.4Ghz spectrum.",
- func(args []string) error {
- return mod.Stop()
- }))
- mod.AddHandler(session.NewModuleHandler("hid.clear", "",
- "Clear all devices collected by the HID discovery module.",
- func(args []string) error {
- mod.Session.HID.Clear()
- return nil
- }))
- sniff := session.NewModuleHandler("hid.sniff ADDRESS", `(?i)^hid\.sniff ([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}|clear)$`,
- "Start sniffing a specific ADDRESS in order to collect payloads, use 'clear' to stop collecting.",
- func(args []string) error {
- return mod.setSniffMode(args[0], false)
- })
- sniff.Complete("hid.sniff", s.HIDCompleter)
- mod.AddHandler(sniff)
- mod.AddHandler(session.NewModuleHandler("hid.show", "",
- "Show a list of detected HID devices on the 2.4Ghz spectrum.",
- func(args []string) error {
- return mod.Show()
- }))
- inject := session.NewModuleHandler("hid.inject ADDRESS LAYOUT FILENAME", `(?i)^hid\.inject ([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2})\s+(.+)\s+(.+)$`,
- "Parse the duckyscript FILENAME and inject it as HID frames spoofing the device ADDRESS, using the LAYOUT keyboard mapping.",
- func(args []string) error {
- if err := mod.setInjectionMode(args[0]); err != nil {
- return err
- }
- mod.keyLayout = args[1]
- mod.scriptPath = args[2]
- return nil
- })
- inject.Complete("hid.inject", s.HIDCompleter)
- mod.AddHandler(inject)
- mod.AddParam(session.NewIntParameter("hid.ttl",
- fmt.Sprintf("%d", mod.devTTL),
- "Seconds of inactivity to consider a device as not in range."))
- mod.AddParam(session.NewBoolParameter("hid.lna",
- "true",
- "If true, enable the LNA power amplifier for CrazyRadio devices."))
- mod.AddParam(session.NewIntParameter("hid.hop.period",
- "100",
- "Time in milliseconds to stay on each channel before hopping to the next one."))
- mod.AddParam(session.NewIntParameter("hid.ping.period",
- "100",
- "Time in milliseconds to attempt to ping a device on a given channel while in sniffer mode."))
- mod.AddParam(session.NewIntParameter("hid.sniff.period",
- "500",
- "Time in milliseconds to automatically sniff payloads from a device, once it's detected, in order to determine its type."))
- builders := availBuilders()
- mod.AddParam(session.NewStringParameter("hid.force.type",
- "logitech",
- fmt.Sprintf("(%s)", strings.Join(builders, "|")),
- fmt.Sprintf("If the device is not visible or its type has not being detected, force the device type to this value. Accepted values: %s", strings.Join(builders, ", "))))
- mod.parser = DuckyParser{mod}
- mod.selector = utils.ViewSelectorFor(&mod.SessionModule, "hid.show", []string{"mac", "seen"}, "mac desc")
- return mod
- }
- func (mod HIDRecon) Name() string {
- return "hid"
- }
- func (mod HIDRecon) Description() string {
- return "A scanner and frames injection module for HID devices on the 2.4Ghz spectrum, using Nordic Semiconductor nRF24LU1+ based USB dongles and Bastille Research RFStorm firmware."
- }
- func (mod HIDRecon) Author() string {
- return "Simone Margaritelli <evilsocket@gmail.com> (this module and the nrf24 client library), Bastille Research (the rfstorm firmware and original research), phikshun and infamy for JackIt."
- }
- func (mod *HIDRecon) Configure() error {
- var err error
- var n int
- if mod.Running() {
- return session.ErrAlreadyStarted(mod.Name())
- }
- if err, mod.useLNA = mod.BoolParam("hid.lna"); err != nil {
- return err
- }
- if err, mod.devTTL = mod.IntParam("hid.ttl"); err != nil {
- return err
- }
- if err, n = mod.IntParam("hid.hop.period"); err != nil {
- return err
- } else {
- mod.hopPeriod = time.Duration(n) * time.Millisecond
- }
- if err, n = mod.IntParam("hid.ping.period"); err != nil {
- return err
- } else {
- mod.pingPeriod = time.Duration(n) * time.Millisecond
- }
- if err, n = mod.IntParam("hid.sniff.period"); err != nil {
- return err
- } else {
- mod.sniffPeriod = time.Duration(n) * time.Millisecond
- }
- if mod.dongle, err = nrf24.Open(); err != nil {
- return fmt.Errorf("make sure that a nRF24LU1+ based USB dongle is connected and running the rfstorm firmware: %s", err)
- }
- mod.Debug("using device %s", mod.dongle.String())
- if mod.useLNA {
- if err = mod.dongle.EnableLNA(); err != nil {
- return fmt.Errorf("make sure your device supports LNA, otherwise set hid.lna to false and retry: %s", err)
- }
- mod.Debug("LNA enabled")
- }
- return nil
- }
- func (mod *HIDRecon) forceStop() error {
- return mod.SetRunning(false, func() {
- if mod.dongle != nil {
- mod.dongle.Close()
- mod.Debug("device closed")
- }
- })
- }
- func (mod *HIDRecon) Stop() error {
- return mod.SetRunning(false, func() {
- mod.waitGroup.Wait()
- if mod.dongle != nil {
- mod.dongle.Close()
- mod.Debug("device closed")
- }
- })
- }
|