This is a partial implementation of Bastille's MouseJack exploit. See mousejack.com for more details. Full credit goes to Bastille's team for discovering this issue and writing the libraries to work with the CrazyRadio PA dongle. Also, thanks to Samy Kamkar for KeySweeper, to Thorsten Schroeder and Max Moser for their work on KeyKeriki and to Travis Goodspeed. We stand on the shoulders of giants.
To our knowledge, it should work on all Microsoft and Logitech devices based on the NRF24L01-series RFICs.
We tested with the following hardware:
- Microsoft Wireless Mouse 1000
- Microsoft All-In-One Media Keyboard
- Microsoft Sculpt Ergonomic Mouse
- Logitech Wireless Touch Keyboard K400r
- Logitech Marathon M705 Mouse
- Logitech Wave M510 Mouse
- Logitech Wireless Gaming Mouse G700s
Tested on Windows 8.1, Windows 10 and macOS 10.11. Let us know if it works or doesn't work on your device.
Note: JackIt may not work if the Logitech firmware update or Microsoft update KB3152550 has been applied.
We work in the security industry and often it is necessary to demonstrate risk in order to create action. Unfortunately, these kinds of issues don't show up on Nessus scans, so we wrote an exploit. Please use this code responsibly.
To use these scripts, you will need a CrazyRadio PA adapter from Seeed Studio. You will also need to flash the firmware of the adapter using Bastille's MouseJack research tools. Please follow their instructions for updating the firmware before continuing.
After installing the firmware, you can install the Python 2 requirements via:
sudo pip install -r requirements.txt
Once your CrazyRadio PA is ready, you can launch JackIt via:
sudo ./jackit.py
Let the script run and detect the nearby devices, then press Ctrl-C to start your attack. The workflow is similar to Wifite. By default, it will only monitor for devices. If you would like to inject, specify a Duckyscript payload file using --script. The payload should be in plain text, not compiled using the Duckyscript encoder.
If you have no idea what Duckyscript is, see the Hak5 USB Rubber Ducky Wiki.
For practical usage instructions and gotchas, check the Wiki page.
This implementation was written by phikshun and infamy. All of our code is BSD licensed. All the files in the lib directory were written by Bastille's research team and are licensed under GPLv3.