{"id":13773948,"url":"https://github.com/iamckn/mousejack_transmit","last_synced_at":"2025-05-11T06:31:42.643Z","repository":{"id":85609013,"uuid":"62539357","full_name":"iamckn/mousejack_transmit","owner":"iamckn","description":"Wireless mouse/keyboard attack with replay/transmit poc","archived":false,"fork":false,"pushed_at":"2016-07-10T14:10:36.000Z","size":36,"stargazers_count":84,"open_issues_count":0,"forks_count":33,"subscribers_count":12,"default_branch":"master","last_synced_at":"2024-11-17T09:38:23.597Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iamckn.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-07-04T07:05:34.000Z","updated_at":"2024-11-12T03:06:43.000Z","dependencies_parsed_at":"2023-03-13T06:02:09.775Z","dependency_job_id":null,"html_url":"https://github.com/iamckn/mousejack_transmit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iamckn%2Fmousejack_transmit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iamckn%2Fmousejack_transmit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iamckn%2Fmousejack_transmit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iamckn%2Fmousejack_transmit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iamckn","download_url":"https://codeload.github.com/iamckn/mousejack_transmit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253528362,"owners_count":21922623,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T17:01:22.240Z","updated_at":"2025-05-11T06:31:42.369Z","avatar_url":"https://github.com/iamckn.png","language":"Python","funding_links":[],"categories":["\u003ca id=\"58b6684347a223e01d4d76d9ca185a88\"\u003e\u003c/a\u003eReplay\u0026\u0026重播"],"sub_categories":[],"readme":"This is code extending the mousejack tools https://github.com/RFStorm/mousejack.  \nReplay/transmit tools have been added to the original tools.  \nPOC packets based on a **Logitech Wireless Combo MK220 which consists of a K220 wireless keyboard and an M150 wireless mouse** are included in the logs folder.  \nMore details available here https://www.ckn.io/blog/2016/07/09/hijacking-wireless-mice-and-keyboards/\n\n#Usage\n\n## scanner\n\nPseudo-promiscuous mode device discovery tool, which sweeps a list of channels and prints out decoded Enhanced Shockburst packets. \n\n```\nusage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]\n\noptional arguments:\n  -h, --help                          show this help message and exit\n  -c N [N ...], --channels N [N ...]  RF channels\n  -v, --verbose                       Enable verbose output\n  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)\n  -p PREFIX, --prefix PREFIX          Promiscuous mode address prefix\n  -d DWELL, --dwell DWELL             Dwell time per channel, in milliseconds\n```\n\nScan for devices on channels 1-5\n\n```\n./nrf24-scanner.py -c {1..5}\n```\n\nScan for devices with an address starting in 0xA9 on all channels\n\n```\n./nrf24-scanner.py -p A9\n```\n\n\n## sniffer\n\nDevice following sniffer, which follows a specific nRF24 device as it hops, and prints out decoded Enhanced Shockburst packets from the device. \nThis version has also been modified to log the packets to a log file\n\n```\nusage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -o OUTPUT [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES] \n\noptional arguments:\n  -h, --help                                 show this help message and exit\n  -c N [N ...], --channels N [N ...]         RF channels\n  -v, --verbose                              Enable verbose output\n  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)\n  -a ADDRESS, --address ADDRESS              Address to sniff, following as it changes channels\n  -o OUTPUT, --output OUTPUT                 Output file to log the packets\n  -t TIMEOUT, --timeout TIMEOUT              Channel timeout, in milliseconds\n  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250\n  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]\n```\n\nSniff packets from address 8C:D3:0F:3E:B4 on all channels and save them to output.log\n\n```\n./nrf24-sniffer.py -a 8C:D3:0F:3E:B4 -o logs/output.log\n```\n\n## replay/transmit\n\nReplay captured packets or transmit generated ones. It follows a specific nRF24 device as it hops, and sends packets from a log file.\n\n```\nusage: ./nrf24-replay.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -i INPUT_FILE [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES] \n\noptional arguments:\n  -h, --help                                 show this help message and exit\n  -c N [N ...], --channels N [N ...]         RF channels\n  -v, --verbose                              Enable verbose output\n  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)\n  -a ADDRESS, --address ADDRESS              Address to sniff, following as it changes channels\n  -o INPUT_FILE, --input INPUT_FILE          Input file that has the packets to sned\n  -t TIMEOUT, --timeout TIMEOUT              Channel timeout, in milliseconds\n  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250\n  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]\n```\n\nSend packets from file keystroke.log to address 8C:D3:0F:3E:B4 on hopping channel \n\n```\n./nrf24-replay.py -a 8C:D3:0F:3E:B4 -i logs/keystroke.log\n```\n\n## network mapper\n\nStar network mapper, which attempts to discover the active addresses in a star network by changing the last byte in the given address, and pinging each of 256 possible addresses on each channel in the channel list. \n\n```\nusage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]\n\noptional arguments:\n  -h, --help                                 show this help message and exit\n  -c N [N ...], --channels N [N ...]         RF channels\n  -v, --verbose                              Enable verbose output\n  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)\n  -a ADDRESS, --address ADDRESS              Known address\n  -p PASSES, --passes PASSES                 Number of passes (default 2)\n  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250\n  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15]\n```\n\nMap the star network that address 61:49:66:82:03 belongs to\n\n```\n./nrf24-network-mapper.py -a 61:49:66:82:03\n```\n\n## continuous tone test\n\nThe nRF24LU1+ chips include a test mechanism to transmit a continuous tone, the frequency of which can be verified if you have access to an SDR. There is the potential for frequency offsets between devices to cause unexpected behavior. For instance, one of the SparkFun breakout boards that was tested had a frequency offset of ~300kHz, which caused it to receive packets on two adjacent channels.\n\nThis script will cause the transceiver to transmit a tone on the first channel that is passed in. \n\n```\nusage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]\n\noptional arguments:\n  -h, --help                          show this help message and exit\n  -c N [N ...], --channels N [N ...]  RF channels\n  -v, --verbose                       Enable verbose output\n  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)\n\n```\n\nTransmit a continuous tone at 2405MHz\n\n```\n./nrf24-continuous-tone-test.py -c 5\n```\n\n## Packet generator script\n\nThis uses a dictionary to map keyboard presses to the equivalent packets. It reads stdin input and logs the mapped packets to logs/keystrokes.log.\nIt will accept input until Ctrl+C is pressed.\n\n```\nusage: ./keymapper.py \n```\n\n# Log files\n\nThe folder **logs** contains various pre-saved packets for various keyboard operations.  \n**Shell.log** is for exploitation of a Windows machine by running a powershell one-liner which connects back to the attacker machine.  \n\nThe file **keys.log** serves as a reference where various key presses and combinations are mapped to their equivalent packets.\n\n# Demo\n\nA demo of exploiting a Windows machine can be found here https://www.youtube.com/watch?v=YLzUeK1IvJs\u0026feature=youtu.be\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiamckn%2Fmousejack_transmit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fiamckn%2Fmousejack_transmit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fiamckn%2Fmousejack_transmit/lists"}