
Thread: HID Keyboard Attack development

  1. #1
    Member (Join Date: Jan 2014, Posts: 71)

    HID Keyboard Attack development

    I like this attack, so how can we upgrade/develop it?
    I think we need to add support for a lot of keyboards, and how can we add more commands? Like persistence, or disabling UAC without notification?

    Where do I need to start? I want to add Hungarian keyboard support/layout, and Binky said we need to edit sdcard/files/modules/keyseed.py but I don't know how .. :/

  2. #2
    Junior Member (Join Date: Sep 2014, Posts: 23)
    Hi,

    I am looking at implementing a French keyboard layout.
    To achieve this, what I plan to do as a POC is to change hid-keylog line 39:
    $scancode = $getKey::MapVirtualKey($vkey, $MAPVK_VSC_TO_VK_EX)
    to use MapVirtualKeyEx, which allows setting a locale:
    http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx

    My 2 cents on this; I have not tested it yet.

    Edit: Simply inputting the correct scancode depending on the locale wanted in sdcard/files/modules/keyseed.py should work but seems heavy (but inevitable, though)
    Last edited by aemaeth2501; 2014-10-02 at 04:10 PM.

  3. #3
    Hi aemaeth2501,

    Keep us posted on your progress!

  4. #4
    Junior Member (Join Date: Sep 2014, Posts: 23)
    Hi muts,

    I will for sure, but:
    - I can only look at this lightly for the next 2 weeks since my OSCP exam is on October 17th
    - I am far from being an expert, but I would be highly interested in contributing to this awesome project!

    Will keep you posted

  5. #5
    Junior Member (Join Date: Sep 2014, Posts: 23)
    Hi all,
    I managed to compile a quick SDL program that retrieves the scancode for a keystroke.
    From there I got the scancode list for the keyseed.py file for the French layout.
    Regarding this, what would be the best way to manage multiple locales in this file? Hardcode switches by layout value? Use the Java hashtable equivalent in Python?
    Once this is defined, I'll add a locale list to the PHP file that calls keyseed.py.
    I might be able to send the SDL program (and Excel file) to anyone willing to implement another keyboard layout. Just PM me.

  6. #6
    Hi aemaeth2501, this is great news!
    I suspect that adding a drop-down to the web interface where users can select their layout would be the best idea. We will be swapping out the web interface soon, but having all the scripts and logic in place will help us when we port the web interface to a native Android app... Please feel free to share the code!

  7. #7
    Junior Member (Join Date: Sep 2014, Posts: 23)
    Hi muts,

    Here is the modified keyseed.py script. It has not been fully tested from the interface, but by forcing the locale in the script it works well (the AltGr modifier key scancode needs adjusting, though), since I'm not familiar with the whole chain from PHP to this script in order to pass the right argument. As this was the more tedious task, I prefer to give out the code, in case someone has time in the next week to have a look at it.

    Also, the code for the SDL application outputting the correct scancode is attached. Beware: A and a will output the same scancode value. The modifier needs to be added in keyseed.py.
    keyseed.zip
    Source.zip
    Note:
    On a French keyboard, Ctrl+Alt+Key is required to type some special characters (ex: []@\`). The modifier I used before does not seem to work. I removed those to avoid inputting trash. Though, considering the possibility of multiple layouts, it has to be taken into account that not all characters might be acceptable for HID typing on layouts other than US (unless, for the French layout case, someone comes up with the right scancode for the AltGr key).
    Last edited by aemaeth2501; 2014-10-08 at 03:17 PM. Reason: Changed keyseed.py after bug resolution (tests on FR system)

  8. #8
    Member (Join Date: Jan 2014, Posts: 71)
    Hi aemaeth2501!

    Can you make this for the Hungarian layout please? Or can you make a tutorial or video on how to make it for more layouts?
    Last edited by beloadjoker; 2014-10-09 at 09:53 PM.

  9. #9
    Junior Member (Join Date: Sep 2014, Posts: 23)
    Hi,

    Unfortunately I have no more time since I have to prepare for a certification exam (besides my actual job).
    Though, I can give you my methodology.

    DISCLAIMER: I know that this seems tedious, I might not have used the best methodology, and using Excel and such might seem lame, but it does work

    Refer to the Excel file in the attachment: printable_ascii.zip
    - Compile the SDL source code, with SDL 2.0 or later
    - Open the Excel file
    - The "SymbolUS" column indicates which character you have to type in the SDL executable window
    - It will output a scancode value that you should enter in the "Returned scancode" field
    - If a modifier key is required (Shift, Alt or other), indicate it in the "Modifier Needed" column (keep the formatting and case)

    From there, the "Scancode FR" and "New dict" columns will be calculated automatically. Beware: I only implemented the Shift and AltGr modifiers (the latter will return a void scancode since I have not found the modifier code yet).

    Once done, copy the content of the "New dict" column and add the following to keyseed.py (replace XX with the layout identifier):
    dict_XX = {
    (Content of the "New dict" column, with the last comma removed)
    }

    Add the following line in the findinlist method:
    Code:
            elif locale=="XX" : print '''echo -ne "''' +dict_XX[byte]+ '''" > /dev/hidg0'''
    And if needed, add the following line in the win7cmd_elevated method (the "X" should be replaced by the input key, in US format, used to confirm execution):
    Code:
    elif locale=="XX" : print '''echo --left-alt X | hid-keyboard /dev/hidg0 keyboard'''
    For the moment, I only changed the win7cmd_elevated method, but the same treatment will be applied to the other ones.

    To test the whole thing, you need to change keyseed.py (remove the locale argument from the methods and force the locale value to be the one you want to test), and you can use the following file (the output on the computer should be the same as the input): hid-cmd.conf.zip
    Last edited by aemaeth2501; 2014-10-10 at 07:14 AM.
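One way to hold several layouts in a single Python structure, which is the dict-versus-switch question raised in post #5, and to catch the failure mode from post #7 before a layout is used (characters a layout can only produce with a modifier the script does not support yet, such as AltGr on FR). This is an added example, not the NetHunter keyseed.py code; the helper names `lookup`, `untypeable` and `check_layout` are mine, and the key/modifier values are a small sample following the public USB HID usage table, not a complete layout.

```python
# Added example, not from the NetHunter project: a dict-of-dicts keyed by
# locale, then by character -> (modifier bits, HID key usage id).
# Only a handful of entries per layout are given here, for illustration;
# a real table covers all printable ASCII.

MOD_NONE, MOD_SHIFT, MOD_ALTGR = 0x00, 0x02, 0x40   # HID modifier bits: none, left shift, right alt

LAYOUTS = {
    "US": {
        "a": (MOD_NONE, 0x04), "A": (MOD_SHIFT, 0x04),
        "q": (MOD_NONE, 0x14), "m": (MOD_NONE, 0x10),
        "@": (MOD_SHIFT, 0x1f), "[": (MOD_NONE, 0x2f),
    },
    "FR": {
        # AZERTY: the physical key that types 'q' on US types 'a' here, and vice versa;
        # '@' and '[' sit on the digit row and need AltGr.
        "a": (MOD_NONE, 0x14), "A": (MOD_SHIFT, 0x14),
        "q": (MOD_NONE, 0x04), "m": (MOD_NONE, 0x33),
        "@": (MOD_ALTGR, 0x27), "[": (MOD_ALTGR, 0x22),
    },
}

# Modifiers the sending side knows how to emit. AltGr is deliberately left out,
# mirroring the thread's current state, so FR entries needing it are flagged.
SUPPORTED_MODS = {MOD_NONE, MOD_SHIFT}


def lookup(char, locale):
    """Return (modifier, usage) for char in the given layout, or None if the layout lacks it."""
    return LAYOUTS.get(locale, {}).get(char)


def untypeable(text, locale, supported=SUPPORTED_MODS):
    """Characters of text that the layout lacks or that need a modifier outside `supported`."""
    bad = []
    for ch in text:
        entry = lookup(ch, locale)
        if entry is None or entry[0] not in supported:
            bad.append(ch)
    return bad


def check_layout(locale, supported=SUPPORTED_MODS):
    """Validate a whole layout table up front: sorted list of characters that would be dropped."""
    return sorted(ch for ch, (mod, _) in LAYOUTS[locale].items() if mod not in supported)
```

Running `check_layout("FR")` returns `['@', '[']` with the default modifier set, and an empty list once `MOD_ALTGR` is added to `supported`, so a layout can be checked before any command string is built from it.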

  10. #10
    NetHunter Master (Join Date: Sep 2014, Posts: 176)
    aemaeth2501,

    Great write-up! I've uploaded the Excel file here:
    https://docs.google.com/a/nethunter....gid=1163672638

    For those who are a bit nervous/paranoid/scared about opening Excel files...

    Thank you for taking the time to do that and to provide detailed instructions on how you were able to port over the language.
