Thread: HID Keyboard attack issues

  1. #1
    HID Keyboard attack issues

    Hello all, I am having a couple of issues with the HID attack in Nethunter on my Nexus 5.

    1. It has been stated that MTP must be disabled for the attack to work; however, in my experience the attack has only been responsive when MTP is enabled. It would be nice to hear how you guys are getting it to work without MTP; for me, when MTP is off the attack claims to have run on the phone, but no keystrokes occur on the target machine. This issue has been mentioned in another thread and is not my main problem; I am just including it for informational purposes because I am not sure if it is related to my main problem.
    2. The main problem is that when the HID attack successfully runs (with MTP enabled), escalation does not work. Every other keystroke goes through fine, but no UAC bypass even though the box is checked in the Web UI (just a guess, but it seems that the ctrl-shift-enter to run as admin is not getting passed). How can I get escalation to work properly?

    I would primarily like to find an answer to #2, but the whole process has also got me interested in creating/editing macros. If I were able to create my own macros, I would be able to just build a fresh macro to do what I want. If anyone has messed with macro creation/editing I would love to hear about your experiences with it...

    Last edited by ahkarhul; 2014-11-16 at 03:11.

  2. #2
    I have been tinkering with the problem and have a partial solution for anyone who is experiencing similar difficulties. I dug around and found the file in /sdcard/files/modules. Inside this file is a bunch of keystroke configuration stuff for the Python script; the particular line of interest in the file was this (inside the win7cmd_elevated() block):

    print '''echo --left-ctrl --left-shift --return | hid-keyboard /dev/hidg0 keyboard'''

    This line should tell cmd to run as admin; the following line confirms the UAC prompt:

    print '''echo --left-alt y | hid-keyboard /dev/hidg0 keyboard'''

    For some reason, these lines are not firing off when the admin box is checked on my web UI. I tried the commands manually while in the /system/xbin directory (the location of the hid-keyboard program). I found that the commands worked fine in this fashion, except I had to add a preliminary ./ to the filename (as expected).

    echo --left-ctrl --left-shift --return | ./hid-keyboard /dev/hidg0 keyboard

    When I did this it ran just fine and executed the currently entered program in admin mode. I was also able to confirm the UAC dialog in this way. This made me think that perhaps I needed a full path to HID keyboard in the keyseed file. I modified the hid-keyboard path to be absolute, but it did not help, so I switched it back.

    So in conclusion, I am not sure why the automated Web UI is not properly launching UAC escalation, but the hid-keyboard program should be sufficient to write any number of short bash scripts to get the job done; then launch these however you please. Quick and dirty, but seems to be working; I welcome any pros out there to school me on the right way to do it.

    I'll wrap up with a short bash example:

    echo --left-meta | /system/xbin/hid-keyboard /dev/hidg0 keyboard
    echo c m d | /system/xbin/hid-keyboard /dev/hidg0 keyboard
    echo --left-ctrl --left-shift --return | /system/xbin/hid-keyboard /dev/hidg0 keyboard
    echo --left-alt y | /system/xbin/hid-keyboard /dev/hidg0 keyboard

    {Evil stuff here, run as admin}
