MouseJack: From Mouse to Shell – Part 2

This is a continuation of Part 1 which can be found here.

New/Fixed Mice

Since the last blog post, I’ve done some additional testing and it looks like most of the newer wireless mice are not vulnerable to MouseJack. I tested the best-selling wireless mouse on Amazon (VicTsing MM057), Amazon’s choice (AmazonBasics), and one of my favorites (Logitech M510). All three mice were not vulnerable to MouseJack. If you have a wireless mouse that cannot be patched or you are not sure how to patch it, and the mouse is older than 2017 buy a new mouse/keyboard. If you bought and tested a new mouse against MouseJack, please let me know so I can update this post.

Accept the Risk or Fix the Issue?

I’m still curious on how organizations are going to remedy this vulnerability across their environment. To my knowledge, you can identify the manufacturer and model from Device Manager, but because we don’t have a list of all known vulnerable mice, it’s hard to say if a particular mouse is vulnerable or not. For example, I have an old Logitech M510 that isn’t patched and a brand new Logitech M510 that is patched. From the OS level, how do we detect the difference? It would be almost impossible to validate vulnerable wireless mice/keyboards across a 60k seat enterprise. What are you doing to remedy this vulnerability or are you accepting the risk? Please comment below or reach out to me directly.

From Mouse to Shell – Undetected by Defender

See Part 1 to setup JackIt and CrazyRadio PA. This time, we will use JackIt and a tool known as SILENTTRINITY. SILENTTRINITY was created by Marcello Salvati (@byt3bl33d3r) in 2018. Here’s a talk Marcello gave at DerbyCon and here’s a link to his GitHub. 

Black Hills (BHIS) did a Webcast a few weeks ago where they did a deep dive on SILENTTRINITY, which can be found here. I won’t go into how this exactly works, but please check out the BHIS Webcast or the DerbyCon talk above for more info.

Installing Dependencies

  1. Install Kali
  2. cd /opt
  3. git clone GitHub URL
  4. cd impacket
  5. pip install -r requirements.txt
  6. python setup.py install
    • I ran into issues running this command due to the wrong version of ldap3 (see screenshot below). To fix this, run the following commands:
      • pip2 install ldap3==2.5.1
      • pip2 uninstall ldap3==2.5.2
      • reboot?
      • re-run step 6, it should now install successfully

Installing SILENTTRINITY

  1. apt install python3.7 python3.7-dev python3-pip
  2. cd /opt
  3. git clone GitHub URL
  4. cd SILENTTRINITY/Server
  5. python3.7 -m pip install -r requirements.txt

If all went well, SILENTTRINITY should be installed.

Running SILENTTRINITY

Start up SILENTTRINITY by running – python3.7 st.py

Run the help command to see our options

Review listener options

Setup the listener

Create the stager – I’m using powershell here, wmic is detected by Defender and msbuild requires msbuild.exe on the attack system.

The stager is located in /opt/SILENTTRINITY/Server

Move the stager to a HTTPS location where the file can be downloaded. Make sure you use HTTPS and not HTTP, as at least one AV vendor accidentally identifies this stager as Sparc shellcode (wtf?). Using HTTPS bypasses this Snort signature.

Download and execute the stager using JackIt

Once you have your session you can run modules against the compromised system. Type modules and then type list.

These modules are quite powerful and allow you to run mimikatz (make sure you’re running in an elevated process), enumeration scripts, powershell, cmd, winrm, inject shellcode, exfil via github, etc.

Here is an example of hostenum – which grabs sys info, av check, user groups, env variables, ipconfig, netstat and current processes.

Summary:

Using JackIt with SILENTTRINITY we are able to bypass Defender. I’d like to note that downloading stager.ps1 through the browser caused Defender to block the download but was able to bypass Defender by downloading and running the stager in memory. I was actually quite surprised this bypassed Defender, so I had to try it on a few other systems.

I was able to bypass all 3 AV/EDR vendors using this technique; although, at least one EDR system, detected suspicious powershell usage (i.e., powershell downloaded something and ran it). Therefore, if you are able to deliver the stager another way such as say, over smb, you may be able to bypass at least a few AV/EDR.

I didn’t cover the msbuild stager during this post, but if you really wanted to bypass AV/EDR try this type of stager. As long as msbuild.exe is installed on the attack system, you should be good to go (at least for now :)).

In Part 3, I’ll cover the blue team side of this, as far as what to look for and how to detect SILENTTRINITY. Unfortunately, there is not an easy way to detect JackIt AFAIK. If you know of a detection mechanism for JackIt/MouseJack, please contact me so I can include it in Part 3.

Sources

hunter2 gitbook

impacket GitHub

SILENTTRINITY

DerbyCon

BHIS Webcast

JackIt GitHub

Featured Image – Bastille

Leave a Reply