<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Portslug's Terminal]]></title><description><![CDATA[🤹‍♂️ Entrepreneur 🧙‍♂️ Cybersecurity Consultant 🎯 AI Security 🗝️ Locksport Practitioner 🐙𝗣𝗼𝘀𝘁𝘀 𝗮𝗿𝗲 𝗺𝘆 𝗼𝘄𝗻! 🇺🇸🍍🍕]]></description><link>https://blog.portslug.com</link><image><url>https://cdn.hashnode.com/uploads/logos/69d32adb40c9cabf448de22f/a646bb29-9bcc-4027-85fb-0bbc6fc55cb8.png</url><title>Portslug&apos;s Terminal</title><link>https://blog.portslug.com</link></image><generator>RSS for Node</generator><lastBuildDate>Thu, 21 May 2026 17:12:44 GMT</lastBuildDate><atom:link href="https://blog.portslug.com/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[Prt.1 – Hak5 Cloud C2 Setup on AWS]]></title><description><![CDATA[What is Cloud C2?
Cloud C2 makes it easy for penetration testers and IT security teams to deploy and manage Hak5 gear from a simple self-hosted cloud managed platform. Cloud C2 allows you to maintain ]]></description><link>https://blog.portslug.com/prt-1-hak5-cloud-c2-setup-on-aws</link><guid isPermaLink="true">https://blog.portslug.com/prt-1-hak5-cloud-c2-setup-on-aws</guid><dc:creator><![CDATA[Portslug's Terminal]]></dc:creator><pubDate>Sun, 22 Nov 2020 15:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69d32adb40c9cabf448de22f/37c14ac2-8935-4e9a-84f2-22f807b3696f.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h3><strong>What is Cloud C2?</strong></h3>
<p>Cloud C2 makes it easy for penetration testers and IT security teams to deploy and manage Hak5 gear from a simple self-hosted cloud managed platform. Cloud C2 lets you maintain access during engagements and continually monitor and assess environments with Hak5 gear implants.</p>
<p>Cloud C2 currently supports several Hak5 devices including the WiFi Pineapple, LAN Turtle, Packet Squirrel, Signal Owl, ScreenCrab, Shark Jack and the KeyCroc.</p>
<h2><strong>Self-Hosting Cloud C2 in AWS – Step by Step Guide</strong></h2>
<h3><strong>Step 1 – Signup for AWS</strong></h3>
<p>Sign-up and Create your AWS hosting account.</p>
<blockquote>
<p><a href="https://portal.aws.amazon.com/billing/signup?refid=em_127222&amp;redirect_url=https%3A%2F%2Faws.amazon.com%2Fregistration-confirmation#/start"><strong>https://portal.aws.amazon.com/billing/signup?refid=em_127222&amp;redirect_url=https%3A%2F%2Faws.amazon.com%2Fregistration-confirmation#/start</strong></a></p>
</blockquote>
<h3><strong>Step 2 – Creating &amp; Configuring a Lightsail Instance</strong></h3>
<p>In this setup of Cloud C2, we will utilize a single Amazon Lightsail instance for $5 a month to run our public Cloud C2.</p>
<img src="https://substackcdn.com/image/fetch/$s_!hoFh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F951ddc30-dc3b-4bc9-b8f8-4b24defab548_300x126.png" alt="" style="display:block;margin:0 auto" />

<h4><strong>Step 2.1:  Create your instance in Amazon Lightsail</strong></h4>
<p>Next, create an instance by selecting the instance "location/region" that works best for you, and select a "Linux/Unix" platform with the "OS Only" option. In this blog, we will be using the latest Ubuntu LTS release and naming the instance so we can identify our Lightsail resource (especially helpful if you are running numerous instances in Lightsail). See the screenshots below for details.</p>
<img src="https://substackcdn.com/image/fetch/$s_!nxRu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1884e693-17ee-4649-9e35-5c4e607731b6_300x211.png" alt="" style="display:block;margin:0 auto" />

<img src="https://substackcdn.com/image/fetch/$s_!5FWs!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F33e02b44-c83e-403a-b48e-ed9d6575cc7d_300x87.png" alt="" style="display:block;margin:0 auto" />

<h4><strong>Step 2.2: Configure Lightsail Instance for Cloud C2</strong></h4>
<p>In the next steps, we will configure our Lightsail instance so that our Hak5 devices can communicate with the Cloud C2 platform. Please keep in mind that stricter network rules reduce the exposure of a public-facing instance, but for this blog post we are not restricting IP addresses. In a controlled assessment, we would highly recommend using a restricted IP address list or a VPN relay to access the Cloud C2 portal during engagements.</p>
<h4><strong>Step 2.2.1: Attach Static IP to Lightsail Instance</strong></h4>
<p>Select the networking tab, and create a static IP you can assign to your instance. Next, select your instance, and add an identifier name for the static IP. See screenshot below for details.</p>
<img src="https://substackcdn.com/image/fetch/$s_!68xS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4759a39c-c6a6-44c4-b9d3-7125400736e9_300x244.png" alt="" style="display:block;margin:0 auto" />

<h4><strong>Step 2.2.2: Configure Lightsail Firewall Rules</strong></h4>
<p>In this step, we will configure the firewall rules on our Cloud C2 instance so that our Hak5 devices can communicate with it. Please remember, as stated before, that it is always best practice to use restricted IP addresses or VPN access for public instances to reduce your attack surface. For this demonstration, we are leaving this instance public. To configure firewall rules, select the Networking tab and navigate to the firewall. Scroll down and click "+ Add rule" to configure rules. We will add several rules to our firewall: HTTPS, and custom TCP rules for ports 2022 and 8080. See the screenshot below for details on the port configuration.</p>
<img src="https://substackcdn.com/image/fetch/$s_!lx6E!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe09d3ec9-4831-4438-812f-4582c45489a6_300x94.png" alt="" style="display:block;margin:0 auto" />

<h3><strong>Step 3 – Setting up Cloud C2</strong></h3>
<h4><strong>Step 3.1:  Accessing Lightsail Instance</strong></h4>
<p>To quickly access your Lightsail instance, click on the "Connect" tab in the top left, then choose "Connect using SSH" to connect securely from your browser. This opens an SSH web shell on your instance. You can also configure your own SSH client instead. See the screenshot below.</p>
<img src="https://substackcdn.com/image/fetch/$s_!KUC3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F252c8c2c-fee5-4776-be81-8d98306563c3_300x139.png" alt="" style="display:block;margin:0 auto" />

<h4><strong>Step 3.2: Install Cloud C2 with a Bash Script</strong></h4>
<p>During these steps, we will have to install unzip, since it is not installed by default on the AWS Lightsail Ubuntu instance. We will also use a Cloud C2 bash script that automatically installs the latest version of Cloud C2. Once you are in the "Connect" console, copy and paste the script below to install Cloud C2. Remember, you will have to register to get a valid license key from Hak5, which can be obtained free on the Hak5 website - <a href="https://shop.hak5.org/products/c2#c2-versions">https://shop.hak5.org/products/c2#c2-versions</a>. See the bash install script below.</p>
<h4><strong>3.2.1:  Install UnZip</strong></h4>
<blockquote>
<p>sudo apt install unzip</p>
</blockquote>
<h4><strong>3.2.2: Cloud C2 Install Bash Script:</strong></h4>
<blockquote>
<p>wget https://c2.hak5.org/com -q -O c2.zip &amp;&amp; unzip -qq c2.zip &amp;&amp; \</p>
<p>IP=$(curl -s https://checkip.amazonaws.com) &amp;&amp; \</p>
<p>echo "Copy the below setup token and browse to http://$IP:8080" &amp;&amp; \</p>
<p>./c2_community-linux-64 -hostname $IP</p>
</blockquote>
<h4><strong>Step 3.3: Activating and Setting up Cloud C2</strong></h4>
<p>Once the script is complete, you will get a setup token and a browse path where your Cloud C2 instance is running. Next, navigate to your Cloud C2 instance, and finish the activation process.</p>
<img src="https://substackcdn.com/image/fetch/$s_!Y9Yd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb4acf077-3710-4ee6-9b47-717875f2d043_300x35.png" alt="" style="display:block;margin:0 auto" />

<h4><strong>3.3.1:  Setup Cloud C2 Account</strong></h4>
<p>In this setup process, you will be prompted to enter the valid "License Key" that was sent to you after your Hak5 Cloud C2 registration. Check your email for the "Hak5 Cloud C2 Download &amp; License" message from step 3.2, where you obtained an active Cloud C2 license ( <a href="https://shop.hak5.org/products/c2#c2-versions">https://shop.hak5.org/products/c2#c2-versions</a> ). The setup token is printed if the script runs successfully.</p>
<img src="https://substackcdn.com/image/fetch/$s_!9yrC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee8f45af-5e8d-4072-9575-dacc581acab3_300x283.png" alt="" style="display:block;margin:0 auto" />

<h4><strong>Step 3.4: Logging into your Cloud C2 Instance.</strong></h4>
<p>Once your account has been set up, you can navigate to your Cloud C2 instance and log in with the username and password you created during the setup process.</p>
<img src="https://substackcdn.com/image/fetch/$s_!Kir7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fadad6097-b42f-4f0a-8c7f-6df56234e737_283x300.png" alt="" style="display:block;margin:0 auto" />

<h3><strong>Step 4 – Enjoy! Happy Hacking…</strong></h3>
<p>Start adding Hak5 approved devices such as the WiFi Pineapple, LAN Turtle, Packet Squirrel, Signal Owl, ScreenCrab, Shark Jack and KeyCroc to your Cloud C2 instance. The getting-started guide for adding devices to Cloud C2 can be found at <a href="https://docs.hak5.org/hc/en-us/articles/360014295634-Adding-Devices-to-Cloud-C2">https://docs.hak5.org/hc/en-us/articles/360014295634-Adding-Devices-to-Cloud-C2</a></p>
<h4><strong>Cloud C2 Dashboard</strong></h4>
<img src="https://substackcdn.com/image/fetch/$s_!0PET!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F79954266-f701-407b-8397-2340cc7e5e72_300x82.png" alt="" style="display:block;margin:0 auto" />

<h4><strong>References:</strong></h4>
<ul>
<li><p>[1]. Cloud C2 Downloads –  <a href="https://shop.hak5.org/products/c2#c2-versions">https://shop.hak5.org/products/c2#c2-versions</a></p>
</li>
<li><p>[2]. Hak5 Devices – <a href="https://shop.hak5.org/">https://shop.hak5.org/</a></p>
</li>
<li><p>[3]. Cloud C2 Installation and Setup Guides – <a href="https://docs.hak5.org/hc/en-us/articles/360012947534-About-Cloud-C2">https://docs.hak5.org/hc/en-us/articles/360012947534-About-Cloud-C2</a></p>
</li>
<li><p>[4]. Adding Devices to Cloud C2  – <a href="https://docs.hak5.org/hc/en-us/articles/360014295634-Adding-Devices-to-Cloud-C2">https://docs.hak5.org/hc/en-us/articles/360014295634-Adding-Devices-to-Cloud-C2</a></p>
</li>
</ul>
<p><strong>Prt.2 – Hak5 Cloud C2 SSL Setup on AWS - (Coming Soon!)</strong></p>
]]></content:encoded></item><item><title><![CDATA[How to Install Kali on Raspberry Pi 400]]></title><description><![CDATA[In this blog, we will show you how to install and setup Kali linux on the new Raspberry Pi 400 Personal Computer.


Hardware List

Raspbery Pi 400

Micro SD Card

PowerSupply

Ethernet/Rj45 Cord

Mous]]></description><link>https://blog.portslug.com/how-to-install-kali-on-raspberry-pi-400</link><guid isPermaLink="true">https://blog.portslug.com/how-to-install-kali-on-raspberry-pi-400</guid><dc:creator><![CDATA[Portslug's Terminal]]></dc:creator><pubDate>Sun, 15 Nov 2020 15:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69d32adb40c9cabf448de22f/52ee8f8a-01cc-4df6-81a5-fe7528472ed8.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In this blog, we will show you how to install and setup Kali linux on the new Raspberry Pi 400 Personal Computer.</p>
<img src="https://substackcdn.com/image/fetch/$s_!2pL8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F77917f0e-e7a1-488f-bb3a-128557dc138c_300x167.jpeg" alt="" style="display:block;margin:0 auto" />

<h4><strong>Hardware List</strong></h4>
<ul>
<li><p><a href="https://vilros.com/products/raspberry-pi-400">Raspbery Pi 400</a></p>
</li>
<li><p><a href="https://www.amazon.com/SAMSUNG-Select-microSDXC-Adapter-MB-ME128HA/dp/B08879MG33">Micro SD Card</a></p>
</li>
<li><p><a href="https://vilros.com/products/vilros-usb-c-5v-3a-power-supply-with-switch-designed-for-pi-4">PowerSupply</a></p>
</li>
<li><p>Ethernet/Rj45 Cord</p>
</li>
<li><p>Mouse ~{- )</p>
</li>
</ul>
<h4><strong>Installing Kali Linux on your Raspberry Pi 400</strong></h4>
<ol>
<li><p>To begin, we first need to download the latest Kali Linux image from the official Kali ARM <a href="https://www.offensive-security.com/kali-linux-arm-images/">downloads page</a>.<br />On the Kali download page, select the latest image "<strong>Kali Linux RaspberryPi 2 (v1.2), 3 and 4 (64bit)</strong>" from their <a href="https://www.offensive-security.com/kali-linux-arm-images/">website</a>.</p>
<img src="https://substackcdn.com/image/fetch/$s_!EL51!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04834597-6645-4781-9285-f391363c8b5f_300x70.png" alt="" style="display:block;margin:0 auto" />
</li>
<li><p>To write your Kali image to an SD card, we can use a piece of software called "<a href="https://www.balena.io/etcher/"><strong>Etcher</strong></a>".<br />Etcher lets you flash OS images to SD cards &amp; USB drives easily.</p>
<img src="https://substackcdn.com/image/fetch/$s_!w7d-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcedbd10f-2d43-429c-9058-2b54fbb91c9e_159x49.png" alt="" style="display:block;margin:0 auto" />
</li>
<li><p>Begin by opening up the Etcher software application on your device. With Etcher click the "<strong>Select Image</strong>" button and navigate to your Kali image "<strong>kali-linux-2020.3b-rpi3-nexmon-64.img</strong>" file location.</p>
<img src="https://substackcdn.com/image/fetch/$s_!QBzk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd067a743-766e-49c0-aa5d-653880a2ea0d_300x179.png" alt="" style="display:block;margin:0 auto" />
</li>
<li><p>Next, click "Select target" and choose the SD card that is ready to be flashed with the latest image.</p>
<img src="https://substackcdn.com/image/fetch/$s_!FJpS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F990813af-9f0b-4d60-8ce7-18142cd0b411_300x176.png" alt="" style="display:block;margin:0 auto" />
</li>
<li><p>To write the image to your selected SD card, click "Flash!". The flash process can take some time; be patient as it writes the image to your SD card and validates it.</p>
</li>
</ol>
<img src="https://substackcdn.com/image/fetch/$s_!Q440!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcaa248cc-8cca-46bf-9394-c4db599d9ea5_300x178.png" alt="" style="display:block;margin:0 auto" />

<blockquote>
<p>Once this process has been completed, your SD card will have the latest Kali ARM image installed. Insert the SD card into the Pi400, and follow the bootup order instructions on the Raspberry Pi400.</p>
</blockquote>
<h4><strong>Kali Linux Interface Defaults</strong></h4>
<ol>
<li><p><a href="https://www.kali.org/">Kali</a> is a linux distribution that is primarily designed for ethical hacking. It was first released back in March 2013 and is still developed and maintained by <a href="https://www.offensive-security.com/">Offensive Security</a>.  If you are unaware of the Kali linux distribution I highly recommend doing research to learn more about the capabilities and features that exist within the distribution.</p>
</li>
<li><p>The Kali Linux distribution for the Raspberry Pi comes with a GUI, so you are not required to interact with it purely over SSH, though that option is always available. Once the Pi400 boots and loads the Kali operating system, you will be greeted by the following login screen. You can use the default username "<strong>kali</strong>" and the password "<strong>kali</strong>" (all lowercase).</p>
<img src="https://substackcdn.com/image/fetch/$s_!NQbt!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F67540b57-69d5-48e6-9534-6af530cbe080_300x223.png" alt="" style="display:block;margin:0 auto" />
</li>
<li><p>Upon logging into Kali Linux on your Raspberry Pi 400, you will land on the default desktop interface. From this interface, you can easily find all the applications that are installed on Kali by default. Feel free to explore Kali and learn what it offers.</p>
</li>
<li><p>Also, remember that the first thing you want to do after logging into your Raspberry Pi 400 is to change the default password "kali" to one of your own. To do this, run the following command:</p>
<blockquote>
<p><strong>passwd</strong></p>
</blockquote>
<p>After running this command, you will be prompted to change the password of the account you are currently authenticated as.</p>
</li>
<li><p>Now you are all set up and running Kali on your Raspberry Pi400. Enjoy!</p>
</li>
</ol>
<h4><strong>References:</strong></h4>
<ul>
<li><p>[1]. Kali ARM linux Image - <a href="https://www.offensive-security.com/kali-linux-arm-images/">https://www.offensive-security.com/kali-linux-arm-images/</a></p>
</li>
<li><p>[2]. Raspberry Pi 400 - <a href="https://www.raspberrypi.org/products/raspberry-pi-400/">https://www.raspberrypi.org/products/raspberry-pi-400/</a></p>
</li>
<li><p>[3]. Etcher Flash Software by Balena - <a href="https://www.balena.io/etcher/">https://www.balena.io/etcher/</a></p>
</li>
<li><p>[4]. Kali Linux Distro - <a href="https://www.kali.org/">https://www.kali.org/</a></p>
</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Breaking Down Two Common Attack Techniques with CyberChef]]></title><description><![CDATA[What is CyberChef?
CyberChef is a simple, intuitive web application for analyzing and decoding data without having to deal with complex tools or programming languages.  It is also known as the “Cyber ]]></description><link>https://blog.portslug.com/breaking-down-two-common-attack-techniques-with-cyberchef</link><guid isPermaLink="true">https://blog.portslug.com/breaking-down-two-common-attack-techniques-with-cyberchef</guid><dc:creator><![CDATA[Portslug's Terminal]]></dc:creator><pubDate>Tue, 31 Mar 2020 14:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69d32adb40c9cabf448de22f/611cbf4a-cfe1-46e6-bd10-1a6a5a30481a.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<hr />
<h5><strong>What is CyberChef?</strong></h5>
<p>CyberChef is a simple, intuitive web application for analyzing and decoding data without having to deal with complex tools or programming languages.  It is also known as the “Cyber Swiss Army Knife” and encourages both technical and non-technical people to explore data formats, encryption and compression.</p>
<h5><strong>Why use CyberChef?</strong></h5>
<p>Data sets come in all shapes, sizes and formats in the modern digital landscape and CyberChef helps make sense of this data in an easy to use web application.</p>
<h5><strong>How does it work?</strong></h5>
<p>As stated above, the CyberChef web application interface is very intuitive and straightforward. It takes the trivial work out of complex data sets and quickly performs a wide range of data manipulation functions called "operations". A sequence of operations is called a "Recipe".</p>
<h5><strong>Useful Operations (CyberChef has over 300 operations and is rapidly growing):</strong></h5>
<ul>
<li><p>From/To Hex</p></li>
<li><p>Regular Expressions</p></li>
<li><p>Strings</p></li>
<li><p>All the Hashes</p></li>
<li><p>From/To Base64</p></li>
<li><p>XOR Brute Force</p></li>
<li><p>Zip/Unzip</p></li>
<li><p>Script Beautify</p></li>
<li><p>URL Encode/Decode</p></li>
<li><p>Encrypt/Decrypt</p></li>
<li><p>Tar/Untar</p></li>
<li><p>Render Image</p></li>
<li><p>Decode Text</p></li>
<li><p>HTTP Request</p></li>
<li><p>Syntax Highlighting</p></li>
<li><p>Extract EXIF</p></li>
<li><p>CSV to JSON</p></li>
<li><p>Public Key Conversions</p></li>
<li><p>To/From Punycode</p></li>
<li><p>Extract File paths</p></li>
<li><p>JSON to CSV</p></li>
<li><p>Detect Filetype</p></li>
<li><p>Scan Embedded Files</p></li>
<li><p>YARA Rules</p></li>
</ul>
<hr />
<h5><strong>CyberChef UI:</strong></h5>
<p>The user interface is very robust and powerful. I highly recommend hosting your own internal web app for private research, and jumping into the public version beforehand to get a feel for the platform. Please see the screenshot below, which outlines some of the high-level features.</p>
<img src="https://substackcdn.com/image/fetch/$s_!OwS7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c2c578c-49b6-4b18-8df0-9e3bec15ba28_300x142.png" alt="" style="display:block;margin:0 auto" />

<h5><strong>CyberChef Default Key Bindings:</strong></h5>
<table>
<thead>
<tr><th>Command</th><th>Shortcut (Win/Linux)</th><th>Shortcut (Mac)</th></tr>
</thead>
<tbody>
<tr><td>Place cursor in search field</td><td>Ctrl+Alt+f</td><td>Ctrl+Opt+f</td></tr>
<tr><td>Place cursor in input box</td><td>Ctrl+Alt+i</td><td>Ctrl+Opt+i</td></tr>
<tr><td>Place cursor in output box</td><td>Ctrl+Alt+o</td><td>Ctrl+Opt+o</td></tr>
<tr><td>Place cursor in first argument field of the next operation in the recipe</td><td>Ctrl+Alt+.</td><td>Ctrl+Opt+.</td></tr>
<tr><td>Place cursor in first argument field of the nth operation in the recipe</td><td>Ctrl+Alt+[1-9]</td><td>Ctrl+Opt+[1-9]</td></tr>
<tr><td>Disable current operation</td><td>Ctrl+Alt+d</td><td>Ctrl+Opt+d</td></tr>
<tr><td>Set/clear breakpoint</td><td>Ctrl+Alt+b</td><td>Ctrl+Opt+b</td></tr>
<tr><td>Bake</td><td>Ctrl+Alt+Space</td><td>Ctrl+Opt+Space</td></tr>
<tr><td>Step</td><td>Ctrl+Alt+'</td><td>Ctrl+Opt+'</td></tr>
<tr><td>Clear recipe</td><td>Ctrl+Alt+c</td><td>Ctrl+Opt+c</td></tr>
<tr><td>Save to file</td><td>Ctrl+Alt+s</td><td>Ctrl+Opt+s</td></tr>
<tr><td>Load recipe</td><td>Ctrl+Alt+l</td><td>Ctrl+Opt+l</td></tr>
<tr><td>Move output to input</td><td>Ctrl+Alt+m</td><td>Ctrl+Opt+m</td></tr>
<tr><td>Create a new tab</td><td>Ctrl+Alt+t</td><td>Ctrl+Opt+t</td></tr>
<tr><td>Close the current tab</td><td>Ctrl+Alt+w</td><td>Ctrl+Opt+w</td></tr>
<tr><td>Go to next tab</td><td>Ctrl+Alt+RightArrow</td><td>Ctrl+Opt+RightArrow</td></tr>
<tr><td>Go to previous tab</td><td>Ctrl+Alt+LeftArrow</td><td>Ctrl+Opt+LeftArrow</td></tr>
</tbody>
</table>
<h5><strong>How will we use it in the blog post?</strong></h5>
<p>The focus of this blog post is to give a brief overview of how CyberChef can aid analysis when you are attempting to decode or decipher pieces of the puzzle. Below are two example encoding techniques that attackers commonly use to evade detection.</p>
<h5><strong>Example 1 – Percentage-Based URL Encoding to Bypass Email Gateways in Phishing Attacks:</strong></h5>
<p>This example breaks down a phishing link that uses percent-based URL encoding to fool the basic URL and domain checks performed by perimeter devices, a technique we often see threat actors use to deliver malicious payloads. We can use CyberChef to decode such links quickly during analysis.</p>
<p>As you can see in the code listed below, the true destination of the hyperlink is not immediately obvious to the untrained eye, and the same holds true for many perimeter security gateways. Percent-based URL encoding is used to redirect us to a specific URL, which is encoded in the first snippet, labeled "Encoded URL". After decoding the URL encoding in CyberChef, we can see that the malicious redirect actually points to a different domain, shown in the "Decoded URL" section.</p>
<p><strong>Encoded URL:</strong></p>
<blockquote>
<p>Hxxps://www.google.lv/url?q=%68%74%74%70%73%3A%2F%2F%67%64%61%6e%6b%2e%63%6f%6d%2F%6f%66%66%6c%63%65%2e%6f%2F%6d%69%63%72%6f%73%6f%66%74%2F%6f%66%66%69%63%65%&amp;sa=D&amp;sntz=1&amp;usg=AFQjCNFP_u6aiJIlXvPgImlhRFP0w5nYlg</p>
</blockquote>
<p><strong>Decoded URL depicted in green above:</strong></p>
<blockquote>
<p>hxxps://gdank[.]com/offlce.o/microsoft/office%&amp;sa=D&amp;sntz=1&amp;usg=AFQjCNFP_u6aiJIlXvPgImlhRFP0w5nYlg</p>
</blockquote>
<img src="https://substackcdn.com/image/fetch/$s_!Nfwv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1f7d7a4-2952-4fd0-a4f3-aa800f3647f4_300x106.png" alt="" style="display:block;margin:0 auto" />

<h5><strong>Example 2 - Ransomware using PowerShell to delete Shadow Copy:</strong></h5>
<p>This example breaks down a tactic that is commonly used in many PowerShell-related attacks to evade detection. Attackers often use base64 encoding to hide malicious attributes or strings within invoked PowerShell commands. As you can see below, once the base64 is decoded you can observe a command that uses PowerShell to delete shadow copies. Often these encoded PowerShell commands are used to download malicious payloads or perform other nefarious actions.</p>
<p><strong>Encoded PowerShell command:</strong> </p>
<blockquote>
<p>[SYSMON EVENT TYPE 1 – RANSOMWARE USING POWERSHELL TO DELETE SHADOWCOPY]<br />Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe<br />CommandLine powershell -e</p>
<p><strong>RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==</strong><br />CurrentDirectory C:\Users\port\AppData\Local\Temp\<br />ParentImage C:\Users\port\AppData\Local\Temp\rpr1l7q0.exe<br />ParentCommandLine “C:\Users\port\AppData\Local\Temp\rpr1l7q0.exe”</p>
</blockquote>
<p><strong>Decoded base64 depicted in green above:</strong></p>
<blockquote>
<p>Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}</p>
</blockquote>
<img src="https://substackcdn.com/image/fetch/$s_!peJy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3cac898d-ee77-4026-8003-88061dc07a82_300x106.png" alt="" style="display:block;margin:0 auto" />
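<p>The two decodings shown in Example 1 and Example 2 can also be done programmatically, which is handy when you have hundreds of links or Sysmon events rather than one. The following Python script is an added example and is not code from the original post: it pulls the percent-encoded destination out of a redirector link and compares it with the visible host, then decodes a PowerShell <code>-EncodedCommand</code> payload from a Sysmon Event ID 1 record and flags shadow-copy deletion. The sample URL and Sysmon fields are constructed from the post's two examples; the function names and the shadow-copy detection patterns are my own assumptions.</p>

```python
"""Decode the two evasion encodings from this post without CyberChef:
percent-encoded redirect targets in phishing links (Example 1) and
base64 + UTF-16LE PowerShell -EncodedCommand payloads (Example 2)."""
import base64
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed sample mirroring Example 1: a defanged open-redirect phishing link.
PHISH_URL = (
    "hxxps://www.google.lv/url?q=%68%74%74%70%73%3A%2F%2F%67%64%61%6e%6b%2e%63%6f%6d"
    "%2F%6f%66%66%6c%63%65%2e%6f%2F%6d%69%63%72%6f%73%6f%66%74%2F%6f%66%66%69%63%65%"
    "&sa=D&sntz=1&usg=AFQjCNFP_u6aiJIlXvPgImlhRFP0w5nYlg"
)

# Constructed sample mirroring Example 2: the Sysmon Event ID 1 fields from the post.
SYSMON_EVENT = {
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": (
        "powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3"
        "AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABl"
        "AHQAZQAoACkAOwB9AA=="
    ),
    "ParentImage": r"C:\Users\port\AppData\Local\Temp\rpr1l7q0.exe",
}


def refang(url: str) -> str:
    """Undo analyst defanging (hxxp, [.]) so the standard URL parser accepts it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def defang(host: str) -> str:
    """Make a host safe to paste into a report: every '.' becomes '[.]'."""
    return host.replace(".", "[.]")


def redirect_target(url: str, param: str = "q") -> dict:
    """Example 1: extract the percent-encoded destination from a redirector link.

    parse_qsl percent-decodes the parameter value and leaves the stray trailing
    '%' in place, which is the same result CyberChef's URL Decode gives.
    """
    parts = urlsplit(refang(url))
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    target = params.get(param, "")
    target_host = urlsplit(target).hostname or ""
    return {
        "visible_host": defang(parts.hostname or ""),
        "target_host": defang(target_host),
        "target": target,
        # The redirect lands on a different domain than the one the user sees.
        "cross_domain": bool(target_host) and target_host != parts.hostname,
    }


def encoded_command_arg(cmdline: str) -> Optional[str]:
    """Return the argument after -e/-enc/-EncodedCommand, or None.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand, so match
    on prefix instead of a fixed list of spellings.
    """
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        if flag[:1] in ("-", "/") and name and "encodedcommand".startswith(name):
            return value
    return None


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Example 2: base64-decode, then UTF-16LE-decode, a -EncodedCommand payload."""
    b64 = encoded_command_arg(cmdline)
    if b64 is None:
        return None
    raw = base64.b64decode(b64, validate=True)
    # PowerShell always encodes -EncodedCommand as UTF-16LE ("Unicode").
    return raw.decode("utf-16-le").rstrip("\x00")


# Assumed detection patterns: the usual spellings of shadow-copy deletion seen
# in decoded command lines (WMI class as in the post, vssadmin, wmic).
SHADOW_COPY_PATTERNS = (
    r"win32_shadowcopy",
    r"vssadmin(\.exe)?\s+delete\s+shadows",
    r"wmic(\.exe)?\s+shadowcopy\s+delete",
)


def shadow_copy_deletion(decoded: Optional[str]) -> bool:
    """True when the decoded command both names shadow copies and deletes them."""
    if not decoded:
        return False
    text = decoded.lower()
    return "delete" in text and any(re.search(p, text) for p in SHADOW_COPY_PATTERNS)


def triage_sysmon_event(event: dict) -> dict:
    """Decode the CommandLine of a Sysmon Event ID 1 record and flag shadow-copy deletion."""
    decoded = decode_encoded_command(event.get("CommandLine", ""))
    return {
        "parent": event.get("ParentImage", ""),
        "decoded_command": decoded,
        "shadow_copy_deletion": shadow_copy_deletion(decoded),
    }


if __name__ == "__main__":
    print(redirect_target(PHISH_URL))
    print(triage_sysmon_event(SYSMON_EVENT))
```

<p>Running the script prints the redirector's visible host (<code>www[.]google[.]lv</code>) next to the real destination (<code>gdank[.]com</code>) with <code>cross_domain</code> set, and the decoded shadow-copy deletion command with <code>shadow_copy_deletion</code> set. Note that the decoder matches any prefix of <code>-EncodedCommand</code>, because an alert rule that only looks for the literal <code>-e</code> is trivially sidestepped by <code>-enc</code> or <code>-EncodedCommand</code>.</p>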

<h5><strong>Conclusion</strong></h5>
<p>CyberChef is a powerful tool for any blue or red teamer's arsenal. The possibilities with CyberChef's capabilities are endless. Researchers have used this tool to bake up some great recipes, including decrypting Group Policy Preferences passwords, decoding and reversing strings and character substitutions, running YARA rules against deobfuscated malicious scripts, and much more. I highly recommend checking out CyberChef and figuring out how it can enhance or fit into your analysis workflow.</p>
<p><strong>References:</strong></p>
<ul>
<li><p>[1].  CyberChef Project - <a href="https://gchq.github.io/CyberChef/">https://gchq.github.io/CyberChef/</a></p>
</li>
<li><p>[2]. Threat Actors Use Percentage-Based URL Encoding to Bypass Email Gateways -  <a href="https://cofense.com/threat-actors-use-percentage-based-url-encoding-bypass-email-gateways/">https://cofense.com/threat-actors-use-percentage-based-url-encoding-bypass-email-gateways/</a></p>
</li>
<li><p>[3].  Malware examples from our friends over at BroadAnalysis - <a href="https://broadanalysis.com/">https://broadanalysis.com/</a></p>
</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[A Beginners Shodan Quest]]></title><description><![CDATA[What is Shodan:
Shodan is a search engine that allows researchers to explore and discover a wide range of devices that are connected to the internet, where they are located and who is using them. Shod]]></description><link>https://blog.portslug.com/a-beginners-shodan-quest</link><guid isPermaLink="true">https://blog.portslug.com/a-beginners-shodan-quest</guid><dc:creator><![CDATA[Portslug's Terminal]]></dc:creator><pubDate>Fri, 13 Mar 2020 14:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69d32adb40c9cabf448de22f/bd8a1caf-e8c8-475a-9e57-d0f9c967e8b9.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h4><strong>What is Shodan:</strong></h4>
<p>Shodan is a search engine that allows researchers to explore and discover a wide range of devices that are connected to the internet, where they are located and who is using them. Shodan is a very powerful reconnaissance tool that can be used to see the bigger picture of internet-connected/public-facing devices such as Smart TVs, refrigerators, Webcams, SCADA and much more [1]. Shodan has servers located around the world that crawl the internet 24/7 to provide the latest internet connected device intelligence.  Using this intelligence can tell you a wide array of information, like where devices are located geographically, what types of technology and versions are present on the devices discovered.</p>
<h4><strong>Why use Shodan:</strong></h4>
<p>Shodan is of particular use for security research that is focused on internet-connected devices such as the Internet of Things (IoT). The number of devices connected to the internet has surpassed 26 billion worldwide according to Statista consumer data reports conducted in 2018 [2]. As IoT devices become more popular in our daily lives, we can expect these numbers to increase drastically over the next several years. The number of IoT-connected devices is projected to grow 10% according to the "iot-analytics" global research market breakdown [3].</p>
<img src="https://substackcdn.com/image/fetch/$s_!R6IY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70bfb448-b758-4805-9921-f0542096c3e4_624x369.png" alt="" style="display:block;margin:0 auto" />

<p>As we see internet-connected devices increase, Shodan can be a great reconnaissance tool for researchers and organizations alike. This search engine can help organizations discover internet-connected devices and provide global insight into an organization's attack surface. Also, with Shodan's vast internet-scale data, researchers can conduct large-scale research quickly. This is one of my go-to tools when conducting attack surface profiling.</p>
<h4><strong>Getting Started with Shodan</strong></h4>
<h5><strong>Basic Shodan UI Overview</strong></h5>
<p>The new Shodan UI is broken down into two primary columns. The left column focuses on several core areas such as total results returned, top ports, organizations, products and operating systems discovered.</p>
<img src="https://substackcdn.com/image/fetch/$s_!PxNV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9a0d04ee-db1a-4b43-9fff-9f84dfada393_478x898.png" alt="" style="display:block;margin:0 auto" />

<p>The center column focuses on the data returned based on the search query filter. This area brings back the specific details related to returned results such as the IP address, location, technology, organization, certificates, response codes and other important information.</p>
<img src="https://substackcdn.com/image/fetch/$s_!uecw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2ae18aa6-6c0c-497d-bdda-0062c6433130_1024x787.png" alt="" style="display:block;margin:0 auto" />

<p>If you click on a specific IP address or hostname within Shodan, it drills into a full information view that breaks the raw data down into sections such as General Information, Web Technologies, Vulnerabilities and Open Ports. The Shodan website UI is intuitive and user-friendly; if you have issues or want to learn more about it, see Shodan's "Navigating the Website" help page [4]: <a href="https://help.shodan.io/the-basics/navigating-the-website">https://help.shodan.io/the-basics/navigating-the-website</a></p>
<h5><strong>Shodan Basic Filters &amp; Syntax</strong></h5>
<p>Below is a list of general search filters that can be used with the Shodan search engine. Filters can also be combined into customized queries to get more granular results faster; see the example filters and searches below.</p>
<h6><strong>Basic search filters you can use:</strong></h6>
<ul>
<li><p><code>city:</code> search for devices in a particular city, by city name</p>
</li>
<li><p><code>country:</code> search for devices in a particular country, by 2-letter country code</p>
</li>
<li><p><code>http.title:</code> search by the HTML title of the web page served</p>
</li>
<li><p><code>net:</code> search a single IP address or a CIDR range (/x)</p>
</li>
<li><p><code>org:</code> search by the name of the organization that owns the IP space</p>
</li>
<li><p><code>geo:</code> search by geographic coordinates (latitude/longitude)</p>
</li>
<li><p><code>hostname:</code> search for results whose hostname matches the specified value</p>
</li>
<li><p><code>os:</code> search by the operating system discovered</p>
</li>
<li><p><code>port:</code> search for devices with the given port open and a service running on it</p>
</li>
<li><p><code>product:</code> search by the name of a product or technology stack</p>
</li>
</ul>
<blockquote>
<p>All filter references are documented on the Shodan website at [5]: <a href="https://beta.shodan.io/search/filters">https://beta.shodan.io/search/filters</a></p>
</blockquote>
<h6><strong>Example Filters &amp; Searches</strong></h6>
<ul>
<li><p>Discover Apache products: <code>product:Apache</code></p>
</li>
<li><p>Discover webcams: <code>Server: SQ-WEBCAM</code></p>
</li>
<li><p>Discover Windows XP Operating System in San Francisco: <code>city:"San Francisco" os:"Windows XP"</code></p>
</li>
<li><p>Discover RDP exposed in New Orleans: <code>city:"New Orleans" port:3389</code></p>
</li>
<li><p>Discover exposed Citrix NetScalers: <code>http.waf:"Citrix NetScaler"</code></p>
</li>
<li><p>Discover Elasticsearch hosts: <code>port:9200 all:"indices" all:"production"</code></p>
</li>
<li><p>Discover routers whose banner advertises default credentials: <code>"admin+1234"</code></p>
</li>
</ul>
<blockquote>
<p><strong>Report &amp; Data Exports:</strong>  You can create reports or export your search results in Shodan by clicking on “create report” or “download results” to export data based on your needs. The download results allow you to export data as CSV, JSON or XML.</p>
</blockquote>
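<p>The two pieces of the workflow above, composing a filter query and working through a "Download Results" export, as an added example that is not part of the original post or of Shodan's own tooling. It builds query strings from filter/value pairs (quoting values with spaces, joining list values with commas), then parses a JSON export (one banner object per line, the format Shodan's download produces) and reproduces the left-column counts plus the two things an attack-surface review wants first: hosts on ports that rarely belong on the internet and hosts Shodan tagged with CVEs. The <code>RISKY_PORTS</code> table is my own choice, <code>SAMPLE_EXPORT</code> is constructed data on documentation address ranges, and the field names (<code>ip_str</code>, <code>port</code>, <code>org</code>, <code>product</code>, <code>location</code>, <code>vulns</code>) are the ones Shodan's banner schema uses.</p>

```python
"""Added example, not part of the original post or of Shodan's own tooling: compose query
strings from the filters listed above and summarise a "Download Results" JSON export the way
the UI's left-hand column does (counts by port, organization, product and country), then pull
out the hosts an attack-surface review cares about. Standard library only, so it runs
offline. SAMPLE_EXPORT is constructed data in the shape of Shodan's export: one banner per
line with ip_str, port, org, product, location and, where Shodan tagged CVEs, vulns."""
import json
from collections import Counter

# Services that deserve a closer look when they show up on your own ranges (my selection).
RISKY_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc", 9200: "elasticsearch"}


def shodan_query(filters, *free_text):
    """Compose a Shodan query from {filter: value} pairs plus bare search terms.
    Values containing whitespace are quoted (city:"San Francisco"), list values become
    comma-separated (port:22,3389), and free-text terms are quoted so they match as phrases."""
    parts = []
    for name, value in filters.items():
        if isinstance(value, (list, tuple)):
            value = ",".join(str(v) for v in value)
        value = str(value)
        if '"' in value:
            raise ValueError(f"{name}: double quotes inside a value are not supported here")
        if any(ch.isspace() for ch in value):
            value = f'"{value}"'
        parts.append(f"{name}:{value}")
    parts.extend(f'"{term}"' for term in free_text)
    return " ".join(parts)


def load_export(lines):
    """Parse a Shodan JSON export: one banner object per line, blank lines ignored."""
    return [json.loads(line) for line in lines if line.strip()]


def summarize(banners, top=5):
    """Counts like the left column of the UI, plus risky exposures and CVE tags."""
    ports = Counter(b.get("port") for b in banners)
    orgs = Counter(b.get("org") or "unknown" for b in banners)
    products = Counter(b.get("product") or "unknown" for b in banners)
    countries = Counter((b.get("location") or {}).get("country_code") or "??" for b in banners)
    risky = sorted(
        (b["ip_str"], b["port"], RISKY_PORTS[b["port"]])
        for b in banners
        if b.get("port") in RISKY_PORTS
    )
    # Shodan keys the vulns field by CVE id; iterating the dict yields those ids.
    vulns = sorted((b["ip_str"], cve) for b in banners for cve in (b.get("vulns") or {}))
    return {
        "total": len(banners),
        "top_ports": ports.most_common(top),
        "top_orgs": orgs.most_common(top),
        "top_products": products.most_common(top),
        "countries": countries.most_common(top),
        "risky": risky,
        "vulns": vulns,
    }


# Constructed sample export (documentation address ranges only), not real Shodan output.
SAMPLE_EXPORT = """\
{"ip_str": "203.0.113.10", "port": 3389, "transport": "tcp", "org": "Example Corp", "product": "Remote Desktop Protocol", "location": {"city": "New Orleans", "country_code": "US"}, "hostnames": ["rdp.example.com"], "vulns": {"CVE-2019-0708": {"cvss": 9.8}}}
{"ip_str": "203.0.113.11", "port": 9200, "transport": "tcp", "org": "Example Corp", "product": "Elastic", "location": {"city": "New Orleans", "country_code": "US"}, "hostnames": []}
{"ip_str": "203.0.113.12", "port": 443, "transport": "tcp", "org": "Example Corp", "product": "Apache httpd", "location": {"city": "San Francisco", "country_code": "US"}, "hostnames": ["www.example.com"]}
{"ip_str": "198.51.100.7", "port": 80, "transport": "tcp", "org": "Example Hosting", "product": "nginx", "location": {"city": "Berlin", "country_code": "DE"}, "hostnames": []}
"""

if __name__ == "__main__":
    print(shodan_query({"city": "New Orleans", "port": 3389}))
    print(shodan_query({"port": 9200}, "indices", "production"))
    for key, value in summarize(load_export(SAMPLE_EXPORT.splitlines())).items():
        print(f"{key}: {value}")
```

<p>To run it against a real export, replace <code>SAMPLE_EXPORT.splitlines()</code> with the lines of the downloaded JSON file; the summary dictionary is what you would feed into a ticket or a Shodan Monitor comparison, and the <code>risky</code> and <code>vulns</code> lists are the findings worth triaging first.</p>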
<h6><strong>New Features:</strong></h6>
<ul>
<li><p><strong>New Beta Search Engine:</strong> The Shodan beta search engine adds additional intelligence across the search platform. It gives a more data-driven view of the technologies and vulnerabilities that may affect the devices discovered, in a newer UI [6].</p>
</li>
<li><p><strong>Shodan Monitor:</strong> Shodan Monitor lets an organization keep track of the devices it has exposed to the internet. You can set up monitoring and notifications for your network ranges to get visibility into what you have connected [7].</p>
</li>
<li><p><strong>Shodan Exploits:</strong> Shodan Exploits is a search engine that pulls known exploits from several sources, such as Exploit-DB and Metasploit, into an easy-to-navigate UI [8].</p>
</li>
</ul>
<h6><strong>References:</strong></h6>
<ul>
<li><p>[1].  Shodan - <a href="https://www.shodan.io/">https://www.shodan.io/</a>; Shodan blog - <a href="https://blog.shodan.io">https://blog.shodan.io</a></p>
</li>
<li><p>[2].  Statista, 2019 reporting - <a href="https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/">https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/</a></p>
</li>
<li><p>[3].  State of the IoT 2018: Number of IOT devices connected and accelerating growth metrics - <a href="https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iot-devices-now-7b/">https://iot-analytics.com/state-of-the-iot-update-q1-q2-2018-number-of-iot-devices-now-7b/</a></p>
</li>
<li><p>[4].  Shodan help navigate the website - <a href="https://help.shodan.io/the-basics/navigating-the-website">https://help.shodan.io/the-basics/navigating-the-website</a></p>
</li>
<li><p>[5].  Shodan Filter references - <a href="https://beta.shodan.io/search/filters">https://beta.shodan.io/search/filters</a></p>
</li>
<li><p>[6]. Shodan Beta Search - <a href="https://beta.shodan.io/">https://beta.shodan.io/</a></p>
</li>
<li><p>[7]. Shodan Monitor - <a href="https://monitor.shodan.io/">https://monitor.shodan.io/</a></p>
</li>
<li><p>[8]. Shodan Exploits - <a href="https://exploits.shodan.io/">https://exploits.shodan.io/</a></p>
</li>
</ul>
]]></content:encoded></item><item><title><![CDATA[Reducing an Organizations Email Attack Surface]]></title><description><![CDATA[In today’s cyber landscape threats are evolving on a daily basis.  There are many ways to reduce your company’s attack surface.  A simple way to reduce a company’s email attack surface is by blocking ]]></description><link>https://blog.portslug.com/reducing-an-organizations-email-attack-surface</link><guid isPermaLink="true">https://blog.portslug.com/reducing-an-organizations-email-attack-surface</guid><dc:creator><![CDATA[Portslug's Terminal]]></dc:creator><pubDate>Thu, 15 Aug 2019 14:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69d32adb40c9cabf448de22f/2366db28-e443-4249-8116-004a50a0d76c.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>In today’s cyber landscape, threats evolve on a daily basis. There are many ways to reduce your company’s attack surface; a simple one for email is to block incoming file types. Email attachments are a frequent delivery channel for malicious content reaching an organization’s end users, and inbound attachments can carry many kinds of malicious files (ransomware droppers, ZIP attachments containing SCR files, .exe files, macro-enabled documents, VBScripts, etc.).</p>
<p>To block incoming file types see methods and policies outlined below.</p>
<p>It is important to spend some time testing these rules before implementing any policy in your organization, and to do so with caution! In some cases clients have had all of their mail blocked when using some of these methods, and these policies can take hours to propagate across an organization. This is why testing rules before implementation is HIGHLY recommended.</p>
<p><strong>Office 365</strong> – Block Incoming File Types (Instructions)</p>
<ul>
<li><p>Log into your office 365 “Administrator portal”</p>
</li>
<li><p>From the top bar, select, "Admin", then select "Exchange"</p>
</li>
<li><p>From the Left Side bar, select "Mail Flow"</p>
</li>
<li><p>From the top bar select "Rules"</p>
</li>
<li><p>Click on the "+" icon and select "Create A New Rule"</p>
</li>
<li><p>First, Click on the "More Options" link at the bottom of the screen</p>
</li>
<li><p>Back at the top of the screen, in the "Name" box, give the rule a name, something like "Incoming Executable Extension Block Rule"</p>
</li>
<li><p>From the "Apply this rule if..." drop down box, hover the mouse over "Any attachment" and from the pop out box, select "file extension includes these words"</p>
</li>
<li><p>In the "Specify words or phrases" box, enter each extension you wish to block individually and without a . in front of the extension and click the "+" icon after each (A sample list is below) - To remove one, select the extension and use the "-" icon. - Once complete, select "OK"</p>
</li>
<li><p>Next, from the "Do the following..." drop down box, hover the mouse over "Block the message" and from the pop out box select the applicable action. The best one to use is "reject the message and include an explanation" - you will be asked to specify a rejection reason; a basic explanation such as "Our organization does not permit certain attachments, for more information email <a href="mailto:helpdesk@companyxyz.com">helpdesk@companyxyz.com</a>" (or whichever mailbox provides support at your organization) is typical.</p>
</li>
<li><p>Next, you can optionally configure exceptions and auditing for the rule; this is not required. When finished, click the "Save" button.</p>
</li>
<li><p>It takes some time for the rule to propagate and come into effect; typically wait about an hour before testing it from an external email account.</p>
</li>
</ul>
<p><strong>Exchange</strong> – Blocking incoming File Types (Instructions)</p>
<ul>
<li><p>Sign in to the “Exchange Admin Center”</p>
</li>
<li><p>Go to Mail Flow &gt; Rules</p>
</li>
<li><p>Select <strong>+</strong> (New) and then select <strong>create new rule</strong>.</p>
</li>
<li><p>In the <strong>Name</strong> box, specify a name for the rule and then select “<strong>More Options</strong>”.</p>
</li>
<li><p>Select the conditions and actions you want.</p>
</li>
</ul>
<blockquote>
<p><strong>These file types are intended as a sample only and not a recommendation as to what you should block at your own organization. As stated in the above article; please use with caution and testing is <em>HIGHLY recommended</em>.</strong></p>
</blockquote>
<p><strong>Files Types</strong> – (Sample File Types)</p>
<p>.asp</p>
<p>.bat</p>
<p>.cmd</p>
<p>.crt</p>
<p>.csh</p>
<p>.dll</p>
<p>.exe</p>
<p>.exe+</p>
<p>.gadget</p>
<p>.hlp</p>
<p>.hta</p>
<p>.inf</p>
<p>.js</p>
<p>.mag</p>
<p>.mam</p>
<p>.maq</p>
<p>.mar</p>
<p>.mas</p>
<p>.mat</p>
<p>.mau</p>
<p>.mav</p>
<p>.maw</p>
<p>.mda</p>
<p>.mdb</p>
<p>.mde</p>
<p>.mdt</p>
<p>.mdw</p>
<p>.mdz</p>
<p>.msc</p>
<p>.msi</p>
<p>.pif</p>
<p>.reg</p>
<p>.scf</p>
<p>.scr</p>
<p>.tmp</p>
<p>.vb</p>
<p>.vbe</p>
<p>.vbs</p>
<p>.vsmacros</p>
<p>.wsf</p>
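<p>The check the transport rule above performs, as an added example that is not from the original post, Microsoft or any mail gateway product: a small inspector you can run over saved <code>.eml</code> files to see what the rule would reject before you switch it from testing to enforcement. Beyond the plain "file extension includes these words" match it handles the two cases the introduction hints at: it looks inside ZIP attachments (the ZIP-with-SCR case) and it flags archive members it cannot open because they are encrypted, which an extension rule alone never sees. Standard library only; <code>build_sample_message()</code> is a constructed test message, and <code>BLOCKED_EXTENSIONS</code> is a subset of the sample list above, not a recommendation.</p>

```python
"""Added example, not from the original post, Microsoft or any mail gateway: the extension
check the Office 365 / Exchange transport rule above performs, written as a small inspector
you can run over saved .eml files to see what the rule would reject before it is enforced.
It also looks inside ZIP attachments and flags members it cannot inspect because they are
encrypted. Standard library only; build_sample_message() is a constructed test message and
BLOCKED_EXTENSIONS is a subset of the post's sample list, not a recommendation."""
import io
import sys
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Lower-case, without the leading dot, as the "file extension includes these words"
# condition expects them.
BLOCKED_EXTENSIONS = {
    "asp", "bat", "cmd", "dll", "exe", "hta", "js", "msi", "pif",
    "reg", "scf", "scr", "vb", "vbe", "vbs", "wsf",
}
MAX_ZIP_DEPTH = 2  # how many nested archives to descend into


def extension_of(filename):
    """Last extension of a name, lower-cased with padding removed, so 'Update.EXE ' and
    'update.exe' are the same thing. Names without a dot return ''."""
    name = (filename or "").strip().rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower().strip() if "." in name else ""


def archive_members(data, prefix, depth=0):
    """Yield (path, inspectable) for every file in a ZIP, descending into nested ZIPs up to
    MAX_ZIP_DEPTH. Encrypted members and unreadable archives come back as not inspectable."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        yield f"{prefix}/<unreadable zip>", False
        return
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}/{info.filename}"
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0 = encrypted
            yield path, not encrypted
            if not encrypted and depth < MAX_ZIP_DEPTH and extension_of(info.filename) == "zip":
                yield from archive_members(archive.read(info), path, depth + 1)


def inspect_message(raw):
    """Return (verdict, reasons): 'reject' on a blocked extension, 'quarantine' when an
    archive could not be inspected, otherwise 'accept'."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons, unscannable = [], False
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = extension_of(name)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"{name}: blocked extension .{ext}")
        elif ext == "zip":
            for path, inspectable in archive_members(part.get_payload(decode=True) or b"", name):
                if not inspectable:
                    reasons.append(f"{path}: cannot be inspected (encrypted or unreadable)")
                    unscannable = True
                elif extension_of(path) in BLOCKED_EXTENSIONS:
                    reasons.append(f"{path}: blocked extension .{extension_of(path)} inside archive")
    if any("blocked extension" in r for r in reasons):
        return "reject", reasons
    return ("quarantine" if unscannable else "accept"), reasons


def build_sample_message():
    """Constructed test message: a harmless PDF, a ZIP hiding a .scr, and a bare .EXE."""
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "user@companyxyz.com"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.scr", b"MZ placeholder, not a real executable")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="Update.EXE")
    return msg.as_bytes()


if __name__ == "__main__":
    # Pass a saved .eml as the first argument, or run with none to inspect the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_message()
    verdict, reasons = inspect_message(raw)
    print(verdict)
    for reason in reasons:
        print(" -", reason)
```

<p>Run it over a mailbox export of messages that arrived in the last few weeks before enabling the rule: every <code>reject</code> it prints is a message the transport rule would have bounced, which is the quickest way to spot legitimate senders (software vendors, build systems) you need an exception for. The equivalent of the portal steps above in Exchange Online PowerShell is <code>New-TransportRule</code> with the <code>-AttachmentExtensionMatchesWords</code> condition and <code>-RejectMessageReasonText</code> action; its <code>-Mode Audit</code> switch gives the same dry run against live mail.</p>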
<p>References:</p>
<p><a href="https://support.office.com/en-us/article/Blocked-attachments-in-Outlook-3811cddc-17c3-4279-a30c-060ba0207372">https://support.office.com/en-us/article/Blocked-attachments-in-Outlook-3811cddc-17c3-4279-a30c-060ba0207372</a></p>
<p><a href="http://social.technet.microsoft.com/wiki/contents/articles/24715.office-365-block-incoming-attachments-cryptolocker-and-other-email-transit-virus.aspx">http://social.technet.microsoft.com/wiki/contents/articles/24715.office-365-block-incoming-attachments-cryptolocker-and-other-email-transit-virus.aspx</a></p>
<p><a href="http://nickwhittome.com/2014/10/16/blocking-executable-attachments-even-in-zip-files-on-office-365/">http://nickwhittome.com/2014/10/16/blocking-executable-attachments-even-in-zip-files-on-office-365/</a></p>
<p><a href="https://technet.microsoft.com/en-us/library/jj919236(v=exchg.150).aspx">https://technet.microsoft.com/en-us/library/jj919236(v=exchg.150).aspx</a></p>
]]></content:encoded></item><item><title><![CDATA[Prt.2 – How to Setup MouseJack and JackIt!]]></title><description><![CDATA[MouseJack Setup
This blog will focus on setting up MouseJack on the Crazyradio by flashing the firmware.  In order to do this follow the steps below.
The hardware required is a Crazy Radio – $28 - $3]]></description><link>https://blog.portslug.com/prt-2-how-to-setup-mousejack-and-jackit</link><guid isPermaLink="true">https://blog.portslug.com/prt-2-how-to-setup-mousejack-and-jackit</guid><dc:creator><![CDATA[Portslug's Terminal]]></dc:creator><pubDate>Fri, 19 Apr 2019 14:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69d32adb40c9cabf448de22f/f4841f38-1892-46df-ab49-b4dcbdc7ba13.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>MouseJack Setup</strong></p>
<p>This blog will focus on setting up MouseJack on the Crazyradio by flashing the firmware. In order to do this, follow the steps below.</p>
<p>The hardware required is a Crazyradio PA – $28 - $35 USD</p>
<p>Go to github:  <a href="https://github.com/BastilleResearch/mousejack/">https://github.com/BastilleResearch/mousejack/</a></p>
<p><em>***Please see the Bastille github pages for the latest release and updates related to MouseJack Research and installation documentation.</em></p>
<p><strong>The first step is to install the dependencies on Ubuntu</strong> (these are the package names from the Bastille README at the time of writing; newer Ubuntu releases ship only python3 packages, so check the repository's current instructions):</p>
<blockquote>
<p>sudo apt-get install sdcc binutils python python-pip</p>
<p>sudo pip install -U pip</p>
<p>sudo pip install -U -I pyusb</p>
<p>sudo pip install -U platformio</p>
</blockquote>
<img src="https://substackcdn.com/image/fetch/$s_!-Our!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0d0eacd8-0cfe-4dca-8554-91f7a7a7d4b5_300x123.png" alt="" style="display:block;margin:0 auto" />

<img src="https://substackcdn.com/image/fetch/$s_!T6YC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7084f1dc-8cb7-4155-95a6-d697eeab419f_300x85.png" alt="" style="display:block;margin:0 auto" />

<p>The following hardware has been tested and is known to work; it is the supported hardware list at the time of this blog.</p>
<ul>
<li><p>CrazyRadio PA USB dongle (the one used in this post)</p>
</li>
<li><p>SparkFun nRF24LU1+ breakout board</p>
</li>
<li><p>Logitech Unifying dongle (model C-U0007, Nordic Semiconductor based)</p>
</li>
</ul>
<p><strong>The second step is to initialize the submodule:</strong></p>
<blockquote>
<p>git submodule init</p>
<p>git submodule update</p>
</blockquote>
<img src="https://substackcdn.com/image/fetch/$s_!sOuh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F85e81b0e-82ac-4672-92cd-457844b24c20_300x37.png" alt="" style="display:block;margin:0 auto" />

<img src="https://substackcdn.com/image/fetch/$s_!Ugys!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfd93fb6-61ab-42f8-9502-9064ed2bd6c1_300x44.png" alt="" style="display:block;margin:0 auto" />

<p><strong>The third step is to build the firmware:</strong></p>
<blockquote>
<p>cd nrf-research-firmware</p>
<p>make</p>
</blockquote>
<img src="https://substackcdn.com/image/fetch/$s_!b-yE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc8f57f41-7992-4ac6-8062-9ef0204c873e_300x115.png" alt="" style="display:block;margin:0 auto" />

<p><strong>The fourth step is to flash over USB:</strong></p>
<p>nRF24LU1+ chips come with a factory programmed bootloader occupying the topmost 2KB of flash memory. The CrazyRadio firmware and RFStorm research firmware support USB commands to enter the Nordic bootloader.</p>
<p>Dongles and breakout boards can be programmed over USB if they are running one of the following firmwares:</p>
<ul>
<li><p>Nordic Semiconductor Bootloader</p>
</li>
<li><p>CrazyRadio Firmware</p>
</li>
<li><p>RFStorm Research Firmware</p>
</li>
</ul>
<p><strong>To flash the firmware over USB:</strong></p>
<blockquote>
<p>cd nrf-research-firmware</p>
<p>sudo make install</p>
</blockquote>
<img src="https://substackcdn.com/image/fetch/$s_!g3Yg!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F454abd01-7cd0-472b-8cc2-ce8639b5e1c2_300x52.png" alt="" style="display:block;margin:0 auto" />

<img src="https://substackcdn.com/image/fetch/$s_!ngdD!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0295c46d-796d-42aa-9542-b37c0c08d170_300x93.png" alt="" style="display:block;margin:0 auto" />

<blockquote>
<p>To get additional information on MouseJack capabilities and tools visit the github listed above.</p>
</blockquote>
<p><strong>JackIt Setup—</strong></p>
<p>After installing the firmware, you can install JackIt via:</p>
<blockquote>
<p>git clone <a href="https://github.com/insecurityofthings/jackit.git">https://github.com/insecurityofthings/jackit.git</a></p>
<p>cd jackit</p>
<p>pip install -e .</p>
</blockquote>
<img src="https://substackcdn.com/image/fetch/$s_!NEMZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe1d9b634-5ccf-40b7-bf5a-8a520676deee_300x67.png" alt="" style="display:block;margin:0 auto" />

<img src="https://substackcdn.com/image/fetch/$s_!tSl_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F706bce0d-cfa1-48d8-bf21-09dbc7743f04_300x131.png" alt="" style="display:block;margin:0 auto" />

<p>Once your CrazyRadio PA is ready, you can launch JackIt via:</p>
<blockquote>
<p>sudo jackit</p>
</blockquote>
<img src="https://substackcdn.com/image/fetch/$s_!O_Mf!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9532d11f-79f0-473f-ac26-6e76b6b35d6f_300x129.png" alt="" style="display:block;margin:0 auto" />
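<p>The whole setup above, from dependencies to <code>sudo jackit</code>, as one script; this is an added example, not code from Bastille Research or the JackIt project. What it adds to the step list is a check of which firmware the dongle is running before and after <code>sudo make install</code>, read from <code>lsusb</code>, so you can tell whether the flash actually took instead of finding out when JackIt cannot open the radio. It assumes Ubuntu with apt, git and lsusb and a CrazyRadio PA plugged in. The USB IDs are, to the best of my knowledge, the ones the Bastille flasher itself looks for (stock Crazyradio firmware, Nordic bootloader, RFStorm research firmware); confirm them against <code>lsusb</code> on your own dongle. The <code>WORKDIR</code> location is my choice.</p>

```python
"""Added example, not from Bastille Research or the JackIt project: the steps of this post
run end to end, with a check of which firmware the dongle is running before and after
flashing so you can tell whether `sudo make install` actually took. Assumes Ubuntu with apt,
git and lsusb, and a CrazyRadio PA plugged in. The USB IDs below are the ones the Bastille
flasher looks for (stock Crazyradio firmware, Nordic bootloader, RFStorm research firmware),
to the best of my knowledge; confirm them with lsusb on your own dongle. The python and
python-pip package names are the post's; newer Ubuntu releases ship only python3 packages,
so check the repository's current README before running."""
import re
import subprocess
import sys
from pathlib import Path

NORDIC_VID = "1915"
FIRMWARE_BY_PID = {"7777": "crazyradio", "0101": "bootloader", "0102": "research"}
LSUSB_ID = re.compile(r"\bID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})")

WORKDIR = Path.home() / "mousejack-build"  # my choice of checkout location
MOUSEJACK_REPO = "https://github.com/BastilleResearch/mousejack.git"
JACKIT_REPO = "https://github.com/insecurityofthings/jackit.git"


def firmware_state(lsusb_output):
    """Classify the first Nordic (1915:xxxx) device in `lsusb` output as 'crazyradio',
    'bootloader', 'research', 'unknown' (Nordic but an unexpected product id) or
    'absent' (no Nordic device at all)."""
    for vid, pid in LSUSB_ID.findall(lsusb_output):
        if vid.lower() == NORDIC_VID:
            return FIRMWARE_BY_PID.get(pid.lower(), "unknown")
    return "absent"


def current_state():
    out = subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    return firmware_state(out)


def run(cmd, cwd=None):
    """Run one of the post's commands, echoing it, and stop on the first failure."""
    print("+", " ".join(cmd), f"(in {cwd})" if cwd else "")
    subprocess.run(cmd, cwd=cwd, check=True)


def main():
    WORKDIR.mkdir(parents=True, exist_ok=True)
    before = current_state()
    print(f"dongle before flashing: {before}")
    if before == "absent":
        sys.exit("no Nordic (1915:xxxx) device found; plug in the CrazyRadio PA first")
    mousejack = WORKDIR / "mousejack"
    firmware = mousejack / "nrf-research-firmware"
    # Step 1: dependencies
    run(["sudo", "apt-get", "install", "-y", "sdcc", "binutils", "python", "python-pip"])
    run(["sudo", "pip", "install", "-U", "pip"])
    run(["sudo", "pip", "install", "-U", "-I", "pyusb"])
    run(["sudo", "pip", "install", "-U", "platformio"])
    # Step 2: clone and initialize the nrf-research-firmware submodule
    if not mousejack.exists():
        run(["git", "clone", MOUSEJACK_REPO], cwd=WORKDIR)
    run(["git", "submodule", "init"], cwd=mousejack)
    run(["git", "submodule", "update"], cwd=mousejack)
    # Steps 3 and 4: build, then flash over USB (the flasher enters the bootloader itself)
    run(["make"], cwd=firmware)
    run(["sudo", "make", "install"], cwd=firmware)
    after = current_state()
    print(f"dongle after flashing: {after}")
    if after != "research":
        sys.exit("research firmware not detected; replug the dongle and re-run 'sudo make install'")
    # JackIt
    jackit = WORKDIR / "jackit"
    if not jackit.exists():
        run(["git", "clone", JACKIT_REPO], cwd=WORKDIR)
    run(["pip", "install", "-e", "."], cwd=jackit)
    print("done: start JackIt with 'sudo jackit'")


if __name__ == "__main__":
    main()
```

<p>If the state after flashing comes back as <code>bootloader</code>, the dongle was switched into the Nordic bootloader but the write did not complete; unplugging and replugging it and running <code>sudo make install</code> again from <code>nrf-research-firmware</code> is the usual fix. A state of <code>crazyradio</code> after the flash means the flasher never found the device, which on most systems is a USB permissions problem (hence the <code>sudo</code>).</p>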

<p><strong>Prt.3 – How to Attack Vulnerable Peripherals with MouseJacking! - (Coming Soon!)</strong></p>
<p>Published by @portslug &amp; @Wolfe409</p>
<p><strong>References</strong>:</p>
<p><a href="https://github.com/BastilleResearch/mousejack/">https://github.com/BastilleResearch/mousejack/</a></p>
<p><a href="https://github.com/insecurityofthings/jackit">https://github.com/insecurityofthings/jackit</a></p>
]]></content:encoded></item><item><title><![CDATA[Prt.1 – MouseJacking is a Dangerous Threat if your Wireless Peripherals are Vulnerable!]]></title><description><![CDATA[What is MouseJacking?
MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice (Bastille, 2016). These peripherals are 'connected' to a host]]></description><link>https://blog.portslug.com/prt-1-mousejacking-is-a-dangerous-threat-if-your-wireless-peripherals-are-vulnerable</link><guid isPermaLink="true">https://blog.portslug.com/prt-1-mousejacking-is-a-dangerous-threat-if-your-wireless-peripherals-are-vulnerable</guid><dc:creator><![CDATA[Portslug's Terminal]]></dc:creator><pubDate>Mon, 15 Apr 2019 14:00:00 GMT</pubDate><enclosure url="https://cdn.hashnode.com/uploads/covers/69d32adb40c9cabf448de22f/e1caf978-7165-49c0-bc30-0fb114df947e.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>What is MouseJacking?</strong></p>
<p>MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice (Bastille, 2016). These peripherals are 'connected' to a host computer using a radio transceiver, commonly a small USB dongle (Bastille, 2016). Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim's computer by transmitting specially-crafted radio signals using a device which costs as little as $15.</p>
<p>An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer without physically being in front of it, and type arbitrary text or send scripted commands (Bastille, 2016). It is therefore possible to rapidly perform malicious activity without being detected. The MouseJack exploit centers around injecting unencrypted keystrokes into a target computer (Bastille, 2016). Mouse movements are usually sent unencrypted, while keystrokes are often encrypted (to prevent eavesdropping on what is being typed). However, the MouseJack vulnerability takes advantage of affected receiver dongles and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer's operating system as if the victim had legitimately typed them (Bastille, 2016).</p>
<p><strong>Bastille MouseJack Youtube Video:</strong></p>
<p><a href="https://youtu.be/3NL2lEomB_Y">https://youtu.be/3NL2lEomB_Y</a></p>
<p><strong>What should you do to protect yourself?</strong></p>
<ul>
<li><p><strong>Do not use a vulnerable peripheral that this attack can be carried out against</strong>. <em>Check with your product vendor to make sure you are not using a vulnerable device. Bastille maintains a list of the vulnerable devices it knows about on its website (see the references section below). Also keep the firmware on peripheral devices updated.</em></p>
</li>
<li><p><strong>Always lock your computer when you step away</strong>. <em>This should be done regardless of mousejacking threats as this should be best practice.</em></p>
</li>
<li><p><strong>Do not allow unauthorized USB devices in the environment</strong>. <em>There are many device control products in the market that allow you to whitelist specific devices and block access to unauthorized devices.</em></p>
</li>
</ul>
<p><a href="https://blog.portslug.com/prt-2-how-to-setup-mousejack-and-jackit"><strong>Prt.2 – How to Setup MouseJack and JackIt.</strong></a></p>
<p>Published by @portslug &amp; @Wolfe409</p>
]]></content:encoded></item></channel></rss>