new: hid.inject now supports non visible devices (talking directly to the dongle) via the hid.force.type parameter

modules/hid/build_microsoft.go

@@ -36,6 +36,10 @@ func (b MicrosoftBuilder) frameFor(template []byte, cmd *Command) []byte {
 }
 
 func (b MicrosoftBuilder) BuildFrames(dev *network.HIDDevice, commands []*Command) error {
+	if dev == nil {
+		return fmt.Errorf("the microsoft frame injection requires the device to be visible")
+	}
+
 	tpl := ([]byte)(nil)
 	dev.EachPayload(func(p []byte) bool {
 		if len(p) == 19 {

modules/hid/builders.go

@@ -16,3 +16,22 @@ var FrameBuilders = map[network.HIDType]FrameBuilder{
 	network.HIDTypeAmazon:    AmazonBuilder{},
 	network.HIDTypeMicrosoft: MicrosoftBuilder{},
 }
+
+func availBuilders() []string {
+	return []string{
+		"logitech",
+		"amazon",
+		"microsoft",
+	}
+}
+
+func builderFromName(name string) FrameBuilder {
+	switch name {
+	case "amazon":
+		return AmazonBuilder{}
+	case "microsoft":
+		return MicrosoftBuilder{}
+	default:
+		return LogitechBuilder{}
+	}
+}

modules/hid/hid.go

@@ -5,6 +5,7 @@ package hid
 
 import (
 	"fmt"
+	"strings"
 	"sync"
 	"time"
 
@@ -29,6 +30,7 @@ type HIDRecon struct {
 	writeLock    *sync.Mutex
 	sniffAddrRaw []byte
 	sniffAddr    string
+	sniffType    string
 	pingPayload  []byte
 	inSniffMode  bool
 	inPromMode   bool
@@ -121,6 +123,13 @@ func NewHIDRecon(s *session.Session) *HIDRecon {
 		"500",
 		"Time in milliseconds to automatically sniff payloads from a device, once it's detected, in order to determine its type."))
 
+	builders := availBuilders()
+
+	mod.AddParam(session.NewStringParameter("hid.force.type",
+		"logitech",
+		fmt.Sprintf("(%s)", strings.Join(builders, "|")),
+		fmt.Sprintf("If the device is not visible or its type has not being detected, force the device type to this value. Accepted values: %s", strings.Join(builders, ", "))))
+
 	mod.parser = DuckyParser{mod}
 	mod.selector = utils.ViewSelectorFor(&mod.SessionModule, "hid.show", []string{"mac", "seen"}, "mac desc")
 

modules/hid/hid_inject.go

@@ -46,19 +46,30 @@ func errNoKeyMap(layout string) error {
 }
 
 func (mod *HIDRecon) prepInjection() (error, *network.HIDDevice, []*Command) {
-	// we can only inject onto visible connections
+	var err error
-	dev, found := mod.Session.HID.Get(mod.sniffAddr)
+
-	if found == false {
+	if err, mod.sniffType = mod.StringParam("hid.force.type"); err != nil {
-		return errNoDevice(mod.sniffAddr), nil, nil
+		return err, nil, nil
 	}
 
-	// get the device specific protocol handler
+	dev, found := mod.Session.HID.Get(mod.sniffAddr)
-	builder, found := FrameBuilders[dev.Type]
 	if found == false {
-		if dev.Type == network.HIDTypeUnknown {
+		mod.Warning("device %s is not visible, will use HID type %s", tui.Yellow(mod.sniffType))
-			return errNoType(mod.sniffAddr), nil, nil
+	}
+
+	var builder FrameBuilder
+	if found {
+		// get the device specific protocol handler
+		builder, found = FrameBuilders[dev.Type]
+		if found == false {
+			if dev.Type == network.HIDTypeUnknown {
+				return errNoType(mod.sniffAddr), nil, nil
+			}
+			return errNotSupported(dev), nil, nil
 		}
-		return errNotSupported(dev), nil, nil
+	} else {
+		// get the device protocol handler from the hid.force.type parameter
+		builder = builderFromName(mod.sniffType)
 	}
 
 	// get the keymap from the selected layout
@@ -102,11 +113,16 @@ func (mod *HIDRecon) doInjection() {
 		}
 	}
 
+	devType := mod.sniffType
+	if dev != nil {
+		devType = dev.Type.String()
+	}
+
 	mod.Info("sending %d (%s) HID frames to %s (type:%s layout:%s) ...",
 		numFrames,
 		humanize.Bytes(uint64(szFrames)),
 		tui.Bold(mod.sniffAddr),
-		tui.Yellow(dev.Type.String()),
+		tui.Yellow(devType),
 		tui.Yellow(mod.keyLayout))
 
 	for i, cmd := range cmds {