Menu

Pwn Palace

Helpful Links

O.MG Cable Resources

Purchase Cable

O.MG Setup

Firmware

Developer Blog

O.MG Slack Channel


Defense

NMAP - O.MG Detection Script


Developer Updates

3/13/2020 - Testing is currently underway to resolve missed keystrokes issue

Blog Posts

O.MG! Never trust a phone charger again

 

Hey guys, I just wanted to share my experience with getting this cable set up and running. First, I just want to say i'm extremely disappointed that Hak5 released this device without proper documentation or support. Absolutely nothing on docs.hak5.org

I digress. I am going to share my experience with the O.MG cable, and try to lay out some questions that i've either had myself, or have seen come up in other forums. Please note, I don't work with the developer MG, so I may not be able to answer some questions. So here's what i've learned so far........

How to set up

So like most people, I don't read the little cards that come with the products. I unwrap, head to docs.hak5.org and jump in. Well, with the O.MG cable, READ the card. It shows you the site to go to in order to get started

https://o.mg.lol/setup/

Make sure to download the firmware

https://github.com/O-MG/O.MG_Cable-Firmware/releases

So I downloaded and ran the setup script using defaults. Plugged it into the windows machine, opened my wifi settings on my phone to connect annnnndddd.... nothing

Turns out, to connect you actually have to select the "AP" option during setup, and NOT STATION. Guess what? This was actually in the README.md lol. So moral of this story... READ THE DOCUMENTATION AS DIRECTED

USAGE

So I tried again. Plugged the cable into the victim machine and tried to connect to it through my phone. Voila, i'm connected. Then just surf to 192.168.4.1 on your phone browser to get to the interface. 

SCRIPTS

So, apparently the O.MG cable doesn't come with any useful scripts preloaded. While in the O.MG interface, I went to LOAD > Example Scripts. Nothing particularly useful. They are exactly what they claim to be... just samples of scripts. But if you know powershell or cmd, then by studying the scripts you can figure out how to write your own. Just remember that anything you want typed into the terminals/command prompts, has to be proceeded by the word STRING as shown in the example scripts. 

I GOT 99 PROBLEMS, AND LAUNCHING CMD IS ONE

So launching an example script the first time worked. It opened a run box, ran some powershell, then disconnected. Awesome. So I decided to modify one line of the script to just launch cmd.exe and run ipconfig. Annnnnddd... didn't work. As many times as I tried, running the script didnt launch the cmd. You hear the windows "error beep". Run script again, same thing. Reboot pc, run script, it works the first time, then again get the windows error beep. This is one piece thats not only annoying, but I really cant figure out why it does it. Ill provide my sample script below. Give it a try. It runs IPCONFIG, stores the results in a text file.

CUSTOM SCRIPT

  • GUI R
  • DELAY 2
  • STRING cmd.exe
  • DELAY 1
  • ENTER
  • STRING ipconfig /all > C:\tools\test.txt
  • ENTER
  • DELAY 3
  • STRING exit
  • ENTER

All scripts should be entered within the O.MG web interface

 

FAQ

So you've made a custom script, and its not executing or somethings not quite right. Have you checked the following?

1. My script won't run in an administrative context - The user that is currently logged on must have administrative privileges.

2. Windows won't launch the run dialog, and the script keeps continuing in the wrong context - Tbh, this is one that I haven't really figured out. It seems that if the focus isn't on the desktop itself, it's hit or miss when invoking the run box.

3. Windows won't launch the run dialog at all - Try using different commands. By default, the scripts use "GUI R" to launch the run dialog or terminal windows. First, ensure that the commands you're using are actually for the OS you're attacking. Second, you can replace GUI R with WINDOWS to launch the start menu and type from there. See example below:

DEFAULT

  • GUI R
  • Delay 1
  • STRING cmd.exe
  • ENTER

TRY THIS

  • DELAY 1
  • WINDOWS
  • DELAY 1
  • STRING cmd.exe
  • ENTER

4. When running a script, sometimes a single key is entered multiple times when typing - This is a weird bug that I keep experiencing, and theres no response yet (at least not one that i've noticed) in regards to this issue. An example of this would be the cable launches a terminal or cmd window. Instead of typing ipconfig /all, it'll type ipconnnnnnnnnnnnnnnnnnnnnnnnnnnn. Not sure why this happens, but its a known issue. When this happens, consider the rest of your attack hosed. There's no abort button, so yank that cable, and walk away whistling with your hands in your pocket.....

5. Does the cable have internal storage? So far, the answer seems to be no. Any scripts you want to run can be ran from within the devices application. Those scripts can be saved into one of the empty slots on the device. To save the script, just click "SAVE" at the bottom of the app, and select a slot to save your custom script. From my understanding, there's not enough storage to exfiltrate date. The storage is just large enough to store your payloads, not exfiltrate data. So if you want to exfiltrate anything, you must direct the payload to send the data to an external source

6. My script is too long, and it doesn't allow me to finish it within the application - The cable has its limitations. To remedy this issue, you could save a custom script onto a site like github. Then from within the cables app, write a script to download and invoke it externally (wget on powershell?)

7. I can't flash the firmware! To flash the firmware, you MUST have the developer hardware. Please make sure to purchase the O.MG cable programmer along with the cable itself. You can get it at https://shop.hak5.org/products/o-mg-cable?variant=31269901926513. Simply plug the cable into the programmer, then plug the programmer into your computer. Download the firmware, and run the binary or script as appropriate. Alternatively, you can update the firmware from within the web interface as shown below

8. My cable types so slow.... my rubber ducky can type the same things in a flash! Well, then go buy a rubber ducky. Not all tools will run the same. Also, this cable is brand new to the market and has a lot of bugs to work out. To be honest, i'm ok with the speed at which it types. It allows me to see where my scripts are failing, and notice things such as the "sticky key" effect. If you're worried about the speed, you can do two things. Either keep your target busy (a little conversation can buy you a lot of time), or write a shorter script that invokes the rest of your script.

9. Does this support 5 GHz? No

10. Can I attack the mobile phone that the cable is attached to? The short answer is no, the cable isn't designed for this. Thats not to say that you cant use it to download a mobile device payload (such as meterpreter) and attack the device. But youll have to be creative and make your zombie PC do the work. However, success will depend on the phones security settings (TURN OFF USB DEBUGGING PEOPLE!) and whether or not you can directly interface with it using the victims PC.

11. When setting Delays, what do the numbers denote? The number you specify when invoking delays are in seconds, NOT milliseconds

12. Will the cable charge the victims phone? Yep. The cable acts as any off-the-shelf charging cable. It'll both charge and allow for data transfers. The cable itself is completely stealth.

13. When running the scripts, will the victim see the commands being sent? Yes, absolutely. Which is why its imperative that you keep them busy when executing them ;)

14. When cable is plugged in, the "Driver installing" notification says "O.MG Cable Per developer, try modifying/manually setting the MFG/PRO/SER attributes in your payload. These can be modified with the VID/PID syntax. You can lookup custom VID/PIDs here http://the-sz.com/products/usbid/

15. Can the cable grab passwords from the cell phone it's attached to?  No. The device is designed to compromise the PC it's attached to, not the cellular device. The cable is designed to look like a phone charger for the purpose getting users to trust the device enough to plug it into their PC. You may however, be able to develop a payload that will leverage the compromised PC to relay attacks to the cellular device. There's no active payload out there for that yet, so you must develop it on your own at the moment

16. Do I need to be present to run payloads? To execute payloads, you must be within WiFi range

CONCLUSION

In summary, this cable is a neat little device. Just be careful when using it until all the bugs are worked out. Ill add more to this page as information becomes available. In the meantime, comment below with any other tips or questions, and ill try to address them as I have time.

- EnkOde


RESOURCES

Cable Setup - https://o.mg.lol/setup/

Firmware - https://github.com/O-MG/O.MG_Cable-Firmware/releases

VID/PID Lookup - http://the-sz.com/products/usbid/

 

INSTRUCTIONS (from developers github)

To flash the O.MG Cable:

  • Plug in the programmer to computer
  • Plug in the cable to programmer
  • Run one of the flashers and follow the menu to build a new firmware with your chosen wifi settings
    • flash_[linux/OSX/win64.exe] - a binary for those who want to do the lease amount of work
      • for linux & osx, make sure you set the file as executable. ex: chmod +x flash_osx before you run it: ex ./flash_osx
    • flash.py - for those who know how to execute python scripts, but want the script to automatically install some dependencies.
    • flash_alternative.py - for only the most 1337 hacker who knows about pip install and wants to do everything themselves
  • pay attention to the dialog, you might have to install a driver!
  • When finished, unplug the programmer and plug the cable into a USB port.
  • Wait a bit for all of the services to start up (usually 60 seconds is plenty)

Connect to the O.MG Cable:

NOTE:

  • If you have issues with any of the flasher, make sure you are running a current OS and have followed any of the dialog presented by the flasher.
  • The flasher script requires that you have python 3.7 or higher & with the pyserial module installed. To install pyserial use python3 -m pip install pyserial
  • There are os specific compiled binary flashers for OS X/Linux/Windows. flash_win64.exe, flash_osx, flash_linux. They are static and do not require python3 or pyserial but still require the firmware files. The OS X & Linux bins require an executable flag. e.g. chmod +x flash_linux && ./flash_linux.
  • If you're looking to use http://OMG_LASTSIXOFMACID.local rather than an ip address, your macid is shown to you while flashing the firwmare.
  • If the programmer is not detected, you may need to install the drivers for CP210X USB bridge: https://www.silabs.com/products/development-tools/software/usb-to-uart-bridge-vcp-drivers

SYNTAX

Below is a syntax reference for writing custom payloads for use with the O.MG Cable. Your script should be entered on the run screen as shown below

  • STRING - Type a sequence of letters
  • ENTER - Send the Enter key
  • DELAY # - Delay next step for x seconds
  • USB ON/OFF - Turn USB on/off
  • VID - Set vendor ID
  • PID - Set product ID
  • MAN - Set manufacturer length (max 40 chars)
  • PRO - Set product info (max 40 chars)
  • JIGGLER ON/OFF - Turn jiggler on or off
  • FS - Make MacOS terminal full screen. Sends ctrl+cmd+f
  • SELF-DESTRUCT - Erases flash. WARNING: THIS WILL DESTROY THE CABLE
  • NEUTER - Erases file system and all data on the chip
  • GUI/WINDOWS - Uses Windows key or Mac CMD key
  • ALT - Uses ALT key
  • CTRL - Uses CTRL key
  • SHIFT - Uses SHIFT key
  • TAB - Uses TAB key
  • SPACE - Uses SPACE key
  • CAPSLOCK - Uses CAPS LOCK key
  • DELETE - Uses DELETE key
  • HOME - Uses HOME key
  • INSERT - Uses INSERT key
  • NUMLOCK - Uses NUMLOCK key
  • PAGEUP/PAGEDOWN - Uses PAGE UP or PAGE DOWN keys
  • SCROLLLOCK - Uses SCROLL LOCK key
  • PAUSE/BREAK - Uses PAUSE or BREAK keys
  • ESC/ESCAPE - Uses ESCAPE key
  • RIGHT/RIGHTARROW/LEFT/LEFTARROW/UP/UPARROW/DOWN/DOWNARROW - Uses ARROW keys
  • A-Z - Uses letter keyboard keys
  • F1-F12 - Uses specified FUNCTION keys

Heads Up Display (HUD)