Synergy Security | Protocol Profile: Tracking Keyboard and Mouse Activity
Many computer users are grateful for Synergy, a piece of software that lets a single mouse and keyboard work seamlessly across multiple machines. As is often the case, convenience comes at the cost of security. For round seven of our recent Network Forensics Puzzle Contest at DEFCON 22, we captured some Synergy network traffic with a clue hidden inside (so stop reading if you have yet to solve that round!). Now we will explore in depth the revealing data carried by the Synergy protocol.
To keep two computers in sync, Synergy must maintain steady communication between server and clients about where the mouse pointer is and which keys are being pressed. Synergy has its own protocol for this purpose, and in the 1.x series it runs over plain TCP. To the network forensic analyst, this means all of that information will be contained in a packet capture of Synergy traffic. If you want to take a look at the capture yourself, here is amazon.pcap for download from round seven of this year’s Network Forensics Puzzle Contest.
To narrow this sizable capture down to just what interests us, filter for “synergy.” Click on any of the filtered packets. In the packet details there is a header that reads “Synergy Protocol.” Click the arrow to expand it. Depending on the packet, it may say “Keep Alive,” “No Operation,” “Mouse Moved,” “Mouse Button Pressed,” “Key Pressed,” or one of a number of other actions. Locate a packet that says “Key Pressed” and expand the details. The first field, “Key Id,” provides an extremely valuable piece of information: for an ordinary printable key, it is the ASCII value of the key the Synergy user pressed.
A quick glance at an ASCII table shows that 97 is the decimal representation of the letter ‘a.’ Wireshark does a lot of the work for you, but if you are interested you can look at the hex bytes in the bottom panel. If you click on “Key Pressed,” Wireshark highlights a hex string starting with “44 4b 44 4e,” which is ASCII “DKDN.” Every “Key Pressed” packet contains this string: it is the message code Synergy uses to tell a connected machine that a key went down. (Each message on the wire is preceded by a four-byte big-endian length, so the code sits at a message boundary rather than anywhere in the stream.) The two bytes following the code are the 16-bit Key Id in big-endian order; the packet shown here contains 00 61, or 97 in decimal. The bytes after that are the modifier mask and the physical key button, which you can ignore for reading text, since the Key Id already reflects Shift (a capital ‘A’ arrives as 00 41). For regular alphanumeric characters the first byte of the Key Id is 00; for non-printing keys such as Backspace, Enter and the arrow keys it is ef, because Synergy numbers those keys like X11 keysyms (0xFF08 for BackSpace) with the leading ff replaced by ef. Note that the key-up message “DKUP” (44 4b 55 50) and the auto-repeat message “DKRP” carry the same Key Id layout, so count only “DKDN” when reconstructing what was typed, and add the repeat count from any “DKRP” messages.
Keystroke logging is a powerful, dangerous ability. With a capture of your unencrypted Synergy traffic, a malicious actor could obtain every username and password you type. To streamline the process of sifting through packets, click on a Synergy packet in Wireshark and select Analyze > Follow TCP Stream.
Select Hex Dump as the format and save the file. You can also download round7hex here. Then download and run keystrokes.py (compatible with Python 3) with the hex file as an argument (or write some code of your own!). The script prints the keystrokes typed to the console. Special keys, identified by the ef byte, are represented with tildes, and the script also prints the numeric values of all special keys for reference.
Synergy tracks mouse movements in addition to keyboard activity. If you look at a few packets that say “Mouse Moved” under “Synergy Protocol,” you will notice the packet contains the hex string “44 4d 4d 56” (ASCII “DMMV”). The two bytes following this code are the x-coordinate of the pointer and the next two bytes are the y-coordinate, both as big-endian 16-bit integers in the server’s screen coordinates.
You can also locate “Mouse Button Pressed” packets, which contain the hex string “44 4d 44 4e 01” (“DMDN” followed by the button number, where 01 is the left button), and “Mouse Button Released” packets, which contain “44 4d 55 50 01” (“DMUP” plus the same button number). A visual representation is the best way to make sense of mouse movements, so download and run mouse-movements.py with the hex file you already saved from Wireshark. The script outputs a graph called mouse-movements.png in your working directory. Mouse movement is plotted in blue, with green dots representing presses and red dots representing releases.
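To tie the keyboard and mouse sections together, here is an added Python 3 example that walks a reassembled Synergy 1.x stream message by message (honouring the four-byte length prefix) and recovers both the typed text and the pointer trace. It is written for this post and is not the contest’s keystrokes.py or mouse-movements.py; the message layouts follow Synergy’s ProtocolTypes.h, and the sample stream at the bottom is constructed by hand rather than taken from amazon.pcap. Unlike the contest script, it applies Backspace, expands key auto-repeat, and drops modifier keys, so the output is the text the victim actually ended up with.

```python
"""Recover keystrokes and mouse activity from a reassembled Synergy TCP stream.

Added example for this post, not the contest's keystrokes.py or mouse-movements.py.
Message layouts follow Synergy's ProtocolTypes.h; SAMPLE_STREAM is constructed
by hand and is not taken from amazon.pcap.
"""
import struct

# Non-printing keys use the 0xEF00 page (X11 keysym 0xFFxx with ff -> ef).
SPECIAL_KEYS = {
    0xEF08: "BackSpace", 0xEF09: "Tab", 0xEF0D: "Return", 0xEF1B: "Escape",
    0xEF51: "Left", 0xEF52: "Up", 0xEF53: "Right", 0xEF54: "Down", 0xEFFF: "Delete",
    0xEFE1: "Shift_L", 0xEFE2: "Shift_R", 0xEFE3: "Control_L", 0xEFE4: "Control_R",
    0xEFE9: "Alt_L", 0xEFEA: "Alt_R",
}
MODIFIERS = range(0xEFE1, 0xEFEF)  # Shift/Control/Alt/Meta/Super/Hyper never type a character


def iter_messages(stream: bytes):
    """Yield message bodies. Each message is a 4-byte big-endian length plus body,
    so b'DKDN' only means a key press when it sits at a message boundary."""
    off = 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, off)
        body = stream[off + 4:off + 4 + length]
        if len(body) < length:          # truncated capture: stop instead of misparsing
            break
        yield body
        off += 4 + length


def decode(body: bytes):
    """Turn one body into an event tuple; None for CALV, CNOP, the hello, and the rest."""
    code = body[:4]
    if code in (b"DKDN", b"DKUP"):      # 44 4b 44 4e / 44 4b 55 50: keyid(2) mask(2) [button(2)]
        (keyid,) = struct.unpack_from(">H", body, 4)
        return (code.decode(), keyid, 1)
    if code == b"DKRP":                 # key auto-repeat: keyid(2) mask(2) count(2) [button(2)]
        keyid, _mask, count = struct.unpack_from(">HHH", body, 4)
        return ("DKRP", keyid, count)
    if code == b"DMMV":                 # 44 4d 4d 56: x(2) y(2), signed big-endian, absolute
        x, y = struct.unpack_from(">hh", body, 4)
        return ("DMMV", x, y)
    if code in (b"DMDN", b"DMUP"):      # button(1): 1 = left, 2 = middle, 3 = right
        return (code.decode(), body[4])
    return None


def key_name(keyid: int) -> str:
    """'a' for 0x61, 'BackSpace' for 0xEF08; the Key Id already reflects Shift ('A' = 0x41)."""
    if keyid in SPECIAL_KEYS:
        return SPECIAL_KEYS[keyid]
    if keyid >> 8 == 0xEF:
        return "Special_%04x" % keyid
    return chr(keyid)


def typed_text(stream: bytes) -> str:
    """Replay DKDN/DKRP into the text typed: BackSpace deletes, Return is a newline,
    modifiers are dropped, any other special key appears as a <Name> token."""
    out = []
    for ev in map(decode, iter_messages(stream)):
        if ev is None or ev[0] not in ("DKDN", "DKRP"):
            continue
        _, keyid, count = ev
        for _ in range(count):
            if keyid == 0xEF08:
                if out:
                    out.pop()
            elif keyid == 0xEF0D:
                out.append("\n")
            elif keyid in MODIFIERS:
                continue
            elif keyid >> 8 == 0xEF:
                out.append("<%s>" % key_name(keyid))
            else:
                out.append(chr(keyid))
    return "".join(out)


def mouse_trace(stream: bytes):
    """Absolute pointer path plus presses/releases tagged with the last known position."""
    path, clicks, pos = [], [], None
    for ev in map(decode, iter_messages(stream)):
        if ev is None:
            continue
        if ev[0] == "DMMV":
            pos = (ev[1], ev[2])
            path.append(pos)
        elif ev[0] in ("DMDN", "DMUP"):
            clicks.append((ev[0], ev[1], pos))
    return path, clicks


# --- constructed sample stream (hand-built, not from the contest capture) ----
def _msg(body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + body

def _key(keyid: int, mask: int = 0) -> bytes:   # press + release in the 1.5 layout (with button field)
    return (_msg(b"DKDN" + struct.pack(">HHH", keyid, mask, 0))
            + _msg(b"DKUP" + struct.pack(">HHH", keyid, mask, 0)))

SAMPLE_STREAM = (
    _msg(b"Synergy" + struct.pack(">HH", 1, 5))       # hello: not an input event
    + _msg(b"CALV")                                   # keep-alive
    + _msg(b"DMMV" + struct.pack(">hh", 640, 400))
    + _msg(b"DMDN\x01") + _msg(b"DMUP\x01")           # left click, say into a password field
    + _key(0xEFE1) + _key(ord("H"), 1)                # Shift_L, then 'H' (mask 1 = shift)
    + b"".join(_key(ord(c)) for c in "untet")
    + _key(0xEF08) + _key(ord("r"))                   # BackSpace fixes the typo
    + _msg(b"DKDN" + struct.pack(">HHH", ord("2"), 0, 0))
    + _msg(b"DKRP" + struct.pack(">HHHH", ord("2"), 0, 1, 0))  # key held: one auto-repeat
    + _msg(b"DKUP" + struct.pack(">HHH", ord("2"), 0, 0))
    + _key(0xEF0D)                                    # Return
    + _msg(b"DMMV" + struct.pack(">hh", 700, 410))
)

if __name__ == "__main__":
    print(repr(typed_text(SAMPLE_STREAM)))
    print(mouse_trace(SAMPLE_STREAM))
```

To run it against real traffic, feed it the bytes of the server-to-client direction of the conversation (in Follow TCP Stream, pick that direction instead of “Entire conversation” and save with “Raw” rather than “Hex Dump”); the client-to-server direction only carries replies and screen information, not input events. The length-prefix walk matters on a live capture: scanning the stream for “44 4b 44 4e” would also match those bytes when they happen to appear inside another message’s payload.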
This capture was taken using the most recent version of Synergy at the time of writing, 1.5.0. Synergy offers optional encryption, which clearly was not in use here. If you are a Synergy user, enabling that encryption can’t hurt, but keep in mind that Synergy’s encryption has been known to be vulnerable, so do not rely on it alone. Especially if your machines connect to Synergy wirelessly, add a further layer such as an encrypted virtual private network (VPN) or a tool like Tcpcrypt, and restrict the Synergy port with a host firewall so that only your own machines can connect.