Marauding Wi-Fi Networks With The Flipper Zero

Captions
Hello world and welcome to HaXeZ. In this video I'm going to be talking about how you can upgrade your Flipper Zero's functionality and use it as a Wi-Fi penetration testing tool. By default the Flipper Zero doesn't have any Wi-Fi capabilities; however, with the addition of the Wi-Fi developer board you can add this functionality. The Wi-Fi developer board is rocking an ESP32-S2 module, and with that module you can perform Wi-Fi penetration tests such as probing attacks, deauthentication attacks, SSID broadcasting (including Rick Roll) and a bit more. The Wi-Fi developer board can be bought from the official Flipper store for 29 if you're in the US; however, it's currently sold out. As I'm in the UK I purchased mine on Doom for 37.18 plus VAT and delivery.

By default the Flipper Zero Wi-Fi developer board does come with firmware installed; however, we want to flash Marauder to it to give us some more functionality. In order to do this I would recommend heading over to UberGuidoZ's Flipper GitHub repository, and you can see there's a quick and easy flasher/updater for Marauder on the Wi-Fi dev board. All you need to do is scroll down and go to the download zip file, and that will start downloading the zip. Once that's downloaded you need to extract it and locate the flash.bat file. Now take your Wi-Fi developer board and press and hold the boot button, then plug the USB-C into the developer board and into your computer and hold the boot button for three seconds. With your Wi-Fi developer board plugged in and recognised, head back over to the files that you extracted and double-click flash.bat. You'll see the Windows protection pop-up; if you just click on More info and click Run anyway, it will run the program. You'll see now that you have the Marauder script up and running. If it hasn't recognised your Wi-Fi developer board you won't see the options, but you should see four options: flash Marauder, update Marauder, save Flipper Blackmagic Wi-Fi settings, flash Flipper Blackmagic.

The option we're going to go for is option one. If you just hit that and press enter, what will happen now is it will erase the firmware and go through writing the new Marauder firmware to your Wi-Fi developer board, and as you can see it says that we can now close the window. It's important that you wait for this bit to finish and say that it's safe to close the window, to make sure that everything's been written to the device properly. It should now be safe to disconnect your developer board and plug it into your Flipper Zero. It's fairly easy to do: one side has eight pins, one side has ten pins, just make sure the chip is on the same side as the screen and plug it in.

Now before we go any further, what you'll need to do is install a different firmware for your Flipper Zero in order to give you Marauder functionality. So while the Marauder firmware has been flashed to your Wi-Fi developer board chipset, you still need the tools on your Flipper Zero in order to use the Wi-Fi developer board and Marauder. In my opinion the best firmware for this at the moment is either the Unleashed firmware or the RogueMaster firmware. I have videos on my channel explaining how to install both of those different firmwares onto the Flipper Zero, so I'm not going to cover it here, but feel free to go and watch one of those videos and then come back to where you were.

OK, so now that you've got RogueMaster or the Unleashed firmware installed on your Flipper Zero and you've got Marauder installed on your Wi-Fi developer board, it's time to go in and look at the different tools available to us that we can use now with our upgraded Flipper Zero. In order to access the tools we're just going to go to the main menu and go down until we find Applications. From Applications we go into GPIO and you can see there Wi-Fi Marauder. I will admit it's pretty hit and miss; sometimes when I click this button it crashes the Flipper, but other times it doesn't. So I'm going to hit it now and see what happens.

Looking through the various options we have View Log, we have Scan (AP), we have SSID, we have List, and it's good to note that these have sub-menus as well, so pressing left or right will allow you to list AP or list SSID. We then have the option to Select AP or SSID, and this is important when launching attacks because you first need to select the AP or SSID that you want to attack. You then have the option to clear the list: once you've scanned the access points it puts them into a list, and if you want to clear this list you click on Clear List. Then we have the different attack types: we have the deauthentication attack, a probe attack, a Rick Roll attack, then we have the beacon spam (AP list, SSID list and random). Then we have a bunch of sniffing options: we've got the beacon, the deauthentication, the ESP, PMKID, Pwn, and we have Sniff PMKID Channel, and we have Get Channel or Search Channel, and we have some display settings or restore settings, or Force PMKID, Force Probe, Save PCAP, Other, and then we've got Update, Reboot and Help.

OK, let's test out some of the functionality, starting with Scan AP. What this will do is, if you click Scan AP, it will launch a scan and look for all access points in your local area, and you can see that I'm starting to get packets back from the different access points. If I just press up I should be able to see the SSID names; you can see there's a Virgin Media one there starting VM12, and I've got mine there where it says Joe Zone 2 GHz. What this will do is scan all the access points, get all the SSIDs and pop them into a list for you, and again the longer you leave it running the more access points it will find, provided that those access points are in range. It shows you their beacon number, the RSSI, the name of it; yeah, very good information. And again this will put it into a list which you can then use later to attack devices. So once you've finished scanning the access points, what you can do is press back and then go to List.

I'm just going to change this to List Access Points rather than SSID, and you should see all the access points that it's found. Now if you notice there are numbers next to each of the access points: you've got four there, which is my sort of separate Wi-Fi network, another one for Virgin Media, you've got another of my Wi-Fi access points at number six, number seven, and it's important to remember the numbers. Granted, trying to remember the names can be a bit annoying if you were trying to go after the access point via the name or via the SSID, but thankfully the developers of the Marauder firmware have put them into a list and given you numerical digits to remember them by rather than actually having to try and remember the SSIDs. So yeah, that's the list; this list is populated from the Scan AP that we did a moment ago, and then once you've got all this information you can use it to launch attacks against these specific access points.

So now that we have a list of access points, let's select one. First of all I'm just going to go through the list and find my access point, which is number four. Then I'm going to press back and go to Select AP, and then I'm just going to click up, click four, click save. Now I'm going to press back and back again, then I'm going to go into List Access Points, and if we go down the list what you should see now is that 4 has "selected" next to it, meaning that we've successfully selected the access point that we want to attack. Again, I did it via the numerical value; you didn't have to type in the name at all. Now that we've selected it we can go on to launch attacks against that access point. If you wanted to unselect the access point, all you have to do is go back in, go up to the same number, type in 4 (which was the access point), click save, press back, press back again, and then you can go to List Access Points and you'll see that my Wi-Fi network is no longer selected.

OK, moving on to the good stuff, let's start looking at the attacks. First of all we're going to list our APs, and I'm going to see that I have my network at four, Joseph's Wi-Fi network, because you shouldn't be attacking other people's networks with this; again, that would be illegal without the permission of the person that you're attacking. So I need to select four, so I'm just going to go back and Select AP, pop in number four, click save, back out, then go into my list and check that I have the right access point selected, which I do, because again you don't want to target somebody that you don't have permission to attack. Now I'm going to head down to Attack, and the first attack I'm going to do is a Rick Roll attack. Now I'm not sure why you need to have an access point selected for this one (you do have to have one selected, otherwise the attack doesn't start), but this doesn't actually attack a specific access point as far as I know. I used to have a standalone sort of chipset which you could power from a portable battery bank, and it had the same functionality and it had this attack. What this attack does is it creates a lot of SSIDs just by broadcasting SSID data, and what it will do is broadcast the lyrics of the song Never Gonna Give You Up by, whatever he's called, Rick Astley; you know, the Rickroll everybody talks about. But yeah, I don't know why you need an access point selected for this attack. If I click Start, you can see the attack there: "press back to stop", "attack -t rickroll", "Starting Rick Roll", and so on and so forth. So now what it's doing is broadcasting the lyrics of Never Gonna Give You Up by Rick Astley out to the internet, out to the local area where everyone can see it, so anybody who picks up their phone trying to connect to an access point now will get rickrolled by the SSIDs. What I will do is put a screenshot and an overlay on this video to show you what the SSIDs all look like, but yeah, that is the Rick Roll attack.

Now that we're done Rick Rolling people, all you have to do is press the back button, and what we're going to look at next is the deauthentication attack. First of all I need to go back to my list and make sure that my Wi-Fi is still selected. Fantastic. Now I'm going to go down to Attack and change it to the deauthentication or deauth attack, and what you'll see there is it will start sending packets to the access point. Deauthentication attacks are used in wireless attacking; they can be considered a type of jamming technique, but the way it's happening is it's sending deauthentication packets to the access point. Now normally I thought you'd have to spoof the deauthentication packet from the client in order to tell the access point that it is deauthenticating, and the reason why you would do that in wireless hacking is so that you can capture the handshake. When a client attempts to connect to a wireless access point they do a four-way handshake, and in that packet that it sends to the wireless access point it will contain a hash of the password that you use to connect to the access point. So when you do a deauthentication attack you disconnect a client from the wireless network and then they have to reconnect, sending the authentication to the wireless access point again; then you intercept that communication, allowing you to intercept the hash, which you can then take and crack offline, which could give you access to the wireless access point.

Looking at the actual GitHub repository, it's called a deauth flood, and it says the ESP32 is capable of transmitting specifically crafted Wi-Fi packets. Before executing a deauth flood on the ESP32 Marauder you must build a list of available access points (which we did) and select which access point to target; see Scan APs and Select APs for more details on how to build a target list. OK, so we selected our access point. Once the proper target list has been built, a deauth flood can be executed by simply selecting the menu option. The packet transmission rate will be displayed on the screen; the attack can be ended by touching the screen. Now, the more target networks selected, the less effective the attack will be; more networks means more time must be taken in order to send the packets to each network point.

So it doesn't elaborate that much on what it is trying to do; no criticism at all, again I love this tool and it's been great. In my experience I haven't actually been able to deauthenticate a device from my network using this tool, and I only have one network selected and it's a 2 GHz Wi-Fi, and I have my laptop connected to my network, and I used the deauth flood but at no point did it ever disconnect. I'm not sure if I need to run the attack longer, but again I had it running for a very long time and it didn't deauthenticate, so perhaps I'm missing something here. But that is the deauthentication attack; I believe it's used to try and jam the access point and deauthenticate clients from it, but I've not had much luck with it so far.

The next attack we're going to talk about is the probe request flood. The ESP32 is capable of transmitting specifically crafted Wi-Fi packets. Before executing the probe request flood on the ESP32 Marauder you must build a list of available access points and select which access point to target; see Scan AP and Select APs for more details on how to build a target list. Once a proper target list has been built, a probe request flood can be executed by simply selecting the menu option. The packet transmission rate will be displayed on screen; the attack can be ended by touching the screen. Note that more targets... same as the deauthentication attack. What this attack does is it mimics a signal that's sent from devices when they want to connect to an access point. So imagine your phone is just sat there and it isn't connected to a Wi-Fi network; if you have Wi-Fi on, what it will do is automatically send out probe requests for Wi-Fi networks that it's remembered and previously connected to. Then if one of these Wi-Fi access points that is remembered responds back, it initiates the handshake and that can resume communications.

Again, I'm probably butchering the explanation of the actual process and how the packets work, but that's essentially what a probe request is. In order to launch a probe request attack from the Flipper Zero with the Wi-Fi developer board, all we have to do is go back and then go to your list and make sure that you have the correct access point selected; in this case I have my 2 GHz network selected. Then we're going to go down to Attack and choose Probe Attack and click Start. I believe that this attack is just to try and confuse the access point and tie up resources; there could be more to it than that, but reading into it, that's all I appear to have found on it so far. But yeah, that is the probe attack.

There are more things to talk about that I'm not going to cover, for instance the sniffing: you have the ability to sniff packets for various different types of hardware, you can sniff for a Pwnagotchi, you can sniff for the deauthentication packets that we mentioned earlier and probe packets, and I believe there's a way to actually save them into a pcap which you can then take off of the Flipper Zero and do some sort of inspection on, or if you've captured a handshake perhaps you can try and crack it on your rig. The installation process is really simple, and it took about 10 to 20 minutes to get used to navigating around the menu and actually selecting an access point and launching an attack, so it's very intuitive and very simple. There's a lot more I have to learn about wireless types of attacks to fully understand what it's attempting to do and what's going on, and again I can look at the way that it's crafting the packets in the GitHub repository to try and identify a bit more, but that's some research I'm going to do in my own time to better understand. Wi-Fi attacks are something I'm still learning; I know about the different types of attacks like evil twin and I know roughly how the interaction between device and wireless access point works, but I want to know them a bit more intimately to have a better understanding.

That is the Wi-Fi developer board for the Flipper Zero running the Marauder firmware. It's got a lot of functionality and it's fun, and I can't thank the developers enough for getting it to the point where it actually works on the Flipper Zero. Let me know what you think: do you have one? Do you have any tips or tricks for me? Do you have anything to share with anybody? Post it down in the comments. Also let me know if you like this video by giving me a thumbs up, and maybe you could subscribe. But that's all I've got for you today, I do hope you liked it, thank you very much and kind regards.
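The two floods the video walks through (the deauth flood and the beacon/SSID spam behind the Rick Roll attack) are easy to spot from the defending side, because each produces a rate of management frames that a normal neighbourhood never does. The following is an added example, not code from the video or from Marauder: it runs two rate checks over monitor-mode frame summaries, using constructed sample frames (the MACs, SSIDs and timings are made up).

```python
"""Flag the 802.11 floods described above (deauth flood and beacon/SSID
spam) from monitor-mode frame summaries. Added example, not Marauder's
code; the frames below are constructed sample data, not a real capture."""
from collections import defaultdict

# Constructed frame summaries: (time_ms, subtype, source_mac, ssid).
# 120 deauth frames in 1.2 s from one source, one legitimate beacon, then
# 40 beacons carrying never-seen SSIDs in under a second (beacon spam).
SAMPLE_FRAMES = (
    [(i * 10, "deauth", "aa:bb:cc:dd:ee:01", None) for i in range(120)]
    + [(500, "beacon", "aa:bb:cc:dd:ee:01", "HomeNet")]
    + [(1000 + i * 20, "beacon", f"02:00:00:00:00:{i:02x}", f"Never gonna {i}")
       for i in range(40)]
)


def _peak_in_window(times_ms, window_ms):
    """Largest number of events that fall inside any window_ms-wide span."""
    times = sorted(times_ms)
    start = peak = 0
    for end, ts in enumerate(times):
        while ts - times[start] > window_ms:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def deauth_flood_sources(frames, window_ms=1000, threshold=50):
    """Return {source_mac: peak deauth/disassoc frames per window} for every
    source reaching threshold. A real station sends a handful of these when
    it roams or powers off, never dozens per second."""
    per_src = defaultdict(list)
    for ts, subtype, src, _ssid in frames:
        if subtype in ("deauth", "disassoc"):
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        peak = _peak_in_window(times, window_ms)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def new_ssid_burst(frames, window_ms=2000, threshold=20):
    """Return the peak number of SSIDs first advertised inside one window,
    or 0 when below threshold. Beacon spam appears as a burst of brand-new
    SSIDs; genuine networks are seen steadily, not in a sudden cluster."""
    first_seen = {}
    for ts, subtype, _src, ssid in frames:
        if subtype == "beacon" and ssid and ssid not in first_seen:
            first_seen[ssid] = ts
    peak = _peak_in_window(first_seen.values(), window_ms) if first_seen else 0
    return peak if peak >= threshold else 0
```

On the sample data the deauth source is flagged at 101 frames in its busiest second and the spam shows as 41 new SSIDs in one window; the same two functions can be fed rows parsed from a saved pcap.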
Info
Channel: HaXeZ
Views: 117,856
Keywords: Flipper Zero, Wifi, Wireless, Wi-Fi, Marauder, Firmware, Hacking, Deauthe, Wi-Fi Deauthentication Attack, Wi-Fi Probe Attack, Wi-Fi Rick Roll Attack, cybersecurity, learn, programming, coding, capture the flag, analysis, how to learn cybersecurity, beginners hacking, hacker, hacking tutorial, ethical hacking, cyber security, pentester, infosec how to, offensive security, how to start hacking
Id: 1ftcESq-pNY
Length: 16min 30sec (990 seconds)
Published: Thu Nov 10 2022