WiFi Pentesting In Your Pocket / ESP32 Marauder

Captions
Wi-Fi is everywhere. It is all around us, even now, in this very room. We use it for communicating with our friends, our job, even our medical doctor. We use it for shopping, for paying our taxes and managing our bank account, and it is secure, right?

This is Marauder. It is a custom firmware made for ESP32 devices, standalone or as a Flipper Zero module. It will exploit the built-in Wi-Fi capabilities of an ESP32 microcontroller and give you access to features such as creating a password-snatching Wi-Fi hotspot, spamming fake networks, or even forcing devices to disconnect and sniffing packets that can be used to figure out the password of your network. The Marauder firmware is made by this guy called JustCallMeKoko, and he also makes and sells these standalone devices as well as these cool Flipper modules, but you can also load Marauder on the default Flipper Wi-Fi Dev Board and some other ESP32 devices. But let's start by taking a look at this standalone device, and then later on I'll tell you how you can potentially crack the password to your Wi-Fi network. This is primarily a learning tool and you should only test it on networks you have permission to use it on.

The ESP32 Marauder V6 has a 3D printed enclosure, and inside you find a touchscreen, the ESP32 chip, a battery holder, an SD card reader and a USB-C connection for charging and controlling the device through a serial connection, as well as a few buttons and LEDs, and finally an SMA connector for connecting external antennas. ESP32 is a relatively cheap, off-the-shelf programmable microcontroller with built-in Wi-Fi and Bluetooth capabilities. It is found in a multitude of hobbyist as well as commercial products. It's more powerful than an Arduino but not as powerful as a full-blown Raspberry Pi. By pressing the button on the side of the Marauder V6 once it turns on, and by pressing it twice it turns off.

There are four kinds of attacks that Marauder can do that I want to talk about in this video, but let's start with the simplest.

Number one: BLE spamming. Modern phones and computers can use Bluetooth Low Energy for low-energy, low-data-rate and short-distance communication. We can emulate some of these packets, causing unwanted popups that interfere with normal operation, although mostly it's just a bit of an annoyance.

Number two: Wi-Fi beacon spamming and rickrolling. Marauder can send out the same beacon packets that a Wi-Fi access point uses to announce its presence, but we can name them whatever we want. We can make a bunch of random names, we can imitate an existing network name, making it difficult to figure out which one is the correct one, or we can make some custom ones, like the lyrics for the hit Rick Astley song Never Gonna Give You Up.

Number three: evil portal. Marauder can function as an actual access point and a web server. If we start up our free Wi-Fi access point and try to connect to it, we are met with an integrated login page requiring us to enter a username and password before supposedly being able to use this network to go online. If we do so, nothing apparently happens, but at that moment, on the back end, our username and password have been sent to the Marauder and are saved on the SD card as well. You can make your own HTML login page or find a bunch of different pre-made ones online that are made convincingly to imitate official login pages.

And finally we get to the attack that can potentially crack the password of your Wi-Fi network. Here's a simplified explanation of how that is even possible. Modern Wi-Fi networks are encrypted. Even if we save the raw data packets floating around us at this moment, we cannot read most of them because of this encryption. When a device connects to your access point, a so-called four-way handshake occurs where the device and the access point agree on a unique encryption key for that specific device, which is derived from your Wi-Fi password, the master key. Think of it as if your laptop and Wi-Fi access point are meeting for the first time: they're showing each other how the padlock they're going to lock their messages with is constructed. We can use Marauder to take a copy of that padlock and bring it home and inspect it further. It could take a long time, though, before a device is connecting to the network we're monitoring, but Marauder is also capable of sending deauthentication packets which will force already connected devices to disconnect, and now we stand ready to capture those padlock exchanges as all the devices come rushing to reconnect to the access point.

Let us try and attack our very secure access point here. First we need to go into the device settings and enable Force PMKID to enable automatic deauthentication packets during the scan. Then we go into Sniffers and pick EAPOL/PMKID scan. We need to pick the channel our access point is set to, and we should start seeing our laptop disconnecting from the network and the handshake packets piling up on our Marauder.

All the functionality of the standalone Marauder devices is also available on a Flipper Zero if you connect an ESP32 board like this sleek one from JustCallMeKoko, or you can also use the default Flipper Wi-Fi Dev Board. You can use the ESP Flasher app to load the Marauder firmware onto the board directly from the Flipper Zero, and then use the companion Marauder app to control the board through the Flipper. In many ways I actually prefer this over the standalone device: not only is it physically more compact, but some of the menus are easier to control with buttons than a touchscreen, and I find that you get even more information about what's going on. The procedure for sniffing handshakes on the Flipper is as follows: open the Wi-Fi Marauder companion application, scan for access points for a while, go back to List APs and find your access point, noting the number in front. Go to Select AP and enter the number from before. Now go back and down to Sniff, choose PMKID and select targeted active, active meaning that you will send the deauthentication packets as well. During the sniffing you will see the file name of the pcap file that your captures will be saved to, as well as whether any packets have been captured.

Once we've captured a fair amount of packets on either device, we stop the sniffing, take out the SD card and move over to the computer. We now have our digital padlock, but we don't have the key for it. Using the application called hashcat, we can try a bunch of different keys to see if any of them will fit the padlock. First of all we need to convert the pcap file into a format called hc22000 that hashcat can understand. Then we need a wordlist. A wordlist is a large file full of different passwords. If we want to be successful in cracking the password, it needs to be one of those inside our wordlist. This is why choosing an uncommon password is essential in ensuring that no one can break into your Wi-Fi network, and testing the security of your Wi-Fi against such wordlists is a good idea. There are plenty of online sources for good wordlists, and I'll link some below. Once we're ready, we type out the command to start hashcat on our hc22000 file using our wordlist. This can take a few seconds or it can take many hours, depending on the complexity of the password, the size of your wordlist and the power of your computer. If you have a beefy graphics card, this can speed up the process. Eventually hashcat will either find the password or not. In this case it took only a few seconds to find out a very secure password. Now, you could try and brute force the password by trying every combination of numbers and letters in sequence instead of using a wordlist; however, this would take an extremely long time if you don't have at least some knowledge of how the password is constructed.

But why does it matter, you might ask. Who cares if someone gains access to your Wi-Fi network? Every website today uses SSL encryption, so your information is safe, right? Well, once an attacker is inside the walls of your network, he will have much more intimate access to your local devices. Your laptop might have a vulnerable piece of software that your router previously prevented direct access to. Maybe your TV, smart home devices, surveillance cameras or even network drives can be probed for vulnerabilities by the attacker, or perhaps the attacker will simply use your internet connection to perform illegal online activities. There are lots of good reasons to keep your network secure.

Marauder has other interesting features, such as detecting if a deauthentication attack is happening, or the probe request sniffer, which will look for packets from devices that are trying to connect to access points that they are usually connected to. This is valuable information because most access points' physical locations in the world have been mapped on sites such as wigle.net, so knowing what access points a device is trying to connect to will tell you where in the world that device is usually located. Back in the day I was riding my bike around the neighborhood with a laptop in my backpack scanning for open Wi-Fi networks. This is called wardriving. You can mount a GPS into the Marauder V6, and this enables a wardriving feature which logs access points and the GPS positions. You can also share this information with online databases such as wigle.net.

Marauder can also be operated with a command line interface through a USB serial connection on your computer. This will give you direct full access to all of Marauder's capabilities. Check out the wiki page and the Marauder GitHub for a detailed description of the different commands.

There are some caveats to using Marauder, though. First of all, the ESP32 microcontroller only supports 2.4 GHz networks, so you will be unable to attack 5 GHz networks with Marauder. Secondly, some newer Wi-Fi access points will have protection against deauthentication attacks, although in some cases you can attack the clients instead. There are far more technologically advanced Wi-Fi penetration tools out there, and even a laptop with a Wi-Fi adapter can do a lot more, but what's interesting about Marauder is that it runs off cheap and pocketable microcontrollers, even if it isn't as capable as other tools. I hope I've given you a small insight into what ESP Marauder and Wi-Fi security is all about.
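The "padlock" step the video describes, as an added example that is not code from the video or the Marauder project: it derives the PMK and PMKID the way WPA2-PSK does, parses a hashcat hc22000 PMKID line, and shows why only a passphrase that is actually in the wordlist gets recovered. The SSID, MAC addresses and the tiny wordlist are constructed sample values, and the hc22000 line is built locally from a known passphrase instead of from a converted pcap.

```python
# Added example; not part of the video or the Marauder project.
import hashlib
import hmac
from typing import Iterable, Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP MAC || client MAC), 16 bytes."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def parse_hc22000_pmkid(line: str) -> dict:
    """Parse a hashcat hc22000 line of type 01 (PMKID):
    WPA*01*PMKID*MACAP*MACCLIENT*ESSID(hex)***"""
    fields = line.strip().split("*")
    if len(fields) < 6 or fields[0] != "WPA" or fields[1] != "01":
        raise ValueError("not a hc22000 PMKID line")
    return {
        "pmkid": bytes.fromhex(fields[2]),
        "ap_mac": bytes.fromhex(fields[3]),
        "sta_mac": bytes.fromhex(fields[4]),
        "ssid": bytes.fromhex(fields[5]).decode(),
    }


def wordlist_check(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose derived PMKID matches the captured one, else None.
    This is the offline step the video runs with hashcat: every guess costs a full
    PBKDF2 derivation, so a passphrase absent from the list is simply never found."""
    cap = parse_hc22000_pmkid(line)
    for guess in candidates:
        pmkid = derive_pmkid(derive_pmk(guess, cap["ssid"]), cap["ap_mac"], cap["sta_mac"])
        if hmac.compare_digest(pmkid, cap["pmkid"]):
            return guess
    return None


def make_hc22000_pmkid(passphrase: str, ssid: str, ap_mac: bytes, sta_mac: bytes) -> str:
    """Build a constructed hc22000 PMKID line for a network whose passphrase we know."""
    pmkid = derive_pmkid(derive_pmk(passphrase, ssid), ap_mac, sta_mac)
    return "*".join(["WPA", "01", pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex(), "", "", ""])


if __name__ == "__main__":
    # Constructed sample: locally administered MACs and a made-up SSID.
    sample = make_hc22000_pmkid("summer2023", "HomeNet-Test", bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02"))
    print(sample)
    print(wordlist_check(sample, ["password", "12345678", "summer2023"]))  # weak passphrase, in the list
    print(wordlist_check(sample, ["password", "12345678"]))                 # None: not in the list
```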
Info
Channel: sn0ren
Views: 37,087
Id: ilxOgEAHrdc
Length: 10min 34sec (634 seconds)
Published: Thu Jan 04 2024