Exploring possibilities of the ESP32 platform to attack nearby Wi-Fi networks.

Overview

ESP32 Wi-Fi Penetration Tool

This project introduces a universal tool for the ESP32 platform for implementing various Wi-Fi attacks. It provides common functionality that is used across Wi-Fi attacks and makes implementing new attacks a bit simpler. It also includes the Wi-Fi attacks themselves, like capturing PMKIDs from handshakes, or the handshakes themselves by different methods such as starting a rogue duplicated AP or sending deauthentication frames directly, etc.

Obviously cracking is not part of this project, as the ESP32 is not sufficient to crack hashes in an effective way. The rest can be done on this small, cheap, low-power SoC.

Features

  • PMKID capture
  • WPA/WPA2 handshake capture and parsing
  • Deauthentication attacks using various methods
  • Denial of Service attacks
  • Formatting captured traffic into PCAP format
  • Parsing captured handshakes into HCCAPX file ready to be cracked by Hashcat
  • Passive handshake sniffing
  • Easily extensible framework for new attack implementations
  • Management AP for easy configuration on the go, using a smartphone for example
  • And more...

Demo video

Demonstration YouTube video

Usage

  1. Build and flash the project onto an ESP32 (DevKit or module)

  2. Power the ESP32

  3. The management AP is started automatically after boot

  4. Connect to this AP
    By default: SSID: ManagementAP and password: mgmtadmin

  5. In a browser open 192.168.4.1 and you should see a web client to configure and control the tool, like this:

    Web client UI

Build

This project is currently developed using ESP-IDF 4.1 (commit 5ef1b390026270503634ac3ec9f1ec2e364e23b2). It may be broken on newer versions.

The project can be built in the usual ESP-IDF way:

idf.py build

The legacy method using make is not supported by this project.

Flash

If you have set up ESP-IDF, the easiest way is to use idf.py flash.

In case you don't want to set up the whole ESP-IDF, you can use the pre-built binaries included in build/ and flash them using esptool.py (requires Python).

Example command (follow the instructions in the esptool repo):

esptool.py -p /dev/ttyS5 -b 115200 --after hard_reset write_flash --flash_mode dio --flash_freq 40m --flash_size detect 0x8000 build/partition_table/partition-table.bin 0x1000 build/bootloader/bootloader.bin 0x10000 build/esp32-wifi-penetration-tool.bin

On Windows you can use the official Flash Download Tool.

Documentation

Wi-Fi attacks

Attack implementations in this project are described in the main component README. The theory behind these attacks is located in doc/ATTACKS_THEORY.md.

API reference

This project uses Doxygen notation for documenting component APIs and implementation. A Doxyfile is included, so if you want to generate the API reference, just run doxygen from the root directory. It will generate an HTML API reference into doc/api/html.

Components

This project consists of multiple components that can be reused in other projects. Each component has its own README with a detailed description. Here is a brief description of the components:

  • The Main component is the entry point for this project. All necessary initialisation steps are done here. The management AP is started and control is handed to the webserver.
  • The Wifi Controller component wraps all Wi-Fi related operations. It's used to start an AP, connect as a STA, scan nearby APs, etc.
  • The Webserver component provides the web UI to configure attacks. It expects that the AP is started and no additional security features like SSL encryption are enabled.
  • The Wi-Fi Stack Libraries Bypasser component bypasses the Wi-Fi Stack Libraries restriction on sending some types of arbitrary 802.11 frames.
  • The Frame Analyzer component processes captured frames and provides parsing functionality to other components.
  • The PCAP Serializer component serializes captured frames into the PCAP binary format and provides it to other components (mostly for the webserver/UI).
  • The HCCAPX Serializer component serializes captured frames into the HCCAPX binary format and provides it to other components (mostly for the webserver/UI).
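As an added example (not the project's own code), the following C program shows the two pieces that the PCAP Serializer and Frame Analyzer components combine: it writes raw 802.11 frames into a PCAP buffer with link type 105 and then scans that capture for deauthentication and disassociation frames, which is how a wireless IDS flags the deauthentication attacks listed above. The BSSID, frame contents and reason code in the sample capture are constructed values, not real captures.

```c
#include <stdint.h>
#include <string.h>

#define PCAP_MAGIC 0xa1b2c3d4u
#define LINKTYPE_IEEE802_11 105u   /* raw 802.11 frames, no radiotap header */

static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* 24-byte PCAP global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type. */
size_t pcap_init(uint8_t *buf) {
    uint32_t fields[6] = { PCAP_MAGIC, 2u | 4u << 16, 0, 0, 65535, LINKTYPE_IEEE802_11 };
    for (int i = 0; i < 6; i++) put32(buf + 4 * i, fields[i]);
    return 24;
}
/* Append one frame as a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) plus payload. */
size_t pcap_append(uint8_t *buf, size_t len, const uint8_t *frame, uint32_t flen, uint32_t ts_sec) {
    uint32_t rec[4] = { ts_sec, 0, flen, flen };
    for (int i = 0; i < 4; i++) put32(buf + len + 4 * i, rec[i]);
    memcpy(buf + len + 16, frame, flen);
    return len + 16 + flen;
}
/* Count deauth (type 0, subtype 12) and disassoc (subtype 10) frames in a capture. Management
 * frames carry the BSSID in Address 3 (offset 16); it is copied out so an alert can name the
 * network. Returns -1 on a malformed or truncated file. */
int count_deauth(const uint8_t *pcap, size_t len, uint8_t bssid[6]) {
    int hits = 0;
    if (len < 24 || get32(pcap) != PCAP_MAGIC) return -1;
    for (size_t off = 24; off + 16 <= len; ) {
        uint32_t flen = get32(pcap + off + 8);
        const uint8_t *f = pcap + off + 16;
        if (flen > len - off - 16) return -1;              /* record runs past end of buffer */
        if (flen >= 24 && ((f[0] >> 2) & 3) == 0) {        /* management frame */
            uint8_t subtype = f[0] >> 4;
            if (subtype == 12 || subtype == 10) { hits++; memcpy(bssid, f + 16, 6); }
        }
        off += 16 + flen;
    }
    return hits;
}
/* Constructed sample capture: one beacon from a made-up BSSID, then two broadcast deauths (reason 7). */
size_t build_sample_capture(uint8_t *buf) {
    static const uint8_t ap[6] = { 0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };
    uint8_t frame[26] = { 0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; /* beacon, DA=bcast */
    memcpy(frame + 10, ap, 6); memcpy(frame + 16, ap, 6);   /* SA and BSSID */
    size_t n = pcap_append(buf, pcap_init(buf), frame, 24, 1);
    frame[0] = 0xc0; frame[24] = 7;                          /* deauth frame, reason code 7 */
    n = pcap_append(buf, n, frame, 26, 2);
    return pcap_append(buf, n, frame, 26, 2);
}
int sample_deauth_count(void) { uint8_t buf[256], b[6]; return count_deauth(buf, build_sample_capture(buf), b); }
```

A real detector would add a per-BSSID rate threshold over a time window, since a handful of deauths per day is normal roaming behaviour while hundreds per second is an attack.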

Hardware

This project was mostly built and tested on the ESP32-DEVKITC-32E, but there should not be any differences for any ESP32-WROOM-32 module.

Hw components

In the following pictures you can see a battery (Li-Pol accumulator) powered ESP32 DevKitC using the following hardware:

  • ESP32-DEVKITC-32E (cost 213 CZK/8.2 EUR/9.6 USD)
  • 220mAh Li-Pol 3.7V accumulator (weighs ±5g, cost 77 CZK/3 EUR/3.5 USD)
  • MCP1702-3302ET step-down 3.3V voltage regulator (cost 11 CZK/0.42 EUR/0.50 USD)
  • Czech 5-koruna coin for scale (weighs 4.8g, diameter 23 mm, cost 0.19 EUR/0.23 USD)

Altogether (without the coin) this setup weighs around 17g. This can be further downsized by using a smaller Li-Pol accumulator and using the ESP32-WROOM-32 module directly instead of the whole dev board.

This setup cost me around 300 CZK (± 11.50 EUR/13.50 USD). Using the module directly, which costs around 80 CZK (± 3 EUR/3.5 USD), we can get to a price of 160 CZK (± 6.5 EUR/7.5 USD), which makes this tool really cheap and available to almost everybody.

Power consumption

Based on experimental measurements, the ESP32 consumes around 100mA during attack execution.

Contributing

Feel free to contribute. Don't hesitate to refactor the current code base. Please stick to Doxygen notation when commenting new functions and files. This project is mainly built for educational and demonstration purposes, so verbose documentation is welcome.

Disclaimer

This project demonstrates vulnerabilities of Wi-Fi networks and the underlying 802.11 standard, and how the ESP32 platform can be utilised to attack those vulnerable spots. Use responsibly against networks you have permission to attack.

License

Even though this project is licensed under the MIT license (see the LICENSE file for details), don't be shy or greedy and share your work.

Comments
  • working with wemos mini s2?

    Hi, I am trying to flash a wemos s2 mini using the esp download tool

    1. bootloader 0x1000
    2. partitiontable 0x8000
    3. esp wifi penetration tool 0x10000 40 MHz DIO 1152000 and in my case com 10 (?). Just got an esp32 for the first time today. Not sure what is wrong. It says sync but nothing happens. I tried resetting with 0 hold, reset hold, release 0. Help is greatly appreciated
    opened by yentzee 3
  • Decrease index page size

    What:

    • Gzipping index.html before converting to header file.
    • Storing page in page_index.h as a byte array.
    • Serving index.html as a gzipped file.

    Why:

    • Decrease size of index.html from 15531 bytes to 3378 bytes (~21.8% of original size).
    • Gzipping and writing to byte array removes need to manually parse each escape character.
    opened by dkbnz 3
  • Is it possible to use the wsl bypass with platformio?

    I would like to build a similar project which will require the installation of ESP-IDF v4.1 and the use of the wsl bypass method shown in this repo?

    Do you know if it is possible to accomplish this using Platformio? I have done quite a bit of research and gone down quite a few rabbit holes but have found no solution.

    opened by justcallmekoko 3
  • Flashing via Arduino and Hardware doubt

    Hello, I am new to programming firmware for the esp32. Can you tell me the libraries and components we need to flash this, and will this work without the battery and only on a micro-USB connection, like a pocket hacking machine? There are 3 bin files and I have no idea which I need to flash and in which format. Please help, thank you @risinek @dkbarrett

    opened by morpheuslord 1
  • while building and flashing

    \esp32-wifi-penetration-tool-master\build' doesn't seem to be a CMake build directory. Refusing to automatically delete files in this directory. Delete the directory manually to 'clean' it.

    opened by premoswal 1
  • esp82xx compatibility?

    I think I checked all the documentation and information and didn't find an esp8266 (or esp8285) mentioned anywhere.

    Is it possible (in theory) or are there unsolvable issues, hardware or software wise, to make this work on an esp82xx?

    opened by rradar 1
  • Move backlog from Gitlab to Github

    This repo was originally in Gitlab so there is also a backlog of known issues, ideas for improvements, new approaches, refactor "tickets" etc. It will be worth moving them here to make future plans more transparent.

    opened by risinek 0
  • PCAP file downloads fine but HCCAPX file not

    As the title says, I can download the pcap file just fine but it is empty, but when downloading the HCCAPX it just loads forever.

    Wifi RSSI is too low (-93), could it be due to this or it might be that the handshake cannot be captured?

    opened by rOcKoN92 0
  • The plugin 2500 is deprecated and was replaced with plugin 22000.

    Hello,

    Please add support for the new format 22000 as hashcat returns this error and never tries to start cracking:

    "The plugin 2500 is deprecated and was replaced with plugin 22000."

    Otherwise - Awesome tool, thanks!!

    feature-request
    opened by toto99303 5
  • Ultra long range handshake transmission

    Hi, kind of an interesting idea: the new LoRa devices, like the TTGO T-Beam, use esp32s and can communicate with other devices using LoRa, which can communicate for miles. Any chance your project could be combined with the Meshtastic firmware to capture handshakes, then transmit them to another LoRa device?

    opened by SpeedGP 0
Releases: v1.0