- Saved searches
- Use saved searches to filter your results more quickly
- Releases: 0xchocolate/flipperzero-wifi-marauder
- Marauder companion v0.5.1
- Marauder companion v0.5.0
- Marauder companion v0.4.0
- Contributors
- Marauder companion v0.3.5
- Marauder companion v0.3.4
- Contributors
- Marauder companion v0.3.3
- Marauding Wi-Fi Networks With The Flipper Zero
- Installing Marauder to the Wi-Fi Development Board
- Adding Wi-Fi Functionality To The Flipper Zero
- Marauder Menu
- Scanning Access Points
- Listing Access Points
- Selecting An Access Point
- Rick Roll Attack
- Wi-Fi De-Authentication Attack
- Probe Attack
- Sniffing
- Conclusions
- Настройка ESP32 для запуска WiFi Marauder на Flipper Zero
- Настройка ESP32 для запуска Wi-Fi Marauder на Flipper Zero
- Прошивка ESP32
- Подключение к Flipper Zero
- Заключение
Saved searches
Use saved searches to filter your results more quickly
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session.
Releases: 0xchocolate/flipperzero-wifi-marauder
Marauder companion v0.5.1
ESP32 flasher updates: added options to flash other files with hardcoded addresses (plus ESP32-S3 support!). Also locked out exit button while flashing to prevent the app from hanging.
The FAP is now built automatically for dev and release channels of both official and unleashed firmware. Download the artifact corresponding to your firmware version here: https://github.com/0xchocolate/flipperzero-wifi-marauder/actions/runs/5483088678
Marauder companion v0.5.0
The start of ESP32 flashing in-app!
The app now contains a work-in-progress of an ESP32 flasher (close to the bottom of the menu). Use at your own risk. This hardcodes addresses for non-S3 ESP32 chips, and you’ll need to source your own bootloader, partition table, and application bin files. (Psst. I attached the bin files that I used for testing. Note that blackmagic is only intended for the official dev board.)
If you use it, make sure you put your board into reflash mode first (generally by pressing RESET while holding BOOT).
This process will improve with future updates! 🙂
The FAP is now built automatically for dev and release channels of both official and unleashed firmware. Download the artifact corresponding to your firmware version here: https://github.com/0xchocolate/flipperzero-wifi-marauder/actions/runs/5425439549
Marauder companion v0.4.0
Added Signal Monitor (thanks @justcallmekoko!) to support new sigmon command in Marauder v0.10.5: https://github.com/justcallmekoko/ESP32Marauder/releases
Added keyboard and +5V support from unleashed (thanks @xMasterX!)
The FAP is now built automatically for dev and release channels of both official and unleashed firmware. Download the artifact corresponding to your firmware version here: https://github.com/0xchocolate/flipperzero-wifi-marauder/actions/runs/5105780409
Contributors
Marauder companion v0.3.5
Added sniffpmkid submenu to support new options in Marauder v0.10.4: https://github.com/justcallmekoko/ESP32Marauder/wiki/sniffpmkid
Updated to API 26 to remain compatible with latest official dev firmware.
Copy the FAP file into the apps directory of your flipper’s sd card.
May not be compatible with alternative firmware distributions, but those will usually have this app preinstalled.
Marauder companion v0.3.4
Scripts are here! Thanks to @tcpassos (yes, the same one that brought PCAPs to the flipper sd card), you can now add, edit, remove, and run automation stages from the Scripts menu in the app. The scripts are saved in the «apps_data/marauder/scripts» folder as JSON files.
Have fun, and let us know of any issues!
Updated to API 23 to remain compatible with latest official dev firmware.
Copy the FAP file into the apps directory of your flipper’s sd card.
May not be compatible with alternative firmware distributions, but those will usually have this app preinstalled.
Contributors
Marauder companion v0.3.3
Supports saving console logs to flipper’s sd card! «View Log from start» can be used to view saved logs. The app will ask if you want to enable saving pcaps and logs when you first boot up. You can change the setting anytime in the app by selecting «Save to flipper sdcard» at the bottom of the main menu.
Also maybe fixed some longstanding intermittent corruption bugs and packet drops? Let me know if anything’s unstable! (tech notes: I increased the uart rx buffer size and app stack size, and I changed save file creation to happen before sending the command so that it wouldn’t get in the way of receiving packets.)
Updated to API 20 to remain compatible with latest official dev firmware.
Copy the FAP file into the apps directory of your flipper’s sd card.
May not be compatible with alternative firmware distributions, but those will usually have this app preinstalled.
Marauding Wi-Fi Networks With The Flipper Zero
Hello world and welcome to Haxez, today I’m going to be talking about using your Flipper Zero to attack Wi-Fi networks. By default, the Flipper Zero doesn’t have Wi-Fi capabilities. However, with the addition of the Wi-Fi developer board, you can add this functionality. The Wi-Fi developer board is rocking an ESP32-S2 module. With this module, you can perform Wi-Fi penetration testing such as probing attacks, de-authentication attacks, SSID rickrolling, and more.
Installing Marauder to the Wi-Fi Development Board
The Wi-Fi developer board can be purchased from the Flipper Zero website for $29.00. Obviously, As I’m in the UK I purchased mine from Joom for £36.60 excluding VAT and shipping (Ouch). As mentioned previously, the board adds Wi-Fi functionality to the Flipper Zero but you need to do a bit of work beforehand.
First, you need to download the Marauder firmware and flash it to the developer board. I would recommend using the UberGuidoZ Flipper repository to make the process easier. Unzip the zip archive and locate the flash.bat file. Then, while holding down the boot button, connect the Wi-Fi development board to your computer via USB and hold the boot button down for 3 seconds.
Your computer should recognize the device. Now, double-click the batch file. You may get a Windows security alert, if that is the case click show more and then run anyway. This should spawn a command prompt window similar to the one below. Furthermore, it should have a number of options including the ability to flash the Marauder firmware. Select option 1 and wait patiently for it to install.
Adding Wi-Fi Functionality To The Flipper Zero
Unfortunately, Flipper Zero doesn’t have the functionality to use the Marauder Firmware out of the box. However, you can install some custom firmware that contains the Marauder tools in order to use it. Although, That is going to be outside the scope of this post but feel free to click the image below to read my article on installing the RogueMaster firmware. Once you’ve read that, come back here and finish the article.
Marauder Menu
Now that you have Maurader and RogueMaster installed, you should have access to the Marauder menu on your Flipper Zero. In order to access it, head to Applications > GPIO > [ESP32 WiFi Marauder]. After selecting Marauder you should have a number of options including View Log from, Scap AP, SSID, List, Select, Clear List, Attack, Beacon Spam, Sniff, Sniff PMKID on channel, Channel, Settings, Update, Reboot, and Help. Some of these options have sub-options that can be accessed by pressing left or right on your Flipper.
Scanning Access Points
One of the first options in Marauder is Scan AP. This option lets you scan for access points within your nearby area. Furthermore, the results of these scans can be used with other attacks such as de-authentication and probe attacks. The image below shows that I have started a scan for local access points. The results will be displayed below and saved to the AP list.
Listing Access Points
The next option in the list is to list the access points that you have just scanned. This is a convenient feature as it assigns a number to each of the access points. This number can be used later to select the access point you want to attack. The image below shows the results of running the list command after running the Scan AP command. As you can see, it shows 5 access points (0 to 5). However, the list can be scrolled on indefinitely depending on the number of access points.
Selecting An Access Point
The select option allows you to select an access point based on the list. At least, that’s what I hope it is doing. Regardless, the option presents a keyboard that allows you to type in the access point you want to select. Once selected, you can then launch attacks against the selected access point.
Rick Roll Attack
The first attack that I’m going to talk about is the Rick Roll attack. That’s right, you can rickroll people but not in the conventional sense of sending them the Youtube URL. This attack is mostly harmless but is a cool party trick. By selecting the Rick Roll attack method, you send data out from the Flipper Wi-Fi board and create a bunch of dummy access points named in accordance with the lyrics from the song. As you can see from the image below, I have launched the attack and there are a number of new access points available.
Wi-Fi De-Authentication Attack
The next attack I want to talk about is the Wi-Fi de-authentication attack. This attack can be useful when trying to capture handshakes. Wireless handshakes will contain the hashed password for the access point. Capturing the hash would allow you to crack it and then access the access point. The de-authentication attack works by sending de-authentication frames to the wireless access point. This packet is usually spoofed from the client and forces them to disconnect.
Probe Attack
Probes are sent out by devices when not connected to a wireless access point. They send probes for access points that they have previously connected to in order to see if the access point responds. A probe attack is essentially spamming probe requests to the select access point. I believe the desired output of this attack is to confuse the access point and potentially consume resources leading to a denial of service conditions. Don’t quote me on that though as I’m not 100% sure and am just going off of the articles I’ve read so far. I will update this if I get any more insight into the purpose of this attack.
Sniffing
The Wi-Fi developer board with Marauder also has a number of sniffing options including sniffing de-authentication packets, pwnagatchi packets, beacon packets, esp packets, and pmkid packets. I haven’t played with the sniffing options too much but it doesn’t seem like you can run both attack payloads and sniffing payloads at the same time. I will look into these options further at a later date.
Conclusions
There is a lot more to the Marauder firmware than I’ve covered in this post. it has the ability to sniff packets and other things that I haven’t explored yet. However, I wanted to make a post about it as there aren’t many posts about it. Hopefully, this should get you up and running with the Marauder firmware and more people will make content about it. Anyway, the firmware and Wi-Fi development board are excellent additions to the Flipper Zero if you’re looking to increase its functionality. I can’t wait to see what other things people make.
Настройка ESP32 для запуска WiFi Marauder на Flipper Zero
В предыдущей статье мы говорили про использование Flipper Zero в качестве BadUSB. Сегодня продолжим и рассмотрим настройку ESP32 для запуска Wi-Fi Marauder на Flipper Zero.
Настройка ESP32 для запуска Wi-Fi Marauder на Flipper Zero
Началось с того, что я, в целях экономии, купил Flipper Zero без каких-либо дорогущих, дополнительных модулей. Но, как вы знаете у Flipper Zero нет внутреннего чипа Wi-Fi, поэтому, чтобы сделать мое устройство более универсальным, мне пришлось прикрутить к нему дешевый WiFi. Для этой цели сгодился ESP32.
За каких-то 3,72$ я заказал ESP32 с версией WROOM. Он подходит для некоторых атак Wi-Fi, и работает с приложением Wi-Fi Marauder Flipper Zero.
Прошивка ESP32
Прежде всего, убедитесь, что установили драйвер вашего ESP32. Мой ESP32, для подключения модуля с USB к компьютеру, использует драйвер CH340. Если вы используете ту же версию ESP32, вы можете скачать прошивку отсюда.
Также, убедитесь, что ваш компьютер обнаружил модуль подключенный по USB. В диспетчере устройств должно появится новое устройство — последовательный порт USB (COM x). Если необходимо, обновите драйвер.
ШАГ 1: Скачайте бинарник Flipper Zero Wi-Fi Marauder.
ШАГ 2: Распакуйте архив zip (Marauder_WROOM_v1.10.zip).
ШАГ 3: В моем случае скрипт FZ_Marauder_Flasher не работал, поэтому я делал все вручную, для этого скачал Flash Download Tools.
ШАГ 4: В командной строке запустите flash_download_tool_xxx.exe и отметьте следующие настройки.
Добавьте bin-файлы, так, как это показано на скрине ниже.
Подключите ESP32 по USB, а затем нажмите START.
После этого, на ESP32, в течение секунды удерживайте кнопку BOOT, пока не появится следующее.
Через пару секунд появится сообщение FINISH.
Настройка ESP32 завершена. Можете отсоединить ESP32 от компьютера.
Подключение к Flipper Zero
Выключите Flipper Zero удерживая кнопку BACK.
Ставьте джампера по этой схеме:
ESP32 -> Flipper Zero
TX0 —> RX
RX0 —> TX
GND —> GND
3v3 —> 3v3
После включения Flipper Zero, вы сможете использовать WiFi Marauder для атак на сети WiFi.
Заключение
На этом все. Надеюсь статья была полезна. В следующий раз я покажу, как использовать Flipper Zero для взлома WiFi, а пока рекомендую познакомиться с интересными пейлоадами Flipper Zero.