While my Grid Computing Library (GridMan) has been updated and is now performing a brute-force on the WPA which I intend to use later as a POC, I started working on one tool to rule them all on the ESP.
GridMan Manager App on iPhone
I noticed that when I play with pen-testing I always have a hard time deciding on and setting up the tools I will be using. So I figured I might actually be able to use the ESP8266 to its maximum to do most of the 'dummy' work for me, either acting as a throwie or simply sitting in my pocket.
Most of the time I need to run Kali and play with shell scripts, and this is painful as it always requires me to hook up the keyboard, find the scripts I have already forgotten about, and basically it takes too long.
I needed something quick, where I just choose an option, start it and leave it for results.
That is how RazorEvzr was born, which is basically my Swiss army knife tool for pen-testing. The idea behind this tool is that I power it up, select a plugin and let it go. If power is lost, it auto-resumes when plugged in again. All that kind of stuff had to work automatically, plugins should be easy to develop, and that's what I got after a few days of playing.
So far I have made 3 basic plugins as a pen-testing start.
- EvilTwin attack – which basically clones the victim AP and kicks off a captive portal by redirecting all DNS queries to the ESP. The captive portal is there to grab the password by forcing any victim that connects to provide the AP password (on the pretext that the AP was upgraded); when the input is sent, the ESP tries to connect with the provided password and, if it succeeds, stores it.
- MIMi – this is something I initially wanted as a more complex solution, but it became a simple tool to sniff DNS queries. It's a MIM (man-in-the-middle), so I already need access to the network to play it. What it does is connect to the AP, fire off its own DNS server and its own DHCP server that offers its own pool of addresses with the DNS server set to the ESP, for DNS query logging. The rest of the DHCP parameters stay the same (gateway, netmask, ...); only DNS is set to the ESP, so that traffic flows to the proper gateway/router but DNS queries are sent to the ESP.
- MIMI2 – where we basically use the lwIP library to start the ESP as a NAT router. What does it do? You just select an AP you wish the ESP to connect to, let's say a public AP somewhere in the city center. The ESP connects and obtains an IP address, and the internet works fine, but then it also starts AP mode (so AP_STA all in all). You wait for the victim to join the ESP AP and log the traffic to a file while routing it to the publicly available WiFi; thanks to this, a simple WiFi proxy allows for a great MIM in public places.
Just go there and fire off the ESP; it will create a public network, connect to an already existing WiFi hotspot, but will advertise with some catchy name (either starting with an A to be first on the list, or anything else you can think of).
- To come – probe requests are still alive, so a good example of a plugin would be to sniff for probes in the air and respond with beacons, immediately setting up the AP so the client devices think the network they are probing for is in range. Why? Well, besides the POC, it is a good technique to play with to see how many devices will actually connect, and if that works, use MIMI2 to start sniffing the traffic in the MIM manner.
- I will rewrite more of the previous examples I had (i.e. brute-forcers).
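From a defender's perspective, the patterns above leave fingerprints that a client or a lightweight wireless/network monitor can look for: a cloned SSID shows up as a second, unknown BSSID (often open instead of WPA2); the MIMi-style DHCP server leaves the gateway and netmask untouched but points DNS at itself, so a check that only compares the router option would miss it; and a captive portal that redirects all DNS makes every unrelated name resolve to the same address. The following Python is an added example written for this page, not part of RazorEvzr or any other project. The beacon records, DHCP log lines and DNS answers are constructed sample data, and the trusted-BSSID inventory and trusted DHCP/DNS server sets are assumed values a defender would fill in from their own network.

```python
"""Detection helpers for three rogue-infrastructure fingerprints:
evil-twin SSIDs, rogue DHCP offers that rewrite only the DNS option,
and DNS answers that all point at one address (captive-portal redirect).
All input below is constructed sample data, not a real capture."""

# Assumed inventory of trusted BSSIDs per SSID (placeholder values).
KNOWN_APS = {"HomeNet": {"aa:bb:cc:dd:ee:01"}}

# Constructed beacon observations: (ssid, bssid, channel, security).
BEACONS = [
    ("HomeNet", "aa:bb:cc:dd:ee:01", 6, "WPA2"),
    ("HomeNet", "de:ad:be:ef:00:01", 6, "OPEN"),   # same SSID, unknown BSSID, open
    ("CoffeeShop", "12:34:56:78:9a:bc", 11, "OPEN"),  # SSID we have no inventory for
]

# Constructed DHCP log lines in a simple key=value format (assumed, not a real daemon's format).
DHCP_LOG = """\
DHCPOFFER from=192.168.1.1 yiaddr=192.168.1.50 router=192.168.1.1 dns=192.168.1.1
DHCPOFFER from=192.168.1.77 yiaddr=192.168.1.120 router=192.168.1.1 dns=192.168.1.77
DHCPOFFER from=192.168.1.1 yiaddr=192.168.1.51 router=192.168.1.1 dns=192.168.1.1
"""


def find_evil_twins(beacons, known_aps):
    """Return beacons whose SSID is in the trusted inventory but whose BSSID is not.
    SSIDs absent from the inventory are ignored (no baseline to compare against)."""
    alerts = []
    for ssid, bssid, channel, security in beacons:
        trusted = known_aps.get(ssid)
        if trusted is not None and bssid not in trusted:
            alerts.append((ssid, bssid, channel, security))
    return alerts


def parse_offer(line):
    """Parse one 'DHCPOFFER k=v k=v ...' line into a dict, or None if not an offer."""
    parts = line.split()
    if not parts or parts[0] != "DHCPOFFER":
        return None
    return dict(p.split("=", 1) for p in parts[1:] if "=" in p)


def find_rogue_dhcp(log_text, trusted_dns, trusted_servers):
    """Flag offers from an unknown server or with a DNS option outside the allowlist.
    The DNS check is what catches a server that keeps router/netmask unchanged."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse_offer(line)
        if fields is None:
            continue
        reasons = []
        server = fields.get("from", "?")
        dns = fields.get("dns", "?")
        if server not in trusted_servers:
            reasons.append("unknown DHCP server " + server)
        if dns not in trusted_dns:
            reasons.append("DNS pointed at " + dns)
        if reasons:
            alerts.append((fields.get("yiaddr", "?"), reasons))
    return alerts


def dns_redirect_suspected(resolutions, min_names=3):
    """True when at least min_names unrelated hostnames all resolve to one address,
    the signature of a resolver that answers every query with the portal's IP."""
    if len(resolutions) < min_names:
        return False
    return len(set(resolutions.values())) == 1


if __name__ == "__main__":
    print("evil twins:", find_evil_twins(BEACONS, KNOWN_APS))
    print("rogue DHCP:", find_rogue_dhcp(DHCP_LOG, {"192.168.1.1"}, {"192.168.1.1"}))
    # Constructed answers: every name resolves to the same private address.
    redirected = {"example.com": "192.168.4.1", "example.net": "192.168.4.1", "example.org": "192.168.4.1"}
    print("DNS redirect suspected:", dns_redirect_suspected(redirected))
```

The DNS-redirect check is deliberately based on answers to names the client chooses itself; a rogue resolver cannot tell them apart from any other query, so it has to either answer honestly (and lose the redirect) or answer uniformly (and get caught).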
All of the plugins store data in a central log file on SPIFFS that I can review later on when the device lets me know something good happened. I hooked up an LED so it blinks when a plugin returns success, i.e. EvilTwin has a password stored or MIMI2 has clients connected.
Unfortunately the ESP8266 is heavily limited by Espressif. It would be great open hardware for security research, but it's not even halfway there. With the limited functionality of the packet sniffer and the limited possibility to craft and send our own 802.11 packets, we're left with what they give and try to use it as much as possible. There would be many more security tools made on this hardware, but not much more can be done. Imagine if we could sniff and inject packets freely.
Hack the planet.