
ESP32 RIG tutorial

7h30th3r0n3 edited this page Jun 1, 2025 · 1 revision

This page brings together all the ESP32 Rig Master assemblies built by the community.

@PierreAdams


Tutorial and pictures made by @PierreAdams. Thanks a lot to him!

I'm a fan of the projects led by 7h30th3r0n3, and when I came across his Evil M5 Project, I instantly fell for it and bought one.
A few weeks later, after thoroughly playing around with the Evil, I came across this page on his wiki:
https://github.com/7h30th3r0n3/Evil-M5Project/wiki/Wardriving-Master and
https://github.com/7h30th3r0n3/Evil-M5Project/wiki/Handshake-Master

The project looked crazy, but it was still very lightly documented. After having some good discussions with him about what the tool was capable of, I was inspired to build my own homemade Handshake Master.
At the time, I had no idea of all the adventures that would follow...


Hardware

Assembly / Soldering

I received the equipment, so I can get started:

Soldering the mounts to hold the ESP32:

In order to power all the ESP32s simultaneously using a single power source, you need to connect all the 5V pins together and all the grounds together like this:

It’s a bit unclean but functional:

Important: test continuity with a multimeter at each step (to avoid having to redo everything at the end).

Once that’s done, we can start soldering our ESP32s onto the board. We will solder them on the power/ground side, as shown in this diagram:

Soldering the ESPs onto their mounts:

Here’s the work once finished (relatively straight)

Power test to check if all the ESPs are properly powered:

It works!!!

3D printing

Now let's move on to 3D printing to make sure our toy is stable during use.
These are the STL files I use:

I didn’t take many photos of the 3D printing process itself, but here’s what I managed to capture:

Code, Details & Explanation

For the code, here’s how I proceeded:

  • 7 ESP sniffers on the 2.4 GHz band (each on different channels) capturing all EAPOL frames
    • Specifically, each ESP listens on its channel and waits for 4 EAPOL frames plus a beacon frame, then switches to channel 1 to send the data via ESPNow to the Cardputer.
  • 1 ESP that deauthenticates all clients on the Wi-Fi channels it scans.

ESP 1 => Sniffer channel 1
ESP 2 => Sniffer channel 3
ESP 3 => Sniffer channel 6
ESP 4 => Sniffer channel 9
ESP 5 => Sniffer channel 11
ESP 6 => Sniffer channel 13
ESP 7 => Sniffer channel hopping (channels 2, 4, 5, 7, 8, 10, 12, 14)
ESP 8 => Deauther

The LEDs on the sniffers blink when sending frames to the Cardputer and stay off once they have sent their packets.
For the deauther, each blink corresponds to a packet being sent.

Operational analysis:

If we open our Wireshark with this filter:

(wlan.fc.type == 0)&&(wlan.fc.type_subtype == 0x0c)

We can see the ESP spoofing the MAC address of the AP and sending deauthentication frames to the broadcast address FF:FF:FF:FF:FF:FF to disconnect every client at once:

To view the EAPOL frames exchanged while the clients reconnect:
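The Wireshark filter above isolates deauthentication frames by hand; a wireless IDS does the same thing unattended. The following is an added example (not code from the Evil-M5Project or from the rig described on this page) that parses raw 802.11 frames, classifies deauth, beacon and EAPOL frames the way the two filters on this page do, and raises an alert when one BSSID sends a burst of broadcast deauths. It assumes the frames arrive with the radiotap header already stripped; the MAC addresses, timestamps and frame bytes are constructed for the demonstration.

```python
"""Spot broadcast-deauth floods and EAPOL frames in raw 802.11 frames.
Added example, not part of the Evil-M5Project. Input is (timestamp, frame_bytes)
with the radiotap header already removed; all sample data below is constructed."""
import struct
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
# LLC/SNAP header followed by EtherType 0x888E (EAPOL)
LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Describe one 802.11 frame. Returns None if the frame is shorter than a header."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    ftype = (fc0 >> 2) & 0x3            # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0xF
    ds = fc1 & 0x3                      # bit0 = To DS, bit1 = From DS
    a1, a2, a3 = mac_str(raw[4:10]), mac_str(raw[10:16]), mac_str(raw[16:22])
    # Which address holds the BSSID depends on the DS bits (as wlan.bssid does in Wireshark).
    # For management frames addr1 is the DA and addr2 the SA.
    info = {"type": ftype, "subtype": subtype, "addr1": a1, "addr2": a2,
            "bssid": {0: a3, 1: a1, 2: a2}.get(ds), "kind": "other"}
    if ftype == 0 and subtype == 0xC:   # same frames as wlan.fc.type_subtype == 0x0c
        info["kind"] = "deauth"
        info["reason"] = struct.unpack("<H", raw[24:26])[0] if len(raw) >= 26 else None
    elif ftype == 0 and subtype == 0x8:
        info["kind"] = "beacon"
    elif ftype == 2:
        hdr_len = 26 if subtype & 0x8 else 24   # QoS data adds a 2-byte QoS control field
        body = raw[hdr_len:]
        if body.startswith(LLC_SNAP_EAPOL):
            info["kind"] = "eapol"
            info["eapol_type"] = body[9] if len(body) > 9 else None  # 3 = EAPOL-Key
        else:
            info["kind"] = "data"
    return info


def detect_deauth_flood(frames, threshold=5, window_s=2.0):
    """Return [(bssid, peak_count)] for each BSSID that sent at least `threshold`
    broadcast deauthentication frames inside any `window_s`-second window."""
    per_bssid = defaultdict(list)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f and f["kind"] == "deauth" and f["addr1"] == BROADCAST:
            per_bssid[f["bssid"]].append(ts)
    alerts = []
    for bssid, times in per_bssid.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((bssid, peak))
    return alerts


def summarize(frames):
    """Count frame kinds, roughly what the two Wireshark filters on this page show."""
    return Counter((parse_frame(raw) or {}).get("kind", "short") for _, raw in frames)


# ---- constructed sample capture (locally administered MACs, not real devices) ----
AP = bytes.fromhex("0200aabbccdd")
STA = bytes.fromhex("020011223344")
BCAST = b"\xff" * 6


def mgmt(subtype, da, sa, bssid, body=b""):
    return bytes([subtype << 4, 0x00]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body


def data(qos, from_ds, payload):
    fc0 = ((8 if qos else 0) << 4) | (2 << 2)
    a1, a2, a3 = (STA, AP, AP) if from_ds else (AP, STA, AP)
    hdr = bytes([fc0, 0x02 if from_ds else 0x01]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"
    return hdr + (b"\x00\x00" if qos else b"") + payload


EAPOL_KEY = LLC_SNAP_EAPOL + b"\x02\x03\x00\x5f" + bytes(95)          # version 2, type Key
PLAIN_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + bytes(20)           # EtherType 0x0800

SAMPLE_FRAMES = [(i * 0.1, mgmt(0xC, BCAST, AP, AP, b"\x07\x00")) for i in range(6)] + [
    (0.7, mgmt(0xC, STA, AP, AP, b"\x07\x00")),   # unicast deauth, not counted as a flood
    (0.8, mgmt(0x8, BCAST, AP, AP, bytes(12))),   # beacon
    (0.9, data(False, True, EAPOL_KEY)),          # EAPOL-Key, AP -> STA
    (1.0, data(True, False, EAPOL_KEY)),          # EAPOL-Key in a QoS data frame, STA -> AP
    (1.1, data(True, True, PLAIN_IP)),            # ordinary data frame
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FRAMES))
    for bssid, n in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"ALERT: {n} broadcast deauth frames from {bssid} within 2 s")
```

The threshold and window are the knobs to tune: legitimate APs do send the occasional deauth, so a single frame is not evidence, but dozens of broadcast deauths per second from one BSSID, followed by a burst of EAPOL-Key frames, is the pattern a rig like this produces on the air.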

Cracking offline

The best part is now: transferring the file(s) to my machine to start the brute force.
On the SD card, go to the handshake folder:

Then run this script from the directory containing your pcap file(s) to extract the hccapx:
https://github.com/7h30th3r0n3/Evil-M5Project/blob/main/utilities/pcap2hccapx
https://github.com/7h30th3r0n3/Evil-M5Project/blob/main/utilities/pcap2hccapx

python pcap2hccapx.py 
cd hccapx
cat *.hccapx > all.hccapx
hashcat -m 22000 all.hccapx wordlist.txt 
# or :
hashcat -m 22000 all.hccapx -r rules/best64.rule wordlist.txt

And now, wait for the magic to happen...


@Nefast

Pictures

Big thanks to @Nefast for the STL files and pictures!

STL File for @Nefast Rig


@hosseios

Pictures

Big thanks to @hosseios for the pictures!

UNDER CONSTRUCTION
