About me My standards Book Blog Video Blog
Menu
About me Kontakt

How to use the ESP8266 microcontroller for scanning WiFi networks? (video, 9 minutes)

ESP8266 WiFi monitoring IoT programming data library hacking Arduino technology

In the latest episode of Hak5, Alex Lind demonstrates how to use the inexpensive ESP8266 microcontroller to perform promiscuous Wi-Fi data scanning. This remarkably affordable component, which can be found for as low as $3 on sites like AliExpress, has a wide array of applications ranging from IoT devices to controlling custom hardware platforms and even executing simple Wi-Fi attacks. In the video, Alex showcases how to enable monitor mode, which allows for passive listening to all Wi-Fi data in the vicinity. This is akin to being in a room filled with people talking, where one can selectively listen to different conversations happening simultaneously.

Utilizing this mode enables the capture of packets on the 2.4 GHz spectrum, which allows for identifying device types or specific activities. The presenter references prior projects like ESPBUG, which feature this technology's capabilities. The episode also discusses the ESP Pro library by Ricardo Oliveira, a basic API that facilitates interaction with the ESP8266. Alex highlights how useful this library can be, as it can be applied to various tasks associated with Wi-Fi data capture.

To get started, viewers will need a computer with the Arduino IDE installed and an ESP8266. Alex guides them through cloning GitHub repositories required for the necessary software and code samples. Once the board is set up correctly, viewers are able to upload code to their ESP8266, which then outputs raw Wi-Fi data to the serial monitor. They can observe MAC addresses, packet types, and other insightful information.

Concluding the segment, Alex presents simple code demonstrations he has written for the ESP Pro library. One example includes an SD card data logger, which enables storing captured data into a CSV file. By structuring the code similarly to the original ESP Pro library, Alex makes modification and adaptation easy for viewers who wish to start their own projects. This empowers them with additional coding skills while applying the ESP8266 in diverse ways.

At the time of writing this article, the video from Hak5 has accrued 31,853 views and 1,136 likes. This enables the identification of activities such as deauthentication attacks and logs valuable data, making it an incredibly useful tool for technology enthusiasts. In future videos, Alex promises to reveal more uses for the ESP8266, which will intrigue many keen programmers and tech hobbyists, encouraging active participation in the Hak5 community.

Toggle timeline summary

  • 00:00 Introduction to promiscuous Wi-Fi scanning using a $5 microcontroller.
  • 00:05 Overview of ESP8266 as a Wi-Fi microcontroller.
  • 00:19 Discussion of use cases for the ESP8266 in IoT devices and simple Wi-Fi attacks.
  • 00:34 Mention of popular projects utilizing the ESP8266.
  • 00:41 Explanation of enabling monitor mode on the device.
  • 00:51 Analogy of monitor mode for capturing Wi-Fi data.
  • 01:07 Benefits of capturing packets on the 2.4GHz spectrum.
  • 01:16 Requirements to follow along: Arduino IDE, ESP8266, optional SD card logger.
  • 01:26 Introduction to ESP Pro library by Ricardo Oliveira.
  • 01:38 Reference to the Friend Detector project using the ESP Pro library.
  • 01:49 Cloning the GitHub repository for the ESP Pro library.
  • 02:06 Opening the .ino file for Arduino code demonstration.
  • 02:24 Description of live data capture to the serial monitor.
  • 02:38 Details on Wi-Fi packet types and captures.
  • 02:52 Reference to Wikipedia for Wi-Fi packet types.
  • 03:09 Example of identifying Wi-Fi attacks via packet captures.
  • 03:26 Setting up the Arduino IDE for code uploading.
  • 03:47 Uploading the code to the ESP8266.
  • 03:59 Observing incoming Wi-Fi packets on the serial monitor.
  • 04:15 Identifying new devices with the library.
  • 04:33 Demonstration of a simple SD card logger.
  • 04:54 Cloning GitHub repository for ESP Pro library demos.
  • 05:17 Introduction to two code demonstrations in the repository.
  • 06:18 Logging Wi-Fi data to a CSV file.
  • 07:37 Benefits of using CSV format for data storage.
  • 08:09 Conclusion on the versatility of the ESP8266 for logging and reconnaissance.
  • 08:30 Inviting viewer suggestions for future videos.
  • 08:41 Ending the video and expressing gratitude to viewers.

Transcription

Today, I'm going to show you how you can promiscuously scan Wi-Fi data on a $5 microcontroller, and also show you how to write your own Wi-Fi reconnaissance tools using the ESP8266. The ESP8266 is a Wi-Fi microcontroller that you can find for as cheap as up to $3 on sites like AliExpress, and it offers a wide range of use cases such as for IoT devices, controlling custom hardware platforms, or even just launching very simple Wi-Fi attacks. This device has been used in many popular projects such as Spacetoon's open source Wi-Fi deauthor, and is commonly found in lots of IoT devices like smart home light bulbs. In today's video, I'm going to show you how you can enable monitor mode on this device, which is a mode that comes on some Wi-Fi cards, allowing it to passively listen in to all the Wi-Fi data coming in around it. Now this is sort of like if I were in a room full of people talking and chose to selectively listen to parts of everyone's conversation at the same time. Using this mode means we'll be able to capture packets on the 2.4GHz spectrum, which will let us log device types or certain activity, which I found very useful in some of my previous projects like the ones I featured on this channel such as ESPBUG, and a few more demonstrations that I have upcoming in future videos. To follow along with today's video, all you're going to need is a computer with the Arduino IDE installed, an ESP8266, and an optional SD card logger. Today we're going to be looking at the ESP Pro library by Ricardo Oliveira, which is a basic API that allows us to interface with the ESP8266 and output captured Wi-Fi data to the serial monitor. Now you might have seen his Friend Detector project featured before, which uses this exact library to detect known nearby devices, and I've also used ESPPL across a few of my projects before since I find it super handy as a high-level interface for the ESP8266. To start, I'm going to go ahead and clone his GitHub repository to my computer. I'm going to copy the address and open up a terminal. And I'm just going to run git clone https://github.com/.ricardooliveira.esprolibrary. After it downloads, I'm going to go ahead and open the repository we downloaded, open ESPProLib, and open up this .ino file, which will contain the Arduino code demo that we're going to be looking at today. So basically what this will do is just dump a live raw data capture straight to our serial monitor, which will show us all of the promiscuous Wi-Fi data we're capturing. So as you can see here, it's a relatively straightforward setup, and this code makes calls directly to the ESPProLibrary's API, showing us information like what devices are sending Wi-Fi packets, where they're being delivered to, and also the specific type of Wi-Fi packet that we're dealing with. So this will basically let us look at things like deauthentication attacks, beacon frames, ESPPro requests, and all other types of Wi-Fi packets by their frame and subframe types. So you can actually reference this Wikipedia page that I'll have linked below if you want more information specifically on these frame types, but basically this will let us get a view of the Wi-Fi spectrum and Wi-Fi data around us on the 2.4 gigahertz spectrum. So this is going to let us identify things like Wi-Fi attacks going on. For instance, if you detected deauthentication attack, we can see phones that are looking for networks they've previously identified by probe requests, and a whole lot of other juicy information. So now I'm going to head back over to the Arduino IDE and plug in my ESP8266. After I've done that, I'm going to head over to tools and make sure that I have the correct board set up. So here you can see I've selected Wemos D1 Mini, which is the board I'm using, and I'm going to set the upload speed to 921600. So make sure you also have the rest of the settings here configured to what I have set up. And after you've done that, you can go ahead and just upload the code by using this button in the corner. So after the code flashes, I can go ahead and just pop open the serial monitor using Control-Shift-M, where you can see that it started a data capture. And sure enough, we can get a readout of these incoming Wi-Fi packets, so you can see things like the source and destination MAC address, Wi-Fi packet types, SSID, received signal strength, and a whole lot more. In a previously featured video on this channel, I actually used this library to basically identify and flag new devices for the ESP bug, so that way I could remotely and inconspicuously detect when certain people came in and out of an area, just based off the MAC address of their phone. So this library is obviously very useful and has a lot of use cases. So for the last part of this demonstration, I'm actually going to show you some basic code demonstrations I wrote for this library, since I find myself using it a lot. And today, the first one we're going to look at is just a simple SD card logger. So if you want to start making modifications to the ESP Pro library for your own projects, you'll have a basic place to start by looking at my GitHub repository. So heading over to the browser, I'm going to go over to my GitHub repo at alexlind slash ESP Pro library demos. I'm going to go ahead and copy this, and we're going to clone it, just like we did before. So git clone HTTPS, github.com slash alexlind slash ESP Pro library demos. So now I'm going to go ahead and open this in my files. I'm going to head back to ESP Pro library demos. And if you open this up, you'll see that I've actually already written two different demonstrations. One of them constructs a JSON file for creating post requests to a server, and the other one just basically logs it to a micro SD card. So I'm going to go ahead and open up this folder and click on this Arduino sketch. So if you take a look at the code I wrote, you can see that much of it is structured, basically the same as the raw ESP Pro library file that we took a look at, and this is because I basically just conflated it with an SD card logging program. But the only difference is that I just have it directing output from the serial monitor also into a comma separated value or CSV file. So if I just scroll down a little, you can see that I've constructed here a CSV file header, which will denote the data types we're working with. So for example, you can see frame type, subframe type, source MAC address, and so on and so forth. And if you look up here, you can just see the other code segments, which basically will pass data along into the SD card and log it with this delimiter, which is just separated by a comma. So since I'm using the D1 mini form factor, I can just go ahead and stack this SD card module, which mounts directly on top of the ESP8266, and it's just going to start working right away. But if you're using different hardware or a different ESP module that's not the D1 mini, you might have to look up the pinout on the internet somewhere. Otherwise, I'll link to this hardware in the description below, and I'll also cover the D1 mini form factor in future videos, as well as how to get started prototyping with it. So after I have my ESP plugged in and the SD card stack set up, I can just go ahead and flash the code to my board. So after flashing, I can just go ahead and pop open the serial monitor again. And as you can see, it's still pulling in Wi-Fi packets, which should now also be saving to the micro SD card. So I'm just going to give it a few more seconds to run to make sure that we have a decent data capture before unplugging and ejecting it. So now I'm going to go ahead and unplug the SD card. And if we head over to my computer, we should be able to get a look at that CSV file that it captured. So opening up my files, I can see that it created this log9.csv file, which I'm going to go ahead and click on. And as you can see, it immediately springs us into a spreadsheet. Now the benefit to using a CSV file like this is that the raw file is actually super compact since the values are just comma separated, as you can see in this raw CSV file that I have open here. But this format using just commas as a delimiter is basically enough to store most data. And it's a very ubiquitous format since it has a ton of applications for data logging. Promiscuous Wi-Fi scanning offers us a ton of insight to data around us, allowing us to flag certain activity, like if someone you know is nearby or if someone is running a really noisy Wi-Fi attack. The ESP8266 is a very cheap and easy way to get into logging different data sources, specifically over Wi-Fi and the D1 Mini form factor that we covered today offers a very versatile and useful platform that just allows you to interface with modules in a plug and play operation. In future videos, I'll show you more Wi-Fi reconnaissance proof of concepts with the ESP8266 and specifically how to use the D1 Mini to recreate a few of my projects that use this platform specifically. If you have any questions or suggestions for future videos you want to see, let us know in the comments below or feel free to reach out to me on Twitter at AlexLind. Thank you for watching and we'll see you next time on Hack5. Thanks for supporting Hack5. Find all our shows, community, and pen test products at hack5.org.

31853
https://www.youtube.com/watch?v=SPOCmnPj41E Published at 2021-08-20