Project “AirCrack1” : Warflying

If we can put the business and some fun together, so why the hesitation? For a while, I’m playing with flying toys. I already played with different models of RC helicopters and recently, I switched to another category: I bought a quadcopter. The idea to mix the technology of drones with WiFi audits popped up in my mind for a while. First of all, this is not something news. Darren from Hak5 had the same crazy idea before me (see the episode 1520). But there is a difference between watching a cool video and doing the same in real life. Thus, I decided to experiment the same! And if I could use it to perform WiFi assessments or pentest, it’s even more cool!

My choice was the DJI Phantom FC40. Phantom’s are great quadcopters. Very easy to pilot using the built-in Naza-M V2 module and they are able to cary stuff! In most cases, drones cary a camera but pretty much any other type of goods can be carried (even pizza ;-). And which device is the best choice to play with WiFi networks? A Pineapple of course! I’ve a Mark5 (the latest generation) and trust me, it is uber cool… What else do you need?

• Some power
• Internet connectivity

To connect to Internet, I’m using a USB 3G modem with a data-only SIM card. The Mark5 supports out of the box common 3G devices. To provide power, my initial idea was to use the drone battery but the risk to have electromagnetic issues between the drone and the Pineapple was too high. Thus, I choose to use a dedicated battery (and this won’t affect the drone autonomy!). First, I used a Pineapple Juice 1800 battery but I was afraid of the weight and volume. I decided to go to another type of battery: a LiPo 900. LiPo batteries are very common in the aeromodelling landscape and have an excellent ratio weight/size VS performance. This battery is enouh for flying arround and sniffing for some traffic. To connect the Lipo to the Pineapple, a simple cable to convert the LiPo connector to a “jack” connector is required. If the goal is to fly the drone to your target, land on a roof and spend more time overthere, i think that I’ll use the Pineapple juice model. To be investigated…

The choice of the DJI Phantom “FC40” was very important. Why? This model operates at 5.8gHz for communication between itself and its remote controller. This frees up the classic 2.4gHz band used by the camera to communicate via WiFi with a smartphone (to provide the FPV or “First Person View“). The Pineapple uses the same band and will not interfere with the remote controller.

The total weight to cary (Pineapple, USB Modem, LiPo battery and cables) is 225 grams. This is totally acceptable for a Phantom! Everything fits under the drone and is secured with Velcro bands. I was afraid of the gravity center but it fits perfectly! The following pictures show you the Phantom ready to fly:

Another issue could be the sensitivity of the drone while flying. Two important things to keep in mind:

• By carying more stuff, you add weight and this may affects the pilot’s sensations (ask this to pilot of helicopters!)
• By carying electronic devices, you increase the risk of electromagnetic perturbations. A good example is antennas which are located along the landing legs (GPS & remote controller).

The drone found its GPS position as usual and was able to fly safely, keeping its position thoughout the flight. I just had the feeling that the drone was a little bit slower to respond. Of course the autonomy is greatly reduced.

How to keep an eye on the WiFi tools? The PineApple has built-in support for autossh. When it boots, it connects to Internet via the 3G modem and SSH to one of my servers and establish a remote tunnel with the “-R” flag. With this technique, I’m able to connect safely to the PineApple and follow the operations directly on my iPhone screen as seen on the following picture. It’s very difficult to keep an eye on the drone and on the screen at the same. I would recommend two persons to conduct the attack: the pilot and a “WiFi operator” (with a classic laptop for more conviviality)

This was a successful experience! Data was captured without problem. My Pineapple config is the following:

• wlan0 : karma + sslstrip (to capture credentials)
• wlan1 : airodump (to capture traffic for later use)

Of course, all the attacks that can be launched from a Pineapple can be done from the sky! Think about the WiFi jammer infusion ;-). What’s next?My plans are to script some kind of “flying scanner” which will detect and connect to open networks to perform a Nmap scan.

Disclaimer: this is done for research purposes only and it’s better to have a “Get Out of Jail” card if you use this setup in pentests…