Author: raax (Member of Wireless Security Group)
Reviewed by: 98 (Leader of Wireless Security Group)
Recruitment: The Wireless Security Group is looking for like-minded friends
A seemingly inconspicuous board may seem worthless to some, but others see its potential. When we give it new life, it will shine anew; the value of a tool depends on the person who wields it. The value it presents is determined by the value you assign to it.
Background:
The 802.11 WiFi protocol includes a Deauthentication frame, which exists to disconnect a station from the network. An attacker can spoof the source address of the wireless AP and send Deauthentication frames to a connected station.
The protocol does not require Deauthentication frames to be encrypted or authenticated, nor does it require an established session. This weakness was addressed in 802.11w-2009 (protected management frames), but almost all manufacturers leave that feature disabled by default.
In simpler terms, this device can make your connected devices drop their connection (disconnect) and also fail to reconnect to Wi-Fi, similar to a DoS attack.
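As an added example that is not part of the original post, here is the monitoring-side view of this weakness: a small Python detector that parses deauthentication/disassociation frame headers and flags a BSSID whose deauth rate exceeds a threshold within a sliding window. The MAC addresses, timestamps and frames are constructed sample data, built in memory only; on a real network, enabling 802.11w/PMF makes clients drop such unprotected frames, and this detector is the complement that tells you someone is sending them.

```python
import struct
from collections import defaultdict, deque

# First frame-control byte: subtype (4 bits) | type (2 bits) | version (2 bits)
DEAUTH_FC0 = 0xC0    # type 0 (management), subtype 12 (deauthentication)
DISASSOC_FC0 = 0xA0  # type 0 (management), subtype 10 (disassociation)

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt_frame(frame: bytes):
    """Return (kind, addr1, addr2, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26 or frame[0] not in (DEAUTH_FC0, DISASSOC_FC0):
        return None
    kind = "deauth" if frame[0] == DEAUTH_FC0 else "disassoc"
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]  # receiver, transmitter, BSSID
    reason = struct.unpack("<H", frame[24:26])[0]                  # reason code, little-endian
    return kind, mac(addr1), mac(addr2), mac(addr3), reason

def detect_floods(events, threshold=10, window_ms=1000):
    """events: (timestamp_ms, raw_frame) pairs. Returns {bssid: peak_count} for every
    BSSID that sourced more than `threshold` deauth/disassoc frames within `window_ms`.
    A lone deauth is normal (a station leaving); a sustained burst, often addressed to
    ff:ff:ff:ff:ff:ff, is the signature of a spoofing tool like the one described above."""
    recent, alerts = defaultdict(deque), {}
    for ts, frame in sorted(events, key=lambda e: e[0]):
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            continue
        q = recent[parsed[3]]
        q.append(ts)
        while ts - q[0] > window_ms:   # slide the window forward
            q.popleft()
        if len(q) > threshold:
            alerts[parsed[3]] = max(alerts.get(parsed[3], 0), len(q))
    return alerts

def sample_frame(fc0, addr1, addr2, bssid, reason):
    """Constructed 26-byte management frame (header + reason code) for in-memory testing only."""
    return bytes([fc0, 0]) + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00" + struct.pack("<H", reason)

# Constructed sample capture: one benign deauth, then a 20-frames-per-second broadcast burst
AP, STA, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
SAMPLE_EVENTS = [(0, sample_frame(DEAUTH_FC0, AP, STA, AP, 3))]          # station leaves normally
SAMPLE_EVENTS += [(10000 + i * 50, sample_frame(DEAUTH_FC0, BCAST, AP, AP, 7)) for i in range(40)]

if __name__ == "__main__":
    print(detect_floods(SAMPLE_EVENTS))  # {'02:00:00:00:00:01': 21}
```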
Environment:
1. Arduino IDE (essential for the journey), with the esp8266 development environment installed
2. Python and esptool
Materials: (A certain level of hands-on ability is required for the following steps)
1. WeMoS ESP8266 NODEMCU development board (with 0.96 OLED and 18650 battery holder) * 1
2. 18650 battery * 1
3. Antenna (gain above 5.5 dB)
4. ESP-07 * 2
5. W25Q32 chip * 2
All materials are available on Taobao
Tools: (Note safety during use)
1. Soldering iron and hot air gun
2. Tweezers
3. Flux, solder, solder paste 🙂
Temperature:
Set the hot air gun and soldering iron to 350-380 degrees
Steps
Step 1: Unboxing
Step 2: Handling ESP-07
Heat the ceramic antenna, the 0-ohm resistor (the black one near the antenna), and the flash with the hot air gun, and lift them off with tweezers. (It is best to follow my order.)
The first time I did this, I accidentally blew the LED off the board (you can see it in the picture); the metal cover needs a long heating time, and due to inexperience I overheated it. So it is best to buy two ESP-07s and use the first one to get a feel for it.
The second time went much better and was a success. I then fitted the W25Q32 in place of the old flash; if it still does not sit after heating, add a little solder yourself.
Friendly reminder: there is a small notch on the flash chip; just make sure the notch orientation matches the footprint.
Then put the cover back on and test it!
Step 3: Handling ESP8266
First, remove the OLED screen with the hot air gun (heat from the back of the board)
Then remove the ESP8266 module
Then fit the ESP-07 in its place; it is best to solder it after heating
Then power on to test
If the ESP-07 and the onboard LED light up, it is OK; just put the screen back on
Step 4: Flashing Firmware
Connect the board to the computer and check the COM port in Device Manager
Use esptool to erase the flash:
esptool --port COM3 erase_flash
In most cases:
esptool.py --port COM3 erase_flash
Next, get the firmware, firmware address:
https://github.com/spacehuhn/esp8266_deauther
Then replace the configuration with the attachment I provided (a configuration supporting OLED screens)
Then compile and upload
Upload parameters
Then you will encounter the following error
How to resolve it?
When uploading, connect the ESP-07's GPIO0 to GND with a jumper wire
Actually, choosing WeMoS is fine; I mention the above method because most environment setup tutorials describe it, it is the more common case, and the solution is also quite universal.
Next, the firmware has been successfully burned!
Here is a picture of this (detour) build running
Is everything over??? NO, NO, NO
Test the functions and you will find everything looks normal, but there is no actual attack effect!
Otherwise, how could it be called a detour? I spent an afternoon trying to find the reason and found nothing; it may simply support its own hardware better (sold by Chinese partners on Taobao).
What an awkward situation…….
There’s always a way out. You can check its previous versions.
Version 1.6 ships firmware that directly supports the SH1106 screen
How to use the bin file?
Just burn it to the flash with esptool:
esptool --port COM3 --baud 460800 write_flash --flash_size=detect 0 esp8266_deauther_1mb_oled_sh1106.bin (replace esp8266_deauther_1mb_oled_sh1106.bin with the firmware filename)
In most cases:
esptool.py --port COM3 --baud 460800 write_flash --flash_size=detect 0 esp8266_deauther_1mb_oled_sh1106.bin (replace esp8266_deauther_1mb_oled_sh1106.bin with the firmware filename)
Let’s give it a try
It runs normally; try the flood and deauth attack functions
Great, it disconnects devices within 3 seconds! It also cloned a bunch of networks!
Hey, hey, hey! I've had my eye on that wife of yours for a long time, let me help you!
It supports web management: the management Wi-Fi name is pwned and the password is deauther!
There are many tutorials online that use a bare ESP8266 without a screen or buttons, where you control the attack via the web. So anyone can buy a WeMoS board to burn, which also includes a screen and buttons, but without a gain antenna it is still weak! As for version 2.0, I have included the modified configuration files and firmware from Angel Master at w3bsafe in the attachment.
Summary:
This is my first attempt at building hacking hardware and my first time playing with the ESP; thanks to all the masters who helped me! Special thanks to Angel Master! If there are any mistakes, all masters are welcome to point them out!
Conclusion:
This still exploits a weakness in the WiFi protocol. With some current attack methods, specific targets can be attacked more covertly and conveniently, and often the "weapons" in the attacker's hands cost far less than the damage the attack causes. In other words, maximum attack effect is achieved at minimal cost. For security, the most terrifying danger is the one that is invisible.
Related file address:
Link: https://pan.baidu.com/s/17Whj-85CUn5xK7gXojbyoA Password: 1eh6