Hackaday Prize Entry: A WiFi Swiss Army Knife

WiFi is all around us, but if you want to work with this ubiquitous networking protocol, you’ll need to pull out a laptop or smartphone like a caveman. [Daniel] has a better idea. It’ s a simple, compact tool for cracking WiFi passwords or sending deauth packets to everyone at the local Starbucks. It’s an ESP Swiss Army Knife, and a great entry for the Hackaday Prize.

As you would expect, this WiFI Swiss Army Knife is powered by the ESP8266 and features a tiny OLED display and a bunch of buttons for the UI. With this, [Daniel] is able to perform a deauth attack on a network, kicking anyone off the network, provided this device already has the MAC address of the victim.

This tiny wireless tool also has an SD card, making it possible to collect authentication frames for later decryption on a device that actually has the power to crack a network. With a LiPo charge controller and a sufficiently large battery, this tiny device could be left in the corner of an office collecting authentication packets for days until it’s later retrieved, opening up the network to anyone with a sufficiently fast computer. It’s a great build and very useful, making this a great entry for The Hackaday Prize.

18 thoughts on “Hackaday Prize Entry: A WiFi Swiss Army Knife

    1. In my opinion, definitely yes. Security should not work by making the attacks hard. The attacks should be, at best, impractical. Thats the only way that something will change.

      Think back to around 2011. Almost no website was using HTTPS/TLS. Then firesheep / droidsheep came around and suddenly you didn’t need “mad console haxx0r skills” anymore to spoof ARP and hijack your friends Facebook session. You could just start an app and click on an entry in list to open a browser where you were logged in as whomever.
      I’m pretty sure that the practicality for such attacks have helped, or even triggered the wide spread of HTTPS we see today.

    1. Technically definitely possible. However, the device is not really designed as headless unit. You may drop it anywhere but you definitely want to pick it up later. And then you can just access the collected data from the SD card.

      Maybe a headless counterpart would be an interesting idea. However, for this design (the case I want to use) I can put a 240mAh battery in there, at best. So the runtime is only around >2h anyways. It’s not designed as a drop and forget device.

      1. Stuff like the Sheevaplug exist as a nice, inconspicuous headless unit. With a bit of work you could probably disguise it even better than it already is (looks like a power adaptor with a few suspicious sockets on it). Actually if it were me I’d have a socketless version for a real disguise, and maybe make it a bit smaller, you should be able to fit the bare essentials, something like the Broadcom chip in the Raspi, and a Wifi chip, inside a USB power adaptor, and it could even supply power.
        Have it unscrew to mess with the SD card.

        I suppose unscrewing the case though would bring liability issues with the mains inside. Perhaps not, if they double-insulated the mains part within the case.

    2. Oh, and the project is completely open-source BTW. So feel free to send a PR or fork it.

      I’m going to publish the libs I’m writing for this Project separately and pull them as git-submodules. I just have to extract them once they are relativley complete.
      I maybe try to push some into the “official” ESP8266 Arduino Repository. I’m thinking about ICMP Ping, which could be really useful sometimes. e.g. If you want to check if a host is up.

      However, all is still WIP.

    3. Not a terrible idea, but if it’s meant to collect keys for another system to crack, there may not be an open network to get on… dns tunneling is only good if you’re on a network you can communicate to, like a pay-walled airport or hotel network.

      OTOH, having it look for your little portable wifi AP that you could put on a phone or raspi or laptop every so often when you get in range, and upload that way…

    1. Haha, this annoys everyone. But (or because of that) I developed a habit to leave everything with protective cover, stickers, etc until I’m done with the project and it sits in its housing. Then the last thing I do is peel off those things. Feels great, like a way to celebrate your project.

        1. I’m the type of guy who stops dead on the street, look over my shoulder and then discretely peel off the protective plastic on bicycle mudguards and return borrowed electronics without the stickers. Even when i take out the trash, if there’s an old VCR with the plastic film on, I peel it off. A friend pointed me to this youtube video: https://www.youtube.com/watch?v=320ge4M8MBg

          I get hot and shimmering watching it!
          Sadly it has no peeling sounds!

    1. I agree. Not a fan if this is used maliciously.
      I don’t really want to see this device popularized.

      But I did read the description on the IO page. It has a disclaimer about legal use…

      1. Guys, this is Hackaday. The entire point of the site is to publish interesting hacks like this one. The legal responsibility is always on the user of the hack, not the website that publishes an article about it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s