WiFi Penetration Testing With An ESP32

WiFi is one of those technologies that most of us would have trouble living without. Unfortunately, there are several vulnerabilities in the underlying 802.11 standards that could potentially be exploited. To demonstrate just how simple this can be, [risinek] developed the ESP32 Wi-Fi Penetration Tool that runs on cheap dev boards and can execute deauthentication and Denial of Service attacks, and capture handshakes and PMKIDs.

The main challenge in this project is to implement these attacks while using the ESP-IDF development framework. The closed-source WiFi libraries of the ESP-IDF block certain arbitrary frames, such as deauthentication frames. To get around this, [risinek] used two different approaches. The first, borrowed from the esp32-deauther project, is to bypass the declaration of the blocking function at compile time. The second approach doesn’t require any modifications to the ESP-IDF. It works by creating a rogue access point (AP) identical to the targeted access point, which will send a deauthentication frame whenever one of the devices tries to connect to it instead of the real AP.

WPA/WPA2 handshakes are captured by passively listening for devices connecting to the target network, or by running a deauth attack and then listening for when devices reconnect. PMKIDs are captured from APs with the roaming feature enabled, by analyzing the first message of a WPA handshake. ESP32 Wi-Fi Penetration Tool will also format the captured data into PCAP and HCCAPX files ready to be used with Wireshark and Hashcat. To manage the tool, it creates a management access point where the target and attack type are selected, and the resulting data can be downloaded. Pair the ESP32 with a battery, and everything can be done on the go. The project is part of [risinek]’s master’s thesis, and the full academic article is an educational read.

None of these attacks are new; they have been running on Raspberry Pis for a while. The Pwnagotchi is a popular example, which can run on the Pi Zero.
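Seen from the monitoring side, the deauthentication attacks described above show up as a burst of deauth or disassociation management frames carrying the AP's BSSID. The following sketch is an added example, not code from [risinek]'s tool or the ESP-IDF: it parses raw 802.11 frames and flags a BSSID once too many such frames arrive inside a sliding window. The window, threshold, MAC addresses and sample capture are constructed assumptions, and frames are assumed to start at the frame control field with no radiotap header.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10          # 802.11 management frame subtypes
BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_mgmt(frame: bytes):
    """Return (subtype, dst, src, bssid, reason) for a deauth/disassoc frame, else None.
    Assumes the buffer starts at the 802.11 frame control field (no radiotap header)."""
    if len(frame) < 26:            # 24-byte MAC header + 2-byte reason code
        return None
    version, ftype, subtype = frame[0] & 0x3, (frame[0] >> 2) & 0x3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    dst, src, bssid = (frame[i:i + 6].hex(":") for i in (4, 10, 16))
    # With the Protected Frame bit set the body is encrypted, so no cleartext reason.
    reason = None if frame[1] & 0x40 else struct.unpack_from("<H", frame, 24)[0]
    return subtype, dst, src, bssid, reason

def detect_floods(capture, window_ms=1000, threshold=5):
    """capture: (timestamp_ms, raw_frame) pairs in time order.
    Returns {bssid: timestamp_ms of the frame that first crossed the threshold}."""
    recent, alerts = defaultdict(deque), {}
    for ts, raw in capture:
        parsed = parse_mgmt(raw)
        if parsed is None:
            continue
        q = recent[parsed[3]]
        q.append(ts)
        while ts - q[0] > window_ms:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.setdefault(parsed[3], ts)
    return alerts

def build_frame(subtype, dst, src, bssid, reason=7):
    """Construct a minimal management frame for the sample capture below."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (bytes([subtype << 4, 0]) + b"\x00\x00" + mac(dst) + mac(src)
            + mac(bssid) + b"\x00\x00" + struct.pack("<H", reason))

# Constructed sample capture (locally administered, made-up MAC addresses).
AP1, AP2, STA = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:aa"
SAMPLE = [(3000, build_frame(DEAUTH, STA, AP2, AP2, reason=3)),   # one ordinary deauth
          (5000, build_frame(8, BROADCAST, AP1, AP1))]            # beacon subtype, ignored
SAMPLE += [(10000 + 50 * i, build_frame(DEAUTH, BROADCAST, AP1, AP1)) for i in range(8)]

if __name__ == "__main__":
    for bssid, ts in detect_floods(SAMPLE).items():
        print(f"possible deauth flood on BSSID {bssid} at t={ts} ms")
```

A single deauth is normal network behaviour, so the threshold and window need tuning against a baseline of the monitored network.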

13 thoughts on “WiFi Penetration Testing With An ESP32”

  1. Oh, can't wait to read the usual offended whining comments “But this is illegal, it is not responsible for HaD to publish something about thiiiis”. They likely prefer security by obscurity and no testing ever.

    1. Everything fun is illegal today (or makes you fat)…

      BTW, good luck hacking my wifi, it is so secured i can’t even use it myself.

      (disabled in the router as i don’t need it)

    2. If it is shared spectrum, and keeps to the appropriate power levels, I don’t think anyone will complain.

      Real hackers run their own Cat 5 or 6 to the panel next to their bed head anyway.

  2. I swear there was a github project that was reverse engineering the closed wifi library — i found it when i was looking into the ESP8266 mesh network router project and they had the same issues being caused by the drivers being not open sores.

  3. newbie alert:) Guys so let me get this straight…. This will allow me to capture the handshake and download it on my computer. Then i can either analyze it and hope to find the password or upload the file to an online hash crack? THX

    1. Yes, it will capture the handshake and you can then download it and pass it to Hashcat (or something else) to crack the password. But the success rate of the cracking part depends on the complexity of the password.

  4. Please add WPS (pixie dust attack) to it. I'm from Bangladesh, where 95% of routers have WPS enabled by default. I think many countries have it too, so please add this option…

  5. I don’t see it working well, the target is not affected at all after the attack. Maybe it’s because my ESP32 was cheap (about $3). Using this tool caused my ESP32 to freeze and disconnect from wifi…haha
