0xchocolate / flipperzero-wifi-marauder Goto Github PK

Describe the bug.

FAP is outdated after compared to recent Flipper Marauder update. There are missing options and controls, to include items such incorrect file timestamps and multiple flipper device crashes.

Reproduction

1. update flipper esp32-devboard with latest Flipper Marauder release.
2. Reboot Flipper
3. Navigate to [ESP32] WiFi Marauder.
4. 50/50 chance of Flipper crashing with message "NULL pointer dereference". If not, then observe missing new features/capabilities options on-screen.

Target

No response

Logs

No response

Anything else?

No response

Hey,

I just wanted if it was possible to edit the ESP32_WiFi_Marauder.fap file to change the rickroll by anything else ?

Load failed GPIO/es32_wifi-_marauder.fap
Found unsatisfied imports

running latest extreme build

Description of the feature you're suggesting.

Instead of adding an additional sdcard slot to the breakout board could we potentially save pcaps's to the flipper's sdcard?

Anything else?

No response

Describe the bug
When adding a script and you press 'Save' from the UI Keyboard on the Flipper Zero, it causes a complete freeze of the UI, no button inputs work, the system requires a hard reboot by holding Left + Back to function again.

To Reproduce
Steps to reproduce the behavior:

1. Open ESP32Marauder
2. Scroll to 'Scripts'
3. Select '[+] ADD SCRIPT'
4. Enter a file name with the UI Keyboard
5. Press 'save'
6. App Freezes

Expected behavior
A script template should be created and the UI should return to the previous menu.

Marauder (please complete the following information if applicable):

• Firmware version: v0.13.5
• Hardware version: Flipper Zero Wifi Dev Board

Additional context
Flipper Zero is running Unleashed Firmware 'unlshd-065'

After the Hard Reboot the Script is created and can be edited, so I assume the crash happens after the app creates the Script '.json' file.

For some reason when I flash the fw for LDDB marauder doesn't work. I am using the esp flasher app on the flipper

To make possible that the log collected by the app contains a compatible format with wigle.net

Here is the format https://api.wigle.net/csvFormat.html

Hello! Your [ESP32] WiFi Marauder app version 7.0 fails to build with the SDK version 0.98.0-rc f7. Please update the app in your repository and create a new pull request to the catalog repository with the updated manifest file.

IMPORTANT: Don’t forget to update the app version and commit version in the manifest file.

View logs

          I am encountering the exact same issue, and tried copying the `index.html` file at various locations on the Flipper Micro SD card, at:

• /index.html
• /apps_data/index.html
• /apps_data/marauder/index.html

None of these seem to work, error persists.

Then I noticed I initially missed an important note in docs: https://github.com/justcallmekoko/ESP32Marauder/wiki/evil-portal-workflow#important-note

Not very experienced on the topic but could it be that /apps_data/marauder/ap.config.txt is read from the Flipper Zero SD Card, while /index.html is read from the root of the ESP32 SD Card ?

Note: That would require extra hardware enabling the ESP32 SD card capabilities, using either a SD adapter board or a MicroSD Breakout according to the following instructions: https://github.com/justcallmekoko/ESP32Marauder/wiki/flipper-zero#sd-card-modification

@bitterbuick did I get this right ?

Originally posted by @opskovitch in #28 (comment)

Opening the text input when adding a new Script still does contain text from other text inputs on V0.6.5

Reproduction
1.SSID add rand (others do work too)
2.Go to "Scripts"
3.Add script
-> The text from SSID add rand is still inside the text box
4. Go Back on step
5. Add script
-> Now the text is properly deleted.

I want to edit on the computer and then import flipper zero. However, the relevant list file was not found in the location shown below.

Thank you very much for this project

The App can use some kind of scripts.

From v0.3.4 changelog:
" Scripts are here! Thanks to [@tcpassos 2]
...
The scripts are saved in the “apps_data/marauder/scripts” folder as JSON files."

Where could one find the documentation or examples of the scripts?

Hey everyone!

Is it possible to perform a deauth attack while sniffing to save pcaps with handshakes on sd card? Maybe i am wrong, but as i understand its not possible in the latest fw.

When you load a bigger size html, followed by a smaller size html there appears to be some kind of buffer overflow bug.

Has been duplicated by everyone I've asked to confirm. Load stock Matrix html then load Soectrum html to test for results matching mibe (see above pic)

Using the new Marauder firmware that includes Evil Portal. Not sure if issue exists in dual boot version.

Describe the bug.

when i run scan ap i get 150+ networks. if i go to list to select an ap the listing starts at number ~70. and i cannot scroll up to to see scanned aps 1-70.

Reproduction

1. run scan ap in a metropolitan area with large number of wifis
2. scan 150+ wifis
3. list aps
4. verify that the list starts at around number 70 and aps 1-60 are not shown

Target

No response

Logs

No response

Anything else?

No response

New firmware is out 0.78.1

Can you please update support? thanks

I'm trying to install the Marauder firmware on my Flipper dev board, and even after the binary has been flashed, a red light appears after boot.
I tried to install it several times, but there was no success.

The flipper seems to soft-lock and requires forcefully rebooting it if you try to edit wifi marauder stages. It doesn't seem to be a issue with the devboard since the behaviour is the same with or without it plugged in.

Reproduction
1.Open wifi marauder
2.Go to "Scripts"
3.Create a new script
4.Add a scan stage
5.Edit the scan stage
6.Edit "timeout" from 15 seconds default to 30 seconds for example
7.Press "save" while in the timeout-editor
8.The flipper becomes unresponsive.

Hi Led of on S2 MINI (ESP32) not work.
(WiFi Marauder companion 0.7.0)

Describe the bug.

All captured PCAP files are blank 0 bytes.

Reproduction

Sniff
Capture
Saved file is 0 bytes

Target

No response

Logs

No response

Anything else?

No response

Description of the feature you're suggesting.

Integrate/modify the following CLI commands

Integrate:

command: sniffraw
description:
Sniff raw WiFi traffic including data frames. Outputs source MAC address to display

Modify:

command: attack -t deauth [-s <src_addr>] [-d <dst_addr>]
description:
Users will have the option to specify a source MAC address and/or a destination MAC address when executing a deauthentication attack. If the user wishes to specify an address, they will be expected to format it as follows...
xx:xx:xx:xx:xx:xx or XX:XX:XX:XX:XX:XX. All other functionality of the attack command remains unchanged

Anything else?

No response

Hello! Your [ESP32] WiFi Marauder app version 6.6 fails to build with the SDK version 0.98.2-rc f7. Please update the app in your repository and create a new pull request to the catalog repository with the updated manifest file.

IMPORTANT: Don’t forget to update the app version and commit version in the manifest file.

View logs

I can scan for aps and list them but when I go to select it does not save and then screen does not go back. When going back the selected ap number is gone. Am I not following the correct procedure ?

Describe the bug.

When using the Sniff PMKID ap option on the Flipper the majority of packets captured, including EAPOLS, are not from the targeted ap.

I'm also wondering, what's the difference between using the Sniff option with selected and using Sniff PMKID option right below it with ap selected? The only thing I can tell is that the Sniff PMKID ap option also sends deauths, if you have that setting enabled, while the Sniff option does not.

Also, I thought one of the main advantages of the newer PMKID attack was that it doesn't require deauths, or even any connected clients at all, it sends an association request to grab the PMKID straight from the AP. So why does the Sniff PMKID option send deauths at all? It seems to be sending deauths and trying to grab the hash at the EAPOL stage, which is not a PMKID attack as the name of the option on the Flipper would imply.

Reproduction

Simply run Sniff PMKID ap

Target

No response

Logs

No response

Anything else?

No response

Description of the feature you're suggesting.

Hi there! I was wondering if console logging to a text file on the flipper could be added to the Wifi Marauder Companion plugin? That way any data data captured like the PMKID is saved and full logs are backed up to the SD card without needing to solder to the dev board.

Anything else?

No response

Hi, after flashing the latest version (without _sd_serial) as it does not support microSD, I tried to capture beacons in the Sniff->Beacon option, but the PCAP file is empty. I was using v0.12.0 FW and MC v0.6.2.

Also, I've tried to capture the Sniff -> RAW but without success, the PCAP file was still empty.

Hello! Your [ESP32] WiFi Marauder app version 7.0 fails to build with the SDK version 0.98.1-rc f7. Please update the app in your repository and create a new pull request to the catalog repository with the updated manifest file.

IMPORTANT: Don’t forget to update the app version and commit version in the manifest file.

View logs

In wifi marauder, after scanning, we select an access point using the "select -a" command.
For example, after scanning, I have "list -a" in which there are 40 access points. And I want to pick a few.
Wifi murader supports multi-selection, you can write several numbers separated by commas like this "select -a 3,6,8,15,19,22,23" and all these points will be selected, you will not need to open the "select" item in menu every time and enter new number.

But the problem is that in the keyboard that is used in the application, as I understand it is a stock keyboard, there is no comma, there is also no dash, to add a parameter, for example, choosing "Sniff PKMID on channel", I want to add the -d parameter, so that it would be like this "sniffpkmid -c 11 -d", so that deauthentication is also performed. Also no colon to enter mac address

Perhaps you can somehow modifie keyboard in the application?

It would be very convenient if the app could play a sound whenever arbitrary event happens - new beacon detected, new PMKID sniffed, or anything else basically. Especially useful in those cases when you need to wait for said event for a while to happen or when it's simply impractical to have your eyes glued to screen all the time. Of course, it should be a configurable and optional feature.

• it's probably because i did it wrong
• whenever i click anything in the menu, all it says is-
  Press BACK to send stopscan
• help

If I open the plugin, start the rickroll attack, stop the attack, exit the app, and then restart the app again, the flipper crashes and restarts due to "NULL pointer dereference".

Tested on Eng1n33r's Unleashed firmware, build un1-12a629.

Hi there
This could just be me being a bit dense.
But I when I go to use the Evil Portal function in the ESP32 Marauder application, it says that it can't find /index.html.

I have sample files ready to go, but I am just not sure where to place them.

Summary:
Sniff PMKID mode spams broadcast deauth packets from every AP it sees even when selecting any of the "passive" modes in the flipperzero menu.

Steps to reproduce:
Flipperzero running Unleashed Firmware 069e with version 0.6.6 of the wifi-marauder companion app.
ESP32 wifi dev board running the ESP32 Marauder firmware installed using FZEasyMarauderFlash
Nearby computer with wifi interface in monitor mode
(optional: phone attached to wifi network)

On the nearby computer, open a wireshark session on the wifi interface in monitor mode, and observe raw wifi traffic. Set the wireshark filter to "wlan.fc.type_subtype == 0x000c" to filter for deauth frames.

On the flipperzero, navigate to the wifi marauder app, select "sniff" for PKMID, then select "Passive".

EAPOL messages should start appearing on the flipperzero.
Deauth Broadcast Frames appear in wireshark.

Expected Behaviour:
Passive mode should not be expected to transmit any signals to other devices. It should be listen only. Sending deauth frames should be under the "Active" option.

Description of the feature you're suggesting.

This would be a helpful feature to utilize.

Anything else?

Love the program!

ESP32Marauder: esp32_marauder_v0_13_1_20231014_multiboardS3.bin

flipperzero-wifi-marauder: v0.6.3

It would be very practical to have Sniff button right bellow Attack button because for EAPOL you need to death and then sniff raw...

Would it be possible to add this change to new release or could you point me out where should I change the source code and rebuild it myself? Thanks for the response!

beacon spam using a selected list of SSIDs only produces one beacon using first SSID name in list. Selecting multiple SSID names using select -s 0,1,2,etc. Does not result in any SSID beyond the one at [0] index being created when running #attack -t beacon -l

Hello!

Your [ESP32] WiFi Marauder app version 7.0 fails to build with the SDK version 0.99.0-rc f7. Please update the app in your repository and create a new pull request to the catalog repository with the updated manifest file.

IMPORTANT: Don’t forget to update the app version and commit version in the manifest file.

View logs

Flipper Team