Operation: MockingBird #
Use of ESP32 as a planted deauth device.
Reasoning #
Admittedly, the lightbulb didn't go on the exact moment we learned of the existence of small, affordable, relatively concealable prototyping boards. Rather, the idea arrived well after three such boards had been purchased and had collected dust sitting around the house. The small size and portability of the device make it perfect for a plant: it could easily be concealed in a discarded bag of potato chips or an empty drink can, and it is small enough to be taped under a park bench, water meter cover, or desk drawer. Due to the affordability of the device, it could also be expendable if needed. So, all in all, the device is primed for fun.
Making the device #
There were hurdles to overcome in every part of making this thing. Some were to be expected, others were not. Here is what went down in Chinatown.
Parts #
Here is what we used to create our "MockingBird":
- OffLabel ESP32-Wroom-D3 (3 for $15)
- Duct Tape
- Battery reclaimed from a broken headlamp (3.7 V output)
- Standard-polarity Wi-Fi "rubber duck" antenna
- Elegoo Dupont Wires
- SMA crimp connector
- RG174 Coaxial wire
- Part of a cardboard box
Hurdles #
Yep, there were some hurdles to overcome, mainly how to power the device and how to extend its coverage.
Battery Power #
While the device was being conceptualized, the first hurdle was how it was going to be powered. An intricate solar panel / battery system was considered, but ditched due to its needless complexity. Once we were set on using just batteries, it became a question of which batteries to use. "AA" batteries can power the device, but the resulting voltage would not be optimal, and they would end up completely drained rather quickly by comparison. Three "AA" batteries generated too much voltage, and two "AA" batteries generated too little to properly power the device. So rechargeable batteries became the best choice. LiPo batteries are more expensive, but overall provide a better discharge for the device. Lithium batteries are more affordable, but do not provide the same lifespan and reliability as LiPo.
Thankfully, the issue resolved itself when a LiPo battery was reclaimed from a broken headlamp. The battery provided the exact voltage required for the build and was of rather high quality. The battery-holding chassis was also reclaimed from the headlamp, and once two Dupont wires were soldered onto the contacts for the battery, the largest hurdle was easily overcome.
Necessity of adding an external antenna #
On our first test run, it was discovered that the range of the device was pathetic at best, so something was going to need to be done to increase it. Our board did not come with a means to connect an external antenna, so this was the first thing we would need to take care of.
Adding an external antenna to an ESP32-WROOM-D3 board is a rather simple process if you can work a soldering iron. There is the "smart" way of doing it, and then there is the hackish way. Frugality favors the latter over the former, but in retrospect, the former is the better approach.
The intelligent approach would have been to order the correctly sized SMA female PCB edge-mount connector for the board, and then simply solder and glue it to the board for a solid connection. Solder alone will not provide enough support to keep the connector in place, and could result in damaging the board beyond repair. Only soldering and gluing together will provide the support direly needed by the connector and by the thin layer of copper which connects directly to the board's microcontroller, and will ensure the connection survives the daily tugging of the cable extending out from the board.
The frugal approach goes without the SMA connector and solders the coaxial wire directly to the board. Strong, clear, non-conductive epoxy will be needed afterward to prevent the thin copper lead from being ripped off the board. Trust us when we say this, as we have learned the hard way.
Either way you go, the process is mostly the same until it comes to your method of connecting the coaxial wire. You will want to use either some lightly abrasive sandpaper or a razor blade to gently remove the protective coating from the antenna leads on the board. It is essential that once the copper leads are exposed enough to form a connection, you stop applying abrasive force to them. This is, as one would anticipate, to protect as much of the copper lead to the processor as possible. Just to make sure the lesson is driven home, understand that the copper lead to the processor is thinner than a sheet of paper and can sever very easily.
Once the copper leads are exposed enough to solder, you will next need to disconnect what remains of the on-board antenna to prevent interference. The best way to do this is with a razor blade. Simply take the razor blade, place it where the cut needs to be made, and press downward at a diagonal so as to cut a wedge from the board. Again, the key is to remove only the copper layer and leave the rest, in order to ensure the leads remain perfectly intact and your board stays strong.
Once completed, clean the parts you intend to solder with some alcohol to remove any oils that might have accumulated on them. Then clean the parts again with either XXX steel wool or, preferably, a piece of copper wool to gently smooth the surfaces and remove anything else that might have built up on the points of connection. Most solder these days has a flux core, so you will not need to apply any flux to the parts before soldering. The only other thing you need to do after this is clean the tip of your iron to remove carbon build-up, and ensure the iron is hot enough to begin soldering. Then solder away, remembering that the less solder you need to create a solid connection, the better.
How to connect an SMA connector to a piece of RG174 coaxial wire is beyond the scope of this post, and thankfully for us we had an extra one lying around.
You may want to refer to this page for more insight on how to accomplish the job, although this tutorial is more informative.
Assembly #
There was no final test of the neatness of the device; it just had to work, and it only had to work for a short amount of time. So, our approach was very basic, very thrifty, and used whatever we could get our hands on in the next thirty seconds or so. We grabbed a box waiting to be discarded, cut the largest side off of it, and taped everything onto it using duct tape. This was then shoved into a black plastic garbage bag, and the excess material of the bag was tied into knots in order to keep the antenna pointed upward. This was then placed close to our target, and our testing began.
Results of tests #
Although mechanically everything ran well, two big issues were not foreseen until testing began, and inevitably they prevented us from succeeding.
Software was not production ready #
There are numerous projects that provide deauth attack software for the ESP32-WROOM-D3 board. In our first, unpublished tests, we used a project which was designed well in theory but poorly implemented. In our second test, the one with the external antenna, the project employed was not designed with the intent of being used in realistic scenarios. What is needed in these scenarios is a program that launches and performs the deauth attack automatically on boot of the device, that is, as soon as power is connected. The project used in the first tests did this beautifully, but its method of attack was useless on the target. The project for the second tests required the attacker (us) to connect to the Wi-Fi of the device via a mobile device, log in to a web framework, select which method we wanted to launch, and then launch the attack. These additional steps generate a significant risk to the success of the attacker and jeopardize the operation by disclosing what is happening to the target. They make use of the software unnecessarily hazardous, and should have been avoided.
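From the other side of the fence, the burst of deauthentication frames a device like this produces is one of the easiest wireless attacks to spot, because a legitimate access point almost never sends many deauth or disassociation frames in a short window, and rarely sends them to the broadcast address. The following Python script is an added example written for this page; it is not code from the original post or from any of the ESP32 projects it mentions. It assumes a constructed, one-record-per-line text format for monitor-mode captures (`<epoch_seconds> <subtype> src=<mac> dst=<mac> bssid=<mac>`), which is not the output of any particular capture tool, and it flags any BSSID whose deauth/disassoc frame count within a sliding window exceeds a threshold.

```python
import re
from collections import defaultdict, deque

# Constructed sample records (not a real capture). Format is an assumption for
# this example: "<epoch_seconds> <subtype> src=<mac> dst=<mac> bssid=<mac>".
# The first five lines are ordinary traffic, including two isolated deauth/
# disassoc frames of the kind an AP legitimately sends when it drops a client.
BENIGN_LINES = """
1700000000.10 beacon src=aa:bb:cc:00:00:01 dst=ff:ff:ff:ff:ff:ff bssid=aa:bb:cc:00:00:01
1700000000.20 data src=11:22:33:44:55:66 dst=aa:bb:cc:00:00:01 bssid=aa:bb:cc:00:00:01
1700000001.00 deauth src=aa:bb:cc:00:00:01 dst=11:22:33:44:55:66 bssid=aa:bb:cc:00:00:01
1700000003.00 deauth src=aa:bb:cc:00:00:02 dst=11:22:33:44:55:77 bssid=aa:bb:cc:00:00:02
1700000003.50 disassoc src=aa:bb:cc:00:00:02 dst=11:22:33:44:55:77 bssid=aa:bb:cc:00:00:02
""".strip()

# Constructed flood: 20 broadcast deauth frames spoofing the first AP's BSSID,
# 50 ms apart, so all of them fall inside a single one-second window.
FLOOD_LINES = "\n".join(
    f"{1700000010.0 + 0.05 * i:.2f} deauth src=aa:bb:cc:00:00:01 "
    f"dst=ff:ff:ff:ff:ff:ff bssid=aa:bb:cc:00:00:01"
    for i in range(20)
)

SAMPLE_LOG = BENIGN_LINES + "\n" + FLOOD_LINES

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_DISCONNECT = ("deauth", "disassoc")

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<subtype>\w+)\s+"
    r"src=(?P<src>[0-9a-f:]{17})\s+dst=(?P<dst>[0-9a-f:]{17})\s+bssid=(?P<bssid>[0-9a-f:]{17})$"
)


def parse_frames(text):
    """Parse the assumed record format into dicts, sorted by timestamp.

    Lines that do not match the format are skipped rather than raising, so a
    partially corrupted log still yields whatever frames are intact.
    """
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = float(rec["ts"])
        frames.append(rec)
    frames.sort(key=lambda f: f["ts"])
    return frames


def deauth_window_peaks(frames, window=1.0):
    """Return {bssid: peak} where peak is the largest number of deauth or
    disassoc frames attributed to that BSSID within any `window`-second span."""
    recent = defaultdict(deque)   # bssid -> timestamps inside the current window
    peaks = defaultdict(int)
    for f in frames:
        if f["subtype"] not in MGMT_DISCONNECT:
            continue
        q = recent[f["bssid"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        peaks[f["bssid"]] = max(peaks[f["bssid"]], len(q))
    return dict(peaks)


def broadcast_disconnect_counts(frames):
    """Count deauth/disassoc frames sent to the broadcast address per BSSID.

    A real AP kicking one misbehaving client sends a unicast frame; a sweep of
    broadcast disconnects is a strong flood indicator on its own.
    """
    counts = defaultdict(int)
    for f in frames:
        if f["subtype"] in MGMT_DISCONNECT and f["dst"] == BROADCAST:
            counts[f["bssid"]] += 1
    return dict(counts)


def detect_deauth_floods(frames, window=1.0, threshold=10):
    """Return sorted (bssid, peak_in_window, broadcast_count) tuples for every
    BSSID whose peak disconnect rate reaches `threshold` frames per `window`."""
    peaks = deauth_window_peaks(frames, window)
    bcast = broadcast_disconnect_counts(frames)
    return sorted(
        (bssid, peak, bcast.get(bssid, 0))
        for bssid, peak in peaks.items()
        if peak >= threshold
    )


if __name__ == "__main__":
    for bssid, peak, nb in detect_deauth_floods(parse_frames(SAMPLE_LOG)):
        print(f"ALERT bssid={bssid} peak={peak} frames/window broadcast_deauths={nb}")
```

Running the script reports the constructed flood against the first BSSID and stays silent on the second, whose two isolated frames look like a normal client drop. On real captures the parser is the part you would replace with your capture tool's export; the sliding-window logic is unchanged. As a mitigation rather than a detection, enabling 802.11w Protected Management Frames on the access point makes clients that support it discard forged deauthentication and disassociation frames, which is why a flood like the one above fails against PMF-protected networks.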
Signal still too weak #
Despite being exposed for an uncomfortable amount of time, the tests proved completely ineffective, as the signal was still too weak to pick up the target 200 yards or so away. Without the ability to pick up the target, testing was immediately canceled, and the device was recovered several hours later with its battery completely drained.
Ending #
There is still work to be done on this project and questions that need to be answered. We can assume that the external antenna did increase the range of the device, based on the other access points observed during our scans.