justcallmekoko / ESP32Marauder

A suite of WiFi/Bluetooth offensive and defensive tools for the ESP32

Add to A32u4 memory card #80

Closed stratm0r closed 3 years ago

stratm0r commented 3 years ago

Good day. Can you add to the code connecting a memory card in the A32u4 for download and upload data?

justcallmekoko commented 3 years ago

I am not sure what it is you are asking for. What do we need to connect a memory card to the A32u4 for?

stratm0r commented 3 years ago

In order to be able to use it as an external memory for copying information from tested devices.

justcallmekoko commented 3 years ago

So do you mean having the computer see the A32u4 as a mass storage device or do you mean have the A32u4 take info from a computer and store it on an SD card?

stratm0r commented 3 years ago

As it will be easier for you. However, it is better for the PC to see the A32u4 as a mass storage device.

stratm0r commented 3 years ago

If the first is realized, then the second will be possible.

justcallmekoko commented 3 years ago

Understood. I will see if I can get that working then. Do you have an example code already prepared for the A32u4

stratm0r commented 3 years ago

I haven't thought about it yet. But I can think about it with you) (sorry for the bad English, I'm Russian).

justcallmekoko commented 3 years ago

Your English is much better than my Russian so don't worry about it. After a quick Google, it looks like it is a bootloader I will have to burn onto the a32u4. I will do some more research but as long as I can still get it to run the BadUSB firmware I already have on it, this should not be a problem.

justcallmekoko commented 3 years ago

actually this bootloader would make programming REALLY convenient. It looks like you just drop a new FLASH.BIN file onto the root of the storage drive that spawns when you plug in the a32u4.

stratm0r commented 3 years ago

Maybe great idea) Although I thought it would be easier to solder a separate memory card to the A32u4 and edit the sketch accordingly.

stratmor commented 3 years ago

photo_2021-05-10_12-12-50 photo_2021-05-10_12-12-42

justcallmekoko commented 3 years ago

The main reason I would not do that is because that would have to be a 3rd party modification to the marauder hardware itself and I don't want to include more firmware for unofficial hardware features in the project.

If the storage is really needed, the a32u4 can take in the data from the PC, pass it to the ESP32 over UART, and the ESP32 can write it to the SD card it is already connected to.

I think this bootloader idea would be great as long as the a32u4 can still function as a keyboard. I have a feeling it might not work though because I don't think the a32u4 can appear as a mass storage device AND a HID as the same time.

If you want to try it out, try flashing this bootloader to an arduino pro micro or something and upload a USB Rubber Duck code or something. I would do it myself right now but I am not home at the moment.

That is probably one of the coolest DIY marauders I have seen so far! That is awesome! Would you mind if I shared that picture on my social media accounts. I want to encourage others to do the same thing you did.

stratmor commented 3 years ago

As you wish) Now I'll try to flash the bootloader ...

justcallmekoko commented 3 years ago

Excellent let me know how it works. Also would you mind sharing a picture of the back of your project? I am curious to see what it looks like.

stratmor commented 3 years ago

Now it looks like this)

photo_2021-05-10_12-49-47 photo_2021-05-10_12-48-22

justcallmekoko commented 3 years ago

hahaha oh my god that thing is packed with capabilities. That is cool

stratmor commented 3 years ago

Be careful with that firmware. Now I will try to restore the A32u4 bootloader after it.

justcallmekoko commented 3 years ago

what happened with the bootloader?

stratm0r commented 3 years ago

Probably something with a fuse. The microcircuit is not detected by USB and does not open the bootloader port.

justcallmekoko commented 3 years ago

Did you short RST to GND when you connected the USB?

stratm0r commented 3 years ago

Sure. She's completely dead. For now)

justcallmekoko commented 3 years ago

That is interesting. I am still going to try when I get home. I was just reading the README on the page and it said you have to short RST to GND when you first plug it in for the computer to see it as mass storage.

stratmor commented 3 years ago

Let me know whether it worked or not, please) I do not have. But I restored the microcircuit.

justcallmekoko commented 3 years ago

I got it to work

stratm0r commented 3 years ago

Please describe your actions. Perhaps I missed something. How was the A32u4 programmed?

justcallmekoko commented 3 years ago

I used a USBASP just as they said in the repo but it can be done with Arduino as ISP probably.

The hex file that was included in the "precompiled" directory did not work so I followed the steps to build it from source. I think that is what worked.

justcallmekoko commented 3 years ago

The next thing I have to check is if I can run a demo ducky script on it

justcallmekoko commented 3 years ago

@stratm0r let me know if you are able to get it working. I am happy to answer any other questions

stratm0r commented 3 years ago

Sorry, we have early morning) I still don't think well ... Yes, probably the fact is that you compiled and I did not. I'll collect the sources and try again. The memory card is very important. By the way - does the keyboard work?

justcallmekoko commented 3 years ago

I was not able to try the keyboard yesterday. I had to do a live stream and I ran out of time to test. I will probably give it a try today.

Before I compiled the bootloader from source, I did try the precompiled bootloader and it DID NOT work. If you are not able to compile it from source yourself, I can send you the bootloader I compiled

stratm0r commented 3 years ago

I would be very grateful to you) There is no way to compile the sources at work (.

justcallmekoko commented 3 years ago

Gotcha. I am also at work at the moment and I won't be home for another 8 hours. If you haven't compiled it by the time I get home, I will send you the file.

stratm0r commented 3 years ago

Ok, thanks and have a nice day)

justcallmekoko commented 3 years ago

Thanks, you too. Also do you have an Instagram I can tag when I post the pictures of your DIY marauder? I would like to give you credit.

stratm0r commented 3 years ago

Yes, I never hid from anyone) https://www.instagram.com/asbest712300/

justcallmekoko commented 3 years ago

Here is the bootloader

stratm0r commented 3 years ago

Many thanks!)

justcallmekoko commented 3 years ago

You're welcome. I found out that in order to get it to run the uploaded firmware, like Blink for example, you have to go into the file manager and eject the atmega32u4.

I don't think this will be a good solution

stratm0r commented 3 years ago

We will probably have to find some other solutions.

justcallmekoko commented 3 years ago

Yes you are correct

stratm0r commented 3 years ago

Didn't create a separate ticket. However, I would like to emphasize. There is some problem in the AP scanner. The scanner does not correctly identify the AP channel. And the attack is made on the adjacent (previous) channel with the AP. As a result, it is ineffective.

stratm0r commented 3 years ago

I added a bit to the Scanner AP code to be able to see the channels and RSSI and saw this problem. But I have not yet understood why this is happening.

justcallmekoko commented 3 years ago

Are you referring to the scan that is executed when you select "Scan AP" on the menu?

If that is the case, I would argue that this scan function works as expected. The channel of the access point is derived from the beacon frame itself so it is actually the access point telling the marauder what channel it is on.

I can also confirm after testing against two separate access points I own, the correct channels were set when attacking them. I can also confirm when sending a probe request attack, I was able to sniff probe request responses from the target networks using wireshark.

stratm0r commented 3 years ago

My point is that we can improve the result if we uniquely identify the channel on which the target access point is operating. Today I tested the device at one of these points. She was on channel 10. The frame was captured from the 9th. The marauder's scanner detected it on channel 9, although it worked on channel 10. As a result, we lost 1 key from the handshake. The other three were received and saved. And the duplicate sniffer got and saved all 4. The result was obtained both there and there - but I suppose we could improve the accuracy of the marauder. And what do you think? Now I will show with an example what I mean ...

justcallmekoko commented 3 years ago

Gotcha I understand. I would appreciate an example. Also could you open a new issue and include the code change you are talking about?

stratmor commented 3 years ago

I could not understand in any way the reason for the infrequent failures in obtaining the EAPOL of interest to me. After you published the AP scanner, I made minor edits there for my own convenience. They concerned the display of the AP channel (there is no point in publishing this). And I was surprised by what you can see in the picture. In this case, the UKrtelecom access point operates on channel 7. But the marauder shows 6. Keenetic at 13 - but the marauder shows 12. I may be wrong, I'm a beginner - but, as I understand it, the data received by the scanner and sniffers of the marauder have the same working mechanism. This means that the EAPOL Sniffer also receives data from adjacent channels and not from the channel on which the AP is operating. Can it be so? photo_2021-05-12_13-00-54 photo_2021-05-12_13-00-52

stratmor commented 3 years ago

The data of a separate scanner in the upper right corresponds to the truth (these are my access points and I myself chose the channels for them)).

justcallmekoko commented 3 years ago

Some access points send broadcast frames on channels adjacent to their normal channel if I understand my reading correctly. I would double check the beacon frames of those access points with wireshark and see if they still show up on channel 6 AND 7. But like I said earlier, the marauder displays the channel it found the beacon on. It could be that the channel tuning of the ESP32 is garbage in which case we would have to maintain some sort of buffer for each network found and set its channel to whichever channel received the most beacon frames for that network.

I have actually implemented something like this here in my "deauth all" firmware

#include <Arduino.h> // provides String and uint8_t in the Arduino environment

// CLASS TO BUILD ACCESS POINT OBJECTS
class AccessPoint
{
  public:
    String essid;
    signed rssi;
    uint8_t bssid[6];
    bool lim_reached = false;
    bool found = false; // VARIABLE FOR RE-SCAN
    int channel;
    int packet_limit = 500;
    int channels[14] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; // ARRAY TO HELP DETERMINE ACTIVE CHANNEL (one counter per channel 1..14)
    // ARRAY TO STORE CLIENTS
    // int clients[20][6] = {};
    // THANKS spacehuhn
    uint8_t deauthPacket[26] = {
      /*  0 - 1  */ 0xC0, 0x00, //type, subtype c0: deauth (a0: disassociate)
      /*  2 - 3  */ 0x00, 0x00, //duration (SDK takes care of that)
      /*  4 - 9  */ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, //receiver (target)
      /* 10 - 15 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, //source (ap)
      /* 16 - 21 */ 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, //BSSID (ap)
      /* 22 - 23 */ 0x00, 0x00, //fragment & sequence number
      /* 24 - 25 */ 0x01, 0x00 //reason code (1 = unspecified reason)
    };
};

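The two ideas in this comment and the earlier one (the channel "is derived from the beacon frame itself", and a per-network counter of which channel each beacon was heard on) can be combined so a scanner does not mislabel an AP whose beacons leak onto an adjacent channel. The following is an added example in plain C++, not Marauder's code: `beaconChannel()` reads the DS Parameter Set element (tag 3) from a beacon's tagged parameters, which is the channel the AP itself advertises, and `ChannelVoter` keeps the same kind of per-BSSID `channels[14]` tally as the class above and picks the majority. The frame layout assumed is the standard 802.11 beacon (24-byte MAC header, 12 bytes of fixed fields, then IEs); `makeBeacon()` builds a constructed beacon with a locally administered BSSID purely as test input, and all names are this example's own.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <iterator>
#include <map>
#include <vector>

// Added example (not Marauder code). Beacon layout assumed from 802.11:
// 24-byte MAC header, 12 bytes of fixed fields (timestamp, interval,
// capabilities), then tagged IEs as (tag, length, value...). Tag 3 is the
// DS Parameter Set; its one-byte value is the channel the AP operates on.
constexpr std::size_t  kMacHeaderLen   = 24;
constexpr std::size_t  kFixedFieldsLen = 12;
constexpr std::uint8_t kTagDsParams    = 3;

using Bssid = std::array<std::uint8_t, 6>;

// Channel advertised in the beacon's DS Parameter Set, or 0 if missing/malformed.
int beaconChannel(const std::uint8_t* frame, std::size_t len) {
    std::size_t pos = kMacHeaderLen + kFixedFieldsLen;
    while (pos + 2 <= len) {
        std::uint8_t tag  = frame[pos];
        std::uint8_t tlen = frame[pos + 1];
        if (pos + 2 + tlen > len) return 0;           // truncated IE: reject the frame
        if (tag == kTagDsParams && tlen == 1) {
            int ch = frame[pos + 2];
            return (ch >= 1 && ch <= 14) ? ch : 0;    // only 2.4 GHz channels are valid here
        }
        pos += 2 + tlen;
    }
    return 0;
}

// Per-BSSID tally: which radio channel each beacon was heard on (same idea as
// the channels[14] array above) plus the channel the AP itself advertises.
struct ApTally {
    std::array<int, 15> heardOn{};   // index 1..14 used, index 0 unused
    int advertised = 0;
};

class ChannelVoter {
public:
    // radioChannel is the channel the receiver was tuned to when the frame arrived.
    void observe(const std::uint8_t* frame, std::size_t len, int radioChannel) {
        if (len < kMacHeaderLen || radioChannel < 1 || radioChannel > 14) return;
        Bssid bssid;
        std::copy(frame + 16, frame + 22, bssid.begin());   // addr3 = BSSID in a beacon
        ApTally& t = tally_[bssid];
        t.heardOn[radioChannel]++;
        if (int ch = beaconChannel(frame, len)) t.advertised = ch;
    }
    // Majority vote over the channels the beacons were heard on; 0 if BSSID unknown.
    int votedChannel(const Bssid& bssid) const {
        auto it = tally_.find(bssid);
        if (it == tally_.end()) return 0;
        int best = 0, bestCount = 0;
        for (int ch = 1; ch <= 14; ++ch)
            if (it->second.heardOn[ch] > bestCount) { best = ch; bestCount = it->second.heardOn[ch]; }
        return best;
    }
    int advertisedChannel(const Bssid& bssid) const {
        auto it = tally_.find(bssid);
        return it == tally_.end() ? 0 : it->second.advertised;
    }
private:
    std::map<Bssid, ApTally> tally_;
};

// Constructed beacon with SSID, rates and DS Parameter Set IEs (test input only).
std::vector<std::uint8_t> makeBeacon(const Bssid& bssid, int dsChannel) {
    std::vector<std::uint8_t> f(kMacHeaderLen + kFixedFieldsLen, 0);
    f[0] = 0x80;                                           // management / beacon
    std::fill(f.begin() + 4, f.begin() + 10, 0xFF);        // DA: broadcast
    std::copy(bssid.begin(), bssid.end(), f.begin() + 10); // SA
    std::copy(bssid.begin(), bssid.end(), f.begin() + 16); // BSSID
    const std::uint8_t ssidIe[]  = {0, 4, 'd', 'e', 'm', 'o'};
    const std::uint8_t ratesIe[] = {1, 1, 0x82};
    const std::uint8_t dsIe[]    = {kTagDsParams, 1, static_cast<std::uint8_t>(dsChannel)};
    f.insert(f.end(), std::begin(ssidIe), std::end(ssidIe));
    f.insert(f.end(), std::begin(ratesIe), std::end(ratesIe));
    f.insert(f.end(), std::begin(dsIe), std::end(dsIe));
    return f;
}

// Scenario from the thread: the AP is on channel 7, one beacon leaks in while
// the radio sits on channel 6, two more are heard on 7. Returns the voted channel.
int demoVotedChannel() {
    Bssid ap{0x02, 0x11, 0x22, 0x33, 0x44, 0x55};          // constructed, locally administered
    auto beacon = makeBeacon(ap, 7);
    ChannelVoter voter;
    voter.observe(beacon.data(), beacon.size(), 6);
    voter.observe(beacon.data(), beacon.size(), 7);
    voter.observe(beacon.data(), beacon.size(), 7);
    return voter.votedChannel(ap);
}

int main() {
    std::printf("voted channel: %d\n", demoVotedChannel());
    return 0;
}
```

In a scanner, the cheapest fix is to trust the DS Parameter Set when it is present and well formed, and fall back to the vote only for beacons that lack it; the vote alone needs several beacons per network before the first leaked frame stops deciding the channel.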
stratmor commented 3 years ago

I can make a .pcap file, if it can be useful to you) What to do?

justcallmekoko commented 3 years ago

I won't be able to open a pcap file since I don't have wireshark at work.