markszabo / drone-hacking

This is the write-up of my research presented at the Ethical Hacking Conference Budapest in May 2016

LH19sw, hello #1

Closed famjaes closed 4 years ago

famjaes commented 7 years ago

Hello, I hope you can help me with my problem. I'm following your project as a guide and I'm trying to hack a Lhx19wfm Quadcopter, but when I scan ports with nmap from Ubuntu it gives the following message: "All 1000 scanned ports on 192.168.0.1 are closed". This drone apparently uses the IPs 192.168.0.1 and 192.168.0.2. I can control the drone with the Wifi UFO Android mobile app, but I also want to be able to control it from the PC. Thanks for any help...

markszabo commented 7 years ago

Hello.

Can you share the exact model of your quadrocopter, as I could not find it with google?

Also it might use UDP for control, and then your current nmap scan will not come up with the open ports. You are probably running nmap with nmap 192.168.0.1, which will only scan the top 1000 TCP ports. You can try nmap -p- 192.168.0.1 to scan all TCP ports, and nmap -sU -p- 192.168.0.1 to scan all UDP ports. However, keep in mind that UDP scanning can take very long and can be unreliable, so I'd suggest only scanning the top 1000 UDP ports with nmap -sU 192.168.0.1.

Another approach would be to capture the packets sent from the phone to the drone and then recreate them with your computer. For this you'll need to connect your computer to the drone's wifi, start Wireshark (make sure that the wifi interface is set to promiscuous mode) and then control the drone with the mobile app. This way you should see the control packets sent from the mobile to the drone.

Can you share the Wireshark capture file together with the current IP of your phone?

If you need any help with the above steps, or something does not work out, let me know.

Cheers, Mark

famjaes commented 7 years ago

Hello markszabo, thank you for helping me. I did what you said. The drone's Wifi (model: Lead Honor lhx19wf, with IP address 192.168.0.1) assigns 192.168.0.3 to the mobile phone (WifiUfo app) and 192.168.0.2 to the desktop PC. Using the command as root, sudo "nmap -sU 192.168.0.1", gives the following information: PORT 67/udp STATE: open/filtered SERVICE: dhcps and PORT: 49153 STATE: open/filtered SERVICE: unknown MAC Address: 08:EA:40:46:BF:DC (Unknown)

and using Wireshark in promiscuous mode, I obtained the capture data found in the file saved with Wireshark: Lhx19wf.zip.

markszabo commented 7 years ago

The capture file is rather strange, there is no communication between the phone and the drone as far as I can see. Can you share a link to your drone and a link to the Android app you are using?

famjaes commented 7 years ago

Yes, I do not know if I am doing something wrong in Wireshark. I activate the promiscuous mode, although I do not want to activate the monitor mode. Thank you very much for the help. This is the drone: https://www.google.com.mx/search?dcr=0&biw=1164&bih=602&tbm=isch&sa=1&ei=zyD3Wf7GCsP4jwT9io7gDg&q=+Lhx19wf&oq=+Lhx19wf&gs_l=psy-ab.3..0i24k1.20129.20129.0.20319.1.1.0.0.0.0.113.113.0j1.1.0....0...1.1.64.psy-ab..0.1.112....0.FLZCbyxgAO4#imgrc=jBOPjBAnsRmjoM:

This is the app: https://play.google.com/store/apps/details?id=com.lewei.multiple.lewei&hl=es

markszabo commented 7 years ago

Hm, could you try to capture the traffic on your phone and post the capture file? If you have root, try this one: https://play.google.com/store/apps/details?id=lv.n3o.shark; if not, you can try this: https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture (though I have no experience with them, they seem to be okay).

famjaes commented 7 years ago

Thank you for your attention, I appreciate the help. It was very hard, but I managed to root my phone, and I used another Android app called Wifi FPV for controlling the drone and the Shark Android app to capture packets with the params -vv -s 0. You can download the Shark file at the next link:
shark_dump_1509646190.zip

I thank you again for your attention and help

markszabo commented 7 years ago

Hm, based on this capture this is what I can tell:

To try to resend packets from your PC, you can try the following. Filter in Wireshark for ip.src_host == 192.168.0.2; this will display only packets from the phone. Look at the Data part of the UDP packets:

[screenshot from 2017-11-03: Wireshark packet list showing the Data field of the UDP packets]

Compare the Data in multiple packets. Up to packet nr 2392 I can only see 2 types of data: 63:63:01:00:00:00:00 and 63:63:0a:00:00:10:00:cc:80:80:00:7e:00:7e:33:66:80:80:00:7e:00:7e:99. From that point on the end of the longer packets seems to change rapidly, e.g. 63:63:0a:00:00:10:00:cc:78:83:00:7e:00:85:33:66:78:83:00:7e:00:85:99. It seems to me that you have given some commands to the drone at that point (e.g. to take off) and that's the reason for the changed content.

Now you want to resend these packets with scapy. Make sure that your computer is connected to the wifi of the drone and that your phone is not connected.

This script will construct the packet with data 63:63:0a:00:00:10:00:cc:78:83:00:7e:00:85:33:66:78:83:00:7e:00:85:99 and send it out 20 times.

# Replays the longer control packet from the phone capture with scapy.
# Runs under Python 2 and 3; the payload is a bytes literal so it is sent as raw Data.
from scapy.all import IP, UDP, send
from time import sleep

srcIP = '192.168.0.2' # spoofed source IP address - your phone's address
dstIP = '192.168.0.1' # destination IP address - the drone's address
srcPort = 40739 # source port
dstPort = 40000 # destination port

# Data field of the longer packet seen in the phone capture
payload = b"\x63\x63\x0a\x00\x00\x10\x00\xcc\x78\x83\x00\x7e\x00\x85\x33\x66\x78\x83\x00\x7e\x00\x85\x99"

print("Sending spoofed packets")

for i in range(20): # 20 packets, 0.1 s apart
    spoofed_packet = IP(src=srcIP, dst=dstIP) / UDP(sport=srcPort, dport=dstPort) / payload
    send(spoofed_packet)
    sleep(0.1)

print("Packets sent")

While running the script run Wireshark on your computer, and then compare the packets sent out by your script with the packets captured earlier on the phone. They should be exactly the same.

Hopefully the drone will do something when you run the script above. Now you will need to figure out which data corresponds to which action. So start capturing the traffic on your phone, then give one command to the drone via the app, stop the capture and check the Data part of those packets. Modify the above script to match the new data you have seen (simply change the payload variable), and run the script. Repeat these steps for all commands (e.g. take off, turn left/right, move forward, backward etc.).

Let me know how it works out.
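The comparison step described above (filter on the phone's source IP, then compare the Data fields of the UDP packets to see which bytes change) can be done offline on the capture file. The following script is an added example, not code from the original thread or from the drone-hacking repository: it reads a classic pcap with only the Python standard library, keeps the UDP packets whose IPv4 source is the phone, groups their payloads by length and reports the byte offsets that differ. The pcap it analyses is constructed in memory from the three hex payloads quoted in the comment above; the MAC addresses, timestamps and IP header fields in it are made-up filler, and the `longest_repeat` helper only reports a byte run that occurs twice in a payload, without claiming what the drone's protocol means by it. Nothing is sent on the network.

```python
# Added example (not from the thread or the repo): offline analysis of the phone capture.
import struct
from ipaddress import IPv4Address

PHONE_IP, DRONE_IP = "192.168.0.2", "192.168.0.1"
SPORT, DPORT = 40739, 40000  # ports used in the scapy script from the thread

# Payloads quoted from the Wireshark capture in the thread (hex as Wireshark shows it).
SHORT = "63:63:01:00:00:00:00"
IDLE = "63:63:0a:00:00:10:00:cc:80:80:00:7e:00:7e:33:66:80:80:00:7e:00:7e:99"
ACTIVE = "63:63:0a:00:00:10:00:cc:78:83:00:7e:00:85:33:66:78:83:00:7e:00:85:99"


def parse_hex(s):
    """'63:63:01' -> b'\\x63\\x63\\x01' (Wireshark's colon-separated byte display)."""
    return bytes(int(tok, 16) for tok in s.split(":"))


def udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + UDP frame with zero checksums; constructed MAC addresses."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + udp
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    return eth + ip


def build_pcap(frames):
    """Classic little-endian pcap (link type 1 = Ethernet) holding the given frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1509646190 + n, 0, len(f), len(f)) + f  # made-up timestamps
    return out


def udp_payloads_from(pcap, src_ip):
    """(sport, dport, payload) for every UDP packet whose IPv4 source is src_ip."""
    (magic,) = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    (linktype,) = struct.unpack("<I", pcap[20:24])
    if linktype != 1:
        raise ValueError("expected an Ethernet capture (link type 1)")
    want = IPv4Address(src_ip).packed
    off, out = 24, []
    while off + 16 <= len(pcap):
        (incl_len,) = struct.unpack("<I", pcap[off + 8:off + 12])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":  # too short or not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17 or ip[12:16] != want:  # not UDP, or not from the phone
            continue
        udp = ip[ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        out.append((sport, dport, udp[8:ulen]))
    return out


def varying_positions(payloads):
    """Offsets at which equal-length payloads differ from one another."""
    n = len(payloads[0])
    if any(len(p) != n for p in payloads):
        raise ValueError("compare payloads of one length at a time")
    return [i for i in range(n) if len({p[i] for p in payloads}) > 1]


def diff_report(a, b):
    """(offset, byte_in_a, byte_in_b) for each position where a and b differ."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def longest_repeat(p):
    """(length, first_offset, second_offset) of the longest non-overlapping byte run seen twice."""
    n = len(p)
    for length in range(n // 2, 0, -1):
        for i in range(n - length + 1):
            for j in range(i + length, n - length + 1):
                if p[i:i + length] == p[j:j + length]:
                    return (length, i, j)
    return (0, -1, -1)


def analyse(pcap, src_ip=PHONE_IP):
    """Group the phone's payloads by length and return the moving offsets per length."""
    by_len = {}
    for _, _, data in udp_payloads_from(pcap, src_ip):
        by_len.setdefault(len(data), []).append(data)
    return {n: varying_positions(ps) for n, ps in by_len.items()}


if __name__ == "__main__":
    frames = [udp_frame(PHONE_IP, DRONE_IP, SPORT, DPORT, parse_hex(h)) for h in (SHORT, IDLE, ACTIVE)]
    frames.insert(2, udp_frame(DRONE_IP, PHONE_IP, DPORT, SPORT, b"\x01\x02"))  # reply, filtered out
    print(analyse(build_pcap(frames)))
    print(diff_report(parse_hex(IDLE), parse_hex(ACTIVE)))
    print(longest_repeat(parse_hex(ACTIVE)))
```

On the quoted payloads the script reports that the 7-byte packets never change and that the 23-byte packets differ only at offsets 8, 9, 13, 16, 17 and 21, which is exactly the set of bytes to watch while issuing one command at a time as the comment suggests. To use it on the real capture, replace the constructed pcap with `open("shark_dump.pcap", "rb").read()`; the parser deliberately rejects pcapng and big-endian files rather than misreading them.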

famjaes commented 7 years ago

Hello, the first packet file I sent was captured with the Wireshark Android app; during the capture in the phone app I moved the throttle up and the control right and left. With the Python code you shared with me, I ran the script and the drone does not react; usually the lights blink and change color when linking, but that is not happening and the rotors did not move. This is the output printed while running the test script, and attached is the capture file: Wireshark python test cap.zip

root@jes-Aspire-one:/home/jes/Escritorio/a# python test.py
WARNING: No route found for IPv6 destination :: (no default route?)
Sending spoofed packets
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
.
Sent 1 packets.
Packets sent
root@jes-Aspire-one:/home/jes/Escritorio/a#

wemgiraldo commented 6 years ago

Any updates on this issue?

OrShemesh1992 commented 5 years ago

I have an Eachine E58 with the same problem, can you help please :) Thanks for the help