Blackhat Eu19 Arsenal

DroneSploit is a pentesting framework for hacking drones. It provides a Metasploit-like console interface and plugin architecture to automate attacks against drones. The document outlines DroneSploit's objectives, architecture, modules for common drones like the Hobbico C-me and Flitt, and ideas for further extending the tool's capabilities to new drone types and attacks.


Hacking drones with DroneSploit

A pentesting console framework dedicated to drones

By Alexandre D’Hondt and Yannick Pasquazzo



• Introduction
• Background
• Quick start
• Module creation
• Scenarios
• Conclusion

• Introduction
• Scope
• Objectives
• Background
• Quick start
• Module creation
• Scenarios
• Conclusion

Introduction > Scope

• Currently : WiFi-controlled light commercial drones

• Soon : Radio-controlled light commercial drones

• Future : More complex drones



Introduction > Objectives


1. Gather and share knowledge

2. Assess drone security

3. Automate attacks

Expected : All-in-one framework

[Diagram labels: Usually available; Drone analysis; Exploit script; Added value; Framework module]

• Introduction
• Background
• Drone architecture
• WiFi attacks
• Common security issues
• Quick start
• Module creation
• Scenarios
• Conclusion

Background > Drone architecture

• Architecture : AP – WiFi client



Background > Drone architecture

• OS :
  • Busybox
  • Toybox
• Flight control app :
  • APK
  • IPA
• Protocols :
  • Flight control (proprietary / MAVLink / …)
  • RTSP (video streaming)
  • FTP (for file/update transfer)
  • Telnet

Background > WiFi attacks

• Deauthentication
  • Can be sent by an AP to a rogue station
  • Can also be spoofed for deauthenticating a target station
  • Can cause a new WPA handshake

• WPA2 PSK password guessing
  • Starts with a deauth
  • Once the WPA handshake is captured, offline guessing attack
  • Toolkit : Aircrack-NG
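
From the monitoring side, the spoofed deauthentication described above shows up as a burst of deauth frames aimed at one station. The following detector is an added example, not part of the original slides or of DroneSploit; the frame builder, MAC addresses, threshold and window are constructed for illustration.

```python
import struct
from collections import defaultdict, deque

def parse_deauth(frame: bytes):
    """Return (receiver, claimed_transmitter, reason) for a bare 802.11
    deauthentication frame (no radiotap header, no FCS), else None."""
    if len(frame) < 26:                      # 24-byte header + 2-byte reason
        return None
    fc = frame[0]                            # version | type | subtype bits
    if fc & 0x3 != 0 or (fc >> 2) & 0x3 != 0 or (fc >> 4) != 12:
        return None                          # not management/deauth (subtype 12)
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    (reason,) = struct.unpack_from("<H", frame, 24)
    return mac(frame[4:10]), mac(frame[10:16]), reason

def detect_deauth_bursts(capture, threshold=5, window=1.0):
    """capture: time-ordered (timestamp_s, frame_bytes) pairs. Alert once per
    (receiver, transmitter) pair that sees `threshold` deauths in `window` s."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed is None:
            continue
        pair = parsed[:2]
        q = recent[pair]
        q.append(ts)
        while ts - q[0] > window:            # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and pair not in alerted:
            alerted.add(pair)
            alerts.append({"receiver": pair[0], "transmitter": pair[1],
                           "count": len(q), "first_seen": q[0]})
    return alerts

def build_frame(fc0, rx, tx, reason=7):
    """Construct a sample management frame: FC, duration, 3 addresses, seq, reason."""
    return bytes([fc0, 0, 0, 0]) + rx + tx + tx + b"\x00\x00" + struct.pack("<H", reason)

# Constructed sample capture (locally administered MACs, not real devices).
STATION, AP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [(0.1 * i, build_frame(0xC0, STATION, AP)) for i in range(8)]  # burst
SAMPLE.append((5.0, build_frame(0xC0, STATION, AP, reason=3)))          # isolated
SAMPLE.append((5.1, build_frame(0x80, b"\xff" * 6, AP)))                # beacon-type

if __name__ == "__main__":
    for alert in detect_deauth_bursts(SAMPLE):
        print(alert)
```

The transmitter address is only what the frame claims: deauthentication frames are unauthenticated unless 802.11w Protected Management Frames is in use, so the alert is keyed on the targeted receiver rather than on trust in the source.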

Background > Common security issues

• Weaknesses (not exhaustive) :
  • Default (weak) hardcoded credentials (CWE-798)
  • Lack of identification of the pilot station (CWE-862)
  • No enforcement of a single pilot
  • Lack of integrity check of update file (CWE-353)
  • Unneeded services left open
  • Hardware debug port left on production board
  • Clear text protocols

• Introduction
• Background
• Quick start
• Startup
• Scanning
• Password guessing
• Using modules
• Module creation
• Scenarios
• Conclusion

Quick start > Startup

DroneSploit :
• Based on Sploitkit
• Metasploit-like
• Easy to use (extended auto-completion and validation)
• OO plugin architecture

Quick start > Startup

• Start : Terminal

• Actions :
1. Start the framework
$ python3 main.py

2. Get help
dronesploit > help

• End State :
DroneSploit started

Quick start > Startup

DEMO TIME

Quick start > Scanning

• Start : DroneSploit (root)

• Actions :
1. Set iface in monitor mode
dronesploit > toggle wlp4s0

2. Scan on iface in monitor mode
dronesploit > scan wlp4s0

• End State :
✓ Interface in monitor mode
✓ Targets acquired

Quick start > Scanning

DEMO TIME

Quick start > Password guessing

• Start : DroneSploit (root)

• Actions :
1. Enter the cracking module
dronesploit > use auxiliary/wifi/wpa2psk_crack

2. Run the attack
dronesploit auxiliary(…) > run

• End State :
✓ Password guessed
✓ Connected to target

Quick start > Password guessing

DEMO TIME

Quick start > Using modules

• Start : DroneSploit (root)

• Actions :
1. Connect to a target
dronesploit > connect [target]
2. Enter a module
dronesploit > use …
3. Show options
dronesploit exploit(…) > show options
4. Run it
dronesploit exploit(…) > run

• End State :
✓ Module’s output

Quick start > Using modules

DEMO TIME

• Introduction
• Background
• Quick start
• Module creation
• Options/functionalities
• Structuring
• Writing
• Scenarios
• Conclusion

Module creation > Options/functionalities

• Options & functionalities inheritance :
  • The following can be shared among subclasses through the same proxy class :
    • Configuration
    • Requirements
    • Docstring

NB: Precedence goes to subclasses

Module creation > Structuring

• Proxy classes :
  • Holding shared configuration options
  • Implementing common functionalities

• Subclasses :
  • Holding specific options
  • Model-specific particularities

[Diagram labels: Sploitkit; DroneSploit]

Module creation > Writing

• Imports :
  • Sploitkit : from sploitkit import Config, Option
  • DroneSploit : from lib.[drones|wifi] import …

• Methods :
  • Before loading / after unloading the module : .preload() / .postload()
  • Before / after running the module : .prerun() / .postrun()
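
The proxy-class pattern from the module creation slides (shared options, subclass precedence, hooks around the run) can be modelled in plain Python. This is an added, simplified stand-alone model, not Sploitkit's or DroneSploit's code and not their API; every class, option name and value in it is hypothetical.

```python
class Module:
    """Hypothetical base class standing in for the framework's module type."""
    config = {}
    requirements = {}

    @classmethod
    def inherited(cls, name):
        """Merge a dict attribute along the MRO, base first, so that the
        most specific subclass overrides what its proxy class declares."""
        merged = {}
        for klass in reversed(cls.__mro__):
            merged.update(vars(klass).get(name) or {})
        return merged

    @classmethod
    def description(cls):
        """Use the nearest docstring: the subclass's own, else the proxy's."""
        for klass in cls.__mro__:
            if vars(klass).get("__doc__"):
                return klass.__doc__.strip()
        return ""

    def __init__(self):
        self.trace = []

    def prerun(self):
        self.trace.append("prerun")

    def run(self):
        self.trace.append("run")

    def postrun(self):
        self.trace.append("postrun")

    def execute(self):
        """Call the hooks around run(): prerun, then run, then postrun."""
        self.prerun()
        self.run()
        self.postrun()
        return self.trace

class DroneProxy(Module):
    """Shared options for every module targeting one drone family."""
    config = {"TARGET": None, "PORT": 23, "TIMEOUT": 10}
    requirements = {"connected": True}

class ModelSpecific(DroneProxy):
    config = {"PORT": 2323}   # model-specific value overrides the proxy default

    def run(self):
        opts = self.inherited("config")
        self.trace.append(f"run port={opts['PORT']} timeout={opts['TIMEOUT']}")
```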

• Introduction
• Background
• Quick start
• Module creation
• Scenarios
• Hobbico C-me
• Hobbico Flitt
• DJI Tello
• Conclusion

Scenarios > Hobbico C-me

DEMO TIME

Scenarios > Hobbico Flitt

DEMO TIME

Scenarios > DJI Tello

DEMO TIME

• Introduction
• Background
• Quick start
• Module creation
• Scenarios
• Conclusion
• Objectives
• Further work

Conclusion > Objectives

1. Gather and share knowledge
✓ Convenient console interface
✓ OO plugin architecture

2. Assess drone security
✓ User experience like in popular pentesting frameworks

3. Automate attacks
✓ WiFi attacks
✓ Drone-specific attacks

Conclusion > Further work

1. Extend to new light commercial drones

2. Extend scope to radio-controlled drones

3. Extend scope to heavier/better-designed drones

4. Leverage some new features of Sploitkit (storage, …)
