2. Flipper Add‐On: Marauder ‐ Marauder Spoof

Eduardo edited this page May 15, 2024 · 21 revisions

How do the technologies behind the Flipper Add-On Marauder and Marauder Spoof work?

Marauder

The ESP32 Marauder is a WiFi and Bluetooth analysis tool. It hosts a suite of capabilities for frame capture, device enumeration, and frame transmission. It is intended to serve as a portable device to stand in for physically larger traffic capturing tools and to provide captured data for post-op analysis.

MagSpoof

MagSpoof, based on Samy Kamkar's work, emulates a magnetic stripe by quickly changing the polarity of an electromagnet, producing a magnetic field similar to that of a normal magnetic stripe being swiped.

To learn more about MagSpoof or magnetic stripe cards, visit:

Flipper Add-On: Marauder

This Add-On unlocks a powerful toolset for the Flipper, fueled by the ESP32-S3 module and meticulously crafted for offensive and defensive maneuvers in the WiFi and Bluetooth realms.

ESP32-S3 supports 2.4 GHz Wi-Fi (802.11 b/g/n) with 40 MHz of bandwidth support. The Bluetooth Low Energy subsystem supports long-range through Coded PHY and advertisement extension. It also supports higher transmission speed and data throughput, with 2 Mbps PHY. Both Wi-Fi and Bluetooth LE have superior RF performance that is maintained even at high temperatures.

Tech Specs

ESP32-S3

  • Xtensa® dual-core 32-bit LX7 microprocessor, up to 240 MHz.
  • 384 KB ROM
  • 512 KB SRAM
  • Secure boot
  • Bluetooth LE: Bluetooth 5, Bluetooth mesh.
  • IEEE 802.11b/g/n-compliant.

Schematics

Find the Marauder schematics here: flipper-shields/Marauder

Flipper Add-On: Marauder Spoof

This Add-On emerges from the fusion of our renowned MagSpoof variant with the ESP32-S3 module, seamlessly infused with the Marauder.

This Add-On incorporates the renowned MagSpoof functionality into the Flipper system. Leveraging identical components and enhancements that define our distinct MagSpoof iterations, these elements have been expertly adapted to seamlessly integrate with the Flipper platform.

Tech Specs

ESP32-S3

  • Same as Flipper Add-On: Marauder

MagSpoof

  • TC4424 (Dual High-Speed Power MOSFET driver)
    • High Peak Output Current: 3 A.
    • Wide Input Supply Voltage Operating Range: 4.5 V to 18 V.
    • High Capacitive Load Drive Capability: 1800 pF in 25 ns.
    • Short Delay Times: <40 ns (typ).
    • Low Output Impedance: 3.5 Ω (typ).

Schematics

Find the Marauder Spoof schematics here: flipper-shields/MARAUDER_SPOOF

Marauder Spoof case

@Gino-Tonic has shared with us his 3D-designed case ready to be printed. You can find and download the STL file HERE. Go and thank Gino!

Understanding Flipper Add-On: Marauder and Flipper Add-On: Marauder Spoof

Marauder is not just firmware for the ESP32; it's a suite of powerful tools that unlocks its full potential as a WiFi and Bluetooth powerhouse for both offensive and defensive security purposes. It offers a variety of capabilities:

  • Offensive Arsenal:

    • Network Scanning and Sniffing: Scan for nearby Wi-Fi networks, identify connected devices, and even capture network traffic to understand data flow.
    • Vulnerability Assessments: Test the security of Wi-Fi networks and devices by probing for weaknesses like WPS vulnerabilities, open ports, and outdated firmware.
    • Deauth Attacks: Disrupt wireless connections by injecting deauthentication packets, effectively "kicking" devices offline.
    • Packet Injection: Craft and inject custom packets into wireless networks for advanced manipulation and exploration.
    • Man-in-the-Middle Attacks: Intercept and modify communication between devices on a network, potentially gaining access to sensitive information.
  • Defensive Shield:

    • Wireless Intrusion Detection: Monitor your own network for suspicious activity and identify potential threats like unauthorized devices or hacking attempts.
    • Packet Capture and Analysis: Capture and analyze network traffic to understand data flows, identify anomalies, and troubleshoot network issues.
    • Penetration Testing: Simulate real-world attacks on your own network to identify and address vulnerabilities before attackers do.
    • Wireless Forensics: Analyze captured network traffic for traces of past activity, potentially aiding in investigations or incident response.

Important

ONLY MARAUDER SPOOF:

What can MagSpoof do:

  • Store all of your credit cards and mag stripes in one device.
  • Works on traditional mag stripe readers wirelessly (no NFC/RFID required).
  • Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously.
  • Simulates the swiping of a magnetic stripe card, either in one direction or in the opposite direction.
  • MagSpoof can be used as a traditional credit card and simply store all of your credit cards (and with modification, can technically disable chip requirements) in various impressive and exciting form factors, or can be used for security research in any area that would traditionally require a mag stripe, such as readers for credit cards, drivers licenses, hotel room keys, automated parking lot tickets, etc.

Buttons on Flipper Add-On: Marauder and Marauder Spoof

The buttons on the Add-On are only useful to reset the ESP32 module and enter the bootloader mode.

Note

Resetting the board is possible using the option Reboot in the Marauder menu.

Enter Bootloader mode

Entering bootloader mode is useful when updating the ESP32-S3 firmware. To enter bootloader mode, follow this button sequence:

  1. Tap and hold the BOOT/GPIO button.
  2. While pressing the BOOT/GPIO button tap and release the RESET button.
  3. Release the BOOT/GPIO button.

First steps with Marauder

To use the Flipper Add-Ons you must flash the Unleashed firmware to the Flipper Zero and the Marauder firmware to the ESP32-S3.

Important

The ESP32-S3 module comes with the Marauder firmware pre-flashed.

Flash firmware on the ESP32-S3 module.

Important

Keeping the ESP32-S3 updated to the latest Marauder or Evil Portal firmware version ensures the correct functionality.

As in other applications, the ESP32-S3 module is not the main MCU when used with a Flipper. This means that firmware updates should be done through the USB-C port on the Add-On and not through the Flipper's USB.

Follow the next steps to flash the firmware:

  1. Go to the ESPWEBTOOL.

  2. Attach the Marauder/Marauder Spoof Add-On to the Flipper.

  3. Plug the USB cable into the USB-C port on the Add-On and put the ESP32-S3 module into bootloader mode.

  4. Click Connect on ESPWEBTOOL. A pop-up menu will appear; select the correct board and port.

  5. Use the following table to select the appropriate files and place them at the corresponding addresses.

bin           Address
Bootloader    0x0
Partitions    0x8000
Boot App      0xE000
Firmware      0x10000   (Marauder or Evil Portal)

Important

You must use either the Marauder or the Evil Portal firmware file depending on the application you will perform.

  6. Click on PROGRAM. A confirmation pop-up window will appear; click on CONTINUE.

  7. The update will start immediately. Do not disconnect the USB cable or detach the Add-On from the Flipper while updating.

  8. Once the update has finished, press the RESET button.

Now you can unplug the USB cable and you are ready!
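As an added example (not part of this page, of ESPWEBTOOL or of the Marauder project), the following Python check encodes the address table from the steps above and verifies that each binary fits in the gap before the next offset before you program it. The esptool.py argument builder is an assumed alternative to ESPWEBTOOL, and the sizes and file names used are constructed.

```python
# Added example: sanity-check the ESP32-S3 flash layout from the table above.
# Not part of the page or of ESPWEBTOOL; the esptool.py builder is an
# assumed alternative, and all sizes/paths used here are constructed.

# Offsets from the page's table, in flash order.
FLASH_LAYOUT = (
    ("bootloader", 0x0),
    ("partitions", 0x8000),
    ("boot_app", 0xE000),
    ("firmware", 0x10000),  # Marauder or Evil Portal .bin
)


def check_layout(sizes):
    """Return problems for a {name: size_in_bytes} mapping: each binary must
    fit between its own offset and the next one. The page gives no upper
    bound for the firmware slot, so only presence is checked there."""
    problems = []
    for i, (name, offset) in enumerate(FLASH_LAYOUT):
        if name not in sizes:
            problems.append(f"{name}: missing binary")
            continue
        if i + 1 < len(FLASH_LAYOUT):
            capacity = FLASH_LAYOUT[i + 1][1] - offset
            if sizes[name] > capacity:
                problems.append(f"{name}: {sizes[name]} bytes exceeds the "
                                f"{capacity}-byte slot at 0x{offset:X}")
    return problems


def esptool_args(port, paths):
    """Build an esptool.py write_flash command (assumed alternative to
    ESPWEBTOOL) from {name: path}, using the offsets in FLASH_LAYOUT."""
    args = ["esptool.py", "--chip", "esp32s3", "--port", port, "write_flash"]
    for name, offset in FLASH_LAYOUT:
        args += [f"0x{offset:X}", paths[name]]
    return args


if __name__ == "__main__":
    # Constructed sizes: a partition table too large for its 0x6000-byte slot.
    sample = {"bootloader": 0x5000, "partitions": 0x7000,
              "boot_app": 0x2000, "firmware": 0x180000}
    for problem in check_layout(sample):
        print("PROBLEM:", problem)
    print(" ".join(esptool_args("/dev/ttyACM0",
                                {n: f"{n}.bin" for n, _ in FLASH_LAYOUT})))
```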

Examples

Evil Portal

Evil Portal turns your Marauder/Marauder Spoof Add-On into an open access point. When users try to connect to this access point they are served a fake login screen. User credentials are sent to the Flipper and logged on the SD card.

Warning

Disclaimer: Use this for educational purposes only. We are not responsible for any damage caused.

Evil Portal workflow

  1. Flash the Evil Portal firmware.
  2. Download the evil_portal_sd_folder from the releases section of the ElectronicCats/flipper-zero-evil-portal repository.
  3. Put the evil_portal folder into the apps_data folder on your SD card. This is what your Flipper SD card should look like if done correctly:

     apps_data/
       evil_portal/
         ap.config.txt
         index.html
         logs/
           <empty>

  4. Open the app on the Flipper and press Start portal on the main menu.

The AP will take the name that is in the ap.config.txt file located on your Flipper in the apps_data/evil_portal/ folder.

When you connect to the AP a web page will open after a few seconds. This web page contains the HTML located in the index.html file located on your Flipper in the apps_data/evil_portal/ folder.

You can stop the portal by pressing Stop portal on the main menu. The LED should turn blue.

You can manually save logs using the Save logs command. Logs will be stored in the logs folder that is in your apps_data/evil_portal/ folder.

Logs will automatically be saved when exiting the app or when the current log reaches 4000 characters.

Visit the ElectronicCats/flipper-zero-evil-portal repository to learn more!

Marauder

The Marauder application has several options and menus that may be confusing; here you will find a brief description of each option in the Marauder application. Some option names explain the function themselves.

First, open the Marauder application: go to Apps > GPIO > [ESP32] WiFi Marauder. You can visualize these steps in the Finding the Apps section.

Important

To save the changes use the save button on the flipper keyboard!

Menus

1. View Log from

With this option, you can see the log of the attacks, configuration, and more you have made using the Marauder app.

2. Scan

Does a scan of wireless access points and saves them to a list to be used in future operations.

3. SSID

Generates or removes SSIDs for beacon spam attacks. In this menu you will have three additional options:

  • add rand: stands for "add random"; generates random SSIDs and adds them to the SSID list.
    Example: generates 4 random SSIDs.
  • add name: generates an SSID with the given name and adds it to the list.
    Example: generates an SSID named "ecats" and adds it to the list.
  • remove: removes the SSID at the given index number from the list of SSIDs.
    Example: removes the SSID at index 2 from the list of SSIDs.

4. List

Gets the full list of scanned access points or of SSIDs added with ssid. Each access point, SSID or station listed is linked to a list number, which lets you select an item from the list for future attacks. In this menu you will have three additional options:

  • ap: list of access points.
  • ssid: list of SSIDs added with ssid.
    Example: the ecats SSID previously added with ssid is listed.
  • station: list of stations.

5. Select

Selects or deselects access points and/or stations for targeted attacks. You must provide a comma-separated list of indices of the desired access points and/or stations from list. As with list, you can select an item in the AP, SSID or station lists.

Example: ecats SSID selected by indicating position 0 in the SSID list, then unselected by indicating the same number

6. Clear list

Clears the list of scanned access points or SSIDs built with Scan and ssid. Note that if the list of access points is cleared, the list of stations is cleared as well.

7. Attack

Transmit WiFi frames with specific targets or broadcasts. In this menu you will have three additional options:

  • deauth: in a de-authentication attack, a target access point is specified as the source address of each de-authentication frame sent. The destination address of these frames is set to broadcast. The intention is for all stations connected to the target access point to be removed from that network. Before executing a deauth flood attack on the ESP32 Marauder, you must build a list of available access points and select which access points to target. See Scan and select for more details on how to build a target list.

Once a proper target list has been built, a deauth attack can be executed.

  • probe: broadcasts many probe requests for a selected AP or SSID. This can be used to confuse probe request sniffers. Before executing a probe request flood on the ESP32 Marauder, you must build a list of available access points and select which ones to target. See Scan and select for more details on how to build a target list.

Once a proper target list has been built, a probe request flood can be executed.

  • rickroll: broadcasts a lot of access points with sections of the well-known song. :trollface:

8. Evil Portal

The Evil Portal provided in the Marauder suite will not work; see the Evil Portal section for more information.

9. Beacon Spam

List Beacon Spam is a method of beacon spam where beacon frames are constructed from a list of APs or SSIDs provided by the user and then broadcast to all stations in range. In this case, the Marauder Spoof will spam beacons using the names in the AP list, the SSID list, or a random list.

10. Sniff

Marauder automatically cycles through channels to capture as much traffic as possible. In this menu you will have eight additional options:

  • beacon: Sniffs and displays information on beacon frames transmitted from access points. Beacon frames contain important information about access points.
  • deauth: Sniff and display de-authentication frames on the screen.
  • pmkid: Sniffs and displays captured pmkid/eapol frames sent during WiFi authentication sessions. Unlike other sniffing functions, the raw frame data is displayed on screen.
  • probe: Sniff and display captured WiFi traffic and harvest probe requests sent from surrounding WiFi clients against any network.
  • pwn: Sniffs and displays information from beacon frames sent by the Pwnagotchi. The Pwnagotchi sends beacon frames to advertise its presence to other Pwnagotchis. These packets contain information about the Pwnagotchi.
  • raw: Sniffs and displays information of transmitted frames with no format.
  • bt, skim: uses Bluetooth and is not supported by the Flipper Marauder app.
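The deauth option under Attack above describes the frame pattern exactly: the target AP is the source address and the destination is broadcast. As an added defensive example (not code from this page or from the Marauder firmware), the following Python parses raw 802.11 management headers, flags broadcast deauthentication frames and alerts on a per-source flood, which is what a Sniff > deauth capture lets you look for. The frames, MAC addresses and alert threshold are constructed assumptions.

```python
# Added defensive example, not from the page or the Marauder firmware: flag the
# broadcast deauth pattern described above. Frames, MAC addresses and the alert
# threshold are constructed assumptions for the example.
import struct
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")
MGMT_TYPE = 0          # 802.11 frame type 0 = management
DEAUTH_SUBTYPE = 0x0C  # management subtype 12 = deauthentication
THRESHOLD = 5          # assumed: broadcast deauths per source before alerting


def parse_header(frame):
    """Return (type, subtype, addr1, addr2, addr3) from a raw 802.11 header."""
    fc = struct.unpack_from("<H", frame, 0)[0]   # frame control, little-endian
    return (fc >> 2) & 0x3, (fc >> 4) & 0xF, frame[4:10], frame[10:16], frame[16:22]


def is_broadcast_deauth(frame):
    """True for a deauth frame addressed to every station (addr1 = ff:ff:...)."""
    ftype, subtype, dst, _, _ = parse_header(frame)
    return ftype == MGMT_TYPE and subtype == DEAUTH_SUBTYPE and dst == BROADCAST


def detect_deauth_flood(frames, threshold=THRESHOLD):
    """Count broadcast deauths per source MAC (the spoofed AP) and return
    {source_mac: count} for sources at or above the threshold."""
    counts = Counter()
    for frame in frames:
        if is_broadcast_deauth(frame):
            counts[parse_header(frame)[3].hex(":")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Constructed helper: management header + body, sequence control zeroed."""
    fc = (subtype << 4) | (MGMT_TYPE << 2)
    return struct.pack("<HH", fc, 0) + dst + src + bssid + b"\x00\x00" + body


if __name__ == "__main__":
    ap = bytes.fromhex("020000000a01")       # constructed locally administered MACs
    client = bytes.fromhex("020000000b02")
    frames = [build_mgmt_frame(0x8, BROADCAST, ap, ap)]                    # a beacon
    frames += [build_mgmt_frame(0xC, BROADCAST, ap, ap, b"\x07\x00")] * 6  # flood
    frames += [build_mgmt_frame(0xC, client, ap, ap, b"\x03\x00")]  # unicast deauth
    print(detect_deauth_flood(frames))  # {'02:00:00:00:0a:01': 6}
```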

11. Signal monitor

Shows changes in signal strength as long as the RSSI value changes by 5. Only access points marked as "selected" will be tracked. While scanning, channels are hopped once every second.

12. Channel

Gets or sets the channel of the WiFi interface.

  • get: shows the current channel.
  • set: sets the channel to the given value.

13. LED

Not working for Flipper Add-On Marauder Spoof.

14. Settings

Display and manage settings for the ESP32 Marauder firmware. For more information on the available settings, see Marauder Settings.

15. Update

Not working for Flipper Add-On Marauder Spoof.

16. Reboot

Soft reset of the ESP32.

17. Help

Shows the full list of commands and their available arguments.

18. Scripts

Write your scripts to perform multiple Marauder functions and run them with a simple click.

19. Save to flipper sdcard

Allows saving the logs to the Flipper SD card; activating both options is recommended.

Marauder workflow examples

Here you will find a set of examples showing the capabilities of the Marauder Spoof; you can also try the different menus in the Marauder app to get more out of Marauder.

Rickroll

  1. Go to Attack and select rickroll.

  2. Open the WiFi settings on another device and you'll find networks created by Marauder named after snippets of lyrics from the song Never Gonna Give You Up.

Beacon spam AP list

  1. Scan the APs near you using Scan > ap.

  2. Go to Beacon Spam > ap list.
