{
  "id": 13539131,
  "url": "https://github.com/matheus-garbelini/esp32_esp8266_attacks",
  "last_synced_at": "2025-04-05T00:10:28.525Z",
  "repository": {
    "id": 77157904,
    "uuid": "206106300",
    "full_name": "Matheus-Garbelini/esp32_esp8266_attacks",
    "owner": "Matheus-Garbelini",
    "description": "Proof of Concept of ESP32/8266 Wi-Fi vulnerabilities (CVE-2019-12586, CVE-2019-12587, CVE-2019-12588)",
    "archived": false,
    "fork": false,
    "pushed_at": "2019-09-08T06:09:11.000Z",
    "size": 21353,
    "stargazers_count": 807,
    "open_issues_count": 1,
    "forks_count": 69,
    "subscribers_count": 33,
    "default_branch": "master",
    "last_synced_at": "2025-04-04T09:07:32.601Z",
    "etag": null,
    "topics": ["crash", "esp32", "esp8266", "hijack", "vulnerabilities"],
    "latest_commit_sha": null,
    "homepage": "",
    "language": "C",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": null,
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/Matheus-Garbelini.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": null,
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null
      }
    },
    "created_at": "2019-09-03T15:08:49.000Z",
    "updated_at": "2025-04-01T02:14:40.000Z",
    "dependencies_parsed_at": null,
    "dependency_job_id": "2cfc1683-18d1-4a29-97ba-2f669eb4f12d",
    "html_url": "https://github.com/Matheus-Garbelini/esp32_esp8266_attacks",
    "commit_stats": null,
    "previous_names": [],
    "tags_count": 0,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Matheus-Garbelini%2Fesp32_esp8266_attacks",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Matheus-Garbelini%2Fesp32_esp8266_attacks/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Matheus-Garbelini%2Fesp32_esp8266_attacks/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Matheus-Garbelini%2Fesp32_esp8266_attacks/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Matheus-Garbelini",
    "download_url": "https://codeload.github.com/Matheus-Garbelini/esp32_esp8266_attacks/tar.gz/refs/heads/master",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 247266565,
      "owners_count": 20910836,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": ["crash", "esp32", "esp8266", "hijack", "vulnerabilities"],
  "created_at": "2024-08-01T09:01:20.584Z",
  "updated_at": "2025-04-05T00:10:28.504Z",
  "avatar_url": "https://github.com/Matheus-Garbelini.png",
  "language": "C",
  "funding_links": [],
  "categories": [
    "\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003ePenetration\u0026\u0026offensive\u0026\u0026penetration frameworks\u0026\u0026post-exploitation frameworks",
    "\u003ca id=\"d4efda1853b2cb0909727188116a2a8c\"\u003e\u003c/a\u003eUncategorized-WiFi"
  ],
  "sub_categories": [
    "\u003ca id=\"39931e776c23e80229368dfc6fd54770\"\u003e\u003c/a\u003eWireless\u0026\u0026WiFi\u0026\u0026AP\u0026\u0026802.11",
    "\u003ca id=\"37ca6907aa42dfd32db5973ff9eec83d\"\u003e\u003c/a\u003eNewly added"
  ],
  "readme": "## ESP32/ESP8266 Wi-Fi Attacks\n**This repository is part of a research outcome from the [ASSET Research Group](https://asset-group.github.io/).**\n![attack_logo](docs/attack_logo.png)\n\nThis repository demonstrates 3 Wi-Fi attacks against the popular ESP32/8266 IoT devices:\n\n* **[Zero PMK Installation (CVE-2019-12587)](https://matheus-garbelini.github.io/home/post/zero-pmk-installation/)** - Hijacking ESP32/ESP8266 clients connected to enterprise networks;\n* **[ESP32/ESP8266 EAP client crash (CVE-2019-12586)](https://matheus-garbelini.github.io/home/post/esp32-esp8266-eap-crash/)** - Crashing ESP devices connected to enterprise networks;\n* **[ESP8266 Beacon Frame Crash (CVE-2019-12588)](https://matheus-garbelini.github.io/home/post/esp8266-beacon-frame-crash/)** - Crashing ESP8266 Wi-Fi devices.\n\n**Follow the links on each vulnerability for more details and Espressif's patches.**\n\nThese vulnerabilities were found in the SDKs of the ESP32 and ESP8266. Their versions were ESP-IDF v4.0-dev-459-gba1ff1692 and NONOS-SDK v3.0-103-g7a31cb7 respectively at the time of the discovery.\n\nWhile a custom version of hostapd is provided to test the first 2 vulnerabilities, for the last one an ESP8266 is used to inject fake 802.11 beacon frames in order to crash others of its own kind (no pun intended!).\n\n### PoC Building and running instructions\n\n##### Running pre-compiled binary\n\nIf you are running Debian or Ubuntu you can execute the already compiled hostapd in the folder `hostapd-2.8_binary`. Just run `hostapd-2.8_binary/run_hostapd_exploit.sh` to start the access point to test the vulnerability or `hostapd-2.8_binary/run_zero_pmk_EAP.sh` to start without this test. Be advised that you need to stop network services with `service network-manager stop` for your Wi-Fi interface to be free.\n\n###### TLDR:\n\n```shell\nservice network-manager stop\n./run_zero_pmk_EAP.sh # to test against CVE-2019-12587 (remember to restart ESP first)\n./run_crash_esp_EAP.sh # to test against CVE-2019-12586\n```\n\n##### Running from source\n\nIf for some reason the binary doesn't work with your system, you can compile the project `hostapd-2.8_source` by running the script `./build.sh`. The script installs the following dependencies before building the tool: `build-essential pkg-config git libnl-genl-3-dev libssl-dev libnl-route-3-dev`.\n\nAfter the build is successful, you can run the script `./run_zero_pmk_EAP.sh` to start the access point to test the vulnerability or `./run_hostapd_normal.sh` to start without the test.\n\n###### TLDR:\n\n```shell\n./build.sh\n./run_zero_pmk_EAP.sh # to test against CVE-2019-12587 (remember to restart ESP first)\n./run_crash_esp_EAP.sh # to test against CVE-2019-12586\n```\n\n##### Testing beacon frame crash (CVE-2019-12588)\n\nIn order to compile the code for the ESP8266 in the folder **beacon_frame_crasher**, it's necessary to follow the steps in [ESP8266 Deauther](https://github.com/spacehuhn/esp8266_deauther/wiki/Installation#compiling-using-arduino-ide). This is a modified version of the board support package for the ESP8266 that allows the injection of raw 802.11 frames. A binary is also provided for a quick test in `beacon_frame_crasher/ESP8266Crasher.ino.d1_mini.bin` in case you have a spare Wemos D1 mini board. Note that this code is hardcoded to crash an ESP8266 configured for an access point with `ssid=TEST_KRA`. As soon as the \"beacon frame crasher\" device starts, the other ESP8266 devices connected to the access point should restart intermittently.\n\nAlternatively, if your Wi-Fi hardware supports monitor mode and injection, you can run the Python script:\n\n```shell\nsudo apt-get install -y aircrack-ng\nsudo airmon-ng check kill\nsudo airmon-ng start wlan0 # wlan0 is your Wi-Fi interface name\npip install scapy\npython beacon_frame_crasher/ESP8266Crasher.py\n```\n\n### PoC Output\n\nIf your ESP device SDK is vulnerable to **CVE-2019-12587**, you should receive an output like this from hostapd:\n\n![zero_pmk](docs/zero_pmk.png)\n\nIf your ESP device SDK is vulnerable to **CVE-2019-12586**, you should receive an output like this from hostapd:\n\n![eap_crasher](docs/eap_crasher.png)\n\nIn this case, as the device restarts every time it attempts a connection with hostapd, you should receive a lot of logs indicating re-connection. If you're monitoring the device serial port, you can also see the trace logs.\n\n### Configuring\n\nBy default the PoC access point has the following configuration:\n\n* ssid=TEST_KRA\n* channel=9\n* bssid=28:c6:3f:a8:af:c5\n* interface=wlan0\n* server_cert=wpa2_server.pem\n* private_key=wpa2_server.key\n* user=matheus_garbelini\n* user_password=testtest\n* EAP method=PEAP\n\nTo change these options, edit the file `hostapd.conf` in the root folder of hostapd (`hostapd-2.8_binary/hostapd.conf` or `hostapd-2.8_source/hostapd/hostapd.conf`). **Please change the interface parameter to match your Wi-Fi NIC; it's advised to leave the other parameters at their defaults if you wish to test the ESP32/8266 client test codes. Correct certificates are also included (the same ones as in the ESP-IDF repository), so there is no need to change them in the hostapd folder.**\n\nIf you wish to change the EAP method or the user credentials, just edit `hostapd.eap_user`.\n\n##### Attention\n\nCheck whether your OpenSSL library allows the use of TLS version 1.0. You can normally change this in `/etc/ssl/openssl.cnf` by changing the last lines to:\n\n```ini\n[system_default_sect]\nMinProtocol = TLSv1.0\nCipherString = DEFAULT@SECLEVEL=1\n```\n\n### Test client codes (optional)\n\nThe code used for testing the vulnerable devices is in the folder `esp_client_test_codes`.\n\n`ESP32_Arduino_EAP_Client` and `ESP8266_Arduino_EAP_Client` can be compiled using their respective Arduino board support packages ([arduino-esp32](https://github.com/espressif/arduino-esp32) and [arduino-esp8266](https://github.com/esp8266/Arduino)). As for the non-Arduino code, ESP-IDF and ESP8266_NONOS_SDK are required to compile `ESP8266_EAP_Client` and `ESP32_EAP_Client`. Note that you need to use the same or earlier SDK versions as mentioned above to trigger all the described vulnerabilities.\n\n### Acknowledgments\n**This research was partially supported by [Keysight Technologies](https://www.keysight.com/sg/en/home.html).**\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatheus-garbelini%2Fesp32_esp8266_attacks",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fmatheus-garbelini%2Fesp32_esp8266_attacks",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatheus-garbelini%2Fesp32_esp8266_attacks/lists"
}