If you want to start snooping on Wi-Fi networks, you usually need to start with a Wi-Fi adapter. However, thanks to a Wi-Fi sniffing library written in Arduino and the extremely low-priced ESP8266 chip, you may not need one. For less than $ 10 of electronic equipment, you can build a tiny Arduino Wi-Fi sniffer that stores Wireshark-compatible PCAP files and fits anywhere.
Using Wi-Fi packages, you can learn a lot about the wireless landscape of an area. Even without the Wi-Fi password, you can find out what kinds of devices are nearby, what devices are connected to which networks, and what other information can be helpful to a hacker. To get started, you typically need to invest in a wireless network adapter that gives you more control than the average consumer adapter.
While there's a lot of talk about which wireless network adapter is best, you can get a taste of what's right for you. If you're looking for easy snooping, it turns out that a cheap, easy-to-program microcontroller works well instead.
The ESP8266 for Wi-Fi Recon
The ESP8266 microcontroller can be programmed in Arduino and is integrated with Wi-Fi, which is visible from the printed antenna on the board. These boards are also dirt cheap, which results in many manufacturers adding them to development boards that add useful features such as a USB port to which they can be connected to facilitate programming of the device. While you see many different types of ESP8266-based microcontrollers, they all have the same chip in the middle with the distinctive antenna pattern.
One of the most popular development boards for the ESP8266 is the D1
Due to the popularity of the manufacturers There are many additional "shields" that are sold together with the D1 Mini. These can be stacked on top of each other to increase functionality. One of the most useful D1 Mini Shields is an SD card module for reading and writing data to a microSD card.
Space Chicken's Arduino PCAP Library
Thanks to the efforts of Stefan Kremser, aka Space Chicken, an easy to use library for creating Wireshark readable PCAP files can be loaded onto an ESP8266 in minutes. While the ESP8266 is much less powerful than most wireless network adapters, it's really cool to read the Wi-Fi network with just a microcontroller.
There are some limitations here, and in general, this library works better on the more powerful ESP32, which costs a bit more. The trade-off is expensive, and since you can get a D1 Mini plus a datalogger for less money (depending on where you shop), it's easy to accept the limitations of a small, inexpensive microcontroller.
Once you have the library On the ESP8266 device, you must retrieve the read data. One of the best ways to do this is to have a serial connection that allows you to write data from the microcontroller to your computer via the serial port. It is impressive to see how Wireshark's results are transmitted live by a small microcontroller. Instead, we focus on a small unconnected version that stores the traffic recorded on a microSD card.
This form factor can be used for hiding, an area in which many users must create a list of MAC addresses that they own as passive Wi-Fi sniffers, which could prove that a device belongs to a particular one Time in an area, or to understand the network layout of an area and which devices are entitled to connect to which networks. With the tiny D1 Mini you can hide the sniffer in almost everything.
What You Need
First, you need an ESP8266-based device such as the NodeMCU or the D1 Mini. I highly recommend the D1 Mini as it offers just the right size for the next important piece of the puzzle, the SD card reader.
The SD card reader is important if you want to save the data to a microSD card. I recommend the aforementioned D1 mini-datalogger sign, which you can actually get quite cheap. That way, you can simply solder the pins together and put them together to create a wireless data logger. It contains a real time clock, meaning you can write time-stamped data to any properly formatted microSD card you have.
You also need a soldering iron to solder the headers supplied with the D1 Mini and the Datalogger Shield to the D1 Mini and Datalogger Shield. Finally, you need a microSD card that is formatted with a Fat32 file system. Exfat does not work, I tried.
The free, cross-platform Arduino IDE allows us to quickly prototype what we do. Make sure you that have been installed on your computer. Arduino's integrated development environment enables fast writing and uploading of scripts to Arduino-style microcontroller devices.
For this project to work, we need to install some libraries that allow us to communicate everything. We need the microcontroller's radio to store packages on the microSD card. This means we need libraries to communicate with the microSD card and turn the radio signals into meaningful data. Installing any library in Arduino is fairly simple and usually includes some helpful sample sketches to build from.
In the Arduino IDE, open the "Arduino" folder, where the Arduino IDE saves your sketch files. You should see a folder called "Libraries" that should be stored in a location listed below for your operating system. If you add a library here, it will be displayed in the "Import Library" menu.
- macOS: ~ / Documents / Arduino / libraries /
- Windows: My Documents Arduino libraries
In a Terminal Window, Change to the directory where your Arduino libraries are located and then copy the Arduino PCAP repository, the Arduino Time Library, and the ESP8266 dependency on GitHub ~ / Documents / Arduino / Libraries /
Git clone https://github.com/spacehuhn/ArduinoPcap.git
Git clone https://github.com/PaulStoffregen/Time.git
git clone https://github.com/esp8266/Arduino.git[19659028DieserOrdnerwirdvonArduinoIDEbeijedemStartaufbenutzerdefinierteBibliothekengeprüftImAllgemeinengibteszweiMöglichkeiteneineBibliothekhinzuzufügenSiekönnenauf"Skizze"inderoberenMenüleisteklickendannauf"Bibliothekeinschließen"undschließlichauf"Bibliothekenverwalten"umdieSuchleistezuöffnen
Here you can unobtrusively can search for libraries that are popular in the community and download them directly. This is one of the easiest ways to download things like the Adafruit Neopixel library or the SdFat library required to write to our microSD card. Enter "sdfat" and download the SdFat library by clicking "Install". This allows us to include them in each of our sketches from now on.
Close the Arduino IDE and restart it to make sure they are all loaded.
Step 2: Install the Board Library
Now we need to tell the Arduino IDE which hardware we are working with. Click on the "Arduino" drop-down menu and select "Preferences". Next, paste the following URL into the Additional Boards Manager URLs field. Click OK to continue. This should add the ESP8266 cards to the list of cards we can install.
To add the specific D1 Mini we use Click on "Tools" and move your mouse over the "Board" area to to display the list of supported boards. Click on "Boards Manager" above to open the window where you can add more boards.
When the Boards Manager window opens, type "esp8266" in the search bar. Select "esp8266" from ESP8266 Community and install it to add support for the D1 Mini to the Arduino IDE. You may find it already installed in the previous step, but update it if an update is available.
Now a section labeled "ESP8266 Modules" should be displayed under "Board". Select the "WeMos D1 R2 & mini" card and you should be ready to use.
By opening a sample sketch that you can work with, open the Arduino menu and click File -> Examples -> Arduino Pcap. Here's an example called "esp8266_pcap_sd" – open the sketch as we use it as a template for what we send to the D1 Mini. If you want to do this on the more powerful ESP32, you can do the same thing and select ESP32 instead.
When the sketch is open, you will see the main configuration settings.
// ===== SETTINGS ===== // #define CHANNEL 1 #define filename "esp8266" #define SAVE_INTERVAL 30 // Save new file every 30s #define CHANNEL_HOPPING true // If true, all channels are searched #define MAX_CHANNEL 11 // (only necessary if channelHopping is true) #define HOP_INTERVAL 214 // in ms (only necessary if channelHopping is true)
Let's start by setting these settings so that we can effectively sniff. First, we define the channel on which the device tracks. The most commonly used network channels are 1, 6 and 11, so we set this to 6.
#define CHANNEL 6
Next, we decide how long we want to wait before we save the file to the computer Micro SD card. The D1 Mini does not have that much memory, so it's a good idea to do it every 30 seconds. You can name the file in which it is created differently. Increasing the time results in larger file sizes, but the likelihood of overloading the device with too much traffic is too great.
#define FILENAME "esp8266" #define SAVE_INTERVAL 30 // save new file every 30s
Now we want to decide if we want to channel the channel or not. In this way, we can see the traffic and devices that use other channels, but also shred many packets as we move between networks and make them useless. Therefore, you can retrieve a variety of packets from many different channels or focus on one channel without fear of fragmentation. In our example, we avoid fragmentation by setting the value to false.
If you choose channel hop, you can choose how high the channel should go. In the US, Wi-Fi networks do not use channels over 11, but in other countries. Here, however, it only makes sense to set the value to 11.
#define CHANNEL_HOPPING false // If true, it will search on all channels #define MAX_CHANNEL 11 // (only necessary if channelHopping is true)
If we want to enable channel hopping, we can reduce some of the damage fragmentation to our example by setting the next value to a longer value. A longer value here means more time for snooping for each channel, resulting in less packet fragmentation of samples.
#define HOP_INTERVAL 214 // in ms (only required if channelHopping is true)
Our control settings should now look something like this.
// ===== SETTINGS ===== // #define CHANNEL 6 #define FILENAME "nullbyte" #define SAVE_INTERVAL 30 // Save new file every 30s #define CHANNEL_HOPPING false // If true, all channels are searched #define MAX_CHANNEL 11 // (only necessary if channelHopping is true) #define HOP_INTERVAL 214 // in ms (only necessary if channelHopping is true)
Step 4: Connect the hardware together
Now it's time to connect the hardware. If you have your D1 Mini and a Datalogger Shield online, you need to solder the pins which is surprisingly easy (trust me). For the D1 Mini, make sure you solder pin headers into which you can plug in the datalogger, as in the following example.
If you do not want to solder and want to support Spacehuhn's work, you can also buy a board in his webshop.
Step 5: Press the Code and Sniff Packages
Now it's time to connect everything. Insert the microSD card into the module, plug the USB cable into your computer and into the D1 mini and click on the "Tools" menu and then on "Port". You should see a "serial" port that may already be selected. If not, select it here. If you do not see the correct serial port, it means that you probably have not installed the correct driver to see the USB interface of the D1 Mini, and that needs to be installed.
As soon as you see the serial port, you are ready to press the code! First, check that the code compiles correctly by clicking the check mark button in the top left corner of the screen. Then click the arrow button next to the check mark to send the code to the D1 Mini.
Then click "Tools," then "Serial Monitor" to display the status of the D1 Mini. Set the baud rate to 115,200 otherwise it would look like random characters.
If you see a message like above, you are successful! You can log PCAP files on the SD card. Once you're done logging, you can unplug the device, remove the microSD card and load it into a computer to see the results.
With If you run a small coin-cell battery, your logger can work independently as long as the SD card has room and the battery is powered. Some interesting ideas for saving energy could also be the installation of a passive infrared sensor, which only turns on when motion is detected, and logs the Wi-Fi traffic from nearby devices when people are detected as being present.
Compromising with the ESP8266  Although the Arduino PCAP library is an excellent way to start sniffing, there are a number of limitations. The ESP8266 does not have a more powerful wireless network adapter, and it is much more likely that frames will be damaged for a variety of reasons or missed packet capture.
It should be remembered that there are always multiple channels The sniffer can not hear while scanning on a particular channel. So, if you capture Wi-Fi traffic by scanning each channel, the fragmentation is likely to be large. If you tune the sniffer so that it only listens on one channel, it will be more likely to capture everything, provided you know that the channel of your target network is active.
I hope you liked this guide to sniffing Wi-Fi on an ESP8266 microcontroller! If you like this project and you want to see more, you can support Space Chicken on Patreon. And if you have questions about this ESP8266 tutorial or have a comment, please do not hesitate to contact me on Twitter @KodyKinzie .