Evil-M5Core2 is an innovative tool developed for ethical testing and exploration of WiFi networks. It harnesses the power of the M5Core2 device to scan, monitor, and interact with WiFi networks in a controlled environment. This project is designed for educational purposes, aiding in understanding network security and vulnerabilities.
Disclaimer: The creator of Evil-M5Core2 is not responsible for any misuse of this tool. It is intended solely for ethical and educational purposes. Users are reminded to comply with all applicable laws and regulations in their jurisdiction. All files provided with Evil-M5Core2 are designed to be used in a controlled environment and must be used in compliance with all applicable laws and regulations. Misuse or illegal use of this tool is strictly prohibited and not supported by the creator.
With more than 100 references at each boot.
If you like this project, support me by buying me a coffee on Ko-fi !
Or use this affiliate link to buy M5 product Support the project on M5 shop !
Meet the smallest hacking tool in the world with all Evil-M5Core2 inside !
(With Screen / SDcard / GPS )
Thx to samxplogs for the video :
Evil-AtomS3 Functionnality :
- All Evil-M5Core2 functionnality except bluetooth serial.
Consumption:
- Tests show max 200mA draw with 100% brightness and using WiFi/GPS
Hardware Requirement :
- M5AtomS3 link M5Stack link AliExpress
- ATOMIC GPS Base link M5Stack link AliExpress
Optional:
- ATOM TailBat(45min) link
It pretty small so you can also check and control serial on USB from your phone or IDE.
Detect deauthentication packets near you, when a machine disconnects from an access point, it sends a deauthentication packet to close the connection, deauthentication packets can also be spoofed to disconnect the device and attacker use automatic reconnection to sniff the 4-way handshake, many deauthentication packets are not normal and should be considered as a possible Wi-Fi attack. This feature also detects nearby pwnagotchi by printing the name and number of pwned network that it get, in this way you can know if you are under attacked.
Beacon Spam create multiple networks on all channels to render multiples SSIDs in wifi search and sniffing equipement. You can use custom Beacon with config file.
For those who do not have GPS but still want to have a use for the wardriving function,
now at the end of a wardriving you can directly record the open networks that you have crossed in order to do targeted karma,
at the end From the scan a KarmaList.txt file is created and karma spear uses this list of SSIDs. You can also add custom SSIDs to the list.
You can now use your Evil-M5Core2 and AtomS3 as a wardriving tool ! Scan wifi network around and link it to position in Wigle format, you can upload it to wigle and generate KLM file for Google earth. You need a GPS for this.
Tested device working on Core2/Fire/AtomS3 :
- ATOMIC GPS Base link M5Stack link AliExpress
Waiting for test :
- GPS Module with Internal & External Antenna link M5Stack
- Mini GPS/BDS Unit link M5Stack
Also if you don't have any GPS wait few days to get an usage of this functionality in V1.1.6 with and without GPS.
- WiFi Network Scanning: Identify and display nearby WiFi networks.
- Network Cloning: Check information and replicate networks for in-depth analysis.
- Captive Portal Management: Create and operate a captive portal to prompt users with a page upon connection.
- Credential Handling: Capture and manage portal credentials.
- Remote Web Server: Monitor the device remotely via a simple web interface that can provide credentials and upload portal that store file on SD card.
- Sniffing probes: Sniff and store on SD near probes.
- Karma Attack: Try a simple Karma Attack on a captured probe.
- Automated Karma Attack: Try Karma Attack on near probe automatically.
- Bluetooth Serial Control: You can control it with bluetooth.
- Wardriving: Wardriving with Wigle format output on SD.
- Beacon Spam: Generate mutliple SSIDs arround you.
( What is a Karma attack ? check the blog : https://7h30th3r0n3.fr/does-your-machine-have-a-good-or-bad-karma/)
- M5Stack Core2 link M5Stack link AliExpress (this project is coded with M5Unified, it should work on other M5Stack).
- SD card (fat32 max 16Go, consider 8Go is already more than enough).
Tested working others device :
- Connect your M5Core2 to your computer.
- Open the Arduino IDE and load the provided code.
- Ensure M5unified, TinyGpsPlus, ArduinoJson and adafruit_neopixel libraries are installed.
- Ensure esp32 and M5stack board are installed (Error occur with esp32 3.0.0-alpha3, please use esp32 v2.0.14 and below).
- Place SD file content needed on the SD card. ( Needed to get IMG startup and sites folder).
- Ensure that the baudrates is at 115200.
- Upload the script to your M5Core2 device.
- Restart the device if needed.
It's your first time with arduino IDE or something not working correctly? You should check out video section !
With more than 100 references at each boot.
🇫🇷 Le turoriel et la démo en francais réalisé par Samxplogs 🇫🇷 (un trés grand merci à lui) :
Samxplogs tutorial video and demo thx to him :
More demo ? Thx to TalkingSasquatch for making a video about the project :
Follow these steps to efficiently utilize each feature of Evil-M5Core2.
- Scan Near WiFi: A fast scan is already made when starting up.
- Menu: Select a network from a list, use left and right keys to navigate and select a network.
- List Details: Informations about the selected network. You can clone the SSID in this menu.
- Operate Captive Portal: With
normal.htmlpage, a mock WiFi passord page designed to mimic a legitimate error on box.
- /evil-m5core2-menu: Menu for pages bellow.
- /credentials: Lists captured credentials.
- /uploadhtmlfile: Provides an upload form to store files on the SD card (for new portal pages and file exfiltration).
- /check-sd-file: Provides an index of to check, download and delete files on the SD card.
- /Change-Portal-Password: Provides a page to change the password of the deployed access point.
When Captive Portal is ON you can connect to it to acces to 3 fonctionnality protected by password :
-
/evil-m5core2-menu This page is just a menu to provide easy access to others page with authentification form.
-
/credentials This page can list the captured credentials.
-
/uploadhtmlfile This page provide a upload form that store files in SD card in any folder of the SD to be able to send new portal page, exfiltrate file trough wifi or change the startup image. please considere to upload file under 1Mo to ensure no lag during the transfert process.
-
/check-sd-file This page provide an index of to check, download and delete files on the SD card.
-
/Change-Portal-Password Provides a page to change the password of the deployed Access Point. Required if attempting a Karma attack on a network with a known password.
To prevent unauthorised access of these page they are really simply protected by a password that you need to change in the code. To acces to these page use the password form in menu:
http://192.168.4.1/evil-m5core2-menu
Any other tried page should redirect to the choosen portal.
- Deactivate: Stops the captive portal and DNS.
- Menu: Choose the portal provided to connecting users. Lists only HTML files.
- Menu: To check captured credentials.
- Option: Delete all captured credentials.
The Monitor Status feature consists of three static menus that can be navigated using the left and right buttons. Each menu provides specific information about the current status of the system:
- Number of Connected Clients: Displays how many clients are currently connected.
- Credentials Count: Shows the number of passwords stored in
credentials.txt. - Current Selected Portal: Indicates which portal is currently being cloned.
- Portal Status: Displays whether the portal is ON or OFF.
- Provided Portal Page: Details about the portal page currently in use.
- Bluetooth: Displays whether the bluetooth is ON or OFF.
- MAC Addresses: Lists the MAC addresses of all connected clients.
- Stack left: Displays the remaining Stack in the device.
- Available RAM: Displays the remaining RAM in the device.
- Battery Level: Shows the current battery level.
- Temperature: Reports the device's internal temperature.
Send fake random probes near you on all channel. Perfect for counter the Probe Sniffing attack. Press left or right to reduce or increase time delay. (200 ms to 1000ms)
Probe Sniffing start a probe scan that capture the SSID receive, you can store and reuse then. Restricted to 150 probes max.
Same as Probe Sniffing but provide a menu after stopping scan to choose a unique SSID, when SSID is chosen, a portal with the same SSID is deploy, if the original AP is an Open Network and the machine is vulnerable it should connect automaticaly to the network and dependind of the machine can pop up automatically the portal, if a client is present when scan end or stopped, the portal stay open, if not the portal is shutdown. (Can be used with password if set on web interface).
Same as Karma Attack but try the first probe seen, if no client connects after 15 seconds the Evil-m5core2 returns to sniffing mode to try another captured probe and continues in a cycle until stopped by the user. Can also be used with a password if set on the web interface, if you have a password and you don't know on which AP it work you could try it with different probe request to test if karma work and get the SSID. This feature is inspired by the pwnagotchi project but with probe request and karma attack, you can use both to ensure a full attack of the near devices around you.
You can add SSID on KarmaAutoWhitelist line like this : KarmaAutoWhitelist=notmybox,thisonetoo
Probe should be ignored and serial message send to notify that this network is whitelisted, it also work on probe sniffing and karma attack.
Same as Karma Auto but with Open SSID captured with wardriving. You can also add custom SSIDs to KarmaList.txt.
Menu to select a previous captured probe SSID and deploy it. List is restricted to 150 probes.
Menu to delete a previous captured probe SSID and deploy it. List is restricted to 150 probes.
Delete ALL previous captured probes. Basically reset probes.txt on SD.
Change the Brightness of the screen.
Switch bluetooth ON or OFF.
Scan wifi network around and link it to position in Wigle format, you can upload it to wigle to earn point and generate KLM file for Google earth. You need a GPS for this.
- PIN for Core2 : use RX2/TX2 | GND | 5v or 3.3v
GPIO 13
GPIO 14
- PIN for Fire on C-PORT :
GPIO 16
GPIO 17
Beacon Spam create multiple networks on all channels to render multiples SSIDs in wifi search and sniffing equipement. You can use custom Beacon with config file.
Detect deauthentication packets near you, when a machine disconnects from an access point, it sends a deauthentication packet to close the connection, deauthentication packets can also be spoofed to disconnect the device and attacker use automatic reconnection to sniff the 4-way handshake, many deauthentication packets are not normal and should be considered as a possible Wi-Fi attack. This feature also detects nearby pwnagotchi by printing the name and number of pwned network that it get, in this way you can know if you are under attacked.
Upload a startup.jpg 320x240 image to replace original startup.jpg and make your Evil-M5Core2 more special.
Evil-M5Core2 sends messages via serial for debugging purposes and message when you navigate on the Core2, you can use the serial app on Flipper to see these messages. Plug your flipper with :
- On flipper :
PIN 13/TX
PIN 14/RX
- On M5Core2 :
PIN G3/RXD0
PIN G1/TXD0
You can control almost all functionnaly with serial command:
Available Commands:
- scan_wifi - Scan WiFi Networks
- select_network - Select WiFi
- change_ssid <max 32 char> - change current SSID
- set_portal_password <password min 8> - change portal password
- set_portal_open - change portal to open
- detail_ssid - Details of WiFi
- clone_ssid - Clone Network SSID
- start_portal - Activate Captive Portal
- stop_portal - Deactivate Portal
- list_portal - Show Portal List
- change_portal - Switch Portal
- check_credentials - Check Saved Credentials
- monitor_status - Get current information on device
- probe_attack - Initiate Probe Attack
- stop_probe_attack - End Probe Attack
- probe_sniffing - Begin Probe Sniffing
- stop_probe_sniffing - End Probe Sniffing
- list_probes - Show Probes
- select_probes - Choose Probe
- karma_auto - Auto Karma Attack Mode stop automatically when successfull
Your Evil-Core2 or Flipper Zero feels lonely?
Add a small parasite to it !!!
He can also be used standalone but he needs a host for energy like a phone or a powersupply to survive or he die.
Parasite Functionnality :
- Cute (yes it's a useful feature to survive).
- Accelerometer interaction (don't shake it or it get mad).
- AutoKarmaAttack when face is pressed ( when a karma attack is successfull your little parasiste tell the name of the SSID in a textbubble until the next karma successfull or death).
- Whitelist (hardcoded, need to be change by compiling the code again)
(For the moment no portal is sent it just tests if a device connect).
Hardware Requirement :
- M5AtomS3
Software Requirement : This little parasite use m5stack-avatar to render face, donwload avatar librairie before compile.
It pretty small so you can also check serial on USB to get information.
https://discord.com/invite/JApAxeY2
(ask if broken)
MIT License
Copyright (c) 2023 7h30th3r0n3
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.