February 28, 2016

Hacking with ESP8266

I wasn't too active here in the last year, and the main reason is that I started a master's degree in IT Security, so my projects became less electronics-oriented. But now I had some time to play with my ESP8266 modules and try out some hacking with them. The module I'm using is listed on eBay as "NodeMcu Lua WIFI Internet Things development board based ESP8266 CP2102 module" and costs $5. I really like it, because it can be programmed over a normal USB cable, and all the connections are easily accessible.

Creating a lot of fake access points

Technically it does not create any access points, but if you list the available access points with your phone or computer you will see a lot of them, all with a random name and no encryption. The ESP8266 does this by sending beacon frames, similar to the ones routers use to advertise their Wi-Fi network. The original blog post I followed is here: http://ruralhacker.blogspot.it/2016/01/esp8266-jamming.html and the code is here: https://github.com/kripthor/WiFiBeaconJam It worked for me flawlessly.

Disconnecting everyone from the wifi

There is a known attack against Wi-Fi networks: it is pretty easy to forge a deauth packet in the name of the access point and send it to the clients, and they will drop the connection (and usually try to reconnect). I used this code from GitHub: https://github.com/RandDruid/esp8266-deauth but it took me a while to make it work.
The problem is that the developers of the ESP8266 SDK do not really want us to send these types of packets with the module. They (accidentally) added the functionality in SDK v1.3.0 but removed it in v1.5.0, so we have to use v1.3.0. To do this with the Arduino IDE I did the following:
  • I used a freshly downloaded Arduino 1.6.5
  • Then I added the staging version of esp8266 to Board Manager (more info: https://github.com/esp8266/Arduino)
  • I installed the ESP8266 boards version 2.1.0-rc2 from the Board Manager. The version is really important, because they use the SDK v1.3.0.
  • Then I edited user_interface.h, because although the functionality is present in the SDK binaries, it is not declared in the header files. The file was under ~/.arduino15/packages/esp8266/hardware/esp8266/2.0.0-rc2/tools/sdk/include/user_interface.h (I'm using Ubuntu).
    I simply added the following lines to the end of the file (before the #endif):
    typedef void (*freedom_outside_cb_t)(uint8 status);
    int wifi_register_send_pkt_freedom_cb(freedom_outside_cb_t cb);
    void wifi_unregister_send_pkt_freedom_cb(void);
    int wifi_send_pkt_freedom(uint8 *buf, int len, bool sys_seq);
After that the code from GitHub compiled fine, and it works now. When it finds an access point and a client, it records them and then sends the deauth packet to that specific host.
I have also tried to run the improved version that uses two ESP8266 modules (https://github.com/RandDruid/esp8266-deauth2), but I couldn't make it work so far.
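As an added example for the defender's side of both sections (this is not code from the post or from the linked repositories), here is a small parser for raw 802.11 management frames and a detector that flags the two behaviours described above: a flood of beacons advertising many distinct open networks with random names, and a burst of deauth frames in the name of one access point. It assumes frames arrive as bytes starting at the MAC header; the sample frames, MAC addresses and SSIDs at the bottom are constructed for the demonstration.

```python
import struct
from collections import Counter

PRIVACY = 0x0010  # beacon capability bit: the network advertises encryption

def parse_mgmt_frame(frame: bytes) -> dict:
    # Decode only the fields a beacon/deauth detector needs from an 802.11 frame.
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:              # frame type 0 = management
        return {"kind": "other"}
    subtype = (fc >> 4) & 0xF
    info = {"kind": "mgmt", "bssid": frame[16:22].hex(":")}  # addr3 of the 24-byte header
    if subtype == 8:                      # beacon: timestamp, interval, capability, then IEs
        cap = struct.unpack_from("<QHH", frame, 24)[2]
        info.update(kind="beacon", encrypted=bool(cap & PRIVACY), ssid="")
        pos = 36
        while pos + 2 <= len(frame):      # walk the tagged elements; tag 0 carries the SSID
            tag, ln = frame[pos], frame[pos + 1]
            if tag == 0:
                info["ssid"] = frame[pos + 2:pos + 2 + ln].decode("utf-8", "replace")
            pos += 2 + ln
    elif subtype == 12:                   # deauthentication: body is a 2-byte reason code
        info.update(kind="deauth", reason=struct.unpack_from("<H", frame, 24)[0])
    return info

def detect(frames, open_threshold=5, deauth_threshold=3):
    # Alert on many distinct open SSIDs (beacon flood) and repeated deauths per BSSID.
    open_nets, deauths = set(), Counter()
    for f in map(parse_mgmt_frame, frames):
        if f["kind"] == "beacon" and not f["encrypted"]:
            open_nets.add((f["bssid"], f["ssid"]))
        elif f["kind"] == "deauth":
            deauths[f["bssid"]] += 1
    alerts = []
    if len(open_nets) >= open_threshold:
        alerts.append(f"beacon flood: {len(open_nets)} distinct open SSIDs")
    alerts += [f"deauth burst: {n} frames for {b}" for b, n in deauths.items()
               if n >= deauth_threshold]
    return alerts

# Constructed sample frames (not a real capture); addresses and SSIDs are made up.
def _mgmt(subtype, dst, src, bssid, body):
    return struct.pack("<HH", subtype << 4, 0) + dst + src + bssid + b"\0\0" + body
def _beacon(bssid, ssid, encrypted):
    body = struct.pack("<QHH", 0, 100, PRIVACY if encrypted else 0)
    return _mgmt(8, b"\xff" * 6, bssid, bssid, body + bytes([0, len(ssid)]) + ssid)
AP, CLIENT = bytes.fromhex("02aabbcc0001"), bytes.fromhex("02aabbcc0002")
SAMPLE = [_beacon(AP, b"HomeNet", True)]                                # one legitimate AP
SAMPLE += [_beacon(bytes([2, 0, 0, 0, 0, i]), b"rnd%02d" % i, False) for i in range(6)]
SAMPLE += [_mgmt(12, CLIENT, AP, AP, struct.pack("<H", 7))] * 3        # three deauths
```

On a real interface the same functions can be fed from a monitor-mode capture, with the thresholds tuned to the number of networks normally visible at the site.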

4 comments:

  1. Hi,
    Sorry, I'm very new to programming.
    How do I see that it works?
    I cannot see anything on the serial monitor.

    1. Hello,
      which one do you mean?
      The first (fake access points) can be checked if you search for wifi with your phone or computer. You should see a lot of random wifi networks displayed.
      For the second one (disconnecting everyone from the wifi) just connect to the wifi with your phone and it should be disconnected.

  2. I can't make it work. Compiled and updated the user interface .h. However, it seems not to deauth clients, except that from time to time they lose a packet or quickly disconnect once. But it is not reliable, at least for me, although I followed the instructions.

  3. Arduino: 1.8.2 (Windows 10), Board: "Generic ESP8266 Module, Serial, 80 MHz, 40MHz, DIO, 115200, 512K (64K SPIFFS), ck, Disabled, None"

    sketch\APScan.cpp: In member function 'bool APScan::start()':

    APScan.cpp:15: error: 'i' was not declared in this scope

    _ap.set(WiFi.BSSID(i)[0], WiFi.BSSID(i)[1], WiFi.BSSID(i)[2], WiFi.BSSID(i)[3], WiFi.BSSID(i)[4], WiFi.BSSID(i)[5]);

    ^

    sketch\APScan.cpp: At global scope:

    APScan.cpp:76: error: expected unqualified-id before 'if'

    if (debug) Serial.println("scan done");

    ^

    APScan.cpp:77: error: expected unqualified-id before 'return'

    return true;

    ^

    APScan.cpp:78: error: expected declaration before '}' token

    }

    ^

    exit status 1
    'i' was not declared in this scope

    This report would have more information with
    "Show verbose output during compilation"
    option enabled in File -> Preferences.
    This is my problem, what can I do?
