Weaponizing Princess Toys: Crafting Wi-Fi Attack Kits

Share this…

… Alternate Title: “Why I Love BHIS”

So, I was gifted this cute little princessy-toy thing recently. My first thought was that my daughters will love this thing. My second thought was “let’s turn this into a princess play thing, reverse SSH Kali hacker backdoor exploit kit with onboard ad-hoc Wi-Fi that I can connect to remotely via a directional Wi-Fi antenna for covert use in wireless and contractual engagements.”

Parts list minus the directional antenna:

I installed and Configured Kali for pi. Link here for RPi kali image. Assembled parts. I recommend reviewing Wired’s Guide to Parenting on Wired (Gaffigan’s stuff is hilarious BTW).

(Editor’s Note: We hope you’ll notice how much awesome is going on in this photo!)

It was time to make the RPi fit inside the princessy-toy thing. I used a standard rotary tool and just started carving. I was able to craft a nifty little opening for a power port. I dropped in the screw port to keep the RPi in place once the unit is ready for action.

Boom! I got power running of a solar cell. Corollary: This 10000 mAh cell gave me about 15 hours running time with an ad-hoc Wi-Fi cell, an external USB Wi-Fi adapter and Kismet running. Anker, the cell below is from PowerCell, but for actual use in the field, I went with the extremely low profile PowerCore+ mini [Amazon – 13 bucks].

Finished product, bottom side. @ANKERofficial

And yes, you darn right the thing still works!

In the next step I configured hostapd to broadcast an ad-hoc wireless cell on the RPi for remote connectivity. With the directional antenna, the theory goes something like this: “Point the directional antenna at the target. Connect the legally and contractually allowed laptop or VM to the ad-hoc cell. Run kismet off the USB dongle that @Hak5 sells. Capture 4 way handshake and let the cracker do the rest.” This USB dongle works out of the box and has no issues with driver integration on Kali for RPi.

hostapd configuration on RPi:

Wlan0 interface for ad-hoc Wi-Fi and the secondary wlan adapter for packet sniffing and injection:

I sent one of the kids down the street with the new toy.

Here was the living room rig for some initial testing.

Now, from my really nice mountain ash tree post about twenty feet up, I had a bird’s eye line of sight with the JoyLive yagi antenna of the daycare where my kids hang out when they get bored of my shenanigans. And who knew the little princess toy was ready to audit their home Wi-Fi networks?

….had they not been previously advised.

From the perch I have about a block or block and a half shot to the day care. I got a pretty decent signal, the real problem being the moving target.

This really happened.

Wireless info from the laptop. Note the super legit Tx-Power with that directional attached. 1000mW / 1W / FTWin!

I went with the WAN ISP type network configuration, a /30 without DHCP services, which most of the articles that discussed hostapd included. Not bad for connectivity, you can see the dropped packets, but it was stable enough to connect.

I launched Kismet (remember to launch from directory where you want output files created) and linked it with attached USB interface. Kismet is fun, but the real action is done in airmon-ng and airodump-ng.

Side Note: I tested out a Kismet and Wi-Fi packet sniffing config with this device driving across South Dakota recently. I captured less than 25MB of SSID data. There are nine towns in the state and we are struggling with the new WAN drops out here. Most of the hardware we have at the BHIS offices is still on dial-up and token ring. Anyway, since there are less people in this whole state than a city block anywhere east of the Mississippi river, we’ve had some wireless adoption delays. We’re still trying though!

Anyway, I launched and killed Kismet, and as usual, it leaves behind a ‘mon’ interface…used that with airmon-ng instead and sent off the deauth packets.

With airmon-ng running in the background, I fired up another console and launched airodump-ng with the packet destination.

Deauth someone at the daycare facility.

Rock and Roll! I snagged a handshake.

Great Successes! Handshake complete, hashes off to the Nvidia Grid GPU EC2 instance for further investigations. Or, for brevity’s sake, check out my test run against a pre-fab dictionary file:

Next up, looking at a couple different things….but, our good friend Delta Charlie has us all talking about remotely controlling modified kids toys via SDR to run surveillance!