
2. Flipper Add‐On: Marauder ‐ Marauder Spoof

Carlos Alatorre edited this page Dec 20, 2023 · 23 revisions

How do the technologies behind the Flipper Add-On Marauder and Marauder Spoof work?

Marauder

The ESP32 Marauder is a WiFi and Bluetooth analysis tool. It hosts a suite of capabilities for frame capture, device enumeration, and frame transmission. It is intended to serve as a portable device to stand in for physically larger traffic capturing tools and to provide captured data for post-op analysis.

MagSpoof

MagSpoof, based on Samy Kamkar's work, emulates a magnetic stripe by quickly changing the polarization of an electromagnet, producing a magnetic field similar to the one a normal magnetic stripe produces when it is swiped.

To learn more about MagSpoof or magnetic stripe cards, visit:

Flipper Add-On: Marauder

This Add-On unlocks a powerful toolset for the Flipper, fueled by the ESP32-S3 module and meticulously crafted for offensive and defensive maneuvers in the WiFi and Bluetooth realms.

The ESP32-S3 supports 2.4 GHz Wi-Fi (802.11 b/g/n) with 40 MHz bandwidth. Its Bluetooth Low Energy subsystem supports long range through Coded PHY and advertising extensions, as well as higher transmission speed and data throughput with the 2 Mbps PHY. Both Wi-Fi and Bluetooth LE keep their RF performance even at high temperatures.

Tech Specs

ESP32-S3

  • Xtensa® dual-core 32-bit LX7 microprocessor, up to 240 MHz.
  • 384 KB ROM
  • 512 KB SRAM
  • Secure boot
  • Bluetooth LE: Bluetooth 5, Bluetooth mesh.
  • IEEE 802.11b/g/n-compliant.

Flipper Add-On: Marauder Spoof

This Add-On emerges from the fusion of our renowned MagSpoof variant with the ESP32-S3 module, seamlessly infused with the Marauder.

This Add-On incorporates the renowned MagSpoof functionality into the Flipper system. Leveraging identical components and enhancements that define our distinct MagSpoof iterations, these elements have been expertly adapted to seamlessly integrate with the Flipper platform.

Tech Specs

ESP32-S3

  • Same as Flipper Add-On: Marauder

MagSpoof

  • TC4424 (Dual High-Speed Power MOSFET driver)
    • High Peak Output Current: 3 A.
    • Wide Input Supply Voltage Operating Range: 4.5 V to 18 V.
    • High Capacitive Load Drive Capability: 1800 pF in 25 ns.
    • Short Delay Times: <40 ns (typ).
    • Low Output Impedance: 3.5 Ω (typ).

Schematics

Find the Marauder Spoof schematics here: flipper-shields/MARAUDER_SPOOF

Marauder Spoof case

@Gino-Tonic has shared with us his 3D-designed case ready to be printed. You can find and download the STL file HERE. Go and thank Gino!

Understanding Flipper Add-On: Marauder and Flipper Add-On: Marauder Spoof

Marauder is not just firmware for the ESP32; it is a suite of tools that unlocks the module's full potential as a WiFi and Bluetooth platform for both offensive and defensive security work. It offers the following capabilities:

  • Offensive Arsenal:

    • Network Scanning and Sniffing: Scan for nearby Wi-Fi networks, identify connected devices, and even capture network traffic to understand data flow.
    • Vulnerability Assessments: Test the security of Wi-Fi networks and devices by probing for weaknesses like WPS vulnerabilities, open ports, and outdated firmware.
    • Deauth Attacks: Disrupt wireless connections by injecting deauthentication packets, effectively "kicking" devices offline.
    • Packet Injection: Craft and inject custom packets into wireless networks for advanced manipulation and exploration.
    • Man-in-the-Middle Attacks: Intercept and modify communication between devices on a network, potentially gaining access to sensitive information.
  • Defensive Shield:

    • Wireless Intrusion Detection: Monitor your own network for suspicious activity and identify potential threats like unauthorized devices or hacking attempts.
    • Packet Capture and Analysis: Capture and analyze network traffic to understand data flows, identify anomalies, and troubleshoot network issues.
    • Penetration Testing: Simulate real-world attacks on your own network to identify and address vulnerabilities before attackers do.
    • Wireless Forensics: Analyze captured network traffic for traces of past activity, potentially aiding in investigations or incident response.

Important

ONLY MARAUDER SPOOF:

What MagSpoof can do:

  • Store all of your credit cards and mag stripes in one device.
  • Works on traditional mag stripe readers wirelessly (no NFC/RFID required).
  • Supports all three magnetic stripe tracks, and even supports Track 1+2 simultaneously.
  • Simulates the swiping of a magnetic stripe card, either in one direction or in the opposite direction.
  • MagSpoof can be used as a traditional credit card, simply storing all of your credit cards (and, with modification, it can technically disable chip requirements) in various impressive and exciting form factors, or it can be used for security research in any area that would traditionally require a mag stripe, such as readers for credit cards, driver's licenses, hotel room keys, automated parking lot tickets, etc.

Buttons on Flipper Add-On: Marauder and Marauder Spoof

The buttons on the Add-On are only used to reset the ESP32 module and to enter bootloader mode. The board can also be reset with the Reboot option in the Marauder menu.

Bootloader mode is used to update the ESP32-S3 firmware; see: Update the ESP32-S3 Marauder Firmware

What can Marauder do?

WiFi attacks consist of deliberately broadcasting WiFi frames from the ESP32 Marauder. Tailored WiFi packets are generated to achieve each distinct transmission objective.

Marauder menu explanation

The Marauder application has several options and menus that may be confusing, so here you will find a brief description of each option in the Marauder application. Some option names already explain their function.

First, open the Marauder application: go to Apps > GPIO > [ESP32] WiFi Marauder. These steps are illustrated in the Finding the Apps section.

Note: To save the changes use the save button on the flipper keyboard!

1. View Log from

With this option, you can see the log of the attacks, configuration, and more you have made using the Marauder app.

2. Scan

Scans for wireless access points and saves them to a list to be used in later operations.

3. SSID

Generates or removes SSIDs for beacon spam attacks. In this menu you will have three additional options:

  • add rand: stands for "add random"; generates random SSIDs and adds them to the SSID list.
    Example: generates 4 random SSIDs.
  • add name: generates an SSID with the given name and adds it to the list.
    Example: generates an SSID named “ecats” and adds it to the list.
  • remove: removes the SSID at the given index number from the list of SSIDs.
    Example: removes the SSID at index 2 from the list of SSIDs.

4. List

Gets the full list of access points scanned or SSIDs added with ssid. Each access point, SSID or station listed is linked to a list number, which lets you select an item from a list for later attacks. In this menu you will have three additional options:

  • ap: list of access points.
  • ssid: list of SSIDs added with ssid.
    Example: the ecats SSID previously added with ssid is listed.
  • station: list of stations.

5. Select

Selects or deselects access points and/or stations for targeted attacks. You must provide a comma-separated list of indices of the desired access points and/or stations from list. As with list, you can select an item from the AP, SSID or station lists.

Example: the ecats SSID is selected by giving its position 0 in the SSID list, then deselected by giving the same number.

6. Clear list

Clears the list of scanned access points or SSIDs built with Scan and ssid. Note that if the list of access points is cleared, the list of stations is cleared as well.

7. Attack

Transmits WiFi frames to specific targets or as broadcasts. In this menu you will have three additional options:

  • deauth: in a de-authentication attack, a target access point is specified as the source address of each de-authentication frame sent. The destination address of these frames is set to broadcast. The intention is for all stations connected to the target access point to be removed from that network. Before executing a deauth flood attack on the ESP32 Marauder, you must build a list of available access points and select which access points to target. See Scan and select for more details on how to build a target list.

Once a proper target list has been built, a deauth attack can be executed.

  • probe: broadcasts a large number of probe requests for a selected AP or SSID. This can be used to confuse probe request sniffers. Before executing a probe request flood on the ESP32 Marauder, you must build a list of available access points and select which access points to target. See Scan and select for more details on how to build a target list.

Once a proper target list has been built, a probe request flood can be executed.

  • rickroll: broadcasts a lot of access points with sections of the well-known song. :trollface:
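The deauth option above describes the frame pattern exactly (source address = the targeted AP, destination = broadcast), and that same pattern is what the Sniff > deauth option and a Wireless Intrusion Detection setup look for. The following Python is an added example, not code from Electronic Cats or the Marauder project: it parses the 802.11 management header of each frame in a constructed capture and flags a source that sends a burst of broadcast deauthentication frames. The sample frames, the window and the threshold are assumptions chosen for the demonstration.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_DEAUTH = 0xC   # 802.11 management subtype 12 = deauthentication

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return header fields of an 802.11 management frame, or None otherwise."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:              # frame type 0 = management
        return None
    f = {"subtype": fc0 >> 4, "da": mac(frame[4:10]),
         "sa": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    if f["subtype"] == SUBTYPE_DEAUTH and len(frame) >= 26:
        f["reason"] = struct.unpack_from("<H", frame, 24)[0]   # reason code
    return f

def detect_deauth_flood(capture, window=1.0, threshold=10):
    """capture: iterable of (timestamp_seconds, raw_frame), in time order.
    Flags any source that sends >= threshold broadcast deauth frames within
    a `window`-second span (SA = spoofed AP, DA = broadcast, as described for
    the attack > deauth option). Returns {source_mac: {"count", "reason"}}."""
    recent = defaultdict(list)
    alerts = {}
    for ts, raw in capture:
        f = parse_mgmt(raw)
        if not f or f["subtype"] != SUBTYPE_DEAUTH or f["da"] != BROADCAST:
            continue
        times = recent[f["sa"]]
        times.append(ts)
        while ts - times[0] > window:       # drop frames outside the window
            times.pop(0)
        if len(times) >= threshold:
            alerts[f["sa"]] = {"count": len(times), "reason": f.get("reason")}
    return alerts

# Constructed sample frames (not a real capture). DEAUTH claims to come from
# AP 02:11:22:33:44:55 towards broadcast with reason code 7; BEACON is a
# normal beacon from the same AP, which the detector must ignore.
AP = "021122334455"
DEAUTH = bytes.fromhex("c000" "3a01" "ffffffffffff" + AP + AP + "0000" "0700")
BEACON = bytes.fromhex("8000" "0000" "ffffffffffff" + AP + AP + "0000") + bytes(12)
FLOOD = [(i * 0.05, DEAUTH) for i in range(25)] + [(1.3, BEACON)]

if __name__ == "__main__":
    print(detect_deauth_flood(FLOOD))
```

Feeding the same detector with frames captured by Sniff > deauth and saved with Save to flipper sdcard gives a quick way to confirm whether the deauth frames seen on your own network carry your AP's address with a broadcast destination.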

8. Evil Portal

Not working for the Marauder Spoof Add-On. In case you are curious about what this does, visit evilportal.

9. Beacon Spam

List Beacon Spam is a method of beacon spam where beacon frames are constructed from a list of APs or SSIDs provided by the user and then broadcast to all stations in range. In this case, the Marauder Spoof will broadcast beacons using the names in the AP list, the SSID list, or a random list.

10. Sniff

Marauder automatically cycles through channels to capture as much traffic as possible. In this menu you will have eight additional options:

  • beacon: Sniffs and displays information on beacon frames transmitted from access points. Beacon frames contain important information about access points.
  • deauth: Sniff and display de-authentication frames on the screen.
  • pmkid: Sniffs and displays captured pmkid/eapol frames sent during WiFi authentication sessions. Unlike other sniffing functions, the raw frame data is displayed on screen.
  • probe: Sniff and display captured WiFi traffic and harvest probe requests sent from surrounding WiFi clients against any network.
  • pwn: Sniffs and displays information from beacon frames sent by the Pwnagotchi. The Pwnagotchi sends beacon frames to advertise its presence to other Pwnagotchis. These packets contain information about the Pwnagotchi.
  • raw: Sniffs and displays information of transmitted frames with no format.
  • bt, skim: use Bluetooth and are not supported by the Flipper Marauder app.

11. Signal monitor

Shows changes in signal strength whenever the RSSI value changes by 5 or more. Only access points marked as "selected" are tracked. While scanning, channels are hopped once every second.

12. Channel

Gets or sets the channel of the WiFi interface.

  • get: shows the current channel.
  • set: sets the channel to the given value.

13. LED

Not working for Flipper Add-On Marauder Spoof.

14. Settings

Display and manage settings for the ESP32 Marauder firmware. For more information on the available settings, see Marauder Settings.

15. Update

Not working for Flipper Add-On Marauder Spoof.

16. Reboot

Soft reset of the ESP32.

17. Help

Shows the full list of commands and their available arguments.

18. Scripts

Write your own scripts to perform multiple Marauder functions and run them with a single click.

19. Save to flipper sdcard

Allows saving the logs to the Flipper SD card; it is recommended to activate both options.

Marauder examples

Here you will find a set of examples showing the capabilities of the Marauder Spoof; however, you can try the different menus in the Marauder app to get more play out of Marauder.

Rickroll

  1. Go to Attack and select rickroll.

  2. Open the WiFi settings on another device and you will find networks created by Marauder named after snippets of lyrics from the song Never Gonna Give You Up.

Beacon spam AP list

  1. Scan the APs near you using Scan > ap.

  2. Go to Beacon Spam > ap list.

  3. A spam attack is now broadcasting new APs using the names of the APs saved in step 1.

Example: several EC_HQ APs appeared after starting the spam attack.

Update the ESP32-S3 Marauder firmware.

It is important to keep the Marauder updated to the latest version to ensure correct functionality.

As in other applications, the ESP32-S3 module is not the main MCU when it is used with a Flipper. This means that firmware updates must be done through the USB-C port on the Add-On. These updates ensure better performance and correct functionality of the Marauder applications.

Note: All the processes and tools are taken from the GitHub repository justcallmekoko/ESP32Marauder.

Follow the next steps to perform firmware updates:

  1. Go to the ESPWEBTOOL.

  2. Attach the Marauder Spoof Add-On to the Flipper.

  3. Plug the USB cable into the USB-C port of the Add-On and click Connect. A pop-up menu will appear; select the correct board and port.

  4. Perform the following button combination while the board is attached and plugged in to enter bootloader mode:

    • Press and hold the GPIO button.
    • Press Reset and release it.
    • Release the GPIO button.

  5. Use the following table to select the appropriate files and place them at the corresponding addresses.

Flipper Zero Multi Board S3

  File          Address
  Bootloader    0x0
  Partitions    0x8000
  Boot App      0xE000
  Firmware      0x10000

Special Firmware mod file for Electronic Cats Flipper Add-On: Marauder Spoof

Important

If you want the Save to flipper sdcard option to work, use this .bin firmware file in place of the firmware file from the table above.

Note: You can find the table and files updated to the latest version on the original wiki repository here: justcallmekoko/ESP32Marauder/wiki/update-firmware/. Use the files and addresses listed for Flipper Zero MultiBoard S3.

  6. Click on PROGRAM. A confirmation pop-up window will appear; click on CONTINUE.

  7. The update will start immediately. Do not disconnect the USB cable or detach the Add-On from the Flipper while updating.

  8. Once the update has finished, press the reset button.

Now you can unplug the USB cable and you are ready!
