Evil-M5Project v1.2.7 - PwnGrid Spam

Evil-M5Project is an innovative tool developed for ethical testing and exploration of WiFi networks. It harnesses the power of the M5Core2 device to scan, monitor, and interact with WiFi networks in a controlled environment. This project is designed for educational purposes, aiding in understanding network security and vulnerabilities.

Disclaimer: The creator of Evil-M5Core2 is not responsible for any misuse of this tool. It is intended solely for ethical and educational purposes. Users are reminded to comply with all applicable laws and regulations in their jurisdiction. All files provided with Evil-M5Core2 are designed to be used in a controlled environment and must be used in compliance with all applicable laws and regulations. Misuse or illegal use of this tool is strictly prohibited and not supported by the creator.

Booting Screen

With more than 100 references at each boot.

If you like this project, support me by buying me a coffee on Ko-fi !

Or use this affiliate link to buy M5 product Support the project on M5 shop !

Designed to spam face and name on all pwnagotchi devices nearby and can be used to causing a DoSPWND (Denial Of Screen PWND part). You can change the face and message sended in a text file.

REMEMBER TO PUT THE FILE IN CONFIG FOLDER : https://github.com/7h30th3r0n3/Evil-M5Core2/blob/main/SD-Card-File/config/pwngridspam.txt

Perfect for showcasing at events like DEFCON or BlackHat.😜

It's also available standalone on any esp32 here : https://github.com/7h30th3r0n3/PwnGridSpam

part of the code have been taken and refactored from https://github.com/viniciusbo/m5-palnagotchi

On screen:

• URL: The website URL being crawled
• Pages: current of page crawled
• Dictonnary on SD card so it could be swaped
• Scrolling list at the end to see all the content crawled

On screen:

• A real SSH Shell with CTRL+C
• Can be used from the Scan Hosts after menu

It does:

• ARP broadcast on all the network
• Check Hosts up
• List them to let you choose actions (Scan ports / SSH connect / Web Crawling)

On screen:

• Status: Transmission status (e.g., Sending, Finished)

( This functionnality has been not totally tested, it send the same signal than the flipper zero best-tesla-opener )

Meet the smallest hacking tool in the world with all Evil-M5Core2 inside !

(With Screen / SDcard / GPS )

Thx to samxplogs for the video :

Evil-AtomS3 Functionnality :

• All Evil-M5Core2 functionnality except bluetooth serial.

Consumption:

• Tests show max 200mA draw with 100% brightness and using WiFi/GPS

Hardware Requirement :

• M5AtomS3 link M5Stack link AliExpress
• ATOMIC GPS Base link M5Stack link AliExpress

Optional:

• ATOM TailBat(45min) link

It pretty small so you can also check and control serial on USB from your phone or IDE.

The parasite project still exist but rename to Evil-Face and should be updated in futur too.

• WiFi Network Scanning: Identify and display nearby WiFi networks.
• Network Cloning: Check information and replicate networks for in-depth analysis.
• Captive Portal Management: Create and operate a captive portal to prompt users with a page upon connection.
• Credential Handling: Capture and manage portal credentials.
• Remote Web Server: Monitor the device remotely via a simple web interface that can provide credentials and upload portal that store file on SD card.
• Sniffing probes: Sniff and store on SD near probes.
• Karma Attack: Try a simple Karma Attack on a captured probe.
• Automated Karma Attack: Try Karma Attack on near probe automatically.
• Bluetooth Serial Control: You can control it with bluetooth.
• Wardriving: Wardriving with Wigle format output on SD.
• Beacon Spam: Generate mutliple SSIDs arround you.
• Deauther: send deauthentification frames, and sniff 4-Way handshakes and PMKID.
• Client Sniff And Deauth: Sniff clients connected to AP and auto deauth while sniffing EAPOL.
• EAPOL/Deauth detection: Detect deauthentification packet, 4-Way handshakes, PMKID and pwnagotchi near you.
• Wall Of Flipper: Detect and save Flipper Zero with bluetooth enable near you and detect BLE SPAM.

( What is a Karma attack ? check the blog : https://7h30th3r0n3.fr/does-your-machine-have-a-good-or-bad-karma/)

Features may vary depending on the firmware/device you are using:

• M5Stack Core2 M5Stack link AliExpress (this project is coded with M5Unified, it should work on other M5Stack).
• SD card (fat32 max 16Go, consider 8Go is already more than enough).

Tested working others device :

• M5Cardputer M5stack link AliExpress (not offical M5store
• M5stack fire (with LED effect) M5stack
• M5stack core1 M5stack
• M5stack AWS M5stack
• M5stack CoreS3 [M5stack] [link AliExpress](https://s.click.aliexpress.com/e/_DBIMh8l

1. Connect your M5Core2 to your computer.
2. Open the Arduino IDE and load the provided code.
3. Ensure M5unified, TinyGpsPlus, ArduinoJson and adafruit_neopixel libraries are installed.
4. Ensure esp32 and M5stack board are installed (Error occur with esp32 3.0.0-alpha3, please use esp32 v2.0.14 and below).
5. Place SD file content needed on the SD card. ( Needed to get IMG startup and sites folder).
6. Ensure to run the script in utilities to bypass the esp32 firmware. (be sure that the folder in the script exist, change if needed (M5stack/eso32))
7. Ensure that the baudrates is at 115200.
8. Ensure that PSRAM is disabled in tools menu.
9. Upload the script to your M5Core2 device.
10. Restart the device if needed.

Warning : for Cardputer you need to change the Flash size to 8MB and the Partition Scheme to 8M with spiffs (3MB APP/1.5MB SPIFFS) or space error may occur.

It's your first time with arduino IDE or something not working correctly? You should check out video section !

Screenshots and Media

Booting Screen

With more than 100 references at each boot.

Menu Screen

Probes Sniffing

Low Battery at boot ( when under 15%)

Video

🇫🇷 Le turoriel et la démo en francais réalisé par Samxplogs 🇫🇷 (un trés grand merci à lui) :

Samxplogs tutorial video and demo thx to him :

More demo ? Thx to TalkingSasquatch for making a video about the project :

Follow these steps to efficiently utilize each feature of Evil-M5Core2.

• Scan Near WiFi: A fast scan is already made when starting up.

• Menu: Select a network from a list, use left and right keys to navigate and select a network.

• List Details: Informations about the selected network. You can clone the SSID in this menu.

• Operate Captive Portal: With normal.html page, a mock WiFi passord page designed to mimic a legitimate error on box.

• /evil-m5core2-menu: Menu for pages bellow.
• /credentials: Lists captured credentials.
• /uploadhtmlfile: Provides an upload form to store files on the SD card (for new portal pages and file exfiltration).
• /check-sd-file: Provides an index of to check, download and delete files on the SD card.
• /Change-Portal-Password: Provides a page to change the password of the deployed access point.

When Captive Portal is ON you can connect to it to acces to 3 fonctionnality protected by password :

• /evil-m5core2-menu This page is just a menu to provide easy access to others page with authentification form.

• /credentials This page can list the captured credentials.

• /uploadhtmlfile This page provide a upload form that store files in SD card in any folder of the SD to be able to send new portal page, exfiltrate file trough wifi or change the startup image. please considere to upload file under 1Mo to ensure no lag during the transfert process.

• /check-sd-file This page provide an index of to check, download and delete files on the SD card.

• /Change-Portal-Password Provides a page to change the password of the deployed Access Point. Required if attempting a Karma attack on a network with a known password.

To prevent unauthorised access of these page they are really simply protected by a password that you need to change in the code. To acces to these page use the password form in menu:

http://192.168.4.1/evil-m5core2-menu

Any other tried page should redirect to the choosen portal.

• Deactivate: Stops the captive portal and DNS.

• Menu: Choose the portal provided to connecting users. Lists only HTML files.

• Menu: To check captured credentials.

• Option: Delete all captured credentials.

The Monitor Status feature consists of three static menus that can be navigated using the left and right buttons. Each menu provides specific information about the current status of the system:

• Number of Connected Clients: Displays how many clients are currently connected.
• Credentials Count: Shows the number of passwords stored in credentials.txt.
• Current Selected Portal: Indicates which portal is currently being cloned.
• Portal Status: Displays whether the portal is ON or OFF.
• Provided Portal Page: Details about the portal page currently in use.
• Bluetooth: Displays whether the bluetooth is ON or OFF.

• MAC Addresses: Lists the MAC addresses of all connected clients.

• Stack left: Displays the remaining Stack in the device.
• Available RAM: Displays the remaining RAM in the device.
• Battery Level: Shows the current battery level.
• Temperature: Reports the device's internal temperature.

Send fake random probes near you on all channel. Perfect for counter the Probe Sniffing attack. Press left or right to reduce or increase time delay. (200 ms to 1000ms)

Probe Sniffing start a probe scan that capture the SSID receive, you can store and reuse then. Restricted to 150 probes max.

Same as Probe Sniffing but provide a menu after stopping scan to choose a unique SSID, when SSID is chosen, a portal with the same SSID is deploy, if the original AP is an Open Network and the machine is vulnerable it should connect automaticaly to the network and dependind of the machine can pop up automatically the portal, if a client is present when scan end or stopped, the portal stay open, if not the portal is shutdown. (Can be used with password if set on web interface).

Same as Karma Attack but try the first probe seen, if no client connects after 15 seconds the Evil-m5core2 returns to sniffing mode to try another captured probe and continues in a cycle until stopped by the user. Can also be used with a password if set on the web interface, if you have a password and you don't know on which AP it work you could try it with different probe request to test if karma work and get the SSID. This feature is inspired by the pwnagotchi project but with probe request and karma attack, you can use both to ensure a full attack of the near devices around you.

You can add SSID on KarmaAutoWhitelist line like this : KarmaAutoWhitelist=notmybox,thisonetoo

Probe should be ignored and serial message send to notify that this network is whitelisted, it also work on probe sniffing and karma attack.

Same as Karma Auto but with Open SSID captured with wardriving. You can also add custom SSIDs to KarmaList.txt.

Menu to select a previous captured probe SSID and deploy it. List is restricted to 150 probes.

Menu to delete a previous captured probe SSID and deploy it. List is restricted to 150 probes.

Delete ALL previous captured probes. Basically reset probes.txt on SD.

Change the Brightness of the screen.

Switch bluetooth ON or OFF.

Scan wifi network around and link it to position in Wigle format, you can upload it to wigle to earn point and generate KLM file for Google earth. You need a GPS for this.

Tested device working on Core2/Fire/AtomS3 :

• ATOMIC GPS Base link M5Stack link AliExpress

Tested device working on Core2/Fire:

• GPS Module with Internal & External Antenna link M5Stack

Tested device working on Core2/Fire/CoreS3/Cardputer :

• Mini GPS/BDS Unit link M5Stack

PIN :

• PIN for Core2 : use RX2/TX2 | GND | 5v or 3.3v

GPIO 13

GPIO 14

• PIN for Fire on C-PORT :

GPIO 16

GPIO 17

Beacon Spam create multiple networks on all channels to render multiples SSIDs in wifi search and sniffing equipement. You can use custom Beacon with config file.

Based on an original idea from K3YOMI, thanks to him for the fantastic work !

You absolutely must see the original project here from which I took inspiration and from which I used the code :

https://github.com/K3YOMI/Wall-of-Flippers

Flipper Zero detection via bluetooth :

Discover Flipper Zero Devices :

• Discovering Flipper Name
• Discovering Flipper Mac Address and if it's spoofed (normal/spoofed)
• Discovering Flipper color (Detection of Transparent, White, & Black Flipper)
• Saving Flipper Zero Devices Discovered near you on SD Card.

Capability to Identify Potential Bluetooth Advertisement Attacks from Flipper and Other Devices :

• Suspected Advertisement Attacks
• iOS Popup Advertisement Attacks
• Samsung and Android BLE Advertisement Attacks
• Windows Swift Pair Advertisement Attacks
• LoveSpouse Advertisement Attacks (Denial of Pleasure)

Based on an original idea from evilsocket the pwnagotchi

You absolutely must see the original project here from which I took inspiration:

https://github.com/evilsocket/pwnagotchi

On screen:

• AP: Number of APs near you
• C : Current Channel
• H : Numbers of new PCAP created ( at least one EAPOL and beacon frame)
• E : Numbers of EAPOL packets captures
• D : 0 = no deauth only sniffing / 1 = active deauth
• DF: Fast Mode

Left Button : ON/OFF deauth

middle : back to menu

right Button : Fast/slow mode

So what ?

It does :

• Scan for near AP
• Sniff if client is connected
• Send broadcast deauth frame to each AP which have client
• Send spoofed deauth frame for each client
• Sniff EAPOL at same time
• Loop at Scan near AP

Based on an original idea from spacehuhn the deauther

You absolutely must see the original project here from which I took inspiration:

https://github.com/SpacehuhnTech/esp8266_deauther

Evil-M5core2 is now able to send deauthentification frames and you can sniff the EPAOL in same time.

Just select the network and go to deauther, answer asked question, and start to deauth and sniff at same time !

Special thanks to Aro2142 and n0xa for the help and work.

Based on an original idea from G4lile0 the Wifi-Hash-Monster.

You absolutely must see the original project here from which I took inspiration:

https://github.com/G4lile0/ESP32-WiFi-Hash-Monster

• Channel : Current Channel
• Mode : Static : Stay on same channel / Auto: Hopping trough all channel
• PPS : Packets Per Second on the channel (if no activities on the channel the PPS could be locked to the last know number of packets because the refresh occur when a packet is reveived)
• H : Numbers of new PCAP created ( at least one EAPOL and beacon frame)
• EAPOL : Numbers of EAPOL packets captures
• DEAUTH : Numbers of Deauth seen
• RSSI : The transmission power (gives an idea of ​​the distance from the transmitter)

If a EAPOL packet is detected, its stored in a pcap file with the mac address of the AP and a beacon frames wih the BSSID. You can crack a Wifi password with a 4-way handshakes or a PMKID with Aircrack-ng or Hashcat.

A python tool to process multiple pcap to hashcat format is provided in utilities.

Detect deauthentication packets near you, when a machine disconnects from an access point, it sends a deauthentication packet to close the connection, deauthentication packets can also be spoofed to disconnect the device and attacker use automatic reconnection to sniff the 4-way handshake, a lot of deauthentication packets are not normal and should be considered as a possible Wi-Fi attack.

This feature also detects nearby pwnagotchi by printing the name and number of pwned network that it get, in this way you can know if you are under attacked.

Upload a startup.jpg 320x240 image to replace original startup.jpg and make your Evil-M5Core2 more special.

Evil-M5Core2 sends messages via serial for debugging purposes and message when you navigate on the Core2, you can use the serial app on Flipper to see these messages. Plug your flipper with :

• On flipper :

PIN 13/TX

PIN 14/RX

• On M5Core2 :

PIN G3/RXD0

PIN G1/TXD0

You can control almost all functionnaly with serial command:

Available Commands:

• scan_wifi - Scan WiFi Networks
• select_network - Select WiFi
• change_ssid <max 32 char> - change current SSID
• set_portal_password <password min 8> - change portal password
• set_portal_open - change portal to open
• detail_ssid - Details of WiFi
• clone_ssid - Clone Network SSID
• start_portal - Activate Captive Portal
• stop_portal - Deactivate Portal
• list_portal - Show Portal List
• change_portal - Switch Portal
• check_credentials - Check Saved Credentials
• monitor_status - Get current information on device
• probe_attack - Initiate Probe Attack
• stop_probe_attack - End Probe Attack
• probe_sniffing - Begin Probe Sniffing
• stop_probe_sniffing - End Probe Sniffing
• list_probes - Show Probes
• select_probes - Choose Probe
• karma_auto - Auto Karma Attack Mode stop automatically when successfull

Your Evil-Core2 or Flipper Zero feels lonely?

Add a small parasite to it !!!

He can also be used standalone but he needs a host for energy like a phone or a powersupply to survive or he die.

Parasite Functionnality :

• Cute (yes it's a useful feature to survive).
• Accelerometer interaction (don't shake it or it get mad).
• AutoKarmaAttack when face is pressed ( when a karma attack is successfull your little parasiste tell the name of the SSID in a textbubble until the next karma successfull or death).
• Whitelist (hardcoded, need to be change by compiling the code again)

(For the moment no portal is sent it just tests if a device connect).

Hardware Requirement :

• M5AtomS3

Software Requirement : This little parasite use m5stack-avatar to render face, donwload avatar librairie before compile.

• https://github.com/meganetaaan/m5stack-avatar

It pretty small so you can also check serial on USB to get information.

(ask if broken)

MIT License

Copyright (c) 2023 7h30th3r0n3

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.