Long Range Hacking with LoRa

LoRa (Long Range) is a low-power, long-range, low-bandwidth radio modulation that lets you send small data packets at distances far beyond what standard WiFi can reach. In this article we will see how it can be used to build a long-range hacking platform.

Introduction

In the ever-evolving landscape of cyber security and hacking, researchers and security professionals are constantly exploring innovative techniques to push the boundaries of what is possible. One such area of exploration is the utilization of Long-Range (LoRa) wireless technology for security and defense purposes.

For example, Russia is using LoRa to help make its new drones resistant to GPS jamming. The same technology can be used to extend the reach of a hacking platform beyond the limits of a WiFi link. This article walks through building an extended-range hacking platform on LoRa and looks at what such a platform can, and cannot, do.

LoRa Based Long Range Hacking Platform

For several years I have pondered using LoRa in a long-range hacking platform: something that is not cellular and does not rely on cell towers, but that would extend the reach of a pentest drop box or a P4wnP1 ALOA from the short range of a WiFi signal to something you could control from a block away, or maybe a mile or more.

The Problem with WiFi Hacking – Range

It’s a popular Red Team tactic to park in a parking lot and use long range WiFi antennas to try to access internal systems in an office building. Everybody is doing it now, even Russian spies! I remember seeing a photo of a car used in an espionage attack where Russian operatives hid long range WiFi antennas in the trunk of a car and sat in the parking lot of a target.

The problem with WiFi is range. Yes, you can extend it with Yagi and other directional antennas, but at the end of the day the limit is still range: the operator has to stay within WiFi reach of the target for the whole engagement.

Another technique is to use “hacking” drones and fly them near or land them on top of a target building in an attempt to hack into the target’s WiFi system. Yes, it is effective, but what happens if you lose your drone on the roof? Say, it lands and for some reason you can’t get it to take off again?

That could get expensive quick! And it is also one of the reasons why I stopped using my NetHunter phone on my drone. After a couple unpredictable New York wind crashes, I figured losing a cell phone really wasn’t worth it!

Enter LoRa

LoRa isn’t hobbled by the very short range of WiFi. With the right antennas and some power-level tweaking, you can reach up to 20 km line of sight in open air. Note that LoRa runs in license-free ISM bands with regional rules: the board used here is the 915 MHz version for North America, Europe uses 868 MHz, and both bands carry limits on transmit power and duty cycle that apply to you even when you are the attacker.

Two LoRa Devices with Long Range Antennas

As mentioned in the introduction, the shortfall of LoRa is bandwidth. LoRa is perfect for sending small packets of information, which makes it ideal for something like an off-grid survival communication device; in fact, LoRa is used for exactly that, and you can find many text-based survival comm devices built on it. But if you are looking to stream live video, this isn’t the solution for you.

My LoRa Hacking Platform

I always felt you could use LoRa for hacking. Over my last vacation I realized I had all the parts I needed and gave it a go!

Raspberry Pi LoRa Device

The Parts:

  • Adafruit LoRa Radio Bonnet with OLED (RFM95W) @ 915MHz – https://www.adafruit.com/product/4074
  • Raspberry Pi Zero W or Pi Zero 2 W; I used the original Pi Zero W
  • u.FL (IPEX) to RP-SMA female pigtail, the kind sold as a Mini PCIe WiFi antenna cable, to get the bonnet’s antenna connector out to a real antenna
  • Long-range antennas for the band your board uses
Raspberry Pi LoRa device with Antenna Connector

Using two Raspberry Pi Zero Ws, the Adafruit LoRa bonnet, and the Adafruit LoRa tutorial, I was able to work quickly through the basic “Hello World” transmissions. Next, using AI to create my code, I was able to send terminal commands from one Pi Zero to the other.

Two RPI LoRa devices communicating

Once I could send terminal commands, I quickly went from running “ls” to view a directory listing on the other Pi, to commanding it to run nmap against local targets, and even having it kick off an automated WiFi scan that scanned and attacked every WiFi network in the area.

In the screenshot below, the first Pi is telling the second Pi to run besside-ng on wlan1 (an extended-range Alfa USB WiFi adapter, not shown).

Hacking with LoRa

How do you actually make this work? Every LoRa board is a little different, so see the manufacturer’s website for the board you have and follow its instructions. An abbreviated set of the steps I took for the Adafruit board follows.

Quick Instructions

Installing:

  1. Download and burn the latest Raspberry Pi OS Lite to your Pi Zero W’s SD card. I used the 32-bit version – https://www.raspberrypi.com/software/operating-systems/
  2. Edit/create the four boot-partition files before you boot the card (this is the Bullseye-era method; on Raspberry Pi OS Bookworm the boot-partition wpa_supplicant.conf is ignored because networking moved to NetworkManager, so set WiFi through Raspberry Pi Imager’s OS customisation instead).

https://learn.adafruit.com/raspberry-pi-zero-creation/text-file-editing

userconf.txt – creates the Pi user (username and a crypt-style password hash)

config.txt – enables devices (the bonnet needs SPI for the radio and I2C for the OLED)

ssh – empty file, enables SSH

wpa_supplicant.conf – sets up your WiFi

  3. Insert the card in the Pi and boot it up
  4. sudo nano /etc/default/keyboard – set XKBLAYOUT to “us”
  5. sudo nano /etc/wpa_supplicant/wpa_supplicant.conf – if WiFi doesn’t connect, add the network manually
  6. If you only want to use IPv4:

sudo nano /etc/sysctl.conf

add “net.ipv6.conf.all.disable_ipv6=1”, then apply it with sudo sysctl -p (or reboot)
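The four boot-partition files above can be generated in one go. The script below is an added example, not the article’s or Adafruit’s code; it assumes the Bullseye-era boot-partition provisioning (on Bookworm the wpa_supplicant.conf there is ignored), takes a crypt(3) password hash you produce yourself (for example with `openssl passwd -6`), and writes the WiFi network as a pre-computed 256-bit PSK rather than the plaintext passphrase, so a drop box that is recovered by the target does not hand over the operator’s WiFi password. The boot path, user name and hash in the usage line are placeholders.

```python
"""
Headless-boot provisioning files for the drop-box Pi (added example, not the
article's own code).

Assumes Raspberry Pi OS of the Bullseye generation, where these files are read
from the boot partition on first boot. On Bookworm the boot-partition
wpa_supplicant.conf is ignored (networking moved to NetworkManager); set WiFi
with Raspberry Pi Imager or nmcli instead. The password hash is supplied by the
caller, e.g. from `openssl passwd -6`.
"""
import hashlib
from pathlib import Path


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the 256-bit WPA2 PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes,
    the same derivation wpa_passphrase performs. Storing the hex PSK instead of
    the passphrase means a recovered drop box does not leak the plaintext WiFi
    password of the operator's network."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               4096, 32).hex()


def render_boot_files(user: str, password_hash: str, ssid: str,
                      passphrase: str, country: str = "US") -> dict:
    """Return {filename: content} for the four files the article lists.
    The config.txt entry holds lines to *append* to the image's existing
    config.txt: the bonnet needs SPI (radio) and I2C (OLED) enabled."""
    if ":" in user or not password_hash.startswith("$"):
        raise ValueError("user must not contain ':' and hash must be a crypt(3) hash")
    if '"' in ssid:
        raise ValueError("SSID with a double quote is not handled here")
    wpa_conf = (
        "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\n"
        "update_config=1\n"
        f"country={country}\n\n"
        "network={\n"
        f'    ssid="{ssid}"\n'
        f"    psk={wpa_psk(ssid, passphrase)}\n"   # hex PSK is written unquoted
        "    key_mgmt=WPA-PSK\n"
        "}\n"
    )
    return {
        "userconf.txt": f"{user}:{password_hash}\n",
        "ssh": "",
        "wpa_supplicant.conf": wpa_conf,
        "config.txt": "dtparam=spi=on\ndtparam=i2c_arm=on\n",
    }


def write_boot_files(boot_dir, files: dict) -> list:
    """Write the files into the mounted boot partition; config.txt is appended,
    the other three are (over)written. Returns the paths written."""
    boot_dir = Path(boot_dir)
    written = []
    for name, content in files.items():
        path = boot_dir / name
        mode = "a" if name == "config.txt" else "w"
        with open(path, mode, encoding="utf-8") as fh:
            fh.write(content)
        written.append(path)
    return written


if __name__ == "__main__":
    import sys
    # placeholder usage:
    #   python boot_files.py /media/$USER/boot '$6$...' MySSID 'my passphrase'
    boot, pw_hash, ssid, passphrase = sys.argv[1:5]
    for p in write_boot_files(boot, render_boot_files("pi", pw_hash, ssid, passphrase)):
        print("wrote", p)
```

The PSK derivation is checked against the IEEE 802.11i test vector (SSID "IEEE", passphrase "password"), so if you change the derivation and that check fails, the Pi will not associate. Mount the card’s boot partition, run the script against it, and then eject; the files are consumed on first boot.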

Set Auto Login

To enable Auto-login run:

  • sudo raspi-config

  • Choose option 1 System Options
  • Choose option S5 Boot / Auto Login
  • Choose option B2 Console Autologin
  • Select Finish and reboot the Raspberry Pi

Install Blinka – Adafruit’s CircuitPython compatibility layer for Linux

https://learn.adafruit.com/circuitpython-on-raspberrypi-linux/installing-circuitpython-on-raspberry-pi

Install the LoRa Software in a Virtual Environment

https://learn.adafruit.com/lora-and-lorawan-radio-for-raspberry-pi/rfm9x-raspberry-pi-setup#

*Don’t use sudo for the pip commands

Create and run the radio-check script from the tutorial. If it detects the radio, you should be all set!

Creating your First Code

https://learn.adafruit.com/lora-and-lorawan-radio-for-raspberry-pi/sending-data-using-a-lora-radio

Enter the code from this website and if it sends and receives packets between the two, congrats, it’s working!!

Two LoRa Raspberry Pi systems

Creating Code with AI

Now that we have the devices communicating, we can start to create our own code.

Enter the virtual environment: “source env/bin/activate”

Create your send and receive code. I used ChatGPT for all of my code. I just had to tell it that I was using the RFM95 Adafruit OLED bonnet and then explain in detail what I wanted it to do.

I needed it to send a terminal command from the sending Pi and then execute the command on the receiving Pi. ChatGPT instantly created the code I needed; I just had to change the import statements and variable settings to the ones from the code on Adafruit’s site, and it worked perfectly!

I started simple, I had it send an “ls” command with one button push, and then a “Hello World!” echo statement with the second button.

Remote WiFi Scanning and Testing with Besside-NG

Tool documentation: https://www.aircrack-ng.org/doku.php?id=besside-ng

We can go a step further.

Install aircrack-ng:

  • sudo apt install aircrack-ng
Installing Besside-NG

Then I programmed button 3 to send “sudo besside-ng -W wlan1” to the receiving unit (-W tells besside-ng to attack only WPA networks). Keep in mind that besside-ng is not a passive scanner: it deauthenticates clients and attacks every network it can see unless you pin it to a target with -b (BSSID) or -R (ESSID regex), so on a real engagement restrict it to in-scope networks before you put the button in reach.

Here is a snippet of my sending code:

The receiving system displays the command being run on the OLED and in the terminal, then saves the command’s output to a file on the SD card with a date and time stamp.
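One thing the page’s command channel does not address is authentication: a LoRa packet carrying a terminal command is readable and forgeable by anyone with a compatible radio on the same frequency, spreading factor and sync word, so a third party could replay your “wifi attack” button or inject commands of their own into the drop box. The code below is an added example, not the article’s ChatGPT-generated code, showing how the send/execute design from the previous section and the besside-ng button above can be built on authenticated, replay-protected packets. It sends no radio traffic: build() returns the bytes you would pass to adafruit_rfm9x’s rfm9x.send(), and verify() takes the bytes rfm9x.receive() returns. It assumes a 32-byte pre-shared key copied to both Pis (the KEY constant is a placeholder) and a fixed allow-list of commands in place of free-form shell strings.

```python
"""
Authenticated, replay-protected command packets for the LoRa link (added
example, not the article's own code).

Packet layout: version(1) | counter(4, big-endian) | command name | HMAC tag(16).
The tag is HMAC-SHA256 over everything before it, truncated to 16 bytes, keyed
with a pre-shared key both Pis hold. The receiver persists the highest counter
accepted, so a captured packet cannot be replayed, even after a reboot.
"""
import hashlib
import hmac
import struct
import subprocess
import time
from pathlib import Path

KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)  # placeholder; generate with os.urandom(32)
VERSION = 1
TAG_LEN = 16                    # truncated HMAC-SHA256 tag
MAX_PAYLOAD = 252               # adafruit_rfm9x packet size limit
HEADER = struct.Struct(">BI")   # version byte, 32-bit monotonic counter

# The receiver only ever runs these argv lists; a free-form shell string
# arriving over the air is never executed.
COMMANDS = {
    "ls": ["ls", "-la"],
    "hello": ["echo", "Hello World!!"],
    "wifi": ["sudo", "besside-ng", "-W", "wlan1"],
}


class Sender:
    """Operator side: button press -> build() -> rfm9x.send(packet).
    Persist self.counter on the real unit so it survives a restart."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def build(self, name: str) -> bytes:
        if name not in COMMANDS:
            raise ValueError(f"unknown command {name!r}")
        self.counter += 1
        body = HEADER.pack(VERSION, self.counter) + name.encode("ascii")
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        packet = body + tag
        if len(packet) > MAX_PAYLOAD:
            raise ValueError("packet exceeds LoRa payload limit")
        return packet


class Receiver:
    """Drop-box side: rfm9x.receive() -> verify() -> execute()."""

    def __init__(self, key: bytes, state_file):
        self.key, self.state_file = key, Path(state_file)
        self.last = int(self.state_file.read_text()) if self.state_file.exists() else 0

    def verify(self, packet: bytes):
        """Return the command name, or None for anything forged, replayed,
        stale or malformed. Gaps in the counter (lost packets) are fine; only
        going backwards is rejected."""
        if len(packet) < HEADER.size + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None
        version, counter = HEADER.unpack_from(body)
        if version != VERSION or counter <= self.last:
            return None
        name = body[HEADER.size:].decode("ascii", errors="replace")
        if name not in COMMANDS:
            return None
        self.last = counter
        self.state_file.write_text(str(counter))
        return name


def execute(name: str, outdir) -> Path:
    """Run an allowed command and save its output with a timestamp, as the
    article's receiver does. Returns the path of the output file."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    result = subprocess.run(COMMANDS[name], capture_output=True, text=True)
    out = outdir / f"{name}_{time.strftime('%Y%m%d-%H%M%S')}.txt"
    out.write_text(result.stdout + result.stderr)
    return out


if __name__ == "__main__":
    # Round trip without a radio. On the real units the packet goes through
    # rfm9x.send(packet) on one Pi and comes back from rfm9x.receive() on the other.
    operator, dropbox = Sender(KEY), Receiver(KEY, "/tmp/lora_counter")
    packet = operator.build("hello")
    name = dropbox.verify(packet)
    print("accepted:", name, "->", execute(name, "/tmp/lora_out"))
    print("replay accepted:", dropbox.verify(packet))  # None
```

This authenticates but does not encrypt: an eavesdropper still sees which button you pressed. If that matters, wrap the body in an AEAD such as AES-GCM with the counter as the nonce instead of the bare HMAC; the replay logic stays the same.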

Below is a terminal view of both Pi’s:

LoRa AI Code Sample

As you can see in this test, the sending system sent three commands: “ls”, the “Hello World!!” echo, and then the command to start scanning WiFi for targets. The ls command performs a real directory listing on the receiver and stores it as a file. Once the third button, the WiFi attack button, was pushed, the receiving machine not only scanned the WiFi networks near it but captured a WPA handshake from a target network!

Let’s Go Long Range!

For a better test, I put the sending and receiving units about half a mile apart. In this scenario the attacker could leave the receiving unit in a target area and be half a mile or more away and still successfully send commands to it. There were dense woods and a large industrial building between the two units.

They communicated perfectly, and on command, the receiving unit started scanning for WiFi Networks. Even though the two systems were half a mile apart, it was as if I was entering terminal commands on the receiving one from an attached keyboard.

AI Coded Long Range Hacking Device

The Next Steps

This is just the beginning; with this setup you can write your own code and use the platform in many different ways. One way, which a good friend is implementing, is mounting it on a drone. LoRa communicates over very long distances in open air, so a drone is the natural platform of choice.

But it could be used in many different ways, only the imagination is the limit.

Conclusion

The article presents a compelling case for the incorporation of LoRa technology into hacking platforms, demonstrating its capability to transcend the range limitations of WiFi-based solutions. By leveraging off-the-shelf components and using AI tools for code development, the author showcases a functional LoRa-based system that can execute remote commands and initiate WiFi network attacks from substantial distances.

While the low bandwidth nature of LoRa restricts its use for data-intensive applications like video streaming, its long-range capabilities open up new avenues for covert and remote hacking operations. The integration of this technology with drone platforms further amplifies its potential, enabling a new level of stealth and remote hacking possibilities.