Hack Rifle

Since some people are concerned: this isn’t a real gun, it’s an airsoft rifle. And yes, pointing anything that looks like a gun at a person or building is a terrible idea, and yes this thing will freak people out and probably get you arrested. That’s why it’s never been outside my apartment, has never been aimed out my windows, and has an orange tip.

Way back in 2004, some guys at DefCon built a WiFi rifle. It was basically a gun stock with a big Yagi antenna on the end. They plugged it in to a laptop next to the rifle and could wreak 2.4 GHz havoc from the rooftops. Ten years later, technology has changed a lot. I thought it would be fun to rebuild the WiFi rifle to take advantage of that. I’m calling my version the Hack Rifle.

My version is lighter than the original, has higher gain (25 dBi vs 14.6 dBi), and most importantly is self-contained and can crack a network without any external equipment. It’s also got a fold-out screen a la the CornerShot.

It uses the ubiquitous Raspberry Pi running the Raspberry Pwn distro from Pwnie Express. When it boots up, it automatically launches a script that’s controlled with the two buttons on the gun. You can always plug in a keyboard, but that kind of defeats the purpose of being fully self-contained. So I added two buttons: the trigger and a small button next to the trigger.

The trigger has a small limit switch to detect a pull, and the little pushbutton is placed to line up with your index finger when it’s not on the trigger.

Powering the entire thing is a rechargeable USB battery which lasts about 7 hours. Since the TFT screen requires 12 V, a small DC-to-DC converter steps the 5 V from USB up to 12 V. It’s the little circuit board near the butt of the gun.

The WiFi card is an Alfa AWUS036H. The gun itself is an airsoft rifle. It was WAY cheaper than a real assault rifle body and is also much lighter. I thought about shoving all the electronics inside the body, but there’s not enough room. I think it looks kind of cool with stuff all over it though. And it does still shoot airsoft pellets.

I assembled it in such a way that it is collapsible. The airsoft gun comes apart in about 5 pieces and the electronics can all be unplugged from each other, so it’s easy to take it all apart for travel (since it looks SUPER sketchy) and put it back together.

The way it’s set up right now, after pressing the button on the battery and booting up, pulling the trigger will scan for networks, find the best candidate, and start cracking.

In the future, I’d like to add another small 1″ screen to the scope that shows a continuous FFT off the antenna. My thinking is that a regular rifle scope shows you the light at the end of the barrel, so a 2.4 GHz rifle should show you the spectrum at the end of the barrel. Little 1″ TFT screens are surprisingly expensive though, and I’d have to probably get a new scope to make it fit. Plus looking at the raw spectrum isn’t actually that helpful since it’s basically impossible to identify data streams, especially if they’re as wide band as WiFi or Bluetooth. The other thing I’d like to do is get a decent external Bluetooth module (like the Ubertooth One) so I can use the antenna for that as well. I also own a 5 watt 2.4 GHz wideband amplifier, but it uses a lot of power, gets pretty hot, and is big, so I didn’t put that on the rifle. If you wanted to go crazy though, you could have a backpack or something with a bigger battery, a giant amplifier, circulator, and SDR for the complete long range, wireless mischief package. That brings new meaning to the term “spec ops”!

11 thoughts on “Hack Rifle”

  1. Hi Hunter, where did you source your antenna? I have a somewhat similar interest, but the best directional yagi I have found is a 16 dBi, from Pacific Wireless, if I recall.

    Anyway, nice looking project.

    Cheers!

    • I got it from Deal Extreme, but as some others have correctly noted, those kind of dealers tend to use “Chinese dBi”, which is often much different from real dBi. I haven’t hooked this up to a network analyzer to actually measure it, but it is probably less than 25 dBi. I don’t know by how much though. However, I’ve used this company to custom make me antennas before and they were great: http://antennaworld.com/

  2. Pingback: Sniping 2.4GHz | Hack The Planet

  3. My interest is pure utility. We sail/cruise. Pull into an anchorage and one used to be able to pick up unprotected connections. I have a watertight non-directional antenna & USB booster cable so we can hoist the antenna about 40 feet. The problem is that everything is password protected and the marinas will charge insane minute charges to use their connection. I don’t want to own it. I just need to download raster & vector charts and weather maps. antenna – Ubiquiti Bullet – older model now

    • Well, it’s illegal to crack a network without permission, but I can’t stop you. If you sail near the US, a 3G or 4G USB cell modem might work. Otherwise, I’d switch to a directional antenna, since an omnidirectional antenna wastes a bunch of gain out to sea that you could be using to go further towards land. Then you could turn the antenna while scanning and see what you get. You might also add a WiFi amplifier. Also, if you’re running a USB cable 40 feet, the signal quality won’t be very good, even with a booster, and that might decrease your network speed a lot. It’s best to run coaxial cable from the antenna to your wifi card. USB is a high speed bus, and it’s really only good for a couple meters. The wifi adapter I used for this project is quite high power for a consumer card and has an RP-SMA connector on it for running that coax cable, so it might be a good choice. Looks like the new version of the Ubiquiti Bullet lets you run ethernet to it, which is also good for long distances.

  4. Awesome project here! I’m a hobbyist wifi guy and known around the office as the “Guy with the Yag-zooka” so I’m really digging this rifle. I just wanted to offer up some tips and tricks that I’ve learned from studying 802.11 and RF theory. First, have you thought about shielding your antenna? I use a tube-encased yagi and wrap the outer plastic tube with tin foil (or silver duct tape) so it keeps nearby emitters on the same or neighboring channels out of the receive equation and effectively lowers the noise floor so your far-off emitter has a better chance of being received cleanly. And don’t forget polarity, you may be surprised that your rifle could work better shooting ‘gangster style’ in some cases.

    If you have a particularly difficult shot in a noise-rich environment, you can build a “pin-hole camera” of sorts out of tinfoil and shoot the yagi right out of the “pin-hole”, which greatly tightens your beamwidth.

    Also, airodump can be a bit misleading with that bright and shiny PWR column. The RXQ and data/# are better but are not optimized for what you’re trying to do. I’ve found that wireshark filtered to “wlan.fc.type eq 2 && wlan.bssid == (targets bssid)” or substitute “wlan.fc.type_subtype == 0x20 && …..” allows you to really get the best reading on if you’re actually honed in on the tgt AP instead of just hearing its loud 1 Mbit rate probes (modify the filters as you see fit…). You should also consider dropping the wlan.bssid filter and see if other APs are particularly noisy and drown out your target. In this case, you may see nice 54 Mbit packets from your WPA target but if you only see 100 of them out of 3000 other type 2 data packets over time on your channel, then you need to minimalize the other APs that your hardware is hearing. In WEP’s case, you’ll want to look for 11 Mbit rate data packets, which are far more robust/stable compared to WPA so you can really pull off some long shots against WEP in noise-rich areas. Also, if you’re playing with wireshark, make sure you’re not channel hopping!

    Hope my troubles over the years with wifi can help you out a bit! Keep up the good work!

    Z
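
The frame-type accounting described in the comment above, as a Python example added here (not code from the post or from Z): it applies the same wlan.fc.type == 2 / wlan.bssid logic to raw 802.11 headers and reports each AP's share of a channel's data frames and its rate mix, which is also the operator-side view of whether one AP is being drowned out by its neighbours. The sample frames, the _hdr builder and the MAC addresses are constructed for the example.

```python
# Added example: per-BSSID data-frame accounting over 802.11 MAC headers.
# Rates and headers are constructed here; a real capture would take the
# rate from radiotap and the header bytes from a monitor-mode interface.
from collections import Counter, defaultdict

def parse_frame(hdr: bytes):
    """Return (type, subtype, bssid) for an 802.11 MAC header; bssid is None
    when the frame carries none (control, 4-address WDS) or is truncated."""
    if len(hdr) < 2:
        return None
    ftype = (hdr[0] >> 2) & 0x3            # 0 = mgmt, 1 = ctrl, 2 = data
    subtype = (hdr[0] >> 4) & 0xF          # Wireshark's 0x20 = type 2, subtype 0
    to_ds, from_ds = hdr[1] & 0x1, (hdr[1] >> 1) & 0x1
    if ftype == 1 or (to_ds and from_ds) or len(hdr) < 22:
        return ftype, subtype, None
    addr = lambda i: hdr[4 + 6 * i: 10 + 6 * i].hex(":")
    # Which address holds the BSSID depends on the To/From DS bits
    bssid = addr(0) if to_ds else addr(1) if from_ds else addr(2)
    return ftype, subtype, bssid

def channel_summary(frames):
    """frames: iterable of (rate_mbps, header_bytes). Counts data frames only
    (wlan.fc.type == 2) and returns each BSSID's count, share and rate mix."""
    per = defaultdict(lambda: {"count": 0, "rates": Counter()})
    total = 0
    for rate, hdr in frames:
        parsed = parse_frame(hdr)
        if parsed is None or parsed[0] != 2 or parsed[2] is None:
            continue
        total += 1
        per[parsed[2]]["count"] += 1
        per[parsed[2]]["rates"][rate] += 1
    for entry in per.values():
        entry["share"] = entry["count"] / total
    return {"data_total": total, "per_bssid": dict(per)}

def _hdr(ftype, subtype, a1, a2, a3, to_ds=0, from_ds=0):
    """Constructed 24-byte header: frame control, duration, addr1-3, seq ctrl."""
    fc = bytes([(ftype << 2) | (subtype << 4), to_ds | (from_ds << 1)])
    return fc + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

AP_A, AP_B = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
STA, BCAST = bytes.fromhex("021122334455"), b"\xff" * 6
SAMPLE_FRAMES = [                                     # constructed (Mbit/s, header)
    (1.0, _hdr(0, 8, BCAST, AP_A, AP_A)),             # beacon: management, not data
    (54.0, _hdr(2, 0, STA, AP_A, AP_A, from_ds=1)),   # AP_A -> STA
    (54.0, _hdr(2, 0, AP_A, STA, AP_A, to_ds=1)),     # STA -> AP_A
    (24.0, _hdr(1, 13, STA, b"", b"")),               # ACK: control, no BSSID
] + [(11.0, _hdr(2, 8, STA, AP_B, BCAST, from_ds=1))] * 3   # QoS data from AP_B

if __name__ == "__main__":
    for bssid, e in channel_summary(SAMPLE_FRAMES)["per_bssid"].items():
        print(bssid, e["count"], f"{e['share']:.0%}", dict(e["rates"]))
```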

  5. Pingback: itboomblog

  6. I would absolutely love it if you could write a brief tutorial for your custom modifications like the attachment of the fold-out screen and the script that determines the best candidate. On what criteria does it select a network for cracking? I know my way around rPi and Raspberry Pwn / Kali.

    • The screen is just a TFT LCD I got off eBay that has a composite video input (they go for like $20 or so and are meant for car dashboards). To attach it to the gun, I literally superglued it to a small metal hinge I got from Home Depot.

    The cracking script right now is a slightly customized version of I think autocrack, which is a shell script that searches for networks and picks the one that has the highest signal and is encrypted with WEP (there’s still a surprising number of those around). You could also use the autopwn module for Metasploit, although I think it’s deprecated now.
