GlomarGadaffi/wifi-ble-marauder

GitHub: GlomarGadaffi/wifi-ble-marauder

A pure ESP-IDF multi-chip wireless security research tool supporting attacks and sniffing for the WiFi/BLE/Thread/Zigbee protocols.

Stars: 0 | Forks: 0

# wifi-ble-marauder

A pure ESP-IDF 6.0.1 WiFi/BLE security research tool. No Arduino. No wrapper layer.

It is the successor to [ESP32Marauder](https://github.com/justcallmekoko/ESP32Marauder): completely rewritten from the ground up in C against the native IDF protocol stacks, adding new attack vectors that Arduino cannot reach.

## New features compared to Marauder

| Feature | Marauder (Arduino) | wifi-ble-marauder (IDF 6.0.1) |
|---|---|---|
| 5 GHz deauth + beacon spam | ✗ | ✓ ESP32-C5 |
| WiFi 6 (802.11ax) frame construction | ✗ | ✓ C5/C6 |
| Live RSSI spectrum on the touchscreen | ✗ | ✓ S3 + Guition |
| Thread neighbor topology dump | ✗ | ✓ C6 (Thread 1.3 certified) |
| Matter authorization interception | ✗ | ✓ C6 |
| Zigbee network enumeration | ✗ | ✓ C6 |
| BLE 5.0 extended advertising (254 bytes) | ✗ (31-byte limit) | ✓ C5/C6 |
| 802.15.4 + WiFi collision DoS | ✗ | ✓ C5/C6 |
| Multi-core task isolation | ✗ (single Arduino loop) | ✓ core 0 runs attacks, core 1 handles UI/CLI |
| µs-precision EAPOL timing | ✗ | ✓ esp_timer |
| Multi-radio interleaved PCAP | ✗ | ✓ WiFi + BLE + 802.15.4 |

## Hardware targets

### Active: S3 + Guition display (Phase 4)

**[Guition JC3248W535EN](https://github.com/GlomarGadaffi/jc3248-display-driver)**

- ESP32-S3, 240 MHz, 8 MB OPI PSRAM, 16 MB flash
- AXS15231B QSPI 320×480 IPS display, FT5336 capacitive touch
- Display driver: [jc3248-display-driver](https://github.com/GlomarGadaffi/jc3248-display-driver)

```
idf.py --sdkconfig-defaults sdkconfig.defaults.s3_guition set-target esp32s3 build
idf.py -p COM3 flash monitor
```

On boot the display shows a live 2.4 GHz RSSI spectrum. Tap a channel bar to select it as the current attack channel, then tap an action button:

```
┌──────────────────────────────────────┐
│  wifi-ble-marauder CH:6  2.4 GHz RSSI│  header
├──────────────────────────────────────┤
│  ▁ ▃ █ ▅ ▁ ▁ ▂ ▁ ▁ ▁  ▃  ▁  ▁        │  channel bars 1–13
│  1 2 3 4 5 6 7 8 9 10 11 12 13       │  tap to select
├──────────────────────────────────────┤
│  ch 6  -62dBm  CoffeeShop            │  recent APs
│  ch 1  -78dBm  NETGEAR_5A            │
├──────────────────────────────────────┤
│  [DEAUTH]  [BEACON]  [SWEEP]  [STOP] │  action bar
└──────────────────────────────────────┘
```

The UART CLI keeps working in parallel at 115200 baud.

### Phase 2: C5 (5 GHz attacks)

**[Espressif ESP32-C5-DevKitC-1-N8R4](https://www.espressif.com/en/products/devkits)**

- ESP32-C5, 240 MHz RISC-V, dual-band 2.4 + 5 GHz WiFi 6 (802.11ax)
- BLE 5.0, 8 MB flash, 4 MB PSRAM, native USB-CDC

```
idf.py --sdkconfig-defaults sdkconfig.defaults.c5 set-target esp32c5 build flash monitor
```

### Phase 3: C6 (Thread / Matter / Zigbee)

**[Seeed XIAO ESP32-C6](https://wiki.seeedstudio.com/xiao_esp32c6_getting_started/)**

- ESP32-C6, Thread 1.3 / Zigbee 3.x certified, WiFi 6, BLE 5.3

```
idf.py --sdkconfig-defaults sdkconfig.defaults.c6 set-target esp32c6 build flash monitor
```

## Project structure

```
wifi-ble-marauder/
├── main/main.c                  # app_main — board dispatch + task spawn
├── components/
│   ├── wifi_attack/             # 802.11 frame inject/sniff (native esp_wifi)
│   ├── ble_attack/              # NimBLE attacks (esp_nimble direct)
│   ├── cli/                     # esp_console REPL (UART, all boards)
│   ├── display/                 # S3 Guition: backlight, QSPI panel, I2C touch, framebuf
│   ├── spectrum/                # S3 Guition: RSSI spectrum task + touch dispatch
│   ├── esp_lcd_axs15231b/       # AXS15231B QSPI + touch driver (from jc3248-display-driver)
│   ├── pcap/                    # SD-backed PCAP writer with radiotap
│   ├── evil_portal/             # captive portal (esp_http_server + DNS)
│   ├── gps/                     # NMEA UART parser
│   └── board/                   # board_c5.h, board_c6.h, board_s3_guition.h
├── sdkconfig.defaults.c5
├── sdkconfig.defaults.c6
├── sdkconfig.defaults.s3_guition
└── partitions_8mb.csv
```

## CLI commands

After flashing, connect a terminal at 115200 baud (all boards).

```
bm> help                                   # list all commands
bm> scan_ap                                # passive beacon/AP scan
bm> scan_raw                               # raw promiscuous capture
bm> sweep                                  # passive sweep all 2.4+5 GHz channels (200ms dwell)
bm> sweep -d 100                           # 100ms dwell
bm> sweep -2                               # 2.4 GHz only
bm> deauth -c 6 -n 50                      # broadcast deauth flood ch 6, 50 frames
bm> deauth -b aa:bb:cc:dd:ee:ff -c 6 -n 20 # targeted deauth by BSSID
bm> beacon -s "FreeWiFi" -c 6              # beacon spam fixed SSID
bm> beacon -c 6                            # random SSID beacon spam
bm> eapol -c 6                             # EAPOL bad-message flood
bm> portal -s "Airport WiFi"               # evil captive portal
bm> ble_scan                               # passive BLE scan
bm> sour_apple                             # Apple proximity popup attack
bm> swiftpair                              # Microsoft Swift Pair spam
bm> ble_spam                               # all BLE vectors (Apple, MS, Samsung, Google, Apple Juice)
bm> stats                                  # packet counters
bm> channel 149                            # jump to 5 GHz ch 149 (C5)
bm> stop                                   # stop all attacks
```

## FreeRTOS task layout

### S3 Guition (Phase 4)

```
app_main (core 1)
├── spectrum_task   core 1  priority 4   — display render + touch dispatch (~25 fps)
├── cli_task        core 1  priority 5   — UART REPL
├── health_task     core 1  priority 2   — heap/stats log every 30s
└── (attack tasks pinned to core 0, spawned on demand)
        wifi_attack     core 0  priority 20
        ble_attack      core 0  priority 19
```

### C5 / C6 (headless)

```
app_main (core 1)
├── cli_task        core 1  priority 5
├── health_task     core 1  priority 2
└── (attack tasks on demand, core 0)
```

## Frame hook API

`wifi_attack_set_frame_hook(cb)` registers a `(uint8_t channel, int8_t rssi)` callback that is invoked from the WiFi RX task for every parsed beacon. The spectrum visualizer uses it to update per-channel RSSI state without a separate promiscuous registration.

```
void my_hook(uint8_t channel, int8_t rssi) { /* fast, ISR-safe */ }
wifi_attack_set_frame_hook(my_hook);
```

## Build

Requires ESP-IDF 6.0.1 or newer. On Windows:

```
# Activate IDF (installed at C:\esp\v6.0.1)
C:\esp\v6.0.1\export.ps1

# S3 Guition (Phase 4: display + spectrum)
idf.py --sdkconfig-defaults sdkconfig.defaults.s3_guition set-target esp32s3 build
idf.py -p COM3 flash monitor

# C5 (5 GHz dual-band)
idf.py --sdkconfig-defaults sdkconfig.defaults.c5 set-target esp32c5 build
idf.py -p COM3 flash monitor

# C6 (Thread/Matter/Zigbee)
idf.py --sdkconfig-defaults sdkconfig.defaults.c6 set-target esp32c6 build
idf.py -p COM3 flash monitor
```

## Roadmap

- [x] Phase 2: WiFi attack core (deauth, beacon, EAPOL, evil portal), C5 5 GHz
- [x] Phase 2: channel sweep CLI command with configurable dwell time + band filter
- [x] **Phase 4: Guition JC3248W535EN display + RSSI spectrum visualizer** ← active
- [ ] Phase 2: PCAP capture with radiotap headers to SD card
- [ ] Phase 3: Thread neighbor scan (`esp_openthread` / `otLinkActiveScan`)
- [ ] Phase 3: Matter authorization sniffer (mDNS + PAKE interception)
- [ ] Phase 3: Zigbee passive channel scan
- [ ] Phase 3: BLE 5.0 extended advertising burst loop

## Related projects

- [jc3248-display-driver](https://github.com/GlomarGadaffi/jc3248-display-driver): JC3248W535EN bring-up + display driver source
- [deauth-detector](https://github.com/GlomarGadaffi/deauth-detector): 802.11 attack detection sensor (complementary: detects what this project generates)
- [wigle-wardriver](https://github.com/GlomarGadaffi/wigle-wardriver): WiFi/BLE wardriver

## License

Apache 2.0
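As an added example (not code from the project), here is a per-channel RSSI aggregator of the kind the spectrum visualizer builds on the frame hook API described above: the hook body follows the documented `(uint8_t channel, int8_t rssi)` signature, tracks only the 2.4 GHz channels 1–13 that the display's bars show, and exposes the averaged values the bars need. Registering it on the device with `wifi_attack_set_frame_hook(rssi_hook)` is taken from the README's own snippet; the code here runs on a host and has no ESP-IDF dependency.

```c
#include <stdint.h>
#include <string.h>

#define NUM_CHANNELS 14          /* 2.4 GHz channels 1..13; index 0 unused */

/* Per-channel state written only by the hook and read by the display task.
 * Each field is updated with a single aligned store, so the hook takes no lock. */
typedef struct {
    int16_t  ema_x16;   /* running average RSSI, fixed point (dBm * 16) */
    int8_t   peak;      /* strongest beacon since last reset */
    uint32_t beacons;   /* beacons counted on this channel */
} chan_stat_t;

static chan_stat_t g_chan[NUM_CHANNELS];

/* Matches the hook signature the README documents. No allocation, no logging,
 * no blocking: cheap enough to run inside the WiFi RX task on every beacon. */
void rssi_hook(uint8_t channel, int8_t rssi)
{
    if (channel == 0 || channel >= NUM_CHANNELS) return;   /* drop out-of-range */
    chan_stat_t *c = &g_chan[channel];
    int16_t sample = (int16_t)rssi * 16;
    if (c->beacons == 0) {                  /* first beacon seeds the average */
        c->ema_x16 = sample;
        c->peak = rssi;
    } else {                                /* EMA with alpha = 1/4 */
        c->ema_x16 += (int16_t)((sample - c->ema_x16) / 4);
        if (rssi > c->peak) c->peak = rssi;
    }
    c->beacons++;
}

/* Average RSSI in dBm for a channel, or -128 if nothing was heard there. */
int8_t chan_rssi_avg(uint8_t channel)
{
    if (channel == 0 || channel >= NUM_CHANNELS || g_chan[channel].beacons == 0) return -128;
    return (int8_t)(g_chan[channel].ema_x16 / 16);
}

/* Channel with the highest average RSSI, or 0 if no beacons were seen yet. */
uint8_t chan_strongest(void)
{
    uint8_t best = 0;
    int best_avg = -128;
    for (uint8_t ch = 1; ch < NUM_CHANNELS; ch++) {
        int avg = chan_rssi_avg(ch);
        if (g_chan[ch].beacons && avg > best_avg) { best_avg = avg; best = ch; }
    }
    return best;
}

/* Bar height 0..8 for the spectrum display: -90 dBm or weaker is 0, -30 dBm or stronger is full. */
uint8_t chan_bar_level(int8_t rssi)
{
    int v = ((int)rssi + 90) * 8 / 60;
    return (uint8_t)(v < 0 ? 0 : (v > 8 ? 8 : v));
}

void chan_reset(void) { memset(g_chan, 0, sizeof g_chan); }
```

On the device the display task would call `chan_rssi_avg` and `chan_bar_level` for channels 1–13 each frame, and `chan_reset` when the user switches bands.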
Tags: BLE security, ESP-IDF, WiFi pentesting, client-side encryption, password management, plugin system, IoT security, hardware hacking