6. Flipper Add‐On: Ethernet - ElectronicCats/flipper-addons GitHub Wiki

Flipper Add-On: Ethernet

Add wired Ethernet connectivity to your Flipper Zero for network analysis, scanning, or sniffing in environments without WiFi. This Add-On, along with the Ethernet app, allows you to interact with networks working over Ethernet.

Tech Specs

ENC28J60

Is a stand-alone Ethernet controller with an SPI Interface. The ENC28J60 meets all of the IEEE 802.3 specifications. Provides an internal DMA module for fast data throughput and hardware-assisted checksum calculation, which is used in various network protocols.

  • Operates from 3.3V - 5V
  • Input Voltage 5V

Read more of its characteristics in the datasheet.

Schematics

Find the project files here → FLIPPER_ETHERNET

Understanding Flipper Add‐On: Ethernet

Main functions

This add-on allows scanning wired networks and running essential network analysis tools. It includes features such as ARP scan, ARP Poison, ARP Spoofing, device detection, ping, PCAP file generation, and other basic network utilities. Perfect for pentesters, red teamers, and security researchers looking to expand their Flipper Zero’s capabilities in wired environments.

Connecting your Add-On to Flipper

Use the pin headers to connect your Add-On to your Flipper.

[!WARNING] IF THE ADD-ON IS DISCONNECTED FROM THE FLIPPER DURING THE OPERATION, YOU MUST RESTART THE APP TO CONTINUE USING IT.

First steps with Flipper Add‐On: Ethernet

[!IMPORTANT] The first step for using the Ethernet Add-On is installing the Ethernet app in the Flipper. You can find the instructions here.

Sniffer

Upon entering the Sniffing mode, an initial screen is displayed, prompting the user to start the sniffing process. If the device is not connected to a network, a waiting screen will appear until a connection is established.

Once connected, the interface begins displaying the packets being captured in real time. To stop the sniffing process, either press the OK button or return to the main menu.

After stopping the capture, the system will prompt you to view the sniffed packets. To access this view, press the right button. The packet viewer screen allows browsing through the captured packets using the left and right navigation buttons.

Exiting the packet viewer will return the user to the initial screen, where the sniffing process can be started again.

ARP Actions

The ARP Actions offer several tools for interacting with the ARP (Address Resolution Protocol). Upon opening this section, a menu appears listing all available options:

[!NOTE] The effectiveness of spoofing attacks depends on the router or modem being used. Some network devices come with built-in protections that can block or limit the impact of these actions, particularly those that attempt to disrupt internet access.

- ARP Scanner: used to scan for IP addresses currently active within the local network, providing visibility into connected devices. -

Upon opening ARP Scanner, a menu appears with options to start the scan, choose the starting IP address, and set the range of addresses to be scanned. When selecting an IP address, an IP configuration screen is displayed. This view is commonly used throughout the application whenever an IP needs to be selected or configured. To adjust the scan range, simply use the left and right navigation buttons to increase or decrease the value.

When the scan begins, if there is no network connection, a “Network Not Detected” message will appear. This screen may appear frequently in cases where network access is not established. If the device is properly connected to a network, a list of discovered IP addresses within the selected range will be displayed.

For example, if the starting IP is 192.168.0.100 and the selected range is 10, the scan will include addresses up to 192.168.0.110. Any IP address marked with (D) indicates that the address is duplicated on the network.

Selecting any of the listed IP addresses opens a detail view showing the device's IP address and corresponding MAC address.

- ARP Spoofing Specific IP: enables a targeted spoofing attack, where a specific device on the network is denied internet access by impersonating the gateway. -

The ARP Spoofing Specific IP option allows targeting a single device on the network for a spoofing attack. This section presents a menu with the following actions:

  • Scan for IP: This option works similarly to the ARP Scanner. It displays a list of detected IP addresses on the network. However, when an IP is selected, the screen returns to the spoofing menu rather than showing detailed information.

  • Attack IP: Launches the spoofing attack against the selected or manually entered IP address.

  • Set IP Manually: Allows direct input of the target IP address without scanning the network.

When starting an attack using Attack IP, the process first checks whether the target IP is valid and if its MAC address has been retrieved. If the MAC address is unavailable, either because the device is offline or unresponsive, a “MAC Not Retrieved” message will appear.

Once a valid target is identified, an attack confirmation screen is displayed. Pressing the OK button initiates the spoofing process. The same button can be used again to stop the attack at any time.

- ARP Spoofing All: performs the same spoofing attack, but this time targeting all devices connected to the network simultaneously. -

The ARP Spoofing All option allows launching a spoofing attack against all devices connected to the network.

When this option is selected, a confirmation screen appears asking whether to proceed using the current IP address or to obtain a static IP assigned by the network's router. Once this step is completed, the assigned IP address is displayed, either the one provided by the router or a custom IP configured earlier from the Settings menu in the Main Menu.

Next, a screen appears asking whether to begin the attack. If confirmed, an animation will indicate that the attack is in progress. To stop the attack, simply press the OK button again. This action stops the spoofing process and returns to the initial screen.

Read Caps

This option allows reading PCAP files, which contain data packets previously captured using the Sniffing feature.

Upon selecting this option, a list of saved PCAP files is displayed. Each file is named using the format pcap_DD_MM_YYYY_N, where:

  • DD is the day
  • MM is the month
  • YYYY is the year
  • N is the number of the file saved on that particular day

Opening any file shows a screen similar to the packet viewer displayed after completing a sniffing session.

These PCAP files can be exported and analyzed using packet inspection tools such as Wireshark. All files are stored in the following directory on the device: SD Card/apps_data/ethernet/files. Files can be accessed and copied directly from this folder for further analysis.

Settings

The Settings menu displays the currently assigned MAC address and IP address. By default, the MAC address is set to ba:3f:91:c2:7e:5d and the IP address to 192.168.0.2.

  • MAC Address Configuration Within the MAC settings, there are two options:

    • Set Random MAC: Assigns a randomly generated MAC address to the device.
    • Set MAC Manually: Allows entering a custom MAC address manually.

  • IP Address Configuration The IP settings include:

    • Get IP: Requests a static IP assigned automatically by the router or modem. Note that the device must be connected to the network for this option to work properly.
    • Set IP Manually: Opens an IP assignment screen to enter a custom IP address manually.