Intercepting MAVFTP file transfers between the Ground Control Station (GCS) and the drone to access logs, missions, or parameters.

Damn Vulnerable Drone > Attack Scenarios > Exfiltration > FTP Eavesdropping

Description

MAVFTP is a file transfer protocol built into MAVLink 2.0 that allows Ground Control Stations to upload or download files from a drone's onboard storage — including mission files, tlogs, and flight parameters. These transfers occur over MAVLink message type FILE_TRANSFER_PROTOCOL.

An attacker on the telemetry link can passively monitor and reconstruct file transfers by parsing FILE_TRANSFER_PROTOCOL messages in real-time. In some cases, the attacker can reconstruct entire .BIN logs, parameter files, or mission plans without ever directly interacting with the drone.

Resources

MAVLink FILE_TRANSFER_PROTOCOL
MAVProxy: MAVFTP Module
Wireshark with MAVLink dissector
MAVLink Inspector (in QGroundControl)

⚠️ Solution Guide

Step 1. Setup Packet Capture on the MAVLink Link

If the drone is communicating over UDP (e.g., 14550), use tcpdump or Wireshark to sniff the stream:

tcpdump -i any port 14550 -w mavftp.pcap

Step 2. Use Wireshark with MAVLink Dissector

Install the MAVLink dissector plugin in Wireshark or use QGroundControl’s MAVLink Inspector to parse FILE_TRANSFER_PROTOCOL packets.

Filter the stream using:

mavlink.message.name == "FILE_TRANSFER_PROTOCOL"

You’ll see messages with file names, offsets, and raw file payload chunks.

Step 3. Reconstruct Files (Optional)

If you're logging the FILE_TRANSFER_PROTOCOL payloads, you can reconstruct the transmitted files manually or script the process.

Each message payload contains:

seq_number
offset
data[] buffer

Write a simple Python script to reorder and write the binary stream to disk.

Step 4. Use MAVProxy to Actively Download (if permitted)

If you’ve already hijacked the GCS session or spoofed a new one, you can initiate file downloads using MAVProxy:

module load mavftp
ls /
cd /APM/LOGS
get 1.BIN

This downloads a flight log to your local system. You can then analyze it using Mission Planner or DroneLogbook.

Examples of Sensitive Files via MAVFTP

File	Description
`/APM/LOGS/*.BIN`	Raw flight logs
`/APM/STRG*`	Flash storage logs
`/APM/Missions/*`	Active mission waypoints
`/APM/Parameters.parm`	Full flight controller parameter dump

FTP Eavesdropping - nicholasaleks/Damn-Vulnerable-Drone GitHub Wiki

Description

Resources

Step 1. Setup Packet Capture on the MAVLink Link

Step 2. Use Wireshark with MAVLink Dissector

Step 3. Reconstruct Files (Optional)

Step 4. Use MAVProxy to Actively Download (if permitted)

Examples of Sensitive Files via MAVFTP

⚠️ GitHub.com Fallback ⚠️

FTP Eavesdropping - nicholasaleks/Damn-Vulnerable-Drone GitHub Wiki

Description

Resources

Step 1. Setup Packet Capture on the MAVLink Link

Step 2. Use Wireshark with MAVLink Dissector

Step 3. Reconstruct Files (Optional)

Step 4. Use MAVProxy to Actively Download (if permitted)

Examples of Sensitive Files via MAVFTP

⚠️ **GitHub.com Fallback** ⚠️

⚠️ GitHub.com Fallback ⚠️