Ground Control Station Discovery - nicholasaleks/Damn-Vulnerable-Drone GitHub Wiki
Locating ground control stations by detecting communication signals or network presence.
The goal here is to observe both the source and the destination of MAVLink telemetry and commands in order to determine the IP addresses of the ground control stations (GCS). While the drone is flying around, you should be able to see commands and telemetry flowing between the companion computer and GCS IPs.
⚠️ Solution Guide (Non-WiFi Mode)
Verify you are connected to the Docker bridge network:
    ip addr show
You should have a bridge interface with an IP in the 10.13.0.0/24 range.
Use Nmap to scan the Docker network range, excluding known IPs:
    nmap -sn 10.13.0.0/24 --exclude 10.13.0.1,10.13.0.5
This helps identify active hosts, including potential GCS machines.
Connect to the drone and use flight controls to generate MAVLink telemetry. Then, in Wireshark apply this filter:
    mavlink_proto
From here, you should see traffic from 10.13.0.3 (companion computer) to 10.13.0.4 (likely GCS).
In Wireshark, refine your capture with:
    mavlink_proto && ip.src == 10.13.0.4
This will isolate telemetry and command traffic from the GCS.
⚠️ Solution Guide (WiFi Mode)
Check your active interfaces:
    ip addr show
You should see a bridge address in the 10.13.0.0/24 range.
Use Nmap to discover devices in the WiFi range:
    nmap -sn 192.168.13.0/24
This should surface devices including the GCS and drone nodes.
Use flight state buttons to stimulate MAVLink telemetry. In Wireshark, apply this filter:
    mavlink_proto
You should observe traffic from 192.168.13.1 (companion) and 192.168.13.14 (GCS).
To specifically observe traffic from the GCS, apply this Wireshark filter:
    mavlink_proto && ip.src == 192.168.13.14
This isolates command and telemetry packets from the ground control station.
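What the mavlink_proto filter surfaces can also be read straight from the UDP payloads. This is an added example, not code from the Damn Vulnerable Drone project: it parses MAVLink 1 and 2 headers and marks a source as a GCS when its HEARTBEAT carries MAV_TYPE_GCS (6), going slightly beyond the IP-based filter in the guide. The function names, the sample frames and the 10.13.0.2 host are constructed for illustration, using the Non-WiFi addresses above.

```python
import struct
from collections import defaultdict

MAV_TYPE_GCS = 6     # MAV_TYPE enum value for a ground control station
HEARTBEAT_ID = 0     # message id of HEARTBEAT

def parse_frame(data):
    """Return (sysid, compid, msgid, payload) for one MAVLink frame, else None.
    The checksum is not validated here."""
    if len(data) >= 8 and data[0] == 0xFE:        # MAVLink 1: 6-byte header
        plen, _seq, sysid, compid, msgid = data[1:6]
        start = 6
    elif len(data) >= 12 and data[0] == 0xFD:     # MAVLink 2: 10-byte header
        plen, sysid, compid = data[1], data[5], data[6]
        msgid = int.from_bytes(data[7:10], "little")
        start = 10
    else:
        return None
    if len(data) < start + plen + 2:              # payload plus 2-byte CRC
        return None
    return sysid, compid, msgid, data[start:start + plen]

def classify_sources(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload). Returns {src_ip: info}."""
    hosts = defaultdict(lambda: {"sysids": set(), "peers": set(), "gcs": False})
    for src, dst, payload in packets:
        frame = parse_frame(payload)
        if frame is None:
            continue                              # not MAVLink, ignore
        sysid, _compid, msgid, body = frame
        hosts[src]["sysids"].add(sysid)
        hosts[src]["peers"].add(dst)
        # HEARTBEAT wire layout: custom_mode(u32), type, autopilot, base_mode, status, version
        if msgid == HEARTBEAT_ID and len(body) >= 5 and body[4] == MAV_TYPE_GCS:
            hosts[src]["gcs"] = True
    return dict(hosts)

def heartbeat_v2(sysid, compid, mav_type, autopilot):
    """Build a constructed MAVLink 2 HEARTBEAT with a placeholder CRC."""
    body = struct.pack("<IBBBBB", 0, mav_type, autopilot, 0, 4, 3)
    header = bytes([0xFD, len(body), 0, 0, 0, sysid, compid]) + (0).to_bytes(3, "little")
    return header + body + b"\x00\x00"

SAMPLE = [  # constructed records, not taken from a real capture
    ("10.13.0.3", "10.13.0.4", heartbeat_v2(1, 1, 2, 3)),      # vehicle heartbeat
    ("10.13.0.4", "10.13.0.3", heartbeat_v2(255, 190, 6, 8)),  # GCS heartbeat
    ("10.13.0.2", "10.13.0.4", b"GET / HTTP/1.1\r\n"),         # unrelated traffic
]
```

Calling classify_sources(SAMPLE) marks only 10.13.0.4 as a GCS. On a monitored segment the same tally gives an inventory of MAVLink speakers, so an endpoint announcing itself as a GCS that is not on the expected list stands out.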