Protocol Fingerprinting - nicholasaleks/Damn-Vulnerable-Drone GitHub Wiki

Determining the MAVLink protocol version to exploit specific vulnerabilities.


Description

In this scenario, the attacker aims to identify various MAVLink protocol parameters such as the version, system ID, component ID, and whether packet signing is enabled. By leveraging MAVLink protocol analysis, the attacker can fingerprint the MAVLink communication to gather critical information about the drone system.

Resources

Solution Guide

Step 1. Capture MAVLink Packets

Use Wireshark to capture MAVLink packets. Follow the setup guide from the Packet Sniffing scenario.

Install Wireshark:

sudo apt install wireshark

Step 2. Filter for MAVLink Traffic

Configure Wireshark to filter MAVLink traffic using the protocol’s magic bytes:

(mavlink_proto.magic == 0xFE) || (mavlink_proto.magic == 0xFD)

Optionally, filter by MAVLink 2.0:

mavlink_proto.magic == "MAVLink 2.0"

Step 3. Analyze Version Info

Analyze the captured packets. Look for version information in the MAVLink header as described in the MAVLink Version Guide.


Step 4. Extract System & Component ID

Identify the System ID and Component ID from the MAVLink headers:

  • System ID: Identifies the drone or ground station
  • Component ID: Identifies the subsystem (e.g., autopilot, camera)

Step 5. Detect Packet Signing

Check for the presence of MAVLink signature fields in captured packets. See the Message Signing Guide for how to detect and interpret message signing in MAVLink 2.0.
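Steps 3 to 5 can be done on a capture without Wireshark by reading the MAVLink header fields directly. The following is an added example, not code from this wiki or from the Damn Vulnerable Drone project: it walks a buffer of captured bytes, distinguishes MAVLink 1 (magic 0xFE) from MAVLink 2 (magic 0xFD) frames, reports system ID, component ID and whether the MAVLink 2 signing flag (incompat_flags bit 0) is set, and verifies the X.25 checksum so a stray byte that happens to equal a magic value is not reported as a frame. The sample traffic is constructed inside the block (HEARTBEAT frames only, with a zero placeholder signature rather than a real one); only the HEARTBEAT crc_extra value is tabled, so other message IDs are parsed but their checksum is reported as unknown.

```python
"""Passive MAVLink header fingerprinting over a captured byte stream.

Added example (not the Damn Vulnerable Drone project's own code). Parses
MAVLink 1 and MAVLink 2 frames, reports version, system ID, component ID
and the MAVLink 2 signing flag, and checks the X.25 CRC.
"""
from dataclasses import dataclass
from typing import Iterator, Optional

STX_V1 = 0xFE
STX_V2 = 0xFD
IFLAG_SIGNED = 0x01      # MAVLink 2 incompat_flags bit: a 13-byte signature follows the CRC
SIGNATURE_LEN = 13
HEARTBEAT_ID = 0
CRC_EXTRA = {HEARTBEAT_ID: 50}  # per-message CRC seed byte; only HEARTBEAT is tabled here


@dataclass
class Fingerprint:
    version: int
    system_id: int
    component_id: int
    msg_id: int
    signed: bool
    crc_ok: Optional[bool]   # None when crc_extra for msg_id is not in CRC_EXTRA
    frame_len: int           # bytes consumed, including any signature


def x25_crc(data: bytes, crc: int = 0xFFFF) -> int:
    """MAVLink's X.25 (CRC-16/MCRF4XX) accumulator."""
    for byte in data:
        tmp = (byte ^ (crc & 0xFF)) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def parse_frame(buf: bytes, offset: int = 0) -> Optional[Fingerprint]:
    """Parse one frame at buf[offset]; None if the bytes are not a complete MAVLink frame."""
    if offset >= len(buf):
        return None
    stx = buf[offset]
    if stx == STX_V1:
        header_len, sig_len, signed = 6, 0, False          # STX LEN SEQ SYSID COMPID MSGID
        if offset + header_len > len(buf):
            return None
        payload_len = buf[offset + 1]
        sys_id, comp_id, msg_id = buf[offset + 3], buf[offset + 4], buf[offset + 5]
    elif stx == STX_V2:
        header_len = 10          # STX LEN INCOMPAT COMPAT SEQ SYSID COMPID MSGID(3)
        if offset + header_len > len(buf):
            return None
        payload_len = buf[offset + 1]
        signed = bool(buf[offset + 2] & IFLAG_SIGNED)
        sig_len = SIGNATURE_LEN if signed else 0
        sys_id, comp_id = buf[offset + 5], buf[offset + 6]
        msg_id = int.from_bytes(buf[offset + 7:offset + 10], "little")
    else:
        return None
    total = header_len + payload_len + 2 + sig_len
    if offset + total > len(buf):
        return None
    crc_end = offset + header_len + payload_len
    received = int.from_bytes(buf[crc_end:crc_end + 2], "little")
    crc_ok = None
    extra = CRC_EXTRA.get(msg_id)
    if extra is not None:
        # CRC covers every byte after STX up to the end of the payload, then crc_extra.
        crc_ok = x25_crc(bytes([extra]), x25_crc(buf[offset + 1:crc_end])) == received
    return Fingerprint(1 if stx == STX_V1 else 2, sys_id, comp_id, msg_id, signed, crc_ok, total)


def fingerprint_stream(buf: bytes) -> Iterator[Fingerprint]:
    """Walk a capture buffer, skipping bytes that do not start a parseable frame."""
    i = 0
    while i < len(buf):
        fp = parse_frame(buf, i)
        if fp is None:
            i += 1
            continue
        yield fp
        i += fp.frame_len


def build_heartbeat(version: int, sys_id: int, comp_id: int, signed: bool = False, seq: int = 0) -> bytes:
    """Construct a HEARTBEAT frame with a valid CRC (sample traffic for this example only)."""
    # custom_mode=0 (u32), type=2 QUADROTOR, autopilot=3 ARDUPILOTMEGA, base_mode=81,
    # system_status=4 ACTIVE, mavlink_version=3
    payload = bytes([0, 0, 0, 0, 2, 3, 81, 4, 3])
    if version == 1:
        head = bytes([STX_V1, len(payload), seq, sys_id, comp_id, HEARTBEAT_ID])
        sig = b""
    else:
        iflags = IFLAG_SIGNED if signed else 0
        head = bytes([STX_V2, len(payload), iflags, 0, seq, sys_id, comp_id]) + HEARTBEAT_ID.to_bytes(3, "little")
        sig = bytes(SIGNATURE_LEN) if signed else b""   # placeholder signature, not a real MAC
    crc = x25_crc(bytes([CRC_EXTRA[HEARTBEAT_ID]]), x25_crc(head[1:] + payload))
    return head + payload + crc.to_bytes(2, "little") + sig


# Constructed capture: a MAVLink 1 autopilot heartbeat, one stray byte, a MAVLink 2 autopilot
# heartbeat, and a signed MAVLink 2 heartbeat from a ground station (sysid 255, compid 190).
SAMPLE_CAPTURE = (
    build_heartbeat(1, 1, 1, seq=7)
    + b"\x00"
    + build_heartbeat(2, 1, 1, seq=8)
    + build_heartbeat(2, 255, 190, signed=True, seq=3)
)

if __name__ == "__main__":
    for fp in fingerprint_stream(SAMPLE_CAPTURE):
        print(fp)
```

Running the module prints one Fingerprint per frame; the stray 0x00 byte is skipped, and a frame whose payload has been altered in transit parses but reports crc_ok False.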
