Wifi Client Data Leak - nicholasaleks/Damn-Vulnerable-Drone GitHub Wiki
Capturing metadata and unencrypted traffic from devices connected to the drone's WiFi network.
When drones create their own WiFi networks (such as companion computer APs or WiFi telemetry bridges), all connected clients—GCS, operator laptops, tablets—transmit and receive data over the same shared medium. If encryption is weak or broken (e.g., cracked WEP or open AP), an attacker can sniff this traffic and capture valuable metadata, cleartext HTTP sessions, ARP broadcasts, DNS queries, and even leaked credentials.
This scenario focuses on passively monitoring connected devices for data leaks without actively sending traffic.
⚠️ Solution Guide
Refer to the WiFi cracking attack scenario:
/nicholasaleks/Damn-Vulnerable-Drone/wiki/Wifi-Analysis-&-Cracking
Once connected, you’re on the same network as all client devices.
Use tcpdump to capture broadcast and client-originated traffic:
tcpdump -i wlan0 -nn -s0 -w client_capture.pcap
Or filter by MAC/IP (replace the placeholder with the client's MAC address):
tcpdump -i wlan0 ether src <CLIENT_MAC>
Open the .pcap file in Wireshark and filter:
- dns — DNS queries can reveal software update checks
- http — Capture login panels or GCS web sessions
- udp.port == 14550 — Check for MAVLink traffic
- frame contains "password" — Look for sensitive POST bodies
Run nmap -O or Wireshark’s OS fingerprinting heuristics to learn:
- OS version of connected devices
- Hostnames and local service advertisements
- Cached internal IP mappings (via ARP or DHCP leaks)
Leak Type | Description |
---|---|
DNS Query | updates.qgroundcontrol.com |
HTTP GET | /api/session?token=... |
ARP Ping | Maps MAC → IP |
MAVLink | Client origin reveals GCS role |
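
To audit a lab capture for the leak types in the table above, the classifier below maps a raw Ethernet II frame to one of those four categories. It is an added example, not code from the wiki or the Damn Vulnerable Drone project; the sample frames are constructed, the MAC and 192.0.2.x addresses are documentation values, and `token=EXAMPLE` is a placeholder.

```python
import struct

def _qname(dns):                        # first question name; queries are uncompressed
    labels, i = [], 12                  # skip the 12-byte DNS header
    while i < len(dns) and dns[i]:
        labels.append(dns[i + 1:i + 1 + dns[i]].decode("ascii", "replace"))
        i += 1 + dns[i]
    return ".".join(labels)

def classify(frame):
    """Map one Ethernet II frame to (leak_type, detail), or None if nothing matches."""
    if len(frame) < 34:
        return None
    mac, etype = frame[6:12].hex(":"), struct.unpack("!H", frame[12:14])[0]
    if etype == 0x0806 and len(frame) >= 42:      # ARP: sender MAC -> sender IP
        return ("ARP", mac + " -> " + ".".join(map(str, frame[28:32])))
    if etype != 0x0800:
        return None
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]      # honour the IPv4 header length
    if frame[23] == 17 and len(l4) >= 8:          # UDP
        dport, data = struct.unpack("!H", l4[2:4])[0], l4[8:]
        if dport == 53 and len(data) > 12:
            return ("DNS Query", _qname(data))
        if dport == 14550 and data[:1] in (b"\xfe", b"\xfd"):   # MAVLink v1/v2 start byte
            return ("MAVLink", "sender " + mac)
    if frame[23] == 6 and len(l4) >= 20:          # TCP: skip header via data offset
        data = l4[(l4[12] >> 4) * 4:]
        if data.startswith((b"GET ", b"POST ")):
            return ("HTTP", data.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return None

# --- constructed sample frames (not captured traffic) ---
NAME = "updates.qgroundcontrol.com"     # DNS name taken from the table above
def _eth(etype, payload, src="020000000001"):
    return b"\xff" * 6 + bytes.fromhex(src) + struct.pack("!H", etype) + payload
def _ip(proto, l4):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])) + l4
def _udp(dport, data):
    return struct.pack("!HHHH", 40000, dport, 8 + len(data), 0) + data

def samples():
    q = b"\x00" * 12 + b"".join(bytes([len(p)]) + p.encode() for p in NAME.split("."))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x18, 1024, 0, 0)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + bytes.fromhex("020000000001")
    return [_eth(0x0800, _ip(17, _udp(53, q + b"\x00\x00\x01\x00\x01"))),
            _eth(0x0800, _ip(6, tcp + b"GET /api/session?token=EXAMPLE HTTP/1.1\r\n\r\n")),
            _eth(0x0806, arp + bytes([192, 0, 2, 10]) + b"\x00" * 10),
            _eth(0x0800, _ip(17, _udp(14550, b"\xfd\x09" + b"\x00" * 19))),
            _eth(0x0800, _ip(17, _udp(123, b"\x00" * 48)))]   # NTP: no leak category
```

Any category that still appears after moving the access point to WPA2/WPA3 and the GCS web interface to HTTPS indicates traffic that remains readable to every associated client.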