Hack Rifle

Since some people are concerned: this isn’t a real gun, it’s an airsoft rifle. And yes, pointing anything that looks like a gun at a person or building is a terrible idea, and yes this thing will freak people out and probably get you arrested. That’s why it’s never been outside my apartment, has never been aimed out my windows, and has an orange tip.

Way back in 2004, some guys at DefCon built a WiFi rifle. It was basically a gun stock with a big Yagi antenna on the end. They plugged it into a laptop next to the rifle and could wreak 2.4 GHz havoc from the rooftops. Ten years later, technology has changed a lot. I thought it would be fun to rebuild the WiFi rifle to take advantage of that. I’m calling my version the Hack Rifle.

My version is lighter than the original, has higher gain (25 dBi vs 14.6 dBi), and most importantly is self-contained and can crack a network without any external equipment. It’s also got a fold-out screen, à la the CornerShot.
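To put the gain numbers in perspective, here is an added link-budget calculator (my own example, not code from the Hack Rifle build). It uses only the two antenna gains the post states (25 dBi and 14.6 dBi) and the 5 W amplifier mentioned later, plus the standard Friis free-space path-loss formula; the 2.437 GHz channel frequency, the 20 dBm / 2 dBi access point, the 2 dBi laptop antenna and the -90 dBm receiver sensitivity are assumptions chosen as typical values. The defender-relevant takeaway is that free-space loss grows 20 dB per decade of distance, so every extra 6 dB of receive gain roughly doubles the distance at which a network is still receivable; a 25 dBi antenna hears an access point about 14 times farther away than a laptop does.

```python
"""Link-budget arithmetic for a high-gain 2.4 GHz receive antenna.

Added example; not the Hack Rifle's own code. Only the antenna gains
(25 dBi, 14.6 dBi) and the 5 W amplifier figure come from the post; the
frequency, transmitter power and receiver sensitivity are assumptions.
"""
import math

SPEED_OF_LIGHT = 299_792_458.0      # m/s
CHANNEL_6_HZ = 2.437e9              # assumed centre frequency (802.11 channel 6)

# Assumed "typical" link parameters, not from the post.
AP_TX_DBM = 20.0                    # 100 mW access point
AP_ANTENNA_DBI = 2.0                # small omni on the AP
LAPTOP_ANTENNA_DBI = 2.0            # built-in laptop antenna
RX_SENSITIVITY_DBM = -90.0          # low-rate 802.11 receive threshold


def dbm_to_watts(dbm: float) -> float:
    return 10 ** ((dbm - 30.0) / 10.0)


def watts_to_dbm(watts: float) -> float:
    return 10.0 * math.log10(watts) + 30.0


def free_space_path_loss_db(distance_m: float, freq_hz: float = CHANNEL_6_HZ) -> float:
    """Friis free-space path loss between isotropic antennas, in dB."""
    return 20.0 * math.log10(4.0 * math.pi * distance_m * freq_hz / SPEED_OF_LIGHT)


def range_factor(gain_delta_db: float) -> float:
    """Distance multiplier from adding gain_delta_db of receive gain.

    Free-space loss rises 20 dB per decade of distance, so the same
    received power is reached at 10 ** (delta / 20) times the distance.
    """
    return 10 ** (gain_delta_db / 20.0)


def received_power_dbm(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                       distance_m: float, freq_hz: float = CHANNEL_6_HZ) -> float:
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - free_space_path_loss_db(distance_m, freq_hz)


def max_range_m(tx_dbm: float, tx_gain_dbi: float, rx_gain_dbi: float,
                sensitivity_dbm: float, freq_hz: float = CHANNEL_6_HZ) -> float:
    """Free-space distance at which received power drops to the sensitivity.

    Real buildings add tens of dB of obstruction loss, so treat the absolute
    numbers as an upper bound and the ratios between antennas as the point.
    """
    allowed_loss_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - sensitivity_dbm
    return 10 ** (allowed_loss_db / 20.0) * SPEED_OF_LIGHT / (4.0 * math.pi * freq_hz)


def eirp_dbm(tx_dbm: float, antenna_gain_dbi: float) -> float:
    """Effective isotropic radiated power: transmitter power plus antenna gain."""
    return tx_dbm + antenna_gain_dbi


def compare_receivers(antennas: dict) -> dict:
    """Reach of the assumed AP for each receive antenna, relative to a laptop."""
    baseline = max_range_m(AP_TX_DBM, AP_ANTENNA_DBI, LAPTOP_ANTENNA_DBI, RX_SENSITIVITY_DBM)
    return {name: max_range_m(AP_TX_DBM, AP_ANTENNA_DBI, g, RX_SENSITIVITY_DBM) / baseline
            for name, g in antennas.items()}


if __name__ == "__main__":
    antennas = {"laptop": LAPTOP_ANTENNA_DBI, "2004 WiFi rifle": 14.6, "Hack Rifle": 25.0}
    for name, factor in compare_receivers(antennas).items():
        print(f"{name:16s} reaches the AP from {factor:5.1f}x the laptop distance")
    print(f"25 dBi vs 14.6 dBi: {range_factor(25.0 - 14.6):.2f}x the distance")
    amp = eirp_dbm(watts_to_dbm(5.0), 25.0)
    print(f"5 W into 25 dBi: EIRP {amp:.1f} dBm = {dbm_to_watts(amp):.0f} W isotropic")
```

Running it shows the 25 dBi antenna reaching about 3.3 times as far as the 14.6 dBi original and about 14 times as far as a laptop, which is why "my WiFi doesn't reach the parking lot from my laptop" says nothing about who can receive it from there. The last line is also why the amplifier stayed off the rifle: 5 W into a 25 dBi antenna is roughly 62 dBm, or about 1.6 kW of equivalent isotropic radiated power, far above the 36 dBm EIRP that FCC Part 15.247 allows for point-to-multipoint use in this band.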

It uses the ubiquitous Raspberry Pi running the Raspberry Pwn distro from Pwnie Express. When it boots up, it automatically launches a script that’s controlled with the two buttons on the gun. You can always plug in a keyboard, but that kind of defeats the purpose of being fully self-contained. So I added two buttons: the trigger and a small button next to the trigger.

The trigger has a small limit switch to detect a pull and the little pushbutton is placed to line up with your index finger when it’s not on the trigger.
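The boot script itself isn't in the post, so here is an added example of the part any two-button, headless Pi build needs: polling both switches, debouncing the mechanical bounce a limit switch produces, and firing one action per press. This is my own illustration, not the Hack Rifle's script. The pin reader and clock are injected so the logic runs without GPIO hardware (on a real Pi the reader would be a pin read such as `RPi.GPIO.input`); the pin numbers, the 50 ms debounce window, the active-low wiring and the constructed sample sequences are all assumptions.

```python
"""Debounced two-button controller for a headless Raspberry Pi build.

Added example, not the Hack Rifle's own code. Pin numbers, debounce window,
active-low wiring and the sample press sequences are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

TRIGGER_PIN = 17          # assumed BCM pin for the trigger limit switch
SELECT_PIN = 27           # assumed BCM pin for the small pushbutton
PRESSED = 0               # assumed: switch to ground with pull-up, reads 0 when pressed
RELEASED = 1


@dataclass
class Button:
    name: str
    pin: int
    debounce_s: float = 0.05        # level must hold this long to count
    stable: int = RELEASED          # last debounced level
    candidate: int = RELEASED       # raw level seen since the last change
    changed_at: float = 0.0         # when the raw level last changed


class ButtonController:
    """Polls buttons; calls the bound action once per debounced press edge."""

    def __init__(self, read_pin: Callable[[int], int], now: Callable[[], float]):
        self.read_pin = read_pin
        self.now = now
        self.buttons: List[Button] = []
        self.actions: Dict[str, Callable[[], None]] = {}

    def add(self, button: Button, action: Callable[[], None]) -> None:
        self.buttons.append(button)
        self.actions[button.name] = action

    def poll(self) -> None:
        t = self.now()
        for b in self.buttons:
            level = self.read_pin(b.pin)
            if level != b.candidate:
                # Raw level moved (possibly bounce): restart the hold timer.
                b.candidate = level
                b.changed_at = t
            elif level != b.stable and t - b.changed_at >= b.debounce_s:
                # Held long enough: accept it, and act only on the press edge.
                b.stable = level
                if level == PRESSED:
                    self.actions[b.name]()


Sample = Tuple[float, Dict[int, int]]   # (time in seconds, pin levels that changed)


def run_samples(samples: List[Sample]) -> List[str]:
    """Replay a scripted pin sequence and return the actions that fired, in order."""
    state = {"t": 0.0, "levels": {TRIGGER_PIN: RELEASED, SELECT_PIN: RELEASED}}
    ctrl = ButtonController(lambda pin: state["levels"][pin], lambda: state["t"])
    fired: List[str] = []
    ctrl.add(Button("trigger", TRIGGER_PIN), lambda: fired.append("scan"))
    ctrl.add(Button("select", SELECT_PIN), lambda: fired.append("next"))
    for t, changes in samples:
        state["t"] = t
        state["levels"].update(changes)
        ctrl.poll()
    return fired


# Constructed sample: the trigger contact bounces for ~12 ms, then holds for
# 200 ms; the select button is then pressed cleanly once.
BOUNCY_PULL: List[Sample] = [
    (0.000, {TRIGGER_PIN: PRESSED}),
    (0.003, {TRIGGER_PIN: RELEASED}),
    (0.006, {TRIGGER_PIN: PRESSED}),
    (0.010, {TRIGGER_PIN: RELEASED}),
    (0.012, {TRIGGER_PIN: PRESSED}),
    (0.040, {}),
    (0.080, {}),                      # 68 ms stable: one "scan", not five
    (0.200, {TRIGGER_PIN: RELEASED}),
    (0.300, {}),                      # release debounced, no action
    (0.350, {SELECT_PIN: PRESSED}),
    (0.420, {}),                      # "next"
    (0.500, {SELECT_PIN: RELEASED}),
    (0.600, {}),
]

# Constructed sample: a 5 ms glitch that never settles, so nothing fires.
GLITCH: List[Sample] = [
    (0.000, {TRIGGER_PIN: PRESSED}),
    (0.005, {TRIGGER_PIN: RELEASED}),
    (0.100, {}),
]

if __name__ == "__main__":
    print("bouncy pull fired:", run_samples(BOUNCY_PULL))
    print("glitch fired:     ", run_samples(GLITCH))
```

The hold-timer approach is deliberately simple: a press counts only after the raw level has stayed put for the full window, so contact bounce collapses to a single event and a short glitch is ignored. On the real hardware the `poll()` call would sit in a loop with a few milliseconds of sleep, and the two callbacks would be whatever the boot script does on each button.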

Powering the entire thing is a rechargeable USB battery pack that lasts about 7 hours. Since the TFT screen requires 12 V, I have a small DC to DC converter to step the 5 V from USB up to 12 V. It’s the little circuit board near the butt of the gun.

The WiFi card is an Alfa AWUS036H. The gun itself is an airsoft rifle. It was WAY cheaper than a real assault rifle body and is also much lighter. I thought about shoving all the electronics inside the body, but there’s not enough room. I think it looks kind of cool with stuff all over it though. And it does still shoot airsoft pellets.

I assembled it in such a way that it is collapsible. The airsoft gun comes apart in about 5 pieces and the electronics can all be unplugged from each other, so it’s easy to take it all apart for travel (since it looks SUPER sketchy) and put it back together.

The way it’s set up right now, after pressing the button on the battery and booting up, pulling the trigger will scan for networks, find the best candidate, and start cracking.

In the future, I’d like to add another small 1″ screen to the scope that shows a continuous FFT off the antenna. My thinking is that a regular rifle scope shows you the light at the end of the barrel, so a 2.4 GHz rifle should show you the spectrum at the end of the barrel. Little 1″ TFT screens are surprisingly expensive though, and I’d probably have to get a new scope to make it fit. Plus, looking at the raw spectrum isn’t actually that helpful, since it’s basically impossible to identify data streams, especially if they’re as wideband as WiFi or Bluetooth. The other thing I’d like to do is get a decent external Bluetooth module (like the Ubertooth One) so I can use the antenna for that as well. I also own a 5 watt 2.4 GHz wideband amplifier, but it uses a lot of power, gets pretty hot, and is big, so I didn’t put that on the rifle. If you wanted to go crazy though, you could have a backpack or something with a bigger battery, a giant amplifier, circulator, and SDR for the complete long range, wireless mischief package. That brings new meaning to the term “spec ops”!