Spear is a custom firmware built using micropython for the Hack Club Sprig console used for cybersecurity pentesting. Scroll down for instructions.
Hack Club team for the Sprig :D
ECTO-1A for the AppleJuice Code
Chris Hager for most of the Captive Portal Code
- Bluetooth AppleJuice Attack (Read Disclaimer)
- USB Keyboard
- Read rubber ducky payloads (not all functions supported)
- Read from microsd card slot
- WiFi Evil Twin
- WiFi Evil Twin customization (read disclaimer)
- WiFi Deauth Attack (missing monitor mode)
- WiFi Beacon Spam
- Bluetooth Deauth
- Bluetooth L2CAP ping
- Bluetooth Fake device (maybe)
- I'm not responsible for what you do so don't do anything stupid. (I know some of you will)
- AppleJuice attack has been patched by Apple. The attack is also unreliable due to possible ETIMEOUT Error.
- Captive portal files can only go up to a certain size before the pico freaks out and hard resets.
- Applejuice attacks may take up to 5 seconds to exit.
- Download Micropython
- Flash to the Pico W (Newer versions of the Sprig come with a Pico W)
- Use Thonny or MicroPico to send all the python files to the Pico W
- Install mpremote using pip
python3 -m pip install mpremote - Install keyboard libraries
python3 -m mpremote mip install usb-device-keyboard, you may need to close vscode or thonny during this part - Install sdcard libraries
python3 -m mpremote mip install sdcard - Put rubber ducky payloads in a folder called ducks at root or on sdcard (fat32) as .ducky files
- Follow instructions below for captive portals
- Reboot the Pico W
- Use buttons to navigate. Up/Down to select, Right to enter, Left to go back
- You can find captured credentials in cred.txt at the root folder
- Create a folder called portals in root or on sdcard
- Inside portals create a folder with whatever name you want
- Inside your created folder, make a file called config.txt
- Place your SSID (WiFi name) and password inside config.txt
Example (leave PASS blank for open network):
SSID = "TEST"
PASS = ""
- Create a file called index.html
- Place your login page inside index.html, have it return username and password through POST requests
Note: There is no support for images or reading other files as index.html can only reach a few kb in size
Example:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Login Page</title>
</head>
<body>
<h1>Welcome to the Captive Portal</h1>
<form action="/" method="POST">
<label for="username">Username:</label>
<br>
<input type="text" id="username" name="username" required>
<br><br>
<label for="password">Password:</label>
<br>
<input type="password" id="password" name="password" required>
<br><br>
<button type="submit">Login</button>
</form>
</body>
</html>