Did you know that ATC conversations and conversations between planes are freely available, with no encryption? It is legal to listen in on ATC conversations, and in this guide I will tell you how if you have some free time.
What You Need
RTL-SDR Stick and Antenna (x1)
This is the antenna and radio processor we will be using to get a signal from an air traffic control tower.
If it is your first time using SDR# (SDRSharp), then you must install SDR#, then install the drivers. The below guide will show you how to do so.
First, install SDR# and let the installation wizard guide you through the process.
Then, open the newly added program Zadig and you should see a screen like the one below.
A: This is where you choose the interface you want to install drivers for
B: This is where you check if a driver was installed
C: This is where you can install the drivers
Follow the steps below:
First, use dropdown A to select an interface. The interface must start with Bulk-in, Interface. If you have multiple bulk-in interfaces, repeat these steps for every one
Next, make sure textbox B tells you that there is no driver installed
Finally, click Install WCID Driver (button C)
Opening SDR#
Once all the drivers are installed, you may close out of Zadig and open SDR#. You should see a screen like the one below.
A: This is the frequency selector. This is where you can choose which frequency your antenna is supposed to be tuned to. Right now it is tuned to 120 MHz, but in the next section you will learn to find the frequency of your ATC tower
B: This is where you can choose your radio settings. For this tutorial, keep the default settings but change the radio mode to AM
C: This is where you choose the source of the radio stream. Right now you want it set to RTL-SDR USB
D: This is where you can visualize the radio waves. You can click anywhere on this to set the frequency to the location of the waves to which you clicked. You can drag the lighter waves to set the bandwidth. You want to make sure that the bandwidth is not too big otherwise you will get interference, but not too small so you only get part of the wave. I have set my bandwidth to 7.557 kHz
Reading Aerospace Vector Maps
Using a site, like SkyVector, you can find your airport and look at the frequency under it. Tune to that frequency. For place value context, think of the second segment of numbers as MHz SkyVector shows frequencies in megahertz.
Some airports, like the ones marked with a star, do not have full-time ATC, meaning that planes have to talk directly to each other.
Tune to this frequency on SDR#.
Listening to these frequencies
Look for any spikes in these frequencies. Ste the frequency to the frequency of these spikes (you can do this easily by clicking on these spikes) Adjust the bandwidth to these spikes, hovering over the top-right Zoom button and using the slider below it to zoom into the waves. Click on the top-left gear icon and adjust the setting to match the ones below:
Now, turn the volume up and listen. If you do not hear talking, experiment with the bandwidth or choose another frequency. A good frequency should be like the one below:
Done!
And that is the end of the project! Pretty easy, right? There are some caveats, though. You will only get the best signal when you live no further than 50 kilometers away from an airport with a full-time ATC, and the radio tends to disconnect a lot if not screwed in fully. Either way, it is still a super cool project, and is definitely worth trying out if you are interested in this kind of thing. Frequencies might not be exact, so experiment a little!
There is a common WiFi attack that can disconnect any device on the network you are currently on. It also works on networks that you are not currently on.
How it works
There is a protocol in WPA2 that lets you disconnect a device safely from a network. However, these packets are not encrypted, so anyone with a WiFi-enabled device (like the ESP8266) can fake these packets.
Installing the software
First, go to the ESP8266 deauther page and download the latest release and download the file esp8266_deauther_[VERSION]_NODEMCU.bin.
Next, download the ESP8266 Flasher and run the utility. Flash the binary file (the .bin you downloaded) at 0x00000. Click Flash and wait till it completes.
Running attacks
On a device, connect to the Wi-Fi network named pwned and enter the password deauther. Next, go to the IP address 192.168.4.1 and click I have read and understood the risks and choose a target network. Under the Attacks tab, begin the attack Deauth.
A note on WPA3
WPA3, which was passed as an official WiFi protocol, encrypts these packets so hackers cannot abuse them. However, some WiFi routers still use WPA2, so this attack will still work sometimes.
In this post, I will be showing you how to start feeding flight data to three services: Flightradar24, ADS-B Exchange, and FlightAware. This post may be helpful to some of you who want to run your own flight feeder, and can’t tell which is a better service to feed to.
The main benefit of running your own Raspberry Pi flight tracker is that you will get paid accounts for free. For example, you will get a free FlightAware enterprise account, a subscription valued at around $89.95 a month. FlightRadar24 will also give you a free business plan, which costs $49.99 a month. If you also want to support non-proprietary websites, you can also give flight data to ADS-B Exchange.
What you will need (hardware)
Below are the parts you will need:
Raspberry Pi 3B (x1, required)
The Raspberry Pi will be our microcontroller (This also works with other models, just not the Zero or the Pico; you can see FlightAware’s compatibility list here)
To begin the installation, we will have to first start feeding to FlightAware. To begin, first, create an account at their website, or log in at their website.
Note that you must select the correct drive, as this will erase your drive.
Configuring the ISO
If you want to enable SSH on your PiAware, or you have a wireless network configuration that you want to set (this will be typically everyone, unless you are using an ethernet cable on your Raspberry Pi), you must follow the below steps to configure the new operating system to use your configurations. You can refer to the configurations at FlightAware’s Website, or you could not set a default configuration, and once the PiAware has booted up, configure it using Bluetooth.
Booting it up
Now, you can put it all together! Connect your ADS-B antenna to your Raspberry Pi via USB, and then put the SD card through the back. Then, plug in the HDMI cable (and ethernet if you are going to be using it), and power it on.
Now, once the Raspberry Pi has booted up, you should see a screen showing the PiAware Status. If you did this correctly, it should be connected. You will also need to connect a keyboard if you do not know your PiAware’s IP address. If it asks you for credentials, the default is pi for username, and raspberry for password.
Setting up the FlightAware feeder
Now we get to the fun part! Now, we set up the feeders. Let’s start off with the FlightAware feeder. Since we flashed the custom ISO file, FlightAware is going to be installed, just not set linked to an account. Create a basic plan FlightAware account at their website if you don’t already have one, and claim your PiAware. Once that is set up, make sure you are connected to the same network as your PiAware. It will come in handy for later. Once you do that, make sure you are still on the status page on your PiAware, click Alt+F2 (or whatever key it says to press to open the terminal and run commands). If it asks you for credentials, the default is pi for username, and raspberry for the password (unless it is set otherwise, of course). Now run the following command:
BASH
hostname -I
This should return your Pi’s IP address. Now, on another device, navigate to your IP address on the SkyAware page. For example, if my Pi’s IP address is 192.168.1.1, I will navigate to the following website:
URL
http://192.168.1.1/skyaware
After that, you should see a map with all the aircraft you are tracking. You have successfully set up FlightAware! After some time, your basic account will be upgraded, and you can view your ADS-B statistics.
Setting up FlightRadar24
Now, open the terminal and run the following command:
You will then be asked some questions about antenna position, fr24 sharing key, and other things.
Now, we need to configure FlightRadar24. To begin, sign up for an account at their official website. Note that all you need to do is sign up for a free account and do not select any paid plans. This is because your account will automatically be upgraded at the end of this tutorial.
Run the following command to enter configuration:
BASH
sudo fr24feed --signup
You will be asked questions about you and the antenna that you are using. Answer the questions similar to the ones below:
Email Address: Enter the same email address you used to sign up for FlightRadar24. This is the same email address that your sharing key will be sent to, and the same email address that your account on will be upgraded.
FR24 Sharing key: If you have never set up a feeder or have never got a sharing key from FlightRadar24, leave this blank. If not, enter your FlightRadar24 sharing key.
Participating in MLAT Calculations: Answer yes, unless you know you don’t want it or need it.
Autoconfiguration for dump1090 (if asked): Yes
Latitude & Longitude: Use a website like latlong.net to find your latitude and longitude. It is best to be as accurate as possible. Enter this question in the form of XX.XXXX and XX.XXXX (leave out any extra numbers).
Altitude: This is your altitude from sea level. You can use whatismyelevation.com to find your altitude.
Receiver Selection: If you are using a DVB-T (the type I put in the parts list) stick then I strongly recommend option 1. If you encounter an error regarding dump1090 in this tutorial, restart the tutorial and click option 4. If you do not have a DVB-T stick, check out your other options.
Dump1090 Arguments (if asked): Leave this blank and hit enter.
Raw Data Feed: No, unless you know what you are doing.
Basestation Data feed: No unless you know what you are doing.
Logfile Mode: 48-hour, 24 rotation.
Logfile Path: This will be the path that the log file is saved to. If you want to use a custom path for logs, put it here. If not, stick with the default and hit enter.
FlightRadar24’s configuration should return that everything is correctly set up. The program should also give you a sharing key. Save this key as you may need it later in the future.
To begin feeding ADS-B data to FlightRadar24, enter the command below. Note that MLAT or general feeding might take some time to show up. For me, it took 30 minutes before the feeder was actively sending data to FlightRadar24:
BASH
sudo systemctl restart fr24feed
You can go to the data page and view your feeder statistics. If you want to access the web UI for FlightRadar24, then go to your Raspberry Pi’s IP address (remember, you can access it with sudo hostname -I), and access it via a web browser on port 8754, unless set otherwise. For example, my Raspberry Pi’s IP address is 192.168.1.252, so I access it by using http://192.168.1.252:8754.
Also, it is important to note that it may take some time for the receiver to start working and sending data. For me, it took 30 minutes before flight data was sent to the services I was feeding to.
Setting up MLAT for FlightAware
If you want to set up MLAT configurations on FlightAware (we highly recommend doing so, it can increase the amount of positions seen), then follow our steps.
First, go to your FlightAware data sharing page and clcik the gear icon next to the nearest airport, labeled in orange.
Then, enable MLAT and Mode S Alliteration. Put in the same details as you did for FlightRadar24, or new details if you have to.
Setting up ADS-B Exchange
First, we need to download ADS-B Exchange. You can do that with the following command:
You will be asked a couple questions. For the first one, type in a random username, but note that this username will be public. Next, enter the details it asks for, and it will begin configuring. Note that this may take a while.
The script should output a sharing key. You can use this to view your feeder statistics at the official website of ADS-B Exchange. You should also be able to access your web interface on the adsbx page. This will be your Raspberry Pi’s IP address, with /adsbx at the end. For me, the URL was http://192.168.1.252/adsbx.
“Follina”, or CVE-2022-30190 is a widely used exploit that allows an attacker to remotely execute Powershell code on Windows machines from a Microsoft Word document or a URL.
What it does
Follina can do anything the attacker desires. Follina is a remote-code execution scheme, which means that a hacker can run any code the hacker wants on your machine without your knowledge. Some examples include lateral movement, privilege escalation, and the ability to steal browser credentials.
How it works
Follina takes advantage of URL protocols. URL protocols are used to run applications from a URL. Many people let this happen, mainly because URL protocols are not supposed to invoke code from applications. For example, if you are on a Windows machine, and you type “ms-calculator://” into the address bar, Windows should launch the calculator. However, the specific URL protocol Follina takes advantage of is “ms-msdt://”. This will launch the Microsoft Support Diagnostics Tool, which is mainly used by support professionals to gain information about your system. If you put some special parameters into the URL though, you can trick the program into running Powershell code, and sending the results to the hacker.
How it was discovered
The thing about Follina is that it was first discovered early-to-mid April of 2022 by someone who goes by the name of “crazyman” as part of the Shadow Chaser Group. However, Microsoft dismissed the threat, stating that it is not a security issue.
The support representative stated that his sample did not work at his lab. MSDT requires a password on startup, but the original script had enough junk and padding to make this file over 4096 bytes, and according to my tests and speculations, MSDT will only open if the exploiting file is over 4096 bytes. Also, this can be exploited through Rich Text Documents and URLs or URL shortcuts, not just Word documents. Another reason that this is a dangerous threat is that, when saved as a Rich Text file, simply navigating to it and opening it up in the preview pane in File Explorer could trigger the execution, meaning that you don’t even have to open the file for the code to be invoked.
However, this file was only brought to the community’s attention when a Twitter user by the name of “nao_sec”, was looking for documents on VirusTotal using an older exploit, CVE-2021-40444, found this document and alerted the community about it.
Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code.https://t.co/hTdAfHOUx3pic.twitter.com/rVSb02ZTwt
Because Follina is a zero-day exploit, there is no guaranteed patch. There is one solution that Microsoft acknowledged. The solution disables the “ms-msdt://” URL protocol.
In this guide, I will be turning a Raspberry Pi into an OpenWrt router. This is good for travel, and it can connect to VPN servers to give you secure VPN internet.
First, we need to install OpenWrt on the board. To do that, put the MicroSD card into the MicroSD card reader, then plug the MicroSD card reader into the computer.
Once that is done, download the proper firmware from this site. Then, once you have the Raspberry Pi Imager open, select, click “Choose OS”. Then scroll down and click “Use Custom”, then select the location of the firmware that you downloaded from the OpenWrt Wiki.
Click “Select Drive”, then click the drive of the SD card reader.
Step 2: Connect to OpenWrt via SSH
Now, plug the ethernet cable into your Raspberry Pi, then plug the other end into your computer. Open Command Prompt, then run:
BATCH
ssh root@192.168.1.1
On the fingerprint prompt, type “yes”.
Step 3: Setting a password
When we used SSH to log in to the OpenWrt session, notice that it did not prompt us for a password. Super insecure. To set one, run the command. This is also how you change the password on any Linux device:
Run these commands. I hooked mine up to the LAN interface, if you want to use Wi-Fi, follow the official documentation. These will configure OpenWrt to connect to your network.
ASH SHELL
uci set network.lan.ipaddr=192.168.2.2
uci set network.lan.gateway=192.168.2.1
uci set network.lan.dns=192.168.2.1
uci commit
service network restart
Step 6: Partitioning
Create a partition to store data. We will install fdisk and use it:
opkg update
opkg install fdisk
fdisk /dev/mmcblk0
To create two partitions (one for /home and one for /srv), use the following fdisk commands.
p to print the current partition table.
n then e to create an extended partition.
n then l to create the first partition. When asked for the last sector, type +2G to make it 2GB large.
n then l to create the second partition. When asked for the last sector, leave empty to fill the remaining space.
Now we can mount the first partition at /home and the second at /srv. Both are on a flash SD card, the noatime flag is important.
ASH SHELL
opkg update
opkg install block-mount
block detect | uci import fstab
uci set fstab.@mount[2].target=/home
uci set fstab.@mount[2].enabled=1
uci set fstab.@mount[2].options=noatime
uci set fstab.@mount[3].target=/srv
uci set fstab.@mount[3].enabled=1
uci set fstab.@mount[3].options=noatime
uci commit
Create the srv mount point, as the other one already exists.
ASH SHELL
mkdir -p /srv
Mount both partitions.
ASH SHELL
block mount
Step 8: Set the hostname
ASH SHELL
uci set system.@system[0].hostname='thetechmaker-good.hi.testing'
uci commit
Step 9: Remove unused packages
OpenWrt was originally a Linux distribution for routers, so it might come with useless networking software you’ve never heard of. You can remove this with the following commands:
Here is how to use Wireshark for beginners. It was originally known as Ethereal and it can capture packets in real-time and display them in a readable format on your computer.
You have to go to Wireshark’s website to download Wireshark for Windows or macOS. If you are using Linux, the download will slightly vary by distribution. Most of the time, it is in the OS’s package repository. Ubuntu users can find it in the Ubuntu Software Center.
Just know that many organizations do not allow such tools on their networks. It is best to play it safe and not use this tool at work unless you have permission.
Tip: “The UAC crisis”
Depending on how you installed Wireshark, you might get bombarded by UAC prompts if you run it. I don’t think you can turn this off, but you can reduce the amount of UAC prompts you get to only one prompt if you run it as administrator. Most of the time, I don’t have the patience to actually run it with administrator privileges yet I don’t have the patience to answer “Yes” to every dialog it throws at me. The below steps will help you run it with administrator privileges by default.
1: Open file explorer
2: Navigate to C:\Program Files\Wireshark (Path in URL form). The path might be different if you have changed your installation directory
3: Look for “Wireshark.exe”
4: Right-click “Wireshark.exe”, click “Properties”, and navigate to the “Compatibility” tab.
5: Check the “Run this program as an administrator” option under “Settings”
Capturing packets
Now we can run Wireshark. The software looks quite modern for what you were probably thinking, for an open-source project. You can click on a wireless interface. For example, if you wanted to capture packets over Wi-fi, you would click your wireless interface. For me, and for most people, this Wi-fi interface is simply called “Wi-Fi”. When you double-click on these interfaces, you can capture packets with them. In this tutorial, I will use my Wi-fi interface.
Like I said, as soon as you double-click the interface’s name, a list of packets will appear in real-time. Wireshark will show you each packet coming to or from your computer, as well as tools to dive deeper into each packet, like packet details, source, destination, protocol, and even the raw hex of the packet.
Should you have promiscuous mode on, you will see every single packet going through the network, not just the ones that happen to be going in and out of your computer. Even though it is enabled by default, if you ever so happen to get it disabled, you can always enable it and check if it is enabled by going to Capture>Options>and checking if the “Enable promiscuous mode on all interfaces” checkbox is enabled. This is an example of a packet I captured:
This is how the packet list should look like:
Click the red “Stop” square at the top left-hand corner if you think sniffing time is up.
Sign up for our newsletter!
You can also keep the packets for saving if you need to share them or come back to them later by going to File>Save to save them as a local file. If you want to retrieve a packet file, go to File>Open>and select the capture file to monitor.
Filters
Out of this massive list of packets to inspect, if you are looking for a specific type, you would probably have a hard time finding it in that long, always growing list. This is where filters come in. The easiest and basic way to apply a filter is to enter it into the program’s filter box located above the packet list and then clicking the arrow button or enter. In this example, I will be typing “ARP” into the filter box and I will only see packets that use the ARP protocol for network transmission.
If you start trying to use filters, you’ll start to notice that Wireshark’s version of “filters” are more tech-heavy than you probably expected them to be. Wireshark has got some great documentation on how Wireshark’s language with filters works. You can add your own filters or check out some existing ones when you go to Analyze>Display Filters.
Color-Coding
If you have “Colorize Packet List” turned on at the top bar, the packets will be colored. Wirehark does this to help you identify their type at a glance. You can put your own coloring rules in View>Coloring Rules. You can see what they mean here, too.
TCP, UDP, TLS, HTTP, HTTP/2, and QUIC stream monitoring
Annother cool thing you can do with this software is to right-click on any packet that has the following protocol:
TCP
UDP
TLS
HTTP
HTTP/2
QUIC
To find the protocol of a packet, look under the packet’s “Protocol” column. Anyway, after you right-click an applicable packet, you can go to Follow>and click whatever option it will let you click or just click the one that seems appropriate for your protocol.
This will show you the full conversation between the server and the client.
Close the window and you’ll find a filter has been applied automatically. Wireshark is trying to show you only the packets that belong to the conversation you were following just now.
Inspecting deeper into these packets
You’ve most likley noticed now that you can click on a packet and you can dig down into it’s details.
You can also create filters based off of this information, just right-click any detail and use the “Apply as Filter” submenu.
Sample Captures
If there is nothing good to find on your network, you can use a sample capture off of Wireshark’s wiki.
Name resolution
If IP addresses are too much for you, use name resolution. To enable it go to View>Name Resolution>and enable all of them.
Done!
Wireshark is a very powerful tool, and yet we’ve not even made a dent in learning everything about what this software can do. You will find professionals using it for debuging network protocol implementations, finding security holes, and much more.
3: Change the line static ip-address=192.168.0.4/24 to what you want your new static IP to be. static ip_address= proceeds, /24 follows. It should look like this. NOTE: Your IP has to start with 192.168 for this to work:
CONFIG
static ip-address=[Your IP]/24
4: Press CTRL+ALT+X
5: Hit Y
6: Reboot:
BASH
sudo reboot
7: Now, on a Windows machine on the same network, open up Command Prompt and type the batch code. NOTE: THE -t FLAG IS NOT REQUIRED:
WINDOWS BATCH
ping [YOUR PI'S NEW STATIC IP] -t
8: Now wait for a response to test if it’s working
