Spear is a custom firmware for the Hack Club Sprig console, built with MicroPython and used for cybersecurity pentesting. Scroll down for instructions.
Development for Spear has completed. Hack Club has decided to switch to the Orpheus Pico as the microcontroller for the Sprig console. The Orpheus Pico does not have a WiFi/Bluetooth chipset and as such won't be able to perform the majority of Spear's functions.
Thank you to everyone who used Spear! See you in the next project!
Hack Club team for the Sprig :D
ECTO-1A for the AppleJuice Code
Chris Hager for most of the Captive Portal Code
- Bluetooth AppleJuice Attack (Read Disclaimer)
- USB Keyboard
- Read rubber ducky payloads (not all functions supported yet)
- Read from microsd card slot
- WiFi Evil Twin
- WiFi Evil Twin customization (read disclaimer)
- WiFi Beacon Spam
- BLE Device Scanning and Info
- WiFi Deauth Attack (missing monitor mode)
- Bluetooth Deauth (bad Bluetooth classic support)
- Bluetooth L2CAP ping
- Bluetooth Fake device
- I'm not responsible for what you do so don't do anything stupid. (I know some of you will)
- AppleJuice attack has been patched by Apple. The attack is also unreliable due to possible ETIMEOUT Error.
- Captive portal files can only go up to a certain size before the Pico freaks out and hard resets.
- AppleJuice attacks may take up to 5 seconds to exit.
- The BLE Scanning submenu can sometimes stall the Pico due to memory overload.
- Download MicroPython
- Flash to the Pico W (Newer versions of the Sprig come with a Pico W)
- Use Thonny or MicroPico to send all the Python files to the Pico W
- Install mpremote using pip
  python3 -m pip install mpremote
- Install keyboard libraries (you may need to close VS Code or Thonny during this part)
  python3 -m mpremote mip install usb-device-keyboard
- Install aioble for BLE scanning
  python3 -m mpremote mip install aioble-central
- Install sdcard libraries
  python3 -m mpremote mip install sdcard
- Put rubber ducky payloads in a folder called ducks at root or on sdcard (fat32) as .ducky files
- Put beacons.txt in root or on sdcard (contains SSID names for beacon spamming)
- Follow instructions below for captive portals
- Reboot the Pico W
- Use buttons to navigate. Up/Down to select, Right to enter, Left to go back
- You can find captured credentials in cred.txt at the root folder
Note: You must create a ducks folder, a beacons.txt file, and a portals folder at root or else the device won't boot
Optional: Place bootimg.raw at root to get a fun splash screen at boot
- Create a folder called portals in root or on sdcard
- Inside portals create a folder with whatever name you want
- Inside your created folder, make a file called config.txt
- Place your SSID (WiFi name) and password inside config.txt
Example (leave PASS blank for open network):
SSID = "TEST"
PASS = ""
- Create a file called index.html
- Place your login page inside index.html, have it return username and password through POST requests
Note: There is no support for images or for reading other files, as index.html can only reach a few KB in size
Example:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Login Page</title>
</head>
<body>
<h1>Welcome to the Captive Portal</h1>
<form action="/" method="POST">
<label for="username">Username:</label>
<br>
<input type="text" id="username" name="username" required>
<br><br>
<label for="password">Password:</label>
<br>
<input type="password" id="password" name="password" required>
<br><br>
<button type="submit">Login</button>
</form>
</body>
</html>