Tarkov Wireless Vulnerability
Escape from Tarkov wireless vulnerability PoC
- ARP Cache Poisoning & MITM
- Tensorflow 2
- Flask
- React.js & Three.js
- Windows machine running Tarkov
- A secondary device running Linux (on the same local network)
This project should NOT be used for anything other than as an educational resource. Important elements are intentionally redacted to prevent misuse.
This information has been sent to Battlestate Games as a "Reproducable game exploit method allowing players to kill/loot while invisible, see players through walls, loot map of all valuable items in seconds."
Mitigation solutions are posted at the bottom of this readme
- Clone Repo
- Set up secondary linux machine
- Set up networking rules
- Learn the structure of the game packets
- filter out by udp and obtain player info
- make player info available via flask api
- launch react web service for esp
- launch invisibility hack
git clone git@github.com:wau/norussian.gitIf running in a virtualbox vm make sure you have a wireless adaptor plugged into the device for it to use
sudo apt-get install apt-get update && \
apt-get -qq -y install \
python3 \
python3-pip \
python \
python-pip \
iptables \
build-essential \
libnetfilter-queue-dev \
wireless-tools && apt-get cleanDiscover your target's local ip address
Discover your attacker's primary wireless interface name
For outbound traffic filtering:
sudo iptables -t raw \
-A PREROUTING \
-p udp --destination-port 17000:17100 \
-j NFQUEUE --queue-num 1For inbound traffic filtering:
sudo iptables -t raw \
-A PREROUTING \
-p udp --destination-port 56000:61000 \
-j NFQUEUE --queue-num 2List your ip tables rules to verify it has been added
sudo iptables -L --line-numbers
0003c2f020292180 ffffffffffffffffffffffffffffff f8 611dc65c271600aa001400794001021080068b4c57ff00e800622e00000000
Player rotation packets are 102 in length
movement_packets = [102, 110, 156, 172, 220] #or > 220 #TRY
combat_packets = [142, 150, 158, 166] #combat (142, hatchet) (150, 158, 166 bullet/gun movement)
loot_packets = [296, 302, 206, 344, 336] #loot (246, 166, 174 drop item) (296, 302 take item) (328, attach to gun) (206, search) (344, 336 switch into inventory)Use tensorflow to automate finding what payload position corresponds to what action and generate new ones.
0005e029dfa7fc18fffffffffffffffffffffffffffffff00d85417740e6 1200aa00100060a0010210800e981d00000100000000 1200aa0010006000020210800e991d00000100000000 1200aa00100060800102108006991d00000100000000.... 1200aa001000606001021080069d1d00000100000000 1200aa0010006080010210800e9e1d00000100000000 1200aa0010006080010210800e9f1d00000100000000 1200aa001000608001021080069f1d00000100000000 1200aa0010006080010210800ea01d00000100000000 1200aa0010006060010210800ea11d00000100000000 1200aa00100060a0010210800ea21d00000100000000 : 2798sudo python3 mitm.py --interface en0 --ip [TARGET_IP]python app.py -- argsYou will be able to see the location of each player relative to your position
Your player will freeze in place for other people but you will be able to move around, kill and loot without them seeing.
sudo python3 nfqueue.pyThe following is a list of possible preventative solutions with reducing effort
Encrypt traffic to and from the client. This would prevent attackers from discovering patterns in the netcode without finding a way to decrypt.
Rotational changes to the netcode to prevent people from discovering the payload structure of the UDP packets.
Put less trust in the player's client and offload more work to the server.
https://www.stjude.org/donate/donate-to-st-jude.html?sc_icid=wtg-lz-donatenow