# Pwnagotchi
<p align="center">
<p align="center">
<a href="https://github.com/evilsocket/pwnagotchi/releases/latest"><img alt="Release" src="https://img.shields.io/github/release/evilsocket/pwnagotchi.svg?style=flat-square"></a>
<a href="https://github.com/evilsocket/pwnagotchi/blob/master/LICENSE.md"><img alt="Software License" src="https://img.shields.io/badge/license-GPL3-brightgreen.svg?style=flat-square"></a>
<a href="https://travis-ci.org/evilsocket/pwnagotchi"><img alt="Travis" src="https://img.shields.io/travis/evilsocket/pwnagotchi/master.svg?style=flat-square"></a>
[Pwnagotchi](https://twitter.com/pwnagotchi) is an "AI" that learns from the WiFi environment and instruments bettercap in order to maximize the WPA key material (any form of handshake that is crackable, including [PMKIDs](https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/), full and half WPA handshakes) captured.

Specifically, it's using an [LSTM with MLP feature extractor](https://stable-baselines.readthedocs.io/en/master/modules/policies.html#stable_baselines.common.policies.MlpLstmPolicy) as its policy network for the [A2C agent](https://stable-baselines.readthedocs.io/en/master/modules/a2c.html). Here is [a very good intro](https://hackernoon.com/intuitive-rl-intro-to-advantage-actor-critic-a2c-4ff545978752) on the subject.

Instead of playing [Super Mario or Atari games](https://becominghuman.ai/getting-mario-back-into-the-gym-setting-up-super-mario-bros-in-openais-gym-8e39a96c1e41?gi=c4b66c3d5ced), pwnagotchi will tune [its own parameters](https://github.com/evilsocket/pwnagotchi/blob/master/sdcard/rootfs/root/pwnagotchi/config.yml#L54) over time, effectively learning to get better at pwning WiFi things. **Keep in mind:** unlike the usual RL simulations, pwnagotchi learns over time (where a single epoch can last from a few seconds to minutes, depending on how many access points and client stations are visible). Do not expect it to perform amazingly well at the beginning, as it'll be exploring several combinations of parameters ... but listen to it when it's bored, bring it with you and have it observe new networks and capture new handshakes and you'll see :)

Multiple units can talk to each other, advertising their own presence using a parasite protocol I've built on top of the existing dot11 standard, by broadcasting custom information elements. Over time, two or more units learn to cooperate if they detect each other's presence, by dividing the available channels among them.
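
A defender's view of the custom information elements described above, as an added example that is not part of the pwnagotchi code base: it walks the ID/length/value elements of a beacon body and reports every element ID outside a baseline. The baseline set, the function names and the sample frames (including element ID 200) are constructed for illustration; the page does not state which element IDs pwnagotchi uses.

```python
import struct

# Element IDs this sketch expects in a beacon (SSID, rates, DS, TIM, country,
# ERP, HT caps, RSN, ext. rates, HT operation, ext. caps, vendor specific).
# Assumption: replace with a baseline measured on your own network.
BASELINE_IDS = frozenset({0, 1, 3, 5, 7, 42, 45, 48, 50, 61, 127, 221})
FIXED_FIELDS_LEN = 12  # timestamp (8) + beacon interval (2) + capabilities (2)


def parse_elements(tagged: bytes):
    """Walk the ID/length/value elements; raise on malformed input."""
    elements, offset = [], 0
    while offset + 2 <= len(tagged):
        eid, length = tagged[offset], tagged[offset + 1]
        value = tagged[offset + 2 : offset + 2 + length]
        if len(value) < length:
            raise ValueError(f"element {eid} at offset {offset} is truncated")
        elements.append((eid, value))
        offset += 2 + length
    if offset != len(tagged):
        raise ValueError("dangling byte after the last element")
    return elements


def unexpected_elements(beacon_body: bytes, baseline=BASELINE_IDS):
    """Return (id, value) for every element whose ID is not in the baseline.

    beacon_body is the frame body after the 24-byte 802.11 management header.
    """
    if len(beacon_body) < FIXED_FIELDS_LEN:
        raise ValueError("beacon body shorter than its fixed fields")
    tagged = beacon_body[FIXED_FIELDS_LEN:]
    return [(eid, val) for eid, val in parse_elements(tagged) if eid not in baseline]


def element(eid: int, value: bytes) -> bytes:
    """Encode one information element (helper for the constructed samples)."""
    return bytes([eid, len(value)]) + value


# Constructed sample frames, not captured traffic.
FIXED = struct.pack("<QHH", 0, 100, 0x0411)
NORMAL_BEACON = FIXED + element(0, b"office-wifi") + element(3, b"\x06")
ODD_BEACON = NORMAL_BEACON + element(200, b"constructed-payload")

if __name__ == "__main__":
    for name, body in (("normal", NORMAL_BEACON), ("odd", ODD_BEACON)):
        print(name, unexpected_elements(body))
```

A malformed element raises `ValueError` rather than being skipped, so a sensor built on this can count parse failures separately from baseline misses.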

Depending on the status of the unit, several states and state transitions are configurable and represented on the display as different moods, expressions and sentences.

If instead you just want to use your own parameters and save battery and CPU cycles, you can disable the AI in `config.yml` and enjoy an automated deauther, WPA handshake sniffer and portable bettercap + webui dedicated hardware.
**NOTE:** The software **requires at least bettercap v2.25**.
## Why
For hackers to learn reinforcement learning, WiFi networking and have an excuse to take a walk more often. And **it's cute as f---**.
## Documentation
However, there's [a Slack channel](https://join.slack.com/t/pwnagotchi/shared_invite/enQtNzc4NzY3MDE2OTAzLTg5NmNmNDJiMDM3ZWFkMWUwN2Y5NDk0Y2JlZWZjODlhMmRhNDZiOGMwYjJhM2UzNzA3YjA5NjJmZGY5NGI5NmI).
### Hardware
- Raspberry Pi Zero W
- A decent power bank (with 1500 mAh you get ~2 hours with AI on)
#### Display (optional)
The display is optional if you connect to `usb0` (by using the data port on the unit) and point your browser to the web ui (see config.yml).
The supported models are:
- [Waveshare eInk Display (both V1 and V2)](https://www.waveshare.com/2.13inch-e-paper-hat.htm)
- [Pimoroni Inky pHAT](https://shop.pimoroni.com/products/inky-phat)
- [PaPiRus eInk Screen](https://uk.pi-supply.com/products/papirus-zero-epaper-screen-phat-pi-zero)
### Software
- Raspbian + [nexmon patches](https://re4son-kernel.com/re4son-pi-kernel/) for monitor mode, or any Linux with a monitor mode enabled interface (if you tune config.yml).

**Do not try with Kali on the Raspberry Pi 0 W: it is compiled without hardware floating point support and TensorFlow is simply not available for it. Use Raspbian.**

#### Automatically create an image
You can use the `scripts/create_sibling.sh` script to create a ready-to-flash Raspbian image with pwnagotchi.

```
usage: ./scripts/create_sibling.sh [OPTIONS]

  -n <name>    # Name of the pwnagotchi (default: pwnagotchi)
  -i <file>    # Provide the path of an already downloaded raspbian image
  -o <file>    # Name of the img-file (default: pwnagotchi.img)
  -s <size>    # Size which should be added to second partition (in Gigabyte) (default: 4)
  -v <version> # Version of raspbian (Supported: latest; default: latest)
  -p           # Only run provisioning (assumes the image is already mounted)
  -d           # Only run dependencies checks
  -h           # Show this help
```

#### Host Connection Share
If you connect to the unit via `usb0` (thus using the data port), you might want to use the `scripts/linux_connection_share.sh` script to bring the interface up on your end and share internet connectivity from another interface, so you can update the unit and generally download things from the internet on it.
#### Update your pwnagotchi
You can use the `scripts/update_pwnagotchi.sh` script to update to the most recent version of pwnagotchi.

```
usage: ./update_pwnagotchi.sh [OPTIONS]

  -v  # Version to update to, can be a branch or commit. (default: master)
  -u  # Url to clone from. (default: https://github.com/evilsocket/pwnagotchi)
  -m  # Mode to restart to. (Supported: auto manual; default: auto)
  -b  # Backup the current pwnagotchi config.
  -r  # Restore the current pwnagotchi config. -b will be enabled.
  -h  # Shows this help.
```

### UI
The UI is available either via the display, if installed, or via http://pwnagotchi.local:8080/ if you connect to the unit via `usb0` and set a static address on the network interface (replace `pwnagotchi` with the hostname of your unit).

* **CH**: Current channel the unit is operating on or `*` when hopping on all channels.
* **APS**: Number of access points on the current channel and total visible access points.
* **UP**: Time since the unit has been activated.
* **PWND**: Number of handshakes captured in this session and number of unique networks we own at least one handshake of, from the beginning.
* **AUTO**: Indicates that the algorithm is running with AI disabled (or still loading). It disappears once the AI dependencies have been bootstrapped and the neural network loaded.

#### Languages
Pwnagotchi is able to speak multiple languages!! Currently supported are:

* **english** (default)
* german
* dutch
* greek
* italian

If you want to add a language, use the `language.sh` script. For example, to add the language **italian** you would type:

```shell
./scripts/language.sh add it
# Now make your changes to the file
# sdcard/rootfs/root/pwnagotchi/scripts/pwnagotchi/locale/it/LC_MESSAGES/voice.po
./scripts/language.sh compile it
```

If you changed the `voice.py` file, the translations need an update. Do it like this:

```shell
./scripts/language.sh update it
# Now make your changes to the file (changed lines are marked with "fuzzy")
# sdcard/rootfs/root/pwnagotchi/scripts/pwnagotchi/locale/it/LC_MESSAGES/voice.po
./scripts/language.sh compile it
```

Now you can use the `preview.py` script to preview the changes:

```shell
./scripts/preview.py --lang it --display ws2 --port 8080 &
./scripts/preview.py --lang it --display inky --port 8081 &
# Now open http://localhost:8080 and http://localhost:8081
```

### Random Info
- `hostname` sets the unit name.
- At first boot, each unit generates a unique RSA keypair that can be used to authenticate advertising packets.
- **On a rpi0w, it'll take approximately 30 minutes to load the AI**.
- `/var/log/pwnagotchi.log` is your friend.
- If connected to a laptop via the USB data port, with internet connectivity shared, magic things will happen.
- Check out the `ui.video` section of the `config.yml`: if you don't want to use a display, you can connect to it with the browser and a cable.
- If you get `[FAILED] Failed to start Remount Root and Kernel File Systems.` while booting pwnagotchi, make sure the `PARTUUID`s for `rootfs` and `boot` partitions are the same in `/etc/fstab`. Use `sudo blkid` to find those values when you are using `create_sibling.sh`.
## License
`pwnagotchi` is made with ♥ by [@evilsocket](https://twitter.com/evilsocket) and it's released under the GPL3 license.