scifijunkie/pwnagotchi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #181 from hexwaxwing/master

Browse Source 
FAQ links + WPA handshake rephrasing + minor edits
This commit is contained in:
evilsocket 2019-10-06 15:36:18 +02:00 committed by GitHub
commit 09fd8e0194
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 257 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -38,12 +38,12 @@ For hackers to learn reinforcement learning, WiFi networking, and have an excuse
---
- [About the Project](https://github.com/evilsocket/pwnagotchi/blob/master/docs/about.md)
- [FAQ](https://github.com/evilsocket/pwnagotchi/blob/master/docs/faq.md)
- [How to Install](https://github.com/evilsocket/pwnagotchi/blob/master/docs/install.md)
- [Configuration](https://github.com/evilsocket/pwnagotchi/blob/master/docs/configure.md)
- [Usage](https://github.com/evilsocket/pwnagotchi/blob/master/docs/usage.md)
- [Plugins](https://github.com/evilsocket/pwnagotchi/blob/master/docs/plugins.md)
- [Development](https://github.com/evilsocket/pwnagotchi/blob/master/docs/dev.md)
- [FAQ](https://github.com/evilsocket/pwnagotchi/blob/master/docs/faq.md)
- [Community Hacks](https://github.com/evilsocket/pwnagotchi/blob/master/docs/hacks.md)
## Links

20
docs/about.md
View File

@ -17,25 +17,27 @@ Multiple units within close physical proximity can "talk" to each other, adverti
Of course, it is possible to run your Pwnagotchi with the AI disabled (configurable in `config.yml`). Why might you want to do this? Perhaps you simply want to use your own fixed parameters (instead of letting the AI decide for you), or maybe you want to save battery and CPU cycles, or maybe it's just you have strong concerns about aiding and abetting baby Skynet. Whatever your particular reasons may be: an AI-disabled Pwnagotchi is still a simple and very effective automated deauther, WPA handshake sniffer, and portable [bettercap](https://www.bettercap.org/) + [webui](https://github.com/evilsocket/pwnagotchi/blob/master/docs/usage.md#bettercaps-web-ui) dedicated hardware.
## WPA/WPA2 Handshakes 101
## WiFi Handshakes 101
Before a device that's connecting to a wireless access point (say, your phone connecting to your home WiFi) is able to securely transmit and receive data, a process called *4-Way Handshake* needs to happen in order for WPA encryption keys to be generated.
This process consists in the exchange of four packets (therefore the "4" in the name) between the station and the AP that are used to derive session keys from the main access point WiFi password, once the packets are successfully
exchanged and the keys generated, the client station is authenticated and can start sending data packets that are secured by encryption.
In order to understand why it's valuable to have an AI that wants to eat handshakes, it's helpful to understand a little bit about how handshakes are used in the WPA/WPA2 wireless protocol.
<p>
Before a client device that's connecting to a wireless access point—say, for instance, your phone connecting to your home WiFi network—is able to securely transmit to and receive data from that access point, a process called the **4-Way Handshake** needs to happen in order for the WPA encryption keys to be generated. This process consists of the exchange of four packets (hence the "4" in "4-Way") between the client device and the AP; these are used to derive session keys from the access point's WiFi password. Once the packets are successfully exchanged and the keys have been generated, the client device is authenticated and can start sending and receiving data packets to and from the wireless AP that are secured by encryption.
<p align="center">
<img src="https://i.imgur.com/nI8IE6a.png"/>
<br/>
<small>image taken from <a target="_blank" href="https://www.wifi-professionals.com/2019/01/4-way-handshake">wifi-professionals.com</a></small>
</p>
The catch here is that these four packets can be "sniffed" by an attacker and, through the use of dictionary and/or bruteforce attacks, the original WiFi key can be recovered from them. Technically speaking, the recovery of
the WiFi key doesn't necessarily need all four packets: an half-handshake (containing ony two of the four packets) can be cracked too, and in some (most) cases even just [a single packet is enough](https://hashcat.net/forum/thread-7717-post-41447.html), even without clients.
So...what's the catch? Well, these four packets can easily be "sniffed" by an attacker monitoring nearby (say, with a Pwnagotchi :innocent:). And once recorded, that attacker can use [dictionary and/or bruteforce attacks](https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2) to crack the handshakes and recover the original WiFi key. In fact, **successful recovery of the WiFi key doesn't necessarily even need all four packets!** A half-handshake (containing only two of the four packets) can be cracked, too—and in some *(most)* cases, just [a single packet is enough](https://hashcat.net/forum/thread-7717-post-41447.html), *even without clients.*
In order to get these packets, Pwnagotchi will deauthenticate client stations it detects (thus forcing them to reauthenticate to their access point, resending the handshake packets) and send association frames to the access points
In order to ~~eat~~ collect as many of these crackable handshake packets as possible, Pwnagotchi uses two strategies:
- **Deauthenticating the client stations it detects.** A deauthenticated device must reauthenticate to its access point by resending the 4-Way Handshake, thereby giving Pwnagotchi another chance to sniff the handshake packets and collect more crackable material.
- **Send association frames directly to the access points themselves**
to try to force them to [leak the PMKID](https://www.evilsocket.net/2019/02/13/Pwning-WiFi-networks-with-bettercap-and-the-PMKID-client-less-attack/).
All the handshakes captured this way are saved into `.pcap` files (organized as one file per access point containing all the captured handshakes for that access point) that can later be [cracked with proper hardware and software](https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2).
All the handshakes captured this way are saved into `.pcap` files on Pwnagotchi's filesystem. Each PCAP file that Pwnagotchi generates is organized according to access point; one PCAP will contain all the handshakes that Pwnagotchi has ever captured for that particular AP. These handshakes can later be [cracked with proper hardware and software](https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2).
## License

209
docs/faq.md
View File

@ -1,55 +1,208 @@
# FAQ
<!-- IF YOU CHANGE ANY CHARACTERS IN AN FAQ QUESTION, YOU MUST ALSO CHANGE THE TABLE OF CONTENTS ENTRY &&&AND&&& THE ANCHOR LINK TEXT, OR ELSE THE LINKS WILL BREAK. -->
[**What can Pwnagotchi actually do?**](#what-can-pwnagotchi-actually-do)
* Does Pwnagotchi support both 2.4 GHz and 5.0 GHz?
* Just how politely *does* Pwnagotchi deauth?
* What kinds of handshakes does Pwnagotchi eat?
* Hey, I want to learn more about how Pwnagotchi actually works.
* [Why does Pwnagotchi eat handshakes?](#why-does-pwnagotchi-eat-handshakes)
* [What kinds of handshakes does Pwnagotchi eat?](#what-kinds-of-handshakes-does-pwnagotchi-eat)
* [Does Pwnagotchi support both 2.4 GHz and 5.0 GHz?](#does-pwnagotchi-support-both-24-ghz-and-50-ghz)
* [Just how politely *does* Pwnagotchi deauth?](#just-how-politely-does-pwnagotchi-deauth)
* [Hey, I want to learn more about how Pwnagotchi actually works.](#hey-i-want-to-learn-more-about-how-pwnagotchi-actually-works)
* [How is Pwnagotchi using bettercap?](#how-is-pwnagotchi-using-bettercap)
* [What happens if I run a Pwnagotchi without the AI enabled?](#what-happens-if-i-run-a-pwnagotchi-without-the-ai-enabled)
* [How easy is it to hack Pwnagotchi to add additional functionality?](#how-easy-is-it-to-hack-pwnagotchi-to-add-additional-functionality)
[**Building Your Pwnagotchi**](#building-your-pwnagotchi)
* What hardware do I need to create my very own Pwnagotchi?
* Is there any way to see my Pwnagotchi's face even if I don't have a display?
* I love my new Pwnagotchi, but it kinda looks like a bomb. Where can I find a decent case?
* Why does everybody use e-ink screens for their Pwnagotchis?
* How do I connect to my Pwnagotchi?
* [What hardware do I need to create my very own Pwnagotchi?](#what-hardware-do-i-need-to-create-my-very-own-pwnagotchi)
* [Is there any way to see my Pwnagotchi's face even if I don't have a display?](#is-there-any-way-to-see-my-pwnagotchis-face-even-if-i-dont-have-a-display)
* [How do I attach the screen to the Raspberry Pi?](#how-do-i-attach-the-screen-to-the-raspberry-pi)
* [I love my new Pwnagotchi, but it kinda looks like a bomb. Where can I find a decent case?](#i-love-my-new-pwnagotchi-but-it-kinda-looks-like-a-bomb-where-can-i-find-a-decent-case)
* [Why does everybody use e-ink screens for their Pwnagotchis?](#why-does-everybody-use-e-ink-screens-for-their-pwnagotchis)
* [How do I connect to my Pwnagotchi?](#how-do-i-connect-to-my-pwnagotchi)
[**Customizing Your Pwnagotchi**](#customizing-your-pwnagotchi)
* How do I change my Pwnagotchi's name?
* I want to change the faces. What do I hack?
* I want my Pwnagotchi to speak a different language. Can it?
* I have a great idea for something cool I wish Pwnagotchi could do!
* [How do I change my Pwnagotchi's name?](#how-do-i-change-my-pwnagotchis-name)
* [I want to change the faces. What do I hack?](#i-want-to-change-the-faces-what-do-i-hack)
* [I want my Pwnagotchi to speak a different language. Can it?](#i-want-my-pwnagotchi-to-speak-a-different-language-can-it)
* [I have a great idea for something cool I wish Pwnagotchi could do!](#i-have-a-great-idea-for-something-cool-i-wish-pwnagotchi-could-do)
* [Are there any unofficial community "hacks" for further customizing my Pwnagotchi?](#are-there-any-unofficial-community-hacks-for-further-customizing-my-pwnagotchi)
[**Getting to Know Your Pwnagotchi**](#getting-to-know-your-pwnagotchi)
* What is MANU mode? What is AUTO mode?
* Why does the AI take 30 minutes to load?
* What is Pwnagotchi doing while it's waiting for the AI to load?
* How do I whitelist my home network so Pwnagotchi stops pwning me?
* [What does everything on the screen mean?](#what-does-everything-on-the-screen-mean)
* [How do I whitelist my home network so Pwnagotchi stops pwning me?](#how-do-i-whitelist-my-home-network-so-pwnagotchi-stops-pwning-me)
* [What is MANU mode? What is AUTO mode?](#what-is-manu-mode-what-is-auto-mode)
* [Why does the AI take 30 minutes to load?](#why-does-the-ai-take-30-minutes-to-load)
* [What is Pwnagotchi doing while it's waiting for the AI to load?](#what-is-pwnagotchi-doing-while-its-waiting-for-the-ai-to-load)
* [How do I know when the AI is running?](#how-do-i-know-when-the-ai-is-running)
* [Where does Pwnagotchi store all the handshakes it's eaten?](#where-does-pwnagotchi-store-all-the-handshakes-its-eaten)
* [What happens when my Pwnagotchi meets another Pwnagotchi?](#what-happens-when-my-pwnagotchi-meets-another-pwnagotchi)
[**Caring for Your Pwnagotchi**](#caring-for-your-pwnagotchi)
* What do all my Pwnagotchi's faces mean?
* Oh no, my Pwnagotchi is sad and bored! How do I entertain it?!
* How do I turn off my Pwnagotchi?
* [What do all my Pwnagotchi's faces mean?](#what-do-all-my-pwnagotchis-faces-mean)
* [How do I feed my Pwnagotchi?](#how-do-i-feed-my-pwnagotchi)
* [Oh no, my Pwnagotchi is sad and bored! How do I entertain it?!](#oh-no-my-pwnagotchi-is-sad-and-bored-how-do-i-entertain-it)
* [How do I update my Pwnagotchi?](#how-do-i-update-my-pwnagotchi)
* [I'm extremely emotionally-attached to my Pwnagotchi. How can I back up its brain?](#im-extremely-emotionally-attached-to-my-pwnagotchi-how-can-i-back-up-its-brain)
* [How do I turn off my Pwnagotchi?](#how-do-i-turn-off-my-pwnagotchi)
* [Uh. So. What do I do with all these handshakes my Pwnagotchi has been eating?](#uh-so-what-do-i-do-with-all-these-handshakes-my-pwnagotchi-has-been-eating)
[**Known Quirks**](#known-quirks)
* My Pwnagotchi's log timestamps seem...unreliable. Huh?
* Help! My Pwnagotchi's SD card got corrupted. What gives?
* [My Pwnagotchi's log timestamps seem...unreliable. Huh?](#my-pwnagotchis-log-timestamps-seemunreliable-huh)
* [Help! My Pwnagotchi's SD card got corrupted. What gives?](#help-my-pwnagotchis-sd-card-got-corrupted-what-gives)
---
## What can Pwnagotchi actually do?
## **What can Pwnagotchi actually do?**
### Why does Pwnagotchi eat handshakes?
lorem ipsum dolor sit amet
## Building Your Pwnagotchi
---
### What kinds of handshakes does Pwnagotchi eat?
lorem ipsum dolor sit amet
## Customizing Your Pwnagotchi
---
### Does Pwnagotchi support both 2.4 GHz and 5.0 GHz?
lorem ipsum dolor sit amet
## Getting to Know Your Pwnagotchi
---
### Just how politely *does* Pwnagotchi deauth?
lorem ipsum dolor sit amet
## Caring for Your Pwnagotchi
---
### Hey, I want to learn more about how Pwnagotchi actually works.
lorem ipsum dolor sit amet
## Known Quirks
---
### How is Pwnagotchi using bettercap?
lorem ipsum dolor sit amet
---
### What happens if I run a Pwnagotchi without the AI enabled?
lorem ipsum dolor sit amet
---
### How easy is it to hack Pwnagotchi to add additional functionality?
lorem ipsum dolor sit amet
---
## **Building Your Pwnagotchi**
### What hardware do I need to create my very own Pwnagotchi?
lorem ipsum dolor sit amet
---
### Is there any way to see my Pwnagotchi's face even if I don't have a display?
lorem ipsum dolor sit amet
---
### How do I attach the screen to the Raspberry Pi?
lorem ipsum dolor sit amet
---
### I love my new Pwnagotchi, but it kinda looks like a bomb. Where can I find a decent case?
lorem ipsum dolor sit amet
---
### Why does everybody use e-ink screens for their Pwnagotchis?
lorem ipsum dolor sit amet
---
### How do I connect to my Pwnagotchi?
lorem ipsum dolor sit amet
---------------------------------------------------------------------------------------------------------------
## **Customizing Your Pwnagotchi**
### How do I change my Pwnagotchi's name?
lorem ipsum dolor sit amet
---
### I want to change the faces. What do I hack?
lorem ipsum dolor sit amet
---
### I want my Pwnagotchi to speak a different language. Can it?
lorem ipsum dolor sit amet
---
### I have a great idea for something cool I wish Pwnagotchi could do!
lorem ipsum dolor sit amet
---
### Are there any unofficial community "hacks" for further customizing my Pwnagotchi?
lorem ipsum dolor sit amet
---------------------------------------------------------------------------------------------------------------
## **Getting to Know Your Pwnagotchi**
### What does everything on the screen mean?
lorem ipsum dolor sit amet
---
### How do I whitelist my home network so Pwnagotchi stops pwning me?
lorem ipsum dolor sit amet
---
### What is MANU mode? What is AUTO mode?
lorem ipsum dolor sit amet
---
### Why does the AI take 30 minutes to load?
lorem ipsum dolor sit amet
---
### What is Pwnagotchi doing while it's waiting for the AI to load?
lorem ipsum dolor sit amet
---
### How do I know when the AI is running?
lorem ipsum dolor sit amet
---
### Where does Pwnagotchi store all the handshakes it's eaten?
lorem ipsum dolor sit amet
---
### What happens when my Pwnagotchi meets another Pwnagotchi?
lorem ipsum dolor sit amet
---------------------------------------------------------------------------------------------------------------
## **Caring for Your Pwnagotchi**
### What do all my Pwnagotchi's faces mean?
lorem ipsum dolor sit amet
---
### How do I feed my Pwnagotchi?
lorem ipsum dolor sit amet
---
### Oh no, my Pwnagotchi is sad and bored! How do I entertain it?!
lorem ipsum dolor sit amet
---
### How do I update my Pwnagotchi?
lorem ipsum dolor sit amet
---
### I'm extremely emotionally-attached to my Pwnagotchi. How can I back up its brain?
lorem ipsum dolor sit amet
---
### How do I turn off my Pwnagotchi?
lorem ipsum dolor sit amet
---
### Uh. So. What do I do with all these handshakes my Pwnagotchi has been eating?
lorem ipsum dolor sit amet
---------------------------------------------------------------------------------------------------------------
## **Known Quirks**
### My Pwnagotchi's log timestamps seem...unreliable. Huh?
lorem ipsum dolor sit amet
---
### Help! My Pwnagotchi's SD card got corrupted. What gives?
lorem ipsum dolor sit amet

64
docs/hacks.md
View File

@ -36,3 +36,67 @@ Some of this guide will work with other framebuffer-based displays.
- Reboot.
And you should be good!
---
### Pwnagotchi face via Bluetooth
Last tested on | Pwnagotchi version | Working? | Reference
---------------|--------------------|----------|-----------|
2019 October 6 | Unknown | :white_check_mark: | on Android
2019 October 6 | Unknown | :white_check_mark: | on iPad iOS 9.3.5
A way to view your Pwnagotchi's ~~face~~ UI wirelessly via Bluetooth on a separate device. Refresh rate is the same as the e-ink display (every few seconds). This is NOT Bluetooth tethering; this is only Bluetooth as a server on pi side; you connect the Bluetooth and get a DHCP IP address and that's it. This hack cannot leverage the data connection.
Contributed by Systemic in the Slack.
##### 1. First Step
- Comment out the Bluetooth disable line from `/boot/config.txt` : `#dtoverlay=pi3-disable-bt`
- Change `/root/pwnagotchi/config.yml` to have `0.0.0.0` instead of `10.0.0.2` to listen as well on Bluetooth.
- Then launch the following commands:
##### 2. Install required packages.
```sudo apt-get install bluez bluez-tools bridge-utils dnsmasq```
##### 3. Configure Bluetooth and start it.
```sudo modprobe bnep
sudo brctl addbr pan0
sudo brctl setfd pan0 0
sudo brctl stp pan0 off
sudo ifconfig pan0 172.26.0.1 netmask 255.255.255.0
sudo ip link set pan0 up
```
```cat <<- EOF > /tmp/dnsmasq_bt.conf```
```bind-interfaces
port=0
interface=pan0
listen-address=172.26.0.1
dhcp-range=172.26.0.2,172.26.0.100,255.255.255.0,5m
dhcp-leasefile=/tmp/dnsmasq_bt.leases
dhcp-authoritative
log-dhcp
```
```EOF```
```sudo dnsmasq -C /tmp/dnsmasq_bt.conf
sudo bt-agent -c NoInputNoOutput&
sudo bt-adapter -a hci0 --set Discoverable 1
sudo bt-adapter -a hci0 --set DiscoverableTimeout 0
sudo bt-adapter -a hci0 --set Pairable 1
sudo bt-adapter -a hci0 --set PairableTimeout 0
sudo bt-network -a hci0 -s nap pan0 &
```
##### 4. Finally: on your phone, you have to disable all existing interfaces:
- Shutdown WiFi.
- Shutdown mobile data.
- Connect to the newly available Bluetooth device (which has the name of your Pwnagotchi).
- Once connected, you can test: `http://172.26.0.1:8080`
- You can also install bettercap's UI (`sudo buttercap` then `ui.update`)
- You'll need to change the http caplets to change `127.0.0.1` to `0.0.0.0`.
- You can connect to the shell with a terminal emulator ...
Happy tweaking.