Pwnagotchi is an A2C-based “AI” powered by bettercap and running on a Raspberry Pi Zero W that learns from its surrounding WiFi environment in order to maximize the crackable WPA key material it captures (either through passive sniffing or by performing deauthentication and association attacks). This material is collected on disk as PCAP files containing any form of handshake supported by hashcat, including full and half WPA handshakes as well as PMKIDs.
In case you're curious about the name: Pwnagotchi (ポーナゴッチ) is a portmanteau of pwn and -gotchi. It is a nostalgic reference made in homage to a very popular children's toy from the 1990s called the Tamagotchi. The Tamagotchi (たまごっち, derived from tamago (たまご) "egg" + uotchi (ウオッチ) "watch") is a cultural touchstone for many Millennial hackers as a formative electronic toy from our collective childhoods.
I am not an attorney.
Attacking wireless devices without permission is likely a violation of the Computer Fraud and Abuse Act (CFAA).
Each state and country has its own laws pertaining to unauthorized access and the collection of data; get written authorization before pointing this at any network you do not own.
No soldering is required if you buy the Raspberry Pi Zero W with pre-installed headers.
Cases can be 3D printed; the one used in this build is at https://www.thingiverse.com/thing:3920904.
Flashing an Image
The easiest way to create a new Pwnagotchi is downloading the latest stable image from our release page and writing it to your SD card.
Once you have downloaded the latest Pwnagotchi image, you will need to use an image writing tool to install that image on your SD card. We recommend using balenaEtcher, a graphical SD card writing tool that works on Mac OS, Linux, and Windows; it is the easiest option for most users. (balenaEtcher also supports writing images directly from the ZIP file, without any unzipping required!)
To write your Pwnagotchi image with balenaEtcher:
- Download the latest Pwnagotchi .img (or .zip) file.
- Verify the SHA-256 checksum of the download against the one published on the release page before writing it.
- Download balenaEtcher and install it.
- Connect an SD card reader with the SD card inside.
- Open balenaEtcher and select from your hard drive the Pwnagotchi .zip or .img file you wish to write to the SD card.
- Select the SD card you wish to write your image to.
- Review your selections, then click Flash! to begin writing data to the SD card.
A few things to know before the first boot:
- Pwngrid is enabled by default (Pwngrid is a cloud database controlled by ¯\_(ツ)_/¯); turn it off in the config if you do not want your unit reporting what it captures.
- Whitelist networks you own or are authorized to test before the device goes live.
- Whitelisting alone will not prevent a whitelisted network's handshakes from being passively captured to disk; it only keeps Pwnagotchi from actively attacking those networks.
- YAML is very picky about syntax: indent with spaces, never tabs, and keep the nesting consistent.
- A YAML error will leave the screen blank even when the logs look fine, so if the display stays dark, re-check the config indentation first.
Edit the config located in /etc/pwnagotchi/config.yml, restart, and you should be good to go.
```yaml
# Add your configuration overrides on this file; any configuration changes done to default.yml will be lost!
# Example:
#
# ui:
#   display:
#     type: 'inkyphat'
#     color: 'black'
#
main:
  name: '<NAMEOFPWNAGOTCHI>'
  whitelist:
    - '<YOURNETWORK>'
  plugins:
    grid:
      enabled: false
      report: false
      exclude:
        - '<YOURNETWORK>'
ui:
  display:
    enabled: true
    type: 'waveshare_2'
    color: 'black'
  web:
    username: pi
    password: <YOURPASSWORD>
```
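Because a mis-indented config.yml fails silently from the user's point of view (blank screen, clean-looking logs), and because a fresh image ships with Pwngrid reporting on, it is worth checking the override file before the first boot. The following is an added example, not part of Pwnagotchi, that parses the indentation-based subset of YAML this file uses and flags the three settings the notes above care about: an empty whitelist, grid reporting left enabled, and a placeholder web password. It deliberately avoids a YAML library so it runs anywhere; Pwnagotchi itself loads the file with a full YAML parser, so treat this as a pre-flight lint, not a substitute. Both sample configs are constructed for the example, and "changeme" in the placeholder list is an assumed default, not taken from the page.

```python
import re

# Constructed config.yml override as a fresh Pwnagotchi 1.x image leaves it:
# Pwngrid reporting on and the web UI password still a placeholder.
SAMPLE_CONFIG = """\
main:
  whitelist:
    - 'HomeNet'
  plugins:
    grid:
      enabled: true   # default: captures are reported to Pwngrid
      report: true
ui:
  display:
    enabled: true
    type: 'waveshare_2'
  web:
    username: pi
    password: <YOURPASSWORD>
"""

# The same override after the hardening steps described in the text (constructed).
SAFE_CONFIG = """\
main:
  whitelist:
    - 'HomeNet'
  plugins:
    grid:
      enabled: false
      report: false
ui:
  web:
    username: pi
    password: 'a-long-random-passphrase'
"""

_COMMENT = re.compile(r"(^|\s)#.*$")          # '#' starts a comment only at line start or after whitespace
PLACEHOLDER_PASSWORDS = {"", "<YOURPASSWORD>", "changeme"}   # "changeme" is an assumed default


def _scalar(token):
    """Convert one YAML scalar token: quoted string, true/false, int or bare string."""
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
        return token[1:-1]
    if token.lower() in ("true", "false"):
        return token.lower() == "true"
    return int(token) if token.isdigit() else token


def parse_simple_yaml(text):
    """Parse the indentation-based subset of YAML config.yml uses (nested
    mappings, lists of scalars, '#' comments).  Tabs or stray indentation
    raise ValueError instead of silently producing the wrong structure."""
    root, stack, pending = {}, [], None
    stack.append((0, root))                   # (indent of this container's entries, container)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _COMMENT.sub("", raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if line[indent] == "\t":
            raise ValueError("line %d: tab used for indentation" % lineno)
        while indent < stack[-1][0]:          # dedent: close nested containers
            stack.pop()
        content = line.strip()
        if indent > stack[-1][0]:             # first entry of a nested container
            if pending is None:
                raise ValueError("line %d: unexpected indentation" % lineno)
            child = [] if content.startswith("- ") else {}
            stack[-1][1][pending] = child
            stack.append((indent, child))
        pending = None
        container = stack[-1][1]
        if content.startswith("- ") and isinstance(container, list):
            container.append(_scalar(content[2:].strip()))
        elif ":" in content and isinstance(container, dict):
            key, _, value = content.partition(":")
            value = value.strip()
            container[key.strip()] = _scalar(value) if value else None
            pending = None if value else key.strip()   # empty value: children follow
        else:
            raise ValueError("line %d: cannot parse %r here" % (lineno, content))
    return root


def _get(cfg, path):
    """Follow a dotted path through nested dicts; None if any part is missing."""
    node = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def lint_config(cfg):
    """Return the settings to fix before the device goes live (empty list = fine)."""
    findings = []
    if not _get(cfg, "main.whitelist"):
        findings.append("main.whitelist is empty: your own network will be attacked")
    if _get(cfg, "main.plugins.grid.enabled") is not False:
        findings.append("main.plugins.grid.enabled is not false: captures are reported to Pwngrid")
    if _get(cfg, "main.plugins.grid.report") is not False:
        findings.append("main.plugins.grid.report is not false")
    password = _get(cfg, "ui.web.password")
    if not isinstance(password, str) or password in PLACEHOLDER_PASSWORDS:
        findings.append("ui.web.password is unset or a placeholder")
    return findings


if __name__ == "__main__":
    for label, text in (("as shipped", SAMPLE_CONFIG), ("hardened", SAFE_CONFIG)):
        print(label, lint_config(parse_simple_yaml(text)) or ["ok"])
```

Run it against your own /etc/pwnagotchi/config.yml by reading the file into `parse_simple_yaml`; a ValueError points at the exact line that would otherwise leave you staring at a blank e-ink panel, and a non-empty finding list means the unit is not yet safe to power on near networks you care about.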
In the hit Netflix series 'Stranger Things', the Upside Down is the parallel dimension inhabited by a monster. It is a dark and cold reflection of the dimension inhabited by humans, containing the same locations and infrastructure. When assessing wireless networks, I like to think of 5GHz as 'the upside down': a dark and cold spectrum where assessors have historically had limited visibility into what is lurking within, compared to its 2.4GHz peer.
Wi-Fi operates in two common bands, 2.4GHz and 5GHz. Since 2010, 5GHz networks have become more prevalent as hardware support became available, offering users higher data rates and less radio congestion than 2.4GHz. In the business of wireless assessments and penetration testing, we have historically been stuck focusing on 2.4GHz frequencies and attack vectors. This is because most scripts only support 2.4GHz channels, hardware with monitor-mode and packet-injection support is largely limited to 2.4GHz, and most rogue AP attacks work regardless of RF frequency. This leaves the 5GHz spectrum a mysterious place that is often overlooked, with a potentially large user base and an entire RF band left untested.
The topic was raised by my boss, who asked if we could harvest users with my crEAP utility on 802.11ac/n frequencies. The case was simple: many organizations have both 2.4GHz and 5GHz deployed in their environments, and we were not seeing the full picture; we set off to fix that.
One of the big issues I came across is the lack of wireless adapter support. Not many adapters use chipsets that allow monitor mode and packet injection on 5GHz. Various articles exist covering this, but after testing, I found the Alfa AWUS051NH to be the best option for our use cases.
The crEAP script, which we dropped in Fall 2015, identifies weaknesses in WPA-Enterprise wireless networks. The script relies heavily on airodump-ng under the hood to do the dirty work. With a few modifications to the script, we had crEAP listening in the 5GHz spectrum on the 802.11ac/n bands with supported hardware. During onsite client engagements, we could now tap into a previously untapped RF spectrum and pull usernames, handshakes and other data that would otherwise have been overlooked. The 'upside down' wasn't so mysterious any longer. It also yields lots of juicy Wi-Fi traffic.
The AWUS051NH adapter will be effective for Wi-Fi assessment scripts such as crEAP, allowing traffic in the 5GHz spectrum to be monitored and inspected. Through our testing, it was apparent that other common Wi-Fi utilities (such as Wifite) are still fragile in their 5GHz support. Attack vectors such as rogue APs don't depend on the 5GHz band, so attacks such as Karma should function regardless of RF frequency.
The updated crEAP script is located in the Shellntel repo.
Good luck with your ventures into 'the upside down'.
With the demands of a mobile workforce, wireless networks in enterprise environments are quite common. Typically, enterprise wireless networks use WPA-Enterprise, which removes the need for a pre-shared key (WPA2-PSK) that floats around between employees and raises concerns about sharing and about continued, unauthorized access after an employee leaves.
These WPA-Enterprise (802.1x) wireless networks often make use of protocols known as Extensible Authentication Protocol (EAP) types. Here is a quick breakdown of commonly seen EAP types including some pros/cons:
Knowing that a large percentage of enterprise wireless networks deploy EAP types other than EAP-TLS (because of the administrative burden of managing client certificates), we can leverage known weaknesses in those EAP types to harvest valuable information. This information can include usernames, certificates, and challenge/response exchanges built on weak hash functions that can be cracked offline. While these EAP weaknesses are nothing new, I struggled to find a tool to help penetration testers quickly identify EAP types and weaknesses. This is where the idea for crEAP came from.
There are plenty of wireless assessment utilities, such as Kismet, Wifite, etc. These all do a great job of identifying WPA-Enterprise networks and the cipher suites in use (TKIP/CCMP), but they do not give details about the EAP type. In the past, a tester would have to obtain PCAPs for each network and sift through them to extract useful information, a burden on engagements with multiple networks in scope. We wanted a utility to automate identifying WPA-Enterprise EAP types and their insecurities. This led us to develop crEAP.
crEAP is a Python script that identifies WPA-Enterprise EAP types and, if insecure protocols are in use, attempts to harvest usernames and/or handshakes. The most commonly deployed EAP types (such as EAP-PEAP) send the user's identity in cleartext in the outer EAP-Response/Identity by default, which can be gold for a penetration tester looking to harvest employee lists. crEAP monitors for wireless EAPOL exchanges on the fly and extracts data such as usernames and challenge/responses coming over the air. It expands on eapmd5crack by running against live captures while adding support for different EAP types (such as PEAP username harvesting).
In EAP-PEAP, once the client has sent its identity, the remainder of the authentication is encrypted inside a TLS tunnel. Our simple use case is for red or blue teams to run crEAP and passively harvest usernames over the airwaves. The script does not attempt to replace rogue RADIUS server attacks; we are simply interested in filling the void of passively identifying EAP types and harvesting users.
Remediation: some wireless clients offer 'Enable Identity Privacy' under the advanced Protected EAP options. This setting sends an anonymous username during the unencrypted phase 1 of PEAP and then, once the TLS tunnel is built, identifies with the real username inside the tunnel. Clients with this enabled cannot be harvested this way.
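To make the passive-harvesting step concrete, here is an added example that is not crEAP's own code (crEAP drives airodump-ng); it parses 802.1X EAPOL-EAP frames and pulls out exactly what the text describes: the cleartext outer identity from EAP-Response/Identity, whether that identity names a real user or is an identity-privacy placeholder, and the EAP method the authenticator proposes in its first method-bearing Request. The sample capture is constructed inline and starts at the EAPOL header; stripping the 802.11 and LLC/SNAP headers from a real pcap is assumed to have happened already. Treating "anonymous@realm" and the bare "@realm" form as anonymous outer identities is an assumption based on common practice, not something the original post states.

```python
import struct

# EAP method types from the IANA EAP registry (RFC 3748 and the method RFCs).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "EAP-PEAP", 26: "EAP-MSCHAPv2",
             43: "EAP-FAST"}
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAPOL_EAP_PACKET, EAPOL_KEY = 0, 3


def build_eapol_eap(code, identifier, eap_type=None, type_data=b""):
    """Build an 802.1X frame carrying one EAP packet.  Used here only to
    construct the sample capture; in a real pcap the 802.11 and LLC/SNAP
    headers precede this EAPOL header and are assumed to be stripped."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    eap = struct.pack("!BBH", code, identifier, 4 + len(body)) + body
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap


def parse_eapol_eap(frame):
    """Parse an EAPOL frame into (code, identifier, eap_type, type_data).
    Returns None for EAPOL-Key frames (the WPA 4-way handshake), truncated
    frames and anything else that is not a well-formed EAP packet."""
    if len(frame) < 8:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET or length < 4 or len(frame) < 4 + length:
        return None
    code, identifier, eap_len = struct.unpack("!BBH", frame[4:8])
    if eap_len < 4 or eap_len > length:
        return None
    if code in (EAP_SUCCESS, EAP_FAILURE) or eap_len == 4:
        return code, identifier, None, b""          # no Type field in Success/Failure
    return code, identifier, frame[8], frame[9:4 + eap_len]


def identity_is_anonymous(identity):
    """Outer identities that do not name a user: an empty local part
    ('@realm') or the conventional 'anonymous' placeholder (assumed forms)."""
    local = identity.split("@", 1)[0].strip().lower()
    return local in ("", "anonymous")


def harvest(frames):
    """Passive crEAP-style pass over captured EAPOL frames: collect the
    cleartext EAP-Response/Identity values, flag the ones that name a real
    user, and record which EAP method the authenticator proposed."""
    result = {"identities": [], "leaked": [], "methods": []}
    for frame in frames:
        parsed = parse_eapol_eap(frame)
        if parsed is None:
            continue
        code, _ident, eap_type, data = parsed
        if code == EAP_RESPONSE and eap_type == 1:
            identity = data.decode("utf-8", "replace")   # phase 1: never encrypted
            result["identities"].append(identity)
            if not identity_is_anonymous(identity):
                result["leaked"].append(identity)
        elif code == EAP_REQUEST and eap_type is not None and eap_type >= 4:
            # A Request carrying a method type is the server offering its
            # configured method (PEAP, TTLS, TLS, ...), still before any TLS tunnel.
            name = EAP_TYPES.get(eap_type, "type %d" % eap_type)
            if name not in result["methods"]:
                result["methods"].append(name)
    return result


# Constructed capture: two PEAP clients on the same SSID, one of them with
# identity privacy enabled, plus an EAPOL-Key frame the parser must skip.
SAMPLE_FRAMES = [
    build_eapol_eap(EAP_REQUEST, 1, 1),                              # Request/Identity
    build_eapol_eap(EAP_RESPONSE, 1, 1, b"jdoe@corp.example"),       # real username, cleartext
    build_eapol_eap(EAP_REQUEST, 2, 25, b"\x20"),                    # PEAP Request, Start flag
    build_eapol_eap(EAP_REQUEST, 1, 1),
    build_eapol_eap(EAP_RESPONSE, 1, 1, b"anonymous@corp.example"),  # identity privacy on
    build_eapol_eap(EAP_REQUEST, 2, 25, b"\x20"),
    struct.pack("!BBH", 2, EAPOL_KEY, 2) + b"\x02\x00",              # EAPOL-Key, not EAP
    build_eapol_eap(EAP_SUCCESS, 9),
]

if __name__ == "__main__":
    report = harvest(SAMPLE_FRAMES)
    print("EAP method offered:", report["methods"])
    print("identities seen:   ", report["identities"])
    print("usernames leaked:  ", report["leaked"])
```

The two clients make the remediation visible: both go through the same PEAP exchange, but only the one without identity privacy hands the harvester a usable username. Everything after the PEAP Start lives inside TLS, which is why a passive listener like this one gets the outer identity and the method type, and nothing more.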
You can download the crEAP script from Shellntel's GitHub:
git clone https://github.com/Shellntel/scripts.git
Travis - @w9hax