Raspberry Pi Zero W WiFi Hacking Gadget

Pi Zero W, Micro USB Cable, and USB Power Bank

Resources

To complete this project you will need a Raspberry Pi Zero W, a micro SD Card (I used a 32 GB Samsung EVO Select), a case, a micro USB cable (a sturdy one is preferable), and optionally a USB battery bank. You will also need a computer to configure the SD Card and Pi, and a mobile phone with Bluetooth to control the Pi if you’re going to be mobile. The power requirements of the Pi Zero are not significant so a small battery bank is adequate; mine is marked 5000mAh but I’m sure it’s closer to 3000.

The article is informational. Do not break the law.

Getting Started

Download the latest image for Raspbian Buster Lite from raspberrypi.org and flash it to the SD Card. There are many ways to do this, Etcher is a popular one. After the image is flashed, some of the config files need to be modified on the root directory of the micro SD card (Boot). Circuit Basics has a good guide for Windows, but config.txt needs “dtoverlay=dwc2” added as a new line to the end, and cmdline.txt needs “modules-load=dwc2,g_ether” added after rootwait. Also add a “ssh” file with no extension using touch or New — Text Document, and remove the .txt file extension.

You can now ssh to the pi over USB using raspberrypi.local. Connect and run raspi-config to set localization, expand the file system, and set the GPU memory. Reboot.

Basic Setup

Update Raspbian

sudo apt-get update && sudo apt-get upgrade -y

Install Re4son kernel for Raspberry Pi (kalipi)

wget -O re4son-kernel_current.tar.xz https://re4son-kernel.com/download/re4son-kernel-current/tar -xJf re4son-kernel_current.tar.xz
cd re4son-kernel_4*
sudo ./install.sh

After reboot, check if you can set the WiFi interface to monitoring mode.

iw phy phy0 info

In the results we should see:

Supported interface modes:* IBSS* managed* AP* monitor* P2P-client* P2P-GO* P2P-device

Let’s setup a monitoring interface by editing rc.local

sudo nano /etc/rc.local

Add the line

sudo iw phy phy0 interface add mon0 type monitor
sudo ifconfig mon0 up

Save and exit, reboot. Type ifconfig and verify mon0 is present.

mon0 is Present

Installing Tools (Fun Stuff)

Now that we have a WiFi in monitoring mode, let’s get some fun stuff going to take advantage of that. We can start with Aircrack-ng.

curl -s https://packagecloud.io/install/repositories/aircrack-ng/release/script.deb.sh | sudo bashsudo apt install aircrack-ng

Test monitoring mode:

sudo airodump-ng mon0

Give injection a quick test:

sudo aireplay-ng -test mon0
Injection is working!

Aircrack-ng is successfully installed and working.

Another great tool is Bettercap. This will require some prereqs, but its well worth it.

Bettercap dependencies
sudo apt install build-essential libpcap-dev libusb-1.0 libnetfilter-queue-dev git

You will also need a correctly configure Go environment. I found a good script here that will do the job..

wget -q -O - https://git.io/vQhTU | bash
Go Successfully Installed.

After you source Go, you can then proceed with compiling Bettercap:

go get github.com/bettercap/bettercap
cd $GOPATH/src/github.com/bettercap/bettercap
make build
sudo make install

You can then update Bettercap and use the web UI or jump right in with the command line interface.

Mobile Bettercap on Mass Transit using SSH via Bluetooth

Where to Go From Here?

The options are limitless. Setup Bluetooth and pair with your phone for mobile WiFi hacking, use with a tablet and the Bettercap web UI, keep tethered via USB to your laptop if you don’t have a WiFi adaptor that supports monitoring mode. I have a bash script in my rc.local to blink the LED ten times when it boots fully, which is useful when using headless. Between Aircrack and Bettercap you can have a lot of fun, learn a lot, and for very little money.

Addendum: Bluetooth Pairing

I had trouble with the Bluetooth setup I had linked above, so I figured there was a better way. The Re4son kernel ships with BlueZ, so I looked into creating a PAN with BlueZ natively, and I was able to do that without too much trouble.

First install bluez-tools.

sudo apt install bluez-tools

Create the following files:

sudo nano /etc/systemd/network/pan0.netdev

[NetDev]
Name=pan0
Kind=bridge

sudo nano /etc/systemd/network/pan0.network

[Match]
Name=pan0
[Network]
Address=172.20.1.1/24
DHCPServer=yes

sudo nano /etc/systemd/system/bt-agent.service

[Unit]
Description=Bluetooth Auth Agent
[Service]
ExecStart=/usr/bin/bt-agent -c NoInputNoOutput
Type=simple
[Install]
WantedBy=multi-user.target

sudo nano /etc/systemd/system/bt-network.service

[Unit]
Description=Bluetooth NEP PAN
After=pan0.network
[Service]
ExecStart=/usr/bin/bt-network -s nap pan0
Type=simple
[Install]
WantedBy=multi-user.target

Then run the following:

sudo systemctl enable systemd-networkd
sudo systemctl enable bt-agent
sudo systemctl enable bt-network
sudo systemctl start systemd-networkd
sudo systemctl start bt-agent
sudo systemctl start bt-network

Finally, to pair, run:

sudo bt-adapter — set Discoverable 1

I had to set “Use for Internet access” to On in my phone’s Bluetooth settings, and disable WiFi and mobile data to get traffic to route to the Pi. I can SSH to 172.20.1.1 with no issues.

Note: I have written a follow up article that can be found here.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
mr.smashy

mr.smashy

440 Followers

Infrastructure architect. Security dev and researcher. Infosec nerd. Linux enthusiast. All opinions and views are my own. Polite, professional, prepared.