Fun and adventure with the $10 Raspberry Pi
Why Are We Revisiting This?
The Raspberry Pi Zero is very flexible and can provide a lot of capabilities for the low end of the Raspberry Pi range. We’re going to look at adding more capabilities and what you actually get with them. This isn’t a “how to” guide for WiFi penetration testing, but we will look at those capabilities, and how to appropriately leverage the Pi Zero in different scenarios.
The article is informational. Do not break the law.
Requirements and Setup
To get the most out of this setup, you’ll need a Raspberry Pi Zero W ($10 at Adafruit), a decent case (mine was $7 from Amazon), a sturdy micro USB cable (there are a lot of choices, but realistically this is around $6), and a USB battery bank (this Amazon bank is overkill at $22; shop around). You’ll also need a micro SD card; I personally recommend the Samsung PRO Endurance for all Raspberry Pi projects, and it’s $11 for 32 GB, more than enough space. On the high end this project comes out to $56, but I’m sure you have a cable hanging around and possibly a small USB battery bank. You can also find a case that doesn’t cost 70% of the price of the Pi, and use a cheaper SD card. I just like nice things that last.
Setup is very similar to my previous write-up on the Pi Zero W WiFi hacking gadget. Image the SD card with Raspbian Lite and configure the boot partition for a headless NDIS/Ethernet Gadget connection. Circuit Basics has a good tutorial, but essentially, besides adding an empty ssh file to the boot partition, edit config.txt and add dtoverlay=dwc2 to the end of the file (this file uses LF line endings, so keep that in mind if you edit it from Windows). Edit cmdline.txt and add rootwait. Insert the SD card and plug the USB cable into the Pi and your computer. If you’re using a Windows PC, install Bonjour so you can find the Pi at the address raspberrypi.local (Macs can do this by default).
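The boot-partition edits above are easy to get subtly wrong (a CRLF-saved config.txt, a duplicated line after a second attempt, a cmdline.txt broken onto two lines). The following shell script is an added example, not part of the original post or of any Raspberry Pi project; it applies the edits idempotently to a mounted boot partition whose path is passed as the first argument and provides a check function that confirms the result. One assumption beyond the post’s summary of the steps: it also adds the standard gadget-mode kernel parameter modules-load=dwc2,g_ether to cmdline.txt, since dtoverlay=dwc2 and rootwait alone do not load the USB Ethernet gadget driver.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a freshly imaged
# Raspbian Lite boot partition for USB Ethernet gadget mode, idempotently.
# usage: prepare_gadget_boot /path/to/mounted/boot ; check_gadget_boot /path/to/mounted/boot
# Assumption beyond the post: modules-load=dwc2,g_ether is the kernel parameter
# that actually loads the gadget driver, alongside the dtoverlay=dwc2 line.

# Append line $2 to file $1 unless an identical line is already there.
ensure_line() {
    # Guarantee the file ends with a newline so we never glue onto the last line.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then printf '\n' >> "$1"; fi
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

prepare_gadget_boot() {
    boot="${1:-./boot}"
    mkdir -p "$boot"
    touch "$boot/config.txt" "$boot/cmdline.txt"

    # config.txt must be LF-terminated: strip any CR a Windows editor left behind.
    tr -d '\r' < "$boot/config.txt" > "$boot/config.txt.tmp" && mv "$boot/config.txt.tmp" "$boot/config.txt"
    ensure_line "$boot/config.txt" "dtoverlay=dwc2"

    # cmdline.txt is one line of space-separated kernel parameters; add only what is missing.
    cmd=$(tr -d '\r\n' < "$boot/cmdline.txt")
    case " $cmd " in *" rootwait "*) ;; *) cmd="$cmd rootwait" ;; esac
    case " $cmd " in *" modules-load=dwc2,g_ether "*) ;; *) cmd="$cmd modules-load=dwc2,g_ether" ;; esac
    printf '%s\n' "${cmd# }" > "$boot/cmdline.txt"

    # An empty file named 'ssh' enables the SSH server on first boot.
    : > "$boot/ssh"
}

# Returns 0 when every expected change is in place and config.txt has no CR bytes.
check_gadget_boot() {
    boot="${1:-./boot}"
    grep -qxF "dtoverlay=dwc2" "$boot/config.txt" || return 1
    tr ' ' '\n' < "$boot/cmdline.txt" | grep -qx "rootwait" || return 1
    tr ' ' '\n' < "$boot/cmdline.txt" | grep -qx "modules-load=dwc2,g_ether" || return 1
    [ -f "$boot/ssh" ] || return 1
    ! grep -q "$(printf '\r')" "$boot/config.txt"
}
```

Running prepare_gadget_boot twice leaves the files unchanged the second time, which is the property you want when re-imaging a card you have already touched.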
Once you can reach your Pi, SSH to it and configure a static IP for the USB network. Adafruit has a good tutorial, though it skips a few steps; essentially we’ll assign a static IP in /etc/network/interfaces. Type ifconfig and check the IP configuration of your current USB network.
Configure the fixed address by typing
sudo nano /etc/network/interfaces
At the bottom of the file paste the following config (the addresses match the 192.168.7.x setup used for the host side; the /24 netmask is an assumption, use whatever your USB network shows in ifconfig):
iface usb0 inet static
    address 192.168.7.2
    netmask 255.255.255.0
    gateway 192.168.7.1
Exit and save. Now type
sudo nano /etc/resolv.conf
Change the IP of the nameserver to a valid DNS server (like your Pi-hole), then exit and save. Reboot your Pi.
On the host computer, set the IPv4 address and gateway of the Ethernet Gadget adapter to 192.168.7.1 and ping 192.168.7.2. The gadget now has a static IP, and with the nameserver set it should also be able to resolve external IPs.
Continue building the WiFi gadget. Run raspi-config to set localization, expand the file system, and set the GPU memory, then reboot.
sudo apt-get update && sudo apt-get upgrade
Install the Re4son kernel for the Raspberry Pi (Kali-Pi):
wget -O re4son-kernel_current.tar.xz https://re4son-kernel.com/download/re4son-kernel-current/
tar -xJf re4son-kernel_current.tar.xz
Set up a monitor-mode interface (mon0) that is created at boot by editing rc.local:
sudo nano /etc/rc.local
Add the following two lines above the final exit 0:
sudo iw phy phy0 interface add mon0 type monitor
sudo ifconfig mon0 up
Exit and save, then reboot. Type ifconfig and verify that mon0 is listed.
Installing (and using) Tools
The two main tool sets we can leverage on the WiFi gadget are Aircrack-ng and Bettercap. Depending on the objective, the two overlap somewhat, but they are both powerful and useful. Aircrack-ng has been around for quite a while and has been part of Kali for years, so there are a lot of resources on how to use it for different tasks.
Installing aircrack-ng is rather straightforward: add the aircrack-ng release repository to the package manager and install.
curl -s https://packagecloud.io/install/repositories/aircrack-ng/release/script.deb.sh | sudo bash
sudo apt install aircrack-ng
A good article on getting started with aircrack-ng can be found here. Basically you have several options to attack, but you want to use the Pi Zero to capture a handshake, then transfer the captured handshake off the Pi using SCP to a more powerful computer for cracking.
Run sudo airmon-ng check kill to stop any processes that could interfere with aircrack-ng; the usual culprit is the wpa_supplicant process. Use sudo airodump-ng mon0 to view all the APs and clients that the Pi can reach. To narrow airodump-ng down to a single BSSID and look for handshakes, break out of the scan and start a new one with switches restricting it to a channel and BSSID, like sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one, where -c is the channel, --bssid is a specific BSSID, and -w is the filename prefix for the file that will contain the authentication handshake.
If you’re successful, you will have a .cap file. There will also be some logs and CSVs with info on the recon.
You can now use aircrack-ng with the cap file to crack the handshake. I would not use the Pi Zero for this! SCP it to a more powerful system, and possibly use it in conjunction with John the Ripper. The more power you have behind the crack attempt, the faster it will go, and running it on the Pi Zero is a terrible idea.
Bettercap is a newer, more flexible tool. You can run it from the shell or a web interface. With a static IP on the USB port, running it connected to a laptop is very easy. I also like to run it from my mobile phone over SSH via Bluetooth.
Install the prereqs for Bettercap:
sudo apt install build-essential libpcap-dev libusb-1.0 libnetfilter-queue-dev git
You will also need a correctly configured Go environment. I found a good script that will do the job:
wget -q -O - https://git.io/vQhTU | bash
After you source Go, fetch the Bettercap source, change into the checked-out tree under your GOPATH, build it, and install:
go get github.com/bettercap/bettercap
cd $GOPATH/src/github.com/bettercap/bettercap
make build
sudo make install
After installing Bettercap, install the latest caplets and web UI:
sudo bettercap -eval "caplets.update; ui.update; q"
To allow use of the remote UI, run
sudo bettercap -caplet https-ui and connect to https://192.168.7.2 in a browser on the machine that is connected to the Pi via USB. The default username and password are “user” and “pass”. Those defaults are set by the https-ui caplet (its api.rest.username and api.rest.password settings), so change them before relying on the UI: anything that can reach that port gets full control of the gadget.
The Bettercap Web UI is a rich, modern interface showing a lot of data. If a network has clients, you can drill down and view the details.
The Command section has a variety of commands based on the types of connectivity you are working with. In the WiFi commands, you have the ability to turn recon off and on, and deauth a BSSID. From the WiFi table, BSSIDs can be copied with a click.
You also have the ability to set up a fake access point and set its parameters there.
Bettercap has a Bluetooth recon section that I won’t go into detail on, but it is very interesting and worth mentioning.
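The deauth command in the WiFi section is exactly the traffic a network defender should be watching for in their own captures. The following is an added example, not part of the original post or of Bettercap: a standard-library Python script that reads a pcap written by airodump-ng or Bettercap (raw 802.11, link type 105, or radiotap-prefixed, link type 127), extracts deauthentication frames, and flags BSSID/client pairs that receive a burst of them inside a short window. The capture it runs on is constructed inline (the page’s 00:11:22:33:44:55 BSSID as the AP plus two made-up client addresses), so it runs offline; point it at a real capture by passing the file’s bytes to find_deauth_floods.

```python
"""Deauthentication-flood detector for 802.11 pcaps (added example, not part
of the original post or of Bettercap). Standard library only. Assumes the
classic pcap format with link type 105 (raw 802.11) or 127 (radiotap +
802.11), the formats airodump-ng and Bettercap write. The sample capture
at the bottom is constructed inline so the script runs offline."""
import struct

LINKTYPE_IEEE802_11 = 105
LINKTYPE_IEEE802_11_RADIOTAP = 127
DEAUTH_FC0 = 0xC0  # frame control byte 0: type 0 (management), subtype 12 (deauth)


def iter_pcap_records(data: bytes):
    """Yield (timestamp, 802.11 frame bytes) per record, with any radiotap header stripped."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_IEEE802_11_RADIOTAP):
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if linktype == LINKTYPE_IEEE802_11_RADIOTAP:
            # radiotap: version(1) pad(1) length(2, always little-endian) present(4) ...
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        yield ts_sec + ts_usec / 1e6, frame


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def deauth_frames(data: bytes):
    """Yield (timestamp, bssid, target, reason_code) for each deauthentication frame."""
    for ts, frame in iter_pcap_records(data):
        if len(frame) < 26 or frame[0] != DEAUTH_FC0:
            continue
        # 802.11 header: FC(2) dur(2) addr1=DA(6) addr2=SA(6) addr3=BSSID(6) seq(2), then reason(2)
        yield ts, mac(frame[16:22]), mac(frame[4:10]), struct.unpack("<H", frame[24:26])[0]


def find_deauth_floods(data: bytes, window: float = 1.0, threshold: int = 5) -> dict:
    """Return {(bssid, target): total_deauths} for every pair that saw at least
    `threshold` deauth frames inside any `window`-second span. One deauth is
    normal (a client leaving); dozens per second against one client is not."""
    times_by_pair: dict = {}
    for ts, bssid, target, _reason in deauth_frames(data):
        times_by_pair.setdefault((bssid, target), []).append(ts)
    floods = {}
    for pair, times in times_by_pair.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                floods[pair] = len(times)
                break
    return floods


# --- constructed sample capture (not a real recording) ---------------------
def build_deauth_frame(bssid: bytes, target: bytes, reason: int = 7) -> bytes:
    """Minimal deauth frame: the AP (bssid) telling `target` it is deauthenticated."""
    return (bytes([DEAUTH_FC0, 0x00]) + b"\x00\x00" + target + bssid + bssid
            + b"\x00\x00" + struct.pack("<H", reason))


def build_pcap(records, linktype: int = LINKTYPE_IEEE802_11) -> bytes:
    """Serialise (timestamp, frame) pairs as a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


AP = bytes.fromhex("001122334455")      # the BSSID used in the post's airodump example
VICTIM = bytes.fromhex("aabbccddee01")  # made-up client address
OTHER = bytes.fromhex("aabbccddee02")   # made-up client address
RECORDS = [(10.0 + i * 0.05, build_deauth_frame(AP, VICTIM)) for i in range(20)]  # 20 in 1 s
RECORDS.append((50.0, build_deauth_frame(AP, OTHER, reason=3)))  # a single, ordinary leave
SAMPLE_PCAP = build_pcap(RECORDS)
RADIOTAP_HDR = b"\x00\x00\x08\x00\x00\x00\x00\x00"  # version 0, length 8, no fields present
SAMPLE_PCAP_RADIOTAP = build_pcap([(ts, RADIOTAP_HDR + f) for ts, f in RECORDS],
                                  LINKTYPE_IEEE802_11_RADIOTAP)

if __name__ == "__main__":
    for (bssid, target), n in find_deauth_floods(SAMPLE_PCAP).items():
        print(f"deauth flood: {n} frames from BSSID {bssid} targeting {target}")
```

The window and threshold are deliberately conservative; on a busy network a legitimate AP may deauth several clients in a second, but twenty frames against one client in a second is the signature of a deauth tool rather than normal roaming.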
Once Bettercap has captured a handshake, it saves it to the bettercap-wifi-handshakes.pcap file. This may contain one or several handshakes from one or more BSSIDs. The file can then be converted to the hccapx format that hashcat reads, using hashcat-utils or an online service. The key here is copying the pcap off the Pi Zero to a more powerful machine and running hashcat on the handshake to crack it. There are even cloud-based POCs if you don’t have a GPU that can handle hashcat. Look around.
Please see the original article at the end for a guide to setup Bluetooth. With Bluetooth you can pair the Pi Zero with a mobile phone and use an SSH client to control the Pi. You can also tether the Pi Zero to a Windows or Mac laptop using USB and use SSH and a browser to run the tools. This decouples the need for a compatible WiFi device and a Kali VM or dual boot setup. When there are a lot of passengers on the train, I enjoy plugging in my Pi Zero to the USB battery bank inside my backpack and connecting my mobile phone via Bluetooth and doing WiFi recon. It’s very inconspicuous; I’m just another passenger on their phone.
I hope this provides more utility to the Pi Zero W. I like to explore with Bettercap; its recon abilities are impressive, and so is the ability to run caplets. There are even pwnagotchi caplets to mess around with, so if you ever wanted to build one but never wanted to mess with an e-ink display, building this and running Bettercap with the right caplet essentially does the same thing. I hope you learn and grow and find a use for this tool in your toolbox.