Revisiting the Raspberry Pi Zero WiFi Hacking Gadget

Fun and adventure with the $10 Raspberry Pi

Why Are We Revisiting This?

The Raspberry Pi Zero is very flexible and can provide a lot of capabilities for the low end of the Raspberry Pi range. We’re going to look at adding more capabilities and what you actually get with them. This isn’t a “how to” guide for WiFi penetration testing, but we will look at those capabilities, and how to appropriately leverage the Pi Zero in different scenarios.

The article is informational. Do not break the law.

Requirements and Setup

To get the most out of this setup, you’ll need a Raspberry Pi Zero W ($10 at adafruit), a decent case (mine was $7 from Amazon), a sturdy micro USB cable (there are a lot of choices, but realistically this is around $6), and a USB battery bank (this Amazon bank is overkill at $22, so shop around). You’ll also need a Micro SD Card; I personally recommend the Samsung PRO Endurance for all Raspberry Pi projects, which is $11 for 32 GB, more than enough space. On the high end this project comes out to $56, but I’m sure you have a cable hanging around and possibly a small USB battery bank. You can also find a case that doesn’t cost 70% of the price of the Pi, and use a cheaper SD Card. I just like nice things that last.

Setup is very similar to my previous write up on the Pi Zero W WiFi hacking gadget. Image the SD Card with Raspbian Lite. Configure the boot partition for a headless NDIS/Ethernet Gadget connection. Circuit Basics has a good tutorial, but essentially, besides adding an empty ssh file to the boot partition, edit config.txt and add dtoverlay=dwc2 to the end of the file. This file uses LF line endings; keep that in mind if you edit it on Windows. Edit cmdline.txt and add modules-load=dwc2,g_ether after rootwait. Insert the SD Card and plug the USB cable into the Pi and your computer. If you’re using a Windows PC, you will want to install Bonjour so you can find the Pi using the address raspberrypi.local (Macs can do this by default.)
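The boot partition edits above, as an added example that is not part of the original post: a POSIX sh function that applies them idempotently to a mounted boot partition. It assumes the partition is mounted at the path passed as the first argument (a placeholder such as /media/$USER/boot) and contains the stock config.txt and cmdline.txt.

```shell
#!/bin/sh
# Added example (not from the original post): apply the headless USB gadget
# edits to a mounted Raspbian boot partition. Safe to run more than once.
# Assumes $1 is the mount point of the boot partition (placeholder path).
set -eu

configure_gadget_boot() {
    boot="$1"
    cfg="$boot/config.txt"
    cmd="$boot/cmdline.txt"
    if [ ! -f "$cfg" ] || [ ! -f "$cmd" ]; then
        echo "no config.txt/cmdline.txt found in $boot" >&2
        return 1
    fi

    # An empty 'ssh' file makes Raspbian enable the SSH server on first boot.
    : > "$boot/ssh"

    # Both files must be LF-formatted: strip any CR a Windows editor left behind.
    for f in "$cfg" "$cmd"; do
        tr -d '\r' < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done

    # config.txt: append dtoverlay=dwc2 exactly once, on its own line at the end.
    if ! grep -qx 'dtoverlay=dwc2' "$cfg"; then
        # Make sure the existing content ends with a newline before appending.
        if [ -s "$cfg" ] && [ -n "$(tail -c1 "$cfg")" ]; then
            printf '\n' >> "$cfg"
        fi
        printf 'dtoverlay=dwc2\n' >> "$cfg"
    fi

    # cmdline.txt is a single line: insert the module list right after rootwait.
    if ! grep -q 'modules-load=dwc2,g_ether' "$cmd"; then
        if ! grep -q 'rootwait' "$cmd"; then
            echo "rootwait not found in cmdline.txt; refusing to edit" >&2
            return 1
        fi
        sed -i.bak 's/rootwait/rootwait modules-load=dwc2,g_ether/' "$cmd"
        rm -f "$cmd.bak"
    fi
}

# Usage: sh gadget-boot.sh /path/to/boot
if [ $# -ge 1 ]; then
    configure_gadget_boot "$1"
fi
```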

Once you can find your Pi, we’ll SSH to it and configure a static IP for the USB network. Adafruit has a good tutorial, but it’s missing some steps; essentially we’ll assign a static address in /etc/network/interfaces. Type ifconfig and check your IP configuration for your current USB network.

Configure the fixed address by typing sudo nano /etc/network/interfaces

At the bottom of the file paste the following config:

allow-hotplug usb0
iface usb0 inet static
address 192.168.7.2
netmask 255.255.255.0
network 192.168.7.0
broadcast 192.168.7.255
gateway 192.168.7.1

Exit and save. Now type sudo nano /etc/resolv.conf

Change the IP of the nameserver to a valid DNS server (like your PiHole) and exit and save. Reboot your Pi.

Change the IPv4 address and gateway IP of your Ethernet Gadget to 192.168.7.1 and ping 192.168.7.2. The Gadget now has a static IP.

We should also be able to resolve external IPs.

Continue to build the WiFi Gadget. Run raspi-config to set localization, expand the file system, and set the GPU memory. Reboot.

Update Rasbian.

sudo apt-get update && sudo apt-get upgrade

Install Re4son kernel for Raspberry Pi (kalipi)

wget -O re4son-kernel_current.tar.xz https://re4son-kernel.com/download/re4son-kernel-current/
tar -xJf re4son-kernel_current.tar.xz
cd re4son-kernel_4*
sudo ./install.sh

Set up a monitor-mode interface (mon0) by editing rc.local: sudo nano /etc/rc.local

sudo iw phy phy0 interface add mon0 type monitor
sudo ifconfig mon0 up

Exit and save, then reboot. Type ifconfig and verify mon0 is present.
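The check a practitioner wants before putting those two lines in rc.local, as an added example that is not from the original post: the stock Pi Zero W driver does not expose monitor mode (that is why the Re4son kernel is installed), so this script parses the output of iw phy info and only creates mon0 if monitor mode is actually listed. It assumes phy0 is the onboard radio and that iw and ip are installed.

```shell
#!/bin/sh
# Added example (not from the original post): verify monitor-mode support on the
# installed kernel/firmware before creating mon0. Assumes phy0 is the onboard radio.
set -eu

# Read 'iw phy <phy> info' from stdin and succeed only if '* monitor' is listed
# in the "Supported interface modes:" section (the section ends at the first
# line that is not a '*' bullet).
supports_monitor_mode() {
    awk '
        /^[[:space:]]*Supported interface modes:/ { in_modes = 1; next }
        in_modes && /^[[:space:]]*\*/ { if ($2 == "monitor") found = 1; next }
        in_modes { in_modes = 0 }
        END { exit found ? 0 : 1 }
    '
}

# Create mon0 only when supported and not already present; idempotent, so it
# can replace the two unconditional lines in rc.local.
ensure_mon0() {
    phy="${1:-phy0}"
    if ! iw phy "$phy" info | supports_monitor_mode; then
        echo "$phy does not support monitor mode; install the Re4son kernel first" >&2
        return 1
    fi
    if ! iw dev | grep -q 'Interface mon0'; then
        iw phy "$phy" interface add mon0 type monitor
    fi
    # Same effect as the post's 'ifconfig mon0 up'.
    ip link set mon0 up
}

# Usage (as root): sh mon0.sh phy0
if [ $# -ge 1 ]; then
    ensure_mon0 "$1"
fi
```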

Installing (and using) Tools

The two main tool sets we can leverage on the WiFi Gadget are Aircrack-ng and Bettercap. Depending on the objective, each tool overlaps somewhat, but they are both powerful and useful. Aircrack has been around for quite a while, and has been part of Kali for years, so there are quite a lot of resources on how to utilize it for different tasks.

Installing aircrack-ng is rather straightforward. Add the aircrack-ng release repository to the package manager and install.

curl -s https://packagecloud.io/install/repositories/aircrack-ng/release/script.deb.sh | sudo bash
sudo apt install aircrack-ng

A good article on getting started with aircrack-ng can be found here. Basically you have several options to attack, but you want to use the Pi Zero to capture a handshake, then transfer the captured handshake off the Pi using SCP to a more powerful computer for cracking.

Use sudo airmon-ng check kill to stop any processes that could cause trouble with aircrack. The usual culprit will be the wpa_supplicant process. Use sudo airodump-ng mon0 to view all the APs and clients that the Pi can reach. Refine airodump to a single BSSID to search for handshakes by breaking out of the scan and running a new scan with switches narrowing the search to a channel and BSSID, like sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one, where -c is the channel, --bssid is a specific BSSID, and -w is the file name prefix for the file which will contain the authentication handshake.

If you’re successful, you will have a .cap file. There will also be some logs and CSVs with info on the recon.

You can now use aircrack-ng with the cap file to crack the handshake. I would not use the Pi Zero for this! SCP it to a more powerful system, and possibly use it in conjunction with John the Ripper. The more power you have behind the crack attempt, the faster it will go, and running it on the Pi Zero is a terrible idea.

Bettercap

Bettercap is a newer, more flexible tool. You can run it from the shell or a web interface. With a static IP on the USB port, running it connected to a laptop is very easy. I also like to run it from my mobile phone over SSH via Bluetooth.

Install the prereqs for Bettercap:

sudo apt install build-essential libpcap-dev libusb-1.0 libnetfilter-queue-dev git

You will also need a correctly configured Go environment. I found a good script here that will do the job.

wget -q -O - https://git.io/vQhTU | bash

After you source Go, you can then proceed with compiling Bettercap:

go get github.com/bettercap/bettercap
cd $GOPATH/src/github.com/bettercap/bettercap
make build
sudo make install

After installing Bettercap, install the latest caplets and web UI: sudo bettercap -eval "caplets.update; ui.update; q"

To allow use of the remote UI, run sudo bettercap -caplet https-ui and connect to https://192.168.7.2 in a browser on the machine connected to the Pi via USB. The default username and password are “user” and “pass”.

The Bettercap Web UI is a rich, modern interface showing a lot of data. If a network has clients, you can drill down and view the details.

The Command section has a variety of commands based on the types of connectivity you are working with. In the WiFi commands, you have the ability to turn recon off and on, and deauth a BSSID. From the WiFi table, BSSIDs can be copied with a click.

You also have the ability to set up a fake access point and set its parameters there.

Bettercap has a Bluetooth recon section that I won’t go into detail on, but it is very interesting and worth mentioning.

Once Bettercap has captured a handshake, it saves it to the bettercap-wifi-handshakes.pcap file. This may contain one or several handshakes from one or more BSSIDs. This file can then be converted to the hccapx format that hashcat can read. You can use hashcat-utils or an online service. The key here is copying the pcap off the Pi Zero to a more powerful machine and running Hashcat on the handshake to crack it. There are even cloud based POCs if you don’t have a GPU that can handle Hashcat. Look around.

Mobile Use

Please see the original article at the end for a guide to setup Bluetooth. With Bluetooth you can pair the Pi Zero with a mobile phone and use an SSH client to control the Pi. You can also tether the Pi Zero to a Windows or Mac laptop using USB and use SSH and a browser to run the tools. This decouples the need for a compatible WiFi device and a Kali VM or dual boot setup. When there are a lot of passengers on the train, I enjoy plugging in my Pi Zero to the USB battery bank inside my backpack and connecting my mobile phone via Bluetooth and doing WiFi recon. It’s very inconspicuous; I’m just another passenger on their phone.

Final Thoughts

I hope this provides more utility to the Pi Zero W. I like to explore with Bettercap; its recon abilities are impressive, and the ability to run caplets is also impressive. There is even a pwnagotchi caplet to mess around with, so if you ever wanted to build one but never wanted to mess with an e-ink display, building this and running Bettercap with the right caplet essentially does the same thing. I hope you learn and grow and find a use for this tool in your toolbox.

Communication architect. Security dev and researcher. Infosec nerd. Linux enthusiast. All opinions and views are my own. Polite, professional, prepared.
