Spying Wi-Fi on the Raspberry Pi Zero - Educational Article

Why are we going through this again?

Wi-Fi Hacking on the Raspberry Pi Zero

The Raspberry Pi Zero is a very versatile device that can offer a wide range of features for a Raspberry Pi at its low end. We'll look at how to integrate more features and what you get as a result. This isn't a "how to" tutorial for Wi-Fi penetration checking, so we'll go over the features and how to use the Pi Zero correctly in various situations.

The content of the article is educational. Do not disobey the rules.

Setup and Guidelines

You'll need a Raspberry Pi Zero W (From Raspberry Pi Official Partner), a good case, a robust micro USB cable, and a USB battery bank. You'll also need a Micro SD Card; for all Raspberry Pi ventures, This project costs approx. $55 on the high end, but I'm sure you have a cable and maybe a small USB battery bank lying around. 

Important Update: 

Competition for Young Makers in China and the United States in 2021

The configuration is somewhat similar to what I mentioned in my previous article about the Pi Zero W Wi-Fi hacking system. Raspbian Lite is used to image the SD Card. Configure the boot partition for NDIS/Ethernet Gadget link without a display. Circuit Basics has a decent guide, but basically, update config.txt and add dtoverlay=dwc2 to the end of the file, in addition to adding an ssh file to boot. Bear in mind that this file is in LF format. After rootwait, edit cmdline.txt and add modules-load=dwc2,g ether. Attach the SD Card and link the Pi to your device with the USB cable. If you're using a Windows PC, you'll need to update Bonjour so you can locate the Pi by typing raspberrypi.local into your browser. (Macs have this capability by default.)

Finding your Pi using raspberrypi.local

We'll SSH into your Pi and configure a static IP for the USB network once you've located it. We'll assign a static in /etc/network/interfaces. Adafruit has a decent guide, but it's lacking certain configurations. Test your IP setup with your new USB network with ifconfig.

configuration for your current USB network

Type sudo nano /etc/network/interfaces to set the fixed address.

Copy and paste the following configuration at the bottom of the file:

Configure the fixed address

Exit to save your job. Now type sudo nano /etc/resolv.conf to complete the process.

Exit and save after changing the nameserver's IP to a legitimate DNS server (like your PiHole). Restart your Raspberry Pi.

Adjust your Ethernet Gadget's IPv4 address and gateway IP to 192.168.7.1 and ping 192.168.7.2.

Change the IPv4 address and gateway IP

We should be able to resolve external IP addresses as well.

resolve external IPs

Keep running on the Wi-Fi Gadget. Set localization, extend the file system, and set the GPU memory with raspi-config. Restart the computer.

Rasbian should be revised.

sudo apt-get update && sudo apt-get upgrade

For Raspberry Pi, mount the Re4son kernel (kalipi) 

wget -O re4son-kernel_current.tar.xz https://re4son-kernel.com/download/re4son-kernel-current/tar -xJf re4son-kernel_current.tar.xz
cd re4son-kernel_4*
sudo ./install.sh

Edit rc.local to build a monitoring interface (mon0). sudo nano /etc/rc.local

sudo iw phy phy0 interface add mon0 type monitor
sudo ifconfig mon0 up

Exit, save, and then restart. Type ifconfig to see if mon0 is active.

Tool Installation (and Also use)

Aircrack-ng and Bettercap are the two key tool sets we will use for the Wi-Fi Gadget. Each method has some overlap depending on the goal, but they are both effective and useful. Since Aircrack has been around for a long time and has been a part of Kali for a long time, there are a lot of tools about how to use it for various tasks. 

The installation of aircrack-ng is fairly easy. Install the aircrack-ng release using the package manager.

curl -s https://packagecloud.io/install/repositories/aircrack-ng/release/script.deb.sh | sudo bashsudo apt install aircrack-ng

Here's a nice post about how to get started with aircrack-ng. Essentially, you have some attack choices, but you want to use the Pi Zero to grab a handshake, then pass the caught handshake off the Pi to a more powerful device for cracking using SCP.

To stop any processes that could interfere with aircrack, run sudo airmon-ng search kill. The wpa supplicant method is typically to blame. To see all of the APs and clients that the Pi can reach, run sudo airodump-ng mon0. By breaking out of the scan and running a new scan with switches refining the check to a channel and BSSID like sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one The -c option stands for "channel," — bssis is a basic BSSID, and -w is the file name prefix for the authentication handshake file.

Running airodump-ng targeted at a specific channel and BSSID

You will have a.cap file if you are good. There will also be logs and CSVs containing information from the recon.

airodump-ng

You can now cram the handshake with aircrack-ng and the cap register. This isn't what I'd do for a Pi Zero! It could be transferred to a more powerful machine and used in combination with John the Ripper.

The more strength behind the crack attempt, the further it can go, so running it on a Raspberry Pi Zero is a bad idea.

Bettercap

Bettercap is a more recent and robust tool. You may use a shell or a web interface to run it. It's simple to connect it to a laptop with a static IP on the USB port. I still want to use SSH over Bluetooth to run it from my laptop.

Install the Bettercap prerequisites:

sudo apt install build-essential libpcap-dev libusb-1.0 libnetfilter-queue-dev git

You'll still need a well set-up Go environment. Here's a decent script that will do the trick.

wget -q -O - https://git.io/vQhTU | bash

After you've compiled Go, you should move on to compiling Bettercap:

go get github.com/bettercap/bettercap
cd $GOPATH/src/github.com/bettercap/bettercap
make build
sudo make install

Install the new capletes and web UI after Bettercap is installed: sudo bettercap -eval “caplets.update; ui.update; q”

Run sudo bettercap -caplet https-ui and link to https://192.168.7.2 in a browser on the computer connected to the Pi via USB to allow remote UI access. “user” and “pass” are the default username and password. 

Bettercap WiFi Web UI

The Bettercap Web UI is a sleek, rich interface that shows a lot of details. You can dig down and display the specifics of a network if it has clients.

Client info for a BSSID, note that a Vendor has been populated for a known OUI.

There are a lot of commands in the Command section depending on the kind of communication you're dealing for. You may use the WiFi commands to transform recon on and off, as well as deauth a BSSID. BSSIDs can be copied with a click from the WiFi table.

Point and click deauth.

You can also create a fake access point and customise the parameters there.

Some of the Fake AP parameters.

I won't go into depth about Bettercap's Bluetooth recon segment, but it's really interesting and worth noting.

BLE recon page.

Bettercap transfers handshakes to the bettercap-wifi-handshakes.pcap file until they've been registered. This may be one or two handshakes from various BSSIDs. This file can then be translated to the hccapx format, which is supported by Hashcat. You may use hashcat-utils to do this.

The trick is to copy the pcap from the Pi Zero to a more efficient computer and use Hashcat to break the handshake. If you don't have a GPU that can handle Hashcat, there are also cloud-based POCs. Take a look around.

Usage of a Mobile 

A reference to setting up Bluetooth can be found at the bottom of the original post. You can use an SSH client to control the Pi Zero by pairing it with a mobile phone via Bluetooth. You can also connect the Pi Zero to a Windows or Mac laptop via USB and run the tools using SSH and a browser. This eliminates the need for a Kali VM or dual boot configuration as well as a compatible WiFi system. When there are a lot of people on the train, I like to connect my Pi Zero to the USB battery bank in my backpack and do WiFi recon by attaching my phone via Bluetooth. It's unobtrusive; I'm just another commuter chatting on their phone.

Thoughts for the End

I'm hoping that the Pi Zero W would be more useful as a result of this. I enjoy exploring with Bettercap because its recon abilities are impressive, as is its ability to run caplets. There are also pwnagotchi caplets to play with, so if you've always wanted to make one but don't want to bother with an e-ink show, making this and running Bettercap with the appropriate caplet is basically the same thing. I hope you learn and expand from this experience, and that you find a need for this tool in your toolbox.

Also Check: