What is a Pwnagotcchi ?
A pwnagotchi is a Tamagotchi like digital toy,but it feeds on Wi-Fi handshakes.The pwnagotchi is made with the help of a raspberry pi zero. It sniff around for the Wi-Fi signals around it and deauthenticate the client from the access point and captures the handshakes while they try to reconnect. This handshakes will be saved as a .pcap file which can later be decrypted into plain text.This paper is to show why we should be carefull while connecting to public Wi-Fi or unknown access point and why it is important to use a strong password.
UNDERSTANDING WHAT IS WI-FI
Wi-Fi or wireless fidelity is a wireless networking technology which allows devices to interface with the internet without any wires, devices are connected to the internet through a wireless router which uses radio frequency to transfer data, which act as the access point (AP) to the devices. WI-FI allows local area networks (LANs) to operate without cables and wiring, so it became a popular choice for business and home uses since we can connect our devices from anywhere in the range of the router to the internet without wires which gives us a freedom to move around.
HOW THE NAME WI-FI
Wi-fi was developed in 1997 by organisation called IEEE with its first standard 802.11 its speed was 2Mbps. In 1999, the Wi-Fi alliance formed as a trade association to hold the Wi-Fi trademark under which most products are sold. The name Wi-Fi, commercially used at least as early as August 1999, was coined by the brand-consulting firm
Interbrand. The Wi-Fi Alliance had hired Interbrand to create a name that was “a little catchier than ‘IEEE 802.11b Direct Sequence.’ ” Phil Belanger, a founding member of the Wi-Fi Alliance who presided over the selection of the name “Wi-Fi,” has stated that Interbrand invented Wi-Fi as a pun upon the word hi-fi. Interbrand also created the Wi-Fi logo.
HOW DOES WI-FI WORK
We know that we can send data through a Wi-Fi network, and it uses radiowaves to send and receive data between the router. These are measured in Gigahertz.
Imagine we are sitting at the beach and counting the waves crashing on the shore, the time between each wave crash is called the frequency of the waves. Let’s assume time taken between each wave to hit the shore is one second, that second is calculated in Hertz, ie 1 Hertz =1 second so 1 Gigahertz = 1 Billion seconds.
Wi-Fi uses 2.4 or 5 Gigahertz per second. That is why our Wi-Fi’s are so fast in transferring data even without any physical medium.
WI-FI SECURITY WITH WPA AND WPA2
The number of devices using wifi technology is increasing day by day and the security of these devices should be a great concern. When more number of devices are using Wi-Fi, the weakness in the wi-fi system can cause a lot of trouble. So it is very important to protect and secure the devices using Wi-Fi for the better functionality of the device and for the protection of data and the network and the user or the client. In order to protect the data transferred through the Wi-Fi the idea of encryption of data was introduced, WEP(Wired Equivalent Privacy) was the original standered encryption for wireless but since 2001 security issues are known on this and can be cracked in less than 1 minute.so later WPA (Wireless Protected Access) was introduced and to replace WEP,WPA uses TKIP(Temporal Key Integrity Protocol) for encryption, later vulnerabilities was found in the TKIP and WPA2 was introduced which uses AES(Advanced Encryption Standard) which is believed to resist a bruteforce attack.
COMMON TYPES OF WI-FI ATTACK
Packet sniffing:-It is relatively a small computer programs that can monitor traffic on a given network. They can also intercept some data packages, and provide info about their contents. These types of programs can be used in a non-malicious way, simply to gather data about traffic. Some are also capable of introducing errors, to test out whether or not the network is able to handle them.
-Rouge Access point:- There are a number of threats that fall into this category, but for the sake of clarity, we will include only the most straightforward form of rogue Wi-Fi networks. Basically, what it involves is a hacker setting up a Wi-Fi network that looks legitimate, or perhaps even mimics a trusted network. You may recognize such fake networks because they mention something that makes them look appealing like “Free Access” or “No Password.” Avoid these networks as much as possible. If you are accessing a public Wi-Fi in a public place or restaurant, they will have a password in place for customers..
-Jamming or DOS :-When many number of packets are sent to a access point it won’t be able to function properly.
- Evil Twin:- An evil twin is very similar to a rogue AP, but it’s much more sophisticated when it comes to masking its purpose. Evil twins are designed to look, and act exactly like a legitimate AP. Hackers can clone an AP you know and trust, and create one that is identical. When you connect via this AP, you’re actually connecting to the evil twin, which then proceeds to send info to the hacker. Wi-Fi networks are extremely vulnerable to these types of attacks.
A Pwnagotchi is an A2C-based AI(artificial inteligance), powered by a tool bettercap (made by evilsocket).It has 3 modes “manu” ,”auto” and “AI”, manual mode is used to retrieve the handshakes captured by the pwnagotchi. In auto mode the pwnagotchi does it’s job smoothly, it listens to it’s environment and looks for wifi singnals and sends deauthentication signal to the AP(access point) and the clients connected to the AP gets disconnected and the client device immediately tries to reconnect but the pwanogotchi listens to the handshake and captures it and save sit in a “.pcap” file in the root directory.In AI mode the pwanogotchi learns about the wifi signal and the captured handshakes and cracks the wifi handshakes in a better way day by day
Components required to make an pwanogotchi are a Raspberry pi zero WH (W stands for wifi enabled, H stands for pre soldered hedder pins),a E-ink display, a memory card (minimum 8 GB),a good card reader, data cables.
WPA is not secure and WPA2 is also not secure if you don’t have a good strong password but it’s everywhere so pwnnagotchi feeds on these wifi handshakes.
In order to understand how this hardware is able to capture handshake it will be helpful to know how handshakes are used in WPA/WPA2 wireless protocol.Let’s assume that our laptop or mobile phone is trying to connect to a WI-FI network and is able to securely transmit to and receive data from that access point, because of a process called the 4-Way Handshake. A 4-Way Hand needs to happen in order for the WPA encryption keys to be generated. This process consists of the exchange of four packets (hence the “4” in “4-Way”) between the client device and the Access point; these are used to derive session keys from the access point’s Wi-Fi password. Once the packets have been successfully exchanged and the keys are generated, the client device is authenticated and can start sending and receiving data packets (now secured by encryption) to and from wireless AP.
So…what’s the catch? Well, these four packets can easily be “sniffed” by an attacker monitoring nearby environment (in our case, with a Pwnagotchi ). And once hand shake is captured, that attacker can use dictionary or bruteforce attacks to crack the handshakes and recover the original WiFi key.As a matter of fact, successful recovery of the Wi-Fi key doesn’t necessarily even need all four packets! A half-handshake (containing only two of the four packets) can be cracked, too — and in some other (most) cases, just a single packet is enough, even without any clients.
In order to eat collect as many of these crackable handshake packets as possible, Pwnagotchi uses two strategies:
1. Deauthenticating the client stations it detects. A deauthenticated device must reauthenticate to its access point by re-doing the 4-Way Handshake process with the AP, thereby giving Pwnagotchi another chance to sniff the handshake packets and collect more crackable material.
2. Sending association frames directly to the access points themselves to try to force them to leak the PMKID of the device.
3. All the handshakes captured by our pwnagotchiiii are saved to a .pcap file in the file system of the pwnagotchi it can be copied from there and the handshakes captured can be cracked with proper hardware and software.
To demonstrate this process let’s set up a personal testing lab setup. I have setup a personal Wi-Fi access point “Hidden network” and I am going to power up the pwanogotchi. After some time the pwonogotchi might have captured the wifi handshakes. To see these let’s connect the device to our computer using the data port and SSH into it.
Then go to the handshakes directory and copy the files to the pi directory so that we can copy the .pcap files to our machine and we can test a bruteforce attack on it
Eventhough our intention was to test only the setup lab wifi, the weakly protected wifi signals in the environment was also captured by the pwanogotchi.Copy only the file we need ie, “Hidden network” to the pi directory.
Now we have the .pcap file,let’s take it to the kali linux operating system, there we have sophisticated tools for this purpose.
The handshake contains many information about your Wi-Fi network which can be used by hackers.
to do further attacks on your Wi-Fi network. It can be brute forced easily. Let’s see that on our test file itself.
Here we used a custom wordlist to crack it for the demonstration purpose. All it took was less than a second to brute force the .pcap file and we got the password.
Perfect security is a myth,but it is our responsibility and right to be safe in this digital century.
- Change the default name of your home Wi-Fi.
- Make your wireless network password unique and strong.
- Enable network encryption.
- Turn off network name broadcasting.
- Keep your router’s software up to date.
- Make sure you have a good firewall.
Use VPNs to access public network