Building a pwnagotchi: The little wifi-sniffing pet

Here is where I’d just started to learn the ropes with Linux OS. I was eager to find a small project to dig into new concepts while I was in Cybersecurity Bootcamp, and this fit the bill perfectly.

Pwnagotchi is a reinforcement-learning powered wifi-sniffer that intercepts WPA-key information passively, and through de-authentication attacks. This information is stored as PCAP files on the local SD card, and can be later processed by password-cracking programs like Hashcat.

It is built on:
-A Raspberrypi Zero W (You can also build it on more powerful models like Pi 3, 4, Zero 2, etc. But I wanted to keep it cheap)
-A Pisugar2 Battery Module
-A Waveshare e-ink display 2.13″ V3
-A microSD card of choice. (I used a 32GB, I don’t see myself needing anything more for something like this)
-A 3D printed case my buddy kindly printed for me.

The official documentation is available at:
https://pwnagotchi.ai/intro/

This guy has an excellent setup video.
https://youtu.be/gyKT_mASSuc?si=vZm2NoWGM7ifWDSK

-If anyone else decides to give this a go, remember to follow ALL instructions completely. I spent way too much time troubleshooting why I couldn’t download/update any packages to the pwnagotchi, only to find that the pwnagotchi image doesn’t preset your DNS settings for you.
-Also, if following the video pay special attention to the section on configuring the pwnagotchi as a network gadget so you can share your internet connection over the micro usb port! This will save you some headache, as the default way the device interacts with networks when powered on is to start pwning.
… On a similar note, make sure to whitelist any networks you don’t want receiving deauth attacks in the config.toml file. We had a few devices go offline during my “tinkering” phase, and my roommates all work from home. Oops!

Personally, I just find it fun to run around picking up handshakes as I go about my day. I was also able to learn a lot about hashcat and aircrack-ng by messing around on my home network.

The typical process once it’s all set up usually goes something like:
-Turn on Pwnagotchi.
-Wait for it to capture handshakes of devices connecting (or reconnecting after deauth).
-Power down when finished collecting.
-Connect data port (middle micro usb) of pwnagotchi to your PC.
-SSH in, cd to handshakes directory.
-Transfer files with FTP (OR use a GUI application like FileZilla if that is more comfortable)
-If you are on a Linux system, you would run hcxpcapngtool to convert the PCAP files into something that hashcat understands. Otherwise, they have also made the tool available via browser: https://hashcat.net/cap2hashcat/
-This should let you know if it was able to put together a complete handshake or PKID from the hash. You can also utilize Wireshark or something similar to dive a bit deeper into the pcap files if you want to learn more about the data you captured.
-Once you have a complete handshake, it’s time to run hashcat! The syntax of a hashcat command goes:
hashcat -a <$attack mode> -m <$hash_algorithm> <$hash (stdin/file)> <$dictionary>
There are a lot of ways you can change up your hashcat attack to improve chances of success. Since they’ll do a much better job of explaining that than I will, I’ll link that here:
https://hashcat.net/wiki/doku.php?id=hashcat
-If all goes well, you’ve cracked your first password! It took me a while, and a lot of experimenting before I got my first password cracked. It feels great to see it all work in action though.

This project gave me a lot of respect for how far modern-cybersecurity measures have come. I quickly came to realize that brute forcing a password is exponentially more resource heavy than I had assumed! Adding a mixture of different case-letters, numbers, and special characters can change the cracking time from under an hour to over a decade (by my graphics card’s capabilities). With enough time and dedicated hardware someone (or some organization) could crack most passwords.

Dictionary attacks would probably be my first “go-to” for password recovery, since brute forcing takes a long time. But as is the case with most things, it all depends on the situation! If you happen to have a rough idea of the password you are trying to recover, that could make it much faster. Additionally, my home network is WPA2, which uses the HMAC-SHA1. This means it has been “salted” with the SSID and some other handshake data and makes the calculable hashes unique to the network, rendering rainbow attacks less effective.

But now I understand, for most people it wouldn’t be worth the trouble. So don’t make yourself the low-hanging fruit with a simple or common password and you should be fine 🙂