Weaponizing and Gamifying AI for WiFi Hacking: Presenting Pwnagotchi 1.0.0 (evilsocket.net)
336 points by dyslexit on Oct 20, 2019 | 51 comments



My approach to get into wifi networks is not as sexy or cute, but it works:

1) You need a device that can connect to wifi

2) Approach your neighbor/shop owner/coffee owner

3) Ask: "Can I connect to your wifi, please?"

4) It takes about 4-5 seconds to get the password to the ssid

5) Works on WPA2, WPA / TKIP/AES and WEP

6) Success rate: 70-80%

Cheers


At least in Europe, success rate is 10-20%. If you spend money, and we're talking 1-3€/hour, it reaches 80%-100%.

Public, municipality-sponsored Wi-Fi is usually a joke (slow, non-functioning, requiring you to like a certain Facebook page or follow a Twitter account, etc.)

In Greece I suggest trying the business's phone number; you can find it on discarded receipts on the ground or on tables.

It's always worth it to try and snoop the password hanging by the counter.

Other good combos are companynamewifi, wirelesscompanyname, wireless, internet, internet123.

t. scrooge that never wastes money on mobile internet subscription and survives on leeched public Wi-Fi


During my university years, back when having mobile Internet (or even a functioning smartphone) was somewhat uncommon, I managed to set up quite a collection of such Wi-Fi access points :). I'd casually ask people I spent time with for Wi-Fi access when the opportunity arose (I didn't have to invent a reason; there eventually always was a good one). Student life being what it is, I was often out and about at weird hours, so it sometimes happened that on the way from one place to another, I would detour to park my bike in front of some colleague's block of flats and use their Wi-Fi to sync my e-mails and conversations.


Your sophisticated technique assumes social skills!


Ah, social engineering, the most elusive tech skill of all!


Social engineering is also engineering. It can be very interesting to experiment with, reverse-engineer, and develop. I do not believe that devs lack social skills; it's just an area of engineering that we haven't touched properly yet.

Also when I see NLP, my first thought is Neuro-Linguistic Programming (https://en.m.wikipedia.org/wiki/Neuro-linguistic_programming) , not Natural Language Processing.


The North Wind and the Sun had a quarrel about which of them was the stronger...


Social engineering, huh? Reminds me of the xkcd cartoon with a $5 wrench https://xkcd.com/538/


The fun part of this to me is all but the WiFi aspect. It has:

- a mesh-based social network
- a cute character
- a builtin game
- adjusts to the environment

It sounds like an awesome social game, even if it doesn't have any purpose, and turning this into a mesh communication network would even give it an aspect of usefulness. I can see two ways this could blow up:

- at big parties, think Burning Man or Chaos Communication Congress, where people get embedded devices (like the CardIO) which encourage meeting others
- every day, to find connections in unlikely places, with a similar app running on your phone (the Librem5 would be a good starting point)


What does this thing actually achieve? (If nothing, that's fine too. It's cute, impressive, etc.) But if it can't actually get you onto wifi networks, it seems like a weird project to spend so much time on. How often does it snag a usable handshake?


So what is it? Fine or weird?


Yes, it is.


I get that this thing's purpose is for fun and not so much cracking a lot of networks, but I can't help but wonder how useful it would be to collate the ssid/gps/key data for public consumption. Even reward pwnagotchis for submission.


Wifi Chua is a human version of that. It is a public database of wifi passwords that even integrates with iOS such that it will log you directly into the network.


It works very well in Vietnam, I didn't know it could work internationally.


So it finds Wifi passwords? Sorry, I didn't get what exactly this project is getting at. A TL;DR about what exactly it does would be a bit helpful.


Yes it can find passwords. First it kicks someone off the network by pretending to be the router, then when the person tries to reconnect it sees the handshake information and password.


So WiFi authentication is trivially crackable? What should I do to protect my network?


Use enterprise authentication with PKI instead of PSK (you'll have to give each device a certificate)

Everything else is trivial to compromise if a sufficiently motivated person wants to access it.


A shared passphrase with sufficient entropy is not trivial to compromise [1]

My WiFi router was programmed with a 55 bit key in the factory. (Represented as an 11-letter alphanumeric word.)

[1]: https://hashcat.net/wiki/doku.php?id=combination_count_formu...


It is with the strategy used by this device.

You don't need to bruteforce the password if another device tells you what it is.

Read the article if you don't believe it.


The article is about collecting WPA handshakes.

WPA handshakes do not tell you the network password.

You use e.g. hashcat to brute force the network password using a stored handshake.


No, it's not.

As a previous comment had pointed out before as well:

You wait for handshakes, fake a deauth packet of the handshaking client, spoof an access point with the same SID and wait for the deauth'd client to try a reconnect.

Voila, cleartext PSK without any bruteforcing.

And it's not solvable either. You can't use fingerprinting as this would make mesh LANs and quick access point failover impossible.


> spoof an access point with the same SID

Pwnagotchi does not do this, despite your errant assertions. E.g. source code: https://github.com/evilsocket/pwnagotchi/blob/64e677f5df8f9b...

> Voila, cleartext PSK without any bruteforcing.

Pretending to be an access point and going through a handshake doesn't let you retrieve the pre-shared key. (Unless the client is vulnerable to downgrade attacks, which hasn't been a big consideration in more than a decade.) Evil twin attacks are powerful but don't achieve what you say.

The station sends to the access point a message authentication code based on nonces and the pairwise master key, which in turn is based on the "network password". It's produced using a series of HMACs and isn't an operation that can be inverted without brute force.

https://en.wikipedia.org/wiki/IEEE_802.11i-2004#/media/File:...



Isn't that link telling people how to crack a password?

What can we glean about how to secure a password?


WPA2 cracking is usually done with rainbow tables generated based on some dictionary and its mutations; basically, don't have a dictionary password and you should be secure from /most/ attackers.


Your password should be made up of dictionary words though. If you do the math, an 8-word sentence from the 10k most common words (just lowercase) is equivalent to a 16-character password from a full set of 100 characters and far easier to remember. Use some exotic words and punctuation and have a few random special characters in there and it is far, far superior. WPA2 has a minimum of 8 characters and would take the same time to check every character as it would to check all combos of 4 lowercase words from the 10k most common set.


WiFi passwords aren't typed in frequently and can trivially be written down on the home router itself; CorrectHorseBatteryStaple has lower entropy than a random one of a bit smaller length.


Wifi passwords are typed all the time if you have any friends that come over. And typing randomly generated special characters on a mobile device is especially awful.


No, they aren't if you create a nice QR code for people to scan.


You should have your friends on a guest network instead, have this on a DMZ, and tell them to use a VPN over such guest network.


Rainbow tables aren't really applicable to WPA2 due to the way offline cracking is done.

You would have to pre-generate them for each possible SSID. You're much better off using a small targeted dictionary with rules.


You are absolutely correct; it's indeed usually dictionary-based, but there are rainbow tables as well: http://www.renderlab.net/projects/WPA-tables/
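As an added example (not code from the thread or from the Pwnagotchi project), the following Python script derives the WPA2-Personal PMK the way 802.11i specifies it, which is why the SSID acts as a salt and any precomputed table is tied to one SSID as the comment above says, and it works through the passphrase-entropy comparisons made earlier in this thread. The passphrase and SSID strings fed to it are constructed; the word-list and character-set sizes are the thread's own figures.

```python
import hashlib
import math

# Added example, not code from the thread or the Pwnagotchi project: WPA2-Personal
# key derivation and the passphrase-entropy arithmetic argued about above.
PBKDF2_ITERATIONS = 4096  # fixed by IEEE 802.11i for WPA/WPA2-PSK
PMK_BYTES = 32            # the PMK is always 256 bits, whatever the passphrase


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key: PBKDF2-HMAC-SHA1 with the SSID as salt.

    A captured 4-way handshake only lets a verifier check whether a candidate
    passphrase reproduces its MIC; nothing in it inverts to the passphrase.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_BYTES)


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """The SSID acts as the salt, so a precomputed (rainbow) table is only valid
    for the single SSID it was generated for."""
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices;
    a word list is just a large alphabet."""
    return length * math.log2(alphabet_size)


def effective_bits(alphabet_size: int, length: int) -> float:
    """Offline guessing is bounded by the passphrase, never by the 256-bit PMK."""
    return min(entropy_bits(alphabet_size, length), 8.0 * PMK_BYTES)


def compare_schemes() -> dict:
    """The passphrase schemes compared in the thread, in bits of entropy."""
    return {
        "8 words / 10k-word list": entropy_bits(10_000, 8),
        "16 chars / 100-symbol set": entropy_bits(100, 16),
        "4 words / 10k-word list": entropy_bits(10_000, 4),
        "8 chars / 95 printable ASCII": entropy_bits(95, 8),
        "11 chars / 36 alphanumeric": entropy_bits(36, 11),
    }


if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex())  # IEEE 802.11i Annex test vector
    print(pmk_depends_on_ssid("correcthorsebatterystaple", "HomeNet", "Shop-WiFi"))
    for name, bits in compare_schemes().items():
        print(f"{name:30s} {bits:6.1f} bits")
```

The 8-word and 16-character schemes come out at the same 106.3 bits, and 4 words versus 8 printable characters land within a bit of each other, which is the arithmetic behind the claims above.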


As much as a tutorial on how leaving your front door open lets burglars in your house.


It does NOT see the plaintext password [0].

A sufficiently high entropy password will keep you secure against this attack.

0. https://security.stackexchange.com/questions/66008/how-exact...


I've had one of these running since the first week evilsocket put the source out. With $50 in parts from Amazon I was up and running with a battery powered unit within a few hours, that I ended up taking with me on vacation. The new build process is extremely simple though, and I'm excited to see where this project goes.


This is more like Pokepwn Go


> Each Pwnagotchi is also an end-to-end encrypted messaging device.


That's the first time I've seen your website. I didn't read the entire pwnagotchi article yet but it looks great! Keep up the good work; projects like these really motivate me to get into IT.


[flagged]


Therefore let's flag any content that mentions it on public forums, so only the bad guys keep doing it completely unchecked as they have been for over a decade, and we continue not doing anything about actually fixing it?

Hey let's ban all youtube content about the use of tools like ettercap while we're at it.

In fact let's just make any research or discussion of security and pentesting illegal and bury our heads in the sand.


From the article: "ESP based deauthers, to name one, always existed. Don’t yell at us “OMG they’re deauthing all over the city!!!”. Despite this stuff always existing, nobody bothered updating to technologies that work better and are more secure. That is the people you should be yelling at."

I'm not saying you're wrong, or that they're right. However, it seems to me that there has to be a middle ground between draconian signed blobs (which I'm not convinced will solve much for long, either) and the silliness that is the current state of things. Deauths have been used in so many wifi cracking schemes over the years and the fact we still don't seem to care about them (or treat them as harmful interference and blame the device) is getting silly.


802.11w has existed for a while, consumer routers not supporting it is what we should blame.


That's the point? You are not being a whiz-bang whitehat running around your neighborhood sending deauths. That is not a novel attack or research. Nothing is being learned. You are just a lowlife script kiddy fucking with the devices of your neighbors.

It's like running a GPS jammer from your car battery because "wow, GPS is so insecure and easily jammed at -90dB SNR!".


To be fair, GNSS integrity should be a consumer feature.


Ironically you are trying to censor hacking from hacker news.

If you follow the point logically then surely you feel the same about the entire scope of computer security - "If it can be abused, then it must be flagged and removed", no?

I feel that this is a dangerous attitude that promotes ignorance and forbidden knowledge.


This is not "hacker" news, as in illegal hacking; this is hacker news as in the old-school definition of hacking whereby you'd self-learn and figure things out... the word hacker in this context doesn't condone illegal activities.


> whereby you'd self-learn and figure things out

Which the author of this submission did. Fearmongering about the unethical motives one might have about a vulnerability that is now about two decades old seems pretty pointless. I don't particularly enjoy the hackfluencer style of writing of the post or condone what it's supposed to do but it's at least an interesting read. Let's face it, you can get an ESP deauth image in 5 minutes if you have malicious intent, you wouldn't bother to go into the depth the author did here, which makes it interesting and imho relevant to this site.


Aye, has parent read any hacking zines?


There is an option to turn off the deauthing. But I don't believe it is off by default.


Maybe that is the point. Perhaps a more well thought out strategy for the long-term security profile for router updates should, by default from firmware update, be made to deny deauth. However, this fact would also be lost on us if we weren't updated with a warning on the router admin page. Which, by the way, anyone can get to. That is, if the router admin page's IP is known. Otherwise, you'll need to pack a lunch. Because it'll be a while if you have to type in each private IP, or if an 11-digit phrase with some capitalized letters & special characters is set for the password.

You are arguing on the knowledge that the rest of us would like to know about. So, you should take your argument to the FCC, or the entity that owns the page you're at & let the class continue.

You know, book burning went out with the digital age?

I believe everyone should get their say. Within reason. Would you have struck down any legalization of your own rights? Well, now you are, to ours. There are venues to continue this & maybe even have your points be heard.

Thank you.



