
Weaponizing and Gamifying AI for WiFi Hacking: Presenting Pwnagotchi 1.0.0 - dyslexit
https://www.evilsocket.net/2019/10/19/Weaponizing-and-Gamifying-AI-for-WiFi-Hacking-Presenting-Pwnagotchi-1-0-0/#.Xas1JEBAewV.reddit
======
My approach to get into wifi networks is not as sexy or cute, but it works:

1) You need a device that can connect to wifi

2) Approach your neighbor/shop owner/coffee owner

3) Ask: "Can I connect to your wifi, please?"

4) It takes about 4-5 seconds to get the password to the ssid

5) Works on WPA2, WPA / TKIP/AES and WEP

6) Success rate: 70-80%

Cheers

~~~
bluegreyred
your sophisticated technique assumes social skills!

~~~
nothis
Ah, social engineering, the most elusive tech skill of all!

------
rhn_mk1
The fun part of this to me is all but the WiFi aspect. It has:

- a mesh-based social network
- a cute character
- a builtin game
- adjusts to the environment

It sounds like an awesome social game, even if it doesn't have any purpose,
and turning this into a mesh communication network would even give it an
aspect of usefulness. I can see two ways this could blow up:

- at big parties, think Burning Man or Chaos Communication Congress, where
people get embedded devices (like the CardIO) which encourage meeting others
- everyday, to find connections in unlikely places, with a similar app
running on your phone (the Librem5 would be a good starting point)

------
55555
What does this thing actually achieve? (If nothing, that's fine too. It's
cute, impressive, etc.) But if it can't actually get you onto wifi networks,
it seems like a weird project to spend so much time on. How often does it snag
a useable handshake?

~~~
gdy
So what is it? Fine or weird?

~~~
TheAceOfHearts
Yes, it is.

------
elif
I get that this thing's purpose is for fun and not so much cracking a lot of
networks, but I can't help but wonder how useful it would be to collate the
ssid/gps/key data for public consumption. Even reward pwnagotchis for
submission

~~~
latchkey
Wifi Chua is a human version of that. It is a public database of wifi
passwords that even integrates with iOS such that it will log you directly
into the network.

~~~
aphroz
It works very well in Vietnam, I didn't know it could work internationally.

------
sdan
So it finds Wifi passwords? Sorry, I didn't get what exactly this project is
getting at. A TLDR about what exactly it does would be a bit helpful.

~~~
mkagenius
Yes it can find passwords. First it kicks someone off the network by
pretending to be the router, then when the person tries to reconnect it sees
the handshake information and password.

~~~
the_pwner224
So WiFi authentication is trivially crackable? What should I do to protect my
network?

~~~
y4mi
Use enterprise authentication with PKI instead of PSK (you'll have to give
each device a certificate)

Everything else is trivial to compromise if a sufficiently motivated person
wants to access it.

~~~
nroets
A shared passphrase with sufficient entropy is not trivial to compromise [1]

My WiFi router was programmed with a 55 bit key in the factory. (Represented
as an 11-letter alphanumeric word).

[1]: https://hashcat.net/wiki/doku.php?id=combination_count_formula

~~~
y4mi
It is with the strategy used by this device.

You don't need to bruteforce the password if another device tells you what it
is.

Read the article if you don't believe it.

~~~
mlyle
The article is about collecting WPA handshakes.

WPA handshakes do not tell you the network password.

You use e.g. hashcat to brute force the network password using a stored
handshake.

~~~
y4mi
No, it's not.

As a previous comment had pointed out before as well:

You wait for handshakes, fake a deauth packet of the handshaking client, spoof
an access point with the same SID and wait for the deauth'd client to try a
reconnect.

Voila, cleartext PSK without any bruteforcing.

And it's not solvable either. You can't use fingerprinting as this would make
mesh lans and quick access point failover impossible.

~~~
mlyle
> spoof an access point with the same SID

Pwnagotchi does not do this, despite your errant assertions. E.g. source code:
https://github.com/evilsocket/pwnagotchi/blob/64e677f5df8f9bffd6fc56b71c94cbddc07c13e1/bin/pwnagotchi#L92

> Voila, cleartext PSK without any bruteforcing.

Pretending to be an access point and going through a handshake doesn't let you
retrieve the pre-shared key. (Unless the client is vulnerable to downgrade
attacks, which hasn't been a big consideration in more than a decade.) Evil
twin attacks are powerful but don't achieve what you say.

The station sends to the access point a message authentication code based on
nonces and the pairwise master key, which in turn is based on the "network
password". It's produced using a series of HMACs and isn't an operation that
can be inverted without brute force.

https://en.wikipedia.org/wiki/IEEE_802.11i-2004#/media/File:4-way-handshake.svg

------
yobananaboy
I've had one of these running since the first week evilsocket put the source
out. With $50 in parts from Amazon I was up and running with a battery-powered
unit within a few hours, which I ended up taking with me on vacation. The new
build process is extremely simple though, and I'm excited to see where this
project goes.

------
djmips
This is more like Pokepwn Go

------
carapace
> Each Pwnagotchi is also an end-to-end encrypted messaging device.

------
cryptofits
That's the first time I've seen your website. I didn't read the entire
pwnagotchi article yet but it looks great! Keep up the good work, projects
like these really motivate me to get into IT

