How to hack WiFi networks with mobile Raspberry Pi set?

secabit
6 min read · May 13, 2020

This article is for people experienced with wireless hacking; it does not teach the subject from the basics, so I assume you already have some knowledge of it. If not, search for the phrase ‘wireless hacking’ and come back, unless you’re just curious about the methodology.

Hacking wireless networks requires being close to the target. You can use a high-gain antenna, but someone can still easily spot you sitting with a notebook and strange things on your screen. To solve this problem I came up with a Raspberry Pi setup that can be hidden in your pocket.

Scheme of Raspberry Pi mobile hacking environment

The idea is a Raspberry Pi powered from a power bank, with an external WiFi adapter and antenna attached. But how do we control it? The internal WiFi interface can be configured as an access point; we then simply connect to that network from a smartphone with an SSH or VNC client installed. The diagram shows the concept.

Kali Linux is needed; if you do not know how to install it on the Raspberry Pi, check this tutorial. I will skip that process here.

Raspberry Pi configuration

Configuration of built-in network interface

The first thing we have to do is set a static IP address on the Raspberry Pi. Connecting through SSH is easier when we know the address in advance. To do it, edit the file /etc/network/interfaces.

nano /etc/network/interfaces

Then edit the content as below.

auto wlan0
iface wlan0 inet static
address 192.168.200.1/24
gateway 192.168.200.1

As you can see I’ve set the subnet to 192.168.200.0/24, because I don’t want any collision with the victim’s network. The probability that someone else has also chosen this subnet is low.

Raspberry as Access Point

Secondly, we need to configure the wlan0 interface as an access point, which means installing and configuring hostapd.

apt-get install hostapd

When the package is installed, create the file /etc/hostapd/hostapd.conf and paste the text below. If you know the channel of the victim’s network, change the channel in the file to a different one that is further away, so you do not share the same frequency band; for example, if the attacked network uses channel 3, set it to channel 11. Set ssid and wpa_passphrase as you want: ssid is the name of the network you will connect to from the mobile phone, and wpa_passphrase is its password. I’ve set the name to AndroidAP to make it unsuspicious (it looks like the default network name when a phone is used as a Wi-Fi hotspot).

# Wifi interface and driver to be used
interface=wlan0
driver=nl80211
# WiFi settings
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
macaddr_acl=0
ignore_broadcast_ssid=0
# Use WPA authentication and a pre-shared key
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# Network Name
ssid=AndroidAP
# Network password
wpa_passphrase=strong_pass

Set the default config of hostapd by editing the file /etc/default/hostapd and setting the DAEMON_CONF variable.

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Enable the hostapd service so it starts automatically when the Raspberry Pi boots (I had to unmask hostapd first).

systemctl unmask hostapd
systemctl enable hostapd
systemctl start hostapd

DHCP Server

To make life easier and avoid setting a static IP on the mobile phone every time it connects to the network, we set up a DHCP server.

apt-get install dnsmasq
mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig

Create the file /etc/dnsmasq.conf and paste the text below.

# Serve DHCP on the WLAN interface
interface = wlan0
# Do not serve DHCP on the wired interface
no-dhcp-interface = eth0
# IPv4 address range and lease time
dhcp-range = 192.168.200.100,192.168.200.150,24h

Before enabling the service, it is recommended to test the configuration.

dnsmasq --test -C /etc/dnsmasq.conf

The syntax check should succeed with “OK”.

Enable IP forwarding so the Raspberry Pi can act as a router between its networks: edit the file /etc/sysctl.conf and uncomment the line below.

net.ipv4.ip_forward=1

Restart and enable the dnsmasq service.

systemctl restart dnsmasq
systemctl enable dnsmasq

After following the instructions above you should be able to connect to the AndroidAP Wi-Fi network, receive an IP address and connect to the Raspberry Pi through SSH.
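Before trusting the setup in the field, it helps to check that the three pieces of configuration agree with each other. The Python script below is an added example of my own (not from the article): it parses constructed excerpts of the hostapd.conf and dnsmasq.conf shown above and checks that the DHCP pool lies inside the 192.168.200.0/24 subnet without handing out the Pi's own address, that the management AP (which carries your SSH session) is WPA2/CCMP with a passphrase hostapd will accept, and that the AP channel differs from a channel you want to stay away from. The excerpts, the ap_cidr parameter and the avoid_channel parameter are assumptions.

```python
import ipaddress

# Constructed excerpts of the two config files shown in this article (not read from disk).
HOSTAPD_CONF = """\
interface=wlan0
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ssid=AndroidAP
wpa_passphrase=strong_pass
"""
DNSMASQ_CONF = """\
interface = wlan0
no-dhcp-interface = eth0
dhcp-range = 192.168.200.100,192.168.200.150,24h
"""

def parse_kv(text):
    """Parse key=value lines; tolerate spaces around '=' (dnsmasq style) and skip comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip()
    return out

def check_setup(hostapd_text, dnsmasq_text, ap_cidr, avoid_channel=None):
    """Return a list of problems; an empty list means AP, DHCP and address config agree.
    ap_cidr is the static address from /etc/network/interfaces, e.g. 192.168.200.1/24."""
    ap, dm = parse_kv(hostapd_text), parse_kv(dnsmasq_text)
    pi = ipaddress.ip_interface(ap_cidr)
    problems = []
    if ap.get("interface") != dm.get("interface"):
        problems.append("hostapd and dnsmasq are bound to different interfaces")
    try:  # the DHCP pool must sit inside the Pi's subnet and must not include the Pi itself
        lo, hi = (ipaddress.ip_address(x) for x in dm.get("dhcp-range", "").split(",")[:2])
        if lo not in pi.network or hi not in pi.network:
            problems.append("dhcp-range lies outside the AP subnet")
        if lo <= pi.ip <= hi:
            problems.append("dhcp-range overlaps the AP's own address")
    except ValueError:
        problems.append("dhcp-range is missing or malformed")
    if ap.get("wpa") != "2" or ap.get("rsn_pairwise") != "CCMP":  # no WPA1, no TKIP
        problems.append("management AP is not WPA2/CCMP")
    if not 8 <= len(ap.get("wpa_passphrase", "")) <= 63:  # hostapd rejects anything else
        problems.append("wpa_passphrase must be 8-63 characters")
    if avoid_channel is not None and ap.get("channel") == str(avoid_channel):
        problems.append("AP channel equals the channel you wanted to avoid")
    return problems
```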

I would recommend installing an attack automation tool (e.g. Wifite).

apt-get install wifite

Of course you can do it with the aircrack-ng tools alone, but it is faster and simpler with a tool such as Wifite. With it you will not need to open several terminal windows and type long commands on a smartphone, which is uncomfortable.

Hacking

Once the Raspberry Pi is configured, we connect the remaining parts. I’m using a power bank with a capacity of 10 000 mAh, which should be enough for many hours of work. As the external WiFi adapter I’m using a TP-LINK TL-WN722N, which supports monitor mode and frame injection and is one of the most popular adapters for this job. After assembling the parts, we can connect to the Raspberry Pi from the phone.

Mobile Raspberry Pi Hacking Set

Configuration of the connection

When the Raspberry Pi is turned on we should see the AndroidAP wireless network and be able to connect to it. Of course, the internet will not be available through it.

We can use the JuiceSSH app for Android to connect to the Raspberry Pi through SSH. After installing it, configure the app as below and add an identity for the root user.

SSH connection configuration in JuiceSSH

Attack

Once the connection is added, switch to the Connections tab and tap the created connection to start it. Accept the host key verification; after a while you will be connected and able to execute commands on the Raspberry Pi. To start the attack with Wifite, use the command below.

wifite --showb

Wifite — list of wireless networks

Wifite will scan for nearby networks. When you see the victim’s network, press CTRL+C and enter the number of that network to start the attack. Wifite will automatically perform a deauthentication attack.

The capture of the handshake

After capturing the handshake, Wifite will try to crack it with a small password dictionary. Otherwise, you can later copy the handshake from the Raspberry Pi and try to crack it on a more powerful machine with Hashcat.

Handshake cracked with Wifite
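From the defender's side, the deauthentication burst that forces a fresh handshake is the loudest part of this attack: a real access point deauthenticates clients rarely and one at a time, while a capture tool sends dozens of deauth frames per second, usually to the broadcast address. The following sliding-window detector is an added example of my own (not from the article or from Wifite); it runs over a constructed list of management-frame records, and the timestamps, MAC addresses, one-second window and 20-frame threshold are assumptions, so tune them against a baseline of your own network.

```python
from collections import defaultdict, deque

# IEEE 802.11 management frame subtypes used below.
BEACON, DEAUTH = 8, 12
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample capture: (timestamp_s, subtype, src, dst, bssid). One beacon, then a burst
# of 40 broadcast deauth frames carrying the AP's address within 0.4 s, then one lone deauth.
AP = "aa:aa:aa:aa:aa:01"
FRAMES = [(0.0, BEACON, AP, BROADCAST, AP)]
FRAMES += [(1.0 + i * 0.01, DEAUTH, AP, BROADCAST, AP) for i in range(40)]
FRAMES += [(5.0, DEAUTH, AP, "bb:bb:bb:bb:bb:02", AP)]

def deauth_bursts(frames, window_s=1.0, threshold=20):
    """Report every BSSID that sees `threshold` or more deauthentication frames inside any
    `window_s`-second window. Returns a list of (bssid, burst_start_ts, frame_count,
    any_broadcast) tuples; any_broadcast is True when at least one frame of the burst was
    sent to ff:ff:ff:ff:ff:ff, which disconnects every client at once."""
    recent = defaultdict(deque)         # bssid -> timestamps of deauths in the current window
    broadcast_seen = defaultdict(bool)  # bssid -> did the current burst include a broadcast deauth
    alerts = []
    for ts, subtype, _src, dst, bssid in sorted(frames):
        if subtype != DEAUTH:
            continue
        window = recent[bssid]
        window.append(ts)
        broadcast_seen[bssid] |= dst == BROADCAST
        while window and ts - window[0] > window_s:  # drop frames that aged out of the window
            window.popleft()
        if len(window) >= threshold:
            alerts.append((bssid, window[0], len(window), broadcast_seen[bssid]))
            window.clear()              # count the next burst from scratch after alerting
            broadcast_seen[bssid] = False
    return alerts
```

On a live capture the same function can be fed records exported from a monitor-mode trace; a spike of broadcast deauths that precedes a successful reconnection of clients is the pattern to alert on.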

Summary

This article was written to show what is possible with a Raspberry Pi. The set lets you stay stealthy because it can be hidden in a pocket or under a jacket. A malicious person performing an attack would look like anyone else with a smartphone; everyone would assume they were checking social media rather than attacking a WiFi network. Remember that performing such tests without written permission is illegal. I hope the article made you curious and that you enjoyed it.


secabit

Hacker and an engineer interested in networks, electronics, programming, and many others.