Would you like to have a portable WiFi capture tool that fits in your pocket? A device that saves PCAP captures to a micro SD card so you can later review them in Wireshark or crack those WPA / WPA2 passphrases. It sounds like something out of the NSA spy WiFi toolset, but it's very easy to set up with the ESP32 WiFi Hash Monster and the $65 M5Stack CORE IoT Development Kit.
The Hash Monster
If you are now thinking it looks similar to the Pwnagotchi project, that is no coincidence: G4lile0, the author of Hash Monster, was inspired by it to make an alternative that runs on the M5Stack Development Kit, an ESP32 powered portable platform. ESP32 is a series of dual-core, up to 240 MHz, low-cost, low-power system-on-a-chip microcontrollers with integrated Wi-Fi and dual-mode Bluetooth/BLE.
Pwnagotchi is a Tamagotchi-like device powered by bettercap and running on a Raspberry Pi Zero W that learns from its surrounding WiFi environment in order to maximize the crackable WPA key material it captures (either through passive sniffing or by performing deauthentication and association attacks). This material is collected on disk as PCAP files containing any form of handshake supported by hashcat, including full and half WPA handshakes as well as PMKIDs. Put briefly, it's a Tamagotchi that eats WiFi handshakes to be happy.
Hash Monster runs on a smaller and cheaper platform that is superior to the Pwnagotchi in several aspects. While Pwnagotchi is based on the Raspberry Pi Zero and requires assembling a DIY kit with various components such as an eInk screen and an external power bank, the Hash Monster works directly on the tiny M5Stack device. M5Stack couples an ESP32 with a small LCD display, buttons and an internal battery. It is a modular, stackable, scalable and portable device powered by an ESP32 core, which makes it open source, low cost, full-featured and easy for developers to use for ESP32 IoT product development. You can program the M5Stack through Arduino, C++, Blockly or MicroPython, to name a few. The complete M5Stack development kit comes at a friendly price with full-featured resources, which makes it a good starter kit for exploring the ESP32. While the M5Stack includes a built-in 110 mAh battery, it can be upgraded with a stackable 700 mAh LiPo battery extension module.
What Pwnagotchi and Hash Monster have in common is that both capture PSK handshakes from WPA / WPA2 networks as well as the PMKID hashes that access points expose in their frames. A great advantage of PMKID cracking is that everything you need is available over the air even if there are no stations connected, and only a single captured packet is required. Later we can crack these hashes with standard tools such as aircrack-ng or hashcat, and thus obtain the credentials. Of course, we should only do this on networks that we manage ourselves or that we have permission to audit.
The process.
Hardware requirements:
- M5Stack CORE 2 Development Kit with built-in 110mAh Battery ($65)
Optionally:
- Extended Battery M5Stack Core Development Kit Capacity 700mAh Stackable Module (USD$18)
- Smart Watch Module with 700mAh Battery for M5Stack ESP32 Core ($25)
The software installation is pretty straightforward:
1. Set up the Arduino IDE environment.
M5Stack Arduino IDE Setup in 5 minutes https://www.youtube.com/watch?v=U2es-l4z2Zg
2. Add the M5Stack / ESP32 library (read the M5Stack documentation, it's pretty solid as far as installation goes).
3. Git clone G4lile0's code:
https://github.com/G4lile0/ESP32-WiFi-Hash-Monster
4. Compile and upload the sketch to the M5Stack.
5. Go handshake/PMKID fishing.
6. Review the captures.
Hash Monster saves the files on the micro SD card in pcap format, so they can be used directly by most network analysis tools. The files are saved sequentially with the pattern 1.pcap, 2.pcap, etc.
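One way to triage those pcap files before opening them in Wireshark, as an added Python example that is not part of the Hash Monster project: it parses the classic pcap container (assuming the captures use the raw 802.11 or radiotap link type) and counts beacon and EAPOL handshake frames. The embedded sample capture is constructed for the demonstration; pass a real file path to inspect a capture from the SD card.

```python
"""Triage a Hash Monster pcap: count beacon and EAPOL frames (sample data is constructed)."""
import struct
import sys

PCAP_MAGIC, LT_80211, LT_RADIOTAP = 0xA1B2C3D4, 105, 127
EAPOL_ETHERTYPE = b"\x88\x8e"

def iter_frames(data):
    """Yield raw 802.11 frames from a classic little-endian pcap byte string."""
    magic, *_, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype not in (LT_80211, LT_RADIOTAP):
        raise ValueError("expected a classic pcap with 802.11 or radiotap link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LT_RADIOTAP:  # strip the variable-length radiotap header
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        yield frame

def summarize(data):
    """Return counts of beacon, EAPOL (4-way handshake) and other frames."""
    counts = {"beacon": 0, "eapol": 0, "other": 0}
    for f in iter_frames(data):
        if len(f) < 24:
            counts["other"] += 1
            continue
        ftype, subtype, flags = (f[0] >> 2) & 3, f[0] >> 4, f[1]
        hdr = 24 + (2 if subtype & 8 else 0) + (6 if flags & 3 == 3 else 0)  # QoS / addr4
        if ftype == 0 and subtype == 8:
            counts["beacon"] += 1
        elif ftype == 2 and not flags & 0x40 and f[hdr + 6:hdr + 8] == EAPOL_ETHERTYPE:
            counts["eapol"] += 1  # unencrypted data frame whose LLC/SNAP ethertype is EAPOL
        else:
            counts["other"] += 1
    return counts

def build_pcap(frames, linktype=LT_80211):
    """Constructed test data: wrap raw frames in a classic pcap container."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out

BSSID = bytes.fromhex("02aabbccddee")  # constructed, locally administered address
BEACON = b"\x80\x00\x00\x00" + b"\xff" * 6 + BSSID * 2 + b"\x00\x00" + bytes(12) + b"\x00\x04demo"
EAPOL = (b"\x08\x01\x00\x00" + BSSID + bytes.fromhex("021122334455") + BSSID + b"\x00\x00"
         + b"\xaa\xaa\x03\x00\x00\x00" + EAPOL_ETHERTYPE + b"\x02\x03\x00\x5f\x02")
SAMPLE_PCAP = build_pcap([BEACON, EAPOL])

if __name__ == "__main__":
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(summarize(src))
```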
Cracking notes: Aircrack & hashcat.
To complete this tutorial, we will try dictionary attacks against a handshake file from Hash Monster. We will do this with two well-known tools, Aircrack-ng and Hashcat, which rely on CPU and GPU power respectively. We will run these tools from Linux, although both are also available for Windows. Remember to use recent versions to benefit from the PMKID attack in addition to the traditional cracking of handshakes.
Aircrack-ng can be used for very basic dictionary attacks running on your CPU. Before you run the attack you need a wordlist. I recommend using the infamous rockyou dictionary file:
# download the 134MB rockyou dictionary file
curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt
Note that if the network password is not in the wordlist you will not crack the password.
# -a2 specifies WPA2, -b is the BSSID, -w is the wordfile
aircrack-ng -a2 -b AC:FC:E3:C9:AB:C0 -w rockyou.txt 3.cap
If the password is cracked you will see a KEY FOUND! message in the terminal followed by the plain text version of the network password.
Cracking a long WiFi password by brute force without GPUs or cloud help will be a nightmare, but if the password is short or you know the key pattern it will be "easily" cracked.
Here is a small guide for Linux (Ubuntu) to crack the WiFi password on your computer using the files stored on the SD card of the Purple Hash Monster.
First we need to install hashcat:
sudo apt-get update
sudo apt install hashcat
The EAPOL/PMKID captures stored on the SD card are pcap files; we have to convert them to hccapx format to work with hashcat. In a terminal, from the directory where we have the pcap file from the SD card:
wget https://raw.githubusercontent.com/hashcat/hashcat-utils/master/src/cap2hccapx.c
gcc -o cap2hccapx cap2hccapx.c
./cap2hccapx 1.pcap 1.hccapx
For example, if we know that the WiFi password has a length of 8 digits we can run the following command, and in a few seconds we will have the WiFi password :)
hashcat --force -m 2500 -a 3 -1 ?d -o cracked 1.hccapx ?1?1?1?1?1?1?1?1
Final notes
Although in my case I use the M5Stack exclusively for the pocket Hash Monster, there are several other projects that run on the M5Stack, and you will certainly want to take a look at them if you are interested in WiFi and Bluetooth security tools for this platform.
M5 Stack WiFi SSID Scanner by Elkentaro
https://github.com/elkentaro/M5_SSID_scanner_collector
Covid Sniffer: a BLE COVID exposure app sniffer for the M5Stack that uses Bluetooth LE to detect and record the unique user ID broadcast by every other Covid-19 exposure app around you.