02/07/2024

How to Build Your Own Pwnagotchi (Cute AI Powered WiFi Hacking Tool)

By snorlaxprime

Since I am taking a course in cyber security, building some of the recon tools myself helps with understanding them, and one of those tools is the rather cute Pwnagotchi. I know this is nothing new; it has existed since the original Raspberry Pi Zero, which launched a few years ago. But I have only just come across it, and fell in love with it, so I am sharing my journey of building one and some of the lessons learnt along the way.

So what is behind it? Pwnagotchi captures the WPA/WPA2 4-way handshake: it listens for clients authenticating to nearby access points, nudges them along with deauthentication and association frames, and saves the resulting handshake (or PMKID) to disk. The handshake itself is not a bug as such; the weakness is that the captured exchange lets an attacker test candidate passphrases offline, so a weak pre-shared key falls to a dictionary attack later. I won’t go into the details here as you can read all about it from here.

Step 1. Gather all the materials

You will need a Raspberry Pi for this build; if you don’t already have one lying around, get the Raspberry Pi Zero 2 W, which is the latest at the time of writing. You will also need a display to show the face; the 2.13 inch E-Ink B/W HAT serves this purpose. Here is the list of materials:

  • Raspberry Pi Zero 2 W (with the 2×20 header soldered on if you want to use the E-Ink HAT)
  • 2.13 inch E-Ink HAT (optional; needed if you want the cute display)
  • 16GB or larger micro SD card
  • USB micro SD card reader (to write the SD card from the PC)
  • USB charging cable (one that carries data as well, not a charge-only cable)
  • Latest pwnagotchi image
  • Power supply or battery bank
  • Raspberry Pi Imager or Balena Etcher (to copy the image to the micro SD card)

Step 2. Download and Copy the latest pwnagotchi image

You can download the latest pwnagotchi image, version 1.8.5 at the time of writing, from the fork maintained by aluminum-ice. I had issues with the previous version, which is apparently no longer maintained.

There is also another fork maintained by jayofelony (https://github.com/jayofelony/pwnagotchi), but I haven’t tested that one yet.

Once you have downloaded the image, unzip it and compare its SHA-256 hash against the one published with the release, to make sure the image was not corrupted in transit. These instructions assume you are using version 1.8.5.
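The hash comparison from this step as a small shell function. This is an added example, not code from the original post or the pwnagotchi project; it assumes `sha256sum` (or `shasum` on macOS) is installed and that you paste the hash from the release page as the second argument. The demo at the bottom runs it on a constructed file, not on a real image.

```sh
#!/bin/sh
# Added example (not from the original post): verify a downloaded image against
# a published SHA-256 before writing it to the SD card.
# Usage: verify_image <file> <expected-sha256-hex>
# Returns 0 on match, 1 on mismatch or unreadable file.

verify_image() {
    file="$1"
    expected="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # sha256sum / shasum print "<hash>  <name>"; keep only the hash
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$file" | awk '{print $1}')
    fi
    # compare case-insensitively, since release pages differ in hex case
    actual=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published hash"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demo on a constructed file (real use: the unzipped .img and the hash from the release page).
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_image "$demo_file" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
rm -f "$demo_file"
```

Check whichever file the published hash actually covers (the zip or the unzipped .img); they differ. A hash fetched from the same place as the download only catches corruption, not a tampered mirror, so take it from the project's release page rather than from a random re-host.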

Step 3. Copy the image to micro sdcard using Raspberry Pi Imager

Put your micro SD card into the USB micro SD card reader, plug it into a USB slot and open your favourite image writer. I am using the Raspberry Pi Imager.

First, select Raspberry Pi Zero 2 W as the device. For the operating system, choose “Use custom” and pick the pwnagotchi image (mine is version 1.8.5). Then select your storage, which is the micro SD card reader; only then does the “NEXT” button become available. Follow the prompts to complete the copy. The imager does two passes: the first writes the image, the second verifies that it was written correctly. If it fails, try again. I found that my computer would sometimes go into standby and the write would stop, leaving a bad image, so be patient; copying the image can take some time.

Step 4. Getting your Pi zero Ready

Fit the 2.13 inch E-Ink HAT onto the Raspberry Pi Zero. You then need to give the pwnagotchi image its startup configuration. To do this, mount the freshly written SD card on your computer again and create a file called config.toml in the boot partition. On first boot its contents are moved to /etc/pwnagotchi/config.toml and the copy in the boot partition is deleted. The settings I use in this file are as follows.

The first line, main.name, sets the name of your pwnagotchi; call it whatever you like. main.whitelist lists the SSIDs of the access points you do not want the pwnagotchi to attack, for example your home WiFi.

If the screen stays blank, try changing ui.display.type to waveshare_2; mine works with waveshare_3. The main.plugins.grid section controls how the pwnagotchi reports the networks it has collected handshakes from, so exclude your home network from the reporting there as well (main.plugins.grid.exclude).

There are a bunch of other settings, which you can read about on the pwnagotchi.org site.
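A way to generate the config.toml described above so that the whitelist and the grid exclusion list can never drift apart. This is an added example, not the post's own file or anything from the pwnagotchi project: it assumes the boot partition is mounted at the directory given as the first argument, that `main.name`, `main.whitelist`, `main.plugins.grid.*` and `ui.display.*` are the keys in use (as on pwnagotchi.org), and that the SSIDs are placeholders you replace with your own. The demo writes into a scratch directory standing in for the mounted boot partition.

```sh
#!/bin/sh
# Added example (not the post's own file): generate config.toml for the boot
# partition so the same SSIDs land in BOTH main.whitelist (not attacked) and
# main.plugins.grid.exclude (not reported). SSIDs below are placeholders.
# Usage: write_pwnagotchi_config <boot-mount> <name> <display-type> <ssid>...

toml_list() {
    # print the arguments as a TOML array of quoted strings, e.g. ["a", "b"]
    first=1
    printf '['
    for item in "$@"; do
        [ $first -eq 1 ] || printf ', '
        printf '"%s"' "$item"
        first=0
    done
    printf ']\n'
}

write_pwnagotchi_config() {
    boot="$1"; name="$2"; display="$3"; shift 3
    [ -d "$boot" ] || { echo "no such directory: $boot" >&2; return 1; }
    # an empty whitelist means your own network gets attacked: refuse it
    [ $# -gt 0 ] || { echo "refusing to write an empty whitelist" >&2; return 1; }
    [ -n "$display" ] || { echo "display type must not be empty" >&2; return 1; }
    list=$(toml_list "$@")
    {
        echo "main.name = \"$name\""
        echo "main.lang = \"en\""
        echo "main.whitelist = $list"
        echo ""
        echo "main.plugins.grid.enabled = true"
        echo "main.plugins.grid.report = true"
        echo "main.plugins.grid.exclude = $list"
        echo ""
        echo "ui.display.enabled = true"
        echo "ui.display.type = \"$display\""
        echo "ui.display.color = \"black\""
    } > "$boot/config.toml"
    echo "wrote $boot/config.toml"
}

# Demo into a scratch directory (real use: the mounted boot partition, e.g. /media/$USER/boot)
demo_boot=$(mktemp -d)
write_pwnagotchi_config "$demo_boot" "pwnagotchi" "waveshare_3" "MyHomeWifi" "MyHomeWifi_5G"
cat "$demo_boot/config.toml"
rm -rf "$demo_boot"
```

Remember that the boot-partition copy is consumed on first boot; later changes go into /etc/pwnagotchi/config.toml over ssh in manual mode. If the face does not appear, swap the display argument for waveshare_2 and re-run before the first boot.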

Once you have created the config.toml file, put the SD card into the Raspberry Pi Zero and plug in the power. One thing to note about power: the Raspberry Pi Zero has two micro USB connectors. The one near the edge (PWR IN) is power only; the one in the middle (USB) is the data port that can be connected to a host. If you power the pwnagotchi through the outer connector, it boots in AUTO mode and starts hunting for networks; if you plug the cable into the middle connector, it boots in MANU (manual) mode, where it presents itself to the computer as a USB Ethernet gadget (reachable at 10.0.0.2 by default) so you can ssh in to download the handshake files or change the configuration.

So for the first run, plug the power into the outer connector and wait a couple of minutes. Make sure the green LED on the Raspberry Pi is blinking, which indicates that it is booting, and you should see the cute face on the e-paper display. If the LED is not blinking, either the SD card is not being recognised or the Raspberry Pi itself has a problem, so you will need to isolate which it is. Most of the time it is the SD card.

Step 5. Enjoy your pwnagotchi

When the pwnagotchi starts up, it detects all the nearby wireless access points and tries to capture a handshake from each of them. Every successful handshake is saved in the handshake folder, /root/handshakes by default, unless you change the location (bettercap.handshakes) in config.toml.
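Once there are captures on the Pi, the next practical step is to pull them off in manual mode and check that nothing on the whitelist was captured (if it was, the whitelist entry does not match the network's real SSID). The following is an added example, not code from the post or from pwnagotchi. It assumes the Pi answers at pi@10.0.0.2 over the USB gadget link (pwnagotchi's default address; set PWN_HOST otherwise), that the handshake directory is /root/handshakes as above, and that the capture files are named `<ssid>_<bssid>.pcap`, which is how pwnagotchi writes them. The demo at the bottom works on constructed empty files so it runs without a Pi attached.

```sh
#!/bin/sh
# Added example (not from the post): in MANU mode, copy the captures off the Pi
# and sanity-check them against the whitelist.
# Assumptions: Pi at pi@10.0.0.2 (pwnagotchi default), captures in /root/handshakes,
# files named <ssid>_<bssid>.pcap, whitelist SSIDs passed as arguments.

PWN_HOST="${PWN_HOST:-pi@10.0.0.2}"
PWN_DIR="${PWN_DIR:-/root/handshakes}"

# Copy new captures only; rsync over ssh keeps repeated runs cheap.
pull_handshakes() {
    dest="$1"
    mkdir -p "$dest"
    rsync -av --ignore-existing -e ssh "$PWN_HOST:$PWN_DIR/" "$dest/"
}

# Print "<ssid> <count>" for each SSID found in a local capture directory.
# ${base%_*} strips only the trailing _<bssid>, so SSIDs containing '_' survive.
inventory() {
    dir="$1"
    for f in "$dir"/*.pcap; do
        [ -e "$f" ] || continue
        base=$(basename "$f" .pcap)
        printf '%s\n' "${base%_*}"
    done | sort | uniq -c | awk '{print $2, $1}'
}

# Return 1 (listing the offenders) if any capture belongs to a whitelisted SSID,
# i.e. the whitelist did not protect that network.
check_whitelist() {
    dir="$1"; shift
    bad=0
    for f in "$dir"/*.pcap; do
        [ -e "$f" ] || continue
        base=$(basename "$f" .pcap)
        ssid="${base%_*}"
        for w in "$@"; do
            if [ "$ssid" = "$w" ]; then
                echo "WHITELISTED NETWORK CAPTURED: $f" >&2
                bad=1
            fi
        done
    done
    return $bad
}

# Demo on constructed file names (real use: pull_handshakes ./handshakes first).
demo=$(mktemp -d)
: > "$demo/CoffeeShop_aabbccddeeff.pcap"
: > "$demo/CoffeeShop_001122334455.pcap"
: > "$demo/Lib_Wifi_deadbeef0001.pcap"
inventory "$demo"
if check_whitelist "$demo" "MyHomeWifi" "MyHomeWifi_5G"; then
    echo "whitelist OK"
else
    echo "fix main.whitelist and main.plugins.grid.exclude"
fi
rm -rf "$demo"
```

On the host side the gadget interface needs an address in the same subnet (10.0.0.1/24 on Linux) before ssh or rsync will reach the Pi; pwnagotchi.org describes the per-OS setup. Empty files are enough for the demo because only the file names are inspected; a real capture from a whitelisted SSID is a configuration bug worth finding before the next walk.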

Step 6. What to do with the handshake files

You might be wondering what to do with all these handshake files. Well, you can start trying to crack the passwords behind them; that will be for another post. In the meantime you can see the detailed build in the following video.