This Repo was a P.O.C. and is deprecated for a BLE peripheral Edition. STAY TUNED!
When performing a typical deauth/wpa 4way handshake attack, one must get close enough to the target/clients for the deauth and capture to be effective. This can prove difficult in a typcial engagement, as one would draw suspicion setting up a laptop with a big wifi adapter sticking out and a bunch of terminal windows open. It just screams hacker right?
But what if you had a portable device that could launch such an attack with the click of a single button, while being small enough to be comfortably hidden in your hacker hoody pocket. A device with a low profile wifi adapter and removable storage where the handshakes are automatically stored so that you can easily transfer them to your hashcat rig when you get home. FistBump is a prototype of such a device. Did I mention it charges with a standard mini usb charger? Well it does.
UPDATES
As of Version 2.0 it will now also capture PMKID hashes as well. I migrated from aircrack to hcxdumptool. I have left the old fistbump.sh which utilizes the aircrack method in the repository incase for some reason someone wants that, but now the attack script is wpa_hashgrab.sh. (It not only adds the capability to capture the PMKID hashes as well as 4 way handhsakes but its also much faster and a cleaner execution overall)
As of Version 2.1 you can now target specific networks by saving a file named targets.txt to the removable USB drive with the BSSID(s) of your target(s) minus the colons. For instance, if your target BSSID is XX:XX:XX:XX:XX:XX, your targets.txt file will say XXXXXXXXXXXX. For multiple targets just put each BSSID on a new line. HcxDumptool supports up to 64 specific targets. To revert back to a broad untargeted attack, simply remove the targets.txt file from your removable storage.
As of version 2.2 For every .2500 file created a .catalog file is also created of the same name. This file is a catalog BSSIDs & ESSIDs of which handhsakes were captured.
As of version 2.3 Removed all aircrack dependencies and killed wpa_supplicant instead of using aircrack-ng check kill
Planned for Next Release
- support potential capturing of plainmasterkeys, usernames and password
To power on FistBump, hold down the small button for about a second or until the red light on the bottom of the device goes off. When the device is ready it will show either a single green light or a blue pulsing pattern on the strip of leds at the top of the device. Both indicate that the device is armed and ready to attack. The single green light simply means there are currently no hashes stored on the device, while the blue pulsing pattern indicates how many hash files are currently saved on the device.
Note: (pulse, pulse, pause, repeat) would mean 2 hash files are saved. Hash files can contain more than one hash and from more than one network. The hash files are saved to the external usb drive with the naming convention {date_time_Captured}.{hashcat mode}. For example, 4 way handshakes are cracked using $ hashcat -m 2500... , so a file containing 4 way handshakes would be named 201810290107.2500 while a PMKID hash file captured from the same attack would be 201810290107.16800, as the hashcat mode forcracking PMKID is 16800. As of Version 2.1 if you specified a target (see updates section for v2.2), the captured hashes will be prepended with "targeted_" example: targted_201810290107.2500
To start an attack simply press the larger button.
Before the actual attack begins, FistBump will make sure you have a USB thumb drive attached, where it will store the hashes it collects. If no USB drive is present. it will light the strip up solid red to indicate the missing drive and abort, sending you back to the ready state mentioned above. Don't worry, you can simply insert your USB thumbdrive and try again.
With a thumb drive present it will begin by putting your wifi adapter into the proper state, monitor mode, and kill any processes, like wpa_supplicant, that may interfere. This stage will be indicated by a purple scan pattern.
When you see a random flashing rainbow pattern or random flashing purple pattern, the attack has begun! The Rainbow pattern indicates you are doing a broad attack while the purple pattern indicates that you have specified a target (see updates section for v2.1)
The attack leverages the latest WPA/WPA2 attack tool, hcxdumptool and is set to run for 40 seconds, which in my experience should be plenty of time to at least grab some handshakes. If you wish to change this, you can edit the wpa_hashgrab.sh script found in scripts/FistBump/hashgrab.sh of this repository or in /home/pi/FistBump/ on the actual pi.
When the attack is complete you will see the strip of LEDs light up solid purple if new hashes were collected during the attack, or solid yellow if no new hashes were collected.
Now one might say, "If I'm trying to be stealthy, whats with all these beautiful flashy LEDs?" Thats a valid point. Again, this is merely a proof of concept, but should you really have the need, the LED strip can be easily removed and replaced with out any altercations to the code. Of course then you just have to assume your attack went through and completed as you will have no indication.
To power off FistBump, simply press the small power button again. The device will flash solid yellow indicating a shutdown has begun. Once all lights, external and internal are off, the device is off. The device will also begin a shutdown on its own when the battery gets dangerously low. This will also be indicated by the solid yellow indicator and may come unexpectedly. Don't be alarmed as it is for the safety and integrety of the device img.
This Device was developped as a proof of concept and for White Hat Purposes. You should only use this device on your own or a consenting network and in a controlled enviroment, as sending the necessary deauth packets used in the contained scripts could be illegal in your given part of the world. I do not endorse or warrent breaking the law or invading the privacy of others. You alone are fully responsible for what you do with this info/device, and how you use it. I am not responsible for your actions. Please do not hack Wifi points that you are not allowed to!!! Don't be a jerk!
This repository contains all the Schematics, Reference Photos, Boot images, scripts, and even 3d printable encloser parts for creating a FistBump prototype device.
-
1 pi zero v1.3 Do NOT use the wifi model as the chip doesn't support monitor/package injection and creates interferience on usb hub
-
1 usb wifi adapter capable of monitor mode/ packet injection. I'd recommend the Panda 300Mbps Wireless N USB Adapter or even the canaKit Wifi adapter both are capable of packet injection and fairly small YAY! or you could also use this guy if you want and even smaller profile but its not as strong For a more complete list of recommended devices click here
-
1 lo profile sandisk flash storage for saving handshakes in a removable manner
-
1 3.7V 1200mAh PKCELL LP503562 size matters we want a low profile as we will have a tight fit but feel free to alter this as you see fit espcially if you deisgn your own enclosuer etc
-
1 Pimoroni Blinkt! this will be your status indicator
For instructions on the physical assmebly follow the README file, here.
I have also supplied freecad/stl files for the 3d printable encloser here.
This repository will supply a disk image built off Raspbian STRETCH OS in the releases section, that you can just write to a micro sd, pop into your piZero and be good to go! username:pi password: fistbump That said, should you choose to build this yourself off of another OS or with modifications, be aware of the following dependencies. The scripts for powering on and off the device as well as the attack button and actual attack have been suplied in the scripts folder
I chose to start the "arm_trigger" python script @reboot in crontab and the lipopi python script (for powering on and off the device) is set to start via /etc/rc.local
-
aircrack-ng
sudo apt install aircrack-ng -
cowpatty
wget http://www.willhackforsushi.com/code/cowpatty/4.6/cowpatty-4.6.tgz tar zxfv cowpatty-4.6.tgz cd cowpatty-4.6 make cowpatty sudo cp cowpatty /usr/bin
- blinkt! python library
curl https://get.pimoroni.com/blinkt | bash
Credit where credit is due:
-
ZerBera for their development of hcxdumtool and hcxtools used in this prototype
-
The powering on/off schematic and script were designed by NeonHorizon
-
Call out to 'atom' of the hashcat forums for this post: https://hashcat.net/forum/thread-7717.html
-
special call out to icarus255 and the rest of the Hak5 Community for being inspirational and all that.