Project Blue Fist is the next iteration of my P.O.C. project, FistBump, a handheld pentesting tool that can be used to grab WPA handshakes and PMKID hashes on Red Team engagements. It was designed to let you get close to a given target, making the attack more effective, without raising suspicion. The original proof of concept was a stand-alone device that launched a very effective attack at the push of a button, but it was not exactly stealthy: it used blinking lights to indicate the various stages of the attack as well as the outcome. It was also a bit bulky and difficult to conceal.
Project Blue Fist aims to remedy these shortcomings by removing the array of LED lights as well as the trigger button, leaving only a single button to power the device on or off. This greatly reduces its physical footprint, so the device fits gracefully in your pocket. This iteration also makes use of Bluetooth and an Android app, so the device can be controlled entirely from your Android phone. It still saves the hashes to removable storage, but now allows on-the-fly targeting and detailed results: new naming conventions distinguish targeted from broad attack results, and broad attacks generate a catalog file listing which ESSIDs can be found in the hash file of the same name.
To power on the device, hold down the power button. A red and a blue light will turn on; keep holding the power button until the red light turns off, indicating that the boot process has begun. The boot process takes about 30 seconds.
Once the device is on, open the FistBump app on your Bluetooth-enabled Android device. The app will attempt to connect to the FistBump device.
If it fails, simply press retry. Sometimes it may be necessary to quit the app and try again, should it be unable to connect after the second or third attempt.
Once you have connected to the FistBump Device, the app will display a list of wifi networks around you, available to attack.
At this point you can conduct a "Broad Attack" which will target anything in range, by pressing the red attack button or a Targeted Attack simply by selecting one of the displayed networks before tapping the attack button.
When attacks are successful, the booty/loot is stored to your removable usb storage. Booty is currently organized into two folders, PMKID and Handshakes.
Note that the actual hash files have an extension of .2500 or .16800. These correspond to the hash mode you would use in hashcat to brute-force those hashes: 2500 for standard WPA handshakes and 16800 for PMKID hashes, e.g. $ hashcat -m 2500 ... or $ hashcat -m 16800 ...
When you drill into the appropriate directory, you will find broad attack results named with a date/time stamp, while targeted attacks are named with the convention "targeted-[ESSID NAME]".
Above is the Handshakes directory. You will notice that each hash file has a corresponding .catalog file. Because an individual hash file may contain more than one hash, and in the case of broad attacks even more than one target, the catalog file lists the targets found in its corresponding hash file.
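As an added example (not part of the FistBump project), the following scope-check script walks the two loot folders, classifies each hash file by its extension and naming convention, reads its .catalog, and flags any ESSID that is not on an engagement's authorized list, since a broad attack captures everything in range. It assumes one ESSID per catalog line and that the catalog shares the hash file's name with .catalog replacing the mode extension; the sample loot tree is constructed in the script.

```python
import tempfile
from pathlib import Path
# Hash-file extension -> hashcat mode, as the README describes.
MODE_BY_EXT = {".2500": "WPA handshake (-m 2500)", ".16800": "PMKID (-m 16800)"}

def read_catalog(catalog_path):
    """ESSIDs from a .catalog file; assumed format: one ESSID per line."""
    if not catalog_path.exists():
        return []
    return [ln.strip() for ln in catalog_path.read_text().splitlines() if ln.strip()]

def inventory(loot_root, authorized_essids):
    """Classify each hash file under PMKID/ and Handshakes/ by mode and attack
    kind, and flag ESSIDs missing from the engagement's authorized list."""
    authorized = set(authorized_essids)
    report = []
    for folder in ("PMKID", "Handshakes"):
        for path in sorted(Path(loot_root, folder).glob("*")):
            if path.suffix not in MODE_BY_EXT:
                continue  # skip .catalog files and anything unexpected
            targeted = path.stem.startswith("targeted-")
            # Assumed: catalog = hash file name with .catalog replacing the mode extension
            essids = read_catalog(path.with_suffix(".catalog"))
            if targeted and not essids:
                essids = [path.stem[len("targeted-"):]]  # name carries the ESSID
            report.append({"file": f"{folder}/{path.name}",
                           "mode": MODE_BY_EXT[path.suffix],
                           "kind": "targeted" if targeted else "broad",
                           "essids": essids,
                           "out_of_scope": sorted(set(essids) - authorized)})
    return report

def build_sample_loot(root):
    """Constructed sample loot tree (placeholder contents, not real captures)."""
    files = {"Handshakes/targeted-CorpNet.2500": "placeholder\n",
             "Handshakes/targeted-CorpNet.catalog": "CorpNet\n",
             "Handshakes/2020-01-15_13-22-07.2500": "placeholder\n",
             "Handshakes/2020-01-15_13-22-07.catalog": "CorpNet\nNeighborCafe\n",
             "PMKID/2020-01-15_13-25-41.16800": "placeholder\n",
             "PMKID/2020-01-15_13-25-41.catalog": "CorpNet-Guest\n"}
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root

def demo(authorized=("CorpNet", "CorpNet-Guest")):
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_loot(tmp), authorized)
```

Any entry with a non-empty out_of_scope list is a capture the engagement was not authorized for and should be deleted rather than cracked.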
This device was developed as a proof of concept and for white hat purposes. You should only use this device on your own or a consenting network and in a controlled environment, as sending the deauth packets used in the included scripts could be illegal in your part of the world. I do not endorse or warrant breaking the law or invading the privacy of others. You alone are fully responsible for what you do with this info/device and how you use it. I am not responsible for your actions. Please do not hack Wi-Fi access points that you are not allowed to!!! Don't be a jerk!
This repository contains all the schematics, reference photos, boot images, scripts, Android app source code and even 3D-printable enclosure parts for building a FistBump prototype device.
- 1 Pi Zero v1.3. Do NOT use the Wi-Fi model: its chip doesn't support monitor mode/packet injection and it creates interference on the USB hub.
- 1 USB Wi-Fi adapter with a small profile and capable of monitor mode.
- 1 low-profile SanDisk flash drive for saving handshakes in a removable manner.
- 1 3.7V 1200mAh PKCELL LP503562 battery. Size matters: we want a low profile because it will be a tight fit, but feel free to change this as you see fit, especially if you design your own enclosure.
For instructions on the physical assembly, follow the README file, here.
I have also supplied FreeCAD/STL files for the 3D-printable enclosure here.
If you enjoyed this project, help me make more by buying me a coffee or something.
1KuntExCV54WJaVxyBMDbAXMye6zWcZfR
If you are one of those who would rather have one built for them, send inquiries to liddell.erik@gmail.com subject:FistBumpBLE
Credit where credit is due:
- ZerBea for their development of hcxdumptool and hcxtools, used in this prototype.
- The power on/off schematic and script were designed by NeonHorizon.
- Shout-out to 'atom' of the hashcat forums for this post: https://hashcat.net/forum/thread-7717.html