The Flipper Zero is a fun little hacking tool, and I've been playing around with one that I purchased for my own usage recently. It's a learning process, and is a great way to figure out how the various protocols that I interact with in my day to day life actually work. One thing I put to the test was its ability to help test the security of my own home internet, using the Flipper Zero to break into my own network without even the password.

Testing your own home internet security: What you need

You'll need a Wi-Fi board

To follow this tutorial, you'll need a Flipper Zero with a Wi-Fi board that's compatible with Marauder, a custom firmware for the board. I'm using the official Flipper Zero Wi-Fi dev board, but there are others that are compatible with this too. I used FZEE Flasher to install Marauder on my Wi-Fi dev board.

You'll also need to install a custom firmware. I'm using Xtreme firmware, but you can use any that's compatible with Marauder. There are a few out there, such as Unleashed or Momentum. Once you have those set up, we can continue.

This also requires the network to have a 2.4GHz frequency available. This won't work on higher frequency networks.

Step 1: Launch Marauder and scan for networks

On the Flipper Zero with your Wi-Fi board plugged in:

1. Open Apps and scroll to GPIO
2. Open [ESP32] Wi-Fi Marauder
3. Select Scan making sure that ap is selected

This will initiate a scan for networks nearby. Mesh networks will repeat their SSID several times here, and your success may vary depending on which node you select.

Step 2: List your networks and select the one you need

The next step is to list the networks and see which number has been assigned to your access point.

1. Scroll down to List, again making sure ap is selected, and select enter
2. Scroll down to the access point that you're looking for, and note the number
3. Press back and choose Select, making sure it's on ap. Type the number of the access point you wanted, and press Save

Now your Flipper Zero will be ready to target the network of your choosing.

Step 3: Sniff on handshakes

Now that you're ready to go, we're going to forcibly deauthenticate devices from the network, eavesdropping on their attempts to reconnect. This works by the Flipper Zero sending de-authentication packets to client devices on the network. PMKID stands for Pairwise Master Key Identifier, and it's part of the WPA/WPA2 4-way handshake. It can be obtained from the first message of the handshake, making it possible for an attacker to eavesdrop and collect the data.

In this case, Hashcat takes the PMKID and the associated information (such as the SSID of the Wi-Fi network) and compares it against the potential passwords from the dump. It does this by computing the Pairwise Master Key, or PMK, for each password against the SSID and then deriving a PMKID from the PMK. If the computed PMKID matches the captured PMKID, the password used in the computation is the correct one for the network.

1. On your Flipper Zero, scroll down and hover over Sniff
2. Scroll to the right and select pmkid
3. Choose Active (Force Deauth) and try reconnecting your devices to your network

If it worked, you should see Received EAPOL on the Flipper Zero. This means that your PCAP files with the data from the handshake has now been stored on the SD card.

Step 4: Cracking the Wi-Fi password

Now that you have your PCAP files, connect your Flipper Zero to your computer and, using the qFlipper application, copy the latest PCAP files over. These are stored in the SD card, under apps_data/marauder/pcaps. Copy this to your computer. We'll be using Hashcat to crack the PCAP file, but first, you'll need to convert the PCAP file to a format that Hashcat supports. You can either use hcxpcaptool or simply use the web-based Hashcat cap2hashcat converter. We'll be using the latter.

Firstly, download Hashcat and save it to a folder for later access. You should also download a list of the most commonly used passwords. We are using the rockyou password database, but you can use any.

1. Upload your PCAP to Hashcat's cap2hashcat converter. Click convert
2. You should immediately be brought to a Handshake extraction successful page. If you weren't, you'll need to run the forced deauthentication attack again.
   1. Note that if the PCAP files you get are 0kb, you'll need to reflash Marauder onto your Wi-Fi dev board again.
3. Download the file Hashcat gave you, and place it in your Hashcat folder.
4. Open a command prompt in the Hashcat folder, and run the following command: hashcat -m 22000 file.hc22000 passwordlist.txt
5. This will take a while to run. It will compute hashes for every password in the list and check if they match the hash in your extracted PMKID. If it matches, it will then print the password that matched. In the below screenshot, you'll see that our password was cracked, revealing it to be "password"

If your password was in the password list, at this stage you'll see it printed on the screen. Otherwise, if Hashcat says Exhausted, then that means it tried the entire password list against the SSID and couldn't find a match. This is a good sign for your network security, but doesn't necessarily mean you're safe against other attacks.

For now, though, you can rest assured that your Wi-Fi network is safe against this basic form of attack. Many people reuse passwords everywhere, and you'd be amazed how many people are probably vulnerable to an attack like this!