Skip to content

PierreGode/Ragnar

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1,940 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Ragnar image

ko-fi GitHub stars Python Status License: MIT

Ragnar is a fork of the awesome Bjorn project — a Tamagotchi-like autonomous network scanning, vulnerability assessment, and offensive security tool. It runs on a Raspberry Pi with a 2.13-inch e-Paper HAT, as a headless server on Debian-based systems (AMD64/ARM/ARM64) with Ethernet-first connectivity, or on the WiFi Pineapple Pager with full-color LCD display. On servers with 8GB+ RAM, Ragnar unlocks advanced capabilities including real-time traffic analysis and enhanced vulnerability scanning.

Important

For educational and authorized testing purposes only.


Quick Install

wget https://raw.githubusercontent.com/PierreGode/Ragnar/main/install_ragnar.sh
sudo chmod +x install_ragnar.sh && sudo ./install_ragnar.sh
# On Raspberry Pi: choose between e-Paper HAT, server/headless, or Pineapple Pager deployment.
# On other hardware: choose between server install or Pineapple Pager deployment.
# It may take a while as many packages and modules will be installed. Reboot when it finishes.

For detailed information see the Install Guide. See Release Notes for what's new.


🌐 Web Interface

Access Ragnar's dashboard at http://<ragnar-ip>:8000

  • Real-time network discovery and vulnerability scanning
  • Multi-source threat intelligence dashboard
  • File management with image gallery
  • System monitoring and configuration
  • Hardware profile auto-detection (Pi Zero 2W, Pi 4, Pi 5)

WiFi Configuration Portal — When Ragnar can't connect to a known network, it creates a WiFi hotspot:

  1. Connect to WiFi network Ragnar (password: ragnarconnect)
  2. Navigate to http://192.168.4.1:8000
  3. Configure your WiFi credentials via the mobile-friendly interface
  4. Ragnar will automatically retry known WiFi after some time if the AP is unused
  5. Once configured, Ragnar exits AP mode and connects to your network

The portal supports network scanning with signal strength, manual entry for hidden SSIDs, known network management, and one-tap reconnection.

web will be down during wardrive without ap or wifi connection.


🌟 Features

  • RuSense — Camera-Free Surveillance — Turns ordinary 2.4 GHz WiFi into a no-camera sensor: ESP32 nodes read Channel State Information (CSI) to report presence, motion, people-count, and — with a trained model — coarse pose and resting vital signs (breathing / heart rate). Works in the dark and through walls, with security & health modes, a calibration wizard, browser flashing, and a multi-node offline mesh. See RuSense

  • Authority Verification Across the Stack — A built-in engine for verifying authority at every layer — is the claimed root bridge / default gateway / DNS resolver / DHCP server / routing neighbour / name responder / SMB server genuine, or an impostor? — plus a network engineer's toolbox, in the web UI across three tabs. Diagnostics: ping, traceroute, MTR, WHOIS, internet speed test, DNS Doctor, ARP-poisoning / MITM detection, MAC Watch, Path-MTU / black-hole probe, captive-portal check, iperf3 throughput, Live Flow Telemetry, PTP-timing detection, and IPv6 RA Guard (audits + one-click hardens the host's IPv6 first-hop settings — ICMPv6-redirect and rogue-RA-preference exposure) — plus an opt-in Network Integrity Monitor that reruns the DNS-poison / ARP-spoof / rogue-DHCP / RA-Guard checks on a schedule and, with extended monitoring, round-robins the entire passive-scanner suite (STP/DTP/CDP/VTP/FHRP/OSPF/EIGRP/IS-IS/BGP/SMB/Relay/LDAP/IGMP/IPv6/NDP/ICMP/NTP/SNMP/Cert/TLS) through the background poller, Pushover-alerting on any regression — capture-based scanners default to a link-up wired port (pinnable per config), so a sensor plugged into a switch but managed over WiFi watches the cable, not wlan0. A Watchtower pane then unifies the deep standalone watcher daemons (arp_guard · ndpwatch · wifiwatch · certwatch · snmpwatch · isiswatch · igmpwatch) — tailing each one's JSON-lines log into a single normalized, deduped feed with one Pushover path. Switch & L2/L3: LLDP/CDP/EDP/FDP/SONMP switch discovery with PoE, ARP host scan, DHCP Guardian (with an inline DHCP-snooping mode), L2 link health, plus a detection-only passive security-scanner suite spanning L2→L7IGMP · IPv6 First-Hop · NDP (IPv6 neighbor-cache poisoning) · NTP · ICMP · SNMP · STP/BPDU · DTP · CDP (Cisco Discovery flood/spoof/leak) · VTP (VTP-bomb / VLAN-DB wipe) · SMB (SMBv1 + LLMNR/NBT-NS/mDNS poisoning + Kerberos downgrade/roasting) · Relay/Coercion (NTLM relay + PetitPotam/PrinterBug/DFSCoerce) · LDAP (Active Directory — cleartext binds, StartTLS strip, enumeration, filter injection, CLDAP reflection) · FHRP (HSRP/VRRP/CARP + GLBP AVG and AVF forwarder-plane hijack) · EIGRP · IS-IS · OSPF · BGP Watch and a receive-only BGP collector + path-asymmetry correlator — a TLS Watch passive TLS/QUIC handshake observer (JA4/JA4_r + JA3/JA3S fingerprints, SNI/ALPN, SNI↔cert mismatch, QUIC v1/v2 Initial recovery), the active Cert Watch certificate/hygiene checker (plus a passive, standalone certwatch that triages observed X.509 certs off a tap/SPAN — expiry, name-mismatch, weak-sig/key — and inventories TLS 1.3 flows whose cert is encrypted), a PCAP analyzer, and Locate Port. Every scanner learns a baseline, ships a CLI, and self-tests (Scapy / local-handshake end-to-end). Interfaces: link speed/duplex/auto-neg, DHCP-vs-static + VLAN, DNS/gateway identity, per-interface public-IP / ISP-ASN lookup, and a VPN-egress check. Missing CLI tools install with one click. Co-authored by Solarflere. Full details in the Authority Verification Guide.

  • WiFi Spectrum Analyzer — A passive, tri-band (2.4/5/6 GHz) Wi-Fi RF troubleshooter in the web UI (Network → WiFi Analyzer), a software take on the Ekahau Sidekick. Strictly passive — it only listens for beacons (iw scan passive) and never transmits a probe to any AP. A big center spectrum graph with two views — Bar (bar per AP, width = channel width, height = RSSI) and Cone/Dome (the classic filled bell-curve per AP) — shows every BSS with RSSI, channel + width, SSID, security and AP-advertised channel utilisation. Flags co-/adjacent-channel interference with 1/6/11 recommendations, shades DFS/radar channels (read live from the radio), estimates an AP's coverage radius (log-distance path-loss rings), and builds a walk-around coverage heatmap (floorplan + IDW interpolation on a true-to-scale square plan with metre rulers, adjustable floor size and zoom/pan — from a 10 m² room to a 300+ m² office). Bands are detected per-radio; tuned for the Alfa AWUS036AXM (Wi-Fi 6E, mt7921u) on a Pi Zero 2 W. See WiFi Analyzer Guide

  • WiFi Defense (802.11 WIDS) — A passive wireless intrusion-detection monitor in its own web-UI tab. Listens on a monitor-mode adapter for 802.11 management frames and flags deauth/disassoc floods (the classic Wi-Fi DoS), beacon floods (fake-AP storms), rogue APs / evil twins (a known SSID from an untrusted BSSID, against a trusted baseline), and KARMA/MANA rogue APs (one BSSID answering many SSIDs). Receive-only — it never transmits a frame or deauths back. Monitor mode is set up with plain iw (a separate ragmon0 vif where the driver allows, keeping your link up; else a mode switch) — no aircrack-ng dependency; Scapy captures with optional channel-hopping. Shows a CLEAR/WARNING/UNDER-ATTACK banner, a card per detection with attacker/BSSID detail, and an AP inventory — every flagged BSSID (and AP-table row) is clickable and pivots into the WiFi Spectrum Analyzer, where the rogue is pre-selected and marked with a red ⚠ WIDS locator in the spectrum until dismissed. Includes a passive client-isolation observer: from cleartext 802.11 headers alone it audits whether an AP or mesh actually enforces client isolation (guest/IoT WLANs) — flagging APs seen relaying client-to-client traffic (OPEN), silently filtering it (ISOLATING), plus mesh-wide cross-node forwarding. A standalone daemon-shaped sibling, wifiwatch, extends the same passive stance to the WPA client/handshake layerPMKID harvesting, forced 4-way-handshake capture (deauth-and-capture), WPA3→WPA2 downgrade / SAE-strip evil twins, and PNL leakage (your own devices broadcasting saved SSIDs — the raw material for KARMA attacks). Needs a monitor-capable adapter (e.g. the Alfa AWUS036AXM). See WiFi Defense Guide

  • Wardriving with GPS recovery — Logs WiFi networks, BLE devices, and cell towers with GPS positions while driving. Exports to WiGLE CSV / KML. Most wardrivers log observations with GPS-at-scan-time and discard the rest; Ragnar logs a GPS breadcrumb track during the session and runs a post-pass that backfills missing positions for any observation seen within 5 minutes of a real GPS point. The interpolation is speed-aware — when endpoint speeds differ (slowing for a tunnel, accelerating out the far side), it uses constant-acceleration math instead of constant-velocity, shifting positions toward whichever endpoint the device actually spent more time near. See Wardriving Guide

  • Network Scanning — Identifies live hosts and open ports

  • Vulnerability Assessment — Scans using Nmap and other tools

  • Multi-Source Threat Intelligence — Real-time fusion from CISA KEV, NVD CVE, AlienVault OTX, and MITRE ATT&CK

  • AI-Powered Analysis — GPT-5 Nano integration for security summaries, vulnerability prioritization, and remediation advice. See AI Integration Guide

  • System Attacks — Brute-force attacks on FTP, SSH, SMB, RDP, Telnet, SQL

  • File Stealing — Extracts data from vulnerable services

  • Advanced Server Features (8GB+ RAM) — Real-time traffic analysis, advanced vulnerability scanning with Nuclei/Nikto/SQLMap/ZAP, parallel scanning, and CVE correlation. See Server Mode

  • LAN-First Connectivity — Prefers Ethernet when present, manages WiFi as fallback

  • Smart WiFi Management — Auto-connects to known networks, falls back to AP mode, captive portal for configuration

  • E-Paper Display — Real-time status showing targets, vulnerabilities, credentials, and network info

  • Color TFT / OLED Displays — GC9A01 1.28" round TFT, ST7735S 1.44" LCD HAT (128×128, with 3 keys + 5-way joystick), and SSD1306 0.96" OLED. Selectable under Display settings. The 1.44" HAT's joystick and keys drive On-Screen Network Diagnostic Mode as a standalone field tester (KEY1 toggles it on/off). Full key/joystick mappings for every HAT are in the Display Buttons & Joystick Reference.

  • MAX7219 LED Matrix Display — Cascaded 8×8 LED panel arrays (4-panel 32×8 or 8-panel 64×8). Scrolls SSID, IP, targets, and status. SPI-connected: DIN→GPIO10, CS→GPIO8, CLK→GPIO11.

  • WiFi Pineapple Pager — Full-color LCD display with button controls, LED indicators, and auto-dim. See Pager section

  • Hardware-Bound Authentication — Optional login with full database encryption at rest. See Security & Authentication

  • PiSugar 3 Button — Physical button to swap between Ragnar and Pwnagotchi modes

  • Web Terminal — Optional interactive shell (xterm.js ↔ PTY over Socket.IO) in the dashboard, so you can manage the Pi without SSH. Runs as the non-root ragnar user in the Ragnar folder (sudo available), off by default, and gated by login — enable it in Config → Web Terminal only on trusted networks.

  • Kill Switch — Built-in endpoint (/api/kill) to wipe all databases, logs, and data. See Kill Switch

  • Comprehensive Logging — All nmap commands and results logged to data/logs/nmap.log

image

image

📌 Supported Platforms & Prerequisites

Raspberry Pi (Zero W / W2 / 4 / 5)

  • 64-bit Raspberry Pi OS (Debian Trixie, kernel 6.12+)
  • Username and hostname set to ragnar
  • 2.13-inch e-Paper HAT connected to GPIO pins (for display mode)
  • For 32-bit systems, use Ragnar's predecessor Bjorn

Recommendation: Edit ~/.config/labwc/autostart and comment out /usr/bin/lwrespawn /usr/bin/wf-panel-pi & to free up resources, or run sudo pkill wf-panel-pi temporarily.

Ragnar Gen 2 — reference build

The compact, self-contained reference node: a headless Pi Zero 2 W with an on-board status display, wired networking, and a Wi-Fi 6E monitor-mode radio. In collaboration with Solarflere.

  • Raspberry Pi Zero 2 W — main compute
  • Waveshare 1.44" LCD Display HAT (ST7735S, 3 keys + joystick) — on-device display + controls
  • Waveshare Ethernet/USB HAT — wired uplink + USB-A for the dongle
  • Alfa AWUS036AXM (Wi-Fi 6E, mt7921u) — tri-band scan/monitor radio

See Gen 2 Hardware Requirements for the full BOM, assembly, and setup notes.

Debian-Based Server / Headless

  • Debian 11+ or Ubuntu 20.04+ (AMD64, ARM64, or ARMv7)
  • Minimum: 2GB RAM, 2 CPU cores, 10GB free disk
  • Recommended: 8GB+ RAM for advanced features (traffic analysis, Nuclei, Nikto, SQLMap)

WiFi Pineapple Pager

  • Firmware 1.0.7+
  • PAGERCTL payload installed (provides libpagerctl.so)
  • SSH access from your workstation
  • Python3 + nmap (auto-installed on first run)
  • MIPS-compiled Python libraries bundled in pager_lib/ (or sourced from PAGERCTL payload)

🔨 Installation Details

The installer auto-detects your platform and configures everything:

  • Distro detection — Supports apt, dnf, pacman, zypper
  • Architecture support — AMD64, ARM64, ARMv7, ARMv8
  • Profiles — Pi + e-Paper, Server/Headless, WiFi Pineapple Pager
  • Automatic advanced tools — Systems with 8GB+ RAM get advanced features installed automatically
  • Smart resource management — Pi Zero W/W2 automatically skip resource-intensive tools
  • ARM optimizations — Uses PiWheels on ARM, retries mirrors, skips Pi-only steps on other hardware

For the full installation walkthrough see Install Guide.


🖥️ Server Mode: Advanced Features (8GB+ RAM)

When deployed on systems with 8GB+ RAM, Ragnar automatically unlocks advanced security capabilities.

Fresh installs: The main installer detects 8GB+ RAM and installs advanced tools automatically.

Existing installs: Run the advanced tools installer separately:

cd /home/ragnar/Ragnar
sudo ./scripts/install_advanced_tools.sh
sudo systemctl restart ragnar

Real-Time Traffic Analysis

  • Live packet capture with tcpdump and tshark
  • Connection tracking with detailed TCP/UDP statistics
  • Deep protocol inspection (HTTP, DNS, SMB, SSH)
  • Per-host bandwidth monitoring and top talkers
  • Automated security risk scoring and anomaly detection
  • DNS query logging and port activity monitoring

Advanced Vulnerability Scanning

  • OWASP ZAP — Spider + AJAX spider + active scan with automatic browser detection
  • Authenticated scanning — 8 auth types: form-based, HTTP Basic, OAuth2, Bearer Token, API Key, Cookie, Script-based
  • Nuclei — 5000+ vulnerability templates from ProjectDiscovery
  • Nikto — Comprehensive web server assessment
  • SQLMap — Automated SQL injection detection
  • Parallel scanning — Multi-threaded for faster results
  • CVE correlation — Automatic correlation with NVD, CISA KEV, and threat feeds
  • Live progress — Real-time log panel and animated progress bar
  • Web and API modes — Scan web apps or API endpoints with OpenAPI spec import

What Gets Installed

  • Traffic tools: tcpdump, tshark, ngrep, iftop, nethogs
  • Vulnerability scanners: Nuclei, Nikto, SQLMap, WhatWeb
  • Web app security: OWASP ZAP (requires Java)
  • Nmap scripts: vulners.nse, vulscan database

Ragnar auto-detects available tools and enables corresponding features in the web interface.


📡 RuSense — Camera-Free Surveillance

RuSense turns ordinary 2.4 GHz WiFi into a no-camera surveillance system for home, office, and anywhere a lens is unwelcome. ESP32 sensor nodes read WiFi Channel State Information (CSI) — the tiny distortions a moving body imprints on radio waves — and a bundled sensing engine reports presence, motion, people-count, and (with a trained model) coarse pose and resting vital signs. No images are ever captured; it works in the dark and through walls.

  • Flash a sensor node from your browser — no toolchain needed: RuSense Flasher (ESP32-S3 DevKitC / Seeed XIAO ESP32S3 & Plus / AMOLED / C6, Chrome/Edge).
  • Install the backend: sudo ./scripts/install_sensing.sh (runs as ragnar-sensing.service).
  • View it under the RuSense tabs in the web dashboard at http://<ragnar-ip>:8000.

Powered by RuView (by ruvnet). Full details: RuSense Guide.


🐝 Ragnar + Pwnagotchi Side by Side

A bundled helper script plus dashboard controls make swapping between Ragnar and Pwnagotchi painless:

  1. Run the installer:

    cd /home/ragnar/Ragnar
    sudo ./scripts/install_pwnagotchi.sh

    The script clones pwnagotchiworking into /opt/pwnagotchi, installs dependencies, writes /etc/pwnagotchi/config.toml, and drops a disabled pwnagotchi.service. Re-running is fast — it skips already-installed packages.

  2. Open the web UI → Config tab → Pwnagotchi Bridge → click Switch to Pwnagotchi.

Requirements:

  • USB WiFi adapter (wlan1) with monitor mode support
  • Waveshare 2.13" e-Paper HAT V4 for the pwnagotchi face display

Pwnagotchi web UI: http://<same-ip>:8080 (credentials: ragnar / ragnar)

What the installer configures:

  • Monitor mode scripts (/usr/bin/monstart, /usr/bin/monstop)
  • e-Paper display type (waveshare213_v4) and rotation
  • Web UI on port 8080, Pwngrid disabled
  • RSA keys, log directories, bettercap integration

Swapping via PiSugar 3 button:

Button Action While Ragnar is running While Pwnagotchi is running
Single tap Toggle manual mode
Double tap Switch to Pwnagotchi Switch to Ragnar
Long press Switch to Pwnagotchi Switch to Ragnar

A 10-second cooldown prevents accidental double triggers. If PiSugar is not connected, the listener is silently disabled.

Static IP recommended: When switching modes, WiFi may briefly reconnect with a different DHCP IP. Set a static IP:

sudo nmcli con mod "YOUR_WIFI_SSID" ipv4.method manual \
  ipv4.addresses "192.168.1.211/24" \
  ipv4.gateway "192.168.1.1" \
  ipv4.dns "192.168.1.1"
sudo nmcli con up "YOUR_WIFI_SSID"

Or set a DHCP reservation on your router. This only affects wlan0 — the monitor interface (wlan1/mon0) is not changed.

Service recovery: If Ragnar doesn't start after a reboot:

sudo /home/ragnar/Ragnar/scripts/fix_services.sh

🍍 WiFi Pineapple Pager

Attribution: The WiFi Pineapple Pager port of Ragnar is based on the original work of brAinphreAk — the developer who first ported Bjorn to the Pineapple Pager as PagerBjorn / Loki. The pager adaptation layer (display system, hardware control wrapper, MIPS-compiled binaries and libraries) originated in that project. Full credit and thanks to brAinphreAk for making pager hardware support possible.

Ragnar can be deployed to the WiFi Pineapple Pager as a native payload with full-color LCD display, button controls, and LED status indicators.

Features on Pager:

  • Full-color 480x222 LCD with Viking-themed status display
  • Physical button controls (navigate menus, pause/resume, adjust brightness)
  • LED indicators (blue=idle, cyan=scanning, red=brute force, yellow=stealing)
  • Graphical startup menu with interface selection and Web UI toggle
  • Auto-dim for battery saving and payload handoff support

Installation:

Option A — From the main installer (select option 3):

sudo ./install_ragnar.sh
# Choose: 3. Install on WiFi Pineapple Pager

Option B — Direct deployment:

./scripts/install_pineapple_pager.sh [pager-ip]

Usage:

  1. Launch from Pager menu: Reconnaissance > PagerRagnar
  2. Press GREEN to confirm the splash screen
  3. Select network interface and toggle Web UI on/off
  4. Press GREEN on "Start Ragnar" to begin scanning
  5. Press RED while running to open the pause menu

🤝 Contributing

The project welcomes contributions in new attack modules, bug fixes, documentation, and feature improvements.

See Contributing Docs and Code of Conduct.

📫 Contact


🙏 Credits & Attribution

Ragnar is built on the shoulders of great work by others:

Project Author Role in Ragnar
Bjorn infinition Original project that Ragnar is forked from
PagerBjorn / Loki brAinphreAk WiFi Pineapple Pager adaptation layer — display system, hardware control wrapper (pagerctl.py), pager menu UI, and all MIPS-compiled binaries and libraries
RuView ruvnet WiFi-CSI sensing engine and ESP32 CSI-node firmware behind RuSense — camera-free presence, motion, people-count, pose and vital-sign sensing. Ragnar vendors bins from the PierreGode/RuView fork
Solarflere Co-author of the Authority Verification suite (Diagnostics, Switch & L2/L3, Interfaces)

📜 License

2025 - Ragnar is distributed under the MIT License. See the LICENSE file for details.

About

Ragnar is a Powerful network scanning and offensive security tool for the Raspberry Pi with a 2.13-inch e-Paper HAT and is Father of Bjorn. It discovers network targets, open ports, exposed services, vulnerabilities.

Resources

License

Code of conduct

Contributing

Security policy

Stars

760 stars

Watchers

19 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors