Fully Automatic Wireless Hacking Station With Raspberry Pi #piday #raspberrypi @Raspberry_Pi

All-in-one standalone mobile wireless attack station using Raspberry Pi that can perform Man-In-The-Middle type attacks on clients automatically and without any internet access or other external connectivity or influence. by Adam Palmer via iodigitalsec

In laypersons terms; this portable battery powered device can automatically entice wireless devices to connect to it, be that iPhones/iPads, Androids and other phones or laptops and PCs. Most devices will connect to it automatically without the user even realizing. The device will provide a fake network running fake email and web servers and using some network trickery, will capture the hostname, username and password of any attempted connection and log it, along with the GPS co-ordinates of where the details were captured. This device could be used to hijack corporate and personal email logins, facebook logins, and so on.

Messing around with airbase-ng, part of the aircrack-ng suite over the last few months and researching wireless client vulnerabilities has led to an interesting proof of concept project. There are several weaknesses within the current wireless technologies in widespread use. First however, an explanation of the project. The project description was to launch a wireless man in the middle (MITM) attack, without having another end to connect the victim to. We need to create a MITM attack without having any internet access. Such an attack could theoretically be used on the tube, in locked down buildings, on the move, and so on, and without the use of a mobile data card. Built on top of a modified raspberry pwn release, although any Linux distribution would have been suitable, I have set my wireless device with a power output of 30dBm and started the following automated process:

Firstly, an airbase instance on my rtl8187 card as follows;

/usr/local/sbin/airbase-ng -c 3 wlan0 –essids “/root/pen/code/scripts/essids” -P -C 60 -I 60 -vv|grep –line-buffered “directed probe request”|tee /run/probes

This starts an access point on channel 3, beaconing the SSIDs contained within /root/pen/code/scripts/essids as well as any probe requests that the access point may receive from clients looking to connect to an access point. Now, in a little more detail, regular ‘non-hidden’ access points will broadcast ‘beacons’ which are pieces of data that specify the SSID (wireless network name) as well as the supported encryption types and so on. These beacons are usually sent every 100msec. Wireless clients will send probe packets, containing the SSIDs of all wireless networks that they have stored, and asking if any of them are here.

The -P switch to airbase-ng will have airbase respond to all probes saying “yes, that’s me” at which point assuming the encryption or lack thereof matches the stored profile, the client will attempt to associate. Mid way through building this test however, Apple released IOS 6, and one of the changes seems that the iPhone will now only send out broadcast probes rather than directed probes, rendering the -P feature useless against them. The broadcast probe is where the device sends out a “is anyone there?” probe, and waits to see which access points reply. Most iPhones however have connected at some point to a wireless hotspot, and so the SSIDs I chose for the essids file are “Boingo Hotspot”, “BTOpenzone” and “BTWiFi” in the UK. I believe that “attwifi” is a popular one in the US.

We then wait for airbase-ng’s `at0′ interface to come up, before starting a DHCP server handing IPs out on the 10.0.0.0/16 range whilst at0 itself is set to 10.0.0.1. Clients are set with DNS and router set to 10.0.0.1.

We then create a DNAT entry with iptables to redirect any traffic that comes in on at0 that would have been routed back to ourselves on 10.0.0.1;

iptables -t nat -A PREROUTING -i at0 -j DNAT –to-destination 10.0.0.1

Remembering that we have no default gateway, the biggest issue we have is that whilst we can run fake services on our device, we have no way of performing DNS lookups, and therefore even if we respond to all DNS A requests with ’10.0.0.1′, we’ll most likely be logging useless credentials.

At this point, I thought it would be a good idea to brush up on my programming skills and relearn PERL. Using the POE framework and sqlite3, we next run a fake DNS server. The DNS server is assigned a range, in this case 199.0.0.0/8 on which to hand out IPs. The first request is assigned 199.0.0.1 and logged in the database, the second request 199.0.0.2, and so on. If we already have a record of that request, we’ll hand out the IP we handed out the last time. Whether the client accepts our DNS or has their own hardcoded, the DNAT will redirect any DNS request to our device.

Now, iDevices and Blackberries attempt to connect to a URL to confirm internet service. If they do not receive the expected response, they assume they are on a wireless hotspot and pull up a login page. We must satisfy the query to pretend to the devices that they have valid internet access.

The next step in the process is where the client tries to connect to a service. I have currently built protocol support for POP3, IMAP, HTTP and their SSL versions, and additional services can be added easily.

Once the client initiates a connection, it is redirected back to us over DNAT. Under Linux, we have the originally requested destination IP available by using the socket option SO_ORIGINAL_DST. Assuming the client attempts to connect to 199.0.0.3 now over IMAP, our IMAP server implements enough of the protocol to log the credentials and keep the client happy, as well as looking up the requested hostname ‘m.google.com’ in the sqlite3 database and presenting it as the banner.

Should SSL be in use, we dynamically create a self signed certificate for ‘m.google.com’ and present it to the client. It will yield the usual SSL warning although having a matching hostname, the non-technical user is more likely to accept. The iPhone [4 at least] had an annoying feature where no matter how many times ‘cancel’ is clicked, it will keep presenting with the same SSL warning until ‘continue’ is clicked or wifi is shut off. This almost guarantees that the user will click continue. In addition, whilst testing, I did not even realise at first that the warning I was presented with on the iPhone was even an SSL certificate warning. I am very surprised that the warning is not worded in stronger terms than it is.

Once we have credentials, these are logged in a separate table and related back to an IP entry which ultimately relates back to the original host the user attempted to connect to. Thus we are able to log host details, username and passwords on a standalone portable device with no network connectivity. Lastly, the device was kitted out with a BlueNEXT GPS dongle, and so GPS coordinates can be logged if they are available for where credentials were sniffed.
It is not legally possible to actively run such a device in public, however based on internally testing the system with my own devices, as well as passively collecting some of the broadcast probes sent over the air in public places, running such a device in public could very easily harvest many hundreds of passwords ranging from home to corporate in only a few minutes at a suitably busy location. Furthermore, as the device has no internet or external connectivity of its own, and the attacker would be entirely untraceable.

In my next posting, I will discuss some of the weaknesses we touched upon and how they can be overcome.

Read more

998Each Friday is PiDay here at Adafruit! Be sure to check out our posts, tutorials and new Raspberry Pi related products. Adafruit has the largest and best selection of Raspberry Pi accessories and all the code & tutorials to get you up and running in no time!


Adafruit publishes a wide range of writing and video content, including interviews and reporting on the maker market and the wider technology world. Our standards page is intended as a guide to best practices that Adafruit uses, as well as an outline of the ethical standards Adafruit aspires to. While Adafruit is not an independent journalistic institution, Adafruit strives to be a fair, informative, and positive voice within the community – check it out here: adafruit.com/editorialstandards

Stop breadboarding and soldering – start making immediately! Adafruit’s Circuit Playground is jam-packed with LEDs, sensors, buttons, alligator clip pads and more. Build projects with Circuit Playground in a few minutes with the drag-and-drop MakeCode programming site, learn computer science using the CS Discoveries class on code.org, jump into CircuitPython to learn Python and hardware together, TinyGO, or even use the Arduino IDE. Circuit Playground Express is the newest and best Circuit Playground board, with support for CircuitPython, MakeCode, and Arduino. It has a powerful processor, 10 NeoPixels, mini speaker, InfraRed receive and transmit, two buttons, a switch, 14 alligator clip pads, and lots of sensors: capacitive touch, IR proximity, temperature, light, motion and sound. A whole wide world of electronics and coding is waiting for you, and it fits in the palm of your hand.

Have an amazing project to share? The Electronics Show and Tell is every Wednesday at 7:30pm ET! To join, head over to YouTube and check out the show’s live chat and our Discord!

Join us every Wednesday night at 8pm ET for Ask an Engineer!

Join over 38,000+ makers on Adafruit’s Discord channels and be part of the community! http://adafru.it/discord

CircuitPython – The easiest way to program microcontrollers – CircuitPython.org


New Products – Adafruit Industries – Makers, hackers, artists, designers and engineers! — New Products 11/15/2024 Featuring Adafruit bq25185 USB / DC / Solar Charger with 3.3V Buck Board! (Video)

Python for Microcontrollers – Adafruit Daily — Select Python on Microcontrollers Newsletter: PyCon AU 2024 Talks, New Raspberry Pi Gear Available and More! #CircuitPython #Python #micropython @ThePSF @Raspberry_Pi

EYE on NPI – Adafruit Daily — EYE on NPI Maxim’s Himalaya uSLIC Step-Down Power Module #EyeOnNPI @maximintegrated @digikey

Adafruit IoT Monthly — Halloween, WiLo, and more!

Maker Business – Adafruit Daily — Checking in on Intel

Electronics – Adafruit Daily — Probe Compensation

Get the only spam-free daily newsletter about wearables, running a "maker business", electronic tips and more! Subscribe at AdafruitDaily.com !



1 Comment

  1. "Furthermore, as the device has no internet or external connectivity of its own, and the attacker would be entirely untraceable." Meaning you don’t expect somebody to triangulate the position of the radio? Or just that because the service isn’t dependent on an ISP, you expect to be able to act with impunity?

Sorry, the comment form is closed at this time.