Hacking Adventures 42
2015-10-08
Raspberry PI as WiFi MitM accesspoint part 2
I also upgraded to the latest Raspbian (2014-09-24). I got some problems with /etc/network/interfaces. Mysteriously a wlan1 was configured there. When I commented out everything with wlan1, everything worked again.
2015-03-15
Raspberry Pi Camera Module and 1-Wire
I had a small project for my kids, to create a timelapse video of growing plants. So I bought a Camera Module for my Raspberry Pi, and let it take a snapshot every 15 minutes. So far so good.
Then came the idea to record the temperature as well. At first I thought 'no problem', since I had a DS18B20 digital temperature sensor lying around. I simply attached sensor pin 3 to GPIO header pin 1 (3.3V), sensor pin 1 to header pin 6 (GND), and sensor pin 2 to header pin 7 (GPIO4), with a 4.7K Ohm pull-up resistor between sensor pins 2 and 3 (see the Adafruit lesson for the details).
And then...
...Nothing
Hmmm, maybe the sensor is broken. Let's try another one.
And then...
...Still nothing
After a lot of Googling, I discovered that the Camera Module also uses GPIO 4, which conflicts with the 1-Wire module, which uses GPIO 4 by default. So the fix is to let the 1-Wire module use a different GPIO pin, e.g. GPIO 18. This can easily be configured by adding the following to /boot/config.txt:
dtoverlay=w1-gpio-pullup,gpiopin=18
(See https://github.com/raspberrypi/firmware/tree/master/boot/overlays).
After this, both the DS18B20 and the camera module worked fine.
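Once the overlay is in place, the w1_therm driver exposes every DS18B20 as /sys/bus/w1/devices/28-*/w1_slave. The following is an added example (not code from the original post) that reads and parses that file, with the sysfs root as a parameter so it can be exercised against a constructed directory without hardware. The sample w1_slave contents below are constructed; the "crc=.. NO" and 85 C cases are what you see when the bus is misconfigured, such as the GPIO 4 conflict described above, so the parser reports them as errors instead of logging bogus values into the timelapse.

```python
"""Read a DS18B20 over the kernel 1-Wire bus (w1-gpio + w1_therm).

Added example, not code from the original post. Assumes the w1_therm driver
exposes sensors under /sys/bus/w1/devices/28-*/w1_slave (family code 0x28 is
the DS18B20). The sysfs root is a parameter so the code can be tested offline.
"""
from pathlib import Path
import re
import time

DS18B20_FAMILY = "28-"
SYSFS_ROOT = Path("/sys/bus/w1/devices")

# Constructed sample outputs, in the exact two-line format w1_therm prints.
SAMPLE_OK = ("72 01 4b 46 7f ff 0e 10 57 : crc=57 YES\n"
             "72 01 4b 46 7f ff 0e 10 57 t=23125\n")        # 0x0172 / 16 = 23.125 C
SAMPLE_NEG = ("da ff 4b 46 7f ff 06 10 1a : crc=1a YES\n"
              "da ff 4b 46 7f ff 06 10 1a t=-2375\n")       # -2.375 C
SAMPLE_BAD_CRC = ("ff ff ff ff ff ff ff ff ff : crc=c9 NO\n"
                  "ff ff ff ff ff ff ff ff ff t=-62\n")     # bus not answering
SAMPLE_RESET = ("50 05 4b 46 7f ff 0c 10 1c : crc=1c YES\n"
                "50 05 4b 46 7f ff 0c 10 1c t=85000\n")     # power-on default, no conversion

_TEMP_RE = re.compile(r" t=(-?\d+)\s*$")


class SensorReadError(RuntimeError):
    """Raised when w1_slave does not contain a trustworthy reading."""


def parse_w1_slave(text):
    """Parse w1_slave output and return degrees Celsius as a float.

    Line 1 ends in 'crc=XX YES' when the scratchpad CRC matched; line 2 ends in
    't=<millidegrees>'. CRC failures and the 85.000 C power-on value (the
    conversion never ran, typically a wiring or GPIO conflict) raise instead of
    returning a number.
    """
    lines = text.strip().splitlines()
    if len(lines) < 2:
        raise SensorReadError("short w1_slave output: %r" % text)
    if not lines[0].rstrip().endswith("YES"):
        raise SensorReadError("CRC check failed: %s" % lines[0])
    match = _TEMP_RE.search(lines[1])
    if match is None:
        raise SensorReadError("no t= field in: %s" % lines[1])
    millideg = int(match.group(1))
    if millideg == 85000:
        raise SensorReadError("sensor returned power-on reset value (85 C)")
    return millideg / 1000.0


def list_sensors(root=SYSFS_ROOT):
    """All DS18B20 device directories under root (empty if the bus is absent)."""
    root = Path(root)
    return sorted(p for p in root.glob(DS18B20_FAMILY + "*")
                  if (p / "w1_slave").exists())


def read_sensor(dev, retries=3, delay=0.2):
    """Read one sensor, retrying a few times on transient CRC errors."""
    for attempt in range(retries):
        try:
            return parse_w1_slave((Path(dev) / "w1_slave").read_text())
        except SensorReadError:
            if attempt == retries - 1:
                raise
            time.sleep(delay)


def read_all(root=SYSFS_ROOT):
    """Map sensor id -> temperature for every DS18B20 on the bus."""
    return {dev.name: read_sensor(dev) for dev in list_sensors(root)}


if __name__ == "__main__":
    # On the Pi itself this prints the live readings; offline it shows the parser.
    print("sample:", parse_w1_slave(SAMPLE_OK), "C")
    print("live:", read_all())
```

A timelapse loop can call read_all() once per snapshot and write the result next to the image; a SensorReadError is the signal to check the wiring or the dtoverlay line rather than a value to record.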
2015-02-09
Raspberry PI as WiFi MitM accesspoint
Introduction
I wanted to intercept the WiFi traffic of my mobile phone, to see what certain apps are doing. I had a Raspberry Pi and a USB WiFi dongle lying around, so let's see what we can do with them. The idea is to turn the Raspberry Pi into a cheap WiFi accesspoint/router, and to be able to sniff the traffic and/or redirect it to an intercepting proxy.
Shoppinglist
Setup
The setup is straightforward. Download the latest Raspbian image, write it to an SD card, and boot up the Raspberry Pi. Make sure it is connected to the network via the ethernet port. You'll enter a configuration menu. First configure the basics, like "Expand Filesystem", "Change User Password" and "Internationalisation Options". Finish and reboot.
Next, log in to the Raspberry Pi, and update it:
sudo apt-get update; sudo apt-get dist-upgrade
So now we have a basic Raspberry Pi running Raspbian.
Install the software
First install hostapd and a DHCP server:
sudo apt-get install hostapd isc-dhcp-server
Sidestep for the TL-WN823N
The TP-Link TL-WN823N is based on the Realtek RTL8192CU chipset, and doesn't work with the out-of-the-box hostapd. So we have to compile our own version.
Download RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip from the Realtek website, and copy it to the home folder of the pi user.
Log in as the pi user, and compile the hostapd:
sudo cp RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip /tmp
cd /tmp
sudo unzip RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip
sudo rm RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip
sudo tar -xvf RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911/wpa_supplicant_hostapd/wpa_supplicant_hostapd-0.8_rtw_r7475.20130812.tar.gz
sudo rm -rf RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911
cd wpa_supplicant_hostapd-0.8_rtw_r7475.20130812
cd hostapd
sudo make
sudo cp /usr/sbin/hostapd /usr/sbin/hostapd.bak
sudo cp -p hostapd /usr/sbin/hostapd
sudo chown root.root /usr/sbin/hostapd
sudo chmod 755 /usr/sbin/hostapd
sudo cp /usr/sbin/hostapd_cli /usr/sbin/hostapd_cli.bak
sudo cp -p hostapd_cli /usr/sbin/hostapd_cli
sudo chown root.root /usr/sbin/hostapd_cli
sudo chmod 755 /usr/sbin/hostapd_cli
Now we have a compatible hostapd.
Configuration
For the setup, I created a script that does everything. It sets up the wlan0 adapter with the static IP 192.168.42.1, and configures the DHCP server to give out IP addresses in the range 192.168.42.10-192.168.42.50. The SSID is set to 'Pi_AP', with a passphrase of 'Raspberry'. If you want to have different settings, change the script accordingly.
#!/bin/bash
sudo cp -p /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak
sudo sed -i -e 's/^\(option domain-name "example.org";\)$/#\1/' \
  -e 's/^\(option domain-name-servers ns1.example.org, ns2.example.org;\)$/#\1/' \
  -e 's/^#\(authoritative;\)$/\1/' /etc/dhcp/dhcpd.conf
sudo sh -c 'echo "
subnet 192.168.42.0 netmask 255.255.255.0 {
  range 192.168.42.10 192.168.42.50;
  option broadcast-address 192.168.42.255;
  option routers 192.168.42.1;
  default-lease-time 600;
  max-lease-time 7200;
  option domain-name \"local\";
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}
" >> /etc/dhcp/dhcpd.conf'
sudo cp -p /etc/default/isc-dhcp-server /etc/default/isc-dhcp-server.bak
sudo sed -i -e 's/^INTERFACES=""$/INTERFACES="wlan0"/' /etc/default/isc-dhcp-server
sudo ifdown wlan0
sudo cp -p /etc/network/interfaces /etc/network/interfaces.bak
sudo sed -i -e '/^allow-hotplug wlan0/a\
\
iface wlan0 inet static\
address 192.168.42.1\
netmask 255.255.255.0\
' \
  -e 's/^\(iface wlan0 inet manual\)/#\1/' \
  -e 's/^\(wpa-roam \/etc\/wpa_supplicant\/wpa_supplicant.conf\)/#\1/' \
  -e 's/^\(iface default inet dhcp\)/#\1/' /etc/network/interfaces
sudo ifconfig wlan0 192.168.42.1
sudo sh -c 'echo "interface=wlan0
driver=rtl871xdrv
ssid=Pi_AP
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=Raspberry
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd" > /etc/hostapd/hostapd.conf'
sudo cp -p /etc/default/hostapd /etc/default/hostapd.bak
sudo sed -i -e 's/^#DAEMON_CONF=""/DAEMON_CONF="\/etc\/hostapd\/hostapd.conf"/' /etc/default/hostapd
sudo cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
sudo sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
sudo sh -c 'echo "
up iptables-restore < /etc/iptables.ipv4.nat
" >> /etc/network/interfaces'
sudo service hostapd start
sudo service isc-dhcp-server start
sudo update-rc.d hostapd enable
sudo update-rc.d isc-dhcp-server enable
When this script is run, it updates all configuration files, such that the access point comes up when the Raspberry is booted.
You should now be able to connect to the Pi_AP access point with your mobile phone, and use internet-related apps. All traffic now passes through the Raspberry.
Intercepting
In this case, the Raspberry Pi is connected to the network (via regular DHCP).
We could sniff directly on the Raspberry using tcpdump. But I want to do something different: I want to place an intercepting proxy (Burp Suite) in between.
We can simply divert HTTP/HTTPS traffic to Burp Suite, by adjusting the routing on the Raspberry. By running the next two statements, all outgoing traffic to port 80 and 443 will be diverted to another machine running Burp Suite.
sudo iptables -t nat -A PREROUTING -i wlan0 -m tcp -p tcp --dport 80 -j DNAT --to-destination 10.10.135.55:5678
sudo iptables -t nat -A PREROUTING -i wlan0 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.10.135.55:5678
In this case, Burp Suite is running and listening on 10.10.135.55 on port 5678. Burp Suite is also configured to be a transparent proxy. (Mental note: make sure the firewall on the machine running Burp Suite is opened up for incoming traffic on that port.)
sslstrip
We can also use the same setup to put sslstrip in the middle instead of Burp Suite. Just change the --to-destination host and port accordingly, and make sure you've got sslstrip running. You can even run sslstrip on the Raspberry Pi itself: install it with
sudo apt-get install sslstrip
then let the --to-destination point to either the IP address of the Ethernet 'internet' link (eth0) or the IP address of wlan0, and run sslstrip.
2015-02-02
Intercepting web traffic using WiFi Pineapple Mark V with Burp Suite in virtual Kali linux
Introduction
A colleague got hold of a WiFi Pineapple Mark V, and I could borrow it for a couple of days, to play around with it.
After the initial goofing around with it, I wanted to go further, and intercept some specific traffic. Put simply: have the Pineapple connected to my laptop, pass all traffic straight through to the internet, except for ports 80 and 443, which should go to Burp Suite, to do some stuff with it.
Connecting the Pineapple to either Windows or Linux is rather straightforward, but when it comes to routing network traffic, I prefer Linux.
Shoppinglist
I already have a laptop with Windows 8 installed, and running Kali in VirtualBox.
- Laptop with Windows 8.1 Pro
- VirtualBox 4.3.20
- Kali Linux 64-bit 1.0.9a with latest updates
- WiFi Pineapple Mark V running firmware 2.2.0
- USB Ethernet dongle connected to the WiFi Pineapple (that it is a USB dongle is not important; my laptop just doesn't have any Ethernet ports).
Fixing the routing on the Windows host
When the Pineapple is connected to the laptop via the USB Ethernet dongle, the route table in Windows gets an additional default route to the Pineapple (see image below). This default route causes issues when you want to go to the internet. So first we have to get rid of this default route.
Open a command prompt in Admin mode ([WinLogo]+X).
First run route print -4 to see which adapters are there, and that there is a default route to the Pineapple.
[Image: Route table in Windows after connecting Pineapple via USB Ethernet dongle]
Take note of the interface number of the adapter connected to the Pineapple. In this case it is number 24. The default route can be removed by running
route DELETE 0.0.0.0 IF <if>
where <if> is the interface number (24 in this case).
You'll also see other routes to the interface. I didn't experience any problems with these, but you can delete them as well by running:
route DELETE 172.16.42.0 IF <if>
route DELETE 172.16.42.124 IF <if>
route DELETE 224.0.0.0 IF <if>
route DELETE 255.255.255.255 IF <if>
Now the Windows host is configured.
Note: it is possible that the default route to the Pineapple interface is added in a later stage, i.e. when Kali is setup and running. In that case do the deletion of the route when this happens.
Setting up Kali
Kali is configured with default settings. Networking details are as follows:
Adapter 1 is enabled and attached to 'NAT'. Make sure that the 'Cable Connected' checkbox is on.
Adapter 2 is enabled and attached to 'Bridged Adapter', with the correct adapter on the host computer that is attached to the Pineapple. Make sure that the 'Cable Connected' checkbox is on.
Now the virtual machine can be started.
When Kali is running, open a terminal and download the configuration script for the Pineapple:
wget http://wifipineapple.com/mk5/wp5.sh
and make it executable:
chmod +x wp5.sh
Run the script with ./wp5.sh
I could work with the defaults, but had to change the interfaces: eth0 is connected to the internet and eth1 is connected to the Pineapple.
Pineapple Netmask: 255.255.255.0
Pineapple Network: 172.16.42.0/24
Interface between PC and Pineapple: eth1
Interface between PC and Internet: eth0
Internet Gateway: 10.0.2.2
IP Address of Host PC: 172.16.42.42
IP Address of Pineapple: 172.16.42.1
After this is done, the Pineapple can be accessed via http://172.16.42.1:1471/
Also check that the internet is still accessible by requesting a regular page.
When everything is working on Kali, we can try to connect a phone to the Pineapple, and check that it has internet access.
Connecting mobile device to the Pineapple
First we connect a mobile device to the Pineapple by selecting its SSID. We'll leave the Karma stuff for later.
Check that the device can access the internet now.
Burp Suite
Start Burp Suite, and configure it such that it listens on the IP address of eth0 (10.0.2.15 in my case) or eth1 (172.16.42.42) on port 8080.
Depending on the chosen adapter, configure the routing for port 80 (and optionally port 443):
iptables -t nat -A PREROUTING -i eth1 -m tcp -p tcp --dport 80 -j DNAT --to-destination 10.0.2.15:8080
iptables -t nat -A PREROUTING -i eth1 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.0.2.15:8080
or
iptables -t nat -A PREROUTING -i eth1 -m tcp -p tcp --dport 80 -j DNAT --to-destination 172.16.42.42:8080
iptables -t nat -A PREROUTING -i eth1 -m tcp -p tcp --dport 443 -j DNAT --to-destination 172.16.42.42:8080
It is also important to turn on 'Transparent Proxy Mode' in Burp Suite.
That's it. Burp Suite now intercepts traffic.
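Both the Raspberry Pi setup above and this Kali/Pineapple setup rely on a couple of DNAT rules in the nat PREROUTING chain, and it is easy to lose track of which ports are being diverted where, especially after the ruleset has been saved with iptables-save and restored at boot. The following is an added example (not code from the original post or from any of the tools mentioned) that parses iptables-save output and lists every diversion, so you can confirm that exactly ports 80 and 443 go to the proxy and nothing else does. The sample ruleset is constructed to match the Raspberry Pi post (wlan0, Burp on 10.10.135.55:5678); run it against the live ruleset with live_ruleset() on the Pi or the Kali VM.

```python
"""Audit the NAT diversion rules on a MitM access point.

Added example, not code from the original post. It parses the iptables-save
text format (the same text the post writes to /etc/iptables.ipv4.nat) and
reports every DNAT redirect in nat/PREROUTING.
"""
import shlex
import subprocess
from collections import namedtuple

Diversion = namedtuple("Diversion", "in_if proto dport target")

# Constructed sample: iptables-save output after the post's script plus the two
# DNAT rules that send port 80/443 from wlan0 to a Burp listener on 10.10.135.55:5678.
SAMPLE_RULESET = """\
# Generated by iptables-save v1.4.21
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.135.55:5678
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.135.55:5678
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
"""


def parse_tables(text):
    """Return {table: {chain: [rule_argv, ...]}} from iptables-save output."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                    # *nat, *filter
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):                  # :CHAIN POLICY [pkts:bytes]
            table.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):                # -A CHAIN <match/target args>
            argv = shlex.split(line)
            table.setdefault(argv[1], []).append(argv[2:])
    return tables


def _opt(argv, flag):
    """Value following `flag` in a rule argv, or None if the flag is absent."""
    try:
        return argv[argv.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def diversions(text):
    """All DNAT redirects in nat/PREROUTING, in the order iptables evaluates them."""
    rules = parse_tables(text).get("nat", {}).get("PREROUTING", [])
    return [Diversion(_opt(a, "-i"), _opt(a, "-p"), _opt(a, "--dport"),
                      _opt(a, "--to-destination"))
            for a in rules if _opt(a, "-j") == "DNAT"]


def check_diversion(text, in_if, expected_ports, target):
    """True only if exactly `expected_ports` on `in_if` go to `target` and no other DNAT exists."""
    got = {(d.in_if, d.dport): d.target for d in diversions(text)}
    want = {(in_if, str(p)): target for p in expected_ports}
    return got == want


def is_forwarding(text):
    """True if the ruleset masquerades upstream and accepts forwarded traffic, as the post's script sets up."""
    tables = parse_tables(text)
    post = tables.get("nat", {}).get("POSTROUTING", [])
    fwd = tables.get("filter", {}).get("FORWARD", [])
    return (any(_opt(a, "-j") == "MASQUERADE" for a in post)
            and any(_opt(a, "-j") == "ACCEPT" for a in fwd))


def live_ruleset():
    """Read the running ruleset (needs root); not used by the sample run."""
    return subprocess.run(["iptables-save"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for d in diversions(SAMPLE_RULESET):
        print("%s %s/%s -> %s" % (d.in_if, d.proto, d.dport, d.target))
    print("only 80/443 on wlan0 diverted to Burp:",
          check_diversion(SAMPLE_RULESET, "wlan0", [80, 443], "10.10.135.55:5678"))
    print("forwarding/masquerade in place:", is_forwarding(SAMPLE_RULESET))
```

For the Kali/Pineapple variant, the same check is check_diversion(live_ruleset(), "eth1", [80, 443], "10.0.2.15:8080") or the 172.16.42.42:8080 target, depending on which adapter Burp listens on.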