2015-02-09

Raspberry Pi as WiFi MitM access point

Introduction

I wanted to intercept the WiFi traffic of my mobile phone, to see what certain apps are doing. I had a Raspberry Pi and a USB WiFi dongle lying around, so let's see what we can do with them. The idea is to turn the Raspberry Pi into a cheap WiFi access point/router, and to be able to sniff the traffic and/or redirect it to an intercepting proxy.

Shopping list

Setup

The setup is straightforward. Download the latest Raspbian image, write it to an SD card, and boot the Raspberry Pi. Make sure it is connected to the network via the Ethernet port. On first boot you'll enter a configuration menu. First configure the basics, like "Expand Filesystem", "Change User Password" and "Internationalisation Options". Finish and reboot.
Next, log in to the Raspberry Pi and update it:
sudo apt-get update; sudo apt-get dist-upgrade
So now we have a basic Raspberry Pi running Raspbian.

Install the software

First install hostapd and a DHCP server:
sudo apt-get install hostapd isc-dhcp-server

Sidestep for the TL-WN823N

The TP-Link TL-WN823N is based on the Realtek RTL8192CU chipset, and doesn't work with the out-of-the-box hostapd. So we have to compile our own version.
Download RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip from the Realtek website, and copy it to the home folder of the pi user.
Log in as the pi user, and compile hostapd:
sudo cp RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip /tmp
cd /tmp
sudo unzip RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip
sudo rm RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip
sudo tar -xvf RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911/wpa_supplicant_hostapd/wpa_supplicant_hostapd-0.8_rtw_r7475.20130812.tar.gz
sudo rm -rf RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911
cd wpa_supplicant_hostapd-0.8_rtw_r7475.20130812
cd hostapd
sudo make

sudo cp /usr/sbin/hostapd /usr/sbin/hostapd.bak
sudo cp -p hostapd /usr/sbin/hostapd
sudo chown root.root /usr/sbin/hostapd
sudo chmod 755 /usr/sbin/hostapd

sudo cp /usr/sbin/hostapd_cli /usr/sbin/hostapd_cli.bak
sudo cp -p hostapd_cli /usr/sbin/hostapd_cli
sudo chown root.root /usr/sbin/hostapd_cli
sudo chmod 755 /usr/sbin/hostapd_cli
Now we have a compatible hostapd.

Configuration

For the setup, I created a script that does everything. It sets up the wlan0 adapter with the static IP 192.168.42.1, and configures the DHCP server to hand out IP addresses in the range 192.168.42.10-192.168.42.50. The SSID is set to 'Pi_AP', with a passphrase of 'Raspberry'. If you want different settings, change the script accordingly.
#!/bin/bash

sudo cp -p /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak
sudo sed -i -e 's/^\(option domain-name "example.org";\)$/#\1/' \
-e 's/^\(option domain-name-servers ns1.example.org, ns2.example.org;\)$/#\1/' \
-e 's/^#\(authoritative;\)$/\1/' /etc/dhcp/dhcpd.conf

sudo sh -c 'echo "
subnet 192.168.42.0 netmask 255.255.255.0 {
  range 192.168.42.10 192.168.42.50;
  option broadcast-address 192.168.42.255;
  option routers 192.168.42.1;
  default-lease-time 600;
  max-lease-time 7200;
  option domain-name \"local\";
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}
" >> /etc/dhcp/dhcpd.conf'


sudo cp -p /etc/default/isc-dhcp-server /etc/default/isc-dhcp-server.bak
sudo sed -i -e 's/^INTERFACES=""$/INTERFACES="wlan0"/' /etc/default/isc-dhcp-server

sudo ifdown wlan0

sudo cp -p /etc/network/interfaces /etc/network/interfaces.bak
sudo sed -i -e '/^allow-hotplug wlan0/a\
\
iface wlan0 inet static\
  address 192.168.42.1\
  netmask 255.255.255.0\
' \
-e 's/^\(iface wlan0 inet manual\)/#\1/' \
-e 's/^\(wpa-roam \/etc\/wpa_supplicant\/wpa_supplicant.conf\)/#\1/' \
-e 's/^\(iface default inet dhcp\)/#\1/' /etc/network/interfaces

sudo ifconfig wlan0 192.168.42.1

sudo sh -c 'echo "interface=wlan0
driver=rtl871xdrv
ssid=Pi_AP
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=Raspberry
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd" > /etc/hostapd/hostapd.conf'

sudo cp -p /etc/default/hostapd /etc/default/hostapd.bak
sudo sed -i -e 's/^#DAEMON_CONF=""/DAEMON_CONF="\/etc\/hostapd\/hostapd.conf"/' /etc/default/hostapd

sudo cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
sudo sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

sudo sh -c 'echo "
up iptables-restore < /etc/iptables.ipv4.nat
" >> /etc/network/interfaces'

sudo service hostapd start
sudo service isc-dhcp-server start

sudo update-rc.d hostapd enable
sudo update-rc.d isc-dhcp-server enable
When this script is run, it updates all configuration files, such that the access point comes up whenever the Raspberry Pi boots.
You should now be able to connect to the Pi_AP access point with your mobile phone, and to use internet-related apps. All traffic now passes through the Raspberry.
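The script above hard-codes the SSID, passphrase and address range. As an added example (not from the original post), here is a parameterised version of the two fragments it writes into hostapd.conf and dhcpd.conf, with the checks hostapd and dhcpd would otherwise only complain about at start-up: a WPA2-PSK passphrase must be 8 to 63 printable ASCII characters, the channel must be valid for hw_mode=g, and the lease range must fit in the /24 and must not contain the router address. The interface name, driver, SSID and addresses are the post's values and are assumptions to adjust for your own hardware. `wpa_pairwise=TKIP` is left out on purpose: with `wpa=2` only `rsn_pairwise` applies, so the AP offers CCMP only.

```shell
#!/bin/bash
# Added example, not part of the original post: generate the hostapd and dhcpd
# fragments the post's script writes by hand, from parameters, after checking
# the values the daemons would otherwise reject at start-up.
# All names and addresses below are assumptions taken from the post.

# WPA2-PSK passphrase: 8..63 characters, each ASCII 0x20..0x7e (hostapd rejects
# anything else when it parses hostapd.conf).
check_wpa_passphrase() {
  [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ] || return 1
  # Delete every printable ASCII byte; any byte left over is not allowed.
  [ "$(( $(printf '%s' "$1" | LC_ALL=C tr -d ' -~' | wc -c) ))" -eq 0 ]
}

# 2.4 GHz channel for hw_mode=g: 1..13 (14 is Japan-only).
check_channel() {
  case "$1" in
    [1-9]|1[0-3]) return 0 ;;
    *) return 1 ;;
  esac
}

# gen_hostapd_conf IFACE DRIVER SSID PASSPHRASE CHANNEL
# With wpa=2 only the RSN (WPA2) cipher list is used, so wpa_pairwise is left
# out and the AP offers CCMP only.
gen_hostapd_conf() {
  check_wpa_passphrase "$4" || { echo "passphrase must be 8-63 printable ASCII chars" >&2; return 1; }
  check_channel "$5" || { echo "channel must be 1-13" >&2; return 1; }
  cat <<EOF
interface=$1
driver=$2
ssid=$3
hw_mode=g
channel=$5
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=$4
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd
EOF
}

# gen_dhcpd_subnet PREFIX ROUTER FIRST LAST DNS
# PREFIX is the first three octets of a /24; ROUTER, FIRST and LAST are host
# numbers in that /24; DNS is the comma-separated server list.
gen_dhcpd_subnet() {
  for h in "$2" "$3" "$4"; do
    case "$h" in ''|*[!0-9]*) echo "host part '$h' is not a number" >&2; return 1 ;; esac
    [ "$h" -ge 1 ] && [ "$h" -le 254 ] || { echo "host part $h is outside the /24" >&2; return 1; }
  done
  [ "$3" -le "$4" ] || { echo "lease range start $3 is after end $4" >&2; return 1; }
  if [ "$2" -ge "$3" ] && [ "$2" -le "$4" ]; then
    echo "router $1.$2 lies inside the lease range" >&2; return 1
  fi
  cat <<EOF
subnet $1.0 netmask 255.255.255.0 {
  range $1.$3 $1.$4;
  option broadcast-address $1.255;
  option routers $1.$2;
  default-lease-time 600;
  max-lease-time 7200;
  option domain-name "local";
  option domain-name-servers $5;
}
EOF
}

# Usage: ./gen-ap-config.sh demo   (prints both fragments; redirect them into
# /etc/hostapd/hostapd.conf and /etc/dhcp/dhcpd.conf as the post's script does)
if [ "${1:-}" = "demo" ]; then
  gen_hostapd_conf wlan0 rtl871xdrv Pi_AP Raspberry 6
  echo
  gen_dhcpd_subnet 192.168.42 1 10 50 "8.8.8.8, 8.8.4.4"
fi
```

Both generators print to stdout and return non-zero with a message on stderr when a value is rejected, so they can replace the two `sudo sh -c 'echo ...'` blocks in the script while keeping the rest of it unchanged.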

Intercepting

In this case, the Raspberry Pi is connected to the network via regular DHCP.
We could sniff directly on the Raspberry using tcpdump. But I want to do something different: I want to place an intercepting proxy (Burp Suite) in between.
We can simply divert HTTP/HTTPS traffic to Burp Suite by adding two NAT rules on the Raspberry. After running the next two statements, all outgoing traffic to ports 80 and 443 will be diverted to another machine running Burp Suite.
sudo iptables -t nat -A PREROUTING -i wlan0 -m tcp -p tcp --dport 80 -j DNAT --to-destination 10.10.135.55:5678
sudo iptables -t nat -A PREROUTING -i wlan0 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.10.135.55:5678
In this case, Burp Suite is running and listening on 10.10.135.55 on port 5678. Burp Suite is also configured to be a transparent proxy. (Mental note: make sure the firewall on the machine running Burp Suite is opened up for incoming traffic on that port).
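The redirect only works when every piece is in place at the same time: ip_forward, the two FORWARD rules, the MASQUERADE rule and the two DNAT rules. Lose any one of them (typically after a reboot when iptables-restore did not run) and the phone simply has no connectivity, with no error anywhere. In particular, without MASQUERADE the Burp host answers straight to the client's 192.168.42.x address, for which it has no route. Here is an added check script (not from the original post) that reads an iptables-save dump and reports which of the post's rules are missing; the interface names, proxy address and port are the post's values and are assumptions. It is parameterised, so with eth1/eth0 and 10.0.2.15:8080 or 172.16.42.42:8080 the same check covers the Kali/Pineapple variant later on this page.

```shell
#!/bin/bash
# Added example, not part of the original post: verify that the forwarding,
# masquerading and port-redirect rules the post relies on are actually loaded,
# reading an iptables-save dump (live: iptables-save > dump; or the saved
# /etc/iptables.ipv4.nat). Interface names, proxy address and ports are the
# post's values and are assumptions.

# check_ip_forward [FILE]  -- FILE defaults to the kernel's ip_forward sysctl.
check_ip_forward() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "1" ]
}

# need DUMP REGEX DESCRIPTION -- report a rule that is absent from DUMP.
need() {
  if ! grep -Eq -e "$2" "$1"; then
    echo "MISSING: $3"
    missing=$((missing + 1))
  fi
}

# check_rules DUMP LAN_IF WAN_IF PROXY_HOST:PORT
# Expects iptables-save's canonical ordering ("-p tcp -m tcp --dport"); newer
# releases save the state match as "-m conntrack --ctstate", both are accepted.
check_rules() {
  dump=$1; lan=$2; wan=$3
  proxy_re=$(printf '%s' "$4" | sed 's/\./\\./g')   # escape dots for the regex
  missing=0
  need "$dump" "^-A POSTROUTING -o $wan -j MASQUERADE\$" "MASQUERADE on $wan"
  need "$dump" "^-A FORWARD -i $lan -o $wan -j ACCEPT\$" "FORWARD $lan -> $wan"
  need "$dump" "^-A FORWARD -i $wan -o $lan -m (state --state|conntrack --ctstate) RELATED,ESTABLISHED -j ACCEPT\$" \
       "FORWARD $wan -> $lan for established flows"
  for port in 80 443; do
    need "$dump" "^-A PREROUTING -i $lan -p tcp -m tcp --dport $port -j DNAT --to-destination ${proxy_re}\$" \
         "DNAT of port $port to $4"
  done
  [ "$missing" -eq 0 ]
}

# Constructed sample dumps (not captured from a real Pi): 'ok' contains every
# rule, 'nomasq' omits the MASQUERADE rule to show the check failing.
make_sample_dump() {  # $1 output file, $2 ok|nomasq
  {
    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo '-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.135.55:5678'
    echo '-A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.135.55:5678'
    [ "$2" = nomasq ] || echo '-A POSTROUTING -o eth0 -j MASQUERADE'
    echo 'COMMIT'
    echo '*filter'
    echo ':FORWARD ACCEPT [0:0]'
    echo '-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A FORWARD -i wlan0 -o eth0 -j ACCEPT'
    echo 'COMMIT'
  } > "$1"
}

# Usage on the Pi:  iptables-save > /tmp/rules && ./check-ap.sh /tmp/rules
# Usage offline:    ./check-ap.sh demo   (runs the check on both sample dumps)
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp)
  for variant in ok nomasq; do
    make_sample_dump "$tmp" "$variant"
    echo "== sample '$variant'"
    check_rules "$tmp" wlan0 eth0 10.10.135.55:5678 && echo "all rules present"
  done
  rm -f "$tmp"
elif [ -n "${1:-}" ]; then
  check_ip_forward || echo "MISSING: net.ipv4.ip_forward=1"
  check_rules "$1" wlan0 eth0 10.10.135.55:5678 && echo "all rules present"
fi
```

Running it against the saved /etc/iptables.ipv4.nat tells you whether the file the `up iptables-restore` line loads at boot actually contains the redirect, which the post adds after iptables-save was run; if it does not, the DNAT rules are gone after the next reboot.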

sslstrip

We can also use the same setup to put sslstrip in the middle, instead of Burp Suite. Just change the --to-destination host and port accordingly. And make sure you've got sslstrip running.
You can even run sslstrip on the Raspberry Pi itself. Just sudo apt-get install sslstrip, let the --to-destination point to either the IP address of the Ethernet 'internet' link (eth0) or the IP address of wlan0, and run sslstrip.

2015-02-02

Intercepting web traffic using WiFi Pineapple Mark V with Burp Suite in virtual Kali Linux

Introduction

A colleague got hold of a WiFi Pineapple Mark V, and I could borrow it for a couple of days, to play around with it.

After the initial goofing around with it, I wanted to go further and intercept some specific traffic. Put simply: have the Pineapple connected to my laptop, pass all traffic straight through to the internet, except for ports 80 and 443, which should go to Burp Suite, to do some stuff with it.

Connecting the Pineapple to either Windows or Linux is rather straightforward, but when it comes to routing network traffic, I prefer Linux.

Shopping list

I already have a laptop with Windows 8 installed, and running Kali in VirtualBox.

Fixing the routing on the Windows host

When the Pineapple is connected to the laptop via the USB Ethernet dongle, the route table in Windows gets an additional default route to the Pineapple (see image below). This default route causes issues when you want to go to the internet. So first we have to get rid of this default route.

Open a command prompt in Admin mode ([WinLogo]+X).

First run route print -4 to see which adapters are there, and that there is a default route to the Pineapple.


Route table in Windows after connecting Pineapple via USB Ethernet dongle

Take note of the interface number of the adapter connected to the Pineapple. In this case it is number 24. The default route can be removed by running

route DELETE 0.0.0.0 IF <if>

where <if> is the interface number (24 in this case).

You'll also see other routes to the interface. I didn't experience any problems with these, but you can delete them as well by running:

route DELETE 172.16.42.0 IF <if>
route DELETE 172.16.42.124 IF <if>
route DELETE 224.0.0.0 IF <if>
route DELETE 255.255.255.255 IF <if>

Now the Windows host is configured.

Note: it is possible that the default route to the Pineapple interface is added at a later stage, i.e. when Kali is set up and running. In that case, delete the route when this happens.

Setting up Kali

Kali is configured with default settings. Networking details are as follows:

Adapter 1 is enabled and attached to 'NAT'. Make sure that the 'Cable Connected' checkbox is on. Adapter 2 is enabled and attached to 'Bridged Adapter', with the correct adapter on the host computer that is attached to the Pineapple. Make sure that the 'Cable Connected' checkbox is on.

Now the virtual machine can be started.

When Kali is running, open a terminal and download the configuration script for the Pineapple:

wget http://wifipineapple.com/mk5/wp5.sh

and make it executable:

chmod +x wp5.sh

Run the script with ./wp5.sh

I could work with the defaults, but had to change the interfaces: eth0 is connected to the internet and eth1 is connected to the Pineapple.

Pineapple Netmask: 255.255.255.0
Pineapple Network: 172.16.42.0/24
Interface between PC and Pineapple: eth1
Interface between PC and Internet: eth0
Internet Gateway:  10.0.2.2
IP Address of Host PC: 172.16.42.42
IP Address of Pineapple: 172.16.42.1

After this is done, the Pineapple can be accessed via http://172.16.42.1:1471/

Also check that the internet is still accessible by requesting a regular page.

When everything is working on Kali, we can try to connect a phone to the Pineapple, and check that it has internet access.

Connecting mobile device to the Pineapple

First we're connecting a mobile device to the Pineapple by selecting its SSID. We'll leave the Karma stuff for later.

Check that the device can access the internet now.

Burp Suite

Start Burp Suite, and configure it, such that it listens to the IP address of eth0 (10.0.2.15 in my case) or eth1 (172.16.42.42) on port 8080.

Depending on the chosen adapter, add the redirect rules for port 80 (and optionally port 443):

iptables -t nat -A PREROUTING -i eth1 -m tcp -p tcp --dport 80 -j DNAT --to-destination 10.0.2.15:8080
iptables -t nat -A PREROUTING -i eth1 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.0.2.15:8080

or

iptables -t nat -A PREROUTING -i eth1 -m tcp -p tcp --dport 80 -j DNAT --to-destination 172.16.42.42:8080
iptables -t nat -A PREROUTING -i eth1 -m tcp -p tcp --dport 443 -j DNAT --to-destination 172.16.42.42:8080

It is also important to turn on 'Transparent Proxy Mode' in Burp Suite.

That's it. Burp Suite now intercepts traffic.