2015-02-09

Raspberry Pi as WiFi MitM access point

Introduction

I wanted to intercept the WiFi traffic of my mobile phone, to see what certain apps are doing. I had a Raspberry Pi and a USB WiFi dongle lying around, so let's see what we can do with them. The idea is to turn the Raspberry Pi into a cheap WiFi access point/router, and to be able to sniff the traffic and/or redirect it to an intercepting proxy.

Shopping list

Setup

The setup is straightforward. Download the latest Raspbian image, write it to an SD card, and boot up the Raspberry Pi. Make sure it is connected to the network via the Ethernet port. On first boot you'll enter a configuration menu. First configure the basics, like "Expand Filesystem", "Change User Password" and "Internationalisation Options". Finish and reboot.
Next, log in to the Raspberry Pi, and update it:
sudo apt-get update; sudo apt-get dist-upgrade
So now we have a basic Raspberry Pi running Raspbian.

Install the software

First install hostapd and a DHCP server:
sudo apt-get install hostapd isc-dhcp-server

Sidestep for the TL-WN823N

The TP-Link TL-WN823N is based on the Realtek RTL8192CU chipset, and doesn't work with the out-of-the-box hostapd. So we have to compile our own version.
Download RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip from the Realtek website, and copy it to the home folder of the pi user.
Log in as the pi user, and compile hostapd:
sudo cp RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip /tmp
cd /tmp
sudo unzip RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip
sudo rm RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911.zip
sudo tar -xvf RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911/wpa_supplicant_hostapd/wpa_supplicant_hostapd-0.8_rtw_r7475.20130812.tar.gz
sudo rm -rf RTL8188C_8192C_USB_linux_v4.0.2_9000.20130911
cd wpa_supplicant_hostapd-0.8_rtw_r7475.20130812
cd hostapd
sudo make

sudo cp /usr/sbin/hostapd /usr/sbin/hostapd.bak
sudo cp -p hostapd /usr/sbin/hostapd
sudo chown root.root /usr/sbin/hostapd
sudo chmod 755 /usr/sbin/hostapd

sudo cp /usr/sbin/hostapd_cli /usr/sbin/hostapd_cli.bak
sudo cp -p hostapd_cli /usr/sbin/hostapd_cli
sudo chown root.root /usr/sbin/hostapd_cli
sudo chmod 755 /usr/sbin/hostapd_cli
Now we have a compatible hostapd.

Configuration

For the setup, I created a script that does everything. It sets up the wlan0 adapter with the static IP 192.168.42.1, and configures the DHCP server to hand out IP addresses in the range 192.168.42.10-192.168.42.50. The SSID is set to 'Pi_AP', with a passphrase of 'Raspberry'. If you want different settings, change the script accordingly.
#!/bin/bash

sudo cp -p /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak
sudo sed -i -e 's/^\(option domain-name "example.org";\)$/#\1/' \
-e 's/^\(option domain-name-servers ns1.example.org, ns2.example.org;\)$/#\1/' \
-e 's/^#\(authoritative;\)$/\1/' /etc/dhcp/dhcpd.conf

sudo sh -c 'echo "
subnet 192.168.42.0 netmask 255.255.255.0 {
  range 192.168.42.10 192.168.42.50;
  option broadcast-address 192.168.42.255;
  option routers 192.168.42.1;
  default-lease-time 600;
  max-lease-time 7200;
  option domain-name \"local\";
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}
" >> /etc/dhcp/dhcpd.conf'


sudo cp -p /etc/default/isc-dhcp-server /etc/default/isc-dhcp-server.bak
sudo sed -i -e 's/^INTERFACES=""$/INTERFACES="wlan0"/' /etc/default/isc-dhcp-server

sudo ifdown wlan0

sudo cp -p /etc/network/interfaces /etc/network/interfaces.bak
sudo sed -i -e '/^allow-hotplug wlan0/a\
\
iface wlan0 inet static\
  address 192.168.42.1\
  netmask 255.255.255.0\
' \
-e 's/^\(iface wlan0 inet manual\)/#\1/' \
-e 's/^\(wpa-roam \/etc\/wpa_supplicant\/wpa_supplicant.conf\)/#\1/' \
-e 's/^\(iface default inet dhcp\)/#\1/' /etc/network/interfaces

sudo ifconfig wlan0 192.168.42.1

sudo sh -c 'echo "interface=wlan0
driver=rtl871xdrv
ssid=Pi_AP
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=Raspberry
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd" > /etc/hostapd/hostapd.conf'

sudo cp -p /etc/default/hostapd /etc/default/hostapd.bak
sudo sed -i -e 's/^#DAEMON_CONF=""/DAEMON_CONF="\/etc\/hostapd\/hostapd.conf"/' /etc/default/hostapd

sudo cp -p /etc/sysctl.conf /etc/sysctl.conf.bak
sudo sed -i -e 's/#net.ipv4.ip_forward=1/net.ipv4.ip_forward=1/' /etc/sysctl.conf

sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"

sudo sh -c 'echo "
up iptables-restore < /etc/iptables.ipv4.nat
" >> /etc/network/interfaces'

sudo service hostapd start
sudo service isc-dhcp-server start

sudo update-rc.d hostapd enable
sudo update-rc.d isc-dhcp-server enable
When this script is run, it updates all configuration files, so that the access point comes up whenever the Raspberry Pi is booted.
You should now be able to connect to the Pi_AP access point with your mobile phone, and use internet-related apps. All traffic passes through the Raspberry Pi now.
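The script above hard-codes every value and blindly appends to the configuration files, so running it twice leaves duplicate stanzas (as one of the comments below reports). As an added example, not the article's own script, the shell functions below generate the same hostapd and dhcpd fragments from parameters, check the passphrase against the 8 to 63 character limit hostapd enforces for WPA-PSK, check that the DHCP range lies inside the /24, and guard every append with a marker comment so a re-run is a no-op. The function names and the marker text are my own choices, and unlike the article's config this one leaves out TKIP and offers CCMP only; with `dir=/etc` it writes the real paths, so try it against a scratch directory first.

```sh
#!/bin/sh
# Added example: parameterised, idempotent generation of the hostapd and dhcpd
# fragments from the article. Function names, marker text and the CCMP-only
# choice are assumptions made for this example, not taken from the article.

# WPA-PSK passphrases must be 8..63 characters; hostapd refuses anything else.
valid_passphrase() {
    len=${#1}
    [ "$len" -ge 8 ] && [ "$len" -le 63 ]
}

# Is $2 a usable host address inside the /24 whose network address is $1?
# Only /24 networks are handled, which is what the article uses.
in_subnet24() {
    base=${1%.*}; addr=${2%.*}; last=${2##*.}
    [ "$base" = "$addr" ] && [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# Append text to a file exactly once, keyed on a marker comment, so that
# re-running the setup never duplicates a stanza.
append_once() {  # $1 file, $2 marker line, $3 text
    if grep -qF "$2" "$1" 2>/dev/null; then
        return 0
    fi
    printf '%s\n%s\n' "$2" "$3" >> "$1"
}

# dhcpd subnet stanza for a /24: $1 network, $2 range start, $3 range end, $4 router
dhcpd_subnet() {
    cat <<EOF
subnet $1 netmask 255.255.255.0 {
  range $2 $3;
  option broadcast-address ${1%.*}.255;
  option routers $4;
  default-lease-time 600;
  max-lease-time 7200;
  option domain-name "local";
  option domain-name-servers 8.8.8.8, 8.8.4.4;
}
EOF
}

# hostapd.conf for WPA2-PSK with CCMP only: $1 iface, $2 ssid, $3 passphrase, $4 channel
hostapd_conf() {
    valid_passphrase "$3" || { echo "passphrase must be 8-63 characters" >&2; return 1; }
    cat <<EOF
interface=$1
driver=rtl871xdrv
ssid=$2
hw_mode=g
channel=$4
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=$3
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ctrl_interface=/var/run/hostapd
EOF
}

# Write both files under $1 (use /etc on the Pi, a scratch dir for testing).
# Fails without writing the DHCP stanza if any parameter is invalid.
write_ap_config() {  # $1 root dir, $2 ssid, $3 passphrase
    dir=$1
    mkdir -p "$dir/hostapd" "$dir/dhcp"
    in_subnet24 192.168.42.0 192.168.42.10 || return 1
    in_subnet24 192.168.42.0 192.168.42.50 || return 1
    hostapd_conf wlan0 "$2" "$3" 6 > "$dir/hostapd/hostapd.conf" || return 1
    append_once "$dir/dhcp/dhcpd.conf" "# Pi_AP subnet (managed block, do not edit)" \
        "$(dhcpd_subnet 192.168.42.0 192.168.42.10 192.168.42.50 192.168.42.1)"
}
```

Calling `write_ap_config /tmp/aptest Pi_AP Raspberry` twice produces one subnet stanza, and a passphrase such as `short` is rejected before anything is appended.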

Intercepting

In this case, the Raspberry Pi is connected to the network via regular DHCP.
We could sniff directly on the Raspberry Pi using tcpdump. But I want to do something different: I want to place an intercepting proxy (Burp Suite) in between.
We can simply divert HTTP/HTTPS traffic to Burp Suite by adding two NAT rules on the Raspberry Pi. After running the next two statements, all outgoing traffic to ports 80 and 443 is diverted to another machine running Burp Suite.
sudo iptables -t nat -A PREROUTING -i wlan0 -m tcp -p tcp --dport 80 -j DNAT --to-destination 10.10.135.55:5678
sudo iptables -t nat -A PREROUTING -i wlan0 -m tcp -p tcp --dport 443 -j DNAT --to-destination 10.10.135.55:5678
In this case, Burp Suite is running on 10.10.135.55 and listening on port 5678, configured as a transparent proxy. (Mental note: make sure the firewall on the machine running Burp Suite allows incoming traffic on that port.)
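Once a few rules like these are in place it is easy to lose track of what a gateway is doing with its clients' traffic. As an added example that is not part of the article, the functions below parse `iptables-save` output, list every PREROUTING DNAT diversion with the interface and port it catches and the destination it sends them to, and count how many of those destinations are a host other than the gateway itself, which is the audit question you want answered before letting anyone else connect to such an access point. The sample rules are constructed to match the article's setup (they are not captured from a device), and the function names are my own; on the Pi itself the same check is `sudo iptables-save | dnat_redirects`.

```sh
#!/bin/sh
# Added example: audit iptables-save output for DNAT diversions of client traffic.
# Function names are assumptions for this example; the sample below is constructed.

# Constructed iptables-save dump for a gateway configured as in the article.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.135.55:5678
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.10.135.55:5678
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT'

# Read iptables-save output on stdin and print one "iface dport destination"
# line per PREROUTING DNAT rule. The current table is tracked so that rules in
# the filter table are never mistaken for NAT rules.
dnat_redirects() {
    awk '
        /^\*/          { table = substr($0, 2); next }
        table != "nat" { next }
        $1 == "-A" && $2 == "PREROUTING" && / -j DNAT / {
            iface = "any"; dport = "any"; dest = "?"
            for (i = 3; i <= NF; i++) {
                if ($i == "-i")               iface = $(i + 1)
                if ($i == "--dport")          dport = $(i + 1)
                if ($i == "--to-destination") dest  = $(i + 1)
            }
            print iface, dport, dest
        }'
}

# Print where TCP port $2 arriving on interface $1 is sent; fail if it is not
# diverted at all. Rules on stdin.
redirect_target() {
    dnat_redirects | awk -v i="$1" -v p="$2" \
        '$1 == i && $2 == p { print $3; found = 1 } END { exit !found }'
}

# Count DNAT rules whose destination host is not the gateway address $1,
# i.e. diversions to a remote interception point. Rules on stdin.
offbox_redirect_count() {
    dnat_redirects | awk -v gw="$1" \
        '{ split($3, d, ":"); if (d[1] != gw) n++ } END { print n + 0 }'
}
```

With the constructed sample, `dnat_redirects` lists the two rules for ports 80 and 443, `redirect_target wlan0 443` prints `10.10.135.55:5678`, and `offbox_redirect_count 192.168.42.1` reports 2, because both diversions leave the Pi for the Burp host.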

sslstrip

We can also use the same setup to put sslstrip in the middle, instead of Burp Suite. Just change the --to-destination host and port accordingly, and make sure you've got sslstrip running.
You can even run sslstrip on the Raspberry Pi itself. Just sudo apt-get install sslstrip, let the --to-destination point to either the IP address of the Ethernet 'internet' link (eth0) or the IP address of wlan0, and run sslstrip.

4 comments:

  1. after sudo apt-get install hostapd isc-dhcp-server
    isc-dhcp-server fails to start

  2. At first it didn't work for me, so foolishly I ran the script several times, just ending up with multiple entries in some files. I also found some weird symbols in some files, possibly this came when copy pasting the commands. So make sure you look carefully through your commands before executing.

  3. How do I set it up with no password?

    Replies
    1. "sudo nano /etc/hostapd/hostapd.conf" then remove or comment out the wpa* and rsn* lines