How to Phish Usernames and Passwords from a Rogue Access Point using the Raspberry Pi


About: Setting up a Rogue Access Point on the Raspberry Pi is very easy. Our Access Point will act as a fake network providing free WiFi for our victim. It will have a captive portal, which means any website a user visits will be redirected to our login page, where they will need to enter their credentials to log in. You can set the login page up to look like a Facebook or Google login page and name your network “Free Facebook WiFi”. The network I am setting up will not have any internet access, so everything will be contained on the Raspberry Pi. You can eventually bridge your connection with a 4G network or Ethernet to provide full internet access for users.

The tutorial today will demonstrate how unsafe public WiFi networks are and why you should never send any personal information over a public WiFi network. We can also set our Access Point SSID to “attwifi” or “Starbucks”. If you set your access point’s SSID to a popular WiFi SSID, then your victim’s phone will automatically connect to your network if it has been connected to the same SSID before. The reason for this is that your phone only looks at the SSID name, not the MAC address (BSSID) of the wireless network. This doesn’t apply only to phones: laptops and any other WiFi-enabled devices will all act the same way.

Objective: To set up a Rogue Access Point and make our network act as a Captive Portal to phish passwords

Material: You will need the following:

  • Raspberry Pi (Click the link to check out the price on Amazon. Usually around $36 with free shipping)
  • USB Wireless Adapter (I use the Alpha AWUS036H in this tutorial)

Instructions: Let’s start off with a fresh Raspbian install. I installed Raspbian Lite on my Raspberry Pi since I will be running it headless and will use SSH to connect to my Raspberry Pi. After you set up your Raspberry Pi, let’s run the update and upgrade

Next we will need to install the tools needed to set up our Access Point.

isc-dhcp-server is our DHCP server. We’ll need this to assign users an IP address when they connect to our network. Hostapd is a user-space daemon for wireless access points and authentication servers. DNSMasq is used as our DNS server, and finally Apache2 is our web server. PHP5 will be used to receive the login information and store it. Install these programs using the following command:

Next we will need to find the name of our Wireless card interface. I am using the Raspberry Pi 3 which has a built in WiFi card, however the Raspberry Pi 3 WiFi card is unable to act as an Access Point so I am using an external USB WiFi adapter. Use the following command to view a list of your interfaces:

You should see a list of all your interfaces. If you have a USB WiFi adapter attached it will most likely be named wlan1, and wlan0 will be the built-in WiFi card. Since I am using an external USB WiFi adapter, my wireless interface name is “wlan1”.

Now let’s edit the hostapd configuration file. We will set the SSID name of our Rogue Access Point here, as well as the channel number you want your access point to run on. Run the following command to edit your hostapd configuration file. Your configuration file should be empty.

Now enter the following into the configuration file:

[Figure: Our hostapd configuration file]

Now hit CTRL+X to exit and save the configuration file.

Next we will edit the hostapd settings and link our configuration file in the setting. Type the following command:

Now look for DAEMON_CONF. It should be blank. We will add the path to the hostapd configuration file we created earlier here. Your DAEMON_CONF line should look like this now “DAEMON_CONF=/etc/hostapd/hostapd.conf”.

[Figure: Our /etc/init.d/hostapd file without any editing]
[Figure: /etc/init.d/hostapd after editing the DAEMON_CONF line]

Now hit CTRL+X to exit and save the configuration file.

Next we will edit the dnsmasq configuration file. Open the file with the following command:

Now scroll all the way to the bottom and add the following lines. Remember to keep the same interface name that you got before.

The address line will redirect all DNS lookups to 10.0.0.1, which we will set as our WiFi IP address in the next step. The interface line is our interface name. The dhcp-range line is the range of IP addresses that will be assigned to users who connect to our access point.

Hit CTRL+X to exit and save the configuration file.

Now let’s set up our wlan1 interface to be static and to match the IP address we assigned earlier in the dnsmasq configuration file. Type the following command to edit the interfaces:

[Figure: This is the unedited network interface file]

We will need to edit the interface for the wireless card you are working with. I will be editing the wlan1 interface settings. Change your interface settings to the following:

[Figure: Our network interface file edited for our wireless card]

Now hit CTRL+X to exit and save the configuration file.

Run the following commands to update the changes to our system:


We are almost done. Let’s create a fake SSL certificate so that if someone browses to a site that needs an SSL certificate, ours will be provided. This may not always work depending on the user’s browser, and they might get a warning saying that the certificate is invalid. In practice every browser will show that warning: the certificate is self-signed, and a bare “*” is not a valid match for any hostname, so sites that use HSTS will refuse to load at all.

Let’s create the folder where we will store our certificate:

Run the following command to create the certificate. Fill out the requested data. The answers don’t matter. The only one that matters is the Common Name. Put “*” for the Common Name.

[Figure: It is important for the Common Name to be *]
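Two of the portal’s mechanisms above (the dnsmasq catch-all address line that answers every DNS query with 10.0.0.1, and the self-signed certificate with a bare “*” Common Name) are exactly what a client can check for. The following is an added example, not code from the original post: it flags the DNS sinkhole pattern and shows why a “*” CN never matches a hostname under RFC 6125 rules. The domain names and addresses are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample: what a client on the rogue AP sees when it resolves
# unrelated names (the catch-all address= line answers every query with 10.0.0.1).
SINKHOLED_RESOLUTIONS = {
    "www.example.com": "10.0.0.1",
    "ntp.example.org": "10.0.0.1",
    "cdn.example.net": "10.0.0.1",
}

# Constructed sample of a normal network: each name maps somewhere different.
NORMAL_RESOLUTIONS = {
    "www.example.com": "93.184.216.34",
    "ntp.example.org": "198.51.100.7",
    "cdn.example.net": "203.0.113.20",
}


def dns_sinkhole_indicator(resolutions):
    """Return (is_sinkholed, address).

    Flags when two or more unrelated names all resolve to one address,
    which is the signature of a captive portal's catch-all DNS."""
    addrs = Counter(resolutions.values())
    if len(resolutions) < 2 or len(addrs) != 1:
        return (False, None)
    return (True, next(iter(addrs)))


def is_private(address):
    """True for RFC 1918 and other non-public ranges (e.g. the portal's 10.0.0.1)."""
    return ipaddress.ip_address(address).is_private


def cn_matches_host(cn, hostname):
    """Minimal RFC 6125 wildcard matching.

    A wildcard may only stand in for the leftmost label, and the name must
    still have at least two labels, so a bare '*' matches nothing."""
    cn_labels = cn.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(cn_labels) != len(host_labels) or len(cn_labels) < 2:
        return False
    if cn_labels[0] == "*":
        return cn_labels[1:] == host_labels[1:]  # wildcard covers one label only
    return cn_labels == host_labels
```

A client-side check that combines both indicators (every lookup answered with one private address, plus a certificate whose name cannot match the site) is a reliable sign that the network is intercepting traffic rather than routing it.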

Now let’s enable SSL on the Apache web service with the mod rewrite command:

Now we will create a symbolic link (ln -s) so that the default SSL site configuration in sites-available is enabled from sites-enabled:

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

Now let’s modify the Apache SSL config file and link it to the SSL certificate we created:

Scroll down a bit and find the two lines that start with SSLCertificate and change them as follows:

[Figure: Our Apache SSL config file before editing.]

[Figure: Our Apache SSL config file after editing.]

Finally, restart the Apache server for all our changes to take effect:

That’s basically it. We have created a Rogue Wireless Access Point, and all websites will redirect to our web server. There is no internet connection, so whoever connects will not have any internet access. You can forward all WiFi traffic to another 4G data card or Ethernet, but I will not be showing you that in this tutorial. What I will show you is how to use this to steal usernames and passwords using a fake login.

Have you ever logged into a free WiFi hot-spot and had to accept the terms and conditions before you could access the internet? I will show you how to create a very basic login page from which you will be able to recover the data the user submitted. You can disguise the website to make it look like a Facebook or Google login if you like.

Let’s start by changing the permissions for our web server’s directory and then removing the default home page:

Create a folder to store our usernames and passwords:

Now let’s create our main login homepage, which every site will redirect to:

Put the following HTML code into the file we just created and then hit CTRL+X to exit and save the file:

This will create a basic login page where the user can enter an email and password. Now let’s create the submit.php file, which will store the email and password that the user enters.

Put the following code into the submit.php file we just created and then hit CTRL+X to exit and save the file:

This will store the emails and passwords that are entered on our form. Everything will be stored as a text file in the “passwords” folder we created earlier. The filenames will be the email followed by the Unix time.

Restart your Raspberry Pi for everything to start working and for your access point to start showing up.

That’s it! To test it out use your phone or laptop to connect to your created WiFi and navigate to any website. You should see the following:

[Figure: Our fake login page we created]

Now if we add /passwords/ to the end of any website address, we should see a list of all the submitted forms:

[Figure: Directory listing of the passwords folder]

Clicking on the files will show you the email and password that was entered:

[Figure: A stored email and password file]


6 Comments

  • Bunny Bun Bun

    November 25, 2016

    So once you’ve got that, how would you redirect them to the Internet and not have them automatically forwarded back to the login page?

  • YoMomma

    November 25, 2016

    You mention Google and Facebook. How do you impersonate the certificate and chain, or are you just relying on really stupid people to give you their info?

    • dayz

      November 29, 2016

      This is more of a Social Engineering type of hack where you rely on the user giving you their username and password thinking it is an official login page. It would be difficult to impersonate a Facebook or Google certificate, and I honestly wouldn’t know how to do that or even if it’s possible.

  • John

    November 26, 2016

    Great tutorial, thanks! One thing I noticed is that unlike “normal” wifi hotspots my android phone does not prompt me to go to the login page when I connect. Any idea how to achieve this? I think less tech-savvy users might not know they need to open an http page in their browser to connect.

    • dayz

      November 29, 2016

      I noticed this on my phone as well, where it opens the last page you were on and stores it in memory; however, once the user clicks on a link or goes to another page it should redirect them to the login page.

  • Magnus

    November 28, 2016

    Hello! This all looks cool, but I have this problem at the DAEMON_CONF part! Instead of going to the page you reached, it goes to a page that looks just like our hostapd. We have tried to go to etc and wlan1 but it still goes to the other side. Any work out

