Phishing with a WiFi Pineapple

This guide builds on the Auto-Rickroll payload for the WiFi Pineapple. Following this guide you will be able to create a self-contained WiFi Pineapple or similar OpenWRT based wireless access point serving up faux websites to capture login credentials. The purpose of this article is to point out the simplicity of a phishing attack using the dnsmasq technique of the Auto-Rickroll payload, and how you can protect yourself from similar attacks. See the mitigation section at the bottom of the article for defense advice.

Demonstration

Before beginning please follow the instructions outlined in the Auto-Rickrolling WiFi-Pineapple article. Once complete we will:

  1. Install PHP and dependencies
  2. Configure PHP and HTTPD
  3. Test the PHP installation
  4. Write redirection and capture scripts
  5. Modify a website to capture credentials

Install PHP and dependencies

The installation of PHP on OpenWRT is straightforward. Given the storage and processing limitations of a typical embedded device such as the WiFi Pineapple, and what we’re trying to achieve, I have opted for the PHP 4.x build rather than the newer 5.x. Feel free to deviate if your needs require the newer features of PHP 5.

Begin by downloading and installing the following packages from downloads.openwrt.org: libopenssl_0.9.8i-3.2_mips.ipk, php4_4.4.7-1_mips.ipk, php4-cgi_4.4.7-1_mips.ipk and zlib_1.2.3-5_mips.ipk

Alternatively, everything required for this hack can be downloaded in this archive.

Copy the package files (*.ipk) to the WiFi Pineapple in /root/ using the scp command in Linux or an SCP utility in Windows like WinSCP or Plink.

Open a shell on the WiFi Pineapple using your ssh client of choice (on Windows I recommend PuTTY) and log in as root. You should already be located in /root/ after logging in. Issue the “pwd” command to be sure, or change directory to /root/ with “cd /root/”. Verify that the packages have been copied by issuing “ls” to list the contents of the directory. You should see the four package files listed. To install them all, issue “opkg install *.ipk”.

After a few moments each package should be installed. Now it is time to configure PHP and the HTTP server.

Configure PHP and HTTPD

Two changes need to be made in order for the HTTP server to recognize .php files and process them correctly.

First we’ll need to add a line to the httpd.conf file in /etc/, so either open it with your favorite text editor (vi is already installed) or simply issue the command echo "*.php:/usr/bin/php" >> /etc/httpd.conf (the inner quotes must be straight double quotes; curly quotes pasted from a web page will not be understood by the shell). Verify that the line has been added with “cat /etc/httpd.conf”.

Next we’ll need to add a line to the php.ini file in /etc/. Again open the file in an editor or add the line with echo "cgi.force_redirect = 0" >> /etc/php.ini and verify with “grep cgi.force_redirect /etc/php.ini”. Note the equals sign: php.ini directives take the form key = value, and PHP will not accept the setting without it.

Now restart the web server either by issuing “/etc/init.d/httpd restart” or simply rebooting the WiFi Pineapple with the “reboot” command. It’s also safe to simply unplug the power and plug it back in.

Once the HTTPD and PHP configuration files have been modified and the server has restarted we can move on to testing the PHP installation.

Testing the PHP installation

PHP has a handy little function for testing its installation. If you rebooted your WiFi Pineapple you’ll need to log back into a shell as root. Once situated, change directory to /www/ with the “cd /www/” command. Now we’ll need to create a test.php file, so issue “touch test.php”. Next issue echo '<?php phpinfo(); ?>' > test.php (the single quotes stop the shell from interpreting the ? and ; characters). Verify that the string has been written to the file with the command “cat test.php”.

With the file written we can test the PHP install by navigating to test.php on the web server. Remember, following the instructions from the Auto-Rickrolling WiFi Pineapple article we’re able to get to the web server from any URL requested. Based on the dnsmasq.conf, there is no difference between example.com and google.com. Pointing your browser to, say, http://example.com/test.php should display the standard phpinfo() page, confirming that httpd is handing .php files to the PHP CGI binary.

Write redirection and capture scripts

Given that the dnsmasq.conf file will send any URL requested to the root of the web server we will need to write a small PHP script to identify the requested URL and present the user with the corresponding page. Once the user logs into the faux page we’ll use an error.php script to capture the credentials and log them in a file.

Unfortunately at the time of writing I have been unable to convince the tiny web server to process php files as indexes. The cheap workaround for now is to write a simple meta redirect index.html file that points to our redirect.php script for the actual processing. Hopefully this step can be removed in the future, but for now you’ll need to open the index.html file in /www/ using your favorite editor and replace the contents with the following:

<html>
<head>
<meta http-equiv="REFRESH" content="0;url=redirect.php">
</head>
<body></body>
</html>

Now for the fun page. Create a redirect.php file with the command “touch redirect.php” and open it with a text editor, for example “vi redirect.php”.

Note: If you’re new to vi here’s a bare-minimum introduction: There are two modes to vi, command mode and insert mode. By default you’ll be in command mode. Press “i” to enter insert mode allowing you to type into the file. Press ESC to get back to command mode. The command “:x” saves and quits. Learn more about using vi.

Here’s an example redirect.php script. Modify as you see necessary. We’ll break it down line by line.

<?php
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; // URL the client came from, empty if the browser sent none
if (strpos($ref, "facebook") !== false) { header('Location: facebook.html'); exit; } // !== false: a match at offset 0 still counts; exit so the default page below is not sent too
require('peets.html'); // default page when no site matched
?>

The first line tells PHP to start processing the following lines of code.

The second sets the value of the variable “ref” as the HTTP_REFERER. This variable is obtained from “_SERVER” and basically tells us what URL the client is coming from. Since dnsmasq.conf is set to send any website to the root of our web server this could be anything.

The third line uses the strpos function to look inside the “ref” variable that we just set and see if the word “facebook” is somewhere inside. This means that both “http://facebook.com” and “http://www.facebook.com” would return true. Note: the same goes for facebooksucks.com or any variation that contains the string “facebook”.

If the word “facebook” is found in the variable “ref” the function header will set the location of the browser to facebook.html – a file we’ll create here in a minute.

To phish multiple domains you would create additional similar if statements customized to the urls desired.

The fourth line will only be processed if the statements above aren’t found to be true. In our example we’re only looking for facebook but the list could be more extensive. The require function tells PHP to load up the contents of the file, in our case peets.html. This could be anything from a terms of service agreement, an in-flight Internet purchase page or the old index file from our beloved Auto-Rickroll.

The fifth line closes the PHP processing.

In order to capture the data posted from our faux pages we’ll need to craft an error.php file. Without going into a line-by-line explanation, basically this file looks for two variables posted to it – name and pass – and writes them to the file bitches.txt

We’ll need to create the bitches.txt file in /www/ and change its permissions so issue both “touch /www/bitches.txt” and “chmod 777 /www/bitches.txt”

I have included a few lines to prevent tampering and add logging. The end of the file is basic HTML to display a faux “503 Service Unavailable” error. Again, this can be customized to your heart’s content. For example, returning to the login page may convince an unwitting user that their password wasn’t accepted and give them the opportunity to try “their other password”.

Modify a website to capture credentials

The last step in this phishing attack is to actually rip and modify the pages of our faux sites. In our example so far we’ve been using facebook.com as the target, so follow this example. Using a web browser (or getting fancy with curl or wget) save the homepage of your target site. In Chrome click the wrench menu and choose “Save page as”. Save the site as “Web page, complete”. This will save not only the HTML but create a folder including the additional image and JavaScript components.

Open the HTML file in your favorite text editor and look for the following string: form method="post". Set the action attribute to equal “error.php”.

Now check for the string input type="text" and find the username field. Change the name attribute to equal “name” if it is not so already.

Finally check for the string input type="password" and change the name attribute to “pass”.

Your faux login page is now ready to be uploaded to the WiFi Pineapple. Using a tool such as WinSCP copy the facebook.html and accompanying facebook folder to /www/ on the device.

With these three modifications your error.php script will pick up the contents of the name and pass text fields. Test this by browsing to facebook.com while connected to your WiFi Pineapple. You should see your faux login page. Entering fake credentials should bring you to error.php displaying a fake 503 error, and checking facebook.com/bitches.txt should display the captured information.

How not to fall victim to this attack

Obviously disk limitations on the WiFi Pineapple are going to prevent one from serving up faux versions of every site on the Internet, so if you’re connected to one of these devious devices and can’t access an obscure URL, something is up. You’ll also notice that navigating to facebook.com in this example forwards you to facebook.com/facebook.html, which should be a sure sign of trouble. The most obvious part about this attack is that every domain you could possibly ping is going to report back a response from 192.168.1.1, a huge red alert that you’re not in Kansas anymore.
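The two tell-tale signs above (every name resolving to the same address, and a site’s front page bouncing you to a local script) can be checked from the client side before you type a password. The following script is an added example written for this article’s mitigation section; it is not code from the original post or from the Pineapple project. The probe domain list and the addresses in its documentation are assumptions and constructed test values, not measurements, and it expects nothing beyond the Python standard library.

```python
"""Defender-side check for the captive-DNS network this article describes.

Added example, not code from the original article. It looks for the two
symptoms the mitigation section names: every probe domain resolving to one
address (the article's 192.168.1.1), and a landing page that meta-refreshes
to a bare local script. PROBE_DOMAINS is an assumption; any set of unrelated
public hosts works.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Optional, Tuple

# Assumption: unrelated public domains that should never all share one address.
PROBE_DOMAINS = ("example.com", "facebook.com", "wikipedia.org", "openwrt.org")

# Matches <meta http-equiv="refresh" content="0;url=..."> and captures the URL.
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url=([^"'>\s]+)""",
    re.IGNORECASE,
)


def resolve_all(domains, resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Resolve each domain with the injected resolver (default: the OS stub resolver).
    A failed lookup is recorded as None instead of aborting the whole probe."""
    results: Dict[str, Optional[str]] = {}
    for name in domains:
        try:
            results[name] = resolver(name)
        except OSError:
            results[name] = None
    return results


def assess(results: Dict[str, Optional[str]], min_answers: int = 3) -> Tuple[str, str]:
    """Classify a {domain: ip} map as 'ok', 'suspicious' or 'inconclusive'."""
    answered = {d: ip for d, ip in results.items() if ip}
    if len(answered) < min_answers:
        return "inconclusive", "too few successful lookups to judge"
    distinct = set(answered.values())
    if len(distinct) == 1:
        # Wildcard DNS: the dnsmasq trick answers every query with the Pineapple itself.
        ip = next(iter(distinct))
        return "suspicious", "all %d probe domains resolve to %s" % (len(answered), ip)
    private = sorted(d for d, ip in answered.items() if ipaddress.ip_address(ip).is_private)
    if private:
        # A public site should never live on an RFC 1918 address handed out by the hotspot.
        return "suspicious", "public domains resolved to private addresses: " + ", ".join(private)
    return "ok", "%d distinct addresses for %d domains" % (len(distinct), len(answered))


def meta_refresh_target(html: str) -> Optional[str]:
    """Return the URL a <meta http-equiv=refresh> tag jumps to, or None.
    A front page that immediately bounces to a relative path like redirect.php
    is the second symptom the article describes."""
    match = META_REFRESH.search(html)
    return match.group(1) if match else None


def main() -> None:
    verdict, detail = assess(resolve_all(PROBE_DOMAINS))
    print("DNS check: %s (%s)" % (verdict, detail))


if __name__ == "__main__":
    main()
```

Run it from a laptop on the suspect network; the resolver is injectable so the verdict logic can be exercised offline with a canned answer table, and `meta_refresh_target` can be pointed at the body of whatever the hotspot serves for a well-known site.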

Finally keep in mind that having two or three passwords isn’t enough. Every site needs its own secure and unique password. Consider using a password manager such as LastPass, 1Password or KeePass.

For further reading and advice on identifying phishing sites see antiphishing.org.
