Recently I was demonstrating the dangers of public WiFi, or indeed any untrusted network. Regardless of whether the WiFi has a password or not, the owner of the wireless access points can read, inspect and modify all the data you send over the connection.
To best demonstrate this I set up a rogue WiFi hotspot using a Raspberry Pi 3. The Raspberry Pi was set up to do four things:
- Act as a WiFi hotspot broadcasting a wireless network that did not have a password.
- Respond to DNS requests from all clients connected to its WiFi that had obtained their DNS server information via DHCP.
- Return the access point's own IP address when a client requested the IP address of a well-known website.
- Run a web server that returns a modified version of that well-known website.
Below I take you through the installation and configuration steps necessary to achieve this.
I used Arch Linux on the Raspberry Pi 3 and so it is necessary to follow the ARMv7 installation instructions at https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3 before continuing.
SSH into the Raspberry Pi as the alarm user (password alarm) and change both the root and alarm user passwords. (See https://wiki.archlinux.org/index.php/Users_and_groups for those unfamiliar with Arch Linux.)
For convenience and security it is recommended to disable password authentication and enable public key authentication. (See https://wiki.archlinux.org/index.php/Secure_Shell#Force_public_key_authentication for those unfamiliar with Arch Linux.)
Prepare the Raspberry Pi by executing the following commands as root (via su; see here for more information if you are unfamiliar with su).
NOTE: Confirm any prompts that you receive.
usermod -aG sudo alarm
pacman -S --needed base-devel
pacman -S git nodejs npm dnsmasq hostapd screen wget
At this point log out and log back in; you should now be able to prefix commands that need root privileges with sudo.
Create a directory called wifi and work from inside it; the files below are created in that directory.
Create a file called hostapd.conf in the current directory and populate its contents with the following:
Create a file called dnsmasq.conf in the current directory and populate its contents with the following:
# Configuration file for dnsmasq.
NOTE: Replace line 8 with whatever website you wish to redirect to the Pi for modification.
Now we need to update the system to use our local DNS server:
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo rm /etc/resolv.conf
sudo touch /etc/resolv.conf
Modify /etc/resolv.conf so its contents are as follows:
Modify hostapd.conf and dnsmasq.conf to suit your needs and then you're almost ready.
Create a file called start_ap.sh in the current directory and make it executable. Populate its contents with the following:
#!/bin/sh
# Bring up the wireless interface and give it the hotspot's address
ip link set up dev wlan0
ip addr add 192.168.30.1/24 broadcast 192.168.30.255 dev wlan0
# Start the access point defined in hostapd.conf
hostapd ./hostapd.conf &
# Forward client traffic out through the wired interface; the kernel must
# have IP forwarding enabled or MASQUERADE passes nothing
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept DHCP and DNS from clients on the hotspot network only
iptables -I INPUT -p udp --dport 67 -i wlan0 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -s 192.168.30.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 53 -s 192.168.30.0/24 -j ACCEPT
# Start the DHCP/DNS server and the web server that serves the modified page
dnsmasq -C ./dnsmasq.conf
node server.js &
Optionally, download an example modified page for example.com:
tar -xzvf example.tar.gz
You can now start the WiFi hotspot using the following:
#start the WiFi
As soon as you disconnect from SSH, the processes launched to create the AP and the node server are terminated. To prevent this, run the start command inside a screen session:
screen -S wifi
You can detach from the screen by pressing Ctrl+A and then Ctrl+D. To reattach to the screen later, SSH into the Raspberry Pi and type:
screen -x wifi
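The redirection the hotspot performs (answering a well-known name with the access point's own address) is visible from the client side if you compare what the DHCP-supplied resolver says with what an independent resolver says, and look for answers that point back at the gateway or into the local subnet. The following is an added example, not code from the original post: a small Python checker over constructed sample answers. The subnet and gateway are the ones start_ap.sh assigns; all upstream addresses are documentation-range placeholders, not real measurements.

```python
import ipaddress
from typing import Dict, Iterable, List

# RFC 1918 ranges are checked explicitly rather than via is_private so that the
# documentation addresses used in the constructed sample below are not flagged.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def assess_answer(name: str, hotspot_answers: Iterable[str], trusted_answers: Iterable[str],
                  lan, gateway) -> List[str]:
    """Return findings for one name; an empty list means nothing looked wrong.

    hotspot_answers: A records returned by the resolver the hotspot handed out via DHCP.
    trusted_answers: A records for the same name obtained over a path the hotspot
                     cannot tamper with (for example a resolver reached through a VPN).
    """
    findings = []
    hs = {ipaddress.ip_address(a) for a in hotspot_answers}
    tr = {ipaddress.ip_address(a) for a in trusted_answers}
    for addr in sorted(hs):
        if addr == gateway:
            findings.append(f"{name}: resolves to the default gateway {addr}")
        elif addr in lan:
            findings.append(f"{name}: resolves into the hotspot's own subnet ({addr} in {lan})")
        elif addr.is_loopback or any(addr in net for net in RFC1918):
            findings.append(f"{name}: public site resolves to a private/loopback address {addr}")
    # Weak signal on its own: CDN-hosted names legitimately differ between resolvers.
    if hs and tr and hs.isdisjoint(tr):
        findings.append(f"{name}: hotspot answers {sorted(map(str, hs))} share nothing "
                        f"with trusted answers {sorted(map(str, tr))}")
    return findings


def scan(hotspot: Dict[str, List[str]], trusted: Dict[str, List[str]],
         lan: str, gateway: str) -> Dict[str, List[str]]:
    """Assess every name the hotspot resolver answered; return only names with findings."""
    lan_net = ipaddress.ip_network(lan)
    gw = ipaddress.ip_address(gateway)
    result = {}
    for name, answers in hotspot.items():
        findings = assess_answer(name, answers, trusted.get(name, []), lan_net, gw)
        if findings:
            result[name] = findings
    return result


# Constructed sample data (not real measurements). Upstream addresses use the
# 198.51.100.0/24 and 203.0.113.0/24 documentation ranges.
SAMPLE_LAN = "192.168.30.0/24"
SAMPLE_GATEWAY = "192.168.30.1"
SAMPLE_HOTSPOT = {
    "example.com": ["192.168.30.1"],       # redirected to the access point itself
    "archlinuxarm.org": ["203.0.113.7"],   # passed through unmodified
    "cdn.example.net": ["198.51.100.40"],  # a different CDN node, not a redirection
}
SAMPLE_TRUSTED = {
    "example.com": ["198.51.100.10"],
    "archlinuxarm.org": ["203.0.113.7"],
    "cdn.example.net": ["198.51.100.41"],
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_HOTSPOT, SAMPLE_TRUSTED, SAMPLE_LAN, SAMPLE_GATEWAY).items():
        for line in findings:
            print(line)
```

The gateway and local-subnet findings are the strong signal: a public website has no business resolving to the router you just connected to. The "answers share nothing" finding only adds weight, because CDN-hosted names routinely return different addresses depending on which resolver asked.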
Protect against rogue hotspots
Any website that uses HTTPS establishes a secure channel that the hotspot cannot read. The hotspot can still see that you are connecting to those secure sites, but it cannot see the data you exchange with them.
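To see exactly what the hotspot still learns from an HTTPS connection, the following added example (not code from the original post) builds a real TLS ClientHello with Python's ssl module entirely in memory, then parses out the Server Name Indication it carries. The hostname is an assumed sample; no network connection is made.

```python
import ssl
import struct
from typing import Optional


def client_hello_for(hostname: str) -> bytes:
    """Build the first TLS message a client would send to `hostname`, offline.

    The handshake stops as soon as OpenSSL wants to read the server's reply,
    which never arrives, so only the ClientHello is produced.
    """
    ctx = ssl.create_default_context()
    inbound, outbound = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(inbound, outbound, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello has been written, nothing to read yet
    return outbound.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name carried in a TLS ClientHello record, or None.

    Layout (RFC 5246 / RFC 6066): 5-byte record header, 4-byte handshake header,
    then version(2) random(32) session_id cipher_suites compression_methods
    extensions. Extension type 0 is server_name.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        body = record[5:5 + rec_len]
        if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        i = 2 + 32                                        # skip version and random
        i += 1 + hello[i]                                 # session_id
        i += 2 + struct.unpack("!H", hello[i:i + 2])[0]   # cipher_suites
        i += 1 + hello[i]                                 # compression_methods
        if i + 2 > len(hello):
            return None                                   # no extensions at all
        end = i + 2 + struct.unpack("!H", hello[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[i:i + 4])
            data = hello[i + 4:i + 4 + ext_len]
            i += 4 + ext_len
            if ext_type != 0:
                continue
            j = 2                                         # skip server_name_list length
            while j + 3 <= len(data):
                name_type = data[j]
                name_len = struct.unpack("!H", data[j + 1:j + 3])[0]
                j += 3
                if name_type == 0:                        # host_name
                    return data[j:j + name_len].decode("ascii")
                j += name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


if __name__ == "__main__":
    hello = client_hello_for("example.com")  # assumed sample hostname
    print(f"ClientHello is {len(hello)} bytes; hostname visible in clear text: {extract_sni(hello)}")
```

The hostname is the one thing in the exchange the hotspot can read; everything after the handshake is encrypted to a key only the real site holds. That protection depends on the browser's certificate check, so a certificate warning on an untrusted network should be treated as exactly the attack this post demonstrates, not clicked through. Encrypted Client Hello (ECH) is the TLS extension designed to close this remaining metadata leak as it is deployed.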
The best possible protection is to use a VPN. This creates a secure tunnel to a third party, so all your traffic is protected from the hotspot owner; you are then trusting the VPN provider with that traffic instead.