This guide builds on the Auto-Rickroll payload for the WiFi Pineapple. Following this guide you will be able to create a self-contained WiFi Pineapple or similar OpenWRT based wireless access point serving up faux websites to capture login credentials. The purpose of this article is to point out the simplicity of a phishing attack using the dnsmasq technique of the Auto-Rickroll payload, and how you can protect yourself from similar attacks. See the mitigation section at the bottom of the article for defense advice.

Demonstration

Before beginning please follow the instructions outlined in the Auto-Rickrolling WiFi-Pineapple article. Once complete we will:

  1. Install PHP and dependencies
  2. Configure PHP and HTTPD
  3. Testing the PHP installation
  4. Write redirection and capture scripts
  5. Modify a website to capture credentials

Install PHP and dependencies

The installation of PHP on OpenWRT is pretty straightforward. Considering the size and power limitations of a typical embedded device such as the WiFi Pineapple, and what we’re trying to achieve, I have opted for the PHP 4.x build rather than the newer 5.x. Feel free to deviate if your needs require the newer features of PHP 5.

Begin by downloading and installing the following packages from downloads.openwrt.org: libopenssl_0.9.8i-3.2_mips.ipk, php4_4.4.7-1_mips.ipk, php4-cgi_4.4.7-1_mips.ipk and zlib_1.2.3-5_mips.ipk


Alternatively, everything required for this hack can be downloaded in this archive.

Copy the package files (*.ipk) to the WiFi Pineapple in /root/ using the scp command in Linux or an SCP utility in Windows like WinSCP or Plink.

Open a shell on the WiFi Pineapple using your ssh client of choice (on Windows I recommend PuTTY) and log in as root. You should already be located in /root/ after logging in. Issue the “pwd” command to be sure, or change directory to /root/ with “cd /root/”. Verify that the packages have been copied by issuing “ls” to list the contents of the directory. You should see the four package files listed. To install them all issue “opkg install *.ipk”.

After a few moments each package should be installed. Now it is time to configure PHP and the HTTP server.

Configure PHP and HTTPD

Two changes need to be made in order for the HTTP server to recognize .php files and process them correctly.

First we’ll need to add a line to /etc/httpd.conf, so either open it with your favorite text editor (vi is already installed) or simply issue the command “echo '*.php:/usr/bin/php' >> /etc/httpd.conf”. Verify that the line has been added with “cat /etc/httpd.conf”.


Next we’ll need to add a line to /etc/php.ini. Again open the file in an editor or add the line with “echo 'cgi.force_redirect = 0' >> /etc/php.ini” and verify with “grep cgi.force_redirect /etc/php.ini”.


Now restart the web server either by issuing “/etc/init.d/httpd restart” or simply rebooting the WiFi Pineapple with the “reboot” command. It’s also safe to simply unplug the power and plug it back in.

Once the HTTPD and PHP configuration files have been modified and the server has restarted we can move on to testing the PHP installation.

Testing the PHP installation

PHP has a handy little function for testing its installation. If you rebooted your WiFi Pineapple you’ll need to log back into a shell as root. Once situated, change directory to /www/ with the “cd /www/” command. Now we’ll need to create a test.php file, so issue “echo '<?php phpinfo(); ?>' > test.php”. Verify that the string has been written to the file with the command “cat test.php”.


With the file written we can test the php install by navigating to test.php on the web server. Remember, following the instructions from the Auto-Rickrolling WiFi Pineapple article we’re able to get to the web server from any URL requested. Based on the dnsmasq.conf, there is no difference between example.com and google.com. Pointing your browser to, say, http://example.com/test.php should yield the following results:


Write redirection and capture scripts

Given that the dnsmasq.conf file will send any URL requested to the root of the web server we will need to write a small PHP script to identify the requested URL and present the user with the corresponding page. Once the user logs into the faux page we’ll use an error.php script to capture the credentials and log them in a file.

Unfortunately at the time of writing I have been unable to convince the tiny web server to process php files as indexes. The cheap workaround for now is to write a simple meta redirect index.html file that points to our redirect.php script for the actual processing. Hopefully this step can be removed in the future, but for now you’ll need to open the index.html file in /www/ using your favorite editor and replace the contents with the following:

<html><head><meta http-equiv="REFRESH" content="0;url=redirect.php"></head>
<body></body></html>

Now for the fun page. Create a redirect.php file with the command “touch redirect.php” and open it with a text editor, for example “vi redirect.php”.

Note: If you’re new to vi here’s a bare-minimum introduction: There are two modes to vi, command mode and insert mode. By default you’ll be in command mode. Press “i” to enter insert mode allowing you to type into the file. Press ESC to get back to command mode. The command “:x” saves and quits. Learn more about using vi.

Here’s an example redirect.php script. Modify as you see necessary. We’ll break it down line by line.


<?php
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

if (strpos($ref, "facebook") !== false) { header('Location: facebook.html'); exit; }

require('peets.html');

?>

The first line tells PHP to start processing the following lines of code.

The second sets the value of the variable “ref” as the HTTP_REFERER. This variable is obtained from “_SERVER” and basically tells us what URL the client is coming from. Since dnsmasq.conf is set to send any website to the root of our web server this could be anything.

The third line uses the strpos function to look inside the “ref” variable that we just set and see if the word “facebook” is somewhere inside. This means that both “http://facebook.com” and “http://www.facebook.com” would match. Note: the same goes for facebooksucks.com or any variation that contains the string “facebook”.

If the word “facebook” is found in the variable “ref” the function header will set the location of the browser to facebook.html – a file we’ll create here in a minute.

To phish multiple domains you would create additional similar if statements customized to the URLs desired.

The fourth line will only be processed if none of the conditions above is true. In our example we’re only looking for facebook, but the list could be more extensive. The require function tells PHP to load up the contents of the file, in our case peets.html. This could be anything from a terms of service agreement, an in-flight Internet purchase page or the old index file from our beloved Auto-Rickroll.

The fifth line closes the PHP processing.

In order to capture the data posted from our faux pages we’ll need to craft an error.php file. Without going into a line-by-line explanation, basically this file looks for two variables posted to it – name and pass – and writes them to the file bitches.txt.

[screenshot of error.php; the script itself is not reproduced in the text]

We’ll need to create the bitches.txt file in /www/ and change its permissions so issue both “touch /www/bitches.txt” and “chmod 777 /www/bitches.txt”

I have included a few lines to prevent tampering and add logging. The end of the file is basic HTML to display a faux “503 Service Unavailable” error. Again, this can be customized to your heart’s content. For example, returning to the login page may convince an unwitting user that their password wasn’t accepted and give them the opportunity to try “their other password”.

Modify a website to capture credentials

The last step in this phishing attack is to actually rip and modify the pages of our faux sites. In our example so far we’ve been using facebook.com as the target, so follow this example. Using a web browser (or getting fancy with curl or wget) save the homepage of your target site. In Chrome click the wrench and choose “Save page as”. Save the site as “Web page, complete”. This will save not only the HTML but create a folder including the additional image and JavaScript components.


Open the HTML file in your favorite text editor and look for the following string: 'form method="post"'. Set the form’s action attribute to equal “error.php”.


Now check for the string 'input type="text"' and find the username field. Change its name attribute to equal “name” if it is not so already.


Finally check for the string 'input type="password"' and change its name attribute to “pass”.


Your faux login page is now ready to be uploaded to the WiFi Pineapple. Using a tool such as WinSCP copy the facebook.html and accompanying facebook folder to /www/ on the device.

With these three modifications your error.php script will pick up the contents of the name and pass text fields. Test this by browsing to facebook.com while connected to your WiFi Pineapple. You should see your faux login page. Entering fake credentials should bring you to error.php displaying a fake 503 error, and checking facebook.com/bitches.txt should display the captured information.

How not to fall victim to this attack

Obviously disk limitations on the WiFi Pineapple are going to prevent one from serving up faux versions of every site on the Internet – so if you’re connected to one of these devious devices and can’t access an obscure URL, something is up. You’ll also notice that navigating to facebook.com in this example forwards you to facebook.com/facebook.html – which should be a sure sign of trouble. The most obvious part about this attack is that every domain you could possibly ping is going to report back a response from 192.168.1.1 – a huge red alert that you’re not in Kansas anymore.
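The “everything resolves to 192.168.1.1” symptom above can be checked automatically. The following is an added, defender-side example and not code from the original article: it resolves a few unrelated, well-known domains plus a constructed name that cannot exist, and reports the signatures of a wildcard-DNS access point (one identical answer for every name, public sites answering with a private address, and a nonexistent name that still resolves). The probe domain list and the nonexistent name are assumptions chosen for this example.

```python
"""Detect a wildcard-DNS (dnsmasq address=/#/...) rogue access point.

Added example, not part of the original article. The attack described above
makes dnsmasq answer every name with the access point's own address
(192.168.1.1 in the article), so resolving a handful of unrelated domains
and seeing one identical private answer for all of them is a strong signal.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Unrelated, well-known names that legitimately never share one IP address.
# (Assumed probe set; any few unrelated public domains will do.)
PROBE_DOMAINS = ("example.com", "facebook.com", "twitter.com", "openwrt.org")

# A name that should NOT exist; a real resolver returns NXDOMAIN for it.
# (Constructed for this check; the label is random-looking on purpose.)
NONEXISTENT_DOMAIN = "qz7v3m1k-does-not-exist.example"

# A resolver maps a hostname to an IPv4 string, or None when it does not resolve.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS stub resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def resolve_all(domains: Iterable[str], resolver: Resolver) -> Dict[str, Optional[str]]:
    """Resolve every probe domain with the given resolver."""
    return {d: resolver(d) for d in domains}


def assess(answers: Dict[str, Optional[str]], bogus_answer: Optional[str]) -> List[str]:
    """Return the list of indicators found (an empty list means nothing suspicious).

    answers      - probe domain -> resolved address (None = did not resolve)
    bogus_answer - address returned for NONEXISTENT_DOMAIN (None = NXDOMAIN)
    """
    indicators: List[str] = []
    addrs = [a for a in answers.values() if a is not None]

    # 1. Every probe domain resolved to exactly one address: the wildcard signature.
    if addrs and len(addrs) == len(answers) and len(set(addrs)) == 1:
        indicators.append("all probe domains resolve to %s" % addrs[0])

    # 2. Public sites answered with a private (RFC 1918 / link-local) address:
    #    the answer is the access point itself, not the real site.
    private = [a for a in addrs if ipaddress.ip_address(a).is_private]
    if private and len(private) == len(addrs):
        indicators.append("public domains resolve to private addresses")

    # 3. A name that cannot exist still resolves: the resolver answers everything.
    if bogus_answer is not None:
        indicators.append("nonexistent name resolves to %s" % bogus_answer)

    return indicators


def check_network(resolver: Resolver = system_resolver) -> List[str]:
    """Run the three checks against a resolver (the OS resolver by default)."""
    answers = resolve_all(PROBE_DOMAINS, resolver)
    return assess(answers, resolver(NONEXISTENT_DOMAIN))


if __name__ == "__main__":
    found = check_network()
    if found:
        print("WARNING: DNS answers look hijacked:")
        for line in found:
            print("  -", line)
    else:
        print("DNS answers look normal.")
```

Run it while connected to an untrusted hotspot; the resolver argument exists so the logic can also be exercised offline against a fake resolver.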

[screenshot: ping facebook.com replying from 192.168.1.1]

Finally keep in mind that having two or three passwords isn’t enough. Every site needs its own secure and unique password. Consider using a password manager such as LastPass, 1Password or KeePass.

For further reading and advice on identifying phishing sites see antiphishing.org.

Category:

Hack, WiFi Pineapple


51 Comments

  • Davidbl 3 years ago

    Hey Darren,

    The “default index” fix is not so simple unfortunately…
    Or at least I’m just doing it the hard way ;)

    Anyhoo, the source for httpd 1.11.2 states that I: is the right way to tell what default index page is to be used. But this does not work. I’m suspecting that httpd.c has been statically compiled with this information or I’m unable to mark up the config file correctly.

    I’ve updated the busybox httpd to 1.18.4 and the same httpd.conf works like a charm! I now serve up index.php so I can do all the “redirecting/include” transparently.

    I’ve even been able to set up an E404: so I can catch all URLs!

    Yummie ;)

    Cheers Dave

    • Good call Dave! Thanks. Mind sharing your E404 code?

    • Hey Dave,

      Can you post your .config for compiling busybox? I’d really appreciate it. I find menuconfig a bit confusing (for example, where is “free” or is it included by default? I looked everywhere).

      I compiled busybox w/ only httpd support and called it busyboxU (just to get httpd 1.11.2 to work) although I would like to just upgrade everything.

      ~AJ

      (I just learned how to “cross-compile” … YAY!!!)

  • Local User 3 years ago

    So based on Dave’s input can I just rename the redirect.php to index.php after updating or is there a better way to do the “redirecting/include” transparently? What’s the best way to implement the custom E404? Darren can you use this information and update the above tutorial? Thanks.

    • Keep in mind that the $_SERVER['REFERER'] variable is being sent to the redirect.php file from the index.html meta redirect. If you fix the index.php bug and go that route you’ll need to pull the site URL from $_SERVER['SERVER_NAME'] or $_SERVER ["SCRIPT_URI"]

      Thanks to Digininja for sending that tip by.

  • Hey,

    I’m really feeling stupid here but I can’t get the PHP to work properly on my Fon. I can’t find the httpd.conf file in the /etc folder so I just made one, without luck; I also tried another one which I found in /karma/etc/ but also without any luck. Any help would really be appreciated. Great show though!

    Thanks in advance

  • jimiz 3 years ago

    I am able to add the files and RickRoll but I can’t seem to get php to serve any php pages. every time I hit 192.168.1.1/test.php it tries to save the php file.

    I can run php -v on the pineapple and get the version but the http server won’t serve php

    Added the necessary elements to httpd.conf

    Could it be
    *.php:/usr/bin/php
    vs
    .php:/usr/bin/php

    • rtdev42 3 years ago

      I am having the same problem. I can run php -v on the pineapple, but when I try to hit any php pages the browser tries to save the file.

      Has anyone found a solution?

      • I had the same experience until setting cgi.force_redirect to 0 in /etc/php.ini

        • rtdev42 3 years ago

          Thanks, that pointed me in the right direction. For some reason I needed an = sign before the 0. Works now, Yessss!

          Last line in /etc/php.ini
          .
          .
          cgi.force_redirect = 0

          Thanks for your help.

  • Landon Mayo 3 years ago

    issue “grep cgi.force_redirect /etc/php.ini”

    check third line down if it looks like this:
    ; cgi.force_redirect = 1

    change it to this (using vi)
    cgi.force_redirect = 0

  • Fixed my previous issue with the fix above. BUT my $ref variable is always empty, so I think there isn’t an HTTP_REFERER sent. Tried that with Firefox 4 on WinXP and Win7; does anyone have the same issue?

    Thanks

    • I have been having the same issue as “Apex”. No matter what site I pull up on any device it always goes to the “peets.html” file via the redirect.php. If I go to facebook.com, same thing. If I add facebook.html to the end of any URL it looks as I would expect with the faux facebook page. I am sure I am missing something very simple but I need a second set of eyes to see it.

      Thanks in advance.

    • Made a few tests and believe that the issue does lie with the HTTP_referer being empty.

  • Having the same issue as Apex & Cory.
    Used the download package http://hak5.org/wp-content/uploads/2011/05/phish-pineapple.zip in order to save time and make sure that there were no typing errors. However I think there is something missing here.

    P.S. Luv HAK5 keep on with the good work.

  • MicahC 3 years ago

    I am also having the same issue as cory and apex. I have tried $_SERVER['SERVER_NAME'] or $_SERVER["SCRIPT_URI"] and other redirection scripts to no avail. How can I fix this?

  • Hey guys,

    After updating httpd to 1.11.2 and using index.php, I started using $_SERVER['HTTP_HOST'] to figure out what page to display.

    This is how you should check w/ ‘HTTP_POST’
    $ref = $_SERVER['HTTP_HOST'];
    if (strpos($ref, "facebook") !== false) { include "facebook.htm"; }

    For future reference, print_r($_SERVER) is a very helpful command. It prints out everything stored in the $_SERVER array, making it easy to Ctrl-F > facebook and figure out what entry to use.

    Hope that helps!

    ~AJ

    • Thanks for…
      I believe the problem is to do with the $_SERVER['HTTP_REFERER'] and which browser is being used. I have tested the setup with Chrome and it works fine. However with IE it does not. IE and some software firewalls prevent the $_SERVER['HTTP_REFERER'] from taking a value for security reasons.
      An alternative approach could be based on alias DNS records and a web server that supports host headers. This can easily be achieved for example with a Windows server running the IIS and DNS roles. However here we are moving away from the portability, self-containment, and low cost of the little FON 2100 based Pineapple.
      As a matter of interest you mentioned that you updated httpd 1.11.2 to 1.18.4, so that you could use index.php. I would be most grateful if you could maybe share the method with us. Many thanks in advance for your input.

      • How to update to httpd 1.11.2: (Note: Linux users only)

        – Download Busybox 1.18.4 source from BusyBox website.

        – Extract

        – Download a mips cross-compiler: http://landley.net/aboriginal/downloads/binaries/cross-compiler-mips.tar.bz2

        – Extract

        – Insert the bin folder in the cross-compiler-mips folder into PATH. Command: PATH=$PATH:/path/to/compiler/bin

        – CD into BusyBox source folder.

        – Run: make allnoconfig

        – Wait until it has finished and run: make menuconfig

        – In networking tools, select “httpd” and leave all of the sub-options selected.

        – Exit and save the configuration

        – Run: make CROSS_COMPILE=mips-

        – Rename the “busybox” binary that was compiled to “busyboxU” (or anything different than “busybox”) and scp it to Fon

        – Place “busyboxU” in /bin and edit /etc/init.d/httpd and replace “/bin/httpd” near the top with “/bin/busyboxU”

        – Reboot

        That is how I got it to work. Let me know if you have any problems.

        ~Rain

        • Could someone who has the same problems as me confirm whether this works?

          Thanks

        • Using Linux Ubuntu 11.04.

          Downloaded and extracted the MIPS cross compiler to the root of the file system. http://landley.net/aboriginal/downloads/binaries/cross-compiler-mips.tar.bz2

          Downloaded and extracted http://busybox.net/downloads/busybox-1.18.4.tar.bz2 to \home\”USER”\Downloads\busybox-1.18.4

          In a terminal session PATH=$PATH:/cross-compiler-mips/bin.
          Checked that the above has been added to the PATH by running: echo $PATH which it had.

          Changed directory to \home\”USER”\Downloads\busybox-1.18.4
          Run: make allnoconfig

          Run: make menuconfig
          HOSTLD scripts/kconfig/mconf
          HOSTCC scripts/kconfig/lxdialog/checklist.o
          In file included from scripts/kconfig/lxdialog/checklist.c:24:0:
          scripts/kconfig/lxdialog/dialog.h:31:20: fatal error: curses.h: No such file or directory
          compilation terminated.
          make[2]: *** [scripts/kconfig/lxdialog/checklist.o] Error 1
          make[1]: *** [menuconfig] Error 2
          make: *** [menuconfig] Error 2

          Any help would be most appreciated. Thanks in advance:)

  • Local User 3 years ago

    Project = FAIL

    This only seems to work with Chrome Browser and most users will be using explorer or safari as they don’t know any better. Unless we can get this to work with all the basic browsers this project will remain as a “proof of concept” only.

    Love the jasager and pineapple.
    HAK5 Rules.

  • HearNoEvil 3 years ago

    I’m not sure if this setup provides a DNS server, but if we have DNS on the “victim”, can’t we just tell the browser that facebook.com is at a certain port on 192.168.1.1? facebook.com could be 192.168.1.1:5678, twitter.com could be 192.168.1.1:7890?? I just thought that since webif and jasager web interfaces could show up on different ports on the pineapple, why not Facebook and Twitter?

  • Remember this is proof of concept. It would not be a good idea to deploy this on “anybody” in the “real world”. The driving factor for these projects is to help us understand the underlying infrastructures and to try to protect them from such exploits, as IT pros should do…

  • cwb020 3 years ago

    It works with google Chrome but how can I make it work with internet explorer?
    Perhaps someone has an working redirect.php which works with internet explorer and safari

  • First of all thanks for the replies; it works flawlessly but only in Chrome. So wouldn’t it be possible to do it with a VirtualHost for every site you want to phish? I wasn’t able to make the setup right or maybe it just doesn’t work… conclusions?

  • Emmett 3 years ago

    I received my pineapple a couple of days ago and was able to quickly get up and running; however, I notice that the signal gets weaker the longer the pineapple is on. I have my pineapple located near my laptop but the signal seems to fade. Has anyone else encountered this problem?

    Thank for the help and input.

    • Modem 3 years ago

      i’ve been having the same issue.. have to unplug just to get signal back and then it drops.. have you found a solution??

  • @apex Thats what I have been working on, sort of. I am working on creating a landing page like the RickRoll and then several different sign in options.
    Pineapple works great. Was able to SSH into it from Epic4G and view Karma’d clients. Flawless…

  • In your index.php file instead of using header() you can use Include() or require() and it will display with appending the /facebook.html or /twitter.html

  • Sounds like several of you were having the same issue as I am now, but I’m having a hard time understanding which fix fixed what. Could someone create a thread on the forum with updated instructions :-)

    Thanks!

  • Arsenius 3 years ago

    Any fix already? Haven’t found a forum post, and I also have the problem that it always goes to peets.html.

  • Chacka 3 years ago

    Does using a VPN protect you in this case? Any tools that I should have on my Mac to protect me from this or at least alert me that something fishy is going on?

  • timothy88 3 years ago

    The instructions seem fairly complicated to me. I guess I am a noob. Can someone please confirm
    1) If the Phishing attacks work with IE and firefox?
    2) How hard/easy for someone like me to get it working with very little programming experience

    Thanks in advance

  • httpCRASH 3 years ago

    Hi,
    I get an “Internet Explorer cannot show the page” error when I try to go to my test.php… I can access other non-php files fine in the www folder..
    I just can’t figure out why I don’t at least get a file download when I try to access the php file… anyone got an idea??

    i got the following packages installed:


    • httpCRASH 3 years ago

      Just found out that if I run /usr/bin/php test.php from the command line I get the expected output, so PHP seems to work…
      but still can’t figure out why it’s not giving me any response in the browser… puzzled

    • httpCRASH 3 years ago

      never mind.. got it working.. :o)

  • Hi to all.. any fix? I also downloaded the zip.. copied exactly per the instructions.. I can’t seem to make it work. Please help

    • httpCRASH 3 years ago

      mine worked after i changed
      cgi.force_redirect 0
      to
      cgi.force_redirect = 0

      and restarted the webserver…

      (like Arsenius)
      but for some reason after I connect to the wifi, all sites I go to forward to peets.html even when I go to facebook.com, so the redirect doesn’t work right even though I used the one downloaded here :o

      and after a couple of requests the router no longer broadcasts the SSID, and terminates all connections.
      When I restore the “original” pineapple/karma config files the radio stays on, and the router works perfectly again

  • Exactly.. same problem.. doesn’t work as in the video. Goes to peets.html, not facebook or twitter etc.. hope this one will be fixed

  • Manuel 2 years ago

    If the signal on your Pineapple is getting weaker, it might be because at some point you turn on the pineapple without plugging in the antenna, NEVER TURN ON ANY ACCESS POINT, ROUTER, WITHOUT THE ANTENNA

    • httpCRASH 2 years ago

      With the FON this is happening when running the jasager firmware, but not with a standard openwrt, so what you’re saying makes NO sense..

      I have always used an antenna, but also have this problem…

      What I have found out was that mine seems to become unstable when the FON gets warm; mine seems stable when I set the antenna output to 10 dBm.
      I have ordered a big heatsink for mine, and will make a mod when it arrives to see if that solves the problem for good.

  • HttpCRASH 2 years ago

    Hi,
    I found a workaround, so that the redirect works correctly for all browsers…
    Or actually I’m moving the redirect from PHP to the webserver..

    Moved HTTPD to port 81 (can also be completely stopped)
    Installed lighttpd
    Moved facebook files to own www folder
    Moved twitter files to own www folder
    Renamed the html files to index.html
    Copied the error.php to each subfolder
    set up vhosts for each domain in lighttpd.conf
    Set up php in lighttpd.conf
    Restarted lighttpd

    And Bingo, now it works

  • ignacio 2 years ago

    dear all

    I installed php4 on the Pineapple 2 following the phishing exercise.
    I wrote a PHP page and uploaded it to the Jasager and a ctype error happened.
    I realized then, using the phpinfo function, that the module was not installed.
    I tried to search for it on the OpenWRT website and it doesn’t exist.
    Could you be so kind as to give me a tip for this problem?

  • Hi,

    Did this today on my home network just for fun. (home from work sick..)

    FYI and future reference:
    The username is not stored in the “name” variable any more..

    It is in.

    Changed the “error.php” to read.

    $nam = stripslashes($_POST['email']);

    This solved My problem.

    //G

  • Actually I have one question: I did this same thing on a Linux server. Is it possible that we can do it on Apache 2.4 on Windows?
    Thanks

  • This kind of phishing attack has been useful, but now it’s useless. Most browsers nowadays (2014) will force the user to use https on facebook, which will make this attack ineffective. Please tell me if anyone has already figured this out.

    • C0D3MAN 1 month ago

      Anyone with the new Mark v Pineapple I have everything working with my own custom php scripts. Email me if anyone wants to know how to get this going I can publish my files. I will try to do a writeup and post it somewhere soon.