A wolf in sheep’s clothing. How to transform an ESP8266 into a sham access point and steal victims’ passwords

Free_Wi-Fi… People sitting in a food court or airport lounge are delighted to see this message on their smartphones. Everybody likes free stuff. But, as you are well aware, the only free cheese is in the mousetrap. What are the dangers of free Wi-Fi?

It is no secret that operators of open networks offering free Internet access can easily intercept the traffic and collect information about your habits and preferences (including your favorite sites and search queries). Consider yourself lucky if this information is merely sold to advertisers researching demand for goods and services. Much worse scenarios are possible as well.

In many countries, legislation requires open access points deployed in public places to be secured by mandatory authentication of users via their mobile phones or social networks. But this seemingly noble cause has given rise to new vulnerabilities that exploit human weaknesses. Furthermore, a small malicious project capitalizing on people’s credulity was born.

WARNING

All information provided in this article is intended for educational purposes only. Neither the author nor Editorial Board can be held liable for any damages caused by improper usage of this publication.

What is it all about?

The project uses the ESP8266 controller created by our Chinese colleagues (and repeatedly mentioned in articles published in HackMag and on GitHub) as a ‘wolf’ to be draped in sheep’s clothing. To be specific, the controller is transformed into an autonomous access point and web server. The name of this access point is “Free_Wifi”, and it doesn’t require a password. As soon as the access point is deployed, the majority of smartphones and other mobile devices located within its range will prompt their owners to connect to an open Wi-Fi network – even if they never requested the list of available networks (this has been experimentally proven on Android 9 and the latest iOS version). Credulous users, who rarely rely on their common sense, tap a drop-down notification with a lucrative offer and see (without even opening their browsers!) the registration page shown below.

Login page of an open network

This is a standard welcome page used by many open access points; it offers to authenticate by providing your e-mail, password, and phone number or, alternatively, you can enter an authorization code (if you have one). Normally, the victim mindlessly enters the requested data and gets a notification that a text message with the authentication code is coming soon. In reality, the data provided by the victim are saved to an SD card installed on the device and displayed on its OLED screen.

Intercepted data

Overall, the device acts as a sham access point with an enticing name; it forces nearby devices to react to its connection invitations and steals users’ credentials.

What’s next?

In the worst-case scenario, the device brings you an active e-mail address and phone number of a naive user. In the best-case scenario, you also get a password supposedly used by that person to log into other services.

Ask yourself: do you use a unique password for each and every service? A rhetorical question… But even without an active password, it is possible to draw certain conclusions about the victim. The stolen e-mail address and phone number would be very useful for subsequent attacks: from sending advertising e-mails and text messages to hacking the victim’s e-mail and social networks accounts. At least, you can get the phone and e-mail of that girl next door you are in love with…

As you can see, unknown open networks pose severe risks!

The birth of the wolf

To implement this project, you will need either an ESP8266 NodeMCU or an ESP32 (but the code for it should be slightly modified). Equip yourself with a soldering iron, a prototyping board, and other tools. The device you are to assemble also includes a microSD card adapter, an OLED display (128 x 32 pixels) with an SSD1306 controller and I2C interface, and a beeper from an old PC case. The circuit is shown in the diagram below. You may either solder the parts or install and connect them on a breadboard.

Schematic diagram of the device

I assume that you have some experience in dealing with ESP and Arduino IDE boards. If not, please refer to numerous online manuals providing step-by-step instructions on how to configure an Arduino IDE for ESP8266 programming.

The only additional library you need is the library for OLED displays; it can be downloaded here. The U8g2 folder containing the library should be placed in the libraries folder of the Arduino working directory. The path on Windows is \user\My Documents\Arduino; on Linux, /home/user/Arduino.

Important: not all ESP modules are suitable for this project. Some of them don’t have enough memory to store the firmware and an additional file. Some modules don’t have enough pins to connect all the required peripherals (the project includes as many as three peripheral devices). The following ESP8266 variants have been successfully tested: NodeMCU V3, V1, and V0.9.

ESP-12 is an excellent variant: it has all the required pins and enough memory. ESP-07 is a good variant, too, but you should select the revision carefully: some models have only 1 MB of RAM, while others have 3 MB. A great advantage is the connector for an external antenna.

Various ESP models

The leftmost module is unsuitable for the project: its memory is insufficient and it lacks some of the required pins. The ESP-201 module is not a good choice either: it is very buggy. The NodeMCU boards shown below would fit perfectly.

All these NodeMCU boards are suitable for the project

All components can be purchased on AliExpress. Their full list is as follows:

  • NodeMCU module;
  • ESP-12 module;
  • OLED display 128 × 32; and
  • SD module.

If you use a soldering iron, make sure to select wires with good conductivity, durability, fire resistance, and longevity characteristics.

The soldering iron must not be too powerful; the best option is a station with regulated temperature and galvanic isolation. Static discharges can easily kill the controller. I recommend soldering such devices in antistatic gloves or with a grounding wrist strap.

First, connect the ground buses of all boards and only then start soldering the other pins. Use a gel or liquid flux, but not an active flux and, of course, not an acid-based one.

After soldering, thoroughly wash the board with ethanol, acetone, or a special flux-removal solution. Flux residue may cause parasitic connections between the controller’s pins, especially on analog inputs.

Carefully check everything you solder against the diagram. All pins shown in the diagram correspond exactly to their labels on the boards (they are marked identically). Pay special attention to the power pins. On the NodeMCU board, there are two types of them: 5V and 3.3V. SD card modules are normally equipped with voltage converters, so this module can be powered from the 5V pins. Such a solution is optimal: the converter on the NodeMCU board (the one powering the Wi-Fi module and display) is not really powerful, and it’s better not to overload it.

So, you have assembled the board and checked the power, connections, and drivers in the system. If a bare ESP module is used in your circuit, you have to connect it in accordance with the datasheet of the specific variant (including pulling some pins up or down with resistors; all the required information is available on the Internet). The diagram below shows the wiring for ESP-07 (ESP-12 is connected in the same way). The module won’t work without the resistors (especially on the CH_PD pin), and you won’t be able to flash it without activating the FLASH pins.

Connection scheme for a separate module

The buzzer/beeper is passive (i.e. it has no built-in generator). You can take one from an old PC case. Keep in mind that the display must use an SSD1306 controller. As for the SD card adapter, it must be equipped with a 3.3V converter because both the controller and the card require this voltage.

If there is no converter, power the adapter from the MCU’s 3.3V pins – but not 5V! Otherwise, bid farewell to your module. The same applies to the display: even though it is equipped with a converter and is, in fact, tolerant of 5V, its I2C interface is not. Therefore, I strongly recommend powering it from the 3.3V source, too.

In addition, I suggest purchasing a power bank charger module for Li-ion batteries. It can generate electric current up to 1A and has a built-in 5V DC-DC STEP-UP. This is exactly what you need to power the system.

A fully charged 18650-type battery can power the device for a long time. Its total power consumption is some 120 mA, while the capacity of a 18650-type battery is 1800-3200 mAh, so you can easily calculate the battery lifetime for your device. Important: the 5V supply should be applied to the VIN pin of the NodeMCU board, because, when running on a battery, it is impractical to power the board via the USB port.

And the last important aspect: if you use bare modules (i.e. without a development board), keep in mind that all of them require 3.3V power sources. Suitable voltage converters are available in stores; a 500 mA rating should be sufficient. In the future, I intend to enable the device to make voice notifications by equipping it with a WTV020 audio/sound module. Wouldn’t it be nice to hear a pleasant female voice notifying you about yet another victim?…

Charger module with a voltage converter

Time has come for truly exciting stuff… 🙂

Sewing sheep’s clothing

The firmware used by the device is a slightly modified version of the code developed by our colleague 0xRM.

There is nothing really sophisticated in it; the key lines are commented. The notes file (a mapping of sound codes for the beeper) must be stored in the same directory as the firmware file; it will appear in the project window as a separate tab.

The program code contains the authentication web page encoded in Base64 (this is the longest and virtually unreadable string). This is because I am a lazy hacker and opted not to convert the authentication page into a separate HTML file. I intend to do so with the next project upgrade.

The ESP microcontroller has an exciting feature: it can read and execute program code not from its own memory, but from an SD card. I haven’t personally tried this feature yet, but it is on my schedule. I also plan to modify the authentication method by deploying 2-3 phishing pages on the SD card (e.g. Google, VK.com, and Instagram authentication pages), and the login page will offer victims the option to authenticate via these sites.

In addition, after receiving the victim’s credentials, it would be great to show the victim a realistic-looking error page to prevent any suspicions. All security systems in the world won’t detect the spoof because the fake web node is located on the device and not connected to the real Internet. As you can see, the project has plenty of room for improvements and upgrades.

The phishing page’s authentication logs are stored on the SD card, while the screen displays the credentials of the last victim and the total number of victims. Now you understand why it is so important to equip the device with an SD card. The program code can be downloaded from the project page on GitHub.

While selecting the controller board in Arduino IDE, pay attention to the parameters of the selected model. The screenshots below show the settings applied to each board type:

Settings for NodeMCU boards

Settings for the ESP-12 module

Settings for the ESP-07 module

At startup, you will see a greeting message on the display; then the device will notify you of an attempt to initialize the memory card. If there is no such card, the device will emit three warning beeps and continue executing the program.

The program displays notifications of all operations currently being performed. After performing all operations specified in the program, the device plays a melody: it means that the access point has been successfully deployed, and the device is up and running.

The screen will also display the battery level, the counter of connected clients, and the number of authenticated users. Every time a new victim enters their credentials, you will hear a melodious signal. The file with authentication logs is saved on the memory card, which must be formatted as FAT32; otherwise, it won’t work.

The fully assembled device

Conclusions

As said above, the project can be improved in many ways. For instance, an ESP-07 module with an external antenna would greatly increase the device’s range. The wolf in sheep’s clothing may offer potential victims the option to authenticate via social networks and show them realistic-looking phishing pages with login and password fields.

This makes it possible to steal login credentials that can subsequently be used for various purposes, including not-so-legal ones. Furthermore, some scripts can take photos using the front cameras of victims’ devices. Such scripts can be embedded in the fake web pages hosted by your mini-server.

Another interesting scenario: you can add the logon data of a real open access point to the firmware of your device, deploy a copy of this access point, and disable the real access point using an ESP8266 microchip… Overall, there are plenty of exciting possibilities, and your creative freedom is limited only by the scope of your fantasy. Good luck!
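The two lures the article describes, an open network with a tempting name (“Free_Wifi”) and a cloned copy of a real access point, both leave traces in an ordinary Wi-Fi scan. The example below is added here as a defender-side check and is not code from the article or from the 0xRM project: it parses lines in the terse output format of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list`, flags open networks whose names are built to attract taps, and compares every SSID you trust against a baseline of known BSSIDs and security settings so that a second, open “CafeNet” advertised by an unknown radio stands out. The sample scan lines, the `LURE_WORDS` list and the `TRUSTED` baseline are constructed for the example; tune the baseline to your own site.

```python
"""Flag open 'free Wi-Fi' lures and evil-twin SSIDs in Wi-Fi scan output.

Added example (not from the original article): reads lines in the terse
format produced by `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list`
and reports the two kinds of bait described in the text.
"""
import re
from dataclasses import dataclass

# nmcli -t separates fields with ':' and escapes colons inside values as '\:',
# so split only on colons that are not preceded by a backslash.
_FIELD_SPLIT = re.compile(r"(?<!\\):")

# Words that make an open network sound like a gift (assumed list, adjust per site).
LURE_WORDS = ("free", "wifi", "wi-fi", "guest", "public", "airport", "hotspot")


@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str
    security: str  # "" or "--" for an open network, e.g. "WPA2" otherwise
    signal: int    # nmcli reports signal strength as 0..100


def is_open(security: str) -> bool:
    """True when the scan shows no encryption at all."""
    return security.strip() in ("", "--")


def parse_nmcli_line(line: str) -> ScanRecord:
    """Parse one terse nmcli line into a ScanRecord."""
    fields = [f.replace("\\:", ":") for f in _FIELD_SPLIT.split(line.strip())]
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    ssid, bssid, security, signal = fields
    return ScanRecord(ssid, bssid.upper(), security, int(signal))


def find_open_lures(records):
    """Open networks whose name is designed to attract a tap."""
    return [
        r for r in records
        if is_open(r.security) and any(w in r.ssid.lower() for w in LURE_WORDS)
    ]


def find_evil_twins(records, trusted):
    """SSIDs you own that are also advertised by an unknown BSSID or with a
    different security setting than the baseline.

    trusted: {ssid: {"bssids": {"AA:BB:..."}, "security": "WPA2"}}
    Returns (record, reason) pairs.
    """
    findings = []
    for r in records:
        if r.ssid not in trusted:
            continue
        expected = trusted[r.ssid]
        reasons = []
        if r.bssid not in expected["bssids"]:
            reasons.append("unknown BSSID")
        if r.security != expected["security"]:
            reasons.append(f"security changed: {expected['security']!r} -> {r.security!r}")
        if reasons:
            findings.append((r, "; ".join(reasons)))
    return findings


def scan_report(text, trusted):
    """Run both checks over raw nmcli -t output and return a summary dict."""
    records = [parse_nmcli_line(l) for l in text.splitlines() if l.strip()]
    return {
        "open_lures": [r.ssid for r in find_open_lures(records)],
        "evil_twins": [(r.ssid, r.bssid, why) for r, why in find_evil_twins(records, trusted)],
    }


# Constructed sample scan (not a real capture): a free-Wi-Fi lure, the real
# CafeNet AP, an open clone of CafeNet on a different radio, and a home network.
SAMPLE_NMCLI = """\
Free_Wifi:AA\\:BB\\:CC\\:00\\:00\\:01::70
CafeNet:AA\\:BB\\:CC\\:00\\:00\\:02:WPA2:80
CafeNet:DE\\:AD\\:BE\\:EF\\:00\\:03::65
HomeLab:AA\\:BB\\:CC\\:00\\:00\\:04:WPA2:55
"""

# Constructed baseline of the access points you actually operate.
TRUSTED = {
    "CafeNet": {"bssids": {"AA:BB:CC:00:00:02"}, "security": "WPA2"},
    "HomeLab": {"bssids": {"AA:BB:CC:00:00:04"}, "security": "WPA2"},
}

if __name__ == "__main__":
    for key, value in scan_report(SAMPLE_NMCLI, TRUSTED).items():
        print(key, value)
```

On a live system, replace `SAMPLE_NMCLI` with the captured output of the nmcli command named above (or any scanner whose output you map onto `ScanRecord`); the baseline check only needs the BSSIDs and security mode of the access points you control, which is exactly what a cloned open “CafeNet” cannot reproduce.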
