Sniff Wifi Traffic to uncover Secrets of your Home Devices - Part 1

Set up your Raspberry PI as a router and use tcpdump and mitmproxy to intercept wifi traffic.

André Eichhofer

You can transform your Raspberry PI into a router in a few steps and use it to intercept wifi traffic. This is useful if you want to test the IoT devices in your home network: vacuum cleaners, printers or webcams sometimes talk to their backends over unencrypted connections, which gives interesting insights into how they work and can expose vulnerabilities.

Use a Raspberry PI to set up a rogue access point

Set up your Raspberry PI as an access point

The first step is to set up your Raspberry as an access point. The easiest way to do that is RaspAP, which does all the configuration (hostapd, dnsmasq and the network interfaces) during the install process.

First, connect your PI to your router with an ethernet cable and log in over SSH. If you don't know its IP, find it with sudo arp-scan -l from another machine on the LAN. Once logged in, make sure your session runs over the eth0 interface: the wifi connection will go away when wlan0 is turned into an access point. As long as wifi is still enabled, you will see a second IP address assigned to the wlan0 adapter:

   ifconfig
   eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.223  netmask 255.255.255.0  broadcast 192.168.0.255
   ...
   ...
   wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.225  netmask 255.255.255.0  broadcast 192.168.0.255

Then, update the packages and set the correct regulatory country for the wifi adapter:

  • sudo apt-get update && sudo apt-get full-upgrade
  • Set the wifi country to the country you are located in. The Pi’s Wi-Fi radio must comply with the legislation controlling radio communications in your country: sudo raspi-config -> Localisation Options -> WLAN Country
  • Reboot the PI: sudo reboot

Next, install RaspAP on the PI. The installer escalates with sudo itself where it needs root, so running curl under sudo gains nothing; and since this pipes a script from the internet straight into your shell, download it first and read it before you run it.

  • curl -sL https://install.raspap.com | bash
  • Reboot the PI: sudo reboot

Once the PI is back up, it should be broadcasting its own wifi network and serving a web interface over http to control the access point. Connect to the SSID raspi-webgui with the default passphrase from the RaspAP documentation, and change that passphrase and the web interface’s default login right away, since both are public. On a Mac you can confirm that the network is up with the airport utility:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport scan
...
SSID BSSID             RSSI CHANNEL HT CC SECURITY 
raspi-webgui           -63  1       Y  -- RSN(PSK/AES/AES)
...

No further configuration is needed at this stage, and we will not use the web interface.

In case the PI did not bring up the AP automatically, start it manually with

  • sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf

Check that the wifi adapter is no longer a client of your home network but runs as an access point (iw dev wlan0 info should report type AP; this is AP mode, not monitor mode, which would mean capturing raw 802.11 frames). In ifconfig, wlan0 has lost the 192.168.0.x address it had before:

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
      ether d8:3a:dd:cb:d7:9a  txqueuelen 1000  (Ethernet)

And once the AP is enabled, the PI has an address on its own subnet (RaspAP’s default is 10.3.141.1/24):

...
...
wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
      inet 10.3.141.1  netmask 255.255.255.0  broadcast 10.3.141.255

Install and configure mitmproxy

Now it’s time to configure mitmproxy on our PI. We want all traffic to and from any device connected to our access point to be redirected through the proxy. First we install mitmproxy, which is not a big deal:

pip install pipx --break-system-packages
pipx ensurepath
# open a new shell (or log out and back in) so ~/.local/bin is on your PATH
pipx install mitmproxy

Next, we need to configure iptables so that the clients’ traffic is routed through mitmproxy. I use this small script for that:

#!/bin/bash
# start a transparent proxy: NAT the wifi clients out through eth0 and
# redirect their HTTP/HTTPS connections into mitmproxy on port 8080
sudo sysctl -w net.ipv4.ip_forward=1
# mitmproxy's transparent-mode docs also ask for this: otherwise the PI may
# send ICMP redirects telling clients to talk to the upstream router directly
sudo sysctl -w net.ipv4.conf.all.send_redirects=0

# clean old firewall rules (this also drops the rules RaspAP installed)
sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X

# nat on the local lan: clients on wlan0 go out via eth0, replies come back
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# forward all HTTP (80) and HTTPS (443) requests from wifi clients to the proxy
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 443 -j REDIRECT --to-port 8080

# pipx installed mitmproxy under the login user's home; adjust the path to your user
/home/admin/.local/bin/mitmproxy --mode transparent --showhost

Make the script executable with chmod +x mitm.sh, and start mitmproxy with sudo ./mitm.sh. Plain HTTP is visible immediately. HTTPS is only decrypted for devices that trust the mitmproxy CA certificate (mitmproxy-ca-cert.pem in the .mitmproxy directory of the user mitmproxy runs as, which is root’s home when started via sudo; it is also served at http://mitm.it while proxying). Devices that do not trust it, or that pin their certificates, will simply fail their TLS handshakes, which is itself useful information: mitmproxy still logs the hostnames they tried to reach.
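
To make the proxied traffic useful, here is an added example (not from the original post and not mitmproxy project code) of a mitmproxy addon that flags credentials devices send over plain HTTP: Basic-auth headers, session cookies, and password- or token-like parameters in query strings and form bodies. The detection logic is kept in pure functions so it can be exercised without a live capture; the parameter-name list, the sample camera request at the bottom and the device IPs in it are constructed assumptions. Save it as cleartext_secrets.py and pass it to mitmproxy with -s.

```python
"""mitmproxy addon: flag credentials that devices on the AP send in cleartext HTTP.

Added example for this post, not mitmproxy project code. Run it from the
transparent proxy started by mitm.sh:

    mitmproxy --mode transparent --showhost -s cleartext_secrets.py

Only the standard library is imported, so the detection functions also run
outside mitmproxy against constructed input.
"""
import base64
import binascii
import logging
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Parameter names that usually carry a secret in a query string or form body.
# Heuristic list (an assumption); extend it for the devices you test.
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "api_key",
                 "apikey", "access_token", "secret", "auth"}

Finding = Tuple[str, str]  # (kind, redacted evidence)


def redact(value: str, keep: int = 3) -> str:
    """Keep a short prefix only, so the proxy log does not become a credential dump."""
    return value[:keep] + "..." if len(value) > keep else value


def decode_basic(auth_header: str) -> Optional[str]:
    """Return 'user:password' for an 'Authorization: Basic <b64>' header, else None."""
    scheme, _, blob = auth_header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        return base64.b64decode(blob.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_secrets(url: str, headers: Dict[str, str], body: str) -> List[Finding]:
    """Scan one HTTP request (URL, headers, body) for cleartext credentials."""
    findings: List[Finding] = []
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    auth = lower.get("authorization")
    if auth:
        creds = decode_basic(auth)
        if creds is not None:
            user, _, pw = creds.partition(":")
            findings.append(("basic-auth", f"{user}:{redact(pw)}"))
        else:  # Bearer tokens, digest, vendor schemes: still a secret on the wire
            findings.append(("auth-header", redact(auth, 12)))

    if "cookie" in lower:
        findings.append(("cookie", redact(lower["cookie"], 12)))

    # Query-string parameters always count; form fields only for urlencoded bodies.
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if lower.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        if name.lower() in SECRET_PARAMS and value:
            findings.append((f"param:{name}", redact(value)))

    return findings


class CleartextSecrets:
    """Addon hook: mitmproxy calls request() for every client request it proxies."""

    def request(self, flow) -> None:
        req = flow.request
        if req.scheme != "http":  # TLS flows are not cleartext; those need the mitmproxy CA
            return
        body = req.get_text(strict=False) or ""
        for kind, evidence in find_secrets(req.pretty_url, dict(req.headers.items()), body):
            logging.warning("CLEARTEXT %s %s %s %s=%s",
                            flow.client_conn.peername[0], req.method, req.pretty_url, kind, evidence)


addons = [CleartextSecrets()]

# Constructed sample (not a real capture): a camera app logging in to the device's web UI.
SAMPLE_URL = "http://192.168.50.23/cgi-bin/login.cgi?user=admin&token=deadbeef42"
SAMPLE_HEADERS = {
    "Host": "192.168.50.23",
    "Authorization": "Basic YWRtaW46aHVudGVyMg==",  # admin:hunter2
    "Content-Type": "application/x-www-form-urlencoded",
}
SAMPLE_BODY = "action=login&password=hunter2"


def demo() -> List[Finding]:
    """Run the scanner on the constructed sample; used by the __main__ block below."""
    return find_secrets(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    for kind, evidence in demo():
        print(f"{kind}: {evidence}")
```

The addon deliberately ignores flows whose scheme is https: if the device does trust the mitmproxy CA those are already readable in the mitmproxy UI, and if it does not, there is nothing to scan. Evidence is redacted before logging so the event log itself does not turn into a store of plaintext passwords.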

Install tcpdump

Last but not least, we need tcpdump to capture all traffic on wlan0, including connections on ports and protocols the redirect rules above do not send to mitmproxy. tcpdump is not installed by default, but can be installed with

  • sudo apt update && sudo apt install tcpdump

Now that we have everything in place, we can test the setup with any device that connects to our access point. More on that in part 2.