dribble: stealing Wi-Fi passwords via browser’s cache poisoning

dribble

Dribble

The purpose of dribble is to stealing Wi-Fi passwords by exploiting web browser’s cache. Dribble creates a fake Wi-Fi access point and waits for clients to connect to it. When clients connect, dribble intercepts every HTTP requests performed to JavaScript pages and injects a malicious JavaScipt code. The malicious JavaScript code is cached so that it persists when clients disconnect. When clients disconnect and reconnect back to their home router, the malicious JavaScript code activates, steals the Wi-Fi password from the router and send it back to the attacker.

The idea is to steal Wi-Fi passwords by exploiting web browser’s cache. Since I needed to come up with a name for the project, I first developed it and then named it “Dribble” :-). Dribble creates a fake Wi-Fi access point and waits for clients to connect to it. When clients connect, dribble intercepts every HTTP requests performed to JavaScript pages and injects in the responses a malicious JavaScript code. The headers of the new response are altered too so that the malicious JavaScript code is cached and forced to persist in the browser. When the client disconnects from the fake access point and reconnects back to, say, its home routers, the malicious JavaScript code activates, steals the Wi-Fi password from the router and send it back to the attacker.
Pretty straightforward, right?

In order to achieve this result, I had to figure out these three things:

  1. How to create a fake access point
  2. How to force people to connect to it
  3. What should the malicious JavaScript code do to steal passwords from routers

Install

Requirement

  • hostapd
  • dnsmasq
  • node.js
  • bettercap

Download

git clone https://github.com/rhaidiz/dribble

Configuration

At the moment there isn’t a proper configuration file for dribble. So customization should be edited directly from the following files:

  • dribble.sh: to change the network configuration such as the local subnet of the fake access point and the ESSID
  • dribble.cap: change it to point to the location of inject-drible.js and should also be changed accordingly if you changed the subnet of the fake access point
  • dnsentries.hosts: change so that dribble.poison points to the IP address of the fake access point
  • www/js/dlink.js: to change the end-point where to send the Wi-Fi password

Tutorial

Source: https://github.com/rhaidiz/