CoffeeMiner: Hacking WiFi to inject cryptocurrency miner to HTML requests – ArnauCode

Disclamer: this article &, project is for academic purposes only.

Some weeks ago I read about this Starbucks case where hackers hijacked laptops on the WiFi network to use the devices computing power to mine cryptocurrency, and I thought it might be interesting perform the attack ter a different way.

The aim of this article, is to explain how can be done the attack of MITM (Man(Person)-In-The-Middle) to inject some javascript ter the html pages, to force all the devices connected to a WiFi network to be mining a cryptocurrency for the attacker.

The objective is to have a script that performs autonomous attack on the WiFi network. It&rsquo,s what wij have called CoffeeMiner, spil it&rsquo,s a kleintje of attack that can be performed ter the cafes WiFi networks.

1. The Script

The script will be some machines connected to the WiFi network, and the CoffeeMiner attacker intercepting the traffic inbetween the users and the router.

1.1 Script configuration

The real screenplay is a WiFi with laptops and smartphones connected. Wij have tested te this real world script, and it works. But for this article, wij will see more deeply how to set up ter a virtual environment.

Wij will use VirtualBox to deploy our virtual script .

Very first of all wij need to download some Linux disk pic and install it into a VirtualBox machine, for this example wij will use Kalium Linux pictures

Once wij have the ISO pic downloaded, wij prepare Trio VBox machines with the Linux pic installed.

To configure the defined script wij need to prepare the machines each one with a role:

  • Victim
  • will be the machine that connects to the Router and browse some pages.
  • Attacker
    • will be the machine where it runs the CoffeeMiner. Is the machine that performs the MITM.
    • Router / Gateway
      • will act spil a normal gateway.
      • Once the attack is performed, the screenplay will be:

        To configure each one of the machines, wij will do the following configuration:

        Two. CoffeeMiner, understanding the code

        Two.1 ARPspoofing

        Very first of all, wij need to understand how the MITM attack is performed.

        &ldquo,Te laptop networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technology by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker&rsquo,s MAC address with the IP address of another host, such spil the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.&rdquo,

        To perform the ARPspoofing attack, wij will use the dsniff library.

        Two.Two mitmproxy

        mitmproxy is a software device that permits us to analyze the traffic that goes through a host, and permits to edit that traffic. Te our case, wij will use it to inject the javascript into the html pages.

        To make the process more more clean, wij will only inject one line of code into the html pages. And will be that line of html code that will call to the javascript cryptocurrency miner.

        The line to inject the crypto miner is:

        Two.Three Injector

        Once wij have the victim&rsquo,s traffic intercepted, wij need to inject our script on it. Wij will use the mitmproxy API to do the injector:

        Two.Four HTTP Server

        Spil wij have seen, the injector adds a line to the html, with a call to our javascript crypto miner. So, wij need to have the script verkeersopstopping deployed te a HTTP Server.

        Te order to serve the javascript cryptocurrency miner, wij will deploy a HTTP Server ter the attacker machine. To do that, wij will use the Python library &lsquo,http.server&rsquo,:

        The code above is a plain HTTP Server that will serve our crypto miner to the victims, when they require it.

        The javascript miner, will be placed te the /miner_script directory. Te our case, wij have used the CoinHive javascript miner.

        Two.Five CoinHive crypto miner

        CoinHive is a javascript miner for the Monero cryptocurrency (XMR). It can be added to a webstek, and will use the user CPU power to calculate hashes with the Cryptonight PoW hash algorithm to mine Monero, based on CryptoNote protocol.

        CoinHive miner makes sense when user stays te a websit for mid-long term sessions. So, for example, for a webstek where the users average session is arround 40 seconds, it doesn&rsquo,t make much sense.

        Ter our case, spil wij will inject the crypto miner ter each one of the HTML pages that victims request, will have long term sessions to calculate hashes to mine Monero.

        Trio. CoffeeMiner, puting all together

        The main objective is to tie all the previous concepts te one autonomous deployment. This will be the CoffeeMiner.

        The idea is to have the CoffeeMiner script that performs the ARPspoofing attack and set ups the mitmproxy to inject the CoinHive cryptominer into victims HTML pages.

        Very first of all, wij need to configure the ip_forwarding and IPTABLES, te order to convert the attacker&rsquo,s machine into a proxy:

        To perform the ARPspoof for all the victims, wij will prepare a &lsquo,victims.txt&rsquo, opstopping with all the victim&rsquo,s IP. To read all the victims IPs, wij prepare some Python lines, that will get the IPs (and also the gateway IP from the instruction line args), and performs the ARPspoof for each one of the victim&rsquo,s IP.

        Once wij have the ARPspoofing performed, wij just need to run the HTTP Server:

        And now, wij can run the mitmproxy with the

        Three.1 CoffeeMiner, final script

        Now wij waterput all the concepts explained above ter the &lsquo,, script:

        And also ter the &lsquo,, script:

        And to execute, wij just need to do:

        Four. Demo

        Te order to do the demo, wij set up the VirtualBox script explained above.

        If wij want to perform the attack by hand, wij will need the following terminals:

        Then, once the ARPspoofing attack is done and the injector and the HTTP Server are ready, wij can go to the victim&rsquo,s machine and browse to a webstek. The victim&rsquo,s traffic will go through the attacker machine, and will activate the injector:

        Spil a result, the html pages that the victim is viewing, will have the html lines of code that the attacker has bot injected.

        Four.1 Demo movie

        Ter the following movie, wij can see the finish attack te the script, using the script:

        • Real world WiFi network and laptops demo:


        Spil wij have seen, the attack can be lightly performed, and also can be deployed to be an autonomous attack ter a WiFi network.

        Another think to have ter mind, is that for a real world WiFi network, is better to perform the process with a powerful WiFi antenna, to reach better all the physical zone.

        Tha main objective wasgoed to perform the autonomous attack, but wij still need to edit the victims.txt verkeersopstopping with the IP addresses of the victims devices. For a further version, a possible feature could be adding an autonomous Nmap scan, to add the IPs detected to the CoffeeMiner victims list. Another further feature, could be adding sslstrip, to make sure the injection also ter the websites that the user can request overheen HTTPS.

        The finish code is available te the github repo:

        Disclamer: this article &, project is for academic purposes only.

        tags: python, cryptocurrency, miner, blockchain, mitm, wifi, javascript, hacking, html, cryptominer, python3

        Related movie: Commence accepting Bitcoin, Litecoin & Dogecoin today

        Leave a Reply

        Your email address will not be published. Required fields are marked *