检测含有挖矿脚本的WiFi热点教学文档<\/h1>

1. 背景介绍<\/h2>
近年来，公共WiFi网络被植入挖矿脚本的事件频发，例如星巴克店内无线网络被发现植入了恶意代码，利用用户设备挖掘门罗币(XMR)。攻击者可以通过MITM(中间人)攻击植入JavaScript代码，使WiFi网络内的所有设备帮助其挖矿。<\/p>

2. CoinHive挖矿程序<\/h2>
CoinHive是一个提供门罗币挖掘JS脚本的平台，攻击者可以将其脚本植入网站中。当用户访问网页加载JS后，便会利用用户设备的运算资源挖掘门罗币。<\/p>

2.1 CoinHive特点<\/h3>

提供多种部署方式：JS代码、人机验证、Wordpress插件等<\/li>
部署简单，只需将示例代码放入网站的html中<\/li>

可通过将

authedmine.min.js<\/code>替换为coinhive.min.js<\/code>来隐藏用户提示<\/li>
<\/ul>
3. 开放式WiFi网络的特性<\/h2>
开放式WiFi网络(无密码)存在两大安全威胁：<\/p>

攻击者可轻易建立同名钓鱼WiFi(客户端会自动连接)<\/li>
通信数据未加密容易被嗅探<\/li>
<\/ol>
虽然WPA3将添加对开放式WiFi的通信数据加密，但在WPA3普及前，这类攻击仍会长期存在。<\/p>
4. 检测原理<\/h2>
利用开放式WiFi"通信数据未加密"的特性，通过监听明文的802.11数据帧，当发现挖矿脚本特征时进行告警。<\/p>
5. 检测工具实现<\/h2>
5.1 搭建测试热点(可选)<\/h3>
为了测试检测工具，可以先建立一个包含挖矿代码的开放式WiFi网络：<\/p>
方法一：完整方案<\/h4>

使用无线网卡Hostapd建立软AP<\/li>
Dnsmasq提供DHCP及DNS服务<\/li>
本地Nginx提供Web服务并植入CoinHive代码<\/li>
通过iptables配置Captive Portal(强制认证登陆页面)<\/li>
<\/ul>
方法二：简化方案<\/h4>

使用随身WiFi或家庭路由器建立热点<\/li>
配置认证页面指向本地Web服务(或手动访问网页)<\/li>
<\/ul>
5.2 监听明文802.11数据帧<\/h3>

将无线网卡配置为Monitor模式：<\/li>
<\/ol>
ifconfig wlan0 down
<\/span><\/span>iwconfig wlan0 mode monitor
<\/span><\/span>ifconfig wlan0 up
<\/span><\/span>iwconfig wlan0 channel 11<\/span>
<\/span><\/span><\/code><\/pre>
使用Wireshark观察802.11帧，过滤HTTP Response包：<\/li>
<\/ol>
http.response
<\/code><\/pre>

过滤CoinHive特征代码：<\/li>
<\/ol>
data-text-lines contains CoinHive.Anonymous
<\/code><\/pre>

从wlan.sa字段获取热点MAC地址，结合Beacon或Probe帧获取热点名称<\/li>
<\/ol>
5.3 使用Scapy编写恶意热点识别框架<\/h3>
5.3.1 安装依赖<\/h4>
sudo apt install python-pip
<\/span><\/span>pip install scapy
<\/span><\/span>pip install scapy_http
<\/span><\/span><\/code><\/pre>5.3.2 获取热点列表<\/h4>
from<\/span> scapy.all import<\/span> *<\/span>
<\/span><\/span>from<\/span> scapy.layers import<\/span> http
<\/span><\/span>
<\/span><\/span>iface =<\/span> "wlan0"<\/span>
<\/span><\/span>ap_dict =<\/span> {}
<\/span><\/span>
<\/span><\/span>def<\/span> BeaconHandler<\/span>(pkt):
<\/span><\/span>    if<\/span> pkt.<\/span>haslayer(Dot11):
<\/span><\/span>        if<\/span> pkt.<\/span>type ==<\/span> 0<\/span> and<\/span> pkt.<\/span>subtype ==<\/span> 8<\/span>:
<\/span><\/span>            if<\/span> pkt.<\/span>addr2 not<\/span> in<\/span> ap_dict.<\/span>keys():
<\/span><\/span>                ap_dict[pkt.<\/span>addr2] =<\/span> pkt.<\/span>info
<\/span><\/span>
<\/span><\/span>sniff(iface=<\/span>iface, prn=<\/span>BeaconHandler, timeout=<\/span>1<\/span>)
<\/span><\/span><\/code><\/pre>5.3.3 监听含有关键字的HTTP数据包<\/h4>
filter_response =<\/span> "tcp src port 80"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> HTTPHandler<\/span>(pkt):
<\/span><\/span>    if<\/span> pkt.<\/span>haslayer('HTTP'<\/span>):
<\/span><\/span>        if<\/span> "CoinHive.Anonymous"<\/span> in<\/span> pkt.<\/span>load:
<\/span><\/span>            mac =<\/span> pkt.<\/span>addr2
<\/span><\/span>            if<\/span> mac in<\/span> ap_dict.<\/span>keys():
<\/span><\/span>                ssid =<\/span> ap_dict[mac]
<\/span><\/span>                reason =<\/span> "Coinhive_miner"<\/span>
<\/span><\/span>                print "Find Rogue AP: <\/span>%s<\/span>(<\/span>%s<\/span>) -- <\/span>%s<\/span>"<\/span> %<\/span>(ssid, mac, reason)
<\/span><\/span>            else<\/span>:
<\/span><\/span>                print mac
<\/span><\/span>
<\/span><\/span>sniff(iface=<\/span>iface, prn=<\/span>HTTPHandler, filter=<\/span>filter_response, timeout=<\/span>5<\/span>)
<\/span><\/span><\/code><\/pre>5.3.4 监听模式及信道切换<\/h4>
import<\/span> os
<\/span><\/span>
<\/span><\/span>print "[+] Set iface <\/span>%s<\/span> to monitor mode"<\/span> %<\/span>(iface)
<\/span><\/span>os.<\/span>system("ifconfig "<\/span> +<\/span> iface +<\/span> " down"<\/span>)
<\/span><\/span>os.<\/span>system("iwconfig "<\/span> +<\/span> iface +<\/span> " mode monitor"<\/span>)
<\/span><\/span>os.<\/span>system("ifconfig "<\/span> +<\/span> iface +<\/span> " up"<\/span>)
<\/span><\/span>
<\/span><\/span>channels =<\/span> [1<\/span>,6<\/span>,11<\/span>]  # 2.4GHz中互不干扰的三个主要信道<\/span>
<\/span><\/span>print "[+] Sniffing on channel "<\/span> +<\/span> str(channels)
<\/span><\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    for<\/span> channel in<\/span> channels:
<\/span><\/span>        os.<\/span>system("iwconfig "<\/span> +<\/span> iface +<\/span> " channel "<\/span> +<\/span> str(channel))
<\/span><\/span>        # 在此处添加监听代码<\/span>
<\/span><\/span><\/code><\/pre>6. 扩展检测规则<\/h2>
可以在HTTPHandler函数中扩展更多的检测规则，例如：<\/p>
def<\/span> HTTPHandler<\/span>(pkt):
<\/span><\/span>    if<\/span> pkt.<\/span>haslayer('HTTP'<\/span>):
<\/span><\/span>        http_load =<\/span> pkt.<\/span>load
<\/span><\/span>        if<\/span> "CoinHive.Anonymous"<\/span> in<\/span> http_load:
<\/span><\/span>            # 检测CoinHive挖矿脚本<\/span>
<\/span><\/span>            reason =<\/span> "Coinhive_miner"<\/span>
<\/span><\/span>        elif<\/span> "cryptonight"<\/span> in<\/span> http_load.<\/span>lower():
<\/span><\/span>            # 检测其他使用cryptonight算法的挖矿脚本<\/span>
<\/span><\/span>            reason =<\/span> "Cryptonight_miner"<\/span>
<\/span><\/span>        elif<\/span> "webassembly"<\/span> in<\/span> http_load.<\/span>lower() and<\/span> "mine"<\/span> in<\/span> http_load.<\/span>lower():
<\/span><\/span>            # 检测使用WebAssembly的挖矿脚本<\/span>
<\/span><\/span>            reason =<\/span> "WASM_miner"<\/span>
<\/span><\/span>        
<\/span><\/span>        if<\/span> reason:
<\/span><\/span>            mac =<\/span> pkt.<\/span>addr2
<\/span><\/span>            if<\/span> mac in<\/span> ap_dict.<\/span>keys():
<\/span><\/span>                ssid =<\/span> ap_dict[mac]
<\/span><\/span>                print "Find Rogue AP: <\/span>%s<\/span>(<\/span>%s<\/span>) -- <\/span>%s<\/span>"<\/span> %<\/span>(ssid, mac, reason)
<\/span><\/span>            else<\/span>:
<\/span><\/span>                print mac
<\/span><\/span><\/code><\/pre>7. 防御措施<\/h2>

使用VPN加密所有网络流量<\/li>
安装广告拦截插件(如Adblock)，可屏蔽已知挖矿脚本<\/li>
避免连接开放式WiFi，或使用移动数据网络<\/li>
定期检查设备CPU使用率，异常高使用率可能是挖矿脚本在运行<\/li>
使用本文介绍的检测工具定期扫描周围WiFi网络<\/li>
<\/ol>
8. 完整代码参考<\/h2>
完整实现代码可参考原作者的GitHub仓库(文中提到的链接)。<\/p>

检测含有挖矿脚本的WiFi热点教学文档<\/h1>

2. CoinHive挖矿程序<\/h2> CoinHive是一个提供门罗币挖掘JS脚本的平台，攻击者可以将其脚本植入网站中。当用户访问网页加载JS后，便会利用用户设备的运算资源挖掘门罗币。<\/p>

4. 检测原理<\/h2> 利用开放式WiFi"通信数据未加密"的特性，通过监听明文的802.11数据帧，当发现挖矿脚本特征时进行告警。<\/p>

5. 检测工具实现<\/h2>

5.1 搭建测试热点(可选)<\/h3> 为了测试检测工具，可以先建立一个包含挖矿代码的开放式WiFi网络：<\/p>

5.3 使用Scapy编写恶意热点识别框架<\/h3>

8. 完整代码参考<\/h2> 完整实现代码可参考原作者的GitHub仓库(文中提到的链接)。<\/p>

2. CoinHive挖矿程序<\/h2>
CoinHive是一个提供门罗币挖掘JS脚本的平台，攻击者可以将其脚本植入网站中。当用户访问网页加载JS后，便会利用用户设备的运算资源挖掘门罗币。<\/p>

4. 检测原理<\/h2>
利用开放式WiFi"通信数据未加密"的特性，通过监听明文的802.11数据帧，当发现挖矿脚本特征时进行告警。<\/p>

5.1 搭建测试热点(可选)<\/h3>
为了测试检测工具，可以先建立一个包含挖矿代码的开放式WiFi网络：<\/p>

8. 完整代码参考<\/h2>
完整实现代码可参考原作者的GitHub仓库(文中提到的链接)。<\/p>