Cybergibbons
Reverse engineer, hardware hacker, security analyst, lock picker, heist planner. Definitely not involved in the Hatton Garden job.
Quick and easy fake WiFi access point in Kali
I’m working on a project at the moment that requires me to observe traffic from an iOS/Android app to various external IPs.
The easiest way to do this is to set up a fake WiFi access point and use Wireshark to sniff the traffic. This is very easy in Kali Linux.
1. Connect the Kali box to the Internet
On my machine, this is as simple as connecting to my WiFi network “DoingAJob5G” using the built-in wireless card on my x220. I use the GUI provided with Kali.
Using ifconfig I can see that this adapter is called wlan0.
If you use wired Ethernet instead, the interface will in all likelihood be eth0 rather than wlan0.
2. Connect an external WiFi adapter that is supported by hostapd
I’m using a USB TP-LINK TL-WN722N which is using an Atheros AR9271 chipset. These are cheap (£8-£10), powerful and reliable.
I suspect many USB WiFi adapters are compatible with hostapd, but unfortunately I can’t see a clear source documenting which ones.
Check it works by connecting to any network using Kali’s GUI. This will save you hassle later if there are any driver or hardware issues.
3. Bring up the new wireless interface.
Use ifconfig -a to see the new wireless interface name:

wlan3     Link encap:Ethernet  HWaddr c0:4a:00:1e:64:fd
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Bring this up as the gateway for your new wireless network. I am using 10.0.0.1/24 simply to avoid any chance of confusion with my internal NATed 192.168.0.1/24 network.
root@kali:~# ifconfig wlan3 10.0.0.1/24 up
root@kali:~# ifconfig wlan3
wlan3     Link encap:Ethernet  HWaddr c0:4a:00:1e:64:fd
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
4. Configure and run DHCP and DNS services
DHCP assigns IP addresses when clients connect, and DNS provides resolution of names to IPs.
Most wireless clients expect DHCP by default, so it is convenient to run a DHCP server. You can manually set IP addresses, but it’s really easier to do DHCP.
Running our own DNS server means that we can easily intercept and alter DNS queries, which can assist in setting up man-in-the-middle attacks.
A piece of software called dnsmasq does both DHCP and DNS and is very simple to set up.
Next, create a config file dnsmasq.conf as follows:
interface=wlan3
dhcp-range=10.0.0.10,10.0.0.250,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=8.8.8.8
log-queries
log-dhcp
This is about as simple as it gets. Only listen on wlan3, our additional wireless adapter. Hand out DHCP addresses from 10.0.0.10-10.0.0.250. DHCP option 3 is the gateway, DHCP option 6 is the DNS server – both of these should be set to our wlan3 IP of 10.0.0.1. server specifies upstream DNS servers that will handle most DNS queries – I have provided Google’s DNS server of 8.8.8.8. Finally, log DNS queries and DHCP requests – this just makes it easier to check everything is working.
We also want to create a file fakehosts.conf to allow us to spoof certain DNS requests. dnsmasq reads it with -H and it uses the standard hosts-file format (an IP address, whitespace, then the name that address should be returned for), so for this example it holds a single entry mapping neohub.co.uk to 10.0.0.9.
This will cause the dnsmasq DNS server to respond with 10.0.0.9 to any request for neohub.co.uk, while every other name is forwarded to the upstream server.
We then need to bring dnsmasq up. I want it to stay in the foreground and log to stderr (-d), so this is done as follows:
dnsmasq -C dnsmasq.conf -H fakehosts.conf -d
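The log-queries and log-dhcp options exist so you can check the setup is doing what you expect. The following script is an added example, not part of the original post: it reads dnsmasq's stderr output and reports which client got which lease, which names were answered locally from fakehosts.conf and which were forwarded upstream. The sample log is constructed to follow dnsmasq's -d line formats, and the path /root/fakehosts.conf is an assumption about where the file lives.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq -d output with log-queries and log-dhcp set,
# following the line formats dnsmasq writes to stderr (not from the original post).
SAMPLE_LOG = """\
dnsmasq-dhcp: DHCPDISCOVER(wlan3) c0:cc:f8:06:53:93
dnsmasq-dhcp: DHCPACK(wlan3) 10.0.0.93 c0:cc:f8:06:53:93 Victims-iPhone
dnsmasq: query[A] neohub.co.uk from 10.0.0.93
dnsmasq: /root/fakehosts.conf neohub.co.uk is 10.0.0.9
dnsmasq: query[A] example.com from 10.0.0.93
dnsmasq: forwarded example.com to 8.8.8.8
dnsmasq: reply example.com is 93.184.216.34
dnsmasq: query[AAAA] example.com from 10.0.0.93
dnsmasq: cached example.com is 2606:2800:220:1:248:1893:25c8:1946
"""

ACK_RE = re.compile(r"^dnsmasq-dhcp: DHCPACK\(\S+\) (\S+) (\S+)(?: (\S+))?$")
QUERY_RE = re.compile(r"^dnsmasq: query\[(\w+)\] (\S+) from (\S+)$")
FORWARD_RE = re.compile(r"^dnsmasq: forwarded (\S+) to (\S+)$")
ANSWER_RE = re.compile(r"^dnsmasq: (\S+) (\S+) is (\S+)$")

def summarise(log_text):
    """Return leases, per-client queries, names answered from a hosts file, and forwarded names."""
    leases, queries, spoofed, forwarded = {}, defaultdict(list), {}, set()
    for line in log_text.splitlines():
        if m := ACK_RE.match(line):          # DHCPACK: a lease was handed out
            ip, mac, host = m.groups()
            leases[ip] = (mac, host or "")
        elif m := QUERY_RE.match(line):      # question received from a client
            qtype, name, client = m.groups()
            queries[client].append((qtype, name))
        elif m := FORWARD_RE.match(line):    # sent to the upstream server (8.8.8.8 here)
            forwarded.add(m.group(1))
        elif m := ANSWER_RE.match(line):     # answer; source is "reply", "cached" or a hosts file path
            source, name, answer = m.groups()
            if source not in ("reply", "cached"):
                spoofed[name] = answer       # answered locally from fakehosts.conf
    return {"leases": leases, "queries": dict(queries), "spoofed": spoofed, "forwarded": forwarded}

def spoof_active(summary, name, expected_ip):
    """True if dnsmasq answered `name` with the address we put in fakehosts.conf."""
    return summary["spoofed"].get(name) == expected_ip

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for ip, (mac, host) in s["leases"].items():
        print(f"lease {ip} -> {mac} ({host}); {len(s['queries'].get(ip, []))} queries")
    print("spoofed:", s["spoofed"], "forwarded:", sorted(s["forwarded"]))
```

Feed it real output with dnsmasq ... -d 2>&1 | tee dnsmasq.log and run summarise on the file contents; a name that shows up under forwarded when you expected it under spoofed means the hosts file entry is not being matched.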
5. Configure and run hostapd
Next, we need to get our wireless adapter to run as an access point.
hostapd allows us to do this.
Create a config file hostapd.conf:
interface=wlan3
driver=nl80211
ssid=Kali-MITM
channel=1
Again – really simple. Use our additional wireless adapter wlan3 with the nl80211 driver (which seems to cover pretty much all modern adapters that can act as APs), set the SSID to Kali-MITM and set the channel to 1. There is no encryption etc. but I really don’t need or want it for sniffing traffic.
root@kali:~# hostapd ./hostapd.conf
Configuration file: ./hostapd.conf
Failed to update rate sets in kernel module
Using interface wlan3 with hwaddr c0:4a:00:1e:64:fd and ssid 'Kali-MITM'
6. Setup routing for the access point
You want a very simple setup at the moment – act as a basic NAT gateway between wlan3 and wlan0.
Without going into any detail, the following commands will set this up:
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -P FORWARD ACCEPT
sudo iptables --table nat -A POSTROUTING -o wlan0 -j MASQUERADE
At this stage, you should now be able to connect to Kali-MITM, get an IP address, and start using the Internet.
Tool Documentation:
Do not perform jamming ( -nJ ), create a wireless access point ( -e “Free Wi-Fi” ) and present a fake firmware upgrade to clients ( -T firmware-upgrade ). When a client connects, they are presented with a webpage to enter the PSK of their network:

root@kali:~# wifiphisher -nJ -e "Free Wi-Fi" -T firmware-upgrade
[*] Starting Wifiphisher 1.1GIT at 2017-02-22 13:52
[+] Selecting wlan0 interface for creating the rogue Access Point
[*] Cleared leases, started DHCP, set up iptables
[+] Selecting Firmware Upgrade Page template
[*] Starting the fake access point.
Jamming devices:
DHCP Leases:
1487839973 c0:cc:f8:06:53:93 10.0.0.93 Victims-iPhone 11:c0:cc:38:66:a3:b3
HTTP requests:
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] POST 10.0.0.93 wfphshr-wpa-password=s3cr3tp4s5
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] GET 10.0.0.93
Packages and Binaries:
wifiphisher
This package contains a security tool that mounts automated phishing attacks against Wi-Fi networks in order to obtain secret passphrases or other credentials. It is a social engineering attack that, unlike other methods, does not include any brute forcing. It is an easy way of obtaining credentials from captive portals and third party login pages or WPA/WPA2 secret passphrases.
Installed size: 7.91 MB
How to install: sudo apt install wifiphisher
- cowpatty
- dnsmasq-base
- hostapd
- iptables
- net-tools
- python3
- python3-pbkdf2
- python3-pyric
- python3-roguehostapd
- python3-scapy
- python3-tornado
wifiphisher
root@kali:~# wifiphisher -h
usage: wifiphisher [-h] [-i INTERFACE] [-eI EXTENSIONSINTERFACE] [-aI APINTERFACE] [-iI INTERNETINTERFACE] [-pI PROTECTINTERFACE [PROTECTINTERFACE . ]] [-mI MITMINTERFACE] [-iAM MAC_AP_INTERFACE] [-iEM MAC_EXTENSIONS_INTERFACE] [-iNM] [-kN] [-nE] [-nD] [-dC DEAUTH_CHANNELS [DEAUTH_CHANNELS . ]] [-e ESSID] [-dE DEAUTH_ESSID] [-p PHISHINGSCENARIO] [-pK PRESHAREDKEY] [-hC HANDSHAKE_CAPTURE] [-qS] [-lC] [-lE LURE10_EXPLOIT] [--logging] [-dK] [-lP LOGPATH] [-cP CREDENTIAL_LOG_PATH] [--payload-path PAYLOAD_PATH] [-cM] [-wP] [-wAI WPSPBC_ASSOC_INTERFACE] [-kB] [-fH] [-pPD PHISHING_PAGES_DIRECTORY] [--dnsmasq-conf DNSMASQ_CONF] [-pE PHISHING_ESSID]

options:
  -h, --help            show this help message and exit
  -i INTERFACE, --interface INTERFACE
                        Manually choose an interface that supports both AP and monitor modes for spawning the rogue AP as well as mounting additional Wi-Fi attacks from Extensions (i.e. deauth). Example: -i wlan1
  -eI EXTENSIONSINTERFACE, --extensionsinterface EXTENSIONSINTERFACE
                        Manually choose an interface that supports monitor mode for deauthenticating the victims. Example: -eI wlan1
  -aI APINTERFACE, --apinterface APINTERFACE
                        Manually choose an interface that supports AP mode for spawning the rogue AP. Example: -aI wlan0
  -iI INTERNETINTERFACE, --internetinterface INTERNETINTERFACE
                        Choose an interface that is connected on the Internet. Example: -iI ppp0
  -pI PROTECTINTERFACE [PROTECTINTERFACE . ], --protectinterface PROTECTINTERFACE [PROTECTINTERFACE . ]
                        Specify the interface(s) that will have their connection protected (i.e. NetworkManager will be prevented from controlling them). Example: -pI wlan1 wlan2
  -mI MITMINTERFACE, --mitminterface MITMINTERFACE
                        Choose an interface that is connected on the Internet in order to perform a MITM attack. All other interfaces will be protected. Example: -mI wlan1
  -iAM MAC_AP_INTERFACE, --mac-ap-interface MAC_AP_INTERFACE
                        Specify the MAC address of the AP interface
  -iEM MAC_EXTENSIONS_INTERFACE, --mac-extensions-interface MAC_EXTENSIONS_INTERFACE
                        Specify the MAC address of the extensions interface
  -iNM, --no-mac-randomization
                        Do not change any MAC address
  -kN, --keepnetworkmanager
                        Do not kill NetworkManager
  -nE, --noextensions   Do not load any extensions.
  -nD, --nodeauth       Skip the deauthentication phase.
  -dC DEAUTH_CHANNELS [DEAUTH_CHANNELS . ], --deauth-channels DEAUTH_CHANNELS [DEAUTH_CHANNELS . ]
                        Channels to deauth. Example: --deauth-channels 1,3,7
  -e ESSID, --essid ESSID
                        Enter the ESSID of the rogue Access Point. This option will skip Access Point selection phase. Example: --essid 'Free WiFi'
  -dE DEAUTH_ESSID, --deauth-essid DEAUTH_ESSID
                        Deauth all the BSSIDs in the WLAN with that ESSID.
  -p PHISHINGSCENARIO, --phishingscenario PHISHINGSCENARIO
                        Choose the phishing scenario to run. This option will skip the scenario selection phase. Example: -p firmware_upgrade
  -pK PRESHAREDKEY, --presharedkey PRESHAREDKEY
                        Add WPA/WPA2 protection on the rogue Access Point. Example: -pK s3cr3tp4ssw0rd
  -hC HANDSHAKE_CAPTURE, --handshake-capture HANDSHAKE_CAPTURE
                        Capture of the WPA/WPA2 handshakes for verifying passphrase. Requires cowpatty. Example : -hC capture.pcap
  -qS, --quitonsuccess  Stop the script after successfully retrieving one pair of credentials
  -lC, --lure10-capture
                        Capture the BSSIDs of the APs that are discovered during AP selection phase. This option is part of Lure10 attack.
  -lE LURE10_EXPLOIT, --lure10-exploit LURE10_EXPLOIT
                        Fool the Windows Location Service of nearby Windows users to believe it is within an area that was previously captured with --lure10-capture. Part of the Lure10 attack.
  --logging             Log activity to file
  -dK, --disable-karma  Disables KARMA attack
  -lP LOGPATH, --logpath LOGPATH
                        Determine the full path of the logfile.
  -cP CREDENTIAL_LOG_PATH, --credential-log-path CREDENTIAL_LOG_PATH
                        Determine the full path of the file that will store any captured credentials
  --payload-path PAYLOAD_PATH
                        Payload path for scenarios serving a payload
  -cM, --channel-monitor
                        Monitor if target access point changes the channel.
  -wP, --wps-pbc        Monitor if the button on a WPS-PBC Registrar is pressed.
  -wAI WPSPBC_ASSOC_INTERFACE, --wpspbc-assoc-interface WPSPBC_ASSOC_INTERFACE
                        The WLAN interface used for associating to the WPS AccessPoint.
  -kB, --known-beacons  Broadcast a number of beacon frames advertising popular WLANs
  -fH, --force-hostapd  Force the usage of hostapd installed in the system
  -pPD PHISHING_PAGES_DIRECTORY, --phishing-pages-directory PHISHING_PAGES_DIRECTORY
                        Search for phishing pages in this location
  --dnsmasq-conf DNSMASQ_CONF
                        Determine the full path of a custom dnmasq.conf file
  -pE PHISHING_ESSID, --phishing-essid PHISHING_ESSID
                        Determine the ESSID you want to use for the phishing page