A few days ago, we had the opportunity to deploy a rogue access point that would steal user credentials using a fake captive web portal and provide MITM'd Internet services via 3G. We needed reliability and scalability in our environment, as there would potentially be a large number of, erm... "participants" in this wireless network. We were pretty happy with the result and quickly realized that we had created a new "Kali Linux recipe". In other words, we could create a custom, bootable wireless evil access point image which could do all sorts of wondrous things.
- We used a battery-powered Raspberry Pi for this project; however, the instructions below will work on pretty much anything that can run Kali Linux and has 2 free USB ports, ARM and virtual environments included.
- A supported USB wireless adapter; we used an old Netgear WNA1000 we had lying around.
- A supported 3G modem; we found a TP-Link MA180 3.75G HSUPA USB Adapter in a local shop.
We ended up building our wireless access point with hostapd and dnsmasq in a relatively simple setup. We found that this gave the most reliable performance and was the easiest to configure. In addition, dnsmasq allowed us to easily control which DNS answers we spoofed. We start by installing all our prerequisites:
Once everything is installed, we configure dnsmasq to serve DHCP and DNS on the wireless interface and then start the dnsmasq service.
cat <<EOF > /etc/dnsmasq.conf
service dnsmasq start
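The dnsmasq step above is what lets a rogue gateway hand clients a resolver that answers selectively. The check a client-side defender wants is the mirror image: compare the answers the DHCP-assigned resolver gives with those of a reference resolver, and flag public names that resolve into the gateway's own subnet. The following is an added example in Python, not code from the original post; the dig-style answer lines and the IP addresses are constructed sample data, and the 10.0.0.0/24 subnet is the one the post assigns to wlan0.

```python
"""Flag DNS answers from an untrusted (DHCP-assigned) resolver that disagree
with a reference resolver. Added example; not code from the post."""
import ipaddress
import re
from collections import defaultdict

# dig-style answer lines: "<name>. <ttl> IN A <address>"
ANSWER_RE = re.compile(r"^(?P<name>\S+?)\.?\s+\d+\s+IN\s+A\s+(?P<addr>[\d.]+)$")

# RFC 1918 ranges; a public hostname should never resolve into these
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data: answers as seen from the gateway's resolver and
# from a reference resolver. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges standing in for public addresses.
GATEWAY_ANSWERS = """
login.example.com.   60  IN A 10.0.0.1
www.example.org.    300 IN A 198.51.100.20
news.example.net.   300 IN A 198.51.100.7
"""
REFERENCE_ANSWERS = """
login.example.com.  300 IN A 203.0.113.10
www.example.org.    300 IN A 198.51.100.20
news.example.net.   300 IN A 198.51.100.9
"""


def parse_answers(text):
    """Group A-record addresses by owner name from dig-style output lines."""
    records = defaultdict(set)
    for line in text.strip().splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            records[m.group("name").lower()].add(ipaddress.ip_address(m.group("addr")))
    return records


def find_spoofed(gateway_answers, reference_answers, gateway_net):
    """Return findings as (name, severity, detail) tuples, sorted by name.

    high:   the gateway resolver maps the name into its own subnet or any
            RFC 1918 range, which is what a captive/phishing redirect looks like.
    medium: gateway and reference share no address at all; this may be
            CDN geo-DNS, so it deserves a second look rather than an alarm.
    """
    net = ipaddress.ip_network(gateway_net)
    findings = []
    for name, gw_addrs in sorted(gateway_answers.items()):
        ref_addrs = reference_answers.get(name, set())
        local = {a for a in gw_addrs if a in net or any(a in r for r in RFC1918)}
        if local:
            findings.append((name, "high",
                             "resolves to " + ", ".join(str(a) for a in sorted(local))))
        elif ref_addrs and not (gw_addrs & ref_addrs):
            findings.append((name, "medium",
                             f"gateway {sorted(map(str, gw_addrs))} vs reference {sorted(map(str, ref_addrs))}"))
    return findings


def audit():
    """Run the comparison over the constructed sample data."""
    return find_spoofed(parse_answers(GATEWAY_ANSWERS),
                        parse_answers(REFERENCE_ANSWERS), "10.0.0.0/24")


if __name__ == "__main__":
    for name, severity, detail in audit():
        print(f"[{severity}] {name}: {detail}")
```

In practice the two inputs come from querying the resolver that DHCP handed out and a resolver reached over a channel the gateway does not control (for example a VPN); the "medium" class exists because CDNs legitimately return different addresses to different resolvers, so only the private-range case is a firm indicator.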
This part was surprisingly simple using the Gnome NetworkManager GUI. Adding a new 3G connection and going through the automated wizard got us online in a couple of minutes. Once connected, we saw our new ppp0 WAN interface, now providing us with Internet access. Alternatively, this setup can be performed at the command line using wvdial. Now that we have our WAN connection set up, let's move on to setting up the wireless access point.
Setting up the access point is a breeze using hostapd. We configure an IP for the wireless interface and configure iptables rules for NAT. Then we quickly configure the hostapd service to use our wireless interface to run an access point with the SSID "FreeWifi". Once the service is started, a wireless network called "FreeWifi" should show up. Anyone connecting to this network would be routed through our Kali box, out to the Internet over 3G.
ifconfig wlan0 10.0.0.1/24
iptables -t nat -F
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o ppp0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
cat <<EOF > /etc/hostapd/hostapd.conf
# Yes, we support the Karma attack.
service hostapd start
Using live-build, we can create a custom Kali Linux ISO image that boots straight into a "rogue AP". Certain elements, such as the wireless and 3G interface names (wlan0, ppp0, etc.), are pre-configured during the live-build process. We've gone ahead and set up a Kali recipe which worked perfectly in our VMware environment, with both the wireless card and 3G modem connected to the VM at boot time.
There's a whole bunch of evil stuff to be done once we're in the middle of communications. MITM tools like responder, evilgrade and sslsplit come to mind. In our case, selectively spoofing DNS queries and redirecting users to our own phishing site was sufficient for our task. Lastly, we've added the Karma patch to our hostapd package, which causes the AP to respond to probe requests not just for its own SSID but for any ESSID requested. This allows the AP to act as a lure for any client probing for networks it already knows. Let the games begin!
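The Karma behaviour just described has a clear over-the-air signature: one BSSID answers directed probe requests for many SSIDs it never beacons. A wireless monitoring script can count those unadvertised answers per BSSID and raise an alert past a threshold. The following is an added example in Python, not code from the post or from the hostapd Karma patch; the one-line-per-frame capture summary is a constructed format (a real deployment would fill it from a monitor-mode capture, e.g. tshark fields for beacon and probe-response frames), and the BSSIDs and SSIDs are made up.

```python
"""Detect a Karma-style access point from a per-frame capture summary.
Added example; not code from the post. The summary format is constructed."""
import re
from collections import defaultdict

# Constructed line format: "<BEACON|PROBE_RESP> bssid=<mac> ssid=\"<name>\""
FRAME_RE = re.compile(
    r'^(?P<kind>BEACON|PROBE_RESP)\s+bssid=(?P<bssid>[0-9a-f:]{17})\s+ssid="(?P<ssid>[^"]*)"$'
)

# Constructed capture: 00:11:22:33:44:55 beacons "FreeWifi" but answers probes
# for whatever clients ask about; 66:77:88:99:aa:bb behaves normally.
SAMPLE_CAPTURE = """
BEACON     bssid=00:11:22:33:44:55 ssid="FreeWifi"
PROBE_RESP bssid=00:11:22:33:44:55 ssid="FreeWifi"
PROBE_RESP bssid=00:11:22:33:44:55 ssid="HomeNet-2G"
PROBE_RESP bssid=00:11:22:33:44:55 ssid="CoffeeShop"
PROBE_RESP bssid=00:11:22:33:44:55 ssid="CorpGuest"
BEACON     bssid=66:77:88:99:aa:bb ssid="CorpGuest"
PROBE_RESP bssid=66:77:88:99:aa:bb ssid="CorpGuest"
"""


def parse_frames(text):
    """Yield (kind, bssid, ssid) tuples, skipping lines that do not match."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((m.group("kind"), m.group("bssid").lower(), m.group("ssid")))
    return frames


def analyse(frames, threshold=2):
    """Map each suspicious BSSID to the sorted list of SSIDs it answered for
    without ever beaconing them.

    A hidden-SSID network legitimately answers directed probes for exactly one
    unadvertised name, so a threshold of at least 2 is needed to keep it from
    being reported; the default here is deliberately the smallest such value.
    """
    beacons = defaultdict(set)
    responses = defaultdict(set)
    for kind, bssid, ssid in frames:
        if kind == "BEACON":
            beacons[bssid].add(ssid)
        else:
            responses[bssid].add(ssid)
    findings = {}
    for bssid, ssids in responses.items():
        unadvertised = ssids - beacons.get(bssid, set())
        if len(unadvertised) >= threshold:
            findings[bssid] = sorted(unadvertised)
    return findings


def scan_sample():
    """Run the detector over the constructed capture."""
    return analyse(parse_frames(SAMPLE_CAPTURE))


if __name__ == "__main__":
    for bssid, ssids in scan_sample().items():
        print(f"possible Karma AP {bssid}: answered for {', '.join(ssids)}")
```

The same counting works as a WIDS rule: group probe responses by BSSID over a sliding window and compare against the SSIDs seen in that BSSID's beacons. Clients can be protected from the lure side too, by removing stale saved networks so they stop broadcasting directed probes for them.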