Preparing configs and scripts

We have installed the necessary tools in our Wi-Fi pentesting system, but that is only part of the preparation work. To be able to use some of them, we need to prepare some configuration files and develop a script to automate some tasks.

Note

You might need to tweak some of the configs and scripts given in this chapter in order to make them work with your hardware and software setup.

We would like to start with Hostapd. We mostly use it in two situations: when we need to set up a fake AP to attack clients' traffic, and when we need an AP backed by FreeRADIUS-WPE to attack WPA-Enterprise-protected networks.

Standalone Hostapd-based APs

To install a rogue AP for client traffic or phishing attacks, you can use Hostapd in standalone mode without connecting it to a RADIUS server. Mostly we need it open, but there are situations when we need it to be WPA/WPA2 protected, for example, when you need to imitate a certain WPA/WPA2-protected AP. Thus, we should prepare two configuration file templates, one for each situation:

The following is the content of open.conf for an open AP:

interface=wlan0
driver=nl80211
ssid=Free Wi-Fi
channel=8

The following is the content of wpa.conf for a WPA2-protected AP:

interface=wlan0
driver=nl80211
ssid=YourSSID
channel=8
wpa_passphrase=your_passphrase
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP

Before you use those templates, you need to adjust some values for your situation:

  • driver should be changed to the value corresponding to your Wi-Fi interface (the driver names Hostapd understands are listed in the sample configuration file distributed with Hostapd)
  • interface should be changed to the name of your Wi-Fi interface if it is not wlan0
  • ssid sets the WLAN's name
  • channel can have any value between 1 and 11
  • wpa_passphrase is needed only if you are setting up a WPA-protected AP

You can then start an AP with Hostapd and one of the previously mentioned configs, for example, open.conf:

sudo hostapd open.conf

In your Linux terminal, you should see the following:

[Figure: Starting an open AP]

At the same time, you can see your open WLAN in the list of available networks on another device:

[Figure: Our open AP is listed among available WLANs]

Tip

If you have any trouble with an AP on Hostapd, the -d option can be very helpful: it makes Hostapd display debug information in the terminal. The -f option writes the debug output to a file instead of standard output. You might also want to use the -t and -K options to include additional information (timestamps and key data, respectively) in the debug output.

Let's go further and prepare a configuration for a DHCP server in order to use it to make your rogue APs more attractive and real. We use the Dnsmasq software to set up a DHCP server and it needs a configuration file, /etc/dnsmasq.conf:

interface=wlan0
dhcp-range=192.168.0.2,192.168.0.255,12h
dhcp-option=3,192.168.0.1
dhcp-option=6,192.168.0.1
log-facility=/var/log/dnsmasq.log
log-queries

You need to change the interface parameter value if your Wi-Fi interface is not wlan0. With the DHCP options 3 and 6, we set the IP addresses of a router and a DNS server to be distributed in DHCP responses. With the last two lines, we configure log output to be able to debug our setup in case of problems.
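As an added consistency check (example code written for this chapter's setup, not the book's own script), the functions below read a dnsmasq configuration of the shape shown above from standard input and verify that the DHCP pool, the router option (3) and the DNS option (6) agree with the address the automation script later assigns to the wireless interface, 192.168.0.1, so that clients are never handed a gateway or resolver that does not exist. The function and helper names are my own.

```shell
# dns_get CFG KEY: print every value of KEY in dnsmasq config text CFG
dns_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p"
}

# ip_to_int A.B.C.D: print the address as one integer for range arithmetic
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# check_dnsmasq_conf GATEWAY: read /etc/dnsmasq.conf text on stdin and check
# that the pool, option 3 (router) and option 6 (DNS) fit the interface address
# GATEWAY; print one line per problem, return 0 only if everything agrees
check_dnsmasq_conf() {
    local gw="$1" cfg ok=0 range lo hi router dns net
    cfg=$(cat)
    range=$(dns_get "$cfg" dhcp-range)
    router=$(dns_get "$cfg" dhcp-option | sed -n 's/^3,//p')
    dns=$(dns_get "$cfg" dhcp-option | sed -n 's/^6,//p')
    if [ -z "$range" ] || [ -z "$router" ] || [ -z "$dns" ]; then
        echo "dhcp-range, dhcp-option=3 or dhcp-option=6 is missing"; return 1
    fi
    lo=${range%%,*}; hi=${range#*,}; hi=${hi%%,*}   # start,end[,...]
    net=$(( $(ip_to_int "$gw") >> 8 ))              # the gateway's /24
    [ "$router" = "$gw" ] \
        || { echo "router option $router differs from interface address $gw"; ok=1; }
    [ $(( $(ip_to_int "$dns") >> 8 )) -eq "$net" ] \
        || { echo "DNS option $dns is outside the gateway's /24"; ok=1; }
    { [ $(( $(ip_to_int "$lo") >> 8 )) -eq "$net" ] \
        && [ $(( $(ip_to_int "$hi") >> 8 )) -eq "$net" ] \
        && [ "$(ip_to_int "$lo")" -le "$(ip_to_int "$hi")" ]; } \
        || { echo "pool $lo-$hi is not an ordered range inside the gateway's /24"; ok=1; }
    { [ "$(ip_to_int "$gw")" -lt "$(ip_to_int "$lo")" ] \
        || [ "$(ip_to_int "$gw")" -gt "$(ip_to_int "$hi")" ]; } \
        || { echo "gateway $gw lies inside the pool and could be leased to a client"; ok=1; }
    return "$ok"
}

# Constructed sample: the chapter's config, but with the router option pointing
# at an address the script never assigns
check_dnsmasq_conf 192.168.0.1 <<'EOF' || echo "fix /etc/dnsmasq.conf before starting dnsmasq"
interface=wlan0
dhcp-range=192.168.0.2,192.168.0.255,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.0.1
EOF
```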

Automating the AP setup

Usually, during a penetration test you do not want to spend time on changing configuration files and you could forget to change some parameters. Therefore, it is wise to automate the process. We have prepared a bash script, hostapd_auto.sh, for you, which automatically creates a temporary configuration file containing necessary parameters and then starts Hostapd with this configuration:

#!/bin/bash
# Show usage tips if no argument is supplied
if [[ $# -lt 1 ]]
then
    echo -e "Usage: $0 options"
    echo -e "\t-i|--interface - wlan interface to use (default wlan0)"
    echo -e "\t-s|--ssid - ssid to set (default \"Free WiFi\")"
    echo -e "\t-d|--driver - driver, corresponding to hostapd (default nl80211)"
    echo -e "\t--security - security type: open, wpa, wpa2 (default \"open\")"
    exit
fi
# Save all command line arguments into variables
while [[ $# -gt 1 ]]
do
key="$1"

case $key in
    -i|--interface)
        WIFIINTERFACE="$2"
        shift # pass next argument
        ;;
    -s|--ssid)
        SSID="$2"
        shift # pass next argument
        ;;
    -d|--driver)
        DRIVER="$2"
        shift # pass next argument
        ;;
    --security)
        SECURITY="$2"
        shift # pass next argument
        ;;
    *)
        # unknown option
        ;;
esac
shift # pass next argument
done
# Check if parameters were set
if [ -z "$WIFIINTERFACE" ]
then
    echo "WIFI interface not set ( -i | --interface ), using default wlan0"
    WIFIINTERFACE="wlan0"
fi
if [ -z "$SSID" ]
then
    echo "SSID not set ( -s | --ssid ), using default \"Free WiFi\""
    SSID="Free WiFi"
fi
if [ -z "$DRIVER" ]
then
    echo "Driver not set ( -d | --driver ), using default nl80211"
    DRIVER="nl80211"
fi
if [ ! -z "$SECURITY" ]
then
    case $SECURITY in
    wpa|WPA)
        wpa="wpa=1"
        echo "Enter WPA passphrase:"
        read -r -s PASS   # -s keeps the passphrase off the terminal
        ;;
    wpa2|WPA2)
        wpa="wpa=2"
        echo "Enter WPA passphrase:"
        read -r -s PASS
        ;;
    open|Open|OPEN)
        # Normalize the spelling so the check below recognizes an open AP
        SECURITY="open"
        ;;
    *)
        echo "Unknown security type, setting an open AP"
        SECURITY="open"
        ;;
    esac
else
    echo "Security not set ( --security ), setting an open AP"
    SECURITY="open"
fi
# Creating a temporary configuration file
# (the first line uses > so leftovers from an earlier run are discarded)
echo "interface=$WIFIINTERFACE" > temp.conf
echo "driver=$DRIVER" >> temp.conf
echo "channel=8" >> temp.conf
echo "ssid=$SSID" >> temp.conf
if [ "$SECURITY" != "open" ]
then
    echo "$wpa" >> temp.conf
    echo "wpa_passphrase=$PASS" >> temp.conf
    echo "wpa_key_mgmt=WPA-PSK" >> temp.conf
    echo "wpa_pairwise=TKIP CCMP" >> temp.conf
fi
# Clean up when the script ends, including when Hostapd is stopped with Ctrl-C
# (without the trap, the lines after hostapd would not run in that case)
cleanup() {
    # Removing the temporary configuration file
    rm -f temp.conf
    # Stopping dnsmasq
    service dnsmasq stop
    # Starting networking service
    /etc/init.d/networking start
}
trap cleanup EXIT
# Preparing the host for network traffic processing
# Stopping the networking service to exclude conflicts
/etc/init.d/networking stop
# Set the IP parameters for the wireless interface
ifconfig "$WIFIINTERFACE" 192.168.0.1 netmask 255.255.255.0
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1
# Start the DHCP and DNS server
service dnsmasq start
# Prepare network traffic processing rules
iptables -F
iptables -t nat -F
iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# You can uncomment the following line to redirect client ssl traffic to TCP port 10000
#iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 10000
# Enable network traffic forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Starting AP
echo "Starting an AP with the following parameters:"
echo "SSID: $SSID"
echo "SECURITY: $SECURITY"
echo "Interface: $WIFIINTERFACE"
echo "Driver: $DRIVER"
hostapd temp.conf
# The cleanup function registered above runs once hostapd exits

You just need to make the script executable (chmod +x hostapd_auto.sh) and start it without parameters to see the possible options. It will automatically delete the temporary configuration file when you stop Hostapd. Don't forget to use sudo when you start the script, because it will need to change system parameters requiring root privileges.

Configuration for WPA-Enterprise

Now, let's talk about a scenario with a WPA-Enterprise-protected WLAN. For that scenario, we need to use either Hostapd together with FreeRADIUS-WPE, or Hostapd-WPE. In the first case, you'll need to configure a RADIUS server and create an additional configuration file for Hostapd.

Whichever of the two you use, you first need to configure the RADIUS certificate parameters and create the certificates before you start attacking WPA-Enterprise-protected WLANs; this applies both to FreeRADIUS-WPE and to Hostapd-WPE. This is done by changing the parameters in the [certificate_authority] section of the ca.cnf file and the [server] section of the server.cnf file. Depending on your tasks, you will probably also want to change the values in the [client] section of the client.cnf file.

Setting these parameters to the values used by your target WLAN makes the attack less visible and less suspicious. After changing all necessary parameter values, execute the bootstrap script from the same directory to generate the certificates:

./bootstrap

The configuration process of FreeRADIUS-WPE is similar to the configuration process of FreeRADIUS described in Chapter 5, Implementing Security. Thus, we will not describe it in this chapter, but we will show you a configuration file, wpa-e.conf, that allows Hostapd to work together with FreeRADIUS-WPE:

interface=wlan0
driver=nl80211
ssid=YourSSID
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=192.168.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=YourRADIUSsecret
wpa=1
wpa_key_mgmt=WPA-EAP
channel=1
wpa_pairwise=TKIP CCMP
logger_stdout=-1
logger_stdout_level=0
dump_file=hostapd.dump

In this example, you will need to change the following:

  • Change the interface and driver parameters and set values according to your hardware Wi-Fi interface.
  • Change the ssid parameter. It should be identical to the SSID of your target WLAN.
  • Change auth_server_shared_secret, which is the secret (passphrase) Hostapd uses to authenticate to the RADIUS server.

The last three lines configure logging; you can comment them out and re-enable them when you need to debug your configuration.
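As an added sanity check that covers both the standalone templates (open.conf, wpa.conf) and the wpa-e.conf file above (example code written for this chapter, not part of the book or of Hostapd), check_hostapd_conf reads a Hostapd configuration from standard input and reports the mistakes that otherwise only surface in -d output: a missing interface, an SSID longer than 32 characters, a channel outside 1..11, a WPA-PSK passphrase outside 8..63 characters, or WPA-EAP with no RADIUS shared secret while Hostapd's own EAP server is not enabled. The function names are my own.

```shell
# cfg_get CFG KEY: print the first value of KEY in Hostapd config text CFG
cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# check_hostapd_conf: read a config on stdin, print one line per problem,
# return 0 if it looks consistent and 1 otherwise
check_hostapd_conf() {
    local cfg ok=0 iface ssid chan wpa pass mgmt secret eap
    cfg=$(cat)
    iface=$(cfg_get "$cfg" interface);     ssid=$(cfg_get "$cfg" ssid)
    chan=$(cfg_get "$cfg" channel);        wpa=$(cfg_get "$cfg" wpa)
    pass=$(cfg_get "$cfg" wpa_passphrase); mgmt=$(cfg_get "$cfg" wpa_key_mgmt)
    secret=$(cfg_get "$cfg" auth_server_shared_secret); eap=$(cfg_get "$cfg" eap_server)
    [ -n "$iface" ] || { echo "interface not set"; ok=1; }
    # an SSID is 1..32 characters long
    { [ -n "$ssid" ] && [ "${#ssid}" -le 32 ]; } \
        || { echo "ssid missing or longer than 32 characters"; ok=1; }
    case "$chan" in   # the chapter restricts channels to 1..11 (2.4 GHz)
        [1-9]|1[01]) ;;
        *) echo "channel '$chan' is not in 1..11"; ok=1 ;;
    esac
    if [ -n "$wpa" ]; then
        case "$mgmt" in
            WPA-PSK)   # a PSK passphrase must be 8..63 characters
                { [ "${#pass}" -ge 8 ] && [ "${#pass}" -le 63 ]; } \
                    || { echo "wpa_passphrase must be 8..63 characters"; ok=1; }
                ;;
            WPA-EAP)   # an external RADIUS server needs the shared secret
                [ "$eap" = 1 ] || [ -n "$secret" ] \
                    || { echo "WPA-EAP without eap_server=1 needs auth_server_shared_secret"; ok=1; }
                ;;
            *) echo "wpa=$wpa set but wpa_key_mgmt is '$mgmt'"; ok=1 ;;
        esac
    fi
    return "$ok"
}

# Constructed sample: open.conf shape, but with a channel outside 1..11
check_hostapd_conf <<'EOF' || echo "fix the config before starting hostapd"
interface=wlan0
driver=nl80211
ssid=Free Wi-Fi
channel=14
EOF
```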

Now, you can start FreeRADIUS-WPE first and then Hostapd to have a WPA-Enterprise-protected AP. But you can also do it with just Hostapd-WPE using a configuration file with the following content:

interface=wlan0
ssid=PACKT

eap_user_file=hostapd-wpe.eap_user
ca_cert=../../hostapd-wpe/certs/ca.pem
server_cert=../../hostapd-wpe/certs/server.pem
private_key=../../hostapd-wpe/certs/server.pem
private_key_passwd=whatever
dh_file=../../hostapd-wpe/certs/dh

hw_mode=g
channel=1

eap_server=1
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
eap_fast_a_id_info=hostapd-wpe
eap_fast_prov=3
ieee8021x=1
pac_key_lifetime=604800
pac_key_refresh_time=86400
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP CCMP

Like Hostapd, Hostapd-WPE is distributed with a sample configuration file, hostapd-wpe.conf, which documents all possible parameters together with their default values. You can simply change the interface and ssid parameters in that file and use it. In any case, we recommend you look through it to understand how to create your own configuration files or modify existing ones.

Tip

As an exercise, you can modify the automation script from the previous subtopic to make it also work with the WPA-Enterprise configuration.
