We have installed the necessary tools in our Wi-Fi pentesting system, but it is just a part of the preparation work. In order to be able to use some of them, we need to prepare some configuration files and develop a script to automate some tasks.
We would like to start with Hostapd. We mostly use it in two situations: when we need to set up a fake AP to attack clients' traffic, and when we set up an AP with FreeRADIUS-WPE to attack WPA-Enterprise-protected networks.
To install a rogue AP for client traffic or phishing attacks you can use Hostapd in a standalone mode without connecting it to a RADIUS server. Mostly, we need it open, but sometimes there are situations when we need it to be WPA/WPA2 protected, for example, when you need to imitate a certain WPA/WPA2-protected AP. Thus, we should prepare two configuration file templates for both situations:
The following is the content of open.conf for an open AP:

    interface=wlan0
    driver=nl80211
    ssid=Free Wi-Fi
    channel=8
The following is the content of wpa.conf for a WPA2-protected AP:

    interface=wlan0
    driver=nl80211
    ssid=YourSSID
    channel=8
    wpa_passphrase=your_passphrase
    wpa=2
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP CCMP
Before you use those templates, you need to modify some values for a certain situation:

- the wlan0 value, if your Wi-Fi interface has a different name
- the ssid value, to change the WLAN's name

You can then start an AP with Hostapd and one of the previously mentioned configs, for example, open.conf:

    sudo hostapd open.conf
In your Linux terminal, you should see the following:
At the same time, you can see your open WLAN in the list of available networks on another device:
If you have any trouble with an AP on Hostapd, the option -d can be very helpful. It makes Hostapd display debug information in the terminal. The option -f will forward debug output into a file instead of standard output. You might also want to use the -t and -K options to include some additional information in the debug output.
Let's go further and prepare a configuration for a DHCP server in order to make your rogue APs more attractive and real. We use the Dnsmasq software to set up a DHCP server and it needs a configuration file, /etc/dnsmasq.conf:

    interface=wlan0
    dhcp-range=192.168.0.2,192.168.0.255,12h
    dhcp-option=3,192.168.0.1
    dhcp-option=6,192.168.0.1
    log-facility=/var/log/dnsmasq.log
    log-queries

You need to change the interface parameter value if your Wi-Fi interface is not wlan0. With the DHCP options 3 and 6, we set the IP addresses of a router and a DNS server to be distributed in DHCP responses. With the last two lines, we configure log output to be able to debug our setup in case of problems.
Usually, during a penetration test you do not want to spend time on changing configuration files, and you could forget to change some parameters. Therefore, it is wise to automate the process. We have prepared a bash script, hostapd_auto.sh, for you, which automatically creates a temporary configuration file containing the necessary parameters and then starts Hostapd with this configuration:

    #!/bin/bash
    # Show usage tips if no argument is supplied
    if [[ $# -lt 1 ]]
    then
        echo -e "Usage: $0 options"
        echo -e " -i|--interface - wlan interface to use (default wlan0)"
        echo -e " -s|--ssid - ssid to set (default \"Free WiFi\")"
        echo -e " -d|--driver - driver, corresponding to hostapd (default nl80211)"
        echo -e " --security - security type: open, wpa, wpa2 (default \"open\")"
        exit
    fi

    # Save all command line arguments into variables
    while [[ $# -gt 1 ]]
    do
        key="$1"
        case $key in
            -i|--interface)
                WIFIINTERFACE="$2"
                shift # pass next argument
                ;;
            -s|--ssid)
                SSID="$2"
                shift # pass next argument
                ;;
            -d|--driver)
                DRIVER="$2"
                shift # pass next argument
                ;;
            --security)
                SECURITY="$2"
                shift # pass next argument
                ;;
            *)
                # unknown option
                ;;
        esac
        shift # pass next argument
    done

    # Check if parameters were set
    if [ -z "$WIFIINTERFACE" ]
    then
        echo "WIFI interface not set ( -i | --interface ), using default wlan0"
        WIFIINTERFACE="wlan0"
    fi
    if [ -z "$SSID" ]
    then
        echo -e "SSID not set ( -s | --ssid ), using default \"Free WiFi\""
        SSID="Free WiFi"
    fi
    if [ -z "$DRIVER" ]
    then
        echo "Driver not set ( -d | --driver ), using default nl80211"
        DRIVER="nl80211"
    fi
    if [ ! -z "$SECURITY" ]
    then
        case $SECURITY in
            wpa|WPA)
                wpa="wpa=1"
                echo "Enter WPA passphrase:"
                read -r PASS
                ;;
            wpa2|WPA2)
                wpa="wpa=2"
                echo "Enter WPA passphrase:"
                read -r PASS
                ;;
            open|Open|OPEN)
                SECURITY="open"
                ;;
            *)
                echo "Unknown security type, setting an open AP"
                SECURITY="open"
                ;;
        esac
    else
        echo "Security not set ( --security ), setting an open AP"
        SECURITY="open"
    fi

    # Create the temporary configuration file (the first line truncates a stale copy)
    echo "interface=$WIFIINTERFACE" > temp.conf
    echo "driver=$DRIVER" >> temp.conf
    echo "channel=8" >> temp.conf
    echo "ssid=$SSID" >> temp.conf
    if [ "$SECURITY" != "open" ]
    then
        echo "$wpa" >> temp.conf
        echo "wpa_passphrase=$PASS" >> temp.conf
        echo "wpa_key_mgmt=WPA-PSK" >> temp.conf
        echo "wpa_pairwise=TKIP CCMP" >> temp.conf
    fi

    # Prepare the host for network traffic processing
    # Stop the networking service to exclude conflicts
    /etc/init.d/networking stop
    # Set the IP parameters for the wireless interface
    ifconfig "$WIFIINTERFACE" 192.168.0.1 netmask 255.255.255.0
    route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1
    # Start the DHCP and DNS server
    service dnsmasq start
    # Prepare network traffic processing rules
    iptables -F
    iptables -t nat -F
    iptables -A FORWARD -i eth0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # You can uncomment the following line to redirect client ssl traffic to TCP port 10000
    #iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 10000
    # Enable network traffic forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # Start the AP
    echo "Starting an AP with the following parameters:"
    echo "SSID: $SSID"
    echo "SECURITY: $SECURITY"
    echo "Interface: $WIFIINTERFACE"
    echo "Driver: $DRIVER"
    hostapd temp.conf
    wait

    # Remove the temporary configuration file
    rm temp.conf
    # Stop dnsmasq
    service dnsmasq stop
    # Start the networking service again
    /etc/init.d/networking start
You just need to make the script executable (chmod +x hostapd_auto.sh) and start it without parameters to see the possible options. It will automatically delete the temporary configuration file when you stop Hostapd. Don't forget to use sudo when you start the script, because it needs to change system parameters that require root privileges.
Now, let's talk about a scenario with a WPA-Enterprise-protected WLAN. For that scenario, we need to use either Hostapd with FreeRADIUS-WPE, or Hostapd-WPE. In the first case, you'll need to configure a RADIUS server and create an additional configuration file for Hostapd.
But first, no matter which of the two you use, FreeRADIUS-WPE or Hostapd-WPE, you need to configure the RADIUS certificate parameters and create certificates before you start attacking WPA-Enterprise-protected WLANs. This can be done by changing the parameters in the [certificate_authority] section of the ca.cnf file and the [server] section of the server.cnf file. Depending on your tasks, you will probably also want to change the values in the [client] section of the client.cnf file.
Setting the parameters to the values corresponding to the same parameter values of your target WLAN will make attacks less visible and less suspicious. After changing all necessary parameter values, just execute the bootstrap script from the same directory to generate the certificates:

    ./bootstrap
The configuration process of FreeRADIUS-WPE is similar to the configuration process of FreeRADIUS described in Chapter 5, Implementing Security. Thus, we will not describe it in this chapter, but we will show you a configuration file, wpa-e.conf, that allows Hostapd to work together with FreeRADIUS-WPE:

    interface=wlan0
    driver=nl80211
    ssid=YourSSID
    ieee8021x=1
    eapol_key_index_workaround=0
    own_ip_addr=192.168.0.1
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=YourRADIUSsecret
    wpa=1
    wpa_key_mgmt=WPA-EAP
    channel=1
    wpa_pairwise=TKIP CCMP
    logger_stdout=-1
    logger_stdout_level=0
    dump_file=hostapd.dump
In this example, you will need to change the following:

- the interface and driver parameters: set their values according to your hardware Wi-Fi interface
- the ssid parameter: it should be identical to the SSID of your target WLAN
- auth_server_shared_secret: the secret (passphrase) for connecting Hostapd to the RADIUS server

The last three lines configure logging; you can comment them out and re-enable them when you need to debug your configuration.
Now, you can start FreeRADIUS-WPE first and then Hostapd to have a WPA-Enterprise-protected AP. But you can also do it with just Hostapd-WPE, using a configuration file with the following content:

    interface=wlan0
    ssid=PACKT
    eap_user_file=hostapd-wpe.eap_user
    ca_cert=../../hostapd-wpe/certs/ca.pem
    server_cert=../../hostapd-wpe/certs/server.pem
    private_key=../../hostapd-wpe/certs/server.pem
    private_key_passwd=whatever
    dh_file=../../hostapd-wpe/certs/dh
    hw_mode=g
    channel=1
    eap_server=1
    eap_fast_a_id=101112131415161718191a1b1c1d1e1f
    eap_fast_a_id_info=hostapd-wpe
    eap_fast_prov=3
    ieee8021x=1
    pac_key_lifetime=604800
    pac_key_refresh_time=86400
    pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
    wpa=1
    wpa_key_mgmt=WPA-EAP
    wpa_pairwise=TKIP CCMP
But like Hostapd, Hostapd-WPE is distributed along with a sample configuration file called hostapd-wpe.conf, which contains information about all possible parameters as well as their default values. You can just change the interface and ssid parameters in this file and use it. Anyway, we recommend you look through it to understand how to create your own configuration files or modify existing ones.
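Hand-edited templates are easy to get wrong, so here is a small checker for the open, WPA2-PSK and WPA-EAP configurations shown in this chapter. It is an added example, not code from the book or from hostapd; the function names and the set of checks are our own, while the key names and limits (wpa_passphrase of 8 to 63 characters, SSID of at most 32 bytes, wpa_pairwise, the auth_server_* and certificate keys) are hostapd's.

```python
from typing import Dict, List
OPEN_TEMPLATE = """# constructed sample: the chapter's open AP template, with a comment line
interface=wlan0
driver=nl80211
ssid=Free Wi-Fi
channel=8
"""

def parse_hostapd_conf(text: str) -> Dict[str, str]:
    """Parse hostapd's key=value format: '#' starts a comment, values may contain spaces."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def check_hostapd_conf(conf: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the template looks usable."""
    problems: List[str] = []
    if not conf.get("interface"):
        problems.append("missing interface")
    if not 1 <= len(conf.get("ssid", "").encode()) <= 32:   # 802.11 caps the SSID at 32 bytes
        problems.append("ssid must be 1..32 bytes")
    chan = conf.get("channel")
    if chan is not None and not (chan.isdigit() and 1 <= int(chan) <= 14):
        problems.append("channel must be 1..14 on the 2.4 GHz band the templates use")
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        return problems                        # open AP: nothing more to check
    if "TKIP" in conf.get("wpa_pairwise", ""):
        problems.append("wpa_pairwise enables TKIP, which is deprecated; prefer CCMP only")
    mgmt = conf.get("wpa_key_mgmt", "")
    if mgmt == "WPA-PSK":                      # wpa.conf style: pre-shared key
        if not 8 <= len(conf.get("wpa_passphrase", "")) <= 63:
            problems.append("wpa_passphrase must be 8..63 characters")
    elif mgmt == "WPA-EAP":                    # wpa-e.conf / Hostapd-WPE style: 802.1X
        if conf.get("eap_server") == "1":      # built-in EAP server needs its own certificates
            needed = ("ca_cert", "server_cert", "private_key", "eap_user_file")
        else:                                  # external RADIUS server (FreeRADIUS-WPE)
            needed = ("auth_server_addr", "auth_server_port", "auth_server_shared_secret")
        problems += [f"missing {k}" for k in needed if not conf.get(k)]
    else:
        problems.append("wpa_key_mgmt must be WPA-PSK or WPA-EAP")
    return problems

if __name__ == "__main__":
    print(check_hostapd_conf(parse_hostapd_conf(OPEN_TEMPLATE)) or "open template OK")
```

Run it against a template file with `check_hostapd_conf(parse_hostapd_conf(open("wpa.conf").read()))`; the TKIP warning is a reminder that the chapter's templates enable a cipher modern clients are expected to refuse.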