Access Point BackTrack 5

So, what I want to do is to create an open wireless access point and let people connect to it.
This requires that I have 2 network interfaces and a DHCP-server running.
The 2 network interfaces pretty much explain themselves: one interface with access to the internet, and another to broadcast the WiFi. In this case, wlan0 is connected to my home router / cell phone etc. and wlan1 is broadcasting the WiFi.
The DHCP-server provides the clients with a private IP address when they connect; of course the clients need an IP address. We are going to use a class C IP address and a /25 subnet. You can configure it how you like, just keep in mind that the DHCP-server must not conflict with another DHCP-server, and especially not on the same IP range / subnet.

The software I'm using is the aircrack-ng suite and dhcp3-server.

So to get started:
aircrack-ng is pre-installed on BT5.
Install dhcp3-server:

apt-get install dhcp3-server -y

Back up the configuration file:

mv /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.backup

Create a new dhcpd.conf with a class C IP and a /25 subnet:

nano /etc/dhcp3/dhcpd.conf

Insert the following:

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
    option subnet-mask 255.255.255.128;
    option broadcast-address 192.168.2.255;
    option routers 192.168.2.129;
    option domain-name-servers 8.8.8.8;
    range 192.168.2.130 192.168.2.140;
}

The dhcpd.conf ends here

First, put the WiFi card into monitor mode (I'm using wlan1, yours might be different):

airmon-ng start wlan1

Now we're going to start the access point.
-e sets the name (ESSID) of the access point, -c the channel:

airbase-ng -e "Free Hotspot" -c 9 mon0

This will create a virtual interface called at0.
Now configure at0 to match the DHCP-server configuration:

ifconfig at0 up
ifconfig at0 192.168.2.129 netmask 255.255.255.128

Add a route for the traffic:

route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129

To sum things up:
192.168.2.128 == The first IP address, reserved for the network (the network address)
255.255.255.128 == The subnet mask, i.e. /25
192.168.2.129 == The gateway, aka the first available IP address on the network

Now point dhcp3-server at the new dhcpd.conf and specify the interface (at0):

dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0

You only have to do that once; after that, just start dhcp3-server with the following: /etc/init.d/dhcp3-server start

Run the following commands to flush all iptables rules and set up new ones:

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

I suggest that you type these in manually, but after 2-3 times you get sick of doing it.
You can easily turn it into a bash script.
Simply copy the commands into a file, write && between the commands, save it as iptables.sh and execute it with: bash iptables.sh
If the ethX or wlanX you gave as --out-interface is connected to a router or similar, you now have a working WiFi access point.
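The readers' threads below show the two mistakes this setup invites: addressing in dhcpd.conf that does not agree with the ifconfig/route lines, and an --out-interface that is not the interface actually carrying the internet connection. The following is an added example, not part of the original post: it parses the post's subnet block with a small regex-based parser (an assumption, not ISC's real grammar), checks that netmask, broadcast, gateway and lease range agree with the /25 subnet, checks the post's caveat that the AP subnet must not collide with the network the uplink is already on (the 192.168.1.0/24 uplink is a constructed value taken from the ifconfig dumps in the comments), and renders the interface, route and NAT commands with both interface names substituted so they cannot drift apart.

```python
"""Check the soft-AP addressing for consistency and emit matching commands.

Added example (not from the original post). It parses the post's dhcpd.conf
subnet block with a small regex-based parser (not ISC's real grammar), verifies
that netmask, broadcast, gateway and lease range agree with the /25 subnet,
checks that the AP subnet does not overlap the uplink network, and renders the
ifconfig/route/iptables lines with both interface names substituted.
"""
import ipaddress
import re

# Constructed sample: the subnet block from the post, verbatim.
SAMPLE_DHCPD_CONF = """
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 8.8.8.8;
range 192.168.2.130 192.168.2.140;
}
"""


def parse_subnet_block(text):
    """Extract the first 'subnet ... { ... }' block into a dict of parsed values."""
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no subnet block found")
    net_addr, mask, body = m.groups()

    def option(name):
        # Options look like: option <name> <value>;
        hit = re.search(r"option\s+%s\s+([^;]+);" % re.escape(name), body)
        return hit.group(1).strip() if hit else None

    rng = re.search(r"range\s+(\S+)\s+(\S+)\s*;", body)
    if not rng:
        raise ValueError("no range statement in subnet block")
    return {
        # strict=True rejects a subnet line whose address has host bits set
        "network": ipaddress.ip_network("%s/%s" % (net_addr, mask), strict=True),
        "subnet_mask": option("subnet-mask"),
        "broadcast": option("broadcast-address"),
        "router": option("routers"),
        "dns": option("domain-name-servers"),
        "range_start": ipaddress.ip_address(rng.group(1)),
        "range_end": ipaddress.ip_address(rng.group(2)),
    }


def check_config(cfg, uplink_cidr):
    """Return a list of problems; an empty list means the block is consistent."""
    net = cfg["network"]
    problems = []
    if cfg["subnet_mask"] != str(net.netmask):
        problems.append("option subnet-mask should be %s" % net.netmask)
    if cfg["broadcast"] != str(net.broadcast_address):
        problems.append("option broadcast-address should be %s" % net.broadcast_address)
    router = ipaddress.ip_address(cfg["router"])
    unusable = (net.network_address, net.broadcast_address)
    if router not in net or router in unusable:
        problems.append("option routers %s is not a usable host in %s" % (router, net))
    lo, hi = cfg["range_start"], cfg["range_end"]
    if not (net.network_address < lo <= hi < net.broadcast_address):
        problems.append("range %s-%s must lie inside %s" % (lo, hi, net))
    if lo <= router <= hi:
        problems.append("gateway %s lies inside the lease range" % router)
    # The post's caveat: the AP subnet must not collide with another DHCP
    # server's range, e.g. the network the uplink interface is already on.
    uplink = ipaddress.ip_network(uplink_cidr, strict=False)
    if net.overlaps(uplink):
        problems.append("AP subnet %s overlaps uplink network %s" % (net, uplink))
    return problems


def render_commands(cfg, ap_if="at0", uplink_if="wlan0"):
    """Render the post's interface, route and NAT commands from the parsed block.

    Interface names are assumptions: at0 is what airbase-ng creates, and the
    uplink must be whichever interface actually has the internet connection.
    """
    net = cfg["network"]
    gw = cfg["router"]
    return [
        "ifconfig %s up" % ap_if,
        "ifconfig %s %s netmask %s" % (ap_if, gw, net.netmask),
        "route add -net %s netmask %s gw %s" % (net.network_address, net.netmask, gw),
        "iptables --table nat --append POSTROUTING --out-interface %s -j MASQUERADE" % uplink_if,
        "iptables --append FORWARD --in-interface %s -j ACCEPT" % ap_if,
        "echo 1 > /proc/sys/net/ipv4/ip_forward",
    ]


if __name__ == "__main__":
    cfg = parse_subnet_block(SAMPLE_DHCPD_CONF)
    # Constructed: the uplink sits on 192.168.1.0/24, as in the readers' ifconfig dumps.
    for line in check_config(cfg, "192.168.1.0/24") or ["dhcpd.conf block is consistent"]:
        print(line)
    print("\n".join(render_commands(cfg, "at0", "wlan0")))
```

Run it with the real dhcpd.conf text and the CIDR your uplink interface is on; an empty problem list means the block is internally consistent, and the rendered lines are what to paste, with the uplink name changed to eth1 or eth0 when that is the interface that actually has the connection, as several readers below found.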

So, now that people connect to your computer, you don't need to ARP poison anyone. You have become the router for the clients. This makes it very easy to sniff traffic, modify the traffic or exploit whoever joins.

I'm planning on making a video tutorial about the WiFi access point, and a tutorial on how to sniff traffic etc. Feel free to leave a comment, send me feedback at m00kaw@teh-geek.com and subscribe to our RSS feed.

//M00kaw


Links:

http://www.howtoforge.com/nat_iptables
http://adaywithtape.blogspot.com/2009/10/fake-ap-using-airbase-ng.html
http://www.thoughtcrime.org/software/sslstrip/
http://www.aircrack-ng.org/doku.php?id=airbase-ng

71 Responses to “Access Point BackTrack 5”


  • Some of the commands are wrong, missing d's and maybe an h.

    • Thanks for letting me know …
      You know, once you've read the text 100 times while trying it out and writing it down, a few commands might slip.. I'll get it fixed ASAP.

  • Hello fellow 'geeks',

    Thanks for sharing this with us. I followed all the steps and it seems to work. Just one thing I can't figure out: how to get the fake wifi router to work? I can connect and all but cannot use the internet, and the radio type is b only; I want both b & g. How to fix this? I'm not totally new to Linux but I am new with BT5.

  • I'm not sure what you mean by "how to get the fake wifi router to work?" … My wlan0 is connected to my home router, and wlan1 is used to create mon0 and the virtual interface at0. The fake/soft access point is then created with the command airbase-ng -e "Free Hotspot" -c 9 mon0

    If you can see the access point, that part is working. If you can see it but not connect to it, it's probably the dhcp-server that's not working correctly.

    If you can connect and get an IP address but not browse the internet, it's because you haven't connected to a router on the BT machine..

    Let me know if this was any help.

    //M00kaw

  • Thanks for the fast reply M00kaw!

    I see the fake access point in my available wifi list, and I can connect to it as well. I get the IP (192.168.2.128) but cannot connect to the net. When I take a look in Wireshark and go to google for example, I see the destination is 8.8.8.8 and not their IP.

    I use VMware Player with bridged networking so I'm directly connected to the network.

    I'm using eth1, wlan0 and wlan1. I use wlan0 to monitor and for at0. I'm not connected to the network with wlan0 but with eth1. Or do I have to install BT on my HDD and then run it?

    greetings

    • Well, I use a small netbook (Lenovo S12) with a hard install of BackTrack 5… I'm not sure how this will work in a virtual environment..

      Nevertheless, I will always recommend doing a hard install…

      • Just a quick update: I'm going to try and make it work with the VMware images of BackTrack…

        • That would be great M00kaw! I really appreciate the help. I did use the VMware images I downloaded from the BT site, but I experienced problems with them so I switched to the standard BT5 32-bit image file and used that instead in VMware.

          I have BT5 GNOME 32-bit on my HDD along with Windows and ran BT5 directly from the HDD as well, but no luck :( I'm guessing I'm doing something wrong when starting the config of at0 for the DHCP server.

  • I am having the same problem as Gasto but I am using Virtualbox. It seems using 8.8.8.8 as a dns server does not work when using a VM.

    • It seems odd that the DNS server would mess things up, but try using the same DNS on the virtual machine as on the host of the virtual machine..

  • Great tutorial.. works flawlessly. One question: what commands do you use to get sslstrip & ettercap working with this setup to sniff credentials?

    • Actually, I was thinking of making a small update on how I use sslstrip with this fake access point..

      I pretty much just start sslstrip and save the log file.
      Then I use a script to look for username/password in sslstrip.log and output it in a new text file..

      A small how-to is coming up some time..

      //M00kaw

    • Looking forward to your next how-to to follow up with this setup.

      Thanks

  • Do you use a virtual machine or run directly from the HDD?

    • While I was playing around with this access point, it was on my netbook (Lenovo S12) with a HDD install of BackTrack 5 32-bit GNOME.. And it works like a charm on that laptop..

  • However! After you guys said that it wasn't working in a virtual machine (VBox / VMware), I decided to try my own guide in a virtual machine.
    I got BackTrack 5 32-bit GNOME (just as on the netbook) and followed my own guide, and yes, it gave me a hell of a hard time!

    First, I thought that the DHCP-server was failing, so I got a new dhcpd.conf from a nice guy called g0tmi1k.
    That didn't solve the problem. I then contacted g0tmi1k again, and he actually told me that there might be a bug (something messed up) with airbase-ng and virtual machines! I tried to re-create the access point over and over again, I unplugged the WiFi and started from scratch. After 6 hours of frustration I had to give up. I simply can't see what it takes to solve the problem with airbase-ng and a virtual machine…

    Keep in mind that this was VMware, and I haven't tried VirtualBox yet. I'm hoping that VBox will be easier, but at this point I can't imagine that it is..

    So, I'm sorry guys, but I don't have a solution for you. I will still be looking for a way to solve this, but as for now, I think that sniffing traffic on the AP is more exciting :>

    • Thanks for the effort M00kaw!

      On VirtualBox I experienced the same problem.
      Anyway, I tried running BT straight from the HDD and followed the steps, but I cannot use the internet when connected to the fake AP. I get the IP but the same DNS error as in VMware. I'm guessing I'm doing something wrong here -_-

    • Since it is the host OS that controls the hardware, what you wish to do must be done on it.
      In VBox/VMware only USB adapters can be accessed without VBox/VMware being in the way.

  • Gasto

    You need to do an ifconfig and figure out what your outgoing interface is. Then you need to change the script for the iptables to reflect that interface. For me I had to switch

    --out-interface wlan0 to --out-interface eth1

    All working now. Thanks M00kaw.

    • I also forgot: with my card I needed to set the channel after putting the card into monitor mode.

      iwconfig wlan0 channel 9
      iwconfig mon0 channel 9

    • JihAaaa! Finally it worked out. You were right Bob, I had to change wlan1 to eth0 in iptables and it works. Thanks for the help, both of you!

  • I have an A-Link WL54USB-A adapter and an Intel 5100 adapter integrated in my notebook. I use BackTrack 5 in VMware.
    My problem when the AP is created:
    The client can connect, DHCP works OK, but the client cannot ping the gateway and does not see the network and internet. I have this problem when I use the WL54USB-A in VMware and in the live CD, too. But when I use the Intel 5100 in the live CD (in VMware I cannot) everything works great with the same configuration.
    Can anybody help me? Bad adapter or firmware or driver?

    • I also forgot: with the WL54USB-A (zd1211 firmware) adapter packet injection and other features work; I only have the problem with the AP (but when I try to connect with an Android LG P350 it works correctly; a Nokia N8 and any Windows 7 PC or laptop do not).

  • Yes there should realize the reader to RSS my feed to RSS commentary, quite simply

  • Please make a video tutorial about the wifi access point.

    • I will go ahead and do that … It's just going to be a video of me typing the commands, so it shouldn't take long to fix…
      Thanks for the comment :>

      //M00kaw

  • Thanks M00kaw, what changes if my ifconfig is:
    eth0 Link encap:Ethernet HWaddr 00:21:70:c1:41:6c
    inet addr:192.168.1.3 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::221:70ff:fec1:416c/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:34064 errors:0 dropped:0 overruns:0 frame:0
    TX packets:36247 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:29640123 (29.6 MB) TX bytes:5586347 (5.5 MB)
    Interrupt:45 Base address:0xe000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:831 errors:0 dropped:0 overruns:0 frame:0
    TX packets:831 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:59573 (59.5 KB) TX bytes:59573 (59.5 KB)

    wlan0 Link encap:Ethernet HWaddr 00:23:4e:1b:33:36
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    and default gateway 192.168.1.1 and DNS server is 203.130.196.5

    Thanks, sorry if my English is so bad.

  • There is a missing line in the iptables that should allow the traffic to be forwarded:

    iptables -P FORWARD ACCEPT

    Works for me with BT5 in VirtualBox with a USB wireless dongle.

  • plz help, I followed this to a T and it is not working for me. I can connect to the VAP but I have no internet. Am I supposed to use my IP address in the DHCP? I'm using wicd to connect with my wlan1 and am using my wlan0 as my mon0 VAP
    wlan0 Atheros AR2413 ath5k – [phy0]
    wlan1 Ralink RT2870/3070 rt2800usb – [phy1]
    mon0 Atheros AR2413 ath5k – [phy0]
    at0 Link encap:Ethernet HWaddr 00:11:f5:7d:80:a1
    inet addr:192.168.2.129 Bcast:192.168.2.255 Mask:255.255.255.128
    inet6 addr: fe80::211:f5ff:fe7d:80a1/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:47 errors:0 dropped:0 overruns:0 frame:0
    TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:500
    RX bytes:4142 (4.1 KB) TX bytes:1550 (1.5 KB)

    eth0 Link encap:Ethernet HWaddr 00:0f:b0:8e:81:83
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
    Interrupt:16

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:16436 Metric:1
    RX packets:33 errors:0 dropped:0 overruns:0 frame:0
    TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:2112 (2.1 KB) TX bytes:2112 (2.1 KB)

    mon0 Link encap:UNSPEC HWaddr 00-11-F5-7D-80-A1-30-30-00-00-00-00-00-00-00-00
    UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI MTU:1800 Metric:1
    RX packets:3129 errors:0 dropped:499 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:300786 (300.7 KB) TX bytes:0 (0.0 B)

    wlan0 Link encap:Ethernet HWaddr 00:11:f5:7d:80:a1
    inet addr:192.168.1.118 Bcast:192.168.1.255 Mask:255.255.255.0
    UP BROADCAST MULTICAST MTU:1500 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    wlan1 Link encap:Ethernet HWaddr 00:a1:b0:f0:18:3f
    inet addr:192.168.1.90 Bcast:192.168.1.255 Mask:255.255.255.0
    inet6 addr: fe80::2a1:b0ff:fef0:183f/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:35044 errors:0 dropped:0 overruns:0 frame:0
    TX packets:22666 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:47328253 (47.3 MB) TX bytes:2385287 (2.3 MB)

  • This is great to act as a “honey pot”/rogue AP or in a lab. But I would also like to establish a “closed” hotspot with WPA enabled instead of it being open. Can you post how you would do this or email me?

  • It worked OK but I can't dnsspoof all the traffic to my web page that I have in my apache2 (/var/www/index.php). When I try this with dnsspoof (dnsspoof -i at0 -f dns) and the dns file has this: 192.168.2.129 * I can't visit any site (on the client's side). Is something wrong with DNS? Must I set the router's DNS and not Google's?

  • Great post. Just wondering, is there any way to have the victim get rerouted to say “www.google.com” instead of whatever sites they try to visit? Did a quick search but my Google-Fu proved insufficient.

  • For everyone having a DNS error or problems with 8.8.8.8, TRY USING YOUR ACTUAL DNS SERVER IP ADDRESS GIVEN TO YOU BY YOUR ISP. Stop just copy&pasting tutorials that you find on the web and calling yourself a 1337 h4x0r. You can find your "nameserver" (DNS server IP address) by looking in "/etc/resolv.conf". Hope this helps some n00bs.

    • Thank you meebo!
      I'm not sure if it's a good thing helping out the copy/paste guys :-P

      Thanks for the comment again.

      • That is why I generally do my tutorials with either pictures or videos: it stops people from just copy/pasting the commands. They can still copy the steps, but have to manually type the commands. Usually people will make a typo or do something wrong and then have to debug the steps they took, ultimately resulting in gaining some knowledge about what they're doing.

      • Just a clarification:
        8.8.8.8 and 8.8.4.4 are Google DNS (http://code.google.com/speed/public-dns/) and can be used as an alternative to your DNS.

        Most times this will work out okay, but I don't recommend using Google's Public DNS service, for obvious reasons.

        Using your assigned DNS server IP is always a much better route. It may be nice to include that in the post: to use your own DNS and how to find it.

        One last thing. This works fine on Back|Track, but you may want to update it to work with the newer versions of Ubuntu and Debian.

  • Why are you not using -P with airbase-ng?
    And when you have airbase-ng running and you have wlan1, mon0 and at0, which one should you sniff with Wireshark to get the best result?

    Hope that you will update your script soon, it looks really good, so keep up the good work =)

    • I'm not using -P because, in this tutorial, I don't wanna catch others' probes. This is a proof of concept, not a how-to for tricking your neighbour.
      So the -P would be your own responsibility to find ;>

      You need to sniff the virtual interface at0 in this case.
      You can use either Wireshark, sslstrip or tcpdump. There are a lot of traffic analysers out there..

      • Thank you for your answer.

        I noticed that at0 is the best interface to sniff because there is traffic only when something is really happening. wlan0 and mon0 are full of useless traffic so it’s better to sniff at0…

        I actually use wireshark (to see what is going on), sslstrip (well.. to strip ssl) and tcpdump to capture data for later use and looking.

  • And another thing.. Could you write a tutorial on how to use Karma?

  • Hi guys, I am facing a problem: DNS with the DHCP. I was using Google's DNS and all of them were working; the second day they stopped working, then I changed the DNS to the one given by my ISP and it worked, and the second day it also stopped. Now I am trying again and again and nothing is working. I can ping an IP of a website, but I can't ping a site like yahoo.com. Dunno what's wrong, wish anyone can help me. Thanks a lot …

  • Hi … your tutorial is the best I have seen around.. plz upload this tutorial with BackTrack 5 R2.. thnx

  • Thanks for this tutorial, it really helped. I made a bash script of pretty much everything that happens here and am going to expand on it to have further functionality outside this tutorial.
    http://pastebin.com/DAscWtiJ
    Please excuse my horrible coding, first time really using bash scripting.

    • That is so awesome!
      I'm gonna look at it closer, test it out and then post it with reference to you :>
      Do you have a Twitter I could follow?

      • Nice to know you like it man, it took a couple of hours because it was my first time coding in bash.. Feel free to edit what you want and change it, just try to keep the credits.

        Well, I'm about to start my website, securitytutorials.co.uk, so I will be using this Twitter soon https://twitter.com/securitytut.. but it's a lot of work creating a new site so it'll take a while.

        btw great tutorials, keep it up man

      • What is your Twitter that I could follow?

  • Hello, I found a solution for the VMware users that can't browse the internet once connected to the fake AP.
    I was trying loads of things to get it working until finally I changed the network settings in VMware from "NAT" to "BRIDGED". For those who are unsure of how to do this, see below:

    Double click your BT image, then when VMware opens look to the left of your screen and you will see "Devices".

    Click on network adapter.
    Make sure "connect at power on" is checked.

    "Bridged: Connected directly to the physical network" is checked.

    "Replicate physical network connection state" is checked.

    This should solve your issue.

  • btw this is my script that allows you to create an access point and forward all traffic to the internet, allows you to forward all DNS queries to your localhost, and does both. Along with that it does ARP spoofing for man-in-the-middle attacks on the wireless. You can edit it any way you please; it is a good script I wrote for easy execution. (Updated version)
    http://www.twitter.com/securitytut
    http://www.pastebin.com/DAscWtiJ

  • Hi, great tutorial.
    I was just thinking about how this could be applied to social engineering and just have a few questions:
    Is it possible, instead of bridging the fake AP to one's own internet connection, to get it to give out a fake HTML router login page instead?

    Also, could the AP broadcast an encryption it doesn't have, and then disregard any encrypted packets it receives? E.g. if a client's computer believed it was connected to an access point using a password of their choice, the requests they send me would be encrypted with the password they entered.
    But would it still be able to send out an HTML landing page unencrypted? (I think I may have already answered my own question.)

    Thanks

    • Well, there are many different ways you could use this type of attack. First, you could use it for capturing passwords through a man-in-the-middle attack if you forward the internet. Second, you can go to my script, which redirects all queries to you so you can load up whatever fake page you like and capture credentials (hotel passwords, router passwords, etc.).
      If you want any more help please contact me:
      http://securitytutorials.co.uk/contact.php
      Sorry, I don't want to publish my email online.

    • Now I am installing Backtrack 5. I think I'll create a wifi hotspot with this article.

  • You sir.. are AWESOME!

  • Hi,
    first of all, thanks for the great tutorial. I was looking for this for so long. But I have some problem with it as it is not well explained. I installed dhcp3 and made the backup, created the file and put everything in it, but then didn't know what to do! However, I pressed Ctrl+X, saved the file and exited, but when I typed: airmon-ng, I couldn't see an interface called wlan0! There is just one interface called wlan0. What did I do wrong?? Please help!

  • Hi, I'm getting a problem while using dnsspoof or ettercap with filters.

    I have 2 interfaces, at0 (over wlan0) and eth0 (connected to the internet).

    Dnsspoof works fine and redirects to my local page. But when I set the iptables:

    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

    Any ideas?

  • I have set up everything like this tutorial, but my problem is that when a client connects to my fake access point the internet connection on the client is very, very slow.

    Any idea?

    • Are you connected to your router by wifi or by cable?
      Depending on your WiFi configuration, the internet connection could appear to be slow.
      Either use cable or check your WiFi settings (running an N-network and so on)..

  • Hi, I am following your setup. Please let me know how to do this, say I'm connected to wireless with wlan0 and my connection status is this:

    Physical Address: 00-C0-CA-69-52-7D
    IP Address: 192.168.1.72
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.1.1
    DHCP Server: 192.168.1.1
    Lease Obtained: 16/04/2013 11:16:59
    Lease Expires: 17/04/2013 11:16:59
    DNS Server: 192.168.1.1

    What would I put in the dhcp server config to give access to the victim to allow them to browse the internet? Please help, thanks in advance. :)

    • That has nothing to do with the DHCP-server.
      The DHCP-server makes sure that people joining YOUR wifi get an IP address assigned..

      You need to configure the iptables so it forwards all traffic from the virtual interface to your wlan0 interface.
      Pretty much just like I did it in the tutorial :>

      //M00kaw

  • Everyone, easy-creds does all this for you in BackTrack 5, enjoy.

    • The idea behind this is to get an idea of what's going on..
      Not to execute some random program like a script kiddie…

      You, my good Sir, totally misunderstood the concept…
