Introduction
A Rogue Access Point (Rogue AP) is a wireless access point that has been installed on a secure network without explicit authorization. In cybersecurity testing and penetration testing scenarios, rogue APs are often set up to mimic legitimate wireless networks in an attempt to intercept data or exploit client vulnerabilities.
Using Kali Linux, an advanced penetration testing Linux distribution, ethical hackers and security researchers can simulate such attacks to test wireless network defenses. This guide explores how to set up a rogue access point, the tools involved, and the implications of such attacks.
What is a Rogue Access Point?
A Rogue Access Point is a malicious or unauthorized wireless access point that appears to be a legitimate Wi-Fi network. Attackers use this method to trick users into connecting to their rogue APs, allowing them to:
-
Monitor or sniff network traffic
-
Inject malware
-
Steal login credentials and session tokens
-
Launch Man-in-the-Middle (MITM) attacks
These attacks are particularly effective in environments where users often connect to open or public Wi-Fi networks.
Prerequisites
Before setting up a rogue access point with Kali Linux, ensure you have the following:
-
Kali Linux (latest version recommended)
-
A wireless network adapter that supports monitor mode and packet injection
-
Root or sudo privileges
-
A working knowledge of Linux terminal commands
Key Tools Used
Kali Linux comes pre-installed with several tools useful for creating and managing rogue access points:
1. Airbase-ng
Part of the Aircrack-ng suite, this tool is used to create rogue access points.
2. Hostapd
A user-space daemon for access point and authentication servers.
3. Dnsmasq
Lightweight DNS and DHCP server for network configuration.
4. Wireshark / tcpdump
Used for packet capturing and monitoring.
5. iptables
Handles NAT and packet redirection for routing traffic.
Setting Up a Rogue Access Point Using Airbase-ng
Step 1: Enable Monitor Mode
First, put your wireless card into monitor mode:
This creates a monitor interface, usually wlan0mon.
Step 2: Start Airbase-ng
Run the following command to start a fake access point:
-
-especifies the SSID (you can clone a real one). -
-csets the channel.
This will start broadcasting a fake access point named "FreeWiFi".
Step 3: Configure the Interface
Bring up the new interface (typically at0):
Step 4: Configure DHCP Server (Dnsmasq)
Create a config file for dnsmasq:
Add:
Then start dnsmasq:
Step 5: Configure iptables
Set up NAT to allow internet access through your AP:
This forwards traffic from your fake AP to the internet.
Advanced Rogue AP Scenarios
Captive Portal and Credential Harvesting
To capture user credentials, set up a fake login page and redirect all traffic to it:
-
Use
iptablesto redirect traffic to your web server. -
Set up
ApacheorNginxwith a phishing login page.
MITM with sslstrip
You can use sslstrip to downgrade HTTPS to HTTP:
And redirect traffic:
Detection and Defense Against Rogue APs
For Users:
-
Always verify SSIDs before connecting.
-
Use VPN services when on public Wi-Fi.
-
Avoid entering sensitive data on unknown networks.
For Network Admins:
-
Deploy Wireless Intrusion Detection Systems (WIDS).
-
Use MAC filtering and 802.1X authentication.
-
Regularly audit and scan wireless environments with tools like
Kismet.
Legal and Ethical Considerations
Using rogue APs for unauthorized access or eavesdropping is illegal in most jurisdictions. Only conduct these activities in controlled environments (e.g., penetration testing engagements or labs) and with explicit permission.
Conclusion
Creating a Rogue Access Point with Kali Linux is a powerful demonstration of wireless vulnerabilities and can be a critical part of penetration testing. Understanding the process allows both attackers and defenders to better grasp the importance of Wi-Fi security.
Always use these techniques responsibly and in ethical contexts.