Introduction

In pentests, connecting devices to your own network can be very useful. This enables you to analyze the network traffic and to use a transparent proxy to intercept and inspect the data transmitted between the devices and their servers. This approach helps find potential security weaknesses in applications and network communications.

In order to make this process easier, I created a script that starts a new WiFi network that can be used to analyze the network traffic of the connected clients.

Script

The script can be found on GitHub: 802.11evil. The usage of the script is explained in the help and is quite simple:

$ ./802.11evil -h
Usage: 802.11evil [OPTION ...]

Program:
  Create evil WiFi access point.

Options:
  -l    LAN interface           (default: eth0)
  -a    Access Point interface  (default: wlan0)
  -i    Access Point IP address (default: 192.168.42.1)
  -s    Access Point SSID       (default: 802.11evil)
  -p    Access Point password   (default: password)
  -r    Redirect on/off         (default: off)
  -f    Redirect ports from     (default: 80,443)
  -t    Redirect ports to       (default: 8080)

Example Usage

Before the script can be started, the infrastructure has to be set up correctly. One network interface of your notebook has to be connected to an upstream network (e.g. a network with an Internet connection) and the other network interface should be an unused WiFi interface that will be used to serve the new WiFi network.

Example command:

sudo ./802.11evil -l eth1 -a wlan1 -s mywifi -p hunter2 -f 80,443,8443 -r on

Explanation:

  • The command must be run as root, because network configuration is changed and services are started on privileged ports.
  • The notebook is connected to an upstream network with Internet access on the interface eth1.
  • The unused WiFi interface wlan1 will be used to create the new WiFi network.
  • This command creates a new WiFi network with the name mywifi and the password hunter2.
  • All traffic from the connected clients to ports 80, 443 and 8443 is redirected to port 8080 on the testing notebook.
    • On this port, a transparent proxy is running (like Burp Suite or mitmproxy) which can be used to intercept the network traffic. For this, the proxy CA has to be installed on the clients (or the applications to be tested must be hooked in order to bypass TLS certificate verification).
    • Alternatively, a tool like certmitm could be used to test if clients correctly verify certificates at all.

The script now automatically configures the network interfaces using the ip command, enables IP forwarding using sysctl and configures NAT using iptables, so that the notebook acts as a router and the clients can access the upstream network. The port redirection to the transparent proxy is implemented with iptables as well. To assign IP addresses to the clients via DHCP and to resolve hostnames via DNS, dnsmasq is used.

When the job is done, the script can be terminated using ^C (Ctrl-C). This stops all started services and restores the previous configuration of the IP addresses, the iptables firewall and IP forwarding.
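As an added illustration of the plumbing described in the two paragraphs above (this is not the 802.11evil script itself), the following sh snippet emits the ip, sysctl, iptables and dnsmasq configuration for the example command in dry-run form and removes exactly those rules again on Ctrl-C. The interface names, AP address and port lists are the constructed sample values from the example command; the access-point daemon and the dnsmasq process themselves are not started here.

```shell
#!/bin/sh
# Added example (not the 802.11evil script): the ip/sysctl/iptables/dnsmasq
# plumbing described in the post, printed in dry-run form so the rule set can
# be reviewed before it is applied. All values are constructed samples.
LAN_IF="${LAN_IF:-eth1}"; AP_IF="${AP_IF:-wlan1}"
AP_IP="${AP_IP:-192.168.42.1}"
REDIR_FROM="${REDIR_FROM:-80,443,8443}"; REDIR_TO="${REDIR_TO:-8080}"
DRY_RUN="${DRY_RUN:-1}"   # DRY_RUN=0 (as root) actually executes the commands
# Print the command when DRY_RUN=1, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
# $1 is -A to add the rules or -D to delete exactly the same rules again.
# NAT makes the notebook the clients' router; forwarding is allowed only from
# the AP side out, plus replies. The REDIRECT matches on the AP interface so
# the notebook's own LAN traffic never reaches the transparent proxy.
fw_rules() {
  run iptables -t nat "$1" POSTROUTING -o "$LAN_IF" -j MASQUERADE
  run iptables "$1" FORWARD -i "$AP_IF" -o "$LAN_IF" -j ACCEPT
  run iptables "$1" FORWARD -i "$LAN_IF" -o "$AP_IF" \
      -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run iptables -t nat "$1" PREROUTING -i "$AP_IF" -p tcp -m multiport \
      --dports "$REDIR_FROM" -j REDIRECT --to-ports "$REDIR_TO"
}
# dnsmasq config: DHCP pool derived from AP_IP, DHCP/DNS bound to the AP
# interface only, the notebook handed out as router and resolver.
dnsmasq_conf() {
  net="${AP_IP%.*}"
  printf 'interface=%s\nbind-interfaces\n' "$AP_IF"
  printf 'dhcp-range=%s.10,%s.200,12h\n' "$net" "$net"
  printf 'dhcp-option=option:router,%s\n' "$AP_IP"
  printf 'dhcp-option=option:dns-server,%s\n' "$AP_IP"
}
start() {
  run ip addr add "$AP_IP/24" dev "$AP_IF"
  run ip link set "$AP_IF" up
  run sysctl -w net.ipv4.ip_forward=1
  fw_rules -A
  echo "# dnsmasq.conf to start dnsmasq with:"; dnsmasq_conf
}
# Ctrl-C path: remove the added rules and restore the previous forwarding value.
cleanup() {
  fw_rules -D
  run sysctl -w "net.ipv4.ip_forward=$PREV_FWD"
  run ip addr del "$AP_IP/24" dev "$AP_IF"
}
PREV_FWD=$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo 0)
trap cleanup INT TERM
start
```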
