Select Page

Kali Linux WiFi Hack – Evil Twin Attack [2017 Walkthrough]

Sep 11, 2017 | 120 comments

How to steal WiFi

“A Fake WiFi access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.” – wikipedia

Fake WiFi access point is often called as:

In previous chapters of this series, we have now learned to

But all of those methods were either too slow or too much resource consuming. Wouldn’t it be better if we can harvest the WiFi password in plain text to save our time, effort, energy and resources required for cracking the WPA/2 hash ?

Good news!

This is possible using the Fake WiFi access point or the infamous Evil Twin attack method.

This article is an excerpt from my WiFi Penetration testing and Security eBook for aspiring WiFi hackers and Wireless security enthusiasts. Click here to learn more

Using this method it is possible to retrieve the WPA/2 passphrase in clear-text within minutes, no need of cracking or any extra hardware other than a Wireless adapter.

In some cases you don’t even need an adapter, when ? that we will discuss

Keep reading…

As per decided road map of chapter 7 there are some changes that had to be made due to the release of Kali Linux 2.0.

Previously until Kali Linux 1.x we used to create the Evil Twin access point and bridge the interface with the virtual machine’s default interface using brctl utility, but since Kali Linux 2.0 brctl isn’t supported and also dhcp3-server is changed to isc-dhcp-server which causes too many issues while using automated scripts.

There were some conflicts between aircrack-ng suite and network manager, So supposedly I have to make changes in the chapter to keep it up-to-date.

We will not be using any automated script as thought earlier, but we will understand the concept and perform it manually so that you can make your own script to automate the task and make it simple and fast to use.

Lets begin now!

Evil Twin Attack Methodology

Step 1: We will first scan the air for a target access point. Then create an access point using airbase-ng with the same name and channel of the target access point, hence Evil TWIN attack.

Step 2:The client is now disconnected repeatedly from the  original access point and as most modern system’s setting says… “Connect back to same ESSID (AP name) if disconnects”.

This also happens because when the client disconnects from any access point it starts sending probe requests in the air with the name of the access point it connected to earlier. Hence BSSID isn’t a barrier, you just need ESSID to spoof the AP

Step 3: Clients is now connected to the Evil Twin access point and now client may start browsing Internet.

Step 4: Client will see a web administrator warning saying “Enter WPA password to download and upgrade the router firmware”

Step 5: The moment client enters the password, s/he will be redirected to a loading page and the password will be stored in the MySQL database of the attacker machine.

Scanning the air for client probe requests can lead you to crack WPA2-PSK passphrase without any existing Access point or sometimes without any handshake.

Hardware used:

Software Used:

Installing required tools

So far we have aircrack-ng suite of tools, apache, mysql, iptables pre-installed in our Kali Linux virtual machine.

We just need to install isc-dhcp-server for IP address allocation to the client.

Install isc-dhcp-server in Kali Linux

Type in terminal:

This will update the cache and install latest version of dhcp server in your Kali Linux box.

Now all the required tools are installed. We need to configure apache and the dhcp server so that the access point will allocate IP address to the client/victim and client would be able to access our webpage remotely.

Enable “public_html” remote access in apache2

By default apache doesn’t allow public access to remote connections. So we need to do some more work.

In Ubuntu and other debian based distros, apache’s default web directory is /var/www/public_html/. In case there is no such directory,  create one.

Open terminal and type:

Remember, In Kali Linux default apache web directory is /var/www/html. So put all the rogue_AP.zip content under/var/www/html.

Now you’ll need to enable remote access to the public_html directory

Type in terminal:

and edit the outlined portion and make sure your file looks like the below image:

Enable the new userdir configuration file

Now we will define the IP range and the subnet mask for the dhcp server.

Configure isc-dhcp-server

Type in terminal:

and type this in the beginning of the file

Your dhcpd.conf file will look like this

 

(Optional)Resolve airmon-ng and Network Manager Conflict

Before enabling monitor mode on the wireless card let’s fix the airmon-ng and network-manager conflict forever.

So that we don’t need to kill the network-manager or disconnect tany network connection before putting wireless adapter into monitor mode as we used to run airmon-ng check kill every time we need to start wifi pentest.

Open terminal and type:

Now add the following at the end of the file

Output should look like this

Now that you have edited the NetworkManager.conf file you should have no conflicts with airmon-ng in Kali Linux 2.0

We are ready to begin now.

Bring up the wireless interface

Put wireless adapter into monitor mode

Putting the card in monitor mode will show a similar output

Now our card is in monitor mode without any issues with network manager. You can simply start monitoring the air with command

As soon your target AP appears in the airodump-ng output window press CTRL-C and note these three things in a text editor(Gedit, in case)

Set tx-power of alfa card to max: 1000mW

tx-power stands for transmission power. By default it is set to 20dBm(Decibel metre) or 100mW.

tx-power in mW increases 10 times with every 10 dBm. See the dBm to mW table.

If your country is set to US while installation. most probably your card should operate on 30 dBm(1000 mW)

In Kali Linux 2.0 (Codename: Sana) You might face issue while powering up your card.

As in earlier versions if you set country(region) to Bolivia, you are able to operate card at 30 dBm. But in Kali Sana is not working. So we’ll be using US as our region. Here is how

If you are thinking why we need to change region to operate our card at 1000mW. Here is why

because different countries have different legal allowance of Wireless devices at certain power and frequency. That is why Linux distribution have this information built in and you need to change your region to allow yourself to operate at that frequency and power.

Motive of powering up the card is that when creating the hotspot you do not have any need to be near to the victim. victim device will automatically connect to the device with higher signal strength even if it isn’t physically near.

Start Evil Twin Attack

Begin the Evil Twin attack using airbase-ng:

Evil Twin Attack

 

by default airbase-ng creates a tap interface(at0) as the wired interface for bridging/routing the network traffic via the rogue access point. you can see it using ifconfig at0 command.

 

 

For the at0 to allocate IP address we need to assign an IP range to itself first.

Allocate IP and Subnet Mask

allocate ip range to at0 tap interface

Here we have allocated Class-C IP address to the at0 interface.

route command had set 192.168.1.0 as the network address, 255.255.255.0 as Subnet Mask and 192.168.1.1 as default gateway i.e at0’s IP

Do not confuse between Network address and default gateway. Network address is also called the network node. Nodes are the reserved IP address of any specific range. “X.X.X.0” and “X.X.X.255” are always reserved that is why IP range always varies from X.X.X.1-254

An address that ends in “.255” is also called broadcast address: all devices in the same network should handle packets addressed to the broadcast address.

Now as we have allocated IP address and subnet mask to the at0 interface we will use our default ethernet interface i.e eth0, through which we access the network connection or the Internet inside the virtual machine to route all the traffic from the client through it.

In short allowing victim to access the internet and allowing ourselves(attacker) to sniff the victim traffic.

For that we will use iptables utility to set a firewall rule to route all the traffic through this specific interface.

first you need to check the IP address of the routing interface. check it using

you will get a similar output, if using VM

Note the first line, it says “default“. It means the interface defined: eth0, is the upstream(Internet enabled) interface on this machine and 192.168.2.129 is the IP of the same as written in second line.

NOTE: second line also says eth0. Yours may be different

Enable NAT  by setting Firewall rules in iptables

Enter the following commands to set-up an actual NAT:

Make sure you enter correct interface for –out-interface. eth0 here is the upstream interface where we want to send out packets, coming from at0 interface(from victim). Rest if fine.

Don’t worry we will discuss the meaning of the above commands in the coming chapter in detail. Till then just test it 😉

After entering the above command if you are willing to provide Internet access to the victim just enable routing using the command below

Enable IP forwarding

Entering “1” in the ip_forward file will tell the system to enable the rules defined in the IPtables and start forwarding traffic(if any). 0 stand for disable. Although rules will remain defined until next reboot.

We will put it 0 for this attack, as we are not providing internet access before we get the WPA password.

Our Evil Twin access point is now up and rules has been enabled, now we will start the dhcp server to allow fake AP to allocate IP address to the clients.

First we need to tell dhcp server the location of the file we created earlier, which defines IP class, subnet mask and range of the network.

Start dhcpd Listener

Type in terminal:

Here -cf stands for Configuration file and -pf stands for PID file

Use your desired name for .pid file.

You should see a similar output

In case you are facing any issue regarding dhcp server, just kill the curently running dhcp process

and run dhcpd again. It should work now.

Start the Services

Now start the dhcp server, apache and mysql inline

We have our Evil Twin attack vector up and working perfectly. Now we need to setup our fake webpage in action so that victim will see the webpage while browsing and enter the passphrase which s/he uses for his/her access point.

Click here to Download Rogue AP configuration files

and simply enter the following command in Terminal

This command will extract the contents of rogue_AP.zip file and copy them to the apache’s public_html directory so that when the victim opens the browser s/he will automatically be redirected to the default index.html webpage.

Now to store the credentials entered by the victim in the html page, we need an SQL database.

you will see a dbconnect.php file for that, but to be in effect you need a database created already so that the dbconnect.php will reflect the changes in the DB.

Open terminal and type:

Create a new user “fakeap” and password “fakeap”

As you cannot execute MySQL queries from PHP being a root user since version 5.7

now create database and table as defined in the dbconnect.php. Simply type

it should go like this:

Grant fakeap all the permissions on rogue_AP Database:

Exit and log in using new user

Now you may test inserting a test value in the table

Type:

insert values in table

Note that both the values are same here, that means password and confirmation password should be the same.

Our attack is now ready just wait for the client to connect and see the credential coming.

In some cases your client might already be connected to the original AP. You need to disconnect the client as we did in the previous chapters using aireplay-ng utility.

open the notepad in which you saved the AP info and type:

  • aireplay-ng –deauth 0  -a <BSSID> wlan1mon

–deauth 0 : Unlimited de-authentication requests. Limit the request by entering natural numbers.

We are using 0 so that every client will disconnect from that specific BSSID and connect to our AP as it is of the same name as of real AP and also open type access point.

As soon a client connects to your AP you will see an activity in the airbase-ng terminal window like this

Now to simulate the client side I am using Ubuntu machine connected via WiFi and using a Firefox web browser to illustrate the attack.

Victim can now access Internet now. You can do 2 things now:

  1. Sniff the client traffic
  2. Redirect all the traffic to the fake AP page

and that’s what we wanna do. Redirect the client to our fake AP page.

Just run this command:

It will redirect all HTTP traffic coming from the at0 interface.

Not HTTPS traffic, due to the built in list of HSTS web sites. You can’t redirect HTPS traffic without getting an SSL/TLS error on the victim’s machine.

When victim tries to access any website(google.com in this case), s/he will see this page which tell the victim to enter the password to download and upgrade the firmware

Here i am entering “iamrootsh3ll” as the password that I (Victim) think is his/her AP’s password.

Subscribe and Download the Rogue_AP.zip:

As soon as the victim presses [ENTER] s/he will see this

Now coming back to attacker side. You need to check in the mySQL database for the stored passwords.

Just type the previously used command in the mySQL terminal window and see whether a new update is there or not.

After simulating I checked the mySQL DB and here is the output

Voila! you have successfully harvested the WPA passphrase right from the victim in plain text.

now close all the terminal windows and connect back to the real AP to check whether the password is correct or victim was him/herself was a hacker and tricked you. haha

Although you don’t need to name any AP similar to an existing AP you can also create a random free open WiFi type name to gather the client on your AP and start pentesting.

Want to go even deeper? Want to learn how to create the Ultimate Fake Access Point to spawn all the clear-text password for WiFi, victim ever connected to?

Want to Create multiple Access point with a single card?

Learn how to fix the “No Internet Access” to prevent victim to auto-disconnect the honeypot when you are missing the Internet connection?

All the above techniques and methodologies are taught in the WiFi hacking eBook I recently released.

Click the image below to learn more about the contents

There are a whole lot of possibilities of implementing the Evil Twin attacks and techniques, one of which I discuss here in the Rogue Access Point article. Before having a look let me know in the comments about your experience with the evil twin attack method and as always

Keep Learning…

  • 1v4nuk0

    Hi , i need your hel p, when i do airbase -e “blabla” -c 11 wlan0mon , i have it “”Error: Got channel -1, expected a value < 256."" , please help , i use kali 2.0 and alfa or tplink and allways say this .

    • Hi 1v4nuk0,
      You have 2 ways To fix this:
      1: Run “airmon-ng check kill“, before you create wlan0mon interface, or
      2: Head over to the “Resolve airmon-ng and Network Manager conflicts” section of this post, that will fix this issue permanently.

  • 1v4nuk0

    thx , i update suite aircrack and fix this problems , thanks

  • Антонио Любчев

    Hey, great tutorial but when I connect to the fake access point I get disconnected in a few seconds

    • Which device you are using to connect to fake AP ?

      • Антонио Любчев

        I’m using my tp-link tl-WN722N and it’s the only wireless interface

        • WN722N is well supported by Kali Linux. I tested it with android 4.4 as client and faced the same issue. Seems like newer Android devices are detecting the Fake access points and dropping the connection.

          Did you also use Android device to connect to F-AP ?

          • Антонио Любчев

            Yes, unfortunately I did. Same android 4.4.4 …

  • Rockstar_admirable

    Can you please suggest some Code Changes, Because I’m connected with Internet via Wlan0 instead of Eth0.
    And my Rogue AP connection is Wlan1.
    I appreciate any help.

    • Hello Rockstar,
      You just need to replace Eth0 with Wlan0. rest, all the commands will remain same for the task.
      No additional changes are needed 🙂

      Remember, Cable(Eth0) or EM field(WiFi) is just medium for transfer of information.

      Also, do not forget to use Wlan0 ip with prerouting

      • Rockstar_admirable

        I did it till starting DHCP Server, Apache2, Mysql but then I found that my own internet connectivity stopped so I unable to download Rogue file.
        Any further suggestion, or I missed something due to which it caused me.

        • I think you are running “airmon-ng check kill” command, which is causing the disconnection.
          If this is so, see the “Resolve airmon-ng and Network Manager conflicts” section, to get rid of this issue.
          That’ll help for sure.

          • Rockstar_admirable

            I have managed and succeeded to create Fake AP but When i tried to connect via Android Phone, after obtaining IP it disconnect automatically and this process continues. In Windows it’s working…. Previously I have done this method on Kali Linux 1.1 and it worked for both Android Phone and Windows but now it’s only working for Windows.
            Can you suggest any solution for it.

          • This thing happened to me also. it disconnected on android 4.3 and not on android 2.3

            So I have to check whether it is an Android fix or issue with latest Kali Linux’s version on Aircrack-ng suite

          • Rockstar_admirable

            I have managed to connect with my Android Kitkat 4.4 using Kali Linux 1.1 about 8 months ago. But now in Kali Linux 2.0, it causing error. I’m sure it’s Kali’s or Aircrack-ng issue not Android.

  • Антонио Любчев

    When I create the access point with aireplay-ng it makes 2 access points ?!?!?!?! one with my chose essid and another one named “default” this screws up everything

  • slmafiq

    PLEASE HELP ME!
    When i connected for fake AP i dont have internet access and cannot loading rouge page
    i make this step by step http://www89.zippyshare.com/v/rx39bULr/file.html
    Thanks !!!

  • Kuldeep Shakya

    Sir i have completed all the stepcarefully but in the last step the debian index is showing up but not the rogue_AP index in the webpage olease help me what to do

    • András Tóth

      Try just putting all the rogue files into “var/www/html” folder.

  • please help me i am unable to download rouge zip file …..when i click on link that i recieved via email it just says thank you …and download does’t starts,,,,please help me quickly …i am in middle …

  • nehat

    can’t download Rogue_AP.zip! After clicking that is send to my given email address it says “thank you for showing your concern” and nothing else. No file to download. Please help me with that!
    Hoping for quick response.Thank you!

    • Hello Nehat,
      Please contact me on harry@rootsh3ll.com . I’ll send you the file there.

      • nehat

        i send you and email regarding this issue in your given contact details, please send me the file! thank you!

  • Fake ap is not alloting ip address.. I googled problem it is about same subnet.. Help me with this please

    • Did you run dhcp server before ?
      also make sure you are using ethernet as internet interface

    • András Tóth

      Same here, tried already everything. Browsed through all the iptables functions etc., but still no solution and i have no idea what could cause the problem. When i set everything up and my test victim connects to the ap, the station is not redirected to the desired apache2 server. Although if I put my eth0 ip address in the browser of the vic., then it ends up on the desired page. I dont want to start spoofing all the freqently visited sites like google or fb, I just would like to find a working way to redirect all the 80,8080 tcp traffic to the local server.

      Any ideas solving this? Would be highly appreciated!

  • equinox

    I follow all the steps and work correctly but when I connect to the fake ap there is no internet connection. What might be the possible problem?

    • Check the IP address of the interface connected to the Internet. Set accordingly

      Mine is 192.168.2.129 (Check the Set Firewall rules in Iptables Section)
      Your’s might be different.

      • equinox

        Is this part correct? When I run the command “dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhclient-eth1.pid at0” ( I am using eth1 ethernet) It’s not displaying the listening and sending line. I already check the ip and it’s correct.

        • odk

          Hi! I’m having the same problem!
          In my situation, I follow the instructions and at the point where I type ip route, I get two different routing interfaces(?), one with a weird IP address and the other with 192.168.1.1
          And when I try to start dhcpd listener with either IP address, I get the same situation as equinox.
          Also, there is no dhcpd.leases file in /var/lib/dhcp
          I wonder if this has anything to do with my problem.
          Please help me!! Thank you.

    • nothingnoone

      Did you all figure this out? I am having the same problem. with “There’s already a DHCP server running” and no connectivity on the fake AP…

  • Oby Genova

    Hello everyone,
    First, thanks to Harry for this amazing tuto !
    I did exactly what you did and it works fine, but when I connect to the fake AP I have Internet connection but I’m not automatically redirected on the fake page. How do you do that ?

    • Try running this command to redirect all traffic to your apache server:
      dnsspoof -i [WiFi Interface]

      • Pieter

        somehow DNSSPOOF monitors traffic (DNS requests) to 8.8.8.8, but the traffic is never redirected to my honeypot page. Internet works fine on the victim, but they never get redirected. Any suggestions?

        • You must be providing wrong interface to dnsspoof. try at0, if using aircrack-ng. and wlan0 if using hostapd.

          • Pieter

            I have followed your steps to de letter and dot, i have been monitoring at0. I see al the traffic, but somehow it is all directed to 8.8.8.8 without being intercepted/rerouted. If i add my at0 ip to the DNS config it kills the internet connection for the victim (all DNS requests are then redirected to at0, but thats obviously not a DNS server). I have tried running DNSspoof with a config file (-f) for specific websites, but still no avail. When I open the fake page by typing the IP for at0 it works like a charm, i can enter passwords and retrieve them from MySQL. So Apache and SQL are doing their thing, i just need to redirect the victim to that IP somehow… Sorry for the lengthy explanation, it’s been bugging me for a few days now!

          • jima

            same issue ^^ When I open the fake page by typing the IP for at0 and 8.8.8.8 it works very well. but no D.N.S automatic redirection.

          • Pieter

            I have found out what te issue was; the client (target) was caching DNS. I flushed the cache and described in the DNSspoof file a new (never visited) site. It then sort of works, sometimes DNSSpoof intercepts and the credential harvester page appears! It does seem to be a bit flaky though. I have also tried dnsmasq, but somehow I can’t get it started because of DHCP issues with this walk-through. I hope you find out how to get it going!
            Sidenote; If you make a site clone with SET toolkit you can easily make a custom credential harvester site which dumps the credentials in an easy accessible TXT file in the /var/www/html dir. It also redirects directly to the official site after the credentials are received; the target is none the wiser (much more elegant than the site described in this tutorial).

          • Pieter, I saw that DNS spoof will only redirect HTTP based traffic to the local apache server and not the sites operating on HTTPS(mostly). for that to make work quickly, you

            can use Bettercap. It does the job pretty neatly.

            That’s something I wanted to cover in a different article, but in meantime you can get it working with it, I will write about details and working soon.

            Secondly, the DHCP issue you might be facing because isc-dhcp server is still running and using port 53 on which DNS servers usually operate. You need to kill isc-dhcp-server.

            # service isc-dhcp-server stop

            or

            # service dhcpd stop

            then run dnsmasq. It should run now.

            About SideNote:

            SET is a very good toolkit, but writing about it will not do justice to the purpose of this site i.e teaching you how actually stuff works.

            SET will do all on its own, but purpose is to teach you what happens behind-the-scenes, so that you do not need to depend on any specific framework/toolkit.

            For example, What SET does is actually putting the cloned HTML/CSS/JS files into a folder named acc. to sitename and add a virtual host in the apache configuration.

            So that whenever the client request for that site, apache will redirect it to the /var/www/html/$sitename

            This is also how the multiple domains are hosted on a single webhost

            Hope you get the idea.

          • Pieter

            Hardeep, thanks for your reply! I will test your suggestions as soon as I find the time. Just wondering; doesn’t stopping the DHCP server cut of the handing out of IP’s and therefore the internet connection from the target? Guess i’ll find out!
            About your remarks about the side note; Point taken, although SET-generated pages will definitely take out the countless hours of programming needed to craft a credible target-specific site with working PHP/Apache connections and credential-dumps. But fair enough; there’s too many script-kiddy’s out there already, right?:-)

          • You’re most welcome Pieter.
            Just wondering;
            DNSMasq works as a DHCP and a DNS server at same time. So killing the isc-dhcp server would then free the DNS service port(53). And DHCP will take care of the IP’s being allocated to clients and Internet connection also.

            Yeah, alot. and it’s good cuz that’s the way to learn. Can’t start as an expert 🙂

            Sidenote:
            Using SET and alike tools must be used to save time and for better productivity, ONLY IF you know how stuff works. If not, better get back to basics.

  • Oby Genova

    Okay I fixed my problem (echo 1 instead of echo 0) but no automatic redirection to the fake page for me…

    • Sinaï 00

      same issue, does anyone have a answer ?

    • Just wait for a few days.. I have a better version of the same attack method.. as this one is causing many issues.. I am writing a better and up to date version for Fake AP method.

      Stay tuned!

      • Sinaï 00

        cool thank you 😉 i’m looking forward

  • GM

    Hello, first of all congratulations. I have a problem maybe you can help me:

    root@kali:~# ifconfig wlan0 up
    root@kali:~# airmon-ng start wlan0

    PHY Interface Driver Chipset

    phy0 wlan0 rtl8187 Realtek Semiconductor Corp. RTL8187
    packet_write_wait: Connection to 192.168.1.16: Broken pipe
    $ ssh root@192.168.1.16

    As you will notice, I connect remotely (I’m using ‘nano’ instead of ‘gedit’, I hope the same is fine) just send that command disconnects me. I have to unplug the raspberry and restart it.

    I added that string inside ‘NetworkManager.conf’ to avoid conflicts, but nothing. I also did ‘airmon ng check-kill’ but nothing. Disconnects!

    I am using a ‘awus036nh’. I hope you can help me. Thank you

    • Thanks GM 🙂
      Try killing the network-manager utility first: service network-manager stop rather than airmon-ng check kill.

      Also how are you connecting to SSH ? via cable ?

      • GM

        I tried as you say, the problem remains. I enter ssh from mac. The connection to the raspberry is given by alfa AWUS036H. I question arises? How do I do this if the antenna where it takes the connection should become a hotspot? I mean, I then remotely then we connect? I must also stick an ethernet cable? Unfortunately I have the router away from raspberry. Thank

  • Nguyên

    can i using wlan card on laptop?

    • Yes.
      Make sure it support for this attack is “Access Point mode”

      to check it, type iw list in Terminal and look for “AP/VLAN” under the WiFi interface section.

      You can also filter the output. For example, Type
      iw list | grep AP/VLAN

      If it shows an output with this text: “AP/VLAN” it means you can perform the attack.

      • Nguyên

        when i in put: iw list | grep AP/VLAN
        appear
        iw list | grep AP/VLAN
        * AP/VLAN
        * AP/VLAN: 0x00 0x10 0x20 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xa0 0xb0 0xc0 0xd0 0xe0 0xf0
        * AP/VLAN: 0x00 0x20 0x40 0xa0 0xb0 0xc0 0xd0
        * AP/VLAN

        is this ok?

        • Cool! You are good to go.

          • Nguyên

            thank you very much. but when i in put:
            apt-get install isc-dhcp-server -y

            i get error:

            Reading package lists… Done
            Building dependency tree
            Reading state information… Done
            Some packages could not be installed. This may mean that you have
            requested an impossible situation or if you are using the unstable
            distribution that some required packages have not yet been created
            or been moved out of Incoming.
            The following information may help to resolve the situation:

            The following packages have unmet dependencies:
            isc-dhcp-server : Depends: isc-dhcp-common (= 4.3.1-6+deb8u2) but 4.3.3-5 is to be installed
            E: Unable to correct problems, you have held broken packages.

            how can i fix it? i have try some way but it don’t work

          • Most probably, the issue lies in your sources.list file.
            Add this text string within your /etc/apt/sources.list file:

            deb http://http.kali.org/kali kali-rolling main non-free contrib

            save and run apt-get update the instal isc-dhcp-server

          • Nguyên

            it worked. thank you very much.
            but on the last step:
            root@Kali:~# aireplay-ng –deauth 0 -a FE:9B:9C:36:E2:75 wlan0mon
            FE:9B:9C:36:E2:75 is my BSSID from my iPhone for test.

            i got some error:
            16:39:31 Waiting for beacon frame (BSSID: FE:9B:9C:36:E2:75) on channel 11
            16:39:32 wlan0mon is on channel 11, but the AP uses channel 1

            I tried: root@Kali:~# aireplay-ng –deauth 0 -e iPhone wlan0mon
            but got the same error.

            when i replace:

            airbase-ng -e “rootsh3ll” -c 1 wlan1mon
            to: aiirbase-ng -e “iPhone” -c 1 wlan1mon

            then use BSSID, i got the same error,
            when i use ESSID: aireplay-ng –deauth 0 -e iPhone wlan0mon
            it work with BSSID: 30:3A:64:FD:0D:E0.
            i try to connect with my iPhone’s wifi. and client not apper

            please help me!
            thank you very much

          • Issue is not with airebase-ng operating on *SOME* channel but your card itself.
            as you may have noticed while running airodump-ng [on the upper left corner]. Airodump is constantly hopping between different channels [1-13] and the moment you hit (^C) your card stays on the *random* channel it was last on during airodump-ng scan.

            So as you are deauthenticating an access point now you need to send deauthentication packets on the same frequency(channel).

            To fix this there are 2 ways:
            1. Use airodump-ng to put card on a specific channel [Channel 1 in your case]
            Example: *After first airodump-ng scan and Before running aireplay-ng or airbase-ng*
            :~# airodump-ng -c 1 wlan0mon
            and hit CTRL-C as soon as scan starts.
            Now the card is on your desired channel i.e 1

            2. Use BaSH utilities to get the job done

            :~# ifconfig wlan0mon down
            :~# iwconfig wlan0mon channel 1
            :~# ifconfig wlan0mon up

            Let me know if you face further issue. 🙂

          • Nguyên

            i’m got some error and i don’t know how to fix it.
            1. when i input

            dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhclient-eth0.pid at0:
            cannot find /var/lib/dhcp/dhcpd.leases
            i try create file leadpad, name: dhcpd.leases and save in /var/lib/dhcp/dhcpd.leases
            and it worked, but i don’t know is this correct

            2. i set:

            iw reg set US
            but in iwconfig wlan0mon: Tx-Power=0 dBm

            3.ip route
            igot:
            default dev ppp0 proto static scope link metric 700
            10.161.143.52 dev ppp0 proto kernel scope link src 10.161.143.52 metric 700
            192.168.1.0/24 via 192.168.1.1 dev ppp0
            192.196.1.0/24 dev at0 proto kernel scope link src 192.196.1.1
            i have try bot 10.161.143.52 and 192.196.1.1 in

            iptables -t nat -A PREROUTING -p tcp –dport 80 -j DNAT –to-destination 192.168.2.129:80
            but i don’t know is this true, or i set ifconfg at0 and route add -net is fail

            4. and the last i try this your help in channel
            it worked. but when i connect my wifi for test, i can’t see client connect as you, and i try access any web site but I’m not automatically redirected on the fake page.
            i think my AP have not to work as Access point

            can you help me these question
            thank you very much

          • 1. cannot find /var/lib/dhcp/dhcpd.leases
            Stop isc-dhcp-server:
            service isc-dhcp-server stop
            now run the command:
            dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhclient.pid at0

            Note the dhcpd.pid. You can name it whatever you want.

            Now start isc-dhcp-server:
            service isc-dhcp-server start
            It will now create required leases files.

            2. but in iwconfig wlan0mon: Tx-Power=0 dBm

            As you said earlier you are using onboard WiFi card. It(0 dBm) means your card doesn’t support this feature. But you can still use for test purposes on any nearby devices like your iPhone. It’ll work.

            3. ip route

            You got first line saying default:
            default dev ppp0 proto static scope link metric 700

            Note the ppp0. It is your default connection for Internet in your Kali Machine. You just need to replace eth0 with ppp0. As in this article eth0 is been used as Internet enabled interface.

            NOTE: Use only the interface that says “default dev…”

            Use these iptables commands now:
            iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
            iptables --append FORWARD --in-interface wlan0mon -j ACCEPT

            4. i think my AP have not to work as Access point
            Just run this command if it still isn’t working:
            dnsspoof -i at0

            Hope all questions are answered. If not, feel free to ask.

            🙂

          • Nguyên

            I did exactly what you did and it works fine, but when I connect to the
            fake AP I have Internet connection and have no error, but I’m not automatically redirected
            on the fake page. may be i should by an usb AP. tp-link wr822n is ok?

          • Nguyên

            I did exactly what you did and it works fine and have no error, when I connect to the
            fake AP I have Internet connection, but I’m not automatically redirected
            on the fake page.
            and on:
            airbase-ng -e “HVAN-HV5” -c 1 wlan0mon
            10:37:53 Created tap interface at0
            10:37:53 Trying to set MTU on at0 to 1500
            10:37:53 Access Point with BSSID 30:3A:64:FD:0D:E0 started.

            i don’t have an clien connect as you.

            may be i should by an usb AP for test.
            tp-link wr822n and tp-link wr722n, which AP i should by?

          • I didn’t get it.

            have no error, when I connect to the
            fake AP I have Internet connection
            is contradicting
            i don’t have an clien connect as you.

            How can you connect to AP and access Internet without getting associated with airbase-ng’s created soft AP ?

            please mail me output of dmesg command just after connecting to the AP(if you see no assoc. on airbase-ng)

            Tip: Save dmesg output into a file in current directory

            dmesg > output.txt

            Either way, 722N is just perfect!

            Checkout other cards at rStore

  • Nguyên

    i can’t connect wifi card on board in lap top with kali linux vmware. can you help me how to connect?

  • Æxyeen Een Aryeen

    everything works fine but when i load the configuration page, input the passphrase and click on submit button nothing happens..and i check the database too..it was empty..
    can anyone tell what’s wrong???

    • Make sure you’ve made proper connection with MySQL server from your PHP file.

  • Chris

    Hey whats up, I’m having a problem with getting associated after deauth. From what I’ve read, deauth is supposed to kick all the stations (if any) off the network and they are supposed to connect back to me( The Fake AP)? Why isn’t it auto connecting back to my AP after I deauth? Do i have to wait for someone to be on there phone and physically connect to the fake ap that says open? I could use some help here, Ive been at this for like 4 days and have lost soo much sleep.

    • Yes. You have to wait for someone to physically click/tap on the WiFi to connect to Fake AP.
      That’s where using alfa card to max tx-power comes to use. To outcast the original WiFi and get above that in the list of scanned networks, so that the client unintentionally connects to you only.(as they probably haven’t been associated to an open Network with same name earlier).

      and please don’t waste so much time worrying.
      Next time contact me via email: harry@rootsh3ll.com | Facebook | Twitter

      🙂

      • Chris

        I don’t have to put wlan0mon instead of eth0 is do I?

        dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhclient-eth0.pid at0

        iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE

        same question for this as well ^ eth0 to wlan0mon? or wlan0?

        • you can use any Interface as your Internet medium. Just replace eth0 with the interface name that has Internet enabled on it.
          For example ppp0 for dongles. Replace eth0 -> ppp0
          rest will remain same.

  • capati

    Is there a way to redirect https requests? I tried to create a https server with a self-signed certificate, but the browser throw the error “Your connection is not private” with a broken https: ERR_CERT_AUTHORITY_INVALID

    • Sorry but apparently there seems to be no way for redirecting HTTPS based traffic requests on modern browsers. I’ll keep you updated if I find any alternative.

      • capati

        I see, I just want to say thanks for these tutorials, great work.

  • knightblood

    hi, fake portal will not show if the victim tries to go to a https website. I’m trying it on an android device. Portal shows up only if it is a non-https sites.

    thank you.

    • Sorry but this is prevented by all modern browsers using HSTS(HTTP Strict Transport Security).
      Apparently you can’t redirect/strip HTTPS to HTTP site.

      I’ll keep you posted if I discover something useful.

  • knightblood

    Hi hardeep, great job on the tutorial. It’s detailed and easy to follow. Also thanks for the extra help in providing me with the. php script. It works just fine.

    • Thanks Knight.
      I am looking forward for your Fake portal. All the best.
      Who knows it may be included in rootsh3ll’s WiFi hacking book 😉

  • Asdfsdfsadf Sdfsdfsdfasdf

    Does this work with Raspberry Pi or only Ethernet cable?

    • Yeah, it should!

      • Asdfsdfsadf Sdfsdfsdfasdf

        Ok sounds, I will test this out.

        “So put all the rogue_AP.zip content under/var/www/html.”

        Do I extract this part or leave it as a .zip

  • Asdfsdfsadf Sdfsdfsdfasdf

    NEAT THIS WORKED. FINALLY A WORKING GUIDE AND NOT SOME VIRUS SCAM.

    Although for now I am only able to captures dns with dns sniff. I am getting “0 leases” instead of 3. Do you know how to fix that

    • You can use dnsmasq if you are facing frequent issues with dhcp server.
      Come over email, I’ll tell you how to setup there.

  • dou

    i followed exact step by step and everything worked, but i couldnt connect to the other target.. and also i get an error with the configuration specified above for the apache service, will only restart once i enable old configuration

    • probably because of the version difference, as article was written in 2015.
      Thanks for pointing out though. Will update it soon 🙂

      Hope you are not facing any other issues

      • dou

        Hello, thank you for the quick reply, I was running the apache configuration as root, so I just commented out “disabled root” and apache started successfully, but the there’s still an error when I try to log in to the fake host it never connects…I deauth my packets and loose wifi great lol, and my fake wifi shows up, and also forwarded my IPv4

        • You can try dnsmasq as a isc-dhcp-server alternative with hostapd. It is much stable in such cases

          Mail me(harry@rootsh3ll.com) if you need any help. I’ll send you files and instructions.

      • BrainS

        Hey Hardeep, did you update the tut yet?

  • Unknown

    Wao, its working for me//////

  • Unknown

    Hey everything is going fine. Everything works greatly. But i cannot recieve the wpa_passphrase in mysql terminal. Please help me with this.

    • Make sure you’ve created a database first:
      insert into wpa_keys(password1, password2) values ("testpass", "testpass");

      as dbconnect.php will write all the captured info in wpa_keys only.

  • Unknown

    And i want to know if it it possible to set fake page on every website instead of 192.168.1.1, like http://www.google.com

    • The redirection won’t work on HTTPS sites enabled with HSTS. though you can still redirect a lot of sites.
      At last of al the steps just run:
      dnsspoof -i "FakeAP Interface"

      and create a php site in your webserver’s home directory which will redirect al incoming traffic to your desired site.

      Though it could be done by iptables, I guess.

  • Unknown

    What can i do if i have no connection in ip route???

    • make sure your network-manager is running. In case you killed it, you’d have to connect eth0 using dhclient eth0 command and/or WiFi using wpa_supplicant

  • Unknown

    I mean that, like if i have not eth0 option or any other interface in iproute.
    then is it possible to skip this statement or something like this;

    iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE

    i am asking because when i write ip route no interface is coming instead of at0.
    Is it possible to set this interface as –out-interface

    • In that case you can skip the line. Only downside is that you won’t be able to provide Internet access to the victim.
      EDIT: Though you can set this interface as –out-interface. but traffic won’t redirect to it as it doesn’t exist actually.

  • BrainS

    Hi, Everything works until I put two passwords in the boxes on the .html web , after I press enter, nothing happends, I get redirected to a blank .php page. And I dont get any inputs in Mysql database. I do see dnsspoof working and the client connected successfully . Maybe something in the .php?

    • Check these things:
      1. MySQL password in the PHP file must be correct
      2. Database and tables created must be same as of the PHP file (case sensitive)
      3. Make sure php5-mysql is installed apt install php5-mysql

      If everything is fine get over email. We’ll sort it out their much faster.

  • Unknown

    Hi, Can you post this same method by using HOSTAPD instead of using AIRBASE-NG
    Because when I start the fake AP instead of showing one AP it show one more AP name “default” and even sometime it also shows a third one who’s ESSID is something “iff 20008303923Z”

    • I am about to include that method in my book.
      Though you can contact me on harry@rootsh3ll.com I’ll send you the method and required configuration files there.

      • Unknown

        thanks i will contact you

  • Unknown

    Hey, i have onboard wifi adpater in my laptop with driver “iwlwifi”. Well, the problem is that i cannot be able to increase the tx-power of my adapter. I googled it and try different methods to increase the txpower but every time i got a failure.
    Or
    if i increase the txpower of my card then what will be it’s effect on card

    • This is because most of the on oard wireless cards doesn’t support packet injection, powering up the card etc.
      For those purposes you’d need a dedicated WiFi adapter.

  • Unknown

    Ok, But i also buy a TP-link wifi adapter “WN727N”. I also tried to increase its txpower but it doesn’t.

    • I think 727 was incompatible with Kali Linux.
      722N is pretty nicely supported though.

  • Walid

    Hi thanks for the article, so I was wondering: is there a way if I create an evil twin with a WPA password for exemple to get the password when the victim will use when she wants to connect to my evil twin? And also why and how the victim is disconnect from his wifi?

    • Yes you can create a WPA/2 type access point as well.
      1: using -Z option in airbase-ng. see manual
      2: using hostapd utility. google it!

      Victim is deauthenticated by sending deauthentication packets to the client pretending to be sent from the real AP. we used aireplay-ng to perform this attack as written in the tutorial.

      It is done because we are using an open AP so that anyone can join the network without any password. but assuming that victim is already connected to his/her own AP(real one) we need to first deauthenticate them continuously from the real AP so that they can manually click on the fake AP(with same name, but open) and join it, unknowingly.

      You can use aireplay-ng, MDK3 toolkit or craft your own tools using Python/Scapy acc. to your needs.

      Glad that you liked it!

      • Walid

        Thank you very much for your answer, the thing is I dont have Linux I’m using Macbook with vm windows. I have macports with the aircrack thing. Do you know if I can use deauthentication with another tool? Thanks
        PS: Is there a way to secure your access point from deauthentication packets

        • I think aircrack-ng suite does come for Mac also. You will find one on github I guess. Another tool is MDK3. there are other tools also butvthey ultimately use aircrack-ng only. so go with that or script your own tool in Python is a good choice.

          Yes there is a way. but I am not quite sure if it is for every router/client.
          as of now I am working on my WiFi hacking ans security book. I am researching on that too. hopefully I will find something useful and include that in the book within a month or so.

  • Vignesh Raja

    How to redirect all traffic

  • danish

    Hardeep Singh sir this article is so much good. but sir i am trying to make fake ap like u from 5 days and continuously failing. sir can u come in my pc and solve my error my dhcp is not running, and also ip addressing in i am doing mistake

    • 5 days are too much danish. let me help you over email (harry@rootsh3ll.com)
      🙂

  • wice22

    Well , basically it is impossible to run DHCP with this configuration…

    • Owen Lenegan

      That’s what I have found…

  • i dont mind

    I’m trying this, to create an AP, but i want to give me full network access, ’cause i’m too far from my router. I have set up everything, but i can’t redirect my traffic from wlan0mon to eth0 (using kali btw). i can get a dynamic ip, but anything i’ve tried worked. Form setting up a bridge manually to finally trying to use bridge-utils to do it. And that’s my problem. I can join eth0 and br0, but not br0 and wlan0mon. Any help?

  • Pingback: APT-1874()

  • FURY

    dhcp start is faild !! if can someone can help me i will be great i have just 2 question !! 🙂