rogue access point rootsh3ll

Setting up a working Rogue Access Point with the (ISC!) DHCP server is often a pain in the butt. Most users either don’t know how to hack WiFi or have a hard time configuring the required setup. Many try to perform flexible tasks with a rogue access point built on airbase-ng and end up frustrated.

airbase-ng is a nice little WiFi hacking tool, part of the aircrack-ng suite, with very limited options. It is usually paired with a full-blown, memory-hungry, hard-to-maintain (ISC!) DHCP server, which isn’t required at minute operational levels, especially when you are working on embedded, less powerful devices like a Raspberry Pi.

hostapd (Host access point daemon) is a very flexible and lightweight software access point capable of turning normal NICs into full-blown (real) access points and authentication servers.
hostapd together with apache can do a lot of interesting things; a few of those aspects will be covered in this book.

dnsmasq is a lightweight DHCP and caching DNS server.
Dnsmasq accepts DNS queries and either answers them from a small, local, cache or forwards them to a real, recursive, DNS server.
Dnsmasq is coded with small embedded systems in mind. It aims for the smallest possible memory footprint compatible with the supported functions, and allows unneeded functions to be omitted from the compiled binary.

Before jumping right into the possibilities of a fake AP, make sure that your configuration files are properly set up.
That lets you be ready to go for whatever scenario comes up and saves a lot of time.


Understanding the Basic Attack Scenario

We scan the air and gather information about the target access point.

Information like:

  • ESSID: Extended Service Set Identifier aka AP Name
  • BSSID: Basic Service Set Identifier aka AP MAC address
  • Channel number
  • Connected clients, aka victims

We create an access point with the same name as our target AP (rsX), though the operating channel may be different.
We de-authenticate the client from the real AP and wait for them to connect to our fake AP (rsX).
The moment the victim associates with our fake AP, they are allocated an IP address.

Now we have IP level access to the victim machine.
Here you can do a lot of stuff like:

But to make all of this possible you should be prepared with your tools. As the saying goes:

A craftsman is only as good as his tools
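The scenario above, seen from the defender's side: a cloned-name AP shows up in a scan as the familiar ESSID broadcast by a BSSID that is not in the site's AP inventory, often on a different channel, with a different vendor OUI or a different security setting. The following Python script is an added example, not code from the original post; it applies exactly those checks to scan results. The scan records and the BSSID inventory are constructed for the example.

```python
from collections import defaultdict

# Constructed scan records (not from the post), in the shape a scanner such as
# airodump-ng or `iw dev wlan0 scan` reports per beacon.
SCAN = [
    {"essid": "rootsh3ll", "bssid": "d8:47:32:10:20:30", "channel": 6,  "privacy": "WPA2"},
    {"essid": "rootsh3ll", "bssid": "d8:47:32:10:20:31", "channel": 11, "privacy": "WPA2"},  # second legit AP
    {"essid": "rootsh3ll", "bssid": "00:c0:ca:5a:34:b7", "channel": 1,  "privacy": "OPN"},   # cloned name
    {"essid": "guest",     "bssid": "d8:47:32:10:20:32", "channel": 6,  "privacy": "OPN"},
]

# Constructed AP inventory: the BSSIDs the site actually owns.
KNOWN_BSSIDS = {"d8:47:32:10:20:30", "d8:47:32:10:20:31", "d8:47:32:10:20:32"}


def oui(bssid: str) -> str:
    """First three octets of a MAC: the vendor prefix a fleet of APs normally shares."""
    return bssid.lower()[:8]


def find_evil_twin_candidates(scan, known_bssids):
    """Return [(bssid, essid, reasons)] for unknown BSSIDs that broadcast an ESSID
    the inventory also uses. Extra reasons are recorded when the unknown AP differs
    in security or vendor OUI from the known APs of the same name, since a legitimate
    multi-AP ESS normally shares both."""
    known = {b.lower() for b in known_bssids}
    by_essid = defaultdict(list)
    for rec in scan:
        by_essid[rec["essid"]].append(rec)

    findings = []
    for essid, aps in by_essid.items():
        trusted = [a for a in aps if a["bssid"].lower() in known]
        if not trusted:
            continue  # the name is not ours, so an unknown AP here is not a twin
        trusted_privacy = {a["privacy"] for a in trusted}
        trusted_ouis = {oui(a["bssid"]) for a in trusted}
        for ap in aps:
            if ap["bssid"].lower() in known:
                continue
            reasons = ["BSSID not in inventory but ESSID matches a known AP"]
            if ap["privacy"] not in trusted_privacy:
                reasons.append(
                    f"security {ap['privacy']} differs from known {sorted(trusted_privacy)}")
            if oui(ap["bssid"]) not in trusted_ouis:
                reasons.append("vendor OUI differs from the known APs")
            findings.append((ap["bssid"], essid, reasons))
    return findings


if __name__ == "__main__":
    for bssid, essid, reasons in find_evil_twin_candidates(SCAN, KNOWN_BSSIDS):
        print(f"{essid!r} from {bssid}: " + "; ".join(reasons))
```

Run against the constructed scan it reports only the third record: the second "rootsh3ll" BSSID is in the inventory and shares vendor and security with the first, so a plain "same name, several BSSIDs" rule would have produced a false positive there.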

Configuring the Rogue Access Point


hostapd lets you create a specific type of access point, be it WPA/WPA2 personal, enterprise, or a karma attack. Keep every variant commented in your arsenal for later use.

dnsmasq is a lightweight DNS/DHCP server. It resolves DNS requests from the client and also acts as a DHCP server that allocates IP addresses to the clients.
Remember the IP-level connectivity to the client? That is thanks to dnsmasq.

apache basically acts as a web server for the client (victim), but you can extend the capabilities of your web server and fake AP using this powerful tool.
It is not necessary to have apache and/or mysql in every attack, though.

All the client information is stored in the mysql database, so you had better have the corresponding database, tables and columns set up in advance.

hostapd and dnsmasq are required in every case where you want to set up a rogue access point. There are, however, some advanced techniques that differ according to the attack scenario:
techniques that use the flexibility and features of apache and mysql.

Say you force-connected the victim to your AP and simply want to sniff or redirect the traffic: you do not need apache at all.
But if you want to respond to the web-based requests made by the victim, you can manipulate them in a certain way to get the maximum sensitive information out of them.
Kind of lost? No worries, the upcoming chapters will make it clearer.

We will learn about different attack scenarios and the variety of roles apache and mysql play in them.
But before that, let us set up the fundamentally required tools, i.e. hostapd and dnsmasq.


Make sure the latest version of the tools is installed:

apt update
apt install hostapd dnsmasq apache2 mysql

Configure hostapd

Create a directory for the saved configuration files (the commands below use ~/Desktop/fakeap/). Open a Terminal and create the hostapd config file:

vi hostapd.conf


interface=<Your Fake AP interface>
ssid=<Desired AP Name>
channel=<Operating Channel #>

Make sure you update these values every time you perform an attack.

The operating channel can cause issues if not chosen properly, so pick one your card actually supports.

Configure dnsmasq

vi dnsmasq.conf


interface=<Fake AP Interface name>

Make sure to define the proper interface in the dnsmasq.conf file.

Parameter Breakdown:

dhcp-range=,,12h: Client IP addresses will range from  to , and the default lease time is 12 hours.
dhcp-option=3,: 3 is the option code for the default gateway, followed by the gateway’s IP address, i.e. 
dhcp-option=6,: 6 is the option code for the DNS server, followed by its IP address

That’s all for configuration. Simple, isn’t it?
Assuming that you’ve already set up the mysql database and the required web files in the apache working directory, as taught in the previous segment of this chapter, let’s run the server and our fake AP now.

Open new Terminal and run hostapd:

cd ~/Desktop/fakeap/
hostapd hostapd.conf

To allocate IP addresses to victims, run dnsmasq.
Before that, set an IP address on the wlan0 interface to enable IP networking, so that dnsmasq can process the incoming requests and direct the traffic accordingly.

Open a new Terminal for dnsmasq:

cd ~/Desktop/fakeap/
ifconfig wlan0       # Set class-A IP address to wlan0
dnsmasq -C dnsmasq.conf -d    # -C: configuration file. -d: no-daemon mode (stay in the foreground and log to this Terminal)

As soon as the victim connects you should see output similar to the following in the hostapd and dnsmasq Terminal windows:

[ hostapd ]

Using interface wlan0 with hwaddr 00:c0:ca:5a:34:b7 and ssid "rootsh3ll"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: STA 2c:33:61:3a:c4:2f IEEE 802.11: authenticated
wlan0: STA 2c:33:61:3a:c4:2f IEEE 802.11: associated (aid 1)
wlan0: AP-STA-CONNECTED 2c:33:61:3a:c4:2f
wlan0: STA 2c:33:61:3a:c4:2f RADIUS: starting accounting session 596B9DE2-00000000

[ dnsmasq ]

dnsmasq: started, version 2.76 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCP, IP range --, lease time 12h
dnsmasq: using nameserver
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver
dnsmasq: using nameserver
dnsmasq: read /etc/hosts - 5 addresses
dnsmasq-dhcp: 1673205542 available DHCP range: --
dnsmasq-dhcp: 1673205542 client provides name: rootsh3ll-iPhone
dnsmasq-dhcp: 1673205542 DHCPDISCOVER(wlan0) 2c:33:61:3a:c4:2f
dnsmasq-dhcp: 1673205542 tags: wlan0
dnsmasq-dhcp: 1673205542 DHCPOFFER(wlan0) 2c:33:61:3a:c4:2f
dnsmasq-dhcp: 1673205542 requested options: 1:netmask, 121:classless-static-route, 3:router,
dnsmasq-dhcp: 1673205542 available DHCP range: --

Now you can enable NAT by setting firewall rules in iptables (eth0 being the upstream interface):

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0 -j ACCEPT

and enable internet access for victims:

echo 1 > /proc/sys/net/ipv4/ip_forward

Here’s some extra topping…

Heard about the iOS 1970 bug triggered by faking an NTP (Network Time Protocol) server, where setting the date of an iOS < 10.1.1 device to 01/01/1970 bricks it permanently, beyond repair? Yes, it is as easy as changing this option to the NTP server’s

NTP Server


Option 42 tells dnsmasq to point the clients’ NTP requests for time synchronisation at , i.e. any interface of our machine.
Here is a configuration for NetBIOS; note that we do not need it in our current setup.

44-47 NetBIOS



server=: Optional upstream public DNS server, where  is Google’s DNS
log-queries: Enable query logging
log-dhcp: Enable DHCP logging
listen-address=: dnsmasq will also listen on localhost for local/redirected traffic, so that the internet works on our machine too, if required
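The DHCP option codes discussed in this and the parameter breakdown above (3 router, 6 DNS, 42 NTP, 44-47 NetBIOS) are what a client actually receives in a DHCPOFFER, and they are also what a network defender can inspect to recognise a single-box rogue DHCP server. The Python below is an added example, not code from the original post: it parses the options field of a DHCP message and applies a few triage heuristics to an offer: an unauthorised server identifier (option 54), gateway and DNS server being the same host, an NTP server pushed via option 42, and NetBIOS options present. The offer bytes and the allowlist are constructed, and the heuristics are assumptions (on small networks the gateway and DNS server may legitimately be the same box), so treat them as a starting point rather than a verdict.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # start of the DHCP options field (RFC 2132)


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the DHCP options field (magic cookie, then code/length/data triples)
    into {code: raw_bytes}. Pad (0) is skipped and End (255) stops parsing."""
    if payload[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = data
        i += 2 + length
    return opts


def ip_list(data: bytes) -> list:
    """Decode an option carrying one or more IPv4 addresses."""
    return [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data) - 3, 4)]


def triage_offer(opts: dict, authorized_servers: set) -> list:
    """Heuristics (assumptions, not a standard) for spotting a rogue DHCPOFFER."""
    findings = []
    server = ip_list(opts.get(54, b""))
    if not server or server[0] not in authorized_servers:
        findings.append(f"offer from unauthorized DHCP server {server[0] if server else '<none>'}")
    router = set(ip_list(opts.get(3, b"")))
    dns = set(ip_list(opts.get(6, b"")))
    if router and router == dns:
        findings.append(f"DNS server equals default gateway {sorted(router)} (single-box setup)")
    ntp = ip_list(opts.get(42, b""))
    if ntp:
        findings.append(f"NTP server pushed via option 42: {ntp}")
    if any(code in opts for code in (44, 45, 46, 47)):
        findings.append("NetBIOS options 44-47 present")
    return findings


# Constructed sample: a DHCPOFFER whose gateway, DNS and NTP all point at one host.
def _opt(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


SAMPLE_OFFER = (
    MAGIC_COOKIE
    + _opt(53, b"\x02")                       # message type: DHCPOFFER
    + _opt(54, _ip("10.0.0.1"))               # server identifier
    + _opt(1, _ip("255.0.0.0"))               # subnet mask (class A, as in the post)
    + _opt(3, _ip("10.0.0.1"))                # router (option 3)
    + _opt(6, _ip("10.0.0.1"))                # DNS server (option 6)
    + _opt(42, _ip("10.0.0.1"))               # NTP server (option 42)
    + _opt(51, struct.pack("!I", 12 * 3600))  # lease time: 12h
    + b"\xff"
)
AUTHORIZED_DHCP_SERVERS = {"192.168.1.1"}  # constructed allowlist of real DHCP servers

if __name__ == "__main__":
    parsed = parse_dhcp_options(SAMPLE_OFFER)
    for finding in triage_offer(parsed, AUTHORIZED_DHCP_SERVERS):
        print("ALERT:", finding)
```

In practice the offer bytes would come from a packet capture or a DHCP-snooping feed; the parser only needs the options field, so it works on whatever the capture tool hands over.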

Optional configurations

You can create an optional fakehosts.conf file for dnsmasq that redirects a target website’s traffic to your desired IP address. It simply tells the client that
is hosted on our target IP address.

vi fakehosts.conf


That’s all. Just pass the file to dnsmasq with the -H flag and all the traffic for these sites will be redirected to your apache server.

You can also use multiple IP addresses (one IP per domain) to redirect traffic to another machine, be it a public or a private IP, for example:


dnsmasq will answer those DNS requests with the spoofed addresses accordingly.

If you frequently connect to your mobile hotspot and also want to pwn the machines in the vicinity, you should keep your wpa_supplicant configuration ready.
After killing network-manager you can still connect to a Wi-Fi AP using the wpa_supplicant utility.

Save the PSK in a file:

Syntax: wpa_passphrase [ESSID] [Passphrase] > wpa.conf

wpa_passphrase rootsh3ll iamrootsh3ll > wpa.conf

It will create a file, wpa.conf, with the content:


You can then connect to WiFi using your WiFi/Station interface:

wpa_supplicant -D nl80211 -i wlan0 -c wpa.conf
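What wpa_passphrase actually does is run PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as the salt (4096 iterations, 32-byte output) and print the result as psk=. It also writes the plaintext passphrase into wpa.conf as a commented #psk="..." line, so anyone who reads the saved file recovers the passphrase itself. The Python below is an added example, not code from the original post: it derives the same PSK (checked against the IEEE 802.11i test vector, passphrase "password", SSID "IEEE") and emits a network block that carries only the derived key, which is all a saved config needs.

```python
import hashlib


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the WPA/WPA2-Personal PSK exactly as wpa_passphrase does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes), hex-encoded."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32).hex()


def network_block(ssid: str, passphrase: str) -> str:
    """wpa_supplicant network block holding the derived key only, with no
    #psk="..." comment, so the saved file does not leak the passphrase."""
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (ssid, wpa_psk(ssid, passphrase))


def strip_plaintext_psk(conf: str) -> str:
    """Remove the commented plaintext line that wpa_passphrase writes into an
    existing wpa.conf, leaving the rest of the file untouched."""
    return "".join(line for line in conf.splitlines(keepends=True)
                   if not line.lstrip().startswith('#psk='))


if __name__ == "__main__":
    # Constructed sample values; the PSK below matches the IEEE test vector.
    print(network_block("IEEE", "password"), end="")
```

The derived key is still a secret (it is enough to join the network), so wpa.conf should stay readable only by root; removing the plaintext line just stops the passphrase itself, which people tend to reuse elsewhere, from being written to disk.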

That’s all the settings you need to preserve to save time and effort.

Now you know how to hack WiFi and you have your rogue access point working perfectly fine. You must have heard of the WiFi-Phisher tool, which uses captive portals to sniff WPA2 passphrases in cleartext. Well, you can take that approach to THE NEXT LEVEL!

You heard it right.
Wouldn’t it be better if you could get cleartext WPA2 passphrases, even for access points that don’t virtually/physically exist in the vicinity? That’s what The Ultimate Fake AP is all about. It opens a captive portal on the client device (automagically) and sends a malicious (AV-proof) executable to the victim as a **mandatory system update**. The moment the victim executes the file, you get the passwords of every access point the victim has ever connected to, in plain text.

After setting up the Rogue Access Point make sure to test The Ultimate Fake AP setup on it.

