Topics: Security

Setting up an Access Point using hostapd

This is the fifth article in a series of articles on security awareness, focusing on WiFi security.

In this article, we'll be setting a (rogue) Access Point, which can be very useful for man-in-the-middle attacks.

What's needed?

  • A computer running Kali Linux. See: ali Linux Bootable USB drive.
  • A few wireless interfaces, preferably three. One will be used for regular Internet access. One will be used for monitoring WiFi traffic. And the last one will be used for the Access Point. For the purposes of having a good signal, a wireless device that has sufficient power and one that can be switched into managed mode is required. A device that is typically used for this purposes is the Alfa AWUS036NH (2.4 GHz only) or Alpha AWUS052NH (both 2.4 and 5 GHz bands).
  • Good knowledge on WiFi networks, as described in Scanning WiFi networks.
In this article we'll be setting up an Access Point. As you know, Access Points or routers transmit their WiFi network(s) with a SSID or network name. Some of these names can be very common. For example, in the USA, very common network names are "Google Starbucks" or "attwifi". Many people use these open networks provided by Starbucks and AT&T, and often have these WiFi networks saved onto their devices (phones and laptops) and set to connect automatically. We're going to exploit that to our advantage. Any device such as a phone or laptop that knows about a WiFi network, and has it set to connect automatically, will simply indeed connect automatically to the WiFi, if WiFi is turned on on the device, and if a WiFi network with that name is in range.

So, if you've once visited the local Starbucks and used their open and free WiFi hotspot, and saved that network onto your device and have it set to connect automatically (which quite often is the default behavior), and you then visit another Starbucks later on, your device will connect automatically. And that happens only based on the SSID or network name, which in the case of Starbucks is known "Google Starbucks". A hacker can exploit that by setting his/her own Access Point with the same name.

First step: Install the required software

For the rogue Access Point to work, we'll need 2 items:
  • hostapd - the Access Point software
  • dnsmasq - a DHCP server that will provide IP address to any clients
Start up the Kali Linux system, and once logged in as user root, connect the system using one of the WiFi interfaces to the Internet using an existing Wifi Network. You can do so by navigating to the top right of the screen and connect a WiFi network. You can of course, also use a cabled Internet connection.

Then, install the required software:
# apt-get update
# apt-get install dnsmasq hostapd

Step 2: Set up the Access Point

Fist figure out which wireless network device you will be using for the Access Point. Run the "iwconfig" command to see the available wireless network devices. Use a wireless network device that can be switched into Managed mode, and one that has sufficient power. You may even attempt to increase the transmit power, as described here. For this article, we'll assume the wireless network device we'll use for Access Point is wlan1. If you have trouble determining which wireless network device maps to which physical device, try unplugging any USB wireless network devices, and plugging them in one by one, and running "iwconfig" in between.

Set up the configuration file for "hostapd", which defines the Access Point:
interface=wlan1
driver=nl80211
ssid=Google Starbucks
hw_mode=g
channel=4
macaddr_acl=0
ignore_broadcast_ssid=0
In the example above, an Access Point is defined with the network name "Google Starbucks", and it will run on channel 4, using wireless network device wlan1.

Save the file as hostapd.conf.

Within the same folder, start the Access Point:
# hostapd hostapd.conf
If, at this point, you see any errors, then most likely, another process is keeping the wireless network device occupied, usually the Network Manager process. In this article it was already described how to exclude a wireless network device from being managed by NetworkManager. Follow these steps, and you'll see that hostapd can be run without any issues.

When hostapd is running, check on another computer or phone if you can indeed discover a wireless network with the SSID "Google Starbucks".

Setting up a DHCP server

For our Access Point to work, we'll need it to act as a DHCP server as well, by handing out IP addresses to clients that will connect to the Access Point. Without that, the clients won't be able to do anything. For this purpose, we'll be using dnsmasq.

Again, we're going to create a configuration file, this time called dnsmasq.conf. Open a new terminal window and create the file:
interface=wlan1
dhcp-range=192.168.2.2,192.168.2.230,255.255.255.0,12h
dhcp-option=3,192.168.2.1
dhcp-option=6,192.168.2.1
server=8.8.8.8
server=8.8.4.4
log-queries
log-dhcp
listen-address=127.0.0.1
listen-address=192.168.2.1
This configuration file will tell dnsmasq to use the wlan1 device, and start handing out IP addresses in the range of 192.168.2.2 through 192.168.2.230. It will set the subnet mask to 255.255.255.0. It will provide a DHCP lease of 12 hours (12h). We're setting up DNS servers as well by using Google's DNS servers 8.8.8.8 and 8.8.4.4. And we're going to log everything (which by default will be through rsyslog in /var/log/messages).

Save the file. Next, we'll need to configure an IP address on the wireless interface wlan1, so clients can actually communicate to it:
# ifconfig wlan1 up 192.168.2.1 netmask 255.255.255.0
# route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.1
Now start the DHCP server:
# dnsmasq -C dnsmasq.conf -d
You may be able to see what the DHCP server is doing by monitoring the screen, or in a separate terminal window, run a command like:
# tail -f /var/log/messages | grep dnsmasq

Next step: Forward traffic

We're not quite there yet. Clients can now discover a WiFI network, and can get an IP address assigned by our Access Point. But in order for the clients to not suspect anything, we'll need to provide Internet access. If you've configured Internet access on one of your wireless network devices, as described in the beginning of this article, then you can do that. Let's assume the wireless network device begin used for the Internet access is wlan0. So wlan0 provides the regular Internet connectivity and wlan1 is being used by the Access Point. If you need to identify which wireless network is used for the Internet access, run "iwconfig". That command will show you if a wireless network device is associated to any SSID/WiFi network, and if so, which one.

Now forward the traffic:
# iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
# iptables --append FORWARD --in-interface wlan1 -j ACCEPT
# echo 1 > /proc/sys/net/ipv4/ip_forward
This will accept any network traffic from wlan1, and forward it to wlan0.

Next: Connect!

Now connect another device such as a phone or laptop to the wireless network called "Google Starbucks". It should connect normally and without any issues. In fact, you may even discover, if that device already knew about the Google Starbucks network, that it connected all by itself.

Next: Start monitoring

The Access Point has now been set up. The DHCP server is handing out IP addresses to any clients that connect, and Internet access is provided to any clients. Effectively, the Access Point now becomes the man-in-the-middle, and all network traffic will flow through the Access Point, and can be monitored. In the terminal screen running "hostapd", you can see if any clients connect. In the terminal window running "dnsmasq" you can see any clients that receive an IP address from the DHCP server, and any DNS queries that these clients do (these are also logged in /var/log/messages). Viewing the DNS queries of any clients will give you some idea of what the user is doing on their device. If you want to see what DHCP IP addresses have been assigned (or "leased") to clients, then run:
# cat /var/lib/misc/dnsmasq.leases
Now sit and wait for any clients to connect. Preferably do this in a location where many people stop by, such as your local coffee shop or a work location. You'll see more and more devices connect by themselves, especially if the location doesn't have any other open WiFi hotspots nearby. If you really want to start discovering what clients are doing, you can monitor their network traffic by running Wireshark, which can provide information about all network packets, but that's beyond the scope of this article.

Also, hostapd allows for multiple Access Points to be set up at the same time. So, if you wish to run two WiFi networks, such as "Google Starbucks" and "attwifi", you can do that too. But again, that's beyond the scope of this article. Should you need to discover what are common WiFi network names in your area, then in yet another terminal window, run the airodump-ng command as described in Scanning WiFi networks. In the bottom section of the output of airodump-ng you can see any client (or "station") information, and also see what names of WiFi networks these clients are probing for. This gives you a good idea about which wireless network names are commonly known on clients, and you can use that information when setting up the Access Point, by listing that network name (SSID) in the hostapd.conf configuration file for hostapd.

Finally: How to protect yourself from all this

You've now gotten a good idea of why using open networks might allow others to see what you're doing. The next obvious question will be: How do you protect yourself from this? Well, there are some options:
  • Do not use open WiFi networks/hotspots.
  • If you do use an open WiFi network/hotspot, then remain aware that others can see what you're doing, so hold off on checking your bank account or entering password anywhere.
  • Visit only websites that are secure - that are using "https:". This means any website traffic is encrypted, and can't be viewed, even when using a packet sniffer like Wireshark. Do not use any websites that are not secure (that are using "http:" instead of "https:".
  • If you do use an open WiFi network/hotspot, then make sure to disconnect afterwards, and to not have it set to connect automatically when in range.
  • Use a VPN when connected to a open WiFi network/hotspot. This will encrypt all your network traffic. Keep in mind though that DNS queries are never encrypted, and can still be seen by someone else.




If you found this useful, here's more on the same topic(s) in our blog:


UNIX Health Check delivers software to scan Linux and AIX systems for potential issues. Run our software on your system, and receive a report in just a few minutes. UNIX Health Check is an automated check list. It will report on perfomance, capacity, stability and security issues. It will alert on configurations that can be improved per best practices, or items that should be improved per audit guidelines. A report will be generated in the format you wish, and the report includes the issues discovered and information on how to solve the issues as well.

Interested in learning more?