In this article I’m demonstrating one easy method to find rogue access points. The cost of hardware is extremely low, the software is free, and the skills required are not super-advanced.
So fair warning, if you need instant pinpoint accuracy, this approach probably isn’t what you’re looking for. It also includes several wireless network analysis tools that are useful for rogue AP detection.
Kali has very minimal system requirements, so any laptop with 1 GB or more of memory and at least 32 GB of free disk space is sufficient. This time I’m using an Alfa Network AWUS036NHA adapter powered by an Atheros AR9271 Wi-Fi chipset.
This Alfa NIC is supported by Kali Linux by default, has a sensitive and efficient wireless radio, and is equipped with an external antenna jack. The portability allows me to move it around both attached to the laptop and by hand.
If I wanted wireless networking to work consistently, I might have to kill those processes. The result of this command is that I have a new interface, mon0, assigned as a monitor mode port for wlan3 (the NIC).
This is a purely optional step, as I can scan all channels until I succeed. Once the target shows up in the list, I begin slowly creeping around the office, watching signal strength.
Lower PWR numbers are better and mean that I’m closer, because PWR reflects the amount of signal drop-off from sender to receiver. If you’re getting strange readings (e.g. the AP seems to be inside a concrete wall), move a few feet and start again.
While this probably isn’t the same technique that a true wireless professional would use, it can be highly effective. Eventually I’ll find an office or cubicle that appears to be the strongest source for signal and then just look for the AP.
Once the rogue AP is found as shown, you should take whatever action is appropriate based on your organization’s policies and compliance regulations. Mike Anselmo teaches Security classes at Interface Technical Training.
His classes can be attended in Phoenix, Arizona or online from anywhere in the world with Remotely.
C41n is an automated Rogue Access Point setup tool. C41n provides automated setup of several types of rogue access points and Evil Twin attacks. It sets up an access point with user-defined characteristics (interface, name and channel for the access point), sets up a DHCP server for the access point, and lets the user sniff HTTP traffic or set up a captive portal with credential sniffing.
The misuse of h4rpy can result in criminal charges brought against the persons in question. The author will not be held responsible in the event any criminal charges be brought against any individuals misusing h4rpy to break the law.
NOTE: wp3 requires hostapd to be installed. Operating System: a recent version of Linux (we tested on Ubuntu 18.04 LTS). Please note: Windows is not supported.
The following list of OSes represents recommended environments to run wifipumpkin3 (wp3), as most of the required dependencies are pre-installed. This problem is caused by systemd-resolved; to solve it, follow the steps below.
Virtualenv is a tool used to create an isolated Python environment. Virtualenv is the easiest and recommended way to configure a custom Python environment.
Docker is an open platform for developing, shipping, and running applications. Docker enables you to separate your applications from your infrastructure, so you can deliver software quickly.
wp3 is fully compatible with running in a Docker container. With docker.io installed and working, let’s take a look at how to set up a container with wp3.
Find the kernel driver module in use by issuing the command below:
    lspci -k | grep -A 3 -i network
(example module: ath9k). Next, use the command below to find out your Wi-Fi capabilities (replace ath9k with your kernel driver):
    modinfo ath9k | grep depend
If the output includes “mac80211”, your Wi-Fi card supports AP mode.
Once you start the tool with sudo wifipumpkin3, you’ll be presented with an interactive session, like the Metasploit framework, where you can enable or disable modules, plugins and proxies, configure the AP, etc.
The CLI is very simple. The basic commands cover operations such as setting access point (AP) information for a session (SSID, channel, interface), starting and stopping the access point, and monitoring the activity of clients joined to the AP. It is possible to script your interactive session using .pulp files.
Once saved as a demo.pulp file, you’ll be able to load and execute it via: If you do not want to use a .pulp file, there is an option to use the parameter --pulp or -x, and each command can either be executed singly or concatenated with ; in a string.
Interactive sessions can be scripted with a .pulp file, a powerful way to automate your attack.
Use this option to set the wireless mode (static, docker). The default is static mode, but you can change it if you want to run in a Docker container. Show program’s version number and exit.
You can see SSID, BSSID, channel, security, or AP status. If you type this command, the log will no longer be shown in the WP console.
Plugins are designed to add features to the WP3 core and run in parallel with the access point (AP). WP3 provides facilities for developing plugins. Generally speaking, there are really only a few things you have to do to get a plugin working.
Most importantly, you can run multiple plugins simultaneously, because plugins are designed only to monitor and analyze the traffic generated by users connected to the access point. If you want to enable or disable a plugin, use the command below.
You can enable or disable subplugins with a command; press Tab to autocomplete ;):
Proxies are designed to add features to the WP3 core and run in parallel with the access point (AP), but they redirect all traffic with iptables.
A module provides a feature that does not need to be used with the access point. Most modules are designed to add new functionality to the attack, like device discovery, service enumeration, performing deauthentication attacks, etc. Modules are introduced to add more functionality to complement the attack.
Commands    Descriptions
set         set options for module
back        go back one level
help        show available commands
options     show options of current module
run         execute module
Module developers and users are welcome to contribute modules to this project; take a look at the guidelines on how to create a module.