Creating Honeypot Access Points using Hostapd
In order to rejoin the network when a client disconnects, the client sends probe requests. To entice probing clients into the network and carry out additional enumeration, you can use hostapd to establish fake hostspot networks.
Hello World! As you may already be aware, the client device sends probe requests seven to eight times per minute after disassociating from the WiFi network. It waits for the access point's probe answer before sending the association request with encrypted credentials. It is impossible to tell if the access point sending the probe response is a genuine one or not. I'll demonstrate today how to set up a honeypot access point and make the client to join to it.
The lab for the demonstration was made possible by the AttackDefense platform. I advise you to give it a shot once. – https://www.attackdefense.com/challengedetails?cid=1260
What is Hostapd?
Hostapd is a user space application that allows you to configure access points and authentication servers. It is simple to configure using a configuration file, and it supports multiple BSS.
For the authentication mechanism, the current implementation supports RADIUS server, WEP, WPA, and WPA2. However, in this lesson, we'll be using the WPA-PSK mechanism.
Setup Honeypot Access Point
The physical wireless devices connected to the present system can be listed using the iw dev
command. As you can see, wlan0 and wlan1 are the names of the two actual cards.
If the clients are active, they will send the probe request and we can dump it using airodump-ng command. For this your WiFi card must be set in monitor mode. I will be using wlan0 interface to dump the traffic.
Now run the airodump command with --band abg
to monitor traffic from both 2.4GHz (bg) and 5GHz (a) bands via wlan0 interface.
--channel 6
to fix the channel to 6, the same list of probes is displayed.Since a single WiFi card can support 8 or 16 BSS, we can use it with hostapd to serve all four networks at once, as shown in the configuration file below. I continue to use the wlan0 interface to run airodump-ng, and I use the wlan1 interface for our BSS networks.
Set up the hostspot networks using the above configuration file (here, hostapd.conf), and you'll notice that client 02:00:00:00:02:00
is connected to the Forrest_Gump WiFi network in the wlan1_2 BSS network.
The output of the airodump-ng command is shown below, and you can also confirm the same there.