Monday, August 26, 2013

Creating a WIFI Honeypot

In this post I will go through the process of creating a WIFI Honeypot.  We can use this to get clients to to connect to us instead of the WIFI network they actually want to. 

When a device is running it is constantly sending out probes for wireless networks that it has previously connected to.  The devices also look for WIFI networks in the area that are available to connect with.  We can go wither way with this, in this post I will talk about WIFI networks that are in the clients range.  This attack can be used in a coffee shop, airport, corporate network, or whatever.   

NOTE: I will use honeypot and AP interchangeably for what we are creating, hopefully this doesnt create any confusion. But it probably will.

What you need:

+ Laptop
+ Aircrack-suite (Already installed on Backtrack and Kali)
+ Unsuspecting Victim

In another post we will further this attack for some advanced attacks. :)

Lets begin...

Ok so first we need to find wifi networks in the area that our victims will try to connect to.
To do this we need to put our Alfa card into monitor mode. So we find the interface:
running ifconfig:

From this we can see that in my case the interface is wlan2.  It may be different for you so check it!

Next we need to actually put it into monitor mode.

We run the command: sudo airmon-ng start wlan2

As you can see wlan2 is in monitor mode now. This will create the interface mon0

Now lets find some networks that are around and see if anyone is probing for them.  Then we will setup out honeypot.

To find APs and clients we will use airodump-ng.

Lets run sudo airodump-ng mon0 and see what we get.

From this output we can see one client not assosiated with Brea Network.  We want to attack the non-associated clients when possible, however we arent limited to that.  I have the AP SECNET2 running with a test network for my home lab so we will use that for now.

Now that we know what AP we are gong to create a honeypot for, we can now proceed to do so.  

NOTE: If you want to see more in depth traffic analysis, use wireshark and sniff on mon0, then you can filter probe requests and see everything moving across the airways.

moving on...

Lets create our Fake AP with the command sudo airbase-ng --essid "SECNET2" -c 2 mon0:

Now we have a fake AP called SECNET2 and if anyone comes into the area that has connected to SECNET2 before they should automatically connect to our honeypot.  But lets say we want the clients that are already connected to the legit AP.

NOTE:  A new interface called at0 was created, this will come in handy later on if you want to sniff the traffic on the fake AP.

Some of you may be wondering what the previous flags in airbase mean.

--essid = Name of BSSID to create
-c  = The channel your AP will be on.  This is optional and may be left blank to span all channels.

To kick the clients off of the legit access point we will send broadcast de-authentication messages.  This will de-authenticate the clients from the legit AP and hopefully when they re-authenticate they will connect to our AP.

NOTE: You may need to do multiple deauths.

lets break the clients connection to the legit AP:

So being as no clients were connected to the SECNET2 AP we dont kick anyone off and it errors out.

But as a new client comes in we see them connect to the rouge AP:

As you can see a client has now associated with our honeypot.  And whats interesting is that we have created a fake AP with no authentication in place of the legit AP that has WEP protection.  Clients dont know the difference because most of the time they will go for the open AP or their device will automatically connect to whichever has the strongest signal, and if we deauth them they will then connect to ours.

In the next post ill show you how to create a bridge for your fake AP so when clients connect they will be able to access the internet, because currently they cannot and that will raise some suspicion.  


  1. Seria possivel criar um AP FAKE e neste utilizar o mesmo SSID, MAC e CHANEL do legitimo afim de que quando o cliente se conectar ao falso ele tente entrar com a senha certa e assim capturar esta senha que ele digitou ?

  2. The write-up on "Creating a WIFI Honeypot" is useful. But I observed that he should have use channel 6 instead of 2.

  3. Know about the diverse sort on reception apparatus connectors. I like the RP-TNC connector that is found on Linksys WRT54GL switches, as it's more tough than the little RP-SMA connector utilized on other unit. change mifi password