0

I am trying to create a fake AP using airbase-ng to test how an evil twin works.

I have a TP-Link WN4226 WiFi adapter [Atheros AR9271 chipset], which supports monitor mode. My laptop (running on Ubuntu 20lts) is connected to the internet wirelessly (using WPA-PSK) through its own WiFi adapter.

Here is ifconfig before starting the monitor mode:

wlp4s0    IEEE 802.11  ESSID:"Mir_Sahib"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: 90:8D:78:0F:FE:CE 
          Bit Rate=150 Mb/s   Tx-Power=22 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:on
          Link Quality=70/70  Signal level=-33 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:291   Missed beacon:0

wlxf8d111129a12  IEEE 802.11  ESSID:"Mir_Sahib"  
          Mode:Managed  Frequency:2.412 GHz  Access Point: 90:8D:78:0F:FE:CB   
          Bit Rate=40.5 Mb/s   Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=69/70  Signal level=-41 dBm  
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:18   Missed beacon:0


enp0s31f6: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 8c:16:45:82:04:49  txqueuelen 1000  (Ethernet)
        RX packets 12337  bytes 13508188 (13.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8993  bytes 1146468 (1.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xec200000-ec220000  


wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.9  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::7d86:5034:5192:6952  prefixlen 64  scopeid 0x20<link>
        ether 5c:5f:67:d0:44:be  txqueuelen 1000  (Ethernet)
        RX packets 17280  bytes 16222452 (16.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10496  bytes 1788185 (1.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlxf8d111129a12: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.10  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::3ff:6be8:710d:7bf8  prefixlen 64  scopeid 0x20<link>
        ether f8:d1:11:12:9a:13  txqueuelen 1000  (Ethernet)
        RX packets 264  bytes 34466 (34.4 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 112  bytes 21293 (21.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I have killed all the processes which might interfere with monitor mode using airmon-ng check kill. I started monitor mode on my TP-Link WiFi adapter with airmon-ng start wlxf8d111129a12, then started NetworkManager so that my laptop has a network connection: service Networkmanger start. My TP-Link WiFi adapter changed to wlan0mon, which shows Mode:Monitor like the following:

wlan0mon  IEEE 802.11  Mode:Monitor  Tx-Power=20 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

I create a fake AP with the command airbase-ng -e Demo -c 11 wlan0mon. This command shows a fake AP named Demo on my phone (Redmi Note 7).

Here is my dnsconfig.conf for dnsmasq:

interface=at0
dhcp-range=10.0.0.20,10.0.0.250,255.255.255.0,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=8.8.8.8
server=8.8.4.4
server=64.6.64.6
server=64.6.65.6
log-queries
log-dhcp
port=5353
listen-address=127.0.0.1

iptables rules:

#!/bin/bash
ifconfig at0 up
ifconfig at0 mtu 1500
ifconfig at0 10.0.0.1 netmask 255.255.255.0
route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.0.1
iptables --table nat --append POSTROUTING --out-interface enp0s31f6 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.11:80

I then run the iptables rules and dnsmasq.conf: dnsmasq -C dnsmasq.conf -d

My problem is I can connect to the fake AP, but my AP doesn't have any network access. I also tried changing the --out-interface to wlp4s0, which also doesn't work apparently. I have read that a lot of people are using the captive technique using a DHCP server, but I haven't tried that. I think I might have a problem with my iptables rules but can't figure out the issue.

8
  • What do you mean by "no network access"?
    – schroeder
    Commented Jan 20, 2023 at 9:09
  • It means the device can connect to the AP but has no internet access.
    – mirsahib
    Commented Jan 20, 2023 at 12:27
  • But that could mean many different things. What are the symptoms? You describe the configuration in great detail. But when asking for troubleshooting support, you also need to describe the behaviour. Can you ping the AP? Is there traffic getting to the AP?
    – schroeder
    Commented Jan 20, 2023 at 12:33
  • You are also missing details from your configuration. Like, why did you configure your DNS to port 5353? Is the client set up for that port? What is the IP the client is getting? What is 192.168.0.11? This is not looking like a security question but a networking config question.
    – schroeder
    Commented Jan 20, 2023 at 12:37
  • 1
    @mirsahib - Please address the feedback you have received with regards to your question.
    – Ramhound
    Commented Jan 20, 2023 at 12:40
