In order to have some rogue WiFi networks for playing around with security tools and techniques at home, I wanted to set up my Raspberry Pi 3 as an Access Point. Turned out, that trying this with two WiFi adapters - the builtin one plus a USB adapter - can be a huge pain...

Overview

To give a quick overview of what scenario I want to create check out the picture below.

[Figure: overview of the planned setup]

In the end we should be able to spawn a WiFi for our testing purposes, shown here as the BadWiFi. The main machine will still be able to connect to the Pi itself via SSH over the regular WiFi. The attacker will just connect to or sniff the BadWiFi.

Hardware Setup

Since I have an additional WiFi adapter the Pi registers two different interfaces:

  • wlan0 is the Pi's builtin WiFi interface
  • wlan1 is the USB adapter

For the purpose of creating my own AP I will use wlan0 as the AP interface and wlan1 remains connected to my regular home WiFi.

If you want to set this up yourself, too: I had no luck using the interfaces the other way round (wlan1 as AP). I wasted around 12 hours trying, so just don't (or tell me why I failed so miserably). The issue I had with using wlan1 as AP was that all clients kept disassociating from the WiFi and could not establish a stable connection.

Preparing Configuration

Usually wpa_supplicant will try to control all WiFi interfaces on the Pi. In my case it would always make both of them immediately join the configured home WiFi. One neat thing I found after lots of googling is that it is possible to separate wpa_supplicant configurations by interface.

First, let's use the main configuration as the base for both individual configs.

$ cd /etc/wpa_supplicant
$ sudo cp wpa_supplicant.conf wpa_supplicant-wlan0.conf
$ sudo cp wpa_supplicant.conf wpa_supplicant-wlan1.conf

Since we will be using wlan1 as our normal WiFi interface, all the network configuration blocks should go into wpa_supplicant-wlan1.conf. Make sure both the regular wpa_supplicant.conf and wpa_supplicant-wlan0.conf do not contain any network blocks. In my case I only had a single line with a country setting in /etc/wpa_supplicant/wpa_supplicant.conf.

Verify that everything is still working and that you can still connect to the Pi using SSH by rebooting it. Running iwconfig should show that only wlan1 is connected to the regular WiFi.

Software Setup

To create the AP in software on the Pi I used hostapd. For the DHCP server required to automatically hand out IP addresses I relied on dnsmasq. To install both packages on the Pi just do:

$ sudo apt-get install hostapd dnsmasq

After installation we make sure both services are stopped so that we can play around with the configuration files:

$ sudo systemctl stop hostapd
$ sudo systemctl stop dnsmasq

Since I don't need the AP all the time and only activate it when required, I decided to disable both services completely so that they are not started on boot:

$ sudo systemctl disable hostapd
$ sudo systemctl disable dnsmasq

Configuring DHCP

For DHCP to be fully operational both dhcpcd and dnsmasq have to be properly configured. The former is used to assign a fixed IP to the wlan0 interface, which then hands out DHCP leases to the WiFi clients via dnsmasq.

I decided to give the BadWiFi the 192.168.1.1/24 subnet since my regular WiFi uses 192.168.178.1/24. So wlan0 should get the address 192.168.1.1.

Just edit /etc/dhcpcd.conf and add the following at the end of the file (check that there is no other interface wlan0 block):

interface wlan0
static ip_address=192.168.1.1/24

The original dnsmasq configuration provided after installation at /etc/dnsmasq.conf contains a huge number of possible configuration options and comments. It's best to start with a fresh one and keep the old one as a backup:

$ sudo cp /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
$ vim /etc/dnsmasq.conf

The required content for DHCP to work in our AP is:

interface=wlan0
no-dhcp-interface=wlan1
dhcp-range=192.168.1.100,192.168.1.200,24h
dhcp-option=option:dns-server,192.168.1.1

We set dnsmasq to work on wlan0 but exclude wlan1 (my regular WiFi also does DHCP and I don't want any conflicts there). The DHCP range itself is limited to the addresses .100 to .200, and wlan0 will also be the DNS server for all clients.

After all this configuration, once again reboot your Pi and verify that everything else is still working as expected...

Configuring the AP

Finally, it's time to configure hostapd and get the software AP up and running. We will place its configuration file at /etc/hostapd/hostapd.conf:

$ sudo vim /etc/hostapd/hostapd.conf

The required content to create a simple WPA2 network is as follows:

interface=wlan0
# country_code=DE - adapt if needed

ssid=BadWifi
channel=9
auth_algs=1
wpa=2
wpa_passphrase=YourSecret!
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_group_rekey=86400

The options should be self-explanatory. I only added wpa_group_rekey=86400 to make sure the rekeying takes place only once per day.

A great resource for finding out about all those settings and seeing what is possible has been that dummy file.

The last thing to change so that hostapd picks up the right config is to edit /etc/default/hostapd and make sure the following line is in there:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Finally, for IP forwarding to work so that the upstream WiFi connection can be shared, we need to change one setting in /etc/sysctl.conf by uncommenting the following line:

net.ipv4.ip_forward=1

Reboot one last time without enabling any services and make sure everything else still works as expected.
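Before starting the services it helps to verify that the files from the sections above agree with each other: no network block left in the wlan0 supplicant config, a WPA2-PSK hostapd.conf with CCMP and a legal passphrase, and a dnsmasq range and DNS option inside the /24 that dhcpcd assigns to wlan0. The POSIX shell pre-flight check below is an added example and not part of the original post; it assumes the file layout described here (paths are passed as arguments), and the sample files it writes are constructed from the values above plus one deliberately weak hostapd.conf.

```shell
# Pre-flight check for the wpa_supplicant, dhcpcd, dnsmasq and hostapd files above.
# Added example, not from the post; paths are parameters so it runs against /etc or copies.
# Value of KEY ($2) in a key=value file ($1); comment lines and trailing blanks are dropped.
conf_get() {
    sed -n -e '/^[[:space:]]*#/d' -e 's/[[:space:]]*$//' -e "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}
# Static address dhcpcd assigns to interface $2 in dhcpcd.conf $1.
dhcpcd_static_ip() {
    awk -v want="$2" '/^interface /{cur=$2}
        cur==want && /^static ip_address=/{sub(/^static ip_address=/,""); print; exit}' "$1"
}
# First three octets of an IPv4 address, i.e. its /24 prefix as used in the post.
prefix24() { printf '%s' "$1" | cut -d/ -f1 | cut -d. -f1-3; }

# wpa_supplicant.conf and -wlan0.conf must hold no network block, or wlan0 joins the home WiFi too.
check_no_network_blocks() { ! grep -q '^[[:space:]]*network={' "$1"; }

# hostapd.conf must describe a WPA2-PSK network with CCMP and a legal passphrase.
check_hostapd_conf() {
    [ "$(conf_get "$1" wpa)" = "2" ] || { echo "$1: wpa must be 2"; return 1; }
    [ "$(conf_get "$1" wpa_key_mgmt)" = "WPA-PSK" ] || { echo "$1: wpa_key_mgmt must be WPA-PSK"; return 1; }
    case " $(conf_get "$1" wpa_pairwise) $(conf_get "$1" rsn_pairwise) " in
        *" CCMP "*) ;;
        *) echo "$1: no CCMP pairwise cipher configured"; return 1 ;;
    esac
    pass=$(conf_get "$1" wpa_passphrase)   # WPA-PSK passphrases are 8 to 63 ASCII characters
    [ "${#pass}" -ge 8 ] && [ "${#pass}" -le 63 ] || { echo "$1: passphrase must be 8-63 chars"; return 1; }
}

# dnsmasq's range and DNS option must lie in the /24 dhcpcd gives the AP interface, or leases are unroutable.
check_dhcp_consistency() {
    iface=$(conf_get "$2" interface); ip=$(dhcpcd_static_ip "$1" "$iface")
    [ -n "$ip" ] || { echo "$1: no static ip_address for $iface"; return 1; }
    net=$(prefix24 "$ip"); range=$(conf_get "$2" dhcp-range)
    lo=${range%%,*}; rest=${range#*,}; hi=${rest%%,*}
    [ "$(prefix24 "$lo")" = "$net" ] && [ "$(prefix24 "$hi")" = "$net" ] \
        || { echo "$2: dhcp-range $lo-$hi is outside $net.0/24"; return 1; }
    dns=$(conf_get "$2" dhcp-option | sed 's/^option:dns-server,//')
    [ "$dns" = "${ip%%/*}" ] || { echo "$2: dns-server $dns is not the AP address ${ip%%/*}"; return 1; }
}

# Constructed samples in $1: the post's values plus a weak hostapd.conf and a wlan0 supplicant file with a network block.
write_sample_configs() {
    printf 'interface wlan0\nstatic ip_address=192.168.1.1/24\n' > "$1/dhcpcd.conf"
    printf 'interface=wlan0\nno-dhcp-interface=wlan1\ndhcp-range=192.168.1.100,192.168.1.200,24h\ndhcp-option=option:dns-server,192.168.1.1\n' > "$1/dnsmasq.conf"
    printf 'interface=wlan0\n# country_code=DE\nssid=BadWifi\nchannel=9\nauth_algs=1\nwpa=2\nwpa_passphrase=YourSecret!\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP CCMP\nwpa_group_rekey=86400\n' > "$1/hostapd.conf"
    printf 'interface=wlan0\nssid=BadWifi\nwpa=2\nwpa_passphrase=short\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\n' > "$1/hostapd-weak.conf"
    printf 'country=DE\n' > "$1/wpa_supplicant.conf"
    printf 'country=DE\nnetwork={\n\tssid="Home"\n\tpsk="placeholder"\n}\n' > "$1/wpa_supplicant-wlan0.conf"
}
```

On the Pi, run the three check functions against /etc/wpa_supplicant/wpa_supplicant-wlan0.conf, /etc/hostapd/hostapd.conf and the dhcpcd/dnsmasq pair; a non-zero return names the file and the mismatch.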

Starting the AP

After all the changes and configuration hurdles we can now finally try to start the Access Point:

$ sudo systemctl start dnsmasq
$ sudo systemctl start hostapd

A minor thing I found when starting hostapd is that sometimes it doesn't have enough entropy to start the WPA encryption required for the handshakes. The easiest workaround: just run find * / for a few seconds and that will be solved.

And after a few seconds you should finally be able to see the new BadWiFi and join it with the provided password from above!

Conclusion

Despite following the official documentation I could not get the AP up and running. It really took me some hard hours of research, pain, and failure to finally succeed. I hope my description above helps you out when trying to get it running yourself. BUT IT WORKS!!
