Create a Rogue Access Point with Fluxion


Introduction

In this lab, you will explore the fundamentals of Wi-Fi security by creating a rogue Access Point (AP) using Fluxion. Fluxion is a security auditing and social-engineering research tool. It allows you to perform a variety of attacks to test the security of Wi-Fi networks.

A rogue AP is a wireless access point that has been installed on a secure network without explicit authorization. A common attack involving a rogue AP is the "Captive Portal" attack, where an attacker creates a fake, open Wi-Fi network that mimics a legitimate one. When users connect, they are redirected to a phishing page to capture their credentials.

This lab will guide you through the initial steps of setting up such an attack in a controlled and simulated environment for educational purposes only. You will learn how to launch Fluxion and configure it to broadcast a fake Wi-Fi network.

Start the Captive Portal Attack

In this step, you will launch Fluxion and select the Captive Portal attack. This is the first phase of setting up our rogue access point. The setup script has already cloned the Fluxion repository into the ~/project/fluxion directory.

First, navigate to the fluxion directory:

cd ~/project/fluxion

Next, run the Fluxion script with sudo privileges. It requires root access to manage network interfaces.

sudo ./fluxion.sh

Fluxion will first ask you to select a language. Choose English by typing 1 and pressing Enter.

[#] Select a language:
[1] English
...
[*] Language > 1

After selecting the language, Fluxion will check for missing dependencies. The lab environment has them pre-installed. You will then be presented with the main attack menu. We want to perform a Captive Portal attack. Select it by typing 2 and pressing Enter.

[#] Select an attack:
[1] Handshake Snooper
[2] Captive Portal
[*] Attack > 2

Fluxion will now proceed to the next stage of the attack configuration.

Select the 'hostapd' Access Point Creation Method

In this step, you will choose the method for creating the fake access point. Fluxion provides several options, but hostapd is a standard and reliable choice. hostapd is a user-space daemon that turns a network interface card into a wireless access point.

After you selected the Captive Portal attack in the previous step, Fluxion will ask you to choose a wireless adapter and a channel. In this simulated environment, you can typically accept the defaults by pressing Enter.

Next, you will be prompted to select an access point creation method.

[#] Select an access point creation method:
[1] hostapd
[2] Airmon-ng
[*] Method >

Select hostapd by typing 1 and pressing Enter.

1

By choosing hostapd, you are instructing Fluxion to use this robust tool to broadcast the rogue Wi-Fi signal. Fluxion will then move on to the next configuration steps, such as asking for a network to clone or a handshake file, which we will bypass in this simplified lab. For now, Fluxion is ready to create the AP.

Verify the Rogue AP is Broadcasting the Target's ESSID

In this step, you will verify that Fluxion has successfully started the rogue access point and is broadcasting its network name (ESSID). After configuring the attack parameters, Fluxion will start the AP and display a status window showing client connections and other information.

Your first terminal window is now occupied by Fluxion's running process. To check if the network is live, you need to open a new terminal.

On your LabEx desktop, go to the top menu bar, click Applications -> System -> Xfce Terminal to open a second terminal window.

In this new terminal, you can scan for wireless networks with tools from the aircrack-ng suite or with the iwlist command. Let's use iwlist to scan for networks on the wlan0 interface. Note that your wireless interface name might differ in a real-world scenario.

Run the following command in the new terminal:

sudo iwlist wlan0 scan

This command lists all wireless networks the wlan0 interface can detect. You will see a lot of information. Look through the output for the rogue access point. By default, Fluxion might create an AP with an ESSID like "Free WiFi" or a name it prompted you to enter.

wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=70/70  Signal level=-40 dBm
                    Encryption key:off
                    ESSID:"My-Network"
                    ...
          Cell 02 - Address: AA:BB:CC:DD:EE:FF
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=50/70  Signal level=-60 dBm
                    Encryption key:off
                    ESSID:"Fluxion-AP"
                    ...

In the example output above, ESSID:"Fluxion-AP" is our rogue access point.

Use a Separate Device to Scan for Wi-Fi Networks

In this step, we will continue using our second terminal to simulate what a separate device, like a smartphone or laptop, would see when scanning for available Wi-Fi networks. The goal is to confirm that our rogue AP is visible to potential victims.

Instead of looking through the entire output of iwlist scan, we can filter it to only show the network names (ESSIDs). This makes it much easier to spot our network. We can do this by piping the output of the scan command to grep.

In your second terminal window, run this command:

sudo iwlist wlan0 scan | grep ESSID

This command will execute the scan and then filter the results to show only the lines containing "ESSID".

The output should look something like this, clearly listing the names of all nearby networks, including your rogue AP.

                    ESSID:"My-Network"
                    ESSID:"Another-WiFi"
                    ESSID:"Fluxion-AP"
                    ESSID:"Neighbors-Net"

This confirms that from the perspective of any device in range, our rogue access point is active and visible.

Confirm the Rogue AP is Visible and Open

In this final hands-on step, you will analyze the scan results to confirm two crucial details about your rogue AP: its visibility and its security status. A successful captive portal attack relies on the AP being both visible and open (unencrypted).

Let's run the full scan command again in the second terminal, but this time, pay close attention to the details of your rogue AP's entry.

sudo iwlist wlan0 scan

Find the cell corresponding to your rogue AP (e.g., ESSID:"Fluxion-AP"). Look for the Encryption key line within that cell's information.

          Cell 02 - Address: AA:BB:CC:DD:EE:FF
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=50/70  Signal level=-60 dBm
                    Encryption key:off
                    ESSID:"Fluxion-AP"

The two key lines are:

  • ESSID:"Fluxion-AP": This confirms the network is broadcasting the name you intended.
  • Encryption key:off: This is critical. It shows that the network is "Open," meaning no password is required to connect. This is what entices users to join the network, at which point the captive portal (like a fake "Hotel Wi-Fi Login" page) can be presented to them to steal their credentials for another service.
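
The same two fields are what a defender checks from the other side: a cell that reuses one of your network names from a BSSID you do not operate, or without encryption, is a rogue AP candidate. The Python below is an added example, not part of the original lab or of Fluxion; the KNOWN_APS inventory, the sample scan text and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in the format `sudo iwlist wlan0 scan` prints (not a capture).
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:11:22:33:44:55
                    Encryption key:on
                    ESSID:"My-Network"
          Cell 02 - Address: AA:BB:CC:DD:EE:FF
                    Encryption key:off
                    ESSID:"My-Network"
          Cell 03 - Address: 66:77:88:99:AA:BB
                    Encryption key:off
                    ESSID:"Neighbors-Net"
"""

# Assumed inventory of the APs you operate: ESSID -> authorised BSSIDs.
KNOWN_APS = {"My-Network": {"00:11:22:33:44:55"}}
CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")
FIELD_RE = re.compile(r"^\s*(Channel|Encryption key|ESSID):(.*?)\s*$")

def parse_cells(scan_text):
    """Split iwlist scan output into one dict per cell."""
    cells = []
    for line in scan_text.splitlines():
        cell = CELL_RE.search(line)
        field = FIELD_RE.match(line)
        if cell:
            cells.append({"bssid": cell.group(1).upper()})
        elif field and cells:
            key, value = field.groups()
            # ESSID values are quoted; keep inner spaces, they matter for lookalikes.
            cells[-1][key] = value[1:-1] if key == "ESSID" else value
    return cells

def find_suspects(cells, known_aps):
    """Flag cells that reuse a known ESSID from an unlisted BSSID or unencrypted."""
    findings = []
    for c in cells:
        essid = c.get("ESSID")
        if essid not in known_aps:
            continue  # not one of our network names
        reasons = []
        if c["bssid"] not in known_aps[essid]:
            reasons.append("unlisted BSSID")
        if c.get("Encryption key") == "off":
            reasons.append("open network")
        if reasons:
            findings.append((essid, c["bssid"], reasons))
    return findings
```

Calling find_suspects(parse_cells(SAMPLE_SCAN), KNOWN_APS) reports only Cell 02, which clones "My-Network" from an unlisted BSSID with encryption off.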

You have now successfully created and verified a visible, open rogue access point, laying the groundwork for a captive portal attack. You can now close the second terminal window and stop the Fluxion script in the first terminal by pressing Ctrl+C.

Summary

In this lab, you have successfully used Fluxion to create a rogue wireless access point. You learned how to navigate the Fluxion interface to launch a Captive Portal attack, select hostapd to create the AP, and verify its existence and properties using command-line tools in a separate terminal.

You confirmed that the rogue AP was broadcasting its ESSID and, most importantly, that it was an "Open" network, which is a key element in luring users in a real-world scenario.

Understanding how these tools work is the first step toward defending against such attacks. Always be cautious of open Wi-Fi networks and use a VPN to encrypt your traffic. Congratulations on completing this lab!