Introduction
In this lab, you will explore airbase-ng, a versatile tool from the Aircrack-ng suite. airbase-ng is primarily used to create software-based access points, often referred to as "soft APs". This capability is fundamental for various wireless security assessments, such as performing man-in-the-middle (MITM) attacks, capturing WPA/WPA2 handshakes for password cracking, or simply creating a honeypot to study attacker behavior.
Throughout this lab, you will be guided step-by-step to set up your own soft AP. You will learn how to configure a wireless interface for this purpose, launch the access point with a custom name, and prepare it to handle client connections. This hands-on experience will provide a solid foundation for understanding and utilizing one of the key tools in wireless penetration testing.
For this lab, we will use a simulated wireless environment, so you don't need a physical wireless card.
Put your wireless card in monitor mode
In this step, you will prepare your wireless interface for creating a soft AP. The first action required is to put the wireless card into "monitor mode". Monitor mode allows the network interface to capture all wireless traffic on a specific channel, not just the traffic addressed to it. This is essential for airbase-ng to operate correctly.
First, let's identify our simulated wireless interface. Run the iw dev command to list the wireless devices.
iw dev
You should see an interface named wlan0.
phy#0
Interface wlan0
ifindex 3
wdev 0x1
addr 02:00:00:00:00:00
type managed
txpower 0.00 dBm
Now, use the airmon-ng tool to start monitor mode on the wlan0 interface.
sudo airmon-ng start wlan0
After running the command, airmon-ng will create a new monitor mode interface, typically named wlan0mon. The output will confirm this.
PHY Interface Driver Chipset
phy0 wlan0 mac80211_hwsim Software-only virtual MAC
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
You can verify the new interface is present by running iw dev again.
iw dev
You will now see wlan0mon listed with type monitor.
phy#0
Interface wlan0mon
ifindex 4
wdev 0x2
addr 02:00:00:00:00:00
type monitor
txpower 0.00 dBm
Interface wlan0
ifindex 3
wdev 0x1
addr 02:00:00:00:00:00
type managed
txpower 0.00 dBm
Start airbase-ng with a specified ESSID and channel
In this step, you will use airbase-ng to start broadcasting your new soft AP. You need to specify the network name (ESSID) and the wireless channel it will operate on.
We will create a soft AP with the name "MyFakeAP" on channel 6. The command requires the monitor interface you created in the previous step, which is wlan0mon.
Execute the following command in your terminal. airbase-ng will start and run in the foreground, continuously broadcasting the new network.
sudo airbase-ng -e "MyFakeAP" -c 6 wlan0mon
- -e "MyFakeAP": Sets the Extended Service Set Identifier (ESSID), which is the name of the Wi-Fi network that will be visible to other devices.
- -c 6: Sets the wireless channel to 6. It's good practice to choose a channel that is not heavily congested.
- wlan0mon: The monitor mode interface that will be used.
After running the command, airbase-ng will start and display a message indicating it is running.
20:30:10 Created tap interface at0
20:30:10 Trying to set MTU on at0 to 1500
20:30:10 Access Point with BSSID 02:00:00:00:00:00 started on channel 6
Important: This process will occupy your current terminal. For the next steps, you need to open a new terminal. You can do this by clicking the + icon in the terminal tab bar at the top of the terminal window. All subsequent commands in this lab should be run in the new terminal.
Observe the creation of a new 'at0' interface
In this step, you will confirm that airbase-ng has successfully created a new network interface. When airbase-ng starts, it automatically creates a virtual TAP interface, which typically defaults to the name at0. This interface acts as a bridge, allowing you to interact with clients that connect to your soft AP.
In the new terminal you opened, use the ifconfig -a command to list all network interfaces on the system.
ifconfig -a
In the output, you should now see a new interface named at0. This confirms that airbase-ng is running correctly and has set up the necessary infrastructure.
at0: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 02:00:00:00:00:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
... (other interfaces) ...
This at0 interface is currently down and has no IP address. You will configure it in the next step.
Configure the 'at0' interface with an IP address
In this step, you will configure the at0 interface so it can function as a gateway for your soft AP. To do this, you need to bring the interface up and assign it a static IP address. This IP address will be the gateway for any clients that connect to your "MyFakeAP" network.
First, use ifconfig to bring the at0 interface up. Remember to run this in your new terminal.
sudo ifconfig at0 up
Next, assign an IP address and a netmask to the at0 interface. We will use the IP address 192.168.2.1, which will be the gateway for our new private network.
sudo ifconfig at0 192.168.2.1 netmask 255.255.255.0
Now, you can verify that the IP address has been assigned correctly by checking the configuration of the at0 interface again.
ifconfig at0
The output should now show that the interface is UP and has the inet address you assigned.
at0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255
ether 02:00:00:00:00:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Your soft AP is now fully configured and ready to accept client connections.
Watch for clients connecting to your new soft AP
In this step, you will observe what happens when a client connects to your soft AP. Your access point "MyFakeAP" is now broadcasting and fully configured.
Switch back to your first terminal, where airbase-ng is running. This terminal serves as your monitoring console for the soft AP.
In a real-world scenario, you would now take another device (like a smartphone or laptop) and search for available Wi-Fi networks; "MyFakeAP" would appear in the list. When a device attempts to connect and associates with your AP, airbase-ng will print a message to the console.
The message will look similar to this, showing the MAC address of the connecting client:
20:35:01 Client 12:34:56:78:9A:BC associated (WPA1)
Since we are in a simulated environment, you won't be able to connect a real device. However, understanding this output is the final piece of the puzzle.
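For the honeypot use mentioned in the introduction, the association messages can be summarised per client. The script below is an added example, not part of the original lab: the function names are hypothetical, the log lines are constructed in the format of the sample message above, and it assumes the console output has been saved as text.

```shell
#!/bin/sh
# Added example: summarise client associations from saved airbase-ng console output.

# Reads log text on stdin and prints one line per client MAC:
#   <MAC> <association count> <first seen> <last seen> <encryption label>
summarize_associations() {
    awk '
        # Accept only "HH:MM:SS Client <MAC> associated (<enc>)" lines with a
        # well-formed MAC (17 characters, hex pairs separated by colons).
        $2 == "Client" && $4 == "associated" && length($3) == 17 &&
        $3 ~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/ {
            mac = toupper($3)
            enc = $5; gsub(/[()]/, "", enc)
            if (!(mac in count)) { first[mac] = $1; order[++n] = mac }
            count[mac]++
            last[mac] = $1
            label[mac] = enc
        }
        END {
            for (i = 1; i <= n; i++) {
                m = order[i]
                printf "%s %d %s %s %s\n", m, count[m], first[m], last[m], label[m]
            }
        }'
}

# Constructed sample log (not captured from a real session).
sample_log() {
    cat <<'EOF'
20:30:10  Created tap interface at0
20:30:10  Access Point with BSSID 02:00:00:00:00:00 started on channel 6
20:35:01  Client 12:34:56:78:9A:BC associated (WPA1)
20:36:40  Client aa:bb:cc:dd:ee:01 associated (WPA1)
20:41:12  Client 12:34:56:78:9A:BC associated (WPA1)
20:41:30  Client not-a-mac associated (WPA1)
EOF
}

sample_log | summarize_associations
```

Lines that are not association messages, or whose MAC field is malformed, are ignored rather than counted.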
To complete the lab, you need to clean up the environment.
- Go to the terminal where airbase-ng is running and press Ctrl+C to stop it.
- In any terminal, stop the monitor mode interface to return your wireless card to its normal state.
sudo airmon-ng stop wlan0mon
This will remove the wlan0mon interface and restore wlan0 to managed mode.
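To confirm the cleanup rather than assume it, the iw dev output can be checked for leftover monitor-mode interfaces. This is an added example, not part of the original lab: the function names are hypothetical and the two sample inputs are constructed from the iw dev outputs shown earlier.

```shell
#!/bin/sh
# Added example: verify the lab cleanup from `iw dev` output.
# Live usage: iw dev | check_cleanup

# Prints "<interface> <type>" for each interface block read on stdin.
iface_types() {
    awk '$1 == "Interface" { name = $2 }
         $1 == "type" && name != "" { print name, $2; name = "" }'
}

# Reads `iw dev` output on stdin. Prints each leftover problem and returns 1;
# returns 0 when wlan0 is managed and no interface is in monitor mode.
check_cleanup() {
    iface_types | awk '
        $2 == "monitor"                  { print "still in monitor mode: " $1; bad = 1 }
        $1 == "wlan0" && $2 == "managed" { ok = 1 }
        END {
            if (!ok) { print "wlan0 is not in managed mode"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: state while the lab is running.
iw_dev_during_lab() {
    cat <<'EOF'
phy#0
    Interface wlan0mon
        ifindex 4
        type monitor
    Interface wlan0
        ifindex 3
        type managed
EOF
}

# Constructed sample: state after `airmon-ng stop wlan0mon`.
iw_dev_after_cleanup() {
    cat <<'EOF'
phy#0
    Interface wlan0
        ifindex 3
        type managed
EOF
}

iw_dev_during_lab | check_cleanup || echo "cleanup still needed"
iw_dev_after_cleanup | check_cleanup && echo "cleanup verified"
```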
Summary
Congratulations on completing the lab! You have successfully used airbase-ng to create and configure a software-based wireless access point.
In this lab, you learned how to:
- Install the aircrack-ng suite.
- Place a wireless interface into monitor mode using airmon-ng.
- Launch a soft AP with a custom ESSID and channel using airbase-ng.
- Identify the newly created at0 TAP interface.
- Configure the at0 interface with a static IP address to act as a gateway.
- Understand how to monitor for client connections.
These skills are foundational for many advanced topics in wireless security, including network reconnaissance, honeypot deployment, and man-in-the-middle attacks. You are now better equipped to explore the fascinating world of wireless security.
