Configuring our AP
Reconnaissance
First, we need to perform reconnaissance against the target to learn its encryption details. As mentioned earlier, some clients store the encryption details of the APs they have saved, so our rogue AP must match those details for the attack to succeed.
Creating a Rogue AP
We will use hostapd-mana, a modified version of hostapd that creates APs from network adapters.
The default configuration file is located in /etc/hostapd-mana/hostapd-mana.conf. It contains many example parameters you can check, but we will create our own configuration file; see the template below:
interface=<Interface>
ssid=<Use Target ESSID>
channel=<Use Target Channel>
ieee80211n=1
hw_mode=g
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=anything
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
mana_wpaout=/home/user/captures.hccapx

hostapd-mana by default uses ieee80211p; for this example I used ieee80211n. You must choose the one that matches your target's settings. Note that hostapd does not accept spaces around the = sign, and the key-management parameter is spelled wpa_key_mgmt with underscores.
Setting hw_mode to g selects the 2.4 GHz band; to use 5 GHz, set it to a instead.
Setting wpa to 3 enables both WPA and WPA2 on the AP; setting it to 1 enables only WPA, while setting it to 2 enables only WPA2.
To set the authentication to PSK, we set wpa_key_mgmt to WPA-PSK.
The parameter wpa_pairwise applies only to WPA, while rsn_pairwise applies only to WPA2; for this example we set both because both WPA and WPA2 are enabled.
Finally, the parameter mana_wpaout specifies the file in which captured handshakes are saved; each handshake is appended to this file.
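The reconnaissance step above is about making the rogue AP's advertised ESSID and security parameters match what clients have stored. From the defender's side, that is exactly what a wireless IDS compares: a monitored ESSID advertised by a BSSID not in the inventory, or by a known BSSID with different security settings or channel, is the signature of an evil twin. The following script is an added example, not part of hostapd-mana or this page; the AP inventory, the scan lines (in the column order of an airodump-ng CSV export) and all MAC addresses are constructed sample data.

```python
"""Rogue-AP detector (added example, not part of hostapd-mana).

Compares observed beacons against an inventory of authorised APs and
flags a monitored ESSID that is advertised by an unknown BSSID, or by a
known BSSID whose security parameters or channel differ from inventory.
All inventory entries and scan lines are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str
    essid: str
    channel: int
    privacy: str   # e.g. "WPA2", "WPA WPA2", "OPN"
    cipher: str    # e.g. "CCMP", "TKIP CCMP"
    akm: str       # e.g. "PSK", "MGT"


# Hypothetical inventory of authorised APs (constructed).
KNOWN_APS = {
    "aa:bb:cc:00:00:01": Beacon("aa:bb:cc:00:00:01", "CorpNet", 6, "WPA2", "CCMP", "PSK"),
    "aa:bb:cc:00:00:02": Beacon("aa:bb:cc:00:00:02", "CorpNet", 11, "WPA2", "CCMP", "PSK"),
}

# Constructed scan output, columns: BSSID, channel, Privacy, Cipher, Authentication, ESSID.
# The third line is what an evil twin configured with wpa=3 and TKIP+CCMP looks like.
SAMPLE_SCAN = """\
aa:bb:cc:00:00:01, 6, WPA2, CCMP, PSK, CorpNet
aa:bb:cc:00:00:02, 11, WPA2, CCMP, PSK, CorpNet
de:ad:be:ef:00:01, 6, WPA WPA2, TKIP CCMP, PSK, CorpNet
de:ad:be:ef:00:02, 1, WPA2, CCMP, PSK, CoffeeShop
"""


def parse_scan(text: str) -> list:
    """Parse comma-separated scan lines into Beacon records."""
    beacons = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ch, priv, cipher, akm, essid = [f.strip() for f in line.split(",")]
        beacons.append(Beacon(bssid.lower(), essid, int(ch), priv, cipher, akm))
    return beacons


def find_rogue_aps(beacons, known=KNOWN_APS):
    """Return (bssid, essid, reason) for each beacon that should be investigated."""
    monitored = {ap.essid for ap in known.values()}
    findings = []
    for b in beacons:
        if b.essid not in monitored:
            continue  # someone else's network; out of scope for this inventory
        legit = known.get(b.bssid)
        if legit is None:
            findings.append((b.bssid, b.essid, "unknown BSSID advertising monitored ESSID"))
            continue
        # Known BSSID but different RSN parameters: a spoofed BSSID or a
        # misconfigured AP; either way it needs a look.
        if (b.privacy, b.cipher, b.akm) != (legit.privacy, legit.cipher, legit.akm):
            findings.append((b.bssid, b.essid, "security parameters differ from inventory"))
        elif b.channel != legit.channel:
            findings.append((b.bssid, b.essid, "channel differs from inventory"))
    return findings


if __name__ == "__main__":
    for bssid, essid, reason in find_rogue_aps(parse_scan(SAMPLE_SCAN)):
        print(f"{bssid}  {essid:<12} {reason}")
```

Running it on the sample data reports only de:ad:be:ef:00:01: it advertises the monitored ESSID from a BSSID that is not in the inventory, and its WPA/WPA2 mixed mode with TKIP differs from what the real CorpNet APs offer. A real deployment would feed this from a monitor-mode capture rather than a static string, and would keep the inventory in sync with the controller.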