Follow these instructions to get started:
airodump-ng mon0
and check the output. You will very soon find the client to be in the not associated mode and probing for Wireless Lab and other SSIDs in its stored profile:
mon0 interface. As expected, you might see a lot of packets that are not relevant to our analysis. Apply a Wireshark filter to only display Probe Request packets from the client MAC you are using:
wlan.fc.type_subtype == 0x04 && wlan.sa == <my mac>
You should now see Probe Request packets only from the client for the previously identified SSIDs.
airbase-ng -c 3 -e "Wireless Lab" mon0
3
Let the client connect to the access point. We can verify this from airodump-ng, as shown in the following screenshot:
airodump-ng output to see the new association of the client with our fake access point:
We just created a Honeypot using the probed list from the client and also using the same ESSID as that of neighboring access points. In the first case, the client automatically connected to us, as it was searching for the network. In the latter case, as we were closer to the client than the real access point, our signal strength was higher, and the client connected to us.
In the previous exercise, what do we do if the client does not automatically connect to us? We would have to send a deauthentication packet to break the legitimate client-access point connection and then, if our signal strength is higher, the client will connect to our spoofed access point. Try this out by connecting a client to a legitimate access point, and then forcing it to connect to your Honeypot.
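Seen from the monitoring side, both conditions described above show up in the same airodump-ng data: a client that is not associated and is broadcasting its stored SSIDs, and a second BSSID advertising an ESSID you manage. The following is an added example, not part of the original text; it assumes the column layout of the CSV file airodump-ng writes, and the sample capture, MAC addresses and the `KNOWN` allowlist are constructed for illustration.

```python
import csv
import io

# Constructed sample in the assumed airodump-ng CSV layout; every MAC and time is made up.
SAMPLE = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -60, 120, 0, 0.0.0.0, 12, Wireless Lab,
02:AA:BB:CC:DD:EE, 2024-01-01 10:03:00, 2024-01-01 10:05:00, 3, 54, OPN, , , -30, 40, 0, 0.0.0.0, 12, Wireless Lab,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
66:77:88:99:AA:BB, 2024-01-01 10:01:00, 2024-01-01 10:05:00, -40, 25, (not associated), Wireless Lab,HomeNet
CC:DD:EE:FF:00:11, 2024-01-01 10:04:00, 2024-01-01 10:05:00, -35, 90, 02:AA:BB:CC:DD:EE,
"""

# Allowlist of authorised BSSIDs per managed ESSID (hypothetical inventory).
KNOWN = {"Wireless Lab": {"00:11:22:33:44:55"}}

def parse(text):
    """Split the capture into AP rows and station rows."""
    aps, stations, target = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not row or not row[0]:
            continue
        if row[0] == "BSSID":
            target = aps
        elif row[0] == "Station MAC":
            target = stations
        elif target is aps and len(row) >= 14:
            aps.append({"bssid": row[0].upper(), "channel": row[3],
                        "privacy": row[5], "essid": row[13]})
        elif target is stations and len(row) >= 6:
            # Probed ESSIDs are comma-separated, so they spill into extra columns.
            stations.append({"mac": row[0].upper(), "bssid": row[5].upper(),
                             "probes": [p for p in row[6:] if p]})
    return aps, stations

def rogue_aps(aps, known):
    """APs advertising a managed ESSID from a BSSID that is not on the allowlist."""
    return [ap for ap in aps if ap["essid"] in known and ap["bssid"] not in known[ap["essid"]]]

def probing_clients(stations):
    """Unassociated clients and the stored-profile SSIDs they are broadcasting."""
    return {s["mac"]: s["probes"] for s in stations
            if s["bssid"] == "(NOT ASSOCIATED)" and s["probes"]}

def misassociated(stations, rogues):
    """Clients currently associated with a flagged BSSID."""
    bad = {ap["bssid"] for ap in rogues}
    return [s["mac"] for s in stations if s["bssid"] in bad]
```

An allowlist match on BSSID alone is a first-pass signal, since a BSSID can be copied; the channel and privacy fields kept on each flagged row give a second point of comparison against the authorised access point.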