Creating A Rogue Access Point

Computer with warning pop up sign window Premium Photo

Everyone is advertising free WiFi nowadays as a way to lure customers in. What these customers might not known is if the hotspot they are connecting to is genuine. It could be a Rogue AP setup by a malicious party in order to sniff your traffic. They provide you with free internet access and you provide them with all your network traffic. Below is an example on how it can work.

You may think it would be super complex in order for these malicious parties to set this up but you would be wrong. Useful tools such as Wifi-Pumpkin make life so much easier. Below is a few steps on how you can set it up yourselves.

What you will need:

Ethernet connection or 2nd Wireless Adapter: Connected with internet access
Wireless adapter for the AP: I use the ALFA AWUS036NHA
Running a Linux distro: Advised to use either Kali or Parrot OS

Parrot OS:

In this demonstration, I will be using Parrot OS which comes with a bunch of tools already installed. What it doesn’t come with is Wifi-Pumpkin but I will go through how to install. I find the easiest method is to use ‘git clone’:

git clone
cd WiFi-Pumpkin
sudo chmod +x
sudo ./ –install

You should then be able to start WP with: sudo wifi-pumpkin

If you jump straight to the settings tab, you can see WP does all the hard work for you.
If you want to spin up an AP quickly, you just need to give it a name (SSID) and select the wireless adapter (Not the adapter providing the internet access).

Once you are good, click Start and wait for a client to join. If you are testing at home, connect using your phone or laptop.

Once they or you have connected to the AP you will see their client under ‘Home’.
Once they have connected, you should start to see their traffic under the Monitor tab.

With SSLStrip and DNS2Proxy running, you should start to see HTTPS traffic.
SSLStrip is a very useful tool and helps break down HTTPS traffic.
How it works:

The malicious party will most likely be running multiple tools instead of just WiFi-Pumpkin. They will most likely be running tools such as WireShark or Ettercap in order to sniff huge amounts of traffic. Again, if you are using Parrot or Kali, these tools are already pre-installed. The more traffic your sniff, the more likely you are to find something of worth.

This image has an empty alt attribute; its file name is image-13.png

This is just the basic steps to setting up a Rogue AP. If a malicious party really wanted to capture sensitive traffic, they could be using tools for captive portals, Phishing, DNS poisoning and site cloning.

It might not be just your traffic they are interested in. They might be looking to directly attack your client. If they monitor your traffic, they will start to see how your client is interacting with the web. If they are seeing Outlook, Zscaler, Symantec, McAfee traffic and any other application traffic, they can be certain your client is running that product. If they know this, they can start to look for vulnerabilities in that software in order to gain access to your data.

They may do a simple Nmap on your client in order to see open services and ports or use a vulnerability scanner such as OpenVas. This is also included in Parrot and Kali and is a free tool to use. Here is how to set it up:

Sudo openvas-setup
Sudo openvasmd –user=admin –new-password=*Pick a Password*
sudo openvas-start

Once started, open Firefox and enter: Https://

You can then enter ‘admin’ and the password you chose above.

This image has an empty alt attribute; its file name is image-14.png

To run a quick scan, under the Tasks page there will be a purple wand. Click this for a quick scan. Enter the IP or range and let it do it’s thing.

This image has an empty alt attribute; its file name is image-15.png

Once ran, it should start to show you potential attack points. Again, this is very basic, there is a lot more you can do with these tools. It’s important to remember, only do this if you have been granted permission to do so or if you are attacking yourself.


4 responses to “Creating A Rogue Access Point”

  1. Ctrlaltdel avatar

    Alternatively to that, if you setup the mitmproxy, the traffic is encrypted at the proxy meaning that you can see traffic flow back and forth.


  2. Ctrlaltdel avatar

    To be able to see HTTPS traffic the client or browser will need to have a shared certificate installed.

    For example, for a firewall to do SSL inspection, it requires the client/server to have it’s certificate to be installed. If the client has the same certificate that the firewall has, HTTPS traffic can be inspected. If not, it can’t perform inspection which is a form of MiTM.


  3. casino avatar

    What’s up, this weekend is good in support of me, for the reason that this
    time i am reading this wonderful educational
    post here at my home.


  4. Peter avatar

    Not really working. I was able to start WiFi-Pumpkin, I was even able to eliminate the dependency errors related with pumpkin proxy. I was also able to connect to the Fake AP with my Android phone. Even if I select sslstrip & dns2proxy as the active module, I was NOT ABLE to see anything SSL encrypted. When I start Wireshark, this is the same – you can see only unencrypted traffic.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at

%d bloggers like this: