Raspberry Pi Access point
If you don't have a Raspberry Pi 3, you should really get one. They are super cool and relatively inexpensive. In this exercise, you will configure a Raspberry Pi 3 to run as a Wireless Access Point, granting connected users access to the Internet. This exercise is great because you will install Kali to the Raspberry Pi, edit files, change file permissions, configure network interfaces, install and configure services, configure iptables rules and more. It's a great overview.
Here's what you'll need to do:
- Install Kali on the Raspberry Pi 3. You could use a custom image, but if you do, you might have more troubleshooting to do. If you're unsure, use the stock image, which this solution was written for.
- Implement WPA2 security on the AP.
- Configure eth0 as DHCP, and wlan0 as static.
- Configure the Raspberry Pi as a DHCP server for any wireless clients and assign a DHCP pool with 12-hour leases.
- Have the SSH server start up at boot time so you can SSH to the Raspberry Pi once it's booted.
- Forward all outbound traffic, including DNS, from wlan0 to eth0.
- Allow inbound established (stateful) connections from eth0 to wlan0.
- Hint: Although you have not learned about hostapd or dnsmasq, you will use them in this exercise.
- Partial cheat: Although this article was not written for Kali (and will not work as written on Kali), it is the inspiration for this exercise, and is worth review. Thanks to Phil Martin for the inspiration.
This will require a few things:
- Raspberry Pi 3. You can use an older model with a USB wifi but you're on your own when it comes to configuring wlan0.
- hostapd: This creates an access point
- dnsmasq: This does DNS forwarding and provides a DHCP server
- dhcpcd5: A DHCP client (which also does other cool network management stuff)
Grab the required packages:
apt-get install dnsmasq hostapd dhcpcd5
First, let's tell dhcpcd to ignore wlan0's setup. We'll configure a static IP later:
Put this above any interface lines that may be in the file:
Now, let's set up our wifi interface. If you have a Pi 2 with a USB wi-fi adapter, go ahead and plug it in now. Edit the interfaces file:
...and add this section:
allow-hotplug wlan0
iface wlan0 inet static
    address 172.24.1.1
    netmask 255.255.255.0
    network 172.24.1.0
    broadcast 172.24.1.255
Restart dhcpcd with:
root@kali:~# service dhcpcd restart
and then reload the configuration for wlan0 with:
root@kali:~# ifdown wlan0; ifup wlan0
Next, let's configure hostapd with a new configuration file. Note that an SSID and passphrase are configured for your access point.
root@kali:~# nano /etc/hostapd/hostapd.conf
[..]
root@kali:~# cat /etc/hostapd/hostapd.conf
# This is the name of the WiFi interface we configured above
interface=wlan0
# Use the nl80211 driver with the brcmfmac driver
driver=nl80211
# This is the name of the network
ssid=Kali-Pi3
# Use the 2.4GHz band
hw_mode=g
# Use channel 6
channel=6
# Enable 802.11n
ieee80211n=1
# Enable WMM
wmm_enabled=1
# Enable 40MHz channels and the short guard interval (on 20MHz)
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
# Accept all MAC addresses
macaddr_acl=0
# Use open system authentication (required for WPA), not shared-key WEP
auth_algs=1
# Broadcast the SSID (clients do not need to know the network name)
ignore_broadcast_ssid=0
# Use WPA2
wpa=2
# Use a pre-shared key
wpa_key_mgmt=WPA-PSK
# The network passphrase
wpa_passphrase=raspberrytoor
# Use AES, instead of TKIP
rsn_pairwise=CCMP
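A quick audit of the security-relevant settings in this file, as an added example that is not part of the original exercise. The helper names audit_hostapd and sample_conf are hypothetical, and the checks assume hostapd's documented rules: wpa_passphrase must be 8..63 characters, and rsn_pairwise falls back to wpa_pairwise, whose default is TKIP.

```shell
# Added example: audit_hostapd and sample_conf are hypothetical helpers,
# not part of hostapd. Findings go to stdout; non-zero status means "review".
audit_hostapd() {
    conf=$1; rc=0
    # The PSK is stored in clear text, so the file must not be world-readable.
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "WARN perms: world-readable file holds the passphrase"; rc=1
    fi
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        { i = index($0, "="); if (i) c[substr($0, 1, i - 1)] = substr($0, i + 1) }
        END {
            bad = 0
            if (c["wpa"] != "2") {
                print "FAIL wpa: want 2 (WPA2/RSN only), got \"" c["wpa"] "\""; bad = 1 }
            # Without rsn_pairwise hostapd uses wpa_pairwise (default TKIP).
            eff = (c["rsn_pairwise"] != "") ? c["rsn_pairwise"] : c["wpa_pairwise"]
            if (eff == "" || eff ~ /TKIP/) {
                print "FAIL cipher: pairwise cipher is \"" (eff == "" ? "TKIP (default)" : eff) "\", want CCMP"; bad = 1 }
            n = length(c["wpa_passphrase"])     # report the length, never the value
            if (n < 8 || n > 63) {
                print "FAIL wpa_passphrase: length " n ", must be 8..63 characters"; bad = 1 }
            else if (c["wpa_passphrase"] == "raspberrytoor") {
                print "WARN wpa_passphrase: value is published in this tutorial"; bad = 1 }
            exit bad
        }' "$conf" || rc=1
    return $rc
}

# Constructed sample: the security-relevant lines of the file shown above.
sample_conf() {
    cat <<'EOF'
interface=wlan0
ssid=Kali-Pi3
# Use WPA2
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=raspberrytoor
rsn_pairwise=CCMP
EOF
}

f=$(mktemp) && sample_conf > "$f"
audit_hostapd "$f" || echo "review the findings above"
rm -f "$f"
```

On the real system, run it as `audit_hostapd /etc/hostapd/hostapd.conf`.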
At this point, we can test things out. Run:
root@kali:~# /usr/sbin/hostapd /etc/hostapd/hostapd.conf
This shows a successful run. Note that the errors pertaining to monitor mode are not relevant to us. On an RPi3 using the nexmon firmware, monitor mode would have to be enabled (by us or by an app) with nexutil -m2.
root@kali:~# /usr/sbin/hostapd /etc/hostapd/hostapd.conf
Configuration file: /etc/hostapd/hostapd.conf
Failed to create interface mon.wlan0: -95 (Operation not supported)
wlan0: Could not connect to kernel driver
Using interface wlan0 with hwaddr b6:ae:d7:42:a1:70 and ssid "Kali-Pi3"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
You can connect to this access point and hostapd will show some output:
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated
And once you enter the passphrase you should see something like this:
wlan0: AP-STA-CONNECTED 78:4f:43:7c:6d:32
wlan0: STA 78:4f:43:7c:6d:32 RADIUS: starting accounting session 5991CC2F-00000000
wlan0: STA 78:4f:43:7c:6d:32 WPA: pairwise key handshake completed (RSN)
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 78:4f:43:7c:6d:32
wlan0: INTERFACE-DISABLED
wlan0: STA 00:00:00:00:00:00 IEEE 802.11: disassociated
wlan0: INTERFACE-ENABLED
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated
Note that your client may disconnect and reconnect because it didn't get an IP address. This is normal. You won’t get an IP address until we configure dnsmasq. Have fun with this! It gives you an idea of how this process works, behind the scenes.
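To tell the harmless reconnects described above apart from stations that associate but never complete the WPA handshake (typically a wrong passphrase), the following added example, which is not part of the original exercise, summarizes hostapd's console output per station. sta_summary and sample_log are hypothetical names, and the 02:00:00:00:00:01 lines are constructed.

```shell
# Added example: sta_summary is a hypothetical helper, not part of hostapd.
# Reads hostapd console output on stdin and prints one line per station.
sta_summary() {
    awk '
        # Compare the last field exactly: "disassociated" must not count.
        $2 == "STA" && $NF == "associated"                     { assoc[$3]++ }
        $2 == "STA" && /WPA: pairwise key handshake completed/ { hs[$3]++ }
        END {
            for (m in assoc)
                printf "%s assoc=%d handshakes=%d %s\n", m, assoc[m], hs[m],
                       (hs[m] > 0 ? "ok" : "NO-HANDSHAKE")
        }' | sort
}

# Sample input: the 78:4f:... lines are taken from the output above; the
# 02:00:00:00:00:01 station is constructed to show repeated failed joins.
sample_log() {
    cat <<'EOF'
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated
wlan0: AP-STA-CONNECTED 78:4f:43:7c:6d:32
wlan0: STA 78:4f:43:7c:6d:32 RADIUS: starting accounting session 5991CC2F-00000000
wlan0: STA 78:4f:43:7c:6d:32 WPA: pairwise key handshake completed (RSN)
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 78:4f:43:7c:6d:32
wlan0: STA 00:00:00:00:00:00 IEEE 802.11: disassociated
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: disassociated
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: disassociated
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated
EOF
}

sample_log | sta_summary
```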
Press Ctrl-C to stop hostapd.
Next, we’ll tell hostapd where to find its config file:
root@kali:~# nano /etc/default/hostapd
...find the line #DAEMON_CONF="" and replace it with DAEMON_CONF="/etc/hostapd/hostapd.conf"
Let’s get dnsmasq set up:
The file should look like this:
interface=wlan0 # Use interface wlan0
listen-address=172.24.1.1 # Set our listening address
bind-interfaces # Bind to the interface to make sure we aren't sending things elsewhere
server=8.8.8.8 # Forward DNS requests to Google DNS
domain-needed # Don't forward short names
bogus-priv # Never forward addresses in the non-routed address spaces.
dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time
Now, we have two interfaces active, and we have a DHCP client for our Pi and a DHCP server for our wireless guests. Now we need to forward traffic between the wifi and ethernet interfaces. We can make this happen immediately with a simple command to update /proc:
root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
1
However, this change won’t stick between reboots. We need to make it permanent through sysctl:
root@kali:~# nano /etc/sysctl.conf
...uncomment the line containing net.ipv4.ip_forward=1:
root@kali:/var/www/html# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1
The forward isn’t quite enough to give our wifi guests Internet access (through our eth0 interface). We need iptables to help us do this.
root@kali:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@kali:~# iptables -A FORWARD -i eth0 -o wlan0 \
> -m state --state RELATED,ESTABLISHED -j ACCEPT
root@kali:~# iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
Let’s unwrap these commands:
- Whenever a new connection is encountered (-t nat), we want to alter the packets as they are about to go out (-A POSTROUTING) on our ethernet interface (-o eth0). The -j MASQUERADE target masks the private IP address of the client with the external IP address of the firewall/gateway (Kali Pi).
- Next, we append (-A) a rule to the FORWARD chain (packets being routed through the Pi) which accepts (-j ACCEPT) packets from eth0 to wlan0 (-i eth0 -o wlan0) that belong to (ESTABLISHED) or are related to (RELATED) an existing connection.
- Lastly, we will forward (and accept) all packets from wlan0 to eth0.
Check out our rules:
root@kali:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
Output our rules to a file:
iptables-save > /etc/iptables.ipv4.nat
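An added example, not part of the original exercise, that checks a saved ruleset against the exercise's forwarding requirements. check_ap_ruleset and sample_rules are hypothetical names, and the sample is a constructed iptables-save dump of the three commands above. It also reports the FORWARD policy, because with -P FORWARD ACCEPT (as shown above) the RELATED,ESTABLISHED rule does not by itself block new inbound connections.

```shell
# Added example: check_ap_ruleset is a hypothetical helper. It reads
# iptables-save output on stdin and reports what the AP ruleset enforces.
check_ap_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2); next }           # "*nat", "*filter"
        table == "filter" && $1 == ":FORWARD" { policy = $2 }
        table == "nat" && /^-A POSTROUTING / && / -o eth0 / && / -j MASQUERADE/ { masq = 1 }
        table == "filter" && /^-A FORWARD -i wlan0 -o eth0 .*-j ACCEPT/ { outbound = 1 }
        table == "filter" && /^-A FORWARD -i eth0 -o wlan0 .*-j ACCEPT/ {
            if ($0 ~ /--(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) /) stateful = 1
            else unfiltered = 1     # accepts NEW connections towards wlan0
        }
        END {
            print "masquerade_eth0=" (masq ? "yes" : "no")
            print "wlan0_to_eth0=" (outbound ? "yes" : "no")
            print "eth0_to_wlan0_stateful=" (stateful ? "yes" : "no")
            print "forward_policy=" policy
            # The state rule only restricts inbound traffic if everything
            # it does not match is dropped by the chain policy.
            ok = (masq && outbound && stateful && !unfiltered && policy == "DROP")
            print "inbound_restricted=" (ok ? "yes" : "no")
            exit !ok
        }'
}

# Constructed sample: the rules from this exercise in iptables-save format,
# with the default ACCEPT policies that "iptables -S" reported.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
EOF
}

sample_rules | check_ap_ruleset || echo "review: inbound traffic is not limited to established connections"
```

Against the saved file, run `check_ap_ruleset < /etc/iptables.ipv4.nat`.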
Apply these rules every time we boot the Pi by editing the /etc/rc.local file:
root@kali:~# nano /etc/rc.local
[...]
root@kali:~# more /etc/rc.local
#!/bin/sh -e
iptables-restore < /etc/iptables.ipv4.nat
Make the file executable:
root@kali:~# chmod 711 /etc/rc.local
root@kali:~# ls -l /etc/rc.local
-rwx--x--x 1 root root 57 Aug 10 19:37 /etc/rc.local
As we've seen, hostapd and dnsmasq ship with all the init system goodies (see /etc/init.d), so let's start the services up and check that they are happy:
root@kali:~# systemctl start hostapd dnsmasq
root@kali:~# systemctl status hostapd dnsmasq
● hostapd.service - LSB: Advanced IEEE 802.11 management daemon
   Loaded: loaded (/etc/init.d/hostapd; generated; vendor preset: disabled)
   Active: active (running) since Mon 2017-08-14 19:24:43 UTC; 2s ago
[...]
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; disabled; vendor preset:
   Active: active (running) since Mon 2017-08-14 19:24:43 UTC; 2s ago
And let's set them to run on next reboot:
root@kali:~# systemctl enable hostapd dnsmasq
hostapd.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable hostapd
Synchronizing state of dnsmasq.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable dnsmasq
Finally, reboot and make sure the rules stick after a reboot. Once rebooted, you should be able to connect to the "Kali Pi" and surf!