If you don’t have a Raspberry Pi 3, you should really get one. They are super cool and relatively inexpensive. In this exercise, you will configure a Raspberry Pi 3 to run as a Wireless Access Point, granting connected users access to the Internet. This exercise is great because you will install Kali to the Raspberry Pi, edit files, change file permissions, configure network interfaces, install and configure services, configure iptables rules and more. It’s a great overview.
This will require a few things:
- Raspberry Pi 3. You can use an older model with a USB wifi but you’re on your own when it comes to configuring wlan0.
- hostapd: This creates an access point
- dnsmasq: This does DNS forwarding and provides a DHCP sever
- dhcpcd5: A DHCP client (which also does other cool network management stuff)
Grab the required packages:
|
|
apt-get install dnsmasq hostapd dhcpcd5 |
First, let’s tell dhcpcd to ignore wlan0’s setup. We’ll configure a static IP later:
Put this above any interface lines that may be in the file:
Now, let’s set up our wifi interface. If you have a Pi 2 with a USB wi-fi adapter, go ahead and plug it in now. Edit the interfaces file:
|
|
nano /etc/network/interfaces |
…and add this section:
|
|
allow-hotplug wlan0 iface wlan0 inet static address 172.24.1.1 netmask 255.255.255.0 network 172.24.1.0 broadcast 172.24.1.255 |
Restart dhcpcd with:
|
|
root@kali:~# service dhcpcd restart |
and then reload the configuration for wlan0 with:
|
|
root@kali:~# ifdown wlan0; ifup wlan0 |
Next, let’s configure hostapd with a new configuration file. Note that an SSID and passphrase are configured for your access point.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 |
root@kali:~# nano /etc/hostapd/hostapd.conf [..] root@kali:~# cat /etc/hostapd/hostapd.conf # This is the name of the WiFi interface we configured above interface=wlan0 # Use the nl80211 driver with the brcmfmac driver driver=nl80211 # This is the name of the network ssid=Kali-Pi3 # Use the 2.4GHz band hw_mode=g # Use channel 6 channel=6 # Enable 802.11n ieee80211n=1 # Enable WMM wmm_enabled=1 # Enable 40MHz channels with 20ns guard interval ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40] # Accept all MAC addresses macaddr_acl=0 # Use WPA authentication auth_algs=1 # Require clients to know the network name ignore_broadcast_ssid=0 # Use WPA2 wpa=2 # Use a pre-shared key wpa_key_mgmt=WPA-PSK # The network passphrase wpa_passphrase=raspberrytoor # Use AES, instead of TKIP rsn_pairwise=CCMP |
At this point, we can test things out. Run:
|
|
root@kali:~# /usr/sbin/hostapd /etc/hostapd/hostapd.conf |
This shows a successful run. Note that the errors pertaining to monitor mode are not relevant to us. For a RPi3 using the nexmon firmware, we would need (or an app) should nexutil -m2.
|
|
root@kali:~# /usr/sbin/hostapd /etc/hostapd/hostapd.conf Configuration file: /etc/hostapd/hostapd.conf Failed to create interface mon.wlan0: -95 (Operation not supported) wlan0: Could not connect to kernel driver Using interface wlan0 with hwaddr b6:ae:d7:42:a1:70 and ssid "Kali-Pi3" wlan0: interface state UNINITIALIZED->ENABLED wlan0: AP-ENABLED |
You can connect to this access point and hostapd will show some output:
|
|
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated |
And once you enter the passphrase you should see something like this:
|
|
wlan0: AP-STA-CONNECTED 78:4f:43:7c:6d:32 wlan0: STA 78:4f:43:7c:6d:32 RADIUS: starting accounting session 5991CC2F-00000000 wlan0: STA 78:4f:43:7c:6d:32 WPA: pairwise key handshake completed (RSN) wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: disassociated wlan0: AP-STA-DISCONNECTED 78:4f:43:7c:6d:32 wlan0: INTERFACE-DISABLED wlan0: STA 00:00:00:00:00:00 IEEE 802.11: disassociated wlan0: INTERFACE-ENABLED wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated |
Note that your client may disconnect and reconnect because it didn’t get an IP address. This is normal. You won’t get an IP address until we configure dnsmasq. Have fun with this! It gives you an idea of how this process works, behind the scenes.
Press Ctrl-C to stop hostapd.
Next, we’ll tell hostapd where to find its config file:
|
|
root@kali:~# nano /etc/default/hostapd |
..Find the line #DAEMON_CONF=”” and replace it with DAEMON_CONF=”/etc/hostapd/hostapd.conf”
Let’s get dnsmasq set up:
|
|
root@kali:~# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig root@kali:~# nano /etc/dnsmasq.conf |
The file should look like this:
|
|
interface=wlan0 # Use interface wlan0 listen-address=172.24.1.1 # Set our listening address bind-interfaces # Bind to the interface to make sure we aren't sending things elsewhere server=8.8.8.8 # Forward DNS requests to Google DNS domain-needed # Don't forward short names bogus-priv # Never forward addresses in the non-routed address spaces. dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time |
Now, we have two interfaces active, and we have a DHCP client for our Pi and a DHCP server for our wireless guests. Now we need to forward traffic between the wifi and ethernet interfaces. We can make this happen immediately with a simple command to update /proc:
|
|
root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward root@kali:~# cat /proc/sys/net/ipv4/ip_forward 1 |
However, this change won’t stick between reboots. We need to make it permanent through sysctl:
|
|
root@kali:~# nano /etc/sysctl.conf |
..uncomment the line containing net.ipv4.ip_forward=1:
|
|
root@kali:/var/www/html# grep ip_forward /etc/sysctl.conf net.ipv4.ip_forward = 1 |
The forward isn’t quite enough to give our wifi guests Internet access (through our eth0 interface). We need iptables to help us do this.
|
|
root@kali:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE root@kali:~# iptables -A FORWARD -i eth0 -o wlan0 \ > -m state --state RELATED,ESTABLISHED -j ACCEPT root@kali:~# iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT |
Let’s unwrap these commands:
- Whenever a new connection is encountered (-t nat), we want to alter the packets as they are about to go out (-A POSTROUTING) on our ethernet interface (-o eth0). The -j MASQUERADE target masks the private IP address of the client with the external IP address of the firewall/gateway (Kali Pi).
- Next, we append (-A) a rule to the FORWARD chain (packets being routed through the Pi) which accepts (-j ACCEPT) packets from eth0 to wlan0 (-i eth0 -o wlan0) that belong to (ESTABLISHED) or are related to (RELATED) an existing connection.
- Lastly, we will forward (and accept) all packets from wlan0 to eth0.
Check out our rules:
|
|
root@kali:~# iptables -S -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i wlan0 -o eth0 -j ACCEPT |
Output our rules to a file:
|
|
iptables-save > /etc/iptables.ipv4.nat |
Apply these rules every time we boot the Pi by editing the /etc/rc.local file:
|
|
root@kali:~# nano /etc/rc.local [...] root@kali:~# more /etc/rc.local #!/bin/sh -e iptables-restore < /etc/iptables.ipv4.nat |
Make the file executable:
|
|
root@kali:~# chmod 711 /etc/rc.local root@kali:~# ls -l /etc/rc.local -rwx--x--x 1 root root 57 Aug 10 19:37 /etc/rc.local |
As we’ve seen, hostapd and dnsmasq ship with all the init system goodies (see /etc/init.d), so let’s start the services up and check that they are happy:
|
|
root@kali:~# systemctl start hostapd dnsmasq root@kali:~# systemctl status hostapd dnsmasq ● hostapd.service - LSB: Advanced IEEE 802.11 management daemon Loaded: loaded (/etc/init.d/hostapd; generated; vendor preset: disabled) Active: active (running) since Mon 2017-08-14 19:24:43 UTC; 2s ago [...] ● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server Loaded: loaded (/lib/systemd/system/dnsmasq.service; disabled; vendor preset: Active: active (running) since Mon 2017-08-14 19:24:43 UTC; 2s ago |
And let’s set them to run on next reboot:
|
|
root@kali:~# systemctl enable hostapd dnsmasq hostapd.service is not a native service, redirecting to systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable hostapd Synchronizing state of dnsmasq.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable dnsmasq |
Finally, reboot and make sure the rules stick after a reboot. Once rebooted, you should be able to connect to the “Kali Pi” and surf!
