Exercise 5-5: Mid course project – “Kali Pi” Access Point

Raspberry Pi Access point

If you don't have a Raspberry Pi 3, you should really get one. They are super cool and relatively inexpensive. In this exercise, you will configure a Raspberry Pi 3 to run as a Wireless Access Point, granting connected users access to the Internet. This exercise is great because you will install Kali to the Raspberry Pi, edit files, change file permissions, configure network interfaces, install and configure services, configure iptables rules and more. It's a great overview.

Here's what you'll need to do:

Install Kali on the Raspberry Pi 3. You could use a custom image, but if you do, you might have more troubleshooting to do. If you're unsure, use the stock image, which this solution was written for.
Implement WPA2 security on the AP.
Configure eth0 as DHCP, and wlan0 as static.
Configure the Raspberry Pi as a DHCP server for any wireless clients and assign a DHCP pool with 12-hour leases.
Have the SSH server start up at boot time so you can SSH to the Raspberry Pi once it's booted.
Forward all outbound traffic, including DNS, from wlan0 to eth0.
Allow inbound established (stateful) connections from eth0 to wlan0.
Hint: Although you have not learned about hostapd or dnsmasq, you will use them in this exercise.
Partial cheat: Although this article was not written for Kali (and will not work as written on Kali), it is the inspiration for this exercise, and is worth review. Thanks to Phil Martin for the inspiration.

Show Answer

This will require a few things:

Raspberry Pi 3. You can use an older model with a USB wifi but you're on your own when it comes to configuring wlan0.
hostapd: This creates an access point
dnsmasq: This does DNS forwarding and provides a DHCP sever
dhcpcd5: A DHCP client (which also does other cool network management stuff)

Grab the required packages:

apt-get install dnsmasq hostapd dhcpcd5

First, let's tell dhcpcd to ignore wlan0's setup. We'll configure a static IP later:

nano /etc/dhcpcd.conf

Put this above any interface lines that may be in the file:

denyinterfaces wlan0

Now, let's set up our wifi interface. If you have a Pi 2 with a USB wi-fi adapter, go ahead and plug it in now. Edit the interfaces file:

nano /etc/network/interfaces

...and add this section:

allow-hotplug wlan0  
iface wlan0 inet static  
    address 172.24.1.1
    netmask 255.255.255.0
    network 172.24.1.0
    broadcast 172.24.1.255

Restart dhcpcd with:

root@kali:~# service dhcpcd restart

and then reload the configuration for wlan0 with:

root@kali:~# ifdown wlan0; ifup wlan0

Next, let's configure hostapd with a new configuration file. Note that an SSID and passphrase are configured for your access point.

root@kali:~# nano /etc/hostapd/hostapd.conf
[..]
root@kali:~# cat /etc/hostapd/hostapd.conf
 
# This is the name of the WiFi interface we configured above
interface=wlan0

# Use the nl80211 driver with the brcmfmac driver
driver=nl80211

# This is the name of the network
ssid=Kali-Pi3

# Use the 2.4GHz band
hw_mode=g

# Use channel 6
channel=6

# Enable 802.11n
ieee80211n=1

# Enable WMM
wmm_enabled=1

# Enable 40MHz channels with 20ns guard interval
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]

# Accept all MAC addresses
macaddr_acl=0

# Use WPA authentication
auth_algs=1

# Require clients to know the network name
ignore_broadcast_ssid=0

# Use WPA2
wpa=2

# Use a pre-shared key
wpa_key_mgmt=WPA-PSK

# The network passphrase
wpa_passphrase=raspberrytoor

# Use AES, instead of TKIP
rsn_pairwise=CCMP

At this point, we can test things out. Run:

root@kali:~# /usr/sbin/hostapd /etc/hostapd/hostapd.conf

This shows a successful run. Note that the errors pertaining to monitor mode are not relevant to us. For a RPi3 using the nexmon firmware, we would need (or an app) should nexutil -m2.

root@kali:~# /usr/sbin/hostapd /etc/hostapd/hostapd.conf 
Configuration file: /etc/hostapd/hostapd.conf
Failed to create interface mon.wlan0: -95 (Operation not supported)
wlan0: Could not connect to kernel driver
Using interface wlan0 with hwaddr b6:ae:d7:42:a1:70 and ssid "Kali-Pi3"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED

You can connect to this access point and hostapd will show some output:

wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated

And once you enter the passphrase you should see something like this:

wlan0: AP-STA-CONNECTED 78:4f:43:7c:6d:32
wlan0: STA 78:4f:43:7c:6d:32 RADIUS: starting accounting session 5991CC2F-00000000
wlan0: STA 78:4f:43:7c:6d:32 WPA: pairwise key handshake completed (RSN)
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 78:4f:43:7c:6d:32
wlan0: INTERFACE-DISABLED 
wlan0: STA 00:00:00:00:00:00 IEEE 802.11: disassociated
wlan0: INTERFACE-ENABLED 
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated

Note that your client may disconnect and reconnect because it didn't get an IP address. This is normal. You won’t get an IP address until we configure dnsmasq. Have fun with this! It gives you an idea of how this process works, behind the scenes.

Press Ctrl-C to stop hostapd.

Next, we’ll tell hostapd where to find its config file:

root@kali:~# nano /etc/default/hostapd

..Find the line #DAEMON_CONF="" and replace it with DAEMON_CONF="/etc/hostapd/hostapd.conf"

Let’s get dnsmasq set up:

root@kali:~# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig  
root@kali:~# nano /etc/dnsmasq.conf

The file should look like this:

interface=wlan0      # Use interface wlan0  
listen-address=172.24.1.1 # Set our listening address
bind-interfaces      # Bind to the interface to make sure we aren't sending things elsewhere  
server=8.8.8.8       # Forward DNS requests to Google DNS  
domain-needed        # Don't forward short names  
bogus-priv           # Never forward addresses in the non-routed address spaces.  
dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time

Now, we have two interfaces active, and we have a DHCP client for our Pi and a DHCP server for our wireless guests. Now we need to forward traffic between the wifi and ethernet interfaces. We can make this happen immediately with a simple command to update /proc:

root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
1

However, this change won’t stick between reboots. We need to make it permanent through sysctl:

root@kali:~# nano /etc/sysctl.conf

..uncomment the line containing net.ipv4.ip_forward=1:

root@kali:/var/www/html# grep ip_forward /etc/sysctl.conf 
net.ipv4.ip_forward = 1

The forward isn’t quite enough to give our wifi guests Internet access (through our eth0 interface). We need iptables to help us do this.

root@kali:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  
root@kali:~# iptables -A FORWARD -i eth0 -o wlan0 \                                             
> -m state --state RELATED,ESTABLISHED -j ACCEPT
root@kali:~# iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Let’s unwrap these commands:

Whenever a new connection is encountered (-t nat), we want to alter the packets as they are about to go out (-A POSTROUTING) on our ethernet interface (-o eth0). The -j MASQUERADE target masks the private IP address of the client with the external IP address of the firewall/gateway (Kali Pi).
Next, we append (-A) a rule to the FORWARD chain (packets being routed through the Pi) which accepts (-j ACCEPT) packets from eth0 to wlan0 (-i eth0 -o wlan0) that belong to (ESTABLISHED) or are related to (RELATED) an existing connection.
Lastly, we will forward (and accept) all packets from wlan0 to eth0.

Check out our rules:

root@kali:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT

Output our rules to a file:

iptables-save > /etc/iptables.ipv4.nat

Apply these rules every time we boot the Pi by editing the /etc/rc.local file:

root@kali:~# nano /etc/rc.local
[...]
root@kali:~# more /etc/rc.local
#!/bin/sh -e
iptables-restore < /etc/iptables.ipv4.nat

Make the file executable:

root@kali:~# chmod 711 /etc/rc.local
root@kali:~# ls -l /etc/rc.local
-rwx--x--x 1 root root 57 Aug 10 19:37 /etc/rc.local

As we've seen, hostapd and dnsmasq ship with all the init system goodies (see /etc/init.d), so let's start the services up and check that they are happy:

root@kali:~# systemctl start hostapd dnsmasq
root@kali:~# systemctl status hostapd dnsmasq
● hostapd.service - LSB: Advanced IEEE 802.11 management daemon
   Loaded: loaded (/etc/init.d/hostapd; generated; vendor preset: disabled)
   Active: active (running) since Mon 2017-08-14 19:24:43 UTC; 2s ago
[...]
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; disabled; vendor preset:
   Active: active (running) since Mon 2017-08-14 19:24:43 UTC; 2s ago

And let's set them to run on next reboot:

root@kali:~# systemctl enable hostapd dnsmasq
hostapd.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable hostapd
Synchronizing state of dnsmasq.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable dnsmasq

Finally, reboot and make sure the rules stick after a reboot. Once rebooted, you should be able to connect to the "Kali Pi" and surf!

← Previous Topic

Raspberry Pi Access point

NEW FOR 2021