If you don't have a Raspberry Pi 3, you should really get one. They are super cool and relatively inexpensive. In this exercise, you will configure a Raspberry Pi 3 to run as a Wireless Access Point, granting connected users access to the Internet. This exercise is great because you will install Kali to the Raspberry Pi, edit files, change file permissions, configure network interfaces, install and configure services, configure iptables rules and more. It's a great overview.
This will require a few things:
- Raspberry Pi 3. You can use an older model with a USB wifi but you're on your own when it comes to configuring wlan0.
- hostapd: This creates an access point
- dnsmasq: This does DNS forwarding and provides a DHCP server
- dhcpcd5: A DHCP client (which also does other cool network management stuff)
Grab the required packages:
apt-get install dnsmasq hostapd dhcpcd5
First, let's tell dhcpcd to ignore wlan0's setup. We'll configure a static IP later:
nano /etc/dhcpcd.conf
Put this above any interface lines that may be in the file:
denyinterfaces wlan0
Now, let's set up our wifi interface. If you have a Pi 2 with a USB wi-fi adapter, go ahead and plug it in now. Edit the interfaces file:
nano /etc/network/interfaces
...and add this section:
allow-hotplug wlan0
iface wlan0 inet static
address 172.24.1.1
netmask 255.255.255.0
network 172.24.1.0
broadcast 172.24.1.255
Restart dhcpcd with:
root@kali:~# service dhcpcd restart
and then reload the configuration for wlan0 with:
root@kali:~# ifdown wlan0; ifup wlan0
Next, let's configure hostapd with a new configuration file. Note that an SSID and passphrase are configured for your access point.
root@kali:~# nano /etc/hostapd/hostapd.conf
[..]
root@kali:~# cat /etc/hostapd/hostapd.conf
# This is the name of the WiFi interface we configured above
interface=wlan0
# Use the nl80211 driver with the brcmfmac driver
driver=nl80211
# This is the name of the network
ssid=Kali-Pi3
# Use the 2.4GHz band
hw_mode=g
# Use channel 6
channel=6
# Enable 802.11n
ieee80211n=1
# Enable WMM
wmm_enabled=1
# Enable 40MHz channels and the short guard interval on 20MHz channels
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
# Accept all MAC addresses
macaddr_acl=0
# Use Open System authentication (required for WPA/WPA2)
auth_algs=1
# Broadcast the network name (1 would require clients to know it)
ignore_broadcast_ssid=0
# Use WPA2
wpa=2
# Use a pre-shared key
wpa_key_mgmt=WPA-PSK
# The network passphrase
wpa_passphrase=raspberrytoor
# Use AES, instead of TKIP
rsn_pairwise=CCMP
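The settings above that decide how well the access point is protected can be checked mechanically. This is an added example, not part of the original tutorial: it flags anything other than WPA2 with CCMP, a passphrase outside the 8 to 63 characters WPA-PSK accepts, and the passphrase published above. The function name audit_hostapd_conf and the sample file are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# audit_hostapd_conf FILE: print one finding per line, nothing if the file passes.
audit_hostapd_conf() {
    awk '
        /^[ \t]*#/ || !/=/ { next }        # skip comments and lines without key=value
        {
            eq = index($0, "=")            # split on the first "=", the value may contain more
            conf[substr($0, 1, eq - 1)] = substr($0, eq + 1)
        }
        END {
            if (conf["wpa"] != "2")
                print "wpa: expected 2 (WPA2 only), found \"" conf["wpa"] "\""
            if (conf["rsn_pairwise"] != "CCMP")
                print "rsn_pairwise: expected CCMP only, found \"" conf["rsn_pairwise"] "\""
            n = length(conf["wpa_passphrase"])
            if (n < 8 || n > 63)
                print "wpa_passphrase: length " n " is outside the 8-63 characters WPA-PSK allows"
            if (conf["wpa_passphrase"] == "raspberrytoor")
                print "wpa_passphrase: still the value published in this tutorial"
        }
    ' "$1"
}

# Constructed sample: the security-relevant lines of the hostapd.conf shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
interface=wlan0
ssid=Kali-Pi3
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
# The network passphrase
wpa_passphrase=raspberrytoor
rsn_pairwise=CCMP
EOF
audit_hostapd_conf "$sample"     # one finding: the published passphrase
rm -f "$sample"
```

On the real system, run it as audit_hostapd_conf /etc/hostapd/hostapd.conf after choosing your own passphrase.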
At this point, we can test things out. Run:
root@kali:~# /usr/sbin/hostapd /etc/hostapd/hostapd.conf
This shows a successful run. Note that the errors pertaining to monitor mode are not relevant to us. For an RPi3 using the nexmon firmware, we (or an app) would need to run nexutil -m2 for monitor mode.
root@kali:~# /usr/sbin/hostapd /etc/hostapd/hostapd.conf
Configuration file: /etc/hostapd/hostapd.conf
Failed to create interface mon.wlan0: -95 (Operation not supported)
wlan0: Could not connect to kernel driver
Using interface wlan0 with hwaddr b6:ae:d7:42:a1:70 and ssid "Kali-Pi3"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
You can connect to this access point and hostapd will show some output:
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated
And once you enter the passphrase you should see something like this:
wlan0: AP-STA-CONNECTED 78:4f:43:7c:6d:32
wlan0: STA 78:4f:43:7c:6d:32 RADIUS: starting accounting session 5991CC2F-00000000
wlan0: STA 78:4f:43:7c:6d:32 WPA: pairwise key handshake completed (RSN)
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: disassociated
wlan0: AP-STA-DISCONNECTED 78:4f:43:7c:6d:32
wlan0: INTERFACE-DISABLED
wlan0: STA 00:00:00:00:00:00 IEEE 802.11: disassociated
wlan0: INTERFACE-ENABLED
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated
Note that your client may disconnect and reconnect because it didn't get an IP address. This is normal. You won’t get an IP address until we configure dnsmasq. Have fun with this! It gives you an idea of how this process works, behind the scenes.
Press Ctrl-C to stop hostapd.
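The hostapd events shown above are also the access point's own record of who tried to join. The following added example (not part of the original tutorial; summarize_stations is a hypothetical helper name) counts associations and completed WPA handshakes per station and marks stations that associate without ever completing the handshake, which is typically what a wrong passphrase looks like from the AP side.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# summarize_stations: read hostapd output on stdin and print, per station MAC,
# how often it associated and how often the WPA handshake completed.
summarize_stations() {
    awk '
        $2 == "STA" && /IEEE 802\.11: associated/              { assoc[$3]++ }
        $2 == "STA" && /WPA: pairwise key handshake completed/ { ok[$3]++ }
        END {
            for (mac in assoc)
                printf "%s associations=%d handshakes=%d%s\n", mac, assoc[mac],
                       ok[mac], (ok[mac] ? "" : " NO-HANDSHAKE")
        }
    ' | sort
}

# Constructed sample: the tutorial's station plus a made-up one (02:00:00:00:00:01)
# that keeps associating without ever finishing the handshake.
summarize_stations <<'EOF'
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: associated
wlan0: AP-STA-CONNECTED 78:4f:43:7c:6d:32
wlan0: STA 78:4f:43:7c:6d:32 WPA: pairwise key handshake completed (RSN)
wlan0: STA 78:4f:43:7c:6d:32 IEEE 802.11: disassociated
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: disassociated
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: disassociated
wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated
EOF
```

A client that reconnects only because it has no IP address yet still completes the handshake each time, so it is not marked.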
Next, we’ll tell hostapd where to find its config file:
root@kali:~# nano /etc/default/hostapd
...find the line #DAEMON_CONF="" and replace it with DAEMON_CONF="/etc/hostapd/hostapd.conf"
Let’s get dnsmasq set up:
root@kali:~# mv /etc/dnsmasq.conf /etc/dnsmasq.conf.orig
root@kali:~# nano /etc/dnsmasq.conf
The file should look like this:
interface=wlan0 # Use interface wlan0
listen-address=172.24.1.1 # Set our listening address
bind-interfaces # Bind to the interface to make sure we aren't sending things elsewhere
server=8.8.8.8 # Forward DNS requests to Google DNS
domain-needed # Don't forward short names
bogus-priv # Never forward addresses in the non-routed address spaces.
dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time
Now, we have two interfaces active, and we have a DHCP client for our Pi and a DHCP server for our wireless guests. Now we need to forward traffic between the wifi and ethernet interfaces. We can make this happen immediately with a simple command to update /proc:
root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
1
However, this change won’t stick between reboots. We need to make it permanent through sysctl:
root@kali:~# nano /etc/sysctl.conf
...uncomment the line containing net.ipv4.ip_forward=1:
root@kali:/var/www/html# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward = 1
Forwarding alone isn’t quite enough to give our wifi guests Internet access (through our eth0 interface). We need iptables to help us do this.
root@kali:~# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
root@kali:~# iptables -A FORWARD -i eth0 -o wlan0 \
> -m state --state RELATED,ESTABLISHED -j ACCEPT
root@kali:~# iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
Let’s unwrap these commands:
- Whenever a new connection is encountered (-t nat), we want to alter the packets as they are about to go out (-A POSTROUTING) on our ethernet interface (-o eth0). The -j MASQUERADE target masks the private IP address of the client with the external IP address of the firewall/gateway (Kali Pi).
- Next, we append (-A) a rule to the FORWARD chain (packets being routed through the Pi) which accepts (-j ACCEPT) packets from eth0 to wlan0 (-i eth0 -o wlan0) that belong to (ESTABLISHED) or are related to (RELATED) an existing connection.
- Lastly, we will forward (and accept) all packets from wlan0 to eth0.
Check out our rules (iptables -S lists only the filter table; the MASQUERADE rule shows up with iptables -t nat -S):
root@kali:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
Output our rules to a file:
iptables-save > /etc/iptables.ipv4.nat
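The saved file is exactly what iptables-restore will load later, so it is worth checking before relying on it. The following added example (not from the original tutorial; check_saved_rules and harden_saved_rules are hypothetical helper names, and the sample dump is constructed and abridged) flags a missing MASQUERADE rule and a FORWARD policy of ACCEPT, under which the two FORWARD rules restrict nothing, and writes a copy with that policy set to DROP.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# check_saved_rules FILE: audit an iptables-save dump, one finding per line.
check_saved_rules() {
    awk '
        BEGIN { policy = "not set" }
        /^\*/ { table = substr($0, 2); next }       # "*nat", "*filter" start a table
        table == "filter" && $1 == ":FORWARD" { policy = $2 }
        table == "nat" && /^-A POSTROUTING / && /-o eth0 / && /-j MASQUERADE/ { nat = 1 }
        END {
            if (!nat)
                print "nat: no MASQUERADE rule for eth0, clients get no Internet access"
            if (policy != "DROP")
                print "filter: FORWARD policy is " policy ", so the -A FORWARD rules restrict nothing"
        }
    ' "$1"
}

# harden_saved_rules FILE: print the dump with the filter FORWARD policy set to DROP,
# so the two FORWARD rules become the only permitted paths through the Pi.
harden_saved_rules() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == ":FORWARD" { $2 = "DROP" }
        { print }
    ' "$1"
}

# Constructed, abridged sample of /etc/iptables.ipv4.nat after the commands above.
saved=$(mktemp)
cat > "$saved" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
EOF
check_saved_rules "$saved"                        # reports the ACCEPT policy
harden_saved_rules "$saved" > "$saved.hardened"
check_saved_rules "$saved.hardened"               # prints nothing
rm -f "$saved" "$saved.hardened"
```

The same result on the live system comes from running iptables -P FORWARD DROP before iptables-save; the INPUT policy is untouched, so DHCP and DNS requests to dnsmasq on the Pi keep working.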
Apply these rules every time we boot the Pi by editing the /etc/rc.local file:
root@kali:~# nano /etc/rc.local
[...]
root@kali:~# more /etc/rc.local
#!/bin/sh -e
iptables-restore < /etc/iptables.ipv4.nat
Make the file executable:
root@kali:~# chmod 711 /etc/rc.local
root@kali:~# ls -l /etc/rc.local
-rwx--x--x 1 root root 57 Aug 10 19:37 /etc/rc.local
As we've seen, hostapd and dnsmasq ship with all the init system goodies (see /etc/init.d), so let's start the services up and check that they are happy:
root@kali:~# systemctl start hostapd dnsmasq
root@kali:~# systemctl status hostapd dnsmasq
● hostapd.service - LSB: Advanced IEEE 802.11 management daemon
Loaded: loaded (/etc/init.d/hostapd; generated; vendor preset: disabled)
Active: active (running) since Mon 2017-08-14 19:24:43 UTC; 2s ago
[...]
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; disabled; vendor preset:
Active: active (running) since Mon 2017-08-14 19:24:43 UTC; 2s ago
And let's set them to run on next reboot:
root@kali:~# systemctl enable hostapd dnsmasq
hostapd.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable hostapd
Synchronizing state of dnsmasq.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable dnsmasq
Finally, reboot and make sure the rules stick. Once rebooted, you should be able to connect to "Kali-Pi3" and surf!