In my laptop, I have two wifi interfaces wlan0 and wlan1. I am using wlan1 to create rogue AP and wlan0 is connected to the internet which will be ultimately used to provide internet connectivity to rogue AP. You can also use ethernet interface to provide internet connectivity.
Select the wifi interface using which you want to create fake AP and click on Start Access Point, you can leave all the remaining values to default. This will create the fake access point, also configures DHCP server to assign IPs, launches dns2proxy to poison DNS.
Even this minimal setup is ready to perform SSL MITM by downgrading the HTTPS traffic to HTTP using sslstrip. For the case where the client knows it has to connect to HTTPS, we will be using bettercap which replaces certificates on the place of downgrading from HTTPS to HTTP.
To launch bettercap:
sudo bettercap -T 10.0.0.20 –interface wlan1 –no-spoofing –no-discovery –proxy –proxy-port 80 –proxy-https –proxy-https-port 443 -P POST
Now all the HTTP and HTTPS traffic will pass through bettercap and original certificates will be replaced with a self-signed certificate. The CA certificate used by bettercap(bettercap-ca.pem) can be found in ~/.bettercap folder. You can also install this CA certificate on victim machine’s trusted CA store to disable the self-signed certificate error.
Above process helps in creating rogue wifi AP using wifi-pumpkin + bettercap and performing SSL Man in the middle attack (MITM). Below is a snapshot of bettercap decrypting traffic of a banking software.
