Tuts 4 You

Android FakeAP



Here is how to set up a Fake Access Point with the Android Broadcom chip 4329:

you must be root

ultra_bcm_config executable should be in the droid's /data directory with rwx rights

If you don't know Linux I suggest you not do this

1) insmod /system/lib/modules/dhd.ko firmware_path=/system/vendor/firmware/fw_bcm4329_apsta.bin nvram_path=/system/etc/wl/nvram.txt

That loads the wifi module with all the correct chipset setups as needed into the Android kernel

2) /data/ultra_bcm_config eth0 softap_gog APFAKER none "" 11

That uses the ultra config to set up the droid's wifi as a fake AP with name APFAKER using the eth0 device (yours may be different) on channel 11 with no wifi crypto set

Once up and running, I used an iPhone to connect to the droid's wifi and recorded a valid IP

This could be used anywhere, at, say, a bar, to fool people into connecting to an Evil Twin AP (of course change the APFAKER to something more marketable)

I'll post some pictures a little later of screenshots showing the iPhone connected to my fake AP

I have not been able to properly set up iptables to route any of the iPhone's connections (to, say, Google) back to a web server on the droid (that I had running)

However, I was able to have the iPhone go to the droid's web server address (say 192.168.1.1) and stream the droid's welcome home page to the iPhone

I'll try to post all the needed stuff a little later

Ultra config

Droid C-based server built using the C4Droid compiler

Edited by JMC31337

C4Droid Web Server (c-code):

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <err.h>

/* Static HTTP response: status line, headers and a one-page HTML body */
char response[] = "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n\r\n"
    "<!doctype html><html><head><title>Bye-bye baby bye-bye</title>"
    "<style>body { background-color: #111 }"
    "h1 { font-size:4cm; text-align: center; color: black;"
    " text-shadow: 0 0 2mm red}</style></head>"
    "<body><h1>Goodbye, world!</h1></body></html>\r\n";

int main()
{
    int one = 1, client_fd;
    struct sockaddr_in svr_addr, cli_addr;
    socklen_t sin_len;

    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
        err(1, "can't open socket");
    /* Allow quick restarts while old connections are still in TIME_WAIT */
    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(int));

    int port = 80; /* privileged port: needs root, which the droid already has */
    svr_addr.sin_family = AF_INET;
    /* The bind address was blank in the post; INADDR_ANY listens on every interface,
       including the fake AP's one */
    svr_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    svr_addr.sin_port = htons(port);
    if (bind(sock, (struct sockaddr *) &svr_addr, sizeof(svr_addr)) == -1) {
        err(1, "Can't bind");
    }
    listen(sock, 5);

    while (1) {
        sin_len = sizeof(cli_addr); /* accept() overwrites this, so reset it each time */
        client_fd = accept(sock, (struct sockaddr *) &cli_addr, &sin_len);
        if (client_fd == -1) {
            perror("Can't accept");
            continue;
        }
        printf("got connection\n");
        /* Send the page once; -1 drops the trailing '\0' of the string literal */
        write(client_fd, response, sizeof(response) - 1);
        close(client_fd); /* let the client see end-of-response */
    }
}

(Moderator, if the images are too big, let me know and I'll convert them to smaller formats)


Security Implications:

We see people in public places all the time with laptops, iPhones, droids, iPads, etc.

If we set up a fake AP we could detect the browser, stream malware, redirect to malicious porn sites, steal passwords with fake logins; the list goes on


However, iPhones and Droids don't come stock with ROOT ACCESS (hence jailbreaks and ROMs)

But you can stream an IPA to iPhones and they will download it (I've done this from other sites; you can stream .deb files to jailbroken phones and they will run them, done that too). Without an Enterprise Apple Developer's Certificate (which, like anything, can be hacked) you can't have people install your IPA apps (unless they're jailbroken and the IPA is fake-signed), so... for $400 - $1000 to get that Enterprise Cert you could have a field day

Androids do allow APKs to boot load (as a normal user) depending on the circumstance

iPhones also have a boot load option under VoIP app programming with the SDK

Windows we know can be infected

OSX too; although there are few OSX malwarez out there (compared to Windows), you can still be infected if you're an OSX user

And anyone can be redirected to any site with any browser, and anyone can be faked into entering their login info on a FAKE Evil Twin login page; it just depends upon whether the person is smart enough to know NOT to

Edited by JMC31337

So if anyone knows a good source of info for IPTABLES so I can redirect all outgoing requests to the web server I'd appreciate it (as I have tried many different iptables options)


And my iPhone power button is broken so I had to use the droid to capture screenshots... (hate installing Cydia 3rd party apps)
