DigiNinja wrote a set of patches for hostapd that allow it to operate in KARMA mode (i.e. respond to any probe in an attempt to fool Wi-Fi devices into joining it). His last set of patches was for v1.0. I spent some time porting them to v2.0 of hostapd.
The functionality is exactly the same (although the probe response is a little more aggressive), and you can grab either the patch or the full tarball here:
- hostapd-2.0-karma.patch (38K)
- hostapd-2.0-karma.tar.gz (1.4M)
This is republished from the original on the SensePost blog.
In preparation for our wireless training course at BlackHat Vegas in a few weeks, I spent some time updating the content on rogue/spoofed access points. What we mean by this are access points under your control that you attempt to trick a user into connecting to, rather than the “unauthorised access points” Bob in Marketing bought and plugged into your internal network for his team to use.
I’ll discuss how to quickly get a rogue AP up on Kali that will allow you to start gathering some creds, specifically mail creds. Once you have that basic pattern down, setting up more complex attacks is fairly easy.
This is a fairly detailed “how-to” style blog entry that gives you a taste of what you can grab on our training course.
Continue reading "Rogue Access Points, a how-to"