
GhostAP - Wireless Access Point Creator

A comprehensive Bash script for creating wireless access points with advanced features including internet sharing, packet capture, DNS spoofing, proxy routing, captive portal, and monitor mode capabilities.

Features

  • Wireless Access Point Creation: Set up secure (WPA2/WPA3) or open WiFi networks
  • AP Cloning: Quickly clone existing networks by SSID with automatic configuration
  • Internet Sharing: Share internet connection from another interface via NAT
  • Real-time Client Monitoring: Track connected devices with MAC, IP, and hostname
  • Packet Capture: Real-time traffic monitoring and PCAP export with tshark
  • DNS Spoofing: Redirect specific domains to custom IP addresses
  • DoH Blocking: Block DNS-over-HTTPS to enforce DNS spoofing
  • Captive Portal: Intercept clients with a customizable portal page; credentials are captured and clients are whitelisted on acceptance
  • Proxy Integration: Tool-agnostic support for local transparent proxies, redsocks (upstream), and remote DNAT
  • VPN Routing: Securely route all AP traffic through OpenVPN, WireGuard, or a pre-configured VPN interface
  • VPN Kill Switch: Prevent traffic leaks with a built-in firewall kill switch
  • Intercept Traffic: Easily bridge traffic to tools like mitmproxy, Burp Suite, or Wireshark
  • Interactive & CLI Modes: Flexible configuration options
  • Configuration Management: Save and load configurations with CLI argument overrides
  • Comprehensive Logging: Detailed operation logs for all services

Requirements

System Requirements

  • Linux system with root access
  • Bash version 4.0 or newer
  • Wireless network interface capable of AP mode

Required Dependencies

sudo apt update
sudo apt install hostapd dnsmasq wireless-tools net-tools iptables iproute2

Optional Dependencies

# For packet capture
sudo apt install wireshark-common

# For proxy routing
sudo apt install redsocks

# For VPN routing (optional)
sudo apt install openvpn wireguard-tools

# For advanced interception (optional)
sudo apt install mitmproxy

Installation

  1. Clone the repository:

git clone https://github.com/DilshanHarshajith/GhostAP.git
cd GhostAP
chmod +x GhostAP.sh

  2. Run with root privileges:

sudo ./GhostAP.sh

Installation as Debian Package (Recommended)

  1. Download the latest .deb package from the Releases page.
  2. Install using apt:

sudo apt install ./ghostap_*.deb

  3. Run from anywhere:

sudo ghostap

Usage

Interactive Mode (Recommended for beginners)

sudo ./GhostAP.sh --interactive

Quick Start Examples

Basic Open Access Point

sudo ./GhostAP.sh -i wlan0 -s "MyOpenAP" -c 6 --security open

Secure WPA2 Access Point with Internet Sharing

sudo ./GhostAP.sh -i wlan0 -s "MySecureAP" -c 6 --security wpa2 --password "password123" --internet -si eth0

Access Point with Packet Capture

sudo ./GhostAP.sh -i wlan0 -s "MonitorAP" --capture
# or
sudo ./GhostAP.sh -i wlan0 -s "MonitorAP" --capture "capture.pcap"

Access Point with Proxy Routing

sudo ./GhostAP.sh -i wlan0 -s "ProxyAP" --proxy --proxy-host 127.0.0.1 --proxy-port 8080 --proxy-type http

Clone an Existing Access Point

sudo ./GhostAP.sh -i wlan0 --clone "Target_SSID"

Local Transparent Interception

sudo ./GhostAP.sh --local-proxy -s "InterceptAP"

Captive Portal (intercept clients before granting internet access)

# Built-in portal page with internet sharing
sudo ./GhostAP.sh -i wlan0 -s "FreeWifi" --security open --captive --internet -si eth0

# With a custom HTML template
sudo ./GhostAP.sh -i wlan0 -s "FreeWifi" --captive --internet -si eth0 \
    --captive-template /path/to/portal/index.html

Secure Access Point with VPN Routing

# Using an OpenVPN config
sudo ./GhostAP.sh -i wlan0 -s "VPNAccess" --vpn "/path/to/vpn.ovpn"

# Using a WireGuard config
sudo ./GhostAP.sh -i wlan0 -s "VPNAccess" --vpn "/path/to/wg0.conf"

# Routing through an existing VPN interface
sudo ./GhostAP.sh -i wlan0 -s "VPNAccess" --vpn-interface tun0

Command Line Options

Basic Options

Option                   Description
--int, --interactive     Start in interactive mode
--config FILE            Load configuration from file
--save NAME              Save current configuration with name
--help                   Show help message

Interface Options

Option                           Description
-i, --interface IFACE            Wireless interface to use
-si, --source-interface IFACE    Source interface for internet sharing
--vpn [CONFIG]                   Enable VPN routing (optional .ovpn/.conf)
--vpn-interface IFACE            Use an existing VPN interface
--vpn-creds USER:PASS            OpenVPN credentials (non-interactive)
--clone SSID                     Clone an existing AP by SSID

Network Options

Option                   Description
-s, --ssid SSID          Network name (SSID)
-c, --channel CHANNEL    WiFi channel (1-14)
--security TYPE          Security type (open/wpa2/wpa3)
--password PASSWORD      WiFi password (for WPA2/WPA3)
--subnet OCTET           Subnet third octet (0-255)
--dns IP                 DNS server IP address
-m, --mac MAC            MAC address to use

Feature Options

Option               Description
--internet           Enable internet sharing
--capture [FILE]     Enable packet capture
--spoof "DOMAINS"    Enable DNS spoofing (Format: dom.com=1.2.3.4|dom2.com|...)
--spoof-target IP    Default target IP for DNS spoofing (when domain has no explicit IP)
--block-doh          Block DNS-over-HTTPS to enforce DNS spoofing

Proxy Options

Option               Description
--local-proxy        Redirect traffic to local port (default 8080)
--remote-proxy       Redirect traffic to a remote host/port (DNAT)
--proxy              Redirect traffic to an upstream proxy (redsocks)
--proxy-host HOST    Proxy server host/IP
--proxy-port PORT    Proxy server port
--proxy-type TYPE    Proxy type (http/socks4/socks5)
--proxy-user USER    Proxy username
--proxy-pass PASS    Proxy password

Captive Portal Options

Option                     Description
--captive                  Enable captive portal (intercepts clients until they submit)
--captive-port PORT        Port for the captive portal server (default: 8880)
--captive-template FILE    Path to a custom HTML file to use as the portal page

Configuration Management

Saving Configurations

sudo ./GhostAP.sh --save myconfig -i wlan0 -s "MyAP" --security wpa2 --password "password"

Loading Configurations

sudo ./GhostAP.sh --config /path/to/myconfig.conf

Note

Command-line arguments always take precedence over configuration file settings.

Configuration File Format

# Network Configuration
INTERFACE="wlan0"
SSID="MyAccessPoint"
CHANNEL="6"
SUBNET="10"
DNS="8.8.8.8"
SECURITY="wpa2"
PASSWORD="mypassword"

# Features
INTERNET_SHARING="true"
SOURCE_INTERFACE="eth0"
DNS_SPOOFING="false"
PACKET_CAPTURE="true"

# Cloning Options
CLONE="false"
CLONE_SSID=""

# Proxy Options
PROXY_ENABLED="false"
PROXY_MODE="TRANSPARENT_LOCAL"
PROXY_HOST=""
PROXY_PORT=""
PROXY_TYPE=""
PROXY_USER=""
PROXY_PASS=""

# VPN Options
VPN_ROUTING="false"
VPN_INTERFACE=""
VPN_CONFIG=""
VPN_CREDS=""

# DNS Spoofing Options
SPOOF_DOMAINS=""
SPOOF_TARGET_IP=""
BLOCK_DOH="false"

# Captive Portal Options
CAPTIVE_PORTAL="false"
CAPTIVE_PORT="8880"
CAPTIVE_TEMPLATE=""
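
The format above keeps PASSWORD, PROXY_PASS and VPN_CREDS as plain text, so a saved configuration is only as private as its file permissions. The following audit is an added example, not part of GhostAP; the function names and the sample file are constructed for illustration, and it assumes GNU stat.

```bash
#!/usr/bin/env bash
# Added example (not GhostAP code): audit a saved config for exposed secrets.

audit_conf() {
    file=$1
    mode=$(stat -c '%a' "$file") || return 2   # GNU stat, as found on Linux
    # Anything other than owner-only access lets other local users read the file.
    case "$mode" in
        0|*00) ;;
        *) echo "mode $mode: readable or writable beyond the owner" ;;
    esac
    for key in PASSWORD PROXY_PASS VPN_CREDS; do
        # Report the key name only, never the stored value.
        if grep -Eq "^${key}=\"[^\"]+\"" "$file"; then
            echo "$key: non-empty secret stored in plaintext"
        fi
    done
}

# Constructed sample in the format shown above, written with a permissive mode.
demo_audit() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
SSID="MyAccessPoint"
SECURITY="wpa2"
PASSWORD="mypassword"
PROXY_PASS=""
VPN_CREDS="user:pass"
EOF
    chmod 644 "$sample"
    audit_conf "$sample"
    rm -f "$sample"
}

demo_audit
```

A file with mode 600 and no populated secret keys produces no output.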

Advanced Features

DNS Spoofing

Redirect specific domains to custom IP addresses:

# Spoof specific domains with explicit IPs
sudo ./GhostAP.sh --spoof "example.com=192.168.1.100|test.com=10.0.0.1"

# Spoof domains to default target (AP IP or custom target)
sudo ./GhostAP.sh --spoof "example.com|test.com" --spoof-target 192.168.1.50

# Mix explicit and default targets
sudo ./GhostAP.sh --spoof "example.com=192.168.1.100|test.com" --spoof-target 10.0.0.1

# Spoof with DoH blocking to prevent DNS bypass
sudo ./GhostAP.sh --spoof "example.com" --block-doh

Note

When DNS spoofing is enabled without --spoof-target, domains without explicit IPs default to the AP's IP address (192.168.X.1).

Important

Use --block-doh to block DNS-over-HTTPS traffic and force clients to use your DNS server. This prevents clients from bypassing DNS spoofing by using encrypted DNS services like Google DoH or Cloudflare DoH.

Packet Capture

Captured packets are saved to the current directory (or specified path) with timestamps:

ls -la *.pcap

Proxy Routing

GhostAP supports three advanced proxying modes in a tool-agnostic manner:

1. Local Transparent Proxy (--local-proxy or --proxy-mode TRANSPARENT_LOCAL)

Redirects client traffic to a local port (default 8080) for interception:

  • Transparently redirects HTTP (80) and HTTPS (443) traffic.
  • Allows you to manually run your favorite tool (e.g., mitmproxy, Burp Suite) on the specified port.
  • Traffic flow: Client → AP → Local Interceptor (8080) → Internet

sudo ./GhostAP.sh --local-proxy -s "InterceptAP"
# Now start your interceptor tool on port 8080

2. Upstream Proxy (--proxy or --proxy-mode TRANSPARENT_UPSTREAM)

Forwards intercepted traffic to an external HTTP or SOCKS proxy using redsocks:

  • Transparently redirects traffic to an upstream proxy server.
  • Supports HTTP, SOCKS4, and SOCKS5 proxies.
  • Supports authenticated proxies (username/password).
  • Traffic flow: Client → AP → Redsocks → External Proxy → Internet

sudo ./GhostAP.sh --proxy --proxy-host 10.0.0.5 --proxy-port 3128 --proxy-type http

3. Remote Forwarding (--remote-proxy or --proxy-mode REMOTE_DNAT)

Simple DNAT forwarding to a remote IP/Port:

  • Useful if your interception tool is running on a different machine.
  • No local proxy process is started.
  • Traffic flow: Client → AP → Remote Host (DNAT)

sudo ./GhostAP.sh --remote-proxy --proxy-host 10.0.0.10 --proxy-port 8080

Connected Devices Monitoring

The script monitors connected clients in real-time by watching DHCP leases. It displays:

  • MAC Address
  • Assigned IP Address
  • Device Hostname (if available)

VPN Routing

GhostAP provides robust VPN routing using Policy-Based Routing (PBR):

  • Traffic Isolation: All traffic from the AP is routed through the VPN tunnel.
  • Kill Switch: Built-in firewall rules prevent traffic leaks if the VPN connection drops.
  • Multiple Backends:
    • OpenVPN: Full support for .ovpn configurations with credential management.
    • WireGuard: Native support for .conf profiles.
    • Existing Interface: Use already running VPN tunnels (tun, wg, proton, etc.).
  • Automatic Configuration: Detects and configures routing tables and NAT rules automatically.

# Enable VPN with an OpenVPN profile
sudo ./GhostAP.sh --vpn client.ovpn --vpn-creds "user:pass"

Caution

When VPN routing is enabled, a kill switch is active. This will block all internet traffic from clients if the VPN interface is not up.

Captive Portal

GhostAP can intercept connecting clients with a captive portal — the same mechanism used by hotel and airport Wi-Fi networks. Clients are blocked from internet access until they submit the portal form (e.g. accept terms, enter credentials).

How it works:

  1. DNS wildcard (address=/#/...) in dnsmasq redirects all lookups to the AP.
  2. An iptables rule redirects all client HTTP traffic to the built-in Python portal server.
  3. HTTPS is blocked with a TCP-reset until the client is whitelisted.
  4. When a client submits the form (POST /accept), the server:
    • Logs any submitted fields (credentials, etc.) to a timestamped file in Output/.
    • Inserts per-client iptables rules to allow full internet access.
    • Restores the client's DNS to the real upstream server.
  5. OS captive-portal detection probes (iOS, Android, Windows, Firefox) are handled so the "Sign in to network" dialog appears automatically.
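
Step 1 is visible from the client side: a resolver that wildcards every lookup will also answer for names that must never resolve. The following check is an added example, not part of GhostAP; the function name, the canary name and both sample answer sets are constructed, and the input is assumed to be "name address" pairs collected by the client (for example with getent hosts).

```bash
#!/usr/bin/env bash
# Added example (not GhostAP code): classify the DNS answers a client receives.
# Input on stdin: one "<queried-name> <answer-ip>" pair per line.

# Constructed sample: answers behind a resolver that wildcards every lookup.
SAMPLE_WILDCARD='example.com 192.168.10.1
wikipedia.org 192.168.10.1
probe-7f3a.invalid 192.168.10.1'

# Constructed sample: ordinary answers (documentation ranges); the canary got none.
SAMPLE_NORMAL='example.com 203.0.113.10
wikipedia.org 198.51.100.7'

dns_verdict() {
    awk '
    NF >= 2 {
        names++
        if (!($2 in seen)) { seen[$2] = 1; distinct++ }
        last = $2
        # .invalid is reserved by RFC 6761 and must never resolve.
        if ($1 ~ /\.invalid\.?$/) canary_ip = $2
    }
    END {
        private = (last ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
        if (canary_ip != "") {
            print "wildcard: reserved name answered with " canary_ip
        } else if (names >= 2 && distinct == 1 && private) {
            print "suspect: every name maps to " last
        } else {
            print "ok"
        }
    }'
}

printf '%s\n' "$SAMPLE_WILDCARD" | dns_verdict
printf '%s\n' "$SAMPLE_NORMAL" | dns_verdict
```

A "wildcard" verdict means answers are being rewritten by the network; hotel and airport portals trigger it too, so treat it as a reason to avoid entering credentials until the network is verified.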

Custom templates:

You can supply your own HTML portal page. The entire directory containing the specified file is served, preserving any folder structure (CSS, JS, images, sub-directories). The supplied file becomes the entry point (index.html). The form must POST to /accept to trigger client whitelisting.

# Built-in portal
sudo ./GhostAP.sh -i wlan0 -s "FreeWifi" --security open --captive --internet -si eth0

# Custom template
sudo ./GhostAP.sh --captive --captive-template /path/to/portal/login.html --internet -si eth0

# Custom port
sudo ./GhostAP.sh --captive --captive-port 9090 --internet -si eth0

Note

Captive portal requires python3. Captured credentials are saved to Output/captive_credentials-<timestamp>.txt.

Warning

Using captive portal together with --proxy or --spoof may cause conflicts, as all three features manipulate HTTP traffic and/or DNS. Use only one at a time.

Architecture

GhostAP uses a modular architecture with separate modules for each feature:

GhostAP/
├── GhostAP.sh           # Main entry point
└── src/
    ├── globals.sh       # Global variables and constants
    ├── utils.sh         # Logging, validation, cleanup functions
    ├── config.sh        # Configuration management and argument parsing
    ├── ui.sh            # User interface and status display
    ├── interface.sh     # Wireless interface management
    ├── hostapd.sh       # Access point configuration
    ├── dnsmasq.sh       # DHCP/DNS server and spoofing
    ├── internet.sh      # NAT and internet sharing
    ├── proxy.sh         # Proxy routing (Interception/Redsocks)
    ├── capture.sh       # Packet capture with tshark
    ├── captive.sh       # Captive portal server and iptables whitelisting
    └── services.sh      # Service lifecycle management

Monitoring and Logs

Real-time Log Monitoring

tail -f Logs/GhostAP.log

Service-specific Logs

  • Logs/hostapd.log - Access point service logs
  • Logs/dnsmasq.log - DHCP/DNS service logs
  • Logs/tshark.log - Packet capture logs
  • Logs/redsocks.log - Proxy service logs (when applicable)
  • Logs/captive.log - Captive portal server logs (when applicable)

Security Considerations

⚠️ Important Security Notes:

  1. Legal Usage: Only use this tool on networks you own or have explicit permission to test
  2. Packet Capture: May capture sensitive information - handle responsibly
  3. DNS Spoofing: Can redirect legitimate traffic - use carefully
  4. Proxy Routing: All traffic may be intercepted - ensure proper authorization

Troubleshooting

Common Issues

Interface Not Found

# List available wireless interfaces
iw dev

Permission Denied

# Ensure running as root
sudo ./GhostAP.sh

Service Start Failures

# Check system logs
journalctl -u hostapd
journalctl -u dnsmasq

No Internet Access

  • Verify source interface has internet connectivity
  • Check iptables rules: iptables -L -n -t nat
  • Ensure IP forwarding is enabled: cat /proc/sys/net/ipv4/ip_forward

Debug Mode

Enable debug logging:

DEBUG=1 sudo ./GhostAP.sh

Stopping the Access Point

Press Ctrl+C to gracefully stop the access point. The script will:

  • Terminate all started services
  • Remove iptables rules
  • Restore interface to managed mode
  • Clean up temporary files
  • Save packet captures (if enabled)

Contributing

Contributions are welcome! Please ensure:

  • Code follows existing style conventions
  • New features include appropriate error handling
  • Documentation is updated for new options
  • Security implications are considered

License

Licensed under the GNU General Public License v3

Support

For issues and questions:

  1. Check the troubleshooting section
  2. Review log files for error details
  3. Ensure all dependencies are installed
  4. Verify interface compatibility with AP mode

Disclaimer: This tool is intended for authorized network testing and educational purposes only. Unauthorized access to networks is illegal and unethical. Always obtain proper permission before testing network security.
