How to Create Fake Access Points using Scapy in Python

Creating fake access points and fooling nearby devices by sending valid beacon frames to the air using scapy in python.
Abdou Rockikz · 5 min read · Updated oct 2019 · Ethical Hacking · Packet Manipulation Using Scapy

Ever wondered how does your laptop or mobile phone know which wireless networks are available nearby ? It is actually very simple, Wireless Access Points continually send beacon frames to all nearby wireless devices, these frames include informations about the access point, such as the SSID ( name ), type of encryption, MAC address, etc.

In this tutorial, you will learn how can you send beacon frames into the air using Scapy to successfully forge fake access points!

Necessary packages to install for this tutorial:

pip3 install faker scapy

Let's start with a simple recipe:

from scapy.all import *

# interface to use to send beacon frames, must be in monitor mode
iface = "wlan0mon"
# generate a random MAC address (built-in in scapy)
sender_mac = RandMAC()
# SSID (name of access point)
ssid = "Test"
# 802.11 frame
dot11 = Dot11(type=0, subtype=8, addr1="ff:ff:ff:ff:ff:ff", addr2=sender_mac, addr3=sender_mac)
# beacon layer
beacon = Dot11Beacon()
# putting ssid in the frame
essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid))
# stack all the layers and add a RadioTap
frame = RadioTap()/dot11/beacon/essid
# send the frame in layer 2 every 100 milliseconds forever
# using the `iface` interface
sendp(frame, inter=0.1, iface=iface, loop=1)

Note: If you didn't install scapy yet, you need to install it, head to this tutorial or the official scapy documentation for installation.

First, we imported Scapy, then we specify the interface to use, it must be in monitor modemake sure you're in a linux machine, we gonna need airmon-ng command installed, I'm using Kali, so aircrack-ng is already installed here, otherwise install it by the following command:

apt-get install aircrack-ng

Next, we need to enable our interface ( I have a USB WLAN stick, "wlan0" ) into monitor mode, to do it, just type:

root@rockikz:~# airmon-ng check kill

Killing these processes:

  PID Name
  735 wpa_supplicant
root@rockikz:~# airmon-ng start wlan0

PHY    Interface    Driver     Chipset

phy0   wlan0        ath9k_htc  Atheros Communications, Inc. TP-Link TL-WN821N v3 / TL-WN822N v2 802.11n [Atheros AR7010+AR9287]

               (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
               (mac80211 station mode vif disabled for [phy0]wlan0)

It should be all good now, going back to the Python script, we generate a random MAC address as well as a name of our access point we want to create and then we create a 802.11 frame, the fields are:

  • type=0:  indicates that it is a management frame.
  • subtype=8:  indicates that this management frame is a beacon frame.
  • addr1: refers to the destination MAC address, in other words, the receiver's MAC address, we use the broadcast address here ("ff:ff:ff:ff:ff:ff"), if you want this fake access point to appear only in a target device, you can use the target's MAC address.
  • addr2: source MAC address, the sender's MAC address.
  • addr3: the MAC address of the access point.

So we should use the same MAC address of addr2 and addr3, that's because the sender is the access point!

We create our beacon frame with ssid infos and then stack them all together and send them using sendp() function.

After we setup our interface into monitor mode and execute the script, we should see something like that in the list of available Wi-Fi access points:

Fake Access Point

Now let's get a little bit fancier and create many fake access points in the same time:

from scapy.all import *
from threading import Thread
from faker import Faker

def send_beacon(ssid, mac, infinite=True):
    dot11 = Dot11(type=0, subtype=8, addr1="ff:ff:ff:ff:ff:ff", addr2=mac, addr3=mac)
    # ESS+privacy to appear as secured on some devices
    beacon = Dot11Beacon(cap="ESS+privacy")
    essid = Dot11Elt(ID="SSID", info=ssid, len=len(ssid))
    frame = RadioTap()/dot11/beacon/essid
    sendp(frame, inter=0.1, loop=1, iface=iface, verbose=0)

if __name__ == "__main__":
    # number of access points
    n_ap = 5
    iface = "wlan0mon"
    # generate random SSIDs and MACs
    faker = Faker()
    ssids_macs = [ (, faker.mac_address()) for i in range(n_ap) ]
    for ssid, mac in ssids_macs:
        Thread(target=send_beacon, args=(ssid, mac)).start()

All I did here, is wrapping the previous lines of code in a function, and generate random MAC addresses and SSIDs using faker package, and then start a separate thread for each access point, once you execute the script, the interface will send 5 beacons each 100 milliseconds (at least in theory), this will result to an appearing of five fake access points, check this out:

Fake Access Points

Here is how it looks on Android:

Fake Access Points

That is amazing, note that attempting to connect to one of these access points will fail, as they are not real access points!

RELATED: How to Make a DNS Spoof attack using Scapy in Python.

Alright that's it, Happy Crafting ♥

View Full Code
Sharing is caring!

Read Also

Comment panel

Comment system is still in Beta, if you find any bug, please consider contacting us here.