Wifiphisher - Client connects and gets IP but can’t reach gateway/captive portal
2026-2-2 14:40:58 Author: www.reddit.com

DISCLAIMER: I am testing exclusively on hardware I own (personal devices, isolated network) for educational purposes and security research. Everything described here is legal in my context and on infrastructure that I own. This is NOT for attacking networks I don’t own or have permission to test.

Hey everyone, I'm troubleshooting a really frustrating Wifiphisher issue on Kali NetHunter and could use some help. My victim device (MacBook Air) connects to the rogue AP, receives an IP via DHCP, but cannot communicate with the gateway at all: no ping, no HTTP, nothing.

Setup:

- Kernel: EmberHeart (custom kernel by nulloptrss)

- Also tried with -iNM flag to disable MAC randomization

Configuration:

- iptables NAT rules configured correctly

- dnsmasq bound to wlan0

The problem:

The MacBook test device connects to the AP and receives IP 10.0.0.79 correctly via DHCP. However:

- Cannot ping 10.0.0.1 from client

- Captive portal doesn't appear automatically

- Manually visiting 10.0.0.1:8080 fails (connection timeout)

- Client can resolve gateway MAC via ARP but packets don't go through

What I've already tried:

  1. MAC randomization: Disabled with -iNM flag - no change

  2. Manual iptables configuration: Configured rules before starting wifiphisher - same result

  3. Different dnsmasq configs: Tried various configurations - dnsmasq is running and listening

Test Script Output:

```
=== TEST CONFIGURATION ===
[*] Backup iptables rules...
[+] Backup saved in /tmp/iptables_backup.rules
[*] Configuring interface wlan0...
[+] wlan0 configured with IP 10.0.0.1
[*] Configuring iptables for wifiphisher...
[+] Iptables configured
[*] Starting dnsmasq...
[+] Dnsmasq started

=== CURRENT STATUS ===
[*] Interfaces:
44: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 3000
inet 10.0.0.1/24 scope global wlan0
[*] NAT Rules:
Chain PREROUTING (policy ACCEPT 755 packets, 171K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- wlan0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:10.0.0.1:8080
0 0 DNAT tcp -- wlan0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:10.0.0.1:443
0 0 DNAT udp -- wlan0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:10.0.0.1:53
0 0 DNAT tcp -- wlan0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:10.0.0.1:53
[*] Active Processes:
nobody 515 0.0 0.0 14084 472 ? S 13:34 0:00 dnsmasq -C /tmp/dnsmasq_wifiphisher.conf
[*] Listening Ports:
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 515/dnsmasq
tcp 0 0 10.0.0.1:8080 0.0.0.0:* LISTEN 5177/python
tcp6 0 0 :::53 :::* LISTEN 515/dnsmasq
[*] IP Forwarding: 1
```

Notice: NAT rules show 0 packets matched, even though tcpdump shows traffic coming from the client! The HTTP server IS running on 8080 (Python process), but clients can't reach it.

tcpdump Output (relevant parts):

```
22:33:22.255694 IP 10.0.0.1.bootps > 10.0.0.79.bootpc: BOOTP/DHCP, Reply, length 300
22:33:24.589711 ARP, Reply 10.0.0.1 is-at 00:00:00:ce:1c:88 (oui Ethernet), length 28
22:33:26.145438 IP 10.0.0.79.52705 > 10.0.0.1.domain: 15318+ HTTPS? captive.apple.com. (35)
22:33:26.242535 IP 10.0.0.79.50283 > 10.0.0.1.domain: 33904+ A? captive.apple.com. (35)
22:33:27.779015 IP 10.0.0.79 > 10.0.0.1: ICMP echo request, id 10555, seq 742, length 64
22:33:47.849003 IP 10.0.0.79.63106 > 10.0.0.1.http-alt: Flags [S], seq 1538471952, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 288749658 ecr 0,sackOK,eol], length 0
22:33:48.244571 IP 10.0.0.79.53643 > 10.0.0.1.snmp: GetRequest(98)
22:33:48.246147 IP 10.0.0.79.52541 > 10.0.0.1.domain: 2+ PTR? 1.0.0.10.in-addr.arpa. (39)
```

As you can see:

- DHCP works (client receives 10.0.0.79)

- ARP works (client resolves gateway MAC)

- DNS queries arrive (but no replies)

- ICMP echo requests arrive (no replies)

- TCP SYN to port 8080 arrives (no SYN-ACK)

- SNMP requests arrive

The traffic is clearly reaching wlan0, but the system is not responding to anything. It's like packets are being black-holed somewhere between the interface and the application layer.

My suspicion:

I'm starting to think this is a hostapd issue rather than a kernel/netfilter problem. The fact that packets arrive but never get processed by the listening services is suspicious. I was considering trying roguehostapd (from the same author as wifiphisher) instead of the standard hostapd, but there's no clear documentation on how to integrate it with wifiphisher on NetHunter.

Alternatively, this could still be a kernel-level issue with the EmberHeart kernel. Android kernels often have limited netfilter module support, and maybe some critical modules are missing. I'm considering reaching out to the developer (nulloptrss) to request implementation of necessary iptables/netfilter modules.

Questions:

  1. Has anyone successfully run Wifiphisher on NetHunter with similar hardware?

  2. Could this be related to hostapd not properly bridging packets to the system?

  3. Has anyone used roguehostapd with wifiphisher on NetHunter? Any guides?

  4. Could this be missing netfilter kernel modules (nf_nat_redirect, xt_REDIRECT, etc.)?

  5. Is there a way to verify which netfilter modules are loaded/available?

  6. Should I be using iptables-legacy instead of iptables-nft?

What I've verified:

- IP forwarding is enabled

- iptables rules are present and correct

- dnsmasq is running and bound to wlan0

- wifiphisher's HTTP server IS listening on 8080

- No firewall blocking local connections

- ARP resolution works

- Packets arrive at wlan0 (confirmed via tcpdump)

I'm completely stumped. Everything looks correct in configuration but packets just disappear after reaching the interface. Any help would be greatly appreciated!
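
The request/reply reading of the tcpdump excerpt in the post can be done mechanically. This is an added example, not part of the original post: the capture lines are the ones quoted above, and the function names `summarize` and `unanswered` are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the tcpdump excerpt quoted in the post.
CAPTURE = """\
22:33:22.255694 IP 10.0.0.1.bootps > 10.0.0.79.bootpc: BOOTP/DHCP, Reply, length 300
22:33:24.589711 ARP, Reply 10.0.0.1 is-at 00:00:00:ce:1c:88 (oui Ethernet), length 28
22:33:26.145438 IP 10.0.0.79.52705 > 10.0.0.1.domain: 15318+ HTTPS? captive.apple.com. (35)
22:33:26.242535 IP 10.0.0.79.50283 > 10.0.0.1.domain: 33904+ A? captive.apple.com. (35)
22:33:27.779015 IP 10.0.0.79 > 10.0.0.1: ICMP echo request, id 10555, seq 742, length 64
22:33:47.849003 IP 10.0.0.79.63106 > 10.0.0.1.http-alt: Flags [S], seq 1538471952, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 288749658 ecr 0,sackOK,eol], length 0
22:33:48.244571 IP 10.0.0.79.53643 > 10.0.0.1.snmp: GetRequest(98)
22:33:48.246147 IP 10.0.0.79.52541 > 10.0.0.1.domain: 2+ PTR? 1.0.0.10.in-addr.arpa. (39)
"""

IP_LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
ARP_REPLY = re.compile(r"^\S+ ARP, Reply (\S+) is-at ")
ENDPOINT = re.compile(r"^(\d+\.\d+\.\d+\.\d+)(?:\.(\S+))?$")  # addr[.port]

def split_endpoint(text):
    """Split tcpdump's 'a.b.c.d.port' into (address, port); port may be None."""
    m = ENDPOINT.match(text)
    return (m.group(1), m.group(2)) if m else (text, None)

def summarize(capture, gateway):
    """Count, per service, packets sent to the gateway and packets it sent back.
    The service key is the gateway-side port exactly as tcpdump printed it
    (a name here; a number if the capture was taken with -n)."""
    counts = defaultdict(lambda: {"requests": 0, "replies": 0})
    for line in capture.splitlines():
        arp = ARP_REPLY.match(line)
        if arp:
            if arp.group(1) == gateway:
                counts["arp"]["replies"] += 1
            continue
        m = IP_LINE.match(line)
        if not m:
            continue  # not an IPv4 line in the expected format
        (src, sport), (dst, dport) = split_endpoint(m.group(1)), split_endpoint(m.group(2))
        if m.group(3).startswith("ICMP echo"):
            service = "icmp"
        else:
            service = (sport if src == gateway else dport) or "other"
        if src == gateway:
            counts[service]["replies"] += 1
        elif dst == gateway:
            counts[service]["requests"] += 1
    return dict(counts)

def unanswered(summary):
    """Services that received traffic but never produced a packet in return."""
    return sorted(s for s, c in summary.items() if c["requests"] and not c["replies"])

if __name__ == "__main__":
    print(unanswered(summarize(CAPTURE, "10.0.0.1")))
```

On the excerpt this lists `domain`, `http-alt`, `icmp` and `snmp` as unanswered, while `bootps` and `arp` each show one packet from the gateway.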


Source: https://www.reddit.com/r/HowToHack/comments/1qtwtt7/wifiphisher_client_connects_and_gets_ip_but_cant/