Evil-Twin Attack
Last updated
This is for educational purposes and only to be performed on networks you have permission to do so.
Basic info on wireless can be found . This will be a walkthrough on performing an and .
An evil twin is a fake wireless access point (AP) that looks like a real one. The concept is to set up a malicious wireless network with the same SSID as the target.
A WiFi adapter that supports monitor mode and packet injection is not required for this. It is required, though, if you want to kick clients off their network so they connect to ours.
I myself have and recommend these adapters:
<-- Capable of 2.4GHz and 5GHz
<-- Capable of 2.4GHz and 5GHz
<-- Capable of 2.4GHz and 5GHz (This more than likely *will* require driver installation)
<-- Capable of 2.4GHz and 5GHz
First we install the prerequisites.
Next we find our target. I will target "Open-WiFi" in this example; we use airodump-ng for this.
Kill any processes that may interfere.
Now put the interface into monitor mode if we're going to deauthenticate a client.
Create the dnsmasq.conf file.
Note the commented-out lines. If we uncomment #address=/#/10.0.0.1, clients will be able to connect but will not get internet access, because the pound sign (#) is a wildcard for dnsmasq: every DNS name resolves to 10.0.0.1. Clients connect to the AP and are immediately asked to sign in to the Evil Portal that is set up. Instead, we can redirect specific websites back to our Evil Portal.
Create hostapd.conf and fill it in with the target info.
Assign the interface a gateway and netmask
Add the routing table
Set up a simple script for the iptables rules with:
I named mine IP-Tables.sh. Make it executable and run it.
If you want the AP set up without a captive portal, just run dnsmasq and hostapd.
Start dnsmasq with:
Start hostapd with:
We can run the command with -B at the end to push it to the background, though if we do this we don't see when a client connects.
Put your captive portal files in the /var/www/html/ directory.
Edit /etc/apache2/sites-enabled/000-default.conf and add the following to the end:
Start the web server
Start dnsmasq with:
Start the hostapd AP with:
We can run the command with -B at the end to push it to the background, though if we do this we don't see when a client connects.
Once we're ready, we can disconnect clients from their network so they connect to ours with aireplay-ng.
Or, if we want to deauth a specific client:
The -0 0 option will send deauth packets continuously until stopped. We can change it to -0 10 to send just 10 deauth packets.
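The two behaviours this walkthrough relies on, a second BSSID advertising the target's SSID and a burst of deauthentication frames, are also what a defender looks for. The following is an added example, not code from the original page: it runs two simple detectors over constructed scan and capture records. The record layouts, the vendor-OUI heuristic and the threshold values are assumptions for illustration, not the schema of airodump-ng or Wireshark.

```python
"""Evil-twin and deauth-flood detection over constructed records.

Added example, not part of the original page. Input records are constructed to
resemble airodump-ng / Wireshark output; the field layout is an assumption.
"""
from collections import defaultdict

# Constructed beacon observations: (ssid, bssid, channel, privacy)
BEACONS = [
    ("Open-WiFi", "AA:BB:CC:00:00:01", 6, "OPN"),
    ("CorpNet", "AA:BB:CC:00:00:02", 1, "WPA2"),
    ("CorpNet", "AA:BB:CC:00:00:03", 11, "WPA2"),   # second legit radio, same vendor OUI
    ("CorpNet", "DE:AD:BE:EF:00:01", 6, "OPN"),     # constructed rogue "twin"
]

# Constructed management-frame log: (timestamp_s, subtype, src, dst)
# Twelve deauths in just over half a second from the rogue BSSID, then one
# ordinary deauth from a legitimate AP a few seconds later.
FRAMES = [(0.05 * i, "deauth", "DE:AD:BE:EF:00:01", "FF:FF:FF:FF:FF:FF") for i in range(12)]
FRAMES += [
    (5.0, "deauth", "AA:BB:CC:00:00:02", "11:22:33:44:55:66"),
    (5.1, "beacon", "AA:BB:CC:00:00:02", "FF:FF:FF:FF:FF:FF"),
]

DEAUTH_THRESHOLD = 10   # assumed tuning value: deauths per window that count as a flood
WINDOW_S = 1.0          # assumed sliding-window length in seconds


def find_evil_twins(beacons):
    """Flag BSSIDs that share an SSID but differ in security or vendor OUI.

    Returns a list of findings; each has ssid, bssid, channel and reasons.
    """
    by_ssid = defaultdict(list)
    for ssid, bssid, channel, privacy in beacons:
        by_ssid[ssid].append((bssid, channel, privacy))

    findings = []
    for ssid, aps in by_ssid.items():
        if len(aps) < 2:
            continue                      # a single BSSID cannot be a twin
        privacies = {p for _, _, p in aps}
        ouis = [b[:8].upper() for b, _, _ in aps]
        majority_oui = max(set(ouis), key=ouis.count)
        for bssid, channel, privacy in aps:
            reasons = []
            if len(privacies) > 1 and privacy == "OPN":
                reasons.append("open AP shares SSID with an encrypted AP")
            if bssid[:8].upper() != majority_oui:
                reasons.append(f"vendor OUI {bssid[:8]} differs from majority {majority_oui}")
            if reasons:
                findings.append({"ssid": ssid, "bssid": bssid,
                                 "channel": channel, "reasons": reasons})
    return findings


def find_deauth_floods(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_S):
    """Return {src: peak_count} for sources sending >= threshold deauths in any window."""
    times = defaultdict(list)
    for ts, subtype, src, _dst in frames:
        if subtype == "deauth":
            times[src].append(ts)

    floods = {}
    for src, ts_list in times.items():
        ts_list.sort()
        peak, start = 0, 0
        for end in range(len(ts_list)):           # sliding window over sorted timestamps
            while ts_list[end] - ts_list[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[src] = peak
    return floods


if __name__ == "__main__":
    for f in find_evil_twins(BEACONS):
        print(f"possible evil twin of {f['ssid']!r}: {f['bssid']} ch{f['channel']}: "
              + "; ".join(f["reasons"]))
    for src, n in find_deauth_floods(FRAMES).items():
        print(f"deauth flood from {src}: {n} frames within {WINDOW_S}s")
```

The OUI check is only a heuristic (an attacker can set any MAC), so it is paired with the security-mode check; in practice a defender would also compare against an allow-list of known BSSIDs for each SSID.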
As the user attempts to go to any page, they are taken to a login portal, asked to enter a username/password on the portal, and it will be captured.
We look for an HTTP POST request, then "HTML Form URL Encoded", where we will see their credentials. Useful Wireshark display filters:
dns && ip.addr==(IP) shows the sites a given client is going to.
frame contains (word) searches frames for a given word.
http.request.method=="POST" shows us the login submissions.
You can also use a device such as . This primarily works on open networks.
Once they are connected, or even before, we can start intercepting traffic with whatever tools we want, like , , , etc. In this case I'll use Wireshark on wlan0, the interface I was broadcasting from.