PenTest Edition: Creating an “Evil Twin” with Aircrack-ng [Tutorial]

Prerequisites:

An “Evil Twin” attack is something you might want to perform if you’re a hired whitehat or you’re studying for an ethical hacking certification, but never for malicious reasons! Before we set sail, we have some prereqs we have to meet:

  • You’ll need to be running the latest version of Kali Linux. The current version is 2018.1. Kali Linux is a Debian-based Linux distribution aimed at advanced penetration testing and ethical hacking. It comes pre-installed with hundreds of penetration testing programs, including aircrack-ng. Personally, I run Kali Linux on a Debian 9.x 64-bit VMware Workstation guest.
  • You’ll also need a wireless network adapter that supports monitor mode. There are all sorts of network adapters out there that you can connect to your PC via USB. You can go for the adapters with the more conspicuous look (multiple big antennas) or the less conspicuous versions (USB flash stick-size). For now, I am using my Alfa AWUS036NHA.


What’s an Evil Twin?

When you connect to WiFi, your device connects to an Access Point (AP). That AP has an “SSID,” or “Service Set Identifier.” The SSID is just the network name (e.g., “Free Wifi,” “Starbucks-Guest,” “Marriott-Guest,” “Cafe-Latte,” etc.). Either the AP has DHCP features or there is a DHCP server on the network that assigns you an IP address for that network. You’re also provided the DNS settings so you can look up Web sites. An interesting thing is that hackers can use their laptops or mobile devices to create fake APs that are a “clone” of the real AP. Hackers can then force you off the real, legitimate AP and connect you to their evil AP. It looks something like this:

[Diagram: a client forced off the legitimate AP and onto the Evil Twin]

In this tutorial, I’m going to show you how to create a fake wireless Access Point (AP) by converting our own PC into a clone of the target AP. For this demonstration, I am going to create an Evil Twin of my home network. (Note: Typically, the better alternative is to create an Evil Twin of an open wireless network, such as a hotel, cafe, airport, gym, etc. This is where the attack really shines.) This is a type of rogue AP attack that clones the legitimate SSID; therefore, we call it an “Evil Twin” attack. If clients unexpectedly connect to this rogue AP, they’re in trouble.


The information provided on the cybersecurityman is for educational purposes only. I am in no way responsible for any misuse of the information provided. All the information here is meant to provide the reader with the knowledge to defend against hackers and prevent the attacks discussed here. At no time should any reader attempt to use this information for illegal purposes.


If you’d like to see a video tutorial of an Evil Twin attack, you can check out my video here.

Introduction

There are many ways we can create an Evil Twin. Most of these require configuring your PC to act as a fake DHCP server in order to allocate IP addresses to the victims connected to the Evil Twin; however, this would require pulling up the dhcpd.conf file and adding in the IP configurations and uncommenting lines, such as the subnet, mask, IP address ranges, gateway, and DNS settings. I’ve discovered a bit of an easier alternative to this.

Instead, we can use dnsmasq. This allows us to more easily configure the DHCP and DNS settings. Dnsmasq accepts DNS queries and either answers them from a small, local cache or forwards them to a real, recursive DNS server that you assign. This will allow our victims to surf the Web.

Make sure your OS is up to date and has the tools we need. Type the following in the terminal:

apt-get install isc-dhcp-server

apt-get install dnsmasq

apt-get install hostapd

Once all of the tools are installed, move on to Step 1.

Step 1: Configure the DHCP Server

In the terminal, type the command leafpad /etc/dnsmasq.conf. This will open the dnsmasq.conf file where you can enter the DHCP and DNS settings.

[Screenshot: the edited /etc/dnsmasq.conf]

You need to know the IP configuration of the AP you want to clone. If you don’t know it, you can easily find it by typing ifconfig in the terminal and looking at the network interface of your PC. I’ve entered my correct IP configuration into my dnsmasq.conf file above. As you can see:

  • at0 is the name of the interface we will be using to set up the Evil Twin. We will create this interface in Step 4.
  • The DHCP range will be from 10.0.0.1 to 10.0.0.250. It can actually be anything you want, but this is a sufficient range. This means that our DHCP server will allocate host IP addresses ranging from 1 to 250. Each IP address will be leased for 12 hours.
  • DHCP option 3 is the gateway (router) address handed to clients; the value in the screenshot is 10.0.0.1. (The “SonicWall” note in the screenshot refers to a SonicWall security appliance, which includes a DHCP server to distribute IP addresses, subnet masks, gateway addresses, and DNS server addresses to your network clients. You can use the SonicWall security appliance’s DHCP server or use existing DHCP servers on your network.) My DHCP server is on 10.0.0.1 (my gateway has DHCP capabilities).
  • DHCP option 6 is specifically defined for DNS server address assignment through DHCP. This is also on 10.0.0.1.
  • The upstream DNS server that dnsmasq forwards queries to is Google’s DNS server at 8.8.8.8.
  • And you’ll want to log DHCP leases and DNS queries.

Step 2: Put Network Adapter in Monitor Mode

Now, we need to put our network adapter in “monitor mode.” Most built-in network adapters do not have this capability, so you’ll need to buy a network adapter that can do this. With monitor mode, we will be able to monitor everyone’s network traffic. Put the following command in the terminal:

iwconfig

[Screenshot: iwconfig output showing wlan0 in Managed mode]

This is the result above. You can see that my network interface is wlan0. Yours is probably something similar.

If you noticed, the mode of the interface is set to “Managed,” but we need it in monitor mode. So, type the following command in the terminal:

airmon-ng start wlan0

[Screenshot: airmon-ng start wlan0 output]

Sometimes, a few already-running processes can interfere with airodump-ng, aireplay-ng, and airtun-ng (especially NetworkManager). If that happens, you can kill those processes by typing airmon-ng check kill in the terminal. Now, type iwconfig in the terminal one more time.

[Screenshot: iwconfig output showing wlan0mon in Monitor mode]

After setting wlan0 to monitor mode, it has been renamed to wlan0mon (“mon” = monitor) and the mode was changed to Monitor. Well done, let’s move to step 3.

Step 3: Find the Real AP to Clone

Sometimes, you may not have the SSID of the AP or its MAC address you want to clone. We can find it by typing the following command:

airodump-ng wlan0mon

[Screenshot: airodump-ng output listing nearby APs]

What airodump-ng does is scan through all the channels (1 through 23) to see if it can pick up any broadcast beacons from the APs in the surrounding area. These beacon frames are sent out every second for clients who want to communicate. They include the Extended Service Set Identifier (ESSID), or in layman’s terms, the name of the network with multiple APs. The Basic Service Set Identifier (BSSID) is just the MAC address of the AP that’s servicing a BSS. With airodump-ng, we have identified the network I particularly want to clone for this demonstration: my home network.

  • ESSID = HOME-5432
  • BSSID = FC:51:A4:01:18:D6
  • Channel = 11

Keep this terminal open.

Step 4: Create the Fake AP

Now we need to turn our PC into a cloned version of the AP using Airbase-ng. I’ll type the following command in the terminal to create a clone of my home network:

airbase-ng -e HOME-5432 -c 11 wlan0mon

[Screenshot: airbase-ng output creating the fake AP and the at0 interface]

This command has created a fake HOME-5432 AP on channel 11 and also created a tap interface at0. The fake AP was automatically assigned a new BSSID: 9C:EF:FD:33:FF. If we look in the network settings, we’ll see that our Evil Twin has appeared in the area:

[Screenshot: the Evil Twin listed among available networks]

Remember, if this didn’t work for you, try airmon-ng check kill. This will kill any interfering processes.

Step 5: Set IP Configurations for the Evil Twin

The Evil Twin is running on the at0 interface we created in Step 4, so we will need to configure the IP address and subnet mask for it. You should already have this from the ifconfig network command in Step 1. For me, I will type the following command in the terminal:

ifconfig at0 up

This will bring up the at0 interface and we can now see it displayed if we type the ifconfig network command (it’s at the top of the list).

[Screenshot: ifconfig output with at0 at the top of the list]

But, these aren’t the correct IP configurations I want, so I’ll type the following in the terminal:

ifconfig at0 10.0.0.1 netmask 255.255.255.0

This changes the interface to the correct IP configuration, as seen below. 10.0.0.1 is my default gateway:

[Screenshot: at0 configured with 10.0.0.1/255.255.255.0]

Step 5: Bootup DNS server and DHCP

We need to make sure that any victim connecting to our Evil Twin is allocated an IP address to use (DHCP). Plus, they also need access to a DNS server to resolve domain names. That way, they will be able to surf the Web and travel to their favorite Web sites. Additionally, they won’t be able to access the Internet unless we enable IP forwarding. So, if we enable it, each victim’s network connection will be routed through our network adapter. In my case, it’s wlan0. So, type the following command in the terminal:

dnsmasq -C /etc/dnsmasq.conf -d

[Screenshot: dnsmasq startup output showing the 8.8.8.8 upstream server on UDP port 53]

So, what we’ve done here is start dnsmasq with the dnsmasq.conf file we created earlier. As you see, we are using Google’s DNS server at 8.8.8.8 over the default UDP port 53 (name queries). Now, we need to set up routing and enable IP forwarding by typing the following commands in a new terminal:

route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1

This will add a static route and configure our Evil Twin’s IP address as our default gateway. Now, we have to configure our IP tables to accept the routing of packets through our system with the following two commands:

iptables -P FORWARD ACCEPT

iptables -t nat -A POSTROUTING -o wlan0mon -j MASQUERADE

The final step is to enable IP forwarding with the following command. The “1” enables IP forwarding while a “0” disables it.

echo 1 > /proc/sys/net/ipv4/ip_forward

Great, now move on to the next step.

Step 6: Turn Up the Power


We need to make sure that the signal of our Evil Twin for HOME-5432 overpowers the real AP for HOME-5432. That way, when we bump clients off the real AP, they will reconnect to the stronger signal of our Evil Twin. You can do this with the following command:

iwconfig wlan0mon txpower 27

This turns up the power to 27 dBm or 500 milliwatts; any higher is illegal in the U.S. Now that our power is turned up, we can proceed to the second-to-last step.

Step 7: Deauth


The last step consists of “bumping” clients off the real HOME-5432 network. The 802.11 wireless protocol uses special management frames. 802.11 management frames are part of the MAC layer of the 802.11 protocol. Management frames are used to bootstrap the authentication and association of clients to an AP. Management frames “manage” the connection between an AP and all connected devices. There are various types of management frames, some of which are received by any client within range of an AP, and others which are targeted at connected/connecting devices. The most significant management frame types include:

  • Probe or Beacons
  • Authentication
  • Deauthentication
  • Association
  • Reassociation
  • Disassociation

The Authentication/Deauthentication frames are heavily used by 802.11 during the secure authentication process. They are used to relay the intention of a client to connect to an AP. Even in situations where an AP is using “open” authentication and requires no keying material, an authentication frame procedure is performed. APs can also send deauthentication frames to clients to knock them off the currently connected network.

We are going to send a spoofed deauthentication frame onto the real HOME-5432 network to knock off some clients. We can see what clients are connected to the real HOME-5432 network with the following command.

airodump-ng --bssid FC:51:A4:01:18:D6 wlan0mon

If you see any particular devices you want to deauth off the network, take note of their MAC addresses. You can then use the following command to deauth specific clients, where “xx:xx:xx:xx:xx:xx” is the MAC address of the client station:

aireplay-ng --deauth 0 -a FC:51:A4:01:18:D6 -c xx:xx:xx:xx:xx:xx wlan0mon

You can get the BSSID of the real AP from Step 3. That terminal should still be open.
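The deauthentication frames this step relies on are exactly what a wireless intrusion detection sensor watches for: a legitimate AP sends the occasional deauth to one client, while a deauth flood is a burst of dozens of frames in a few seconds, often addressed to the broadcast MAC. The following detector is an added example written for this page, not code from the original post or from the aircrack-ng project. It works on a constructed list of management-frame summaries (timestamp, subtype, source, destination) with made-up addresses; in a real deployment those tuples would come from a monitor-mode capture. The subtype numbers are the 802.11 values (12 for deauthentication, 10 for disassociation); the window and threshold are assumed tuning values.

```python
# Added example (not from the original post): detect deauthentication floods
# from a stream of 802.11 management-frame summaries.
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10          # 802.11 management subtypes
BROADCAST = "FF:FF:FF:FF:FF:FF"

# Constructed capture (addresses are made up): one ordinary deauth to a single
# client at t=0, then 25 broadcast deauths spoofing the AP's address within
# two seconds, which is the shape a continuous deauth run produces.
FRAMES = [(0.0, DEAUTH, "AA:BB:CC:00:00:01", "11:22:33:44:55:66")]
FRAMES += [(10.0 + i * 0.08, DEAUTH, "AA:BB:CC:00:00:01", BROADCAST)
           for i in range(25)]


def detect_deauth_floods(frames, window=2.0, threshold=10):
    """Slide a time window over deauth/disassoc frames per source address and
    raise one alert per source once more than `threshold` such frames are seen
    inside `window` seconds. `window` and `threshold` are assumed tuning
    values; real sensors pick them per environment.

    Each frame is (timestamp_seconds, subtype, source_mac, dest_mac).
    Returns a list of alert dicts with the burst's source, count, time span
    and whether any frame in the burst was broadcast-addressed.
    """
    recent = defaultdict(deque)   # source MAC -> frames inside the window
    alerts, alerted = [], set()
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop frames that fell out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "count": len(q),
                "first_seen": q[0][0],
                "last_seen": ts,
                # A legitimate AP rarely deauthenticates every client at once.
                "broadcast": any(d == BROADCAST for _, d in q),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(FRAMES):
        print("deauth flood from %(source)s: %(count)d frames between "
              "t=%(first_seen).2fs and t=%(last_seen).2fs, broadcast=%(broadcast)s"
              % alert)
```

The single deauth at t=0 never trips the threshold, so it produces no alert; the burst does, and the alert records the spoofed source (the real AP's BSSID) and that the frames were broadcast-addressed, which is the detail a defender uses to tell a flood from normal AP housekeeping.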

Step 8: Now, We Wait


Now that the client(s) have been bumped off the real HOME-5432 network, they will connect to the strongest signal in the area, which is my Evil Twin of HOME-5432. Since my actual home network uses encryption, clients are probably not going to seamlessly connect to my Evil Twin without noticing. But, I could just set it to WPA2 if I know the password. That’s why Evil Twins are best on open, unprotected WiFi networks. You can easily clone an open wireless Starbucks network (e.g. “Starbucks Free WiFi”), kick clients off the real network, and then have them seamlessly connect to your own clone of that network.

[Screenshot: a client connected to the Evil Twin]

Check it out, a device with the MAC address 78:88:6D:38:A0:81 has connected to my Evil Twin. As you can see below, the device also has the host name “01gbf56.” What a weird name.

[Screenshot: the DHCP offer in the dnsmasq log]

We can also see above that my fake DHCP server has offered this client an IP address to use while on the Evil Twin network, which is 10.0.0.179. The device accepted the offer.

Step 8: What to Do

So, what can a hacker do with an Evil Twin attack? Since all the victim’s traffic is going through the hacker’s network adapter, he can capture all the sensitive information the victim provides. He can even use sslstrip to decrypt all https traffic and gain access to bank account credentials, email credentials, and social media credentials. Whatever the victim submits is now in the hands of the hacker.

Hackers can even send cloned Web sites to the victim. It’s not uncommon for hackers to clone the Facebook login page and send it to the victim. Once the victim tries to login, the hacker harvests the credentials. This attack can be very easily accomplished using Ghost Phisher.

How Can You Protect Yourself from an Evil Twin Attack?

Be wary about connecting to open WiFi. If you see two identical network names, such as “Starbucks WiFi” and “Starbucks WiFi,” then perhaps you should avoid connecting to either one of those networks. If you’re on a smart phone, then now is a great time to use the cellular network instead.

[Screenshot: two networks with the same name in the network list]

If you are already connected to open WiFi, you should think twice about submitting any sensitive information. Also, keep an eye on the URL bar. If the “s” in https should ever vanish for some reason, you could be a victim of sslstrip. Your information is being decrypted and viewed by a nearby hacker.
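The “two identical network names” advice above is something a network owner can check mechanically rather than by eye. The script below is an added example for this page, not code from the original post or from the aircrack-ng project. It parses a constructed, simplified scan listing in the spirit of an airodump-ng CSV export (only the BSSID, channel, Privacy and ESSID columns are kept; real exports carry more), compares it against an allowlist of authorized BSSIDs per ESSID that the owner is assumed to maintain, and flags an AP that advertises a known ESSID from an unlisted BSSID. It also calls out the downgrade described in Step 8: an open network cloning an ESSID that is normally encrypted. All MAC addresses and network names are made up.

```python
# Added example (not from the original post): flag Evil Twin candidates in a
# scan listing by comparing ESSIDs, BSSIDs and the Privacy column against an
# owner-maintained allowlist.
from collections import defaultdict

# Constructed sample in a simplified airodump-ng-CSV-like layout: the real
# HOME-5432 AP, another authorized network, an open clone of HOME-5432 on a
# different BSSID, and an unrelated open cafe network.
SCAN_CSV = """\
BSSID, channel, Privacy, ESSID
AA:BB:CC:00:00:01, 11, WPA2, HOME-5432
AA:BB:CC:00:00:02, 6, WPA2, Office-Net
DE:AD:BE:EF:00:01, 11, OPN, HOME-5432
DE:AD:BE:EF:00:02, 1, OPN, Cafe-Latte
"""

# Hypothetical allowlist the network owner maintains: ESSID -> authorized BSSIDs.
AUTHORIZED = {
    "HOME-5432": {"AA:BB:CC:00:00:01"},
    "Office-Net": {"AA:BB:CC:00:00:02"},
}


def parse_scan(csv_text):
    """Parse the simplified listing into dicts; the header row is skipped."""
    rows = []
    for line in csv_text.splitlines()[1:]:
        if not line.strip():
            continue
        bssid, channel, privacy, essid = [f.strip() for f in line.split(",", 3)]
        rows.append({"bssid": bssid.upper(), "channel": int(channel),
                     "privacy": privacy.upper(), "essid": essid})
    return rows


def find_evil_twins(rows, authorized):
    """Return one finding per suspicious AP.

    An AP is suspicious when its ESSID has an allowlist and its BSSID is not on
    it, or (with no allowlist) when the same ESSID is seen from several
    BSSIDs. Severity is raised to "high" when the allowlist is violated or the
    AP is open while the reference APs for that ESSID are encrypted.
    """
    by_essid = defaultdict(list)
    for r in rows:
        by_essid[r["essid"]].append(r)

    findings = []
    for essid, aps in by_essid.items():
        known = authorized.get(essid, set())
        for ap in aps:
            if ap["bssid"] in known:
                continue                      # an authorized radio for this ESSID
            reasons = []
            if known:
                reasons.append("BSSID not on allowlist for this ESSID")
            elif len(aps) > 1:
                reasons.append("ESSID advertised by %d BSSIDs" % len(aps))
            # Compare security against the authorized APs if we have them,
            # otherwise against the other APs carrying the same name.
            reference = [o for o in aps if o["bssid"] in known] or \
                        [o for o in aps if o is not ap]
            if reference and ap["privacy"] == "OPN" and \
                    all(o["privacy"] != "OPN" for o in reference):
                reasons.append("open network cloning an encrypted ESSID")
            if reasons:
                severity = "high" if (known or len(reasons) > 1) else "medium"
                findings.append({"essid": essid, "bssid": ap["bssid"],
                                 "channel": ap["channel"], "privacy": ap["privacy"],
                                 "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_evil_twins(parse_scan(SCAN_CSV), AUTHORIZED):
        print("%(severity)s: %(essid)s from %(bssid)s (ch %(channel)d, %(privacy)s): "
              "%(reasons)s" % f)
```

On the sample, only the open clone of HOME-5432 is reported, with both reasons and high severity; Cafe-Latte is a single unlisted open network and stays quiet, which is the kind of false-positive control an allowlist gives you over a bare “same name twice” check.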

Conclusion

That’s all. That’s how you create an evil twin. I hope this also gives you a better understanding of wireless networks and the dangers behind them. And most importantly, I hope I’ve opened your eyes to something new or sparked your interest in cybersecurity and ethical hacking.
