From charlesreid1

This page goes into more depth on how to follow up an Evil Twin access point attack and use it to Man in the Middle a client computer.

The Evil Twin Setup

Once you've got an Evil Twin access point set up, you'll have a setup that looks something like this:

         Evil Twin AP Network Devices:

sheep ---> wlan1
                      | lucifer (bridge)
           eth0 <----+

Recall that wlan1 is the device acting as an access point, and so the sheep is connected to wlan1.

The device at0 is created by airbase, and is a network connection for the client connected to wlan1.

We also created the lucifer bridge, which bridges the at0 network device (the client's internet connection) to eth0 (the network cable plugged into Mars, the attacker computer).

Performing MITM Attack

This attack consists of two parts. First, we trick the sheep into thinking we are the gateway, so that it sends all of its traffic through us, the same way it normally sends all its traffic to the router. Second, we reroute that traffic to the default gateway, and receive traffic back from the gateway to forward to the sheep. This keeps everything cool at both ends - important to do in the heat of battle!


We'll use Ettercap to build a special bridge between devices that we can sniff.

This will allow us to do things like sniff all the clear-text HTTP traffic passing through the router, as well as set us up to run SSLStrip to bypass HTTPS encryption.

At that point we can also start using other tools:

Nmap and Metasploit, which become usable because the target is now connected to our fake AP, and that means we can also connect to the target.

Ettercap and Dsniff, used at the DEF CON Wall of Sheep.

Hamster Sidejacking Tool, for sidejacking (?) and stealing cookies for persistent sessions in people's email accounts. Also used by the Wall of Sheep team.

On to Ettercap...

Build Bridge

The first step is to build a bridge between two network devices. The two devices are at0, the device that is our Evil Twin sheep's network connection, and eth0, which will be our sheep's connection to the internet.

Detailed step-by-step instructions for building that bridge are here: EvilTwin#Building_the_Bridge

Run Evil Twin Attack

At this point you'll want to go through the EvilTwin attack process.

Run airbase in window 1.

Run deauth attack in window 2.

The sheep will be deauthenticated and will reattach using its wireless network connection.
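
Seen from the defending side, the sequence above (a burst of deauthentication frames, then the client reattaching to a different access point under the same network name) is what a wireless sensor can watch for. The following is an added example, not code from the original page; the allowlist `KNOWN_APS`, the thresholds and the event tuples are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: BSSIDs the defender has authorised for each SSID (constructed values).
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
DEAUTH_THRESHOLD = 5    # this many deauth frames to one client ...
WINDOW_SECONDS = 10.0   # ... within this window counts as a burst

# Constructed sample events, as a sensor might summarise 802.11 frames:
# (timestamp, frame type, client MAC, BSSID, SSID)
SAMPLE_EVENTS = [
    (100.0 + i * 0.2, "deauth", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:01", "CorpWiFi")
    for i in range(8)
] + [
    # client 1 reattaches to an unlisted BSSID right after the burst
    (103.5, "assoc", "de:ad:be:ef:00:01", "02:11:22:33:44:55", "CorpWiFi"),
    # client 2: one stray deauth, then a normal roam between authorised APs
    (200.0, "deauth", "de:ad:be:ef:00:02", "aa:bb:cc:00:00:02", "CorpWiFi"),
    (201.0, "assoc", "de:ad:be:ef:00:02", "aa:bb:cc:00:00:01", "CorpWiFi"),
    # client 3 joins the unlisted BSSID with no deauth seen beforehand
    (300.0, "assoc", "de:ad:be:ef:00:03", "02:11:22:33:44:55", "CorpWiFi"),
]

def detect_evil_twin(events, known_aps=KNOWN_APS):
    """Alert when a client associates to an unlisted BSSID for a known SSID,
    and raise severity if a deauth burst against that client preceded it."""
    deauths = defaultdict(list)  # client MAC -> timestamps of deauth frames
    alerts = []
    for ts, kind, client, bssid, ssid in sorted(events):
        if kind == "deauth":
            deauths[client].append(ts)
        elif kind == "assoc" and ssid in known_aps and bssid not in known_aps[ssid]:
            recent = [t for t in deauths[client] if 0 <= ts - t <= WINDOW_SECONDS]
            burst = len(recent) >= DEAUTH_THRESHOLD
            alerts.append({
                "client": client,
                "ssid": ssid,
                "rogue_bssid": bssid,
                "deauth_burst": burst,
                "severity": "high" if burst else "medium",
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_evil_twin(SAMPLE_EVENTS):
        print(alert)
```
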

Monitor Bridge

You can monitor traffic crossing the network interface bridge you've constructed with tcpdump:

$ tcpdump -i lucifer

Now surf the web on your sheep computer. You should see the corresponding packet traffic scroll down the screen. You may also notice a slowdown from the sheep's perspective.

You've now tapped the connection. Welcome to Watergate, son.


Now you can use Ettercap. You can use Ettercap in two modes:

Ettercap can do unified sniffing, meaning it sniffs all packets passing through the cable via one interface.

Ettercap can also do bridged sniffing, where it uses two network interfaces and forwards traffic between them. This is a way of replicating our brctl command.

Run ettercap:

$ ettercap


Please select a User Interface

Yikes! We have to specify text mode -T or gui mode -G when we run ettercap. Try that again:

$ ettercap -G