The Evil Twin Setup
Once you've got an Evil Twin access point set up, you'll have a setup that looks something like this:
Evil Twin AP network devices:

    wlan0 (sheep) ---> wlan1   at0 --------+
                                           |
                                   lucifer (bridge)
                                           |
                                   eth0 <----------+
Recall that wlan1 is the device acting as an access point, and so the sheep is connected to wlan1.
The at0 device is created by airbase; it is the network interface that carries traffic for the client connected to wlan1.
We also created the lucifer bridge, which bridges the at0 network device (the client's internet connection) to eth0 (the network cable plugged into Mars, the attacker computer).
Performing MITM Attack
This attack consists of two parts. First, we trick the sheep into thinking we are the gateway, so that it sends all of its traffic through us the same way it normally sends it to the router. Second, we reroute that traffic to the real default gateway, and receive the gateway's replies to forward back to the sheep. This keeps everything cool at both ends - important to do in the heat of battle!
We'll use Ettercap to build a special bridge between devices that we can sniff.
This will allow us to do things like sniff all the clear-text HTTP traffic passing through the router, as well as set us up to run SSLStrip to bypass HTTPS encryption.
At that point we can also start using other tools:
Hamster Sidejacking Tool, for sidejacking (?) and stealing cookies for persistent sessions in people's email accounts. Also used by the Wall of Sheep team.
On to Ettercap...
The first step is to build a bridge between two network devices. The two devices are at0, the device that is our Evil Twin sheep's network connection, and eth0, which will be our sheep's connection to the internet.
Detailed step-by-step for building that bridge is here: EvilTwin#Building_the_Bridge
Run Evil Twin Attack
At this point you'll want to go through the EvilTwin attack process.
Run airbase in window 1.
Run deauth attack in window 2.
The sheep will be deauthenticated and will reattach over its wireless network connection.
You can monitor traffic crossing the network interface bridge you've constructed with tcpdump:
$ tcpdump -i lucifer
Now surf the web on your sheep computer. You should see the corresponding packet traffic scroll down the screen. You may also notice a slowdown from the sheep's perspective.
You've now tapped the connection. Welcome to Watergate, son.
Now you can use Ettercap, which runs in one of two modes:
Unified sniffing, meaning it sniffs all packets passing through the cable via a single interface.
Bridged sniffing, where it uses two network interfaces and forwards traffic between them. This is a way of replicating our brctl command.
$ ettercap
...
Please select a User Interface
Yikes! We have to specify text mode (-T) or GUI mode (-G) when we run ettercap. Try that again:
$ ettercap -G