EVIL-TWIN ATTACK

In my previous projects I demonstrated how to carry out a deauthentication attack with aireplay-ng, followed by a brief chat on how to bypass WEP and on manipulating a router feature called WPS, before I took you through the steps of cracking WPA/WPA2 with an aircrack-ng dictionary attack. As mentioned earlier, there are various methods of cracking WiFi encryption and obtaining the passkey to gain access; I want to demonstrate one of my favourites, the evil-twin attack with a captive portal. I hope you enjoy this one as much as I enjoyed doing it. Now let's get started.

This was done in a controlled environment in my home lab and for educational purposes only.

What is an Evil-Twin?

An evil twin is a type of rogue WiFi access point set up by an attacker to mimic a legitimate WiFi network. The goal is to trick users into connecting to the fake network, allowing the attacker to intercept sensitive data such as login credentials, session tokens, or personal information. It is a man-in-the-middle (MITM) attack, where the attacker sits between your device and the router; you can do more research on MITM.

In this project I'll be using a tool called Fluxion, which you can download from GitHub just like I did; follow the steps below to perform the attack. There are other tools similar to Fluxion, such as airgeddon and wifiphisher; I'll leave you to do your own research.

STEP 1: Download Fluxion and run it.

I'm going to skip showing how and where to download it from, because I already have it downloaded, but you can find it on GitHub. In the first image above I'm doing a check to see if my WiFi adapter is in monitor mode; Fluxion automatically puts it into monitor mode, but I like to do it manually to be sure. I already did a walkthrough on how to change a system's MAC address and how to put a WiFi adapter into monitor mode, so check my previous posts if the images look strange to you.

Once you have finished downloading, locate the fluxion folder and run "sudo ./fluxion.sh", which launches Fluxion as you can see in the second image above. Fluxion will do an automatic check to see whether the dependencies it needs are installed on your Kali Linux; if you get any errors, read the error output and follow the instructions to install the missing dependencies.


STEP 2: The right options to select.

I haven't really talked about Fluxion yet. Fluxion is a WiFi hacking tool that makes wireless attacks simple and easy to carry out: all you have to do is select the option you want from the options list. I have documented my experience, and I also want to make it easier if you're new to this, so the following images will guide you on the right options to select to successfully carry out an evil-twin attack with Fluxion using its captive portal.


The first section asks you to select an access point for the wireless attack. I already have my Atheros adapter that supports monitor mode, which I put into monitor mode manually earlier, but like I said, when you select an option from this section Fluxion will start monitor mode. In the image above I have 3 options:

1.) Captive portal: creates an evil-twin access point.

2.) Handshake snooper: acquires WPA/WPA2 encryption hashes.

3.) Back.

We obviously want an evil-twin attack, so select option 1 and press Enter.

Next you're going to see another list of options; don't start panicking, you still have a little left to do. This section asks what frequency to monitor. My adapter supports only 2.4 GHz, so that's the option I'll be selecting; remember that it all depends on your wireless adapter, so know the chipset of your adapter. A terminal will pop up once you select a channel and automatically start scanning for WiFi networks, just like how we used airodump-ng to probe and find a target to attack. In the second image I've spotted my router's ESSID, fearless, at option 2, which I'll be using as my target for this project. Now go ahead and select your own target ESSID, and let's move on to the next list of options.



Here it asks you to select an interface for the access point; you should select your wireless adapter in monitor mode. Mine is wlan0, as you know if you've been following from the beginning, so I'll go ahead and select option 2 and press Enter.



Okay, now we're getting into some serious options. This section starts by asking you to select a deauthentication method, just like in the previous deauthentication attack where we disconnected a device or all devices from the router, leaving the target no choice but to connect to the rogue AP, as we did in the previous project using aireplay-ng. Choose the option you want, but I recommend using aireplay-ng for the deauthentication attack.



After selecting the tool for the deauth attack, this section lists tools that will create the fake access point, or rather the rogue access point. Go ahead and select hostapd, which allows you to create multiple access points with your wireless adapter; Fluxion recommends that option.


In the following section, shown in the image above, I'm being asked to select the tool I want to use for the password verification method, which checks passwords against the handshake stored in the .cap file; this lets you know whether the user entered the right password when trying to log in to the rogue access point once it is deployed. The second image above is similar to the first, but this time asks you to select a method to verify the hash. Let's move on to the next.




Okay, in this section it's going to ask for the WPA handshake. I already captured it using airodump-ng, just like we did in my previous project, so all I have to do is input the location of the file, as you can see with the path to the fearless-01.cap file. I recommend you capture the handshake before launching Fluxion. As we discussed earlier, the WPA handshake matters because it holds the WPA encrypted key material that lets us know when we have the correct passkey; as you already know by now, the fearless-01.cap file with the captured WPA handshake holds the information on the passkey we need to gain access to the original router.



This section asks us to select whether we want an SSL certificate for the domain that serves the captive portal, so that the page is secured when opened and we appear to be who we say we are. This is just a test, so go ahead and select the 3rd option, which is none (disable SSL).



The following section in the image above is for our rogue AP: do you want it to have internet access or not once the target enters the passkey to log in to the rogue AP? In this project we just want the WiFi passkey to gain access to the original router, so in this section go ahead and select option 1, which is disconnected.




The next section is a list of languages to select from for the captive portal; pick the language of your choice. Mine is English, which is option 7. Once you press Enter, six terminals will pop up. The six terminals are: the DHCP server, which allocates an IP address to any user that logs into our rogue AP; the DNS server for the deployed captive portal, which makes the domain functional; the AP service, which notifies you whether the access point is up or down; the web service, which gives information on the target's web requests, such as whether a Chrome or Firefox browser is being used by our target; the AP authenticator, which holds information on the devices logged into the deployed rogue AP; and the last terminal, which is doing the deauthentication attack on the router for all devices, as you can see from the broadcast packet being sent.

I didn't really like the performance of the deauth attack by Fluxion, and I tried all the other options, but aireplay-ng was still the best option; it doesn't work perfectly well in Fluxion, though, so I would rather carry out a manual deauth attack on the client device if possible.

Now let's switch to the target system I'm using for this project, which is connected to the router fearless, and see the behaviour of the rogue AP evil-twin attack.



Okay, just like that we've created a rogue AP similar to the target's. To be sure, you can see it listed among the available networks; the rogue access point is fearless2. Like I said, I don't like Fluxion's deauth attack because it wasn't effective and the real access point didn't lose its connection, leaving me no choice but to manually disconnect and sign in to the rogue AP fearless2. Note that a new client device, unaware, could try to log in and also fall victim to this attack. Once I clicked on the rogue access point, a Windows browser opened with the captive portal requesting the router password. Just to confirm that the password verification method we chose earlier worked, I put in the wrong password for the router and got a message at the top, as you can see, that the password entered is incorrect, so that worked. Next I put in the correct password and it said password VERIFIED, although after this the target won't have internet access, just the way I set it.
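The defender's view of the two things just observed, a lookalike network name (fearless2) beside the real one and a stream of broadcast deauthentication frames, as an added example that is not part of the original post or of Fluxion: it runs simple detection logic over constructed monitor-mode frame summaries, and the authorised-BSSID inventory, the frame records and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Hypothetical inventory of the network's own AP: SSID -> authorised BSSIDs.
AUTHORIZED = {"fearless": {"aa:bb:cc:dd:ee:01"}}
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frame summaries (not a real capture): the fields a monitor-mode sniffer reports.
SAMPLE_FRAMES = [
    {"t": 0.0, "type": "beacon", "bssid": "aa:bb:cc:dd:ee:01", "ssid": "fearless", "privacy": True},
    {"t": 0.1, "type": "beacon", "bssid": "de:ad:be:ef:00:02", "ssid": "fearless2", "privacy": False},
    {"t": 0.2, "type": "beacon", "bssid": "de:ad:be:ef:00:03", "ssid": "fearless", "privacy": False},
    {"t": 0.3, "type": "beacon", "bssid": "11:22:33:44:55:66", "ssid": "neighbour", "privacy": True},
] + [  # 30 broadcast deauths in 1.5 s; the source is spoofed as the real AP's BSSID
    {"t": 1.0 + i * 0.05, "type": "deauth", "src": "aa:bb:cc:dd:ee:01", "dst": BROADCAST}
    for i in range(30)
]

def base_name(ssid):
    """Normalise an SSID so that 'fearless2' or 'Fearless ' compares equal to 'fearless'."""
    return re.sub(r"[\s\-_]*\d*$", "", ssid.strip().lower())

def find_rogue_aps(frames, authorized=AUTHORIZED):
    """Return (bssid, ssid, reason) for every AP impersonating an authorised SSID."""
    allowed = {base_name(s): (s, b) for s, b in authorized.items()}
    seen, findings = set(), []
    for f in frames:
        if f["type"] != "beacon" or f["bssid"] in seen:
            continue
        seen.add(f["bssid"])
        match = allowed.get(base_name(f["ssid"]))
        if match is None or f["bssid"] in match[1]:
            continue  # unrelated network, or our own AP
        reason = "same SSID, unknown BSSID" if f["ssid"] == match[0] else "lookalike SSID"
        if not f["privacy"]:
            reason += ", open network"  # captive-portal twins are usually unencrypted
        findings.append((f["bssid"], f["ssid"], reason))
    return findings

def find_deauth_floods(frames, threshold=10, window=2.0):
    """Return {sender: total} for senders with >= threshold broadcast deauths inside one window."""
    times = defaultdict(list)
    for f in frames:
        if f["type"] == "deauth" and f["dst"] == BROADCAST:
            times[f["src"]].append(f["t"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()  # a burst exists if any `threshold` consecutive frames fit inside `window`
        if any(ts[i + threshold - 1] - ts[i] <= window for i in range(len(ts) - threshold + 1)):
            flagged[src] = len(ts)  # the sender MAC is spoofed, so this flags the flood, not the AP
    return flagged
```

Because the deauth frames carry the legitimate AP's address, the flood is the indicator, not the sender; the real fix is 802.11w (protected management frames), which makes forged deauths fail authentication.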

Now let's go back to my attacker system to see what happened once the target put in the right password.

Once the target puts in the correct password, the attack stops and a terminal opens showing the path of the captured password. You can see in the second image above that I go to the saved path of the file (it will vary depending on where you have Fluxion saved). Once you locate it, run "cat <file name>"; as you can see, it displays the router's MAC address, the channel it's on, the time, and then the password for the router, which is "99999999".

There you have it: we just successfully hacked a WiFi network and gained access to it. I hope you enjoyed this project as much as I did; in my next post I'll be writing on mitigation solutions to keep a network safe and keep attackers out of our network. Thanks and bye for now.