While Wi-Fi networks can be set up by intelligent IT professionals, that does not mean that system users also have the same technology. We'll show you how a malicious attack on twins can steal Wi-Fi passwords by kicking a user on their trusted network while making a virtual fake one. This forces the victim to connect to a fake network and provide a Wi-Fi password to regain internet access.
While a technology user can detect this attack, it is surprisingly effective for those who are not trained to search for suspicious network work. The reason it is so successful is that many users do not know what the actual firmware update looks like, leading to confusion about knowing that the attack is ongoing.
What is the Evil Twin Attack
Evil twin attacks are a form of Wi-Fi attack that is so effective that most computers and phones will only see the word "name" or wireless network ESSID. This actually makes it very difficult to distinguish between networks with the same name and the same type of encryption. In fact, most networks will have access points that extend to all networks using the same name to extend access without confusing users.
If you want to see how this works, you can create a Wi-Fi hotspot on your phone and name it according to your home network, and you'll find it hard to tell the difference between two networks or your computer can just see both as the same network. A network sniffing tool like Wigle Wifi on Android or Kismet clearly sees the difference between these networks, but for the average user, these networks will look the same.
This works well for tricking a user into communicating if we have a network with the same name, the same password, and the same encryption, but what if we don't know the password yet? We will not be able to create a network that will trick the user into connecting automatically, but we can try social media attacks to try to force the user to give us a password by removing them from the actual network.
Using a Captive Portal Attack
In the case of the evil twin portal-style attack, we will use the Airgeddon wireless attack framework to try to force the user to connect to an open network with the same name as the network they trust. The capture site is something similar to the screen you see when you connect to an open network at a coffee shop, plane, or hotel. This screen that contains the terms and conditions is something people are used to seeing, and we will use that to our advantage to create a data stealing page that looks like the router is being updated.
How we will trick the victim into doing this by filling their trusted network with verification packets, making it difficult to connect to the internet in general. When confronted with an internet connection that refuses to connect and does not allow any internet access, the average annoyed user will find an open Wi-Fi network with the same name as the network they can connect to and think is related to the problem.
When connecting to a network, the victim will be redirected to a phishing scams page explaining that the router has renewed and requires a password to continue. If the user is easily deceived, they will enter the network password here, but that is not where the fun is set. If the victim is upset by this interruption and type in the wrong password, we will need to make sure they can tell the wrong password from the wrong one. To do this, we will capture the network connection first, so that we can look at each password that the user gives us and tell us when the correct one is entered.
Technologically Assisted Social Engineering
For this attack to work, a number of important requirements must be met. First, this attack requires the user to do some unknowable things. If the target you choose is known to be tech-savvy, this attack may not work. The advanced user, anyone with any cyber security awareness awareness training, will see this attack continue and may know that the attack is very close. Against a well-protected target, you can expect this attack to be detected and even localized to find you.
Don't Miss: Turn your Android Phone into Hacking Device
Second, the victim must be successfully authenticated from his or her network, and frustrated enough to join a completely open network that does not appear anywhere and has the same network name they trust. In addition, attempting to connect to this network (on macOS) brings even a warning that the last time the network was connected, it had some form of encryption.
Finally, the victim must enter the network password on the theft page that looks like a sketch that is sometimes redirected after joining the open network that the attacker has created. There are many clues that can give a sharp user the fact that this page, including incorrect language, incorrect router (if the phishing scams page is talking about), or mispronunciation and English text in the text of the page. Since router pages often look so bad, this information may not be visible to anyone unfamiliar with what their administrator page looks like.
Step 1: Make Sure You Have It All
To prepare for our Ewil twin access attack, we will need to use Kali Linux or another supported distro. There are still a few distributions, and you can check out the Airgeddon GitHub page to find out which Airgeddon will work with.
You can use Raspberry Pi using Kali Linux for this with a wireless network adapter, but you will need to have access to the GUI and not be SSHed to Pi, as you will need to be able to open and navigate multiple windows in this multi-bash text.
Finally, you will need a good wireless network adapter for this. In our experiment, we found that the TP-Link WN722N v1 and Panda Wireless PAU07 cards worked well with this attack.
Step 2: Install Airgeddon
To start using Airgeddon wireless attack framework, we will need to download Airgeddon and any other necessary programs. The developer also recommends downloading and installing a tool called CCZE to make the output easier to understand. You can do that by typing the apt-get to install the ccze end window.
Next, we will install Airgeddon with a git clone.
Then change directions and start Airgeddon with the following instructions.
If you see an alien spacecraft, you know that you are ready to hack
Step 3: Configure Airgeddon
Press Enter to test the various tools the Airgeddon frame relies on. If something is missing (it will say "Error" next to them), you can hit Y and enter immediately to try to automatically insert anything that isn't there, but that usually doesn't work.
Don't Miss: Hack WPA2-PSK Passwords using Aircrack-ng
Instead, open a new signal window and type apt-get install tool , inserting the "tool" in the name of the missing tool. If that doesn't work, you can try the Sudo pip install tool again. You should install all the tools, otherwise, you may encounter problems during your attack, especially if you have lost dnsspoof.
If you have all the tools, proceed to the next step by pressing Enter. Next, the script will check internet access so we can analyze ourselves when there is a new version.
When that is complete, press Enter to select the network adapter to use. Press the number on your keyboard corresponding to the network adapter in the list, then enter Enter.
After selecting our wireless network adapter, we will proceed to the main attack menu.
Press 2 and enter to enter your wireless card in the standby mode. Next, select option 7 and enter the "Evil Twin attack" menu, and you will see a menu below this attack module appear.
Step 4: Select Target
Now that we're in our attack phase, select option 9 and install the "Evil Twin AP attack with the captive portal." We'll need to check the indicators, so press Enter, and you'll see a window appear showing a list of all available networks. You will need to wait a bit to complete the list of all nearby networks.
After working for about 60 seconds, exit through the small window, and a list of targets appears. You will notice that the networks that the user is using appear yellow with an asterisk next to them. This is important because you cannot trick someone into giving you a password if there is no one on the network in the first place.
Select the target number you want to attack, then press Enter to move to the next screen.
Step 5: Combine handshake
Now, we will select the type of unauthorized attack we want to use to kick the user off his trusted network. I recommend the second option, "Deauth aireplay attack," but a different attack will work better depending on the network.
Press Enter once you have selected, and you will be asked if you would like to enable DoS tracking mode, which allows you to track AP when moving to another channel. You can select yes (Y) or no (N) depending on your preferences, then press Enter. Finally, you will select N using an interface with internet access. We will not need this attack, and it will make our attacks more accessible so that we do not need an internet resource.
Next, it will ask you if you want to damage your MAC address during an attack. In this case, I chose N as "no."
Don't Miss: Hack online Passwords with THC Hydra & Temper Data
Now, if we don't have a handshake for this network, we'll have to take it now. BE VERY CAREFUL not to mistakenly select Y in "Do you already have a connected Handshake file?" if you really didn't shake my hand. There is no clear way to return to the script without restarting if you make this mistake.
While we are still in the process of typing, type N in no, then press Enter to start shooting.
Once the capture process has started, a window with red text that sends deauth packets and a white text window will open to shake hands. You will need to wait until you see the "WPA Handshake:" and then the BSSID address of your specified network. In the example below, we are still waiting for a handshake.
Once you see that you have got the handshake, you can opt out of the Capturing Handshakewindow. When the script asks you for a handshake, select Y, and save the handshake file. Next, select the location where you can write the stolen password, and you're ready to go to the final step of setting up a phishing scam.
Step 6: Set up a phishing page to steal sensitive information
In the last step before launching the attack, we will set the language of the page to steal sensitive information. The page provided by Airgeddon is great for exploring this style of attack. In this example, we will select 1 English. Once selected, press Enter, and the attack will begin with an opening of six windows to perform various attack operations simultaneously.
Step 7: Capture Network Credentials
As the attack continues, the victim should be removed from their network and see our fake as the only thing that seems normal. Be patient, and pay attention to the network status in the upper right window. This will tell you when the device joins the network, allowing you to see any password attempts they make when they are transferred to the hostage site.
When the victim joins your network, you will see more activity in the image below. In the upper right corner, you'll be able to see any failed, hand-tested password attempts that we've collected. This will continue until the victim enters the correct password, and all their online requests (seen in the green text box) will fail until they do so.
When the victim works in the caves and finally enters the correct password, the windows will close without the right window at the top. The fake network will disappear, and the victim will be free to connect back to our wireless network.
Don't Miss: Hack Password protected Zip Files, Pdfs & More with Zydra
The details should be displayed on the control screen at the top right, and you should copy and paste the password into the file that you will save, in case the script does not properly save that file. This sometimes happens, so be sure not to forget this step or you may lose the password you just got.
After this, you can close the window, and close the tool by pressing Ctrl + C. If we get a valid confirmation of this step, our attack has worked, and we have a Wi-Fi password for tricking a user into sending you to our AP fraud page!
How to Preventing the Evil Twin Attack AP
The best way to protect yourself from being attacked by evil twins is to know the trick, and know that the symptoms of that one should be very suspicious. If you suddenly lose the ability to connect to your trusted network and suddenly see an open wireless network with the same name, this is not an uncommon phenomenon or typical event change.
Never connect to an anonymous wireless network that makes it your own, especially without the encryption. If you suspect that your router is actually updating, turn off your Wi-Fi and connect to Ethernet directly to see what the problem is.
0 Comments