[TuT] - Introduction to Evil Twin Attacks - WiFiPhisher, LinSet & Airgeddon

Introduction to Evil Twin Attacks
Social Engineer your way into Wi-Fi Networks!

I.) Introduction
As explained in the previous tutorial, evil twin attacks are automated social engineering attacks made with the primary intention of phishing WPA/WPA2 passwords from a target user. Within an evil twin attack, fake access points (APs) are setup by configuring a wireless card to act as an access point. The counterfeit access point are given the same SSID and BSSID as a nearby Wi-Fi network. The evil twin can be configured to pass Internet traffic through to the legitimate access point while monitoring the victim's connection, or it can simply say the system is temporarily unavailable after obtaining a username and password. These attacks can be further configured to mirror man-in-the-middle (MiTM) attacks however we shall be discussing this later. The illustration below should depict how an Evil Twin attack typically occurs:



II.) Requirements

• Any Linux installation, preferably the Kali Linux distribution via native OS, virtual machine or live CD.
  
• WiFi adapter capable of injecting packets, strong signal reception and monitor mode support. An ideal router would be a NetGear or Alfa adapter but you can make do with low-level TP-LINK routers too.
  
• A third party tool such as AirGeddon, Fluxion, LinSet or WifiPhisher to conduct the attack.
  

III.) Evil Twin Attack via WifiPhisher

• Run the following command to initialize the setup of WifiPhisher and it's dependencies
  
  Code

  sudo apt-get install wifiphisher hostapd dnsmasq python-pyric python-jinja2
  
  
• Stop the NetworkManager daemon to avoid interference with your attack.
  
  Code

  sudo systemctl stop NetworkManager
  
  
• Run WifiPhisher with admin rights.
  
  Code

  sudo wifiphisher
  
  
  • If you receive an error like the ones below:
    
    Code

    "There is not enough wireless interfaces for the tool to run! Please ensure that there is no need for wireless adapters. Master mode (AP) mode and another must support Monitor mode."
    
    
    Code

    Not enough wireless interfaces to run the tool! Please ensure that at least two devices are connected and that they are compatible (the driver must support netlink). At least one must support Master Mode (AP), and the other must support Monitor mode.
    
    Proceed to run WifiPhisher in no-jamming mode which skips the deauthentication phase, requiring only one wireless interface to continue. Use either of the following commands to do so
    
    Code

    wifiphisher -nJ
wifiphisher --nojamming
  
  
• Upon successful startup, you should have your interface looking like this:
  
  
  
  
• Browse between the available Wi-Fi networks and press ENTER to select your target network.
  
  
• You will receive an option to select your phishing script from the available options within WiFiPhisher:
  
  1. Firmware Upgrade: A router configuration page without logos or brands asking for WPA/WPA2 password due to a firmware upgrade. Mobile-friendly.
     
  2. Network Manager Connect: Imitates the behavior of the network manager. This template shows Chrome's "Connection Failed" page and displays a network manager window through the page asking for the pre-shared key. Currently, the network managers of Windows and MAC 05 are supported.
     
  3. oAuth Login Page: A free Wi-Fi Service asking for Facebook credentials to authenticate using oAuth
     
  4. Browser Plugin Update: A generic browser plugin update page that can be used to serve payloads to the victims.
     
  
  
• You can proceed to enter the number of the scenario you'd like to utilize.
  
  
• Your evil twin Wi-Fi should be active. They appear like the following to a unsuspecting user device:
  
  
  Have you ever wondered why your local Starbucks had 3-4 WiFi networks open when you were there last? The extra ones were likely evil twins of the original. You aren't able to connect to the original Wi-Fi network while you could freely connect to open networks which request WPS passphrase upon connecting.
  
  
• Once a user connects to your fake AP, you should be able to view incoming HTTP requests on WifiPhisher:
  
  
  • "Extension feeds" are the event command logs, that show existing clients deauthenticated from the WiFi.
    
  • "DHCP Leases" show the users currently connected to your evil twin AP
    
  • "HTTP Requests" show the incoming HTTP GET requests made by the users on your network.
    
  
  
• The users connected to your network aren't able to access the Internet as every web-page redirects them to the Firmware Upgrade page:
  
  
  
• Upon typing the password, the data is relayed back to the person controlling the fake AP (in this case, us) in a POST HTTP request. The user is stuck on a fake loading screen after submitting the input:
  [img]https://i.imgur.com/7wtpXUs.jpg[img]
  
  
• As you can see, the respective POST HTTP request captures the required Wi-Fi password.
  
  
  
• Since the purpose of our attack has been fulfilled, you can press "Ctrl+C" to terminate your attack.
  
  
  

Introduction to Evil Twin Attacks
Social Engineer your way into Wi-Fi Networks!

I.) Introduction
As explained in the previous tutorial, evil twin attacks are automated social engineering attacks made with the primary intention of phishing WPA/WPA2 passwords from a target user. Within an evil twin attack, fake access points (APs) are setup by configuring a wireless card to act as an access point. The counterfeit access point are given the same SSID and BSSID as a nearby Wi-Fi network. The evil twin can be configured to pass Internet traffic through to the legitimate access point while monitoring the victim's connection, or it can simply say the system is temporarily unavailable after obtaining a username and password. These attacks can be further configured to mirror man-in-the-middle (MiTM) attacks however we shall be discussing this later. The illustration below should depict how an Evil Twin attack typically occurs:



II.) Requirements

• Any Linux installation, preferably the Kali Linux distribution via native OS, virtual machine or live CD.
  
• WiFi adapter capable of injecting packets, strong signal reception and monitor mode support. An ideal router would be a NetGear or Alfa adapter but you can make do with low-level TP-LINK routers too.
  
• A third party tool such as AirGeddon, Fluxion, LinSet or WifiPhisher to conduct the attack.
  

III.) Evil Twin Attack via WifiPhisher

• Run the following command to initialize the setup of WifiPhisher and it's dependencies
  
  Code

  sudo apt-get install wifiphisher hostapd dnsmasq python-pyric python-jinja2
  
  
• Stop the NetworkManager daemon to avoid interference with your attack.
  
  Code

  sudo systemctl stop NetworkManager
  
  
• Run WifiPhisher with admin rights.
  
  Code

  sudo wifiphisher
  
  
  • If you receive an error like the ones below:
    
    Code

    "There is not enough wireless interfaces for the tool to run! Please ensure that there is no need for wireless adapters. Master mode (AP) mode and another must support Monitor mode."
    
    
    Code

    Not enough wireless interfaces to run the tool! Please ensure that at least two devices are connected and that they are compatible (the driver must support netlink). At least one must support Master Mode (AP), and the other must support Monitor mode.
    
    Proceed to run WifiPhisher in no-jamming mode which skips the deauthentication phase, requiring only one wireless interface to continue. Use either of the following commands to do so
    
    Code

    wifiphisher -nJ
wifiphisher --nojamming
  
  
• Upon successful startup, you should have your interface looking like this:
  
  
  
  
• Browse between the available Wi-Fi networks and press ENTER to select your target network.
  
  
• You will receive an option to select your phishing script from the available options within WiFiPhisher:
  
  1. Firmware Upgrade: A router configuration page without logos or brands asking for WPA/WPA2 password due to a firmware upgrade. Mobile-friendly.
     
  2. Network Manager Connect: Imitates the behavior of the network manager. This template shows Chrome's "Connection Failed" page and displays a network manager window through the page asking for the pre-shared key. Currently, the network managers of Windows and MAC 05 are supported.
     
  3. oAuth Login Page: A free Wi-Fi Service asking for Facebook credentials to authenticate using oAuth
     
  4. Browser Plugin Update: A generic browser plugin update page that can be used to serve payloads to the victims.
     
  
  
• You can proceed to enter the number of the scenario you'd like to utilize.
  
  
• Your evil twin Wi-Fi should be active. They appear like the following to a unsuspecting user device:
  
  
  Have you ever wondered why your local Starbucks had 3-4 WiFi networks open when you were there last? The extra ones were likely evil twins of the original. You aren't able to connect to the original Wi-Fi network while you could freely connect to open networks which request WPS passphrase upon connecting.
  
  
• Once a user connects to your fake AP, you should be able to view incoming HTTP requests on WifiPhisher:
  
  
  • "Extension feeds" are the event command logs, that show existing clients deauthenticated from the WiFi.
    
  • "DHCP Leases" show the users currently connected to your evil twin AP
    
  • "HTTP Requests" show the incoming HTTP GET requests made by the users on your network.
    
  
  
• The users connected to your network aren't able to access the Internet as every web-page redirects them to the Firmware Upgrade page:
  
  
  
• Upon typing the password, the data is relayed back to the person controlling the fake AP (in this case, us) in a POST HTTP request. The user is stuck on a fake loading screen after submitting the input:
  [img]https://i.imgur.com/7wtpXUs.jpg[img]
  
  
• As you can see, the respective POST HTTP request captures the required Wi-Fi password.
  
  
  
• Since the purpose of our attack has been fulfilled, you can press "Ctrl+C" to terminate your attack.
  
  
  

Introduction to Evil Twin Attacks
Social Engineer your way into Wi-Fi Networks!

I.) Introduction
As explained in the previous tutorial, evil twin attacks are automated social engineering attacks made with the primary intention of phishing WPA/WPA2 passwords from a target user. Within an evil twin attack, fake access points (APs) are setup by configuring a wireless card to act as an access point. The counterfeit access point are given the same SSID and BSSID as a nearby Wi-Fi network. The evil twin can be configured to pass Internet traffic through to the legitimate access point while monitoring the victim's connection, or it can simply say the system is temporarily unavailable after obtaining a username and password. These attacks can be further configured to mirror man-in-the-middle (MiTM) attacks however we shall be discussing this later. The illustration below should depict how an Evil Twin attack typically occurs:



II.) Requirements

• Any Linux installation, preferably the Kali Linux distribution via native OS, virtual machine or live CD.
  
• WiFi adapter capable of injecting packets, strong signal reception and monitor mode support. An ideal router would be a NetGear or Alfa adapter but you can make do with low-level TP-LINK routers too.
  
• A third party tool such as AirGeddon, Fluxion, LinSet or WifiPhisher to conduct the attack.
  

III.) Evil Twin Attack via WifiPhisher

• Run the following command to initialize the setup of WifiPhisher and it's dependencies
  
  Code

  sudo apt-get install wifiphisher hostapd dnsmasq python-pyric python-jinja2
  
  
• Stop the NetworkManager daemon to avoid interference with your attack.
  
  Code

  sudo systemctl stop NetworkManager
  
  
• Run WifiPhisher with admin rights.
  
  Code

  sudo wifiphisher
  
  
  • If you receive an error like the ones below:
    
    Code

    "There is not enough wireless interfaces for the tool to run! Please ensure that there is no need for wireless adapters. Master mode (AP) mode and another must support Monitor mode."
    
    
    Code

    Not enough wireless interfaces to run the tool! Please ensure that at least two devices are connected and that they are compatible (the driver must support netlink). At least one must support Master Mode (AP), and the other must support Monitor mode.
    
    Proceed to run WifiPhisher in no-jamming mode which skips the deauthentication phase, requiring only one wireless interface to continue. Use either of the following commands to do so
    
    Code

    wifiphisher -nJ
wifiphisher --nojamming
  
  
• Upon successful startup, you should have your interface looking like this:
  
  
  
  
• Browse between the available Wi-Fi networks and press ENTER to select your target network.
  
  
• You will receive an option to select your phishing script from the available options within WiFiPhisher:
  
  1. Firmware Upgrade: A router configuration page without logos or brands asking for WPA/WPA2 password due to a firmware upgrade. Mobile-friendly.
     
  2. Network Manager Connect: Imitates the behavior of the network manager. This template shows Chrome's "Connection Failed" page and displays a network manager window through the page asking for the pre-shared key. Currently, the network managers of Windows and MAC 05 are supported.
     
  3. oAuth Login Page: A free Wi-Fi Service asking for Facebook credentials to authenticate using oAuth
     
  4. Browser Plugin Update: A generic browser plugin update page that can be used to serve payloads to the victims.
     
  
  
• You can proceed to enter the number of the scenario you'd like to utilize.
  
  
• Your evil twin Wi-Fi should be active. They appear like the following to a unsuspecting user device:
  
  
  Have you ever wondered why your local Starbucks had 3-4 WiFi networks open when you were there last? The extra ones were likely evil twins of the original. You aren't able to connect to the original Wi-Fi network while you could freely connect to open networks which request WPS passphrase upon connecting.
  
  
• Once a user connects to your fake AP, you should be able to view incoming HTTP requests on WifiPhisher:
  
  
  • "Extension feeds" are the event command logs, that show existing clients deauthenticated from the WiFi.
    
  • "DHCP Leases" show the users currently connected to your evil twin AP
    
  • "HTTP Requests" show the incoming HTTP GET requests made by the users on your network.
    
  
  
• The users connected to your network aren't able to access the Internet as every web-page redirects them to the Firmware Upgrade page:
  
  
  
• Upon typing the password, the data is relayed back to the person controlling the fake AP (in this case, us) in a POST HTTP request. The user is stuck on a fake loading screen after submitting the input:
  [img]https://i.imgur.com/7wtpXUs.jpg[img]
  
  
• As you can see, the respective POST HTTP request captures the required Wi-Fi password.
  
  
  
• Since the purpose of our attack has been fulfilled, you can press "Ctrl+C" to terminate your attack.