Evil Twin Attack

The potential risks an Evil Twin attack in areas where people are using public WiFi (e.g. coffee shops or universities) could be devastating. With hundred of students using a campus WiFi on any given day, the likelihood of catching people off guard and tricking them into connecting onto a rogue Access Point is pretty high.  The same is true for those using a cafe’s free WiFi.

In the following example I am using an Alfa Wireless Adapter for scanning and Kali Linux along with the open source script airgeddon to conduct my Captive Portal Evil Twin Attack.

The first step is to download and install ‘airgeddon’ on my Linux machine:

Make the airgeddon.sh script executable
Welcome screen on airgeddon launch

Upon launching the airgeddon script, I need to first choose my wireless interface and change it from ‘Managed’ mode into ‘Monitor’ mode. This will enable my Alfa Wireless Adapter to capture WiFi packets.

Setting Alpha Wireless Adapter to monitor mode.

Monitor mode allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. This is different from promiscuous mode (used for packet sniffing) as monitor mode allows packets to be captured without having to associate with an access point (AP) first. In this case, putting our wireless adapter into monitor mode is used to observe widespread traffic and check the air for surrounding AP’s and their beacons.

Selecting an Interface

Airgeddon presents a very simple process allowing the user to tailor their attack specifically for what needs to be accomplished.

In this sample scenario we are going to launch a captive portal Evil Twin attack. The “captive portal” will be the first thing that pops up when a victim connects to our rogue AP. It is essentially a log in page that is required to access the network.

These captive portals act as a landing page for users upon first connecting. They are typically used to offer a method of authenticating end-users and ensuring their acceptance of an organization’s acceptable use policy.

We have all seen captive portals on public WiFi networks:

By mimicking a wireless network’s SSID and customizing a captive portal for our target, the connection will appear legitimate and our trap will be set.

Once a victim connects and enters their credentials airgeddon will simply save them to a text file, leaving you with the WPA2 passphrase in plaintext.

I select number 7 in the above prompt and advance to scanning for available networks. This is where an attacker will choose the network they want to target. I am performing this example attack at my house and not anywhere public, like a coffee shop or on a university campus.

Once our target is chosen, we can perform a deauthentication attack which is often used capture a networks WPA2 handshake upon reauthentication. A deauthentication attack is where an attacker sends specifically crafted packets with the BSSID of the AP in the air telling every client to deauthenticate (disconnect).

Because I was using my home network as a guinea pig, I launched this deauth attack without giving my wife a heads up, and our Disney+ stream that she and our son were watching suddenly dropped. Woops, sorry about that. All of this is to say that the connected clients will honor the command given and disconnect themselves from their AP.

A lot of devices will constantly be scanning for familiar AP’s and when found, will automatically connect to them. The purpose of the deauthentication attack in this context is to force clients to connect to our rogue AP when they are reconnecting after being knocked off.

An additional strategy here is to turn up the power of our rogue AP in an attempt to have a stronger signal than the legitimate AP. The stronger signal is generally the one automatically selected by devices.

Finally, we will launch our attack with a spoofed MAC address of our target access point and a duplicate name of it’s SSID. While the attack is active, we will be able to observe in real-time when victims connect to our Evil Twin:

Below shows what it will look like when a victim connects (in this case, is me, connecting on purpose):

The victim can now access the internet and there are two options left: sniff the client traffic or redirect all traffic to our captive portal page (well, or both!). Whenever the victim attempts to navigate to any website, they will instead see a captive portal which tells them they need to first log in.

An example captive portal page (albeit a poorly crafted one)

Once the victim enters their credentials, the attacker can proceed to either use them to gain access to the network themselves or simply observe the traffic that is being routed through the rogue AP (with the potential of stealing more credentials like e-mail, social media, or banking log ins — we’ll have to get into the details of these sorts of attacks on a different day).

All of this took maybe 15 minutes to set up and execute from scratch. The hardware necessary to perform this attack (aside from a laptop) is only about $30. This is a very easy and incredibly dangerous MitM attack which can not only capture login credentials to otherwise protected networks, but it can be expanded into a much more complex attack than my example shown here.