Evil Twin Attack

Posted by on
The Evil Twin Attack: A Comprehensive Guide

The Evil Twin Attack

Using Kali Linux Tools on Ubuntu

🕵️ 1 – What is an Evil Twin Attack?

An Evil Twin attack is a type of cyberattack where an attacker sets up a fake Wi-Fi access point that mimics a legitimate one to deceive users. By creating an access point with the same name (SSID) as a trusted network, the attacker can intercept traffic, steal credentials, and compromise sensitive data. This is a classic example of a **Man-in-the-Middle (MITM)** attack.

💻 2 – Wi-Fi Adapters for Hacking

For ethical hacking and penetration testing, a Wi-Fi adapter must support two key features: **Monitor Mode** and **Packet Injection**. Popular and recommended adapters for this purpose include the **TP-Link TL-WN722N** and adapters with **Atheros chipsets**.

  • Monitor Mode: Allows the adapter to passively listen to all network traffic in its range.
  • Packet Injection: Allows the adapter to send custom data packets into the network, essential for deauthenticating clients.

🖥️ 3 – Step-by-Step Procedure

Step 1: Put the Adapter in Monitor Mode

The first crucial step is to enable **monitor mode** on your wireless adapter. This changes your adapter's function from connecting to networks to listening to all traffic. 

sudo airmon-ng start wlan0
  • sudo airmon-ng start wlan0: This command puts the `wlan0` wireless interface into monitor mode. The interface name may change to something like `wlan0mon`.

Step 2: Scan for Target Networks

Next, use the `airodump-ng` tool to scan for all nearby Wi-Fi networks. This will provide the necessary details, such as the **BSSID** (the access point's MAC address), **channel**, and **ESSID** (the network's name), which you will need for the attack. 

sudo airodump-ng wlan0mon

You should see a list of networks. Identify the one you want to test and take note of its BSSID, ESSID, and CH (channel).

airodump-ng scanning networks

Step 3: Deauthenticate Clients

To force users to disconnect from the legitimate network and reconnect to your fake one, you need to send **deauthentication packets**. This will disconnect all users from the real access point, making them vulnerable to your fake one. 

sudo aireplay-ng --deauth 0 -a [BSSID_of_target] wlan0mon
  • --deauth 0: Sends deauthentication packets continuously.
  • -a [BSSID_of_target]: The BSSID of the legitimate network you identified.

Step 4: Create the Fake Access Point (Evil Twin)

In a new terminal, you'll use `airbase-ng` to create the fake access point. This tool will broadcast a network with the same name as your target. 

sudo airbase-ng -a [BSSID_of_target] -e "[ESSID_of_target]" -c [channel] wlan0mon
  • -a [BSSID_of_target]: Mimics the legitimate access point's MAC address.
  • -e "[ESSID_of_target]": Sets the name of your fake network.
  • -c [channel]: Ensures your fake network is on the same channel as the legitimate one.

Step 5: Redirect Traffic and Capture Credentials

Once a user connects to your evil twin, their internet traffic must be redirected to a server under your control. This is typically done by setting up a **DHCP** server to assign IP addresses and a **DNS** server to redirect all requests to a fake login page (a "captive portal").

The fake login page is a crucial component of the attack. It's designed to look identical to a legitimate login page for the Wi-Fi network. When the user attempts to browse the web, they are presented with this page and prompted to "re-enter" their Wi-Fi password or other credentials.

For ethical testing, this entire process is often automated by more advanced tools like **Fluxion** or **Wifiphisher**. These tools handle the creation of the fake access point, the deauthentication, and the generation of a realistic-looking login page to capture credentials, making the process much more streamlined for educational and professional penetration testing.

Note: This process is strictly for use in a controlled, legal lab environment where you have explicit permission to test systems. Using these tools on unauthorized networks is illegal and unethical.

🛡️ 4 – Ethical Use and Prevention

The Evil Twin attack is a powerful technique for educational and ethical hacking purposes. Understanding how it works is the best way to defend against it.

  • For Defense: Always check for slight differences in network names, use a VPN on public Wi-Fi, and avoid entering credentials on open Wi-Fi networks.
  • For Ethical Hacking: Penetration testers use this technique to demonstrate the dangers of insecure Wi-Fi networks to clients. It highlights the importance of user education and secure network configurations.

Comments

Post a Comment