• otw

Wireless Hacking, Part 10: Creating an Evil Twin Wi-Fi AP to Eavesdrop on the Target's Traffic

Updated: Aug 13


Welcome back, my aspiring cyber warriors!

There are a multitude of strategies and techniques for hacking wireless networks. You can see a list of the tutorials in the Wireless Hacking section here on Hackers-Arise. Here, we will look at one more technique for hacking Wi-Fi for spying on the target's traffic.

One such strategy would to be set up a wireless Access Point (AP) that looks and acts identical to a legitimate AP. In this way, unsuspecting victims will connect to this AP for Internet access. Once they connect to the AP, we will then send their traffic through our computer--where we can view and eavesdrop on their traffic--and then back out to a wired or wireless Internet connection. To them, it will totally transparent and looks and acts like their legitimate AP.

To conduct this hack, you will need one wireless adapter (I'll be using a Alfa) and another wired or wireless connection. Our ultimate goal is to be able to watch and even alter the traffic of those people that connect unwittingly to our access point. This can be used in restaurants, coffee shops, schools and businesses to spy on others and even capture their credentials to other sites they connect to. Please note that this hack is not intended to capture the target's Wi-Fi credentials. To do that, see my tutorial "Capturing Wi-Fi Credential with wifiphisher".

To effectuate this hack, we will need to;

1. Build an effective wireless access point from a wireless adapter and the tools available in Kali

2. Pass the Internet traffic through our Kali operating system back out to another wired or wireless connection

3. Eavesdrop on the traffic with a sniffer such as Wireshark or tcpdump

Step #: Fire up Kali

Our first step, as usual, is to fire up Kali. If you are

using a VM of Kali, make certain that you use an

external USB wireless adapter. In my case, I will be using my trusty Alfa AWUS036NHA.

Step #2: Information Gathering

Once you have Kali up and running and your external wireless adapter connected to Kali, the next step is to do a bit of information gathering.

First, let's make certain our wireless adapter is connected to our Kali system. We can use the built-in command in nearly every Linux, iwconfig, for this purpose.

kali > iwconfig

Note that our wireless adapter is connected and named wlan0. Also, note that it is in manged mode (just below the 802.11). For nearly any Wi-Fi hacking, we need this adapter is monitor mode. This is the equivalent to promiscuous mode in wired networks, where you can see all the traffic passing your interface. In our case here, we want to be able to see all the Wi-Fi traffic passing through the air and our adapter.

To put our adapter in monitor mode, we can use one of the tools in the aircrack-ng suite, airmon-ng. We simply need to use the airmon-ng command followed by the word start and then the name of the wireless adapter (wlan0).

kali > airmon-ng start wlan0

Note that when airmon-ng puts the adapter into monitor mode, it changes its name. In this case, it is changed the name to wlan0mon. We will need that information the next step. Yours may be different and if it is, make certain to use that name in the following command.

Now, we want to see all the critical information from all the AP's in our range. We can get that information by using another tool from the aircrack-ng suite, airodump-ng. We start the wireless data dump by simply using the command airodump-ng followed by the name of the wireless adapter you put into monitor mode above.

kali > airodump-ng wlan0mon

Here we can see all the critical info we need for this hack, specifically the BSSID (MAC address) and the ESSID (the name) of the AP we want to clone.

Step #3: Build Our Evil Twin

To create our Evil Twin access point, we can clone any of the AP's in range. Obviously, choose the one where the target will likely be connecting or already connected to. In my case, I will be creating a clone AP with the ESSID of hackers-arise (how original) and a BSSID of aa:bb:cc:dd:ee:ff (this is a fictional BSSID. Please use the BSSID of the target AP) and place it on channel 6. I hope it goes without saying that you should use the information particular to the AP you want to clone.

I can create my evil twin then by using another tool from the aircrack-ng suite, airbase-ng. Simply place the BSSID in the command after -a switch, the ESSID after --essid switch and the channel after the -c switch as seem below.

kali > airbase-ng -a aa:bb:cc:dd:ee:ff --essid hackers-arise -c 6 wlan0mon

As you can see, airbase-ng has started an Access Point (AP) on your wireless adapter and created a tap interface at at0.

Now, let's see if that tap interface (a tap interface is simply a userspace interface that enables the user to do networking, rather than the kernel) appears among our list of wireless interfaces.

kali > iwconfig

As you can see, we now have a new wireless interface. It is labelled at0. This is our evil twin's interface. Right now, all we have is a wireless interface, but anyone who connected would NOT get Internet access. To provide them with seamless internet access, we will need to create a bridge from that interface to our wired interface or other wireless interface connected to the Internet.

Build a Bridge Between Interfaces

To build our bridge through our system, we will use the ip command. You will also need the name of your other network interface (eth0 or wlan1). In my case, I will be building a bridge from at0 to eth0.

The first step is to add a bridge and then name the bridge. In this case, I will name my bridge "ha".

kali > ip link add name ha type bridge

Next, I will make certain the bridge is up.

kali > ip link set ha up

In the next step, we simply add end points to this bridge. In our case, the end points are eth0 and at0.

kali > ip link set eth0 master ha

kali > ip link set at0 master ha

Now that you have created your bridge, let's make certain your system "sees" it by running ifconfig.

kali > ifconfig

As you can see above, there is now an interface ha with wlan0 on one end and eth0 on the other.

Step#4: Set Up DHCP

Now that we have our Evil Twin interface up and a bridge built between our Evil Twin and our external Internet connection (eth0), we will need to serve up DHCP assigned IP addresses to those who connect to our Evil Twin (otherwise they won't be able to traverse the Internet). We can do that by using the dhclient utility built into Kali and assigning it to our bridge

kali >dhclient ha &

Remember, the & at the end of this command simply puts his daemon (process) in the background. Kali will respond with the Process ID (in this case, 2199, but yours will likely be different) and nothing else.

Step#5: Knock the Targets from the AP

We could wait for the victims to connect to our Evil twin or we could knock them off their current AP and hope they then reconnect to ours. We can use the deauth frame of Wi-Fi to knock everyone off the AP and then hope they reconnect to ours. For this step, we will use another tool from the aircrack-ng suite, aireplay-ng.

kali > aireplay-ng --deauth 10 -a aa:bb:cc:dd:ee:ff wlan0mon --ignore-negative-one

Where:

aireplay-ng is the command

aa:bb:cc:dd:ee:ff is the fictional BSSID we can to knock the users off

--deauth 10 tells the command to send 10 deauth frames

wlan0mon i sthe name of our interface

--ignore-negative-one avoids a common error

We have now kicked everyone off the legitimate Hackers-Arise AP and we will wait for them to re-associate (connect) to our AP. If we are closer or have a stronger signal, they will likely reconnect to ours.

Step #6: Sniff Their Traffic with Wireshark

When they connect to our Evil Twin AP, we can simply open Wireshark on our Kali system and watch all their traffic pass through our system.

kali > wireshark

When Wireshark opens, select the bridge we created (ha) as the interface we want to sniff on.

Now, we can see all the traffic of our guests(?) and even sniff out their credentials by following their tcp stream and looking for POST packets (for more on Wireshark, see Network Forensics, Wireshark Basics Parts 1 and 2).

Conclusion

In this tutorial, we set up a Wi-Fi AP with the same SSID as a legitimate Wi-Fi AP in order to eavesdrop on their traffic. Once we have all their traffic passing through our system, we can;

1. View all the sites they visit;

2. Potentially find credentials to other sites;

3. Re-direct their traffic to our websites rather than the site they intended.

If you are more interested in obtaining the victim's Wi-Fi AP credentials, check out my tutorial on wifiphisher here.


2,691 views