How to perform Evil Twin WiFi Attack [Step-by-Step]

Hello, in this guide we will be launching a captive portal evil twin attack using the airgeddon tool. Evil twin attacks have been around for a long time. Attackers combine evil twin attacks and phishing to launch sophisticated social engineering attacks on unsuspecting victims using public hotspots found in cafes and airports. In evil twin attacks, the victim is redirected to a cloned website requesting his/her credentials.

In an evil twin attack, the attacker deauthenticates a user connected to a legitimate internet access point and then creates a rogue access point that looks similar to the legitimate one. The victim unknowingly connects to the rogue access point. From the rogue access point, the attacker is able to launch phishing attacks.


Pre-requisites

  1. Have a running instance of Kali Linux.
  2. Have a WiFi card that supports both Access Point Creation and monitor mode.
  3. Have basic knowledge of the Linux command line and the commands.
  4. Have a target device: any type of device that can connect to an access point. Using another computer or a mobile phone is recommended (always remember to obtain consent where required before making an attack. Hacking is illegal and is punishable by law).
  5. Have an active internet connection.

 

Airgeddon

Airgeddon is a Linux command line application with numerous features used by security engineers as they carry out different evil twin attack tests in their day to day work. Some of its features include:

  • Interface mode switcher keeping selection even on interface name changing
  • Denial of Service over wireless networks using different methods
  • Assisted WPA/WPA2 personal networks Handshake file and PMKID capturing
  • Cleaning and optimizing Handshake captured files
  • Offline password decryption on WPA/WPA2 captured files for personal networks
  • Evil Twin attacks (Rogue AP)
  • Only Rogue/Fake AP mode to sniff using an external sniffer
  • Simple integrated sniffing
  • Integrated sniffing, sslstrip2 and BeEF Browser Exploitation Framework (Hostapd + DHCP + DoS + Bettercap + BeEF)
  • Captive portal with "DNS black hole" to capture WiFi passwords
  • Optional MAC spoofing for all Evil Twin attacks
  • WPS features
  • Known WPS PINs attack (bully and reaver), based on online PIN database with auto-update
  • Integration of the most common PIN generation algorithms (ComputePIN, EasyBox, Arcadyan, etc.)
  • Offline PIN generation and the possibility to search PIN results on a database for a target
  • Parameterized timeouts for all attacks
  • Enterprise networks attacks
  • Fake AP using "smooth" and "noisy" modes capturing enterprise hashes and plain passwords
  • Custom certificates creation
  • WEP All-in-One attack (combining different techniques: Chop-Chop, Caffe Latte, ARP Replay, Hirte, Fragmentation, Fake association, etc.)

 

Steps to use Airgeddon to perform Evil Twin WiFi Attack

Step-1: Install Airgeddon

To install airgeddon, we first download the tool files from the GitHub repository using the command:

git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git

 

Step-2: Launching airgeddon

Before launching an evil twin attack, make sure you have an active internet connection, because it is needed to install the required dependencies when running airgeddon for the first time. To launch airgeddon, we navigate to the tool’s folder we have just downloaded and run it using the command below.

sudo ./airgeddon.sh


Step-3: Choosing an interface to work with

After installing the required dependencies, airgeddon is ready to launch an evil twin attack, but first we need to choose the interface we will be working with. In our case, we will be using wlan0. We choose the interface and press Enter.

Step-4: Putting the interface on monitor mode

Before continuing, we have to put the interface in monitor mode. This will enable us to scan and monitor our target access point. We choose option 2 as shown below.


Step-5: Evil twin WiFi attack option

Now that the interface is in monitor mode, our next step is to select the evil twin attack option, from where we will select the captive portal option. We will select option 7.

Step-6: Choose the type of attack

In attack options, we will choose the evil twin attack with the captive portal option as shown in the image below.


We let it run for some time to detect all the available access points and then close it. After closing, a screen displays all the detected access points. From this screen, we select the access point we will attack, as shown in the image below.


Step-7: De-authenticating users and forcing them to connect to the rogue AP

On this screen, we need to choose the type of attack we want to launch against the target AP as shown in the image below.


We will choose whether we want to run the attack in pursuit mode. (Pursuit mode: in some cases, you may find an access point that is set to run in channel hopping mode. This means the access point keeps switching its channel after a certain period of time. In such a situation, you must use pursuit mode while launching an evil twin attack.)


Lastly, we will choose whether to spoof or keep the original MAC address.


If you want to store the captured handshake file during the evil twin attack, you have to allow it on the next screen as shown below.


We have to select the timeout, but we can leave it at default (20 seconds). Finally, we need to select the language which we will use on the evil twin portal and continue with the attack.


All the users will be de-authenticated from the access point, so they will try to reconnect to another access point with similar features; this will be our rogue access point. Several screens will appear as shown in the image below. After connecting to the rogue access point, the victim will get redirected to a portal requesting a password as shown in the image below.


Step-8: Getting the captured passwords

On the screen below we are able to see the password that has been submitted by the victim on the portal.


Conclusion

Evil twin attacks have been around for quite some time but are still very successful. Using public internet access points makes you vulnerable to this kind of attack. When evil twin attacks are combined with phishing attacks, they are very difficult for a normal person who “just wants to use the internet access point for browsing” to detect. Normal users should be taught how to identify such kinds of attacks on them. For aspiring ethical hackers, launching evil twin attacks on the targets is a skill that should be added to your arsenal.
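On the defending side, the two things this attack does on air (de-authenticating clients of the legitimate access point and advertising a look-alike access point) are both observable. The following is an added example, not part of the original guide or of airgeddon: a small Python check that flags look-alike access points for SSIDs you operate. The record format, the baseline, the threshold values and all sample data are constructed assumptions.

```python
from collections import Counter

# Constructed baseline: SSIDs we operate, their authorised BSSIDs and security.
BASELINE = {"CafeWiFi": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2"}}

# Constructed sample beacons from a monitoring sensor (hypothetical format).
BEACONS = [
    {"ssid": "CafeWiFi", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2"},
    {"ssid": "CafeWiFi", "bssid": "de:ad:be:ef:00:02", "security": "OPEN"},
    {"ssid": "Neighbour", "bssid": "11:22:33:44:55:66", "security": "WPA2"},
]
# Constructed (timestamp_seconds, BSSID the deauthentication frame names).
DEAUTHS = [(100 + i * 0.1, "aa:bb:cc:00:00:01") for i in range(40)]
DEAUTHS.append((500.0, "11:22:33:44:55:66"))

DEAUTH_THRESHOLD = 20  # frames per window; assumed value, tune per site
WINDOW_SECONDS = 10


def deauth_floods(deauths, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return BSSIDs with at least `threshold` deauth frames in one window."""
    buckets = Counter((bssid, int(ts // window)) for ts, bssid in deauths)
    return {bssid for (bssid, _), count in buckets.items() if count >= threshold}


def evil_twin_alerts(beacons, deauths, baseline=BASELINE):
    """Flag beacons that reuse a protected SSID but do not match the baseline."""
    flooded = deauth_floods(deauths)
    alerts = []
    for beacon in beacons:
        known = baseline.get(beacon["ssid"])
        if known is None:
            continue  # not an SSID we protect
        reasons = []
        if beacon["bssid"].lower() not in known["bssids"]:
            reasons.append("unknown BSSID for protected SSID")
        if beacon["security"] != known["security"]:
            reasons.append(f"security {known['security']} -> {beacon['security']}")
        if reasons and known["bssids"] & flooded:
            reasons.append("legitimate AP is under a deauth flood")
        if reasons:
            alerts.append({"ssid": beacon["ssid"], "bssid": beacon["bssid"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in evil_twin_alerts(BEACONS, DEAUTHS):
        print(alert)
```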

 
