Futaba _ Webs 🕸🕸🎃🕸🕸

Evil Twin Attack 🕸🕸🎃🕸🕸

Today, we are going to go over one of my favorite exploits, the EVIL TWIN ATTACK! This exploit focuses on kicking end users off their main network or posing as a legitimate one for end users to connect to so we can phish them and compromise sensitive data.


🎃 Article Glossary


Disclaimer

As always, personal disclaimer, any and all information for this is strictly for educational purposes and I do not condone any form of illegal activity, nor am I responsible for anything you should use this information for. DO NOT pen-test on anyone's network unless it is your own, or you have permission to do so. Now, let's begin!

🕸 Article Topics 🕸

I'll be discussing the following topics in order:

🎃 Premise

🎃 What is a Rogue Access Point?

🎃 What is DNS Poisoning?

🎃 I just won't connect to any AP's that aren't mine!

🎃 What are Jamming Attacks?

🎃 How to spot that you are on one

🎃 Evil Twin Attacks Bypass Random AP Channel Security

🎃 How to Hypothetically bypass randomized channels without Evil Twin?

🎃 The Exploit

You can click on any of the topics to simply check that one out if it interests you!


🕸 Key Links 🕸

Here's a quick run down on all the main links that are in the article in case you want to check them out first.

🎃 LinkedIn Version

🎃 Wild West Hacking Fest Presentation

🎃 Creating a Custom Rogue Access Point

🎃 Slide Show Presentation

🎃 Wifi Hacking Article

🎃 SanDisk Wireless Flash Drive

🎃 AlfaAC1200

🎃 Evil Twin Attack

Premise 🕸🕸🎃🕸🕸

Typically this is done using something known as the "WiFi Pineapple" from Hak5. The tool is designed to masquerade as a legitimate network access point and trick end users into connecting: it poses as the router, intercepts any and all exit-node traffic that is sent to it, and strips that traffic in the process to bypass secure communication methods. It interconnects with the main access point and forwards the communication on the client's behalf to the target destination as if nothing ever happened.

But, WE'RE much better than that. You shouldn't have to rely on someone else's tool to get the job done. Are you a hacker or aren't you? I'm going to show you HOW to perform the exploit without one and the raw natural science behind it.

HOWEVER, since this involves WIFI hacking and network penetration testing, I recommend you check out my previous article that covers more on this topic as it goes over a lot of terminology that you might be unfamiliar with.

What is a Rogue Access Point? 🕸🕸🎃🕸🕸

Rogue access points are wireless access points that masquerade as an original access point in order to trick end users into connecting to them, or that pose as access points one would assume are safe to use. Once the victim connects, it simulates that of a REAL network, gateway portal and all (the login page you see when you connect to free WiFi). Once the end user is on the network they will start to use it and try to access websites they typically use, some of which require them to log in and send over sensitive credentials. This also includes any and all forms of MFA data that are sent over, allowing hackers to bypass that security. What happens next involves a process known as DNS poisoning.

What is DNS Poisoning? 🕸🕸🎃🕸🕸

DNS poisoning is similar to a technique known as ARP poisoning, where you poison the ARP cache of a network host or switch/gateway device in order to receive copies of what other systems on the network are sending and receiving.

To put it simply, with an example that is easy to understand: you're spoofing the end user's MAC/IP addresses on the network, OR directly targeting the ARP cache of the gateway device, to intercept their traffic, which in return leads to you also receiving a copy of what the target system receives as it sends data over the network. This lets you capture things like sensitive credentials, even bypassing secure communications like HTTPS, since you can't spy on that through normal means using tools like Wireshark or tcpdump. If you try to do so you will get nothing.

HOWEVER, in this case we are spoofing and manipulating the DNS routing that is set in place in order to redirect the end user to malicious sites of our choosing. DNS runs on port 53 and is what the default gateway uses to handle and route network traffic on your behalf while browsing the internet. This is handy in case you happen to misspell something when entering a site name. It also handles converting name-based addresses back to their respective numeric IP format so that you can browse the internet with ease.

What we are going to do in this case, for demonstration purposes, is set up a rogue access point that has a system on the network "acting" like the default gateway. Once the end user connects, we have them routed through it, and then spoof sites like Google via the hosts configuration file so that, when they try to visit them, the end user is routed on our behalf to an Apache server hosting a copy of the site made with HTTrack. The goal of the attack is to have it log any sensitive credentials that are sent from the client, which we check via the Apache access log located at /var/log/apache2/access.log.
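From the client's side, the hosts-file redirection just described has a visible symptom: well-known public names resolve to the gateway or to a private address instead of a public one. The following is an added example, not code from the article; the domain names and the sample answers are constructed, and `resolve_live` is a hypothetical helper that queries whatever resolver the current AP handed out.

```python
# Added example (not from the original article): client-side check for the
# DNS / hosts-file redirection a rogue gateway performs. Domain names below
# are illustrative; the sample answers in main() are constructed.
import ipaddress
import socket

# Public sites that should never resolve to a private or gateway address.
WATCHED_DOMAINS = ["www.google.com", "example.com"]


def classify_answer(domain, addresses, gateway_ip):
    """Return a list of reasons the answer for `domain` looks redirected."""
    reasons = []
    gw = ipaddress.ip_address(gateway_ip)
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip == gw:
            reasons.append(f"{domain} -> {addr}: answer is the gateway itself")
        elif ip.is_private or ip.is_loopback or ip.is_link_local:
            reasons.append(f"{domain} -> {addr}: non-public address for a public site")
    return reasons


def audit(answers, gateway_ip):
    """answers: {domain: [ip, ...]} as returned by the network's resolver."""
    findings = []
    for domain, addresses in answers.items():
        findings.extend(classify_answer(domain, addresses, gateway_ip))
    return findings


def resolve_live(domains):
    """Hypothetical helper: resolve names through the AP-supplied resolver."""
    out = {}
    for d in domains:
        try:
            infos = socket.getaddrinfo(d, 443, proto=socket.IPPROTO_TCP)
            out[d] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[d] = []
    return out


if __name__ == "__main__":
    # Constructed sample: two names pointed at the rogue gateway / LAN, one clean.
    sample = {"www.google.com": ["192.168.1.1"],
              "example.com": ["10.0.0.5"],
              "clean.example.net": ["93.184.216.34"]}
    for finding in audit(sample, "192.168.1.1"):
        print("WARNING:", finding)
```

Run it with `audit(resolve_live(WATCHED_DOMAINS), "<your gateway IP>")` after joining an unfamiliar network; any finding means the resolver is steering public names onto the local segment.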

I just won't connect to any AP's that aren't mine! 🕸🕸🎃🕸🕸

Here's where you're wrong about that, and how you can still get hacked. Remember the last article where I talked about how the whole process of breaching a wireless access point involved sending de-authentication packets? We do this in order to bounce systems off the network and force them to re-authenticate, so we can capture the 4-way handshake used for WPA2 wireless encryption. The same thing can be applied here to kick you off your own network and pop you onto the rogue one.

When you connect to an access point, in general your system looks for the SSID to connect to by name. If an attacker creates one with the same name and then kicks everyone else off the main one, which do you think it will prioritize? This can also be done via jamming methods, combined with the de-authentication method I've just discussed. It's because of this that Evil Twin attackers are able to bypass the randomized AP channel security that is often seen on AP devices.

What are Jamming Attacks? 🕸🕸🎃🕸🕸

Jamming attacks jam the signal of the original access point so that victims on the network can only connect to yours when they attempt to re-authenticate back to the main AP. It causes a form of RF interference that prevents the main AP from allowing end users to connect back to it. Think of this like a form of DOS, where you block the router, in this case, so that only your AP can be interacted with if that makes sense.

This process is done by exploiting something known as the "Transmit Power Level" (PWR), which is set in order to change the overall quality of the RF signal that carries wireless data from one endpoint to another over a channel. It has an integer value, where the lower the number, the better the quality. Find one that is of better quality, or a match, and you'll be able to jam the AP if yours is better.

How to spot that you are on one 🕸🕸🎃🕸🕸

One of the biggest dead giveaways that you are on a rogue access point is the classic lack of HTTPS on sites that typically have it. If you ever notice that your connection doesn't appear to be "secure" on sites that normally use HTTPS, then you know that you are on one.

Be mindful that just because a site has "HTTPS" doesn't mean it's secure either, even if you are browsing from a legitimate access point. These are just key things to look out for if you find yourself in these situations.
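A second tell, beyond the missing HTTPS, shows up in a plain Wi-Fi scan: the same SSID advertised by two BSSIDs with different security settings, the twin being open because the attacker set its password to NONE. The script below is an added example, not the article's code; the scan table is a constructed, simplified CSV (bssid, channel, privacy, signal in dBm, essid), not real airodump-ng output, and the `known` mapping of SSID to your own router's BSSID is an assumption.

```python
# Added example (not from the original article): flag evil-twin candidates in
# a Wi-Fi scan. SCAN_CSV is a constructed, simplified scan table, not real
# tool output; `known` maps an SSID to the BSSID you expect to serve it.
import csv
import io
from collections import defaultdict

SCAN_CSV = """bssid,channel,privacy,power,essid
AA:BB:CC:00:00:01,6,WPA2,-52,HomeNet
AA:BB:CC:00:00:01,6,WPA2,-55,HomeNet
DE:AD:BE:EF:00:01,11,OPN,-38,HomeNet
11:22:33:44:55:66,1,WPA2,-70,CoffeeShop
"""


def parse_scan(text):
    """Parse the simplified CSV into normalized rows."""
    return [{"bssid": r["bssid"].upper(), "channel": int(r["channel"]),
             "privacy": r["privacy"].upper(), "power": int(r["power"]),
             "essid": r["essid"]} for r in csv.DictReader(io.StringIO(text))]


def find_twins(rows, known=None):
    """Return one finding per ESSID served by more than one BSSID.

    Severity is HIGH when an open BSSID sits beside a protected one (the
    article's exploit setup), or when the strongest BSSID is not the one in
    `known`; otherwise MEDIUM."""
    by_essid = defaultdict(dict)
    for r in rows:
        by_essid[r["essid"]][r["bssid"]] = r  # dedupe repeated beacons per BSSID
    findings = []
    for essid, aps in by_essid.items():
        if len(aps) < 2:
            continue
        privs = {a["privacy"] for a in aps.values()}
        strongest = max(aps.values(), key=lambda a: a["power"])["bssid"]
        severity = "HIGH" if "OPN" in privs and len(privs) > 1 else "MEDIUM"
        if known and essid in known and strongest != known[essid].upper():
            severity = "HIGH"  # the loudest "HomeNet" is not our own router
        findings.append({"essid": essid, "bssids": sorted(aps),
                         "strongest": strongest, "severity": severity})
    return findings


def scan_demo():
    """Run the check over the constructed sample scan."""
    return find_twins(parse_scan(SCAN_CSV), known={"HomeNet": "AA:BB:CC:00:00:01"})


if __name__ == "__main__":
    for finding in scan_demo():
        print(finding)
```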

Evil Twin Attacks Bypass Random AP Channel Security 🕸🕸🎃🕸🕸


How to Hypothetically bypass randomized channels without Evil Twin? 🕸🕸🎃🕸🕸

It's quite simple: there are only a finite number of channels that we can send de-authentication packets on, so if we wanted to, hypothetically, we could also randomize our channels with the Aircrack-ng tool via a bash script, so that we eventually hit the AP. All we need is ONE of them to connect and the exploit will be successful.

The Exploit 🕸🕸🎃🕸🕸

For this exploit, all you are going to need are two access points with different PA levels, one weaker than the other, in order to kick the end user off the network. You can use whatever you want, BUT, in case you want an easy setup I recommend the product right here. You'll also need the NIC card listed here as well if you want to kick them off the network via de-authentication packets.

SanDisk Wireless Flash Drive

AlfaAC1200

This little toy here, the SanDisk Wireless Flash Drive, is one of the best "unintended" hacking tools that you could possibly own. WHY? Well, it's a wireless access point you can connect to, share files over, and save stuff to. You can practice network penetration testing on the go with this and do whatever you want. The default gateway also has all HTTP methods allowed so you can practice hacking it, and it also allows you to daisy-chain to a main AP just like the WiFi Pineapple. It also happens to have a weaker PA level that we can exploit. And, unlike most APs today, you can practice WiFi hacking against it since it doesn't have randomized channels for security.

Now, the exploit:

🎃 First, set the SSID of the SanDisk AP to any name that you desire. You can do this from the gateway portal where all the configurations are located.

🎃 Next, add systems to the network and then have them connect to the target AP's gateway portal to check that you are on the right network. If they can talk to the portal then you are good to go.

🎃 Next, pop open a router that you have and change its SSID to that of the SanDisk one, and then, and this is also CRUCIAL, set the password for the access point to NONE. You need to do this so that the end users are automatically authenticated to the AP. This creates the illusion that they are re-authenticating, allowing you to go undetected.

🎃 Next, pop open the video that I've provided and follow along up until "2:50", which is where you will see the main AP of the SanDisk Flash Drive being de-authenticated. This also shows you how to set up the NIC to sniff APs. Follow those very steps to kick end users off the network, and watch as they bounce to the rogue one that you've created. Once that's done, check if you have clients on the rogue network. If you do, then the exploit was a success!


If you enjoyed this post give it a thumbs up! I'll be keeping track of who's reacting from now on as there is a "special" reason for it. Just know the more you support my content the more there is in store!


- The Hacker Who Laughs 🕸🕸🎃🕸🕸


🎃 CONTACT ME

AnOnYmOuS

futaba.webs@gmail.com

New York, NY United States