Evil twin attacks sound exactly like what they are. The attack works by creating a fake WiFi with the same name as the target. The attack works on both open and encrypted networks (it works better if you know the password).
Disclaimer: I’m not responsible for what you do with this information.
Tools
Airgeddon — Only gets WiFi passwords
Wifiphisher — More captive portal options
Computer — needs to run Linux
Two WiFi adapters — needs to support packet injection
Airgeddon
One of the best scripts for WiFi attacks. If you are looking for more than the WiFi password, use Wifiphisher instead. Once installed run
sudo airgeddon
In the terminal. A cute ufo animation will show up and a prompt to press enter. It then checks for dependencies and may try to auto-install missing ones depending on your distro. You will then be prompted to select a WiFi adapter. Select one of your WiFi adapters and you will get to Airgeddons main menu. On the main menu select the Evil Twin option (should be number 7).
In the Evil Twin menu select 2 to put the adapter in monitor mode
After your WiFi adapter is in monitor mode select what attack mode you want (options 5 to 9). In this example, we will be using the captive portal option (option 9). Once option 9 is selected Airgeddon will start scanning for nearby networks. A window will pop up which you can close after a few seconds. Airgeddon will then give you a list of found networks and you can select your target.
Once a target is selected Airgeddon will ask you what deauth type to use.
In this example, we will use option 2 but option 1 is also effective on most networks. Airgeddon will then ask for a handshake file to verify the victim’s input. If you have one you can enter the path here. If not then Airgeddon will try to get one.
Once Airgeddon has gotten a handshake or you have supplied one, you will be prompted to choose a language for the login portal.
After the language is chosen Airgeddonn will begin the attack. It should look something like this:
A bunch of stuff will pop up when a victim connects to the fake network. Once the victim enters the correct password Airgeddon will tell you and ask if you want to save the password somewhere.
Wifiphisher
Wifiphisher is more capable than Airgeddon in what options it has. It comes with four different login pages for different scenarios. In this example, we will also be trying to get the WiFi password using Wifiphisher’s firmware update page.
To use Wifiphisher, start by setting your WiFi adapter in monitor mode. If you can, capture a handshake from the target network. The handshake is optional but highly recommended.
In the terminal type:
sudo wifiphisher -i (adapter name here) -hC (path to handshake pcap file)
ex. sudo wifiphisher -i wlan1mon -hC /home/user/handshake.pcap
If you don’t have a handshake type:
sudo wifiphisher -i (adapter name here)
ex. sudo wifiphisher -i wlan1mon
Once Wifiphisher starts, it immediately starts scanning for nearby networks. Choose the target network using the arrow keys and press enter.
Once you have selected the target network Wifiphisher will prompt you for which phishing page you want to use. The firmware update page should be option three. After the portal has been selected Wifiphisher will automatically start the attack. Wifiphisher will automatically detect and use your second adapter to death the real network.
Optional: Extra Phishing Pages
Once the victim has entered the password it will show up as a post request.
And just like that Wifiphisher has gained the password.
Conclusion
Evil twin attacks are a great way to phish passwords from victims, especially towards people who don’t know their way around tech. This attack is not effective towards those who know the network is a trick. Major operating systems have also implemented warnings and safeguards to prevent users from falling for the scam. Unfortunately, most of the world is still tech illiterate, keeping Evil twins a significant threat to security.
Happy Hacking~!
Leave a Reply
You must be logged in to post a comment.