Evil Twin Rogue AP - Phishing Attack
Harvesting credentials with a phishing page served from an Evil Twin WiFi rogue access point
Disclaimer: For educational purposes only
This article is for educational purposes. Use it on authorized networks and devices only.
Who can follow along (on authorized networks only):
If you have a newer PC whose NIC chipset supports monitored mode (roughly 6 years old or newer) and runs Kali Linux as the host OS or dual-booted. (If you don't know what monitored mode or NICs are, don't worry; they are all covered in the prerequisites section of the article.)
If you have an older PC running Kali Linux as the host (dual-booted or as the only OS) but you have an external USB WiFi adapter.
If you run Kali in a virtual machine with a USB WiFi adapter passed through to the VM and showing up as a wlan (wireless) interface inside it.
If you can't follow along, no worries. You can still read through; I assure you that you'll learn a few new things here.
Required Software/tools:
A USB WiFi adapter with a chipset that supports monitored mode is required if you're using a virtual machine or if your PC has old hardware (preferably a dual-band adapter that supports both 2.4GHz and 5GHz). I've used an ALFA AWUS036ACM.
You can proceed without an external USB WiFi adapter only if you have a PC with newer hardware (one from the last 5 or so years, whose NIC supports monitored mode) running Kali Linux as the host OS or dual-booted, not as a virtual machine.
You can keep reading the article but won't be able to follow along if your PC has no wireless support and only a wired (Ethernet) connection.
A Linux distribution, preferably Kali Linux (host OS or dual-booted).
- If you're using a guest OS in a virtual machine, configure the VM yourself: you'll have to pass your USB adapter through to the Oracle VirtualBox or VMware machine (the two differ a bit in how the USB adapter is attached). Do that first and then proceed.
The Wifiphisher tool.
Prerequisites:
You can skip the following section if you're already familiar with concepts like dual-band adapters (2.4GHz, 5GHz); the differences between a modem, a router and an access point; managed vs monitored mode of a NIC; and SSID, BSSID and ESSID.
Concepts/terms that'll make the upcoming tutorial easier to follow:
2.4GHz vs 5GHz WiFi Frequencies:
What are 2.4GHz and 5GHz? What are dual-band adapters?
In WiFi networks, 2.4GHz and 5GHz are the two frequency bands that wireless-capable devices use to communicate.
Almost all devices nowadays, including older ones, use 2.4GHz, while 5GHz is a relatively newer band and is supported only by newer devices.
Devices that support 5GHz typically support 2.4GHz as well, for backward compatibility.
What's the difference between the two?
Both have their pros and cons. They work best when a device supports both; why do I say so? Let's see:
Bandwidth: 2.4GHz supports lower bandwidth, meaning your download and upload speeds are lower, whereas 5GHz supports higher bandwidth.
Distance range: 2.4GHz has a longer range, whereas 5GHz has a shorter signal range.
Interference: both 2.4GHz and 5GHz signals are affected by obstacles in the way (like walls), but 5GHz signals drop off much more sharply when something is in the way.
So when a device supports both the 2.4GHz and 5GHz bands, and so does the network it wants to join, then:
If the device connecting to the WiFi router (or WiFi adapter) is close by, it will use the 5GHz band and get higher bandwidth. This gives good performance and speed.
If the device is farther from the router (or WiFi adapter), it will switch to the 2.4GHz band to stay connected to the same router (or WiFi adapter). This prevents connection loss.
WiFi, Modem, Router and AP:
Let's talk a bit about what a modem, a router, an access point and WiFi itself are. More importantly, we'll look at the end at where each of them sits in a network.
WiFi
- A technology that lets devices connect to a network and to each other wirelessly, without any physical connection.
Modem
- Converts the digital signals coming from your computer to analog for transmission to the internet, and vice versa.
Router
- A device that lets wireless devices (like mobile phones and laptops) and wired devices (using Ethernet) join together in a LAN. It broadcasts 2.4GHz and 5GHz signals (if it's a dual-band WiFi router) so that wireless devices can join the LAN, while wired devices connect directly to it over Ethernet to be part of that same LAN.
Routers have a built-in firewall and also run DHCP, which hands out a free available IP address on the network to each device that connects.
Wireless Access Point (AP)
- A wireless access point is a device that looks similar to a router but works as a wireless extension. Let me explain.
Let's say you have a WiFi router in your office placed on the 2nd floor of a four-floor building.
The signal on the floor where the router is placed is good, but the wireless devices on the other three floors, especially the fourth, can't connect to this router (even if we ran an Ethernet cable from the router on the 2nd floor up to the 4th, the devices are wireless, so they can't plug into it).
So here we take an Ethernet cable from the router and connect it to an access point. This access point now emits the same signals as the router and lets the wireless devices on the fourth floor connect to it, and hence to the router.
It basically works as a signal amplifier (repeater) for wireless devices.
So in series: the modem is the device on the service provider's side that connects through to the internet, after it comes a router, and to the router is connected an access point (if required).
Internet -> (Internet Service Provider -> Modem) -> Router -> Access Point (optional)
Image source: lazyadmin
Note:
Even though modems are still widely used, they are going out of commission these days, as FTTP (Fiber To The Premises) fiber-optic cables are used to deliver internet connectivity to the user's home or premises. These don't need a modem; instead they need an ONT (Optical Network Terminal), which converts optical signals into digital ones and vice versa.
Sometimes ISPs provide a direct Ethernet connection to the user's home; in that case too, there is no modem.
Wireless NIC's Managed vs Monitored Mode:
In wireless networking, i.e. wherever WiFi is in use, you'll come across these two terms very often, especially if you're a security professional tasked with a network audit or assessment. So let's understand them briefly.
A Network Interface Card (NIC) is hardware (typically built into your computer) that enables it to connect to a network.
Wireless NICs operate only over wireless technologies like WiFi.
These are the two modes a wireless NIC (with WiFi support) can operate in that you should be aware of for this article:
Managed Mode:
It is the default operating mode of a NIC.
In managed mode, the NIC or adapter (a NIC is built into every adapter) acts as a client device that tries to connect to an access point or a WiFi router.
In this mode, it only captures the packets meant for it (those with its MAC address in the destination header).
Monitored Mode:
Also called promiscuous or RFMON (Radio Frequency Monitoring) mode.
In monitored mode, the NIC or adapter listens to, and is set to capture, all the wireless traffic around it.
It doesn't matter whether the device is part of a network or not; it will listen to all the WiFi signals around it regardless.
Run the following command:
iwconfig
- This command lists the wireless interfaces plugged into or built into your PC, along with info about the network each one is connected to.
There's one Wireless Local Area Network (WLAN) connection that I'm part of, appearing as interface "wlan0" on my system.
The network I'm connected to is named "Tattakeanand_".
We'll talk about the ESSID thing later, don't worry about it at the moment.
The mode it's operating in at the moment is Managed.
The frequency band that the NIC (of whatever I'm connected to, which could be a WiFi adapter or a mobile hotspot) is operating in is 5GHz.
For your reference, I've included my device's preferred frequency band that it's operating in:
The access point's MAC address (the MAC address of the router or mobile hotspot you're connected to).
Now I've just plugged in my ALFA adapter but haven't yet connected it to any network. It shows up as an interface named "wlan1", as you can see.
But it doesn't show any ESSID (network name) or access point because, as mentioned, it's not connected to any network yet.
After connecting it to another network (5GHz band network):
The attack itself won't require you to do any of this by hand; the tool (Wifiphisher) does it all. I've covered it anyway so that you understand what the tool is actually doing.
SSID vs BSSID vs ESSID
You've surely seen this many times when you turn on your mobile's or computer's WiFi.
SSID
The network names in the image above are what we call SSIDs (network names); SSID stands for Service Set Identifier.
SSIDs are typically human-readable network names that we use to identify the network we want to connect to.
Example: "Tattakeanand_"
ESSID
But wait, an SSID listed in your WiFi can also be an ESSID (Extended Service Set Identifier). How? Let's see.
Let's say you're trying to connect to a network in a medium to large office or house.
In such places there would be a wireless access point (AP) connected by Ethernet cable to the main WiFi router (recall the access point part discussed earlier in the prerequisites), extending the network range so that more distant WiFi devices can connect to the same router through that AP.
This AP will have the same network name "Tattakeanand_", as we're connecting to the same network (the router), but we now call it an ESSID rather than an SSID.
As we've extended the network by adding an AP, the SSID seen in the farther part of the building (a medium to large office or home) is being broadcast by the AP, not by the router. Since the SSID (network name) is being broadcast by an extension, i.e. the AP, it is now called an ESSID (Extended SSID).
Note: SSID and ESSID are often used interchangeably.
Run the iwconfig command again:
- ESSID: "Tattakeanand_". Do you understand this now? I hope you do.
BSSID
Stands for Basic Service Set Identifier.
Even though you see network names as human-readable text when you turn on your WiFi, computers can't work with those.
They use the BSSID, which is actually the MAC address of the AP that's broadcasting the network name to any WiFi device around.
Rogue Access Point ( AP ):
A rogue AP is an access point introduced into a network without authorization from the network owner or the network admins.
We'll be spawning a rogue AP in the upcoming attack demonstration with the help of the Wifiphisher tool, running on a wireless interface.
Not going to lie, that was a lot of prerequisites. Anyway, the attack itself will be shorter, as you now know quite a lot and I won't have to explain everything thoroughly.
Let's pause here for a moment if you've read through all of the prerequisites section. If needed, skim through it all once more.
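The BSSID and rogue AP sections above give a defender everything needed for the most basic evil-twin check: a rogue AP borrows the SSID but cannot borrow the BSSID of an AP you administer, and it often shows up open next to your secured network. The script below is an added example written for this article (it is not the author's code and not part of Wifiphisher). It parses the terse output format of `nmcli -t -f SSID,BSSID,CHAN,SECURITY dev wifi`, groups access points by SSID and flags any BSSID that is missing from an allowlist or that advertises an administered SSID without security. The scan lines, MAC addresses and allowlist are constructed for the example.

```python
"""Flag possible evil-twin access points in a Wi-Fi scan.

Added example for this article; it is not the author's code and not part of
Wifiphisher. Input format: the terse output of
`nmcli -t -f SSID,BSSID,CHAN,SECURITY dev wifi`, in which nmcli escapes the
colons inside the BSSID as "\\:". The scan lines and MAC addresses below are
constructed for the example.
"""
from collections import defaultdict

# Constructed scan output. Lines 1 and 2 are two legitimate APs of one ESS
# (the "extended" network from the ESSID section). The last line is a third AP
# advertising the same SSID with an unknown BSSID and no security: the pattern
# an evil twin produces.
SAMPLE_SCAN = """\
Tattakeanand_:AA\\:BB\\:CC\\:00\\:11\\:22:36:WPA2
Tattakeanand_:AA\\:BB\\:CC\\:00\\:11\\:23:1:WPA2
GuestNet:DE\\:AD\\:BE\\:EF\\:00\\:01:6:WPA2
Tattakeanand_:02\\:11\\:22\\:33\\:44\\:55:6:
"""

# Allowlist of BSSIDs for the SSIDs you administer (constructed; a real list
# comes from your router/AP admin pages or a baseline scan taken on a quiet day).
KNOWN_BSSIDS = {
    "Tattakeanand_": {"AA:BB:CC:00:11:22", "AA:BB:CC:00:11:23"},
}


def parse_nmcli_terse(text):
    """Parse nmcli -t lines into dicts, restoring the escaped colons in BSSIDs."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Hide escaped colons, split on the real field separators, then restore them.
        fields = line.replace("\\:", "\x00").split(":")
        if len(fields) != 4:
            continue  # not a SSID,BSSID,CHAN,SECURITY row
        ssid, bssid, chan, security = (f.replace("\x00", ":") for f in fields)
        rows.append({"ssid": ssid, "bssid": bssid.upper(), "chan": chan, "security": security})
    return rows


def find_evil_twins(rows, known):
    """Return (ssid, bssid, reasons) for access points that deserve a closer look.

    Two signals, either of which is enough to flag an AP:
      * the BSSID is not on the allowlist for an SSID we administer;
      * the same SSID is advertised both secured and open (an open twin
        beside the real WPA2 network).
    A second legitimate AP of the same ESS has a different BSSID too, so the
    allowlist, not the mere presence of two BSSIDs, separates an extender
    from a twin.
    """
    by_ssid = defaultdict(list)
    for row in rows:
        by_ssid[row["ssid"]].append(row)

    findings = []
    for ssid, aps in by_ssid.items():
        securities = {ap["security"] for ap in aps}
        for ap in aps:
            reasons = []
            if ssid in known and ap["bssid"] not in known[ssid]:
                reasons.append("BSSID not in allowlist")
            if len(securities) > 1 and ap["security"] == "":
                reasons.append("open AP shares SSID with a secured AP")
            if reasons:
                findings.append((ssid, ap["bssid"], "; ".join(reasons)))
    return findings


def scan_report(text=SAMPLE_SCAN, known=KNOWN_BSSIDS):
    """Convenience wrapper: parse a scan and return the findings."""
    return find_evil_twins(parse_nmcli_terse(text), known)


if __name__ == "__main__":
    for ssid, bssid, why in scan_report():
        print(f"SUSPECT {ssid!r} {bssid}: {why}")
```

Run it against a live scan by piping `nmcli -t -f SSID,BSSID,CHAN,SECURITY dev wifi` into `parse_nmcli_terse`. The allowlist matters: a legitimate ESS with one router and one extender already shows two BSSIDs for one SSID, so counting BSSIDs alone would false-positive on exactly the setup the ESSID section describes.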
Let's start the Attack
Note for virtual machine users: As I mentioned in the beginning, I'm using Kali as the host OS and this article is written from that point of view only. If you're using a virtual machine, the attack part is the same, but first you'll have to configure your VM so that the USB WiFi adapter shows up as wlan0 or wlan1 (a wireless interface) inside your VM. Virtual machines often present your connection as Ethernet (wired) by default even when you're using wireless.
I'm assuming now that you've satisfied all the requirements and are familiar with the concepts discussed in the prerequisites section.
Attacker's POV - WifiPhisher
Our attack is going to be based heavily on the Wifiphisher tool.
Starting with the first command:
Check which wireless interfaces are available:
We have two: wlan0 (built-in) and wlan1 (external USB WiFi adapter), both connected to the same network "Tattakeanand_".
Note down the SSID of the one network that we're authorized to run the attack against:
- Warning: select the network that you own and have authorization to conduct such tests on.
- For the demonstration, the network selected is "Tattakeanand_".
Note: before proceeding further, save your work and close any applications you have running.
Next we'll run wifiphisher on one of the wireless interfaces (wlan0), with the target network SSID (Tattakeanand_):
sudo wifiphisher -i wlan0 -e "Tattakeanand_"
"-i" selects the interface.
"-e" sets the target ESSID. This is the ESSID that will be used for the rogue access point (AP) deployed on the interface we selected.
You can explore all the tool's other options using the following command, but this is enough for our attack:
wifiphisher -h
Everything from here on is menu-driven; you won't need to run any more commands.
- As soon as you run the command, you'll see some output pass by quickly and then be prompted to choose from 4 options:
You can try each one out later, but for now we'll go with the Firmware Upgrade Page.
But before we proceed, let's look at the output that scrolled by before this window appeared:
First, Wifiphisher creates a "wfphshr-wlan0" interface for deauthenticating the user if they are connected to the "Tattakeanand_" network, by sending deauthentication (deauth) frames while appearing to be the legitimate Tattakeanand_ AP.
- You'll often see this fail to deauthenticate the device. No worries, the attack will still be effective enough.
wlan0 is the interface being used to deploy the rogue access point.
Then it changes the BSSID (i.e. the MAC address) of the AP.
Then it also starts a DHCP server, so when a device connects it gets assigned an available IP address from the pool.
The setup is ready.
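The deauthentication step described above is also the noisiest part of the setup from a defender's point of view: a genuine AP drops clients one at a time, while a tool kicking users off sends a burst of deauth frames, usually to the broadcast address, carrying the victim AP's BSSID. The script below is an added example for this article (not the author's code and not part of Wifiphisher) showing how a monitor-mode sensor would spot that burst. It parses raw 802.11 management frame headers, keeps a sliding window of deauth/disassoc frames per BSSID and alerts when the count crosses a threshold. The capture, MAC addresses and frame bytes are constructed in memory; nothing is transmitted.

```python
"""Detect deauthentication floods in captured 802.11 management frames.

Added example for this article; not the author's code and not part of
Wifiphisher. It consumes raw 802.11 frames as a monitor-mode capture delivers
them (radiotap header already stripped). The frames and MAC addresses below
are constructed in memory for the example; nothing is transmitted.
"""
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 8, 10, 12


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_frame(frame):
    """Return (subtype, dst, src, bssid, reason) for a management frame, else None.

    Header layout: frame control (2) | duration (2) | addr1 DA (6) | addr2 SA (6) |
    addr3 BSSID (6) | sequence control (2). For deauth/disassoc the body begins
    with a 2-byte little-endian reason code.
    """
    if len(frame) < 24:
        return None
    fc = frame[0]
    if (fc >> 2) & 0x3 != 0:        # type 0 = management
        return None
    subtype = (fc >> 4) & 0xF
    dst, src, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    reason = None
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, dst, src, bssid, reason


def detect_deauth_flood(frames, window=2.0, threshold=10):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes), in time order.

    Raise one alert per BSSID that sources >= threshold deauth/disassoc frames
    within `window` seconds. A real AP drops clients one at a time, so a burst,
    and especially a burst addressed to ff:ff:ff:ff:ff:ff, is the tell.
    """
    recent = defaultdict(deque)      # bssid -> timestamps of its recent deauths
    alerts, alerted = [], set()
    for ts, raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None or parsed[0] not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            continue
        _, dst, _, bssid, reason = parsed
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:    # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "count": len(q), "at": ts,
                           "broadcast": dst == BROADCAST, "reason": reason})
    return alerts


def build_mgmt_frame(subtype, dst, src, bssid, body=b""):
    """Assemble a minimal management frame; used only to build the constructed capture."""
    fc = bytes([(subtype << 4) & 0xF0, 0x00])          # version 0, type 0, given subtype
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (dst, src, bssid))
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + body


AP, CLIENT = "aa:bb:cc:00:11:22", "de:ad:be:ef:12:34"   # constructed addresses


def sample_capture():
    """Constructed capture: a beacon, one ordinary unicast deauth, then a flood."""
    frames = [(0.0, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, AP, AP)),
              # the real AP dropping one stale client: reason 2, unicast, alone
              (0.5, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, struct.pack("<H", 2)))]
    # 20 broadcast deauths within one second, carrying the AP's BSSID, reason code 7
    frames += [(5.0 + i * 0.05, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, AP, AP, struct.pack("<H", 7)))
               for i in range(20)]
    return frames


if __name__ == "__main__":
    for a in detect_deauth_flood(sample_capture()):
        print(f"ALERT {a['bssid']}: {a['count']} deauth frames in window at t={a['at']:.2f}s "
              f"(broadcast={a['broadcast']}, reason={a['reason']})")
```

The single unicast deauth at t=0.5 never trips the detector, while the burst does on its tenth frame. On a real sensor the `(timestamp, bytes)` pairs would come from a pcap reader on a monitor-mode interface; the parser only needs the 24-byte header and the reason code, so it works the same on frames with or without the radiotap header stripped beforehand, as long as you strip it first.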
Now let's come back to the "Firmware Upgrade Page" option.
Select the option; again you'll see some output pass by quickly and then the following window appears:
- Keep an eye on the three columns on the right.
Let's again look at the output that passed through the screen:
It says it selected the Firmware Upgrade Page (which we chose), then started the fake access point (AP), and then hosted an HTTP/HTTPS server on ports 8080 and 443.
Great. You'll see how this web server comes into play for phishing and harvesting the victim's credentials.
Coming back to the window we were at:
- As mentioned, keep an eye on the left, especially on the HTTP requests, when the victim tries to connect (the victim is supposed to be your own device or a device you're authorized to test this on).
Victim's POV:
Now let's see what the victim sees.
- When the victim turns on WiFi, they see two networks with the same SSID, Tattakeanand_, appear on screen.
As soon as the victim's screen shows the rogue AP, it is reflected on the attacker's side in the Extensions feed:
- It says that the victim with the given MAC address has received (probed for) the Evil Twin AP's ESSID. Makes sense, right?
Assuming the victim goes ahead and taps the first one (picking one of the two identical SSIDs appearing on the screen), they will be served the firmware update page by the HTTP/HTTPS server listening on ports 8080 and 443 respectively.
Note: sometimes you'll see that the two SSIDs don't appear, which means either you're out of range or something similar has happened.
- Now I (as the victim) went ahead and tapped the rogue AP's SSID, which leads me to the firmware upgrade page:
- This looks more than legit to me, and so it will to the victim. But look at the domain name (connectivitycheck.gstatic.com). That doesn't make much sense for a firmware page, but the victim will often (more often than not, actually) overlook it and proceed anyway.
While this page is open on the victim's screen, it too gets reflected on the attacker's screen:
- It says the device with IP 10.0.0.25 is making a GET request for the given URL, which is the page we saw on the victim's screen.
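The odd domain name in the victim's address bar is the clue worth understanding: connectivitycheck.gstatic.com is the host Android probes (http://connectivitycheck.gstatic.com/generate_204) to decide whether it has internet access, and a captive portal works by answering that probe with something other than the expected "204 No Content". The script below is an added example for this article (not the author's code and not Wifiphisher's) that classifies a probe response the way a defender-side monitor could: a clean 204 means open internet, a redirect means a captive portal, and an HTML page containing a password field on a connectivity probe is a credential prompt that no genuine firmware upgrade would ever deliver. The three raw HTTP responses, the HTML and the 10.0.0.1:8080 address are constructed placeholders.

```python
"""Classify a connectivity-probe response the way a client device would.

Added example for this article; not the author's code and not part of
Wifiphisher. Android checks http://connectivitycheck.gstatic.com/generate_204
and expects "204 No Content"; any other answer means something on the network
is intercepting traffic, which is what makes a captive portal appear. The three
raw HTTP responses below are constructed for the example; the HTML is a
stand-in for whatever a portal serves, not Wifiphisher's template.
"""
import re

PROBE_URL = "http://connectivitycheck.gstatic.com/generate_204"

# Constructed responses to the probe above. 10.0.0.1:8080 is a placeholder address.
RESPONSE_OK = "HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
RESPONSE_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: http://10.0.0.1:8080/\r\n\r\n"
RESPONSE_PORTAL = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Firmware Upgrade</h1>"
    "<form method=\"post\"><input type=\"password\" name=\"key\"></form></body></html>"
)


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_probe_response(raw):
    """Return one of: open_internet, captive_portal_redirect,
    credential_prompt_on_probe, captive_portal_content."""
    status, headers, body = parse_http_response(raw)
    if status == 204 and body == "":
        return "open_internet"
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return "captive_portal_redirect"
    # A connectivity probe should never be answered with a password form:
    # a genuine router firmware update is done from the router's admin page,
    # not from a page that hijacks the OS's internet check.
    if re.search(r"<input[^>]*type=[\"']?password", body, re.IGNORECASE):
        return "credential_prompt_on_probe"
    return "captive_portal_content"


if __name__ == "__main__":
    for name, raw in (("ok", RESPONSE_OK), ("redirect", RESPONSE_REDIRECT), ("portal", RESPONSE_PORTAL)):
        print(f"{name}: {classify_probe_response(raw)}")
```

The same classification applies to other operating systems' probe URLs; only `PROBE_URL` changes. The useful lesson for users is the one the article hints at: a page that asks for the WiFi password while the address bar shows a connectivity-check host is a portal intercepting your device's probe, not your router.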
Assuming that I (as the victim) ticked "I Agree", typed the password and clicked Start Upgrade, let's now come back to the attacker's screen.
Returning to Attacker's POV:
As soon as the victim clicks Start Upgrade, a POST request appears on the attacker's screen:
- This POST request carries the victim's captured password.
We successfully harvested the Victim's password. YEAH!!
Stop the rogue AP, the HTTP/HTTPS server and the entire attack by pressing CTRL + C:
- All the passwords captured are displayed when you stop the attack.
"ThisIsMyPassword" is what I entered in the firmware upgrade key field, and that's what it shows.
So yeah we did it!
Concluding:
- You should try the other options on your own, especially the OAuth one, which presents the victim with a Facebook login page.
You can expand on this and have more fun with it on your own, but be warned that this is supposed to be conducted on authorized devices and networks only.
That's a wrap.