Evil Twin Attack
An Evil Twin Attack is when a wireless device spoofs an existing wireless access point in the hope that an unsuspecting victim device will connect to it rather than the real access point. The chance of this happening is increased by the following:
- The wireless access point is open with no authentication present (more typical in public areas)
- The attacker performs de-auths against the real wireless access point and victim
- The signal strength is stronger than the real wireless access point
The usual reason for performing this attack is for the attacker to then use MitM attacks against the victim as they now have control over the network.
An Evil Twin Attack can be difficult to defend against as it relies on the victim knowing not to choose the spoofed wireless device, which requires some training on the user’s side. What we can do proactively is monitor the wireless airspace to see if we spot any spoofing devices show up, and then take action against them by tracking down the source and disabling the device; this is where ETD (Evil Twin Detector) fits in.
Evil Twin Defender is an open source Python tool I wrote. I know it runs on Linux and I have tested it with this wireless adapter using both 2.4 & 5 GHz channels; the reason for choosing this configuration is that Linux is already geared up for monitoring wifi out of the box, so long as you give it an adapter with a chipset that can be configured for it (check here for a good list).
Setting it up
ETD supports 2 modes of running:
- Standalone – As you’d expect, lets you run from the command line directly; this is handy for the first few runs to check it’s OK and for debugging any issues.
- Service – Runs the tool as a systemd service; this makes for a more resilient pattern and you can then have monitoring software keep an eye on it as part of a security strategy.
For both modes you are going to want to perform the following:
git clone https://github.com/stavinski/etd.git
cd etd
pip install -r requirements.txt
You will then want to set up the configuration in etd.yaml; it should be fairly intuitive and there is an explanation in the README for each setting. As a test you will want to set up a pattern that matches one or more of your wireless access points. Once this is done you’re good to go:
sudo python etd.py
Note that it must be run as root; this is needed to configure the wireless adapter for monitoring.
For running as a service you will need to run:
sudo ./setup.sh install
This will copy the relevant files and link the service file into systemd. Please note that when you want to change config for the service you need to change the file in /etc/etd/etd.yaml and restart the service via sudo systemctl restart etd.service.
In this demo I’m going to have the attacker using Fluxion and we’ll see how ETD fares against it! For those not familiar, setting up a Wifi MitM attack typically relies on setting up a few items and getting them in place: scanning for access points (airmon-ng, kismet), setting up a new access point daemon (hostapd), DNS spoofing (ettercap, dnsspoof) etc… Fluxion handles all this for you with some additional bits thrown in as well!
- Start Fluxion, it will carry out some tasks to make sure things that are expected are there.
- It will use airmon-ng to carry out a scan of targets; once you’re done, CTRL-C
- You’re presented with a list of which target to spoof
- Once this is chosen there are a few more options to choose from before it then starts all the tasks running.
- I can see the Wifi Access point appear on my phone and the de-auth kicks me off and keeps me kicked off the genuine access point.
- As soon as I connect to it I can see all the dns spoofing in action and am presented with a fake captive portal page.
- I set up the config for my wireless adapter and run ETD, change the pattern to match my genuine wireless access point and set up an ignore for the real MAC address.
- After a few seconds I get a hit:
[+] 9 ca:0e:14:6f:2e:44 The Shire -37 OPN
This gives me the Channel, BSSID, ESSID and RSSI of the device.
- I also get a syslog entry:
Jun 4 20:10:21 2018-06-04 20: 10:21,356 Evil Twin Detector: 9#011ca:0e:14:6f:28:44 #011The Shire #011 -33#011OPN
- and an email alert:
As you can see the attacker did not take long to be found and the next steps would be to locate the spoof device and shut it down.
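The check the demo above relies on, written out as an added example that is not ETD’s own code: given a list of observed access points, flag any whose ESSID matches a pattern for your own networks but whose BSSID is not one of your known radios, and report the open-network, stronger-signal and different-channel context from the attack description. The config keys, the genuine BSSID and the scan records are all constructed for illustration (they are not the project’s real etd.yaml keys); on a real host the records would come from beacon frames captured on a monitor-mode adapter.

```python
# Added example (not ETD's own code): the evil-twin detection logic a monitor
# like the one on this page applies to observed access points.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    channel: int
    bssid: str   # MAC of the radio announcing the network
    essid: str   # network name shown to the user
    rssi: int    # signal strength in dBm (closer to 0 is stronger)
    auth: str    # "OPN", "WPA2", ... as reported by the scan


# Constructed configuration modelled on the pattern + ignore idea from the page
# (hypothetical keys and values, not the project's actual etd.yaml schema).
CONFIG = {
    "essid_pattern": r"^The Shire$",         # which network names we own
    "known_bssids": {"a4:2b:8c:11:22:33"},   # genuine radios to ignore (constructed)
}

# Constructed scan sample: one genuine AP, an unrelated open AP, and a spoofed
# open AP with a stronger signal on a different channel.
SAMPLE_SCAN = [
    AccessPoint(6, "a4:2b:8c:11:22:33", "The Shire", -52, "WPA2"),
    AccessPoint(6, "a4:2b:8c:11:22:34", "Guest-WiFi", -60, "OPN"),
    AccessPoint(9, "ca:0e:14:6f:2e:44", "The Shire", -37, "OPN"),
]


def normalise_mac(mac: str) -> str:
    """MACs arrive in mixed case from different tools; compare them lower-cased."""
    return mac.strip().lower()


def find_evil_twins(scan, config=CONFIG):
    """Return every AP whose ESSID matches our pattern but whose BSSID is not
    one of our known radios. A matching name on an unknown BSSID is the core
    evil-twin signal; strongest signal is listed first because that is the
    one a victim device is most likely to join."""
    pattern = re.compile(config["essid_pattern"])
    known = {normalise_mac(m) for m in config["known_bssids"]}
    hits = [ap for ap in scan
            if pattern.search(ap.essid) and normalise_mac(ap.bssid) not in known]
    return sorted(hits, key=lambda ap: ap.rssi, reverse=True)


def format_alert(ap: AccessPoint) -> str:
    """Mirror the one-line alert format shown in the demo output."""
    return f"[+] {ap.channel} {ap.bssid} {ap.essid} {ap.rssi} {ap.auth}"


def suspicious_flags(ap, scan, config=CONFIG):
    """Extra context for the operator: compare the suspect against the genuine
    AP(s) carrying the same ESSID."""
    known = {normalise_mac(m) for m in config["known_bssids"]}
    genuine = [g for g in scan
               if normalise_mac(g.bssid) in known and g.essid == ap.essid]
    flags = []
    if ap.auth == "OPN" and any(g.auth != "OPN" for g in genuine):
        flags.append("open network while genuine AP is encrypted")
    if genuine and ap.rssi > max(g.rssi for g in genuine):
        flags.append("stronger signal than genuine AP")
    if genuine and ap.channel not in {g.channel for g in genuine}:
        flags.append("different channel from genuine AP")
    return flags


if __name__ == "__main__":
    for twin in find_evil_twins(SAMPLE_SCAN):
        print(format_alert(twin))
        for flag in suspicious_flags(twin, SAMPLE_SCAN):
            print("    -", flag)
```

Run against the constructed scan it prints one alert in the same shape as the demo line above and three context flags beneath it; the genuine radio and the unrelated guest network are left alone. Feeding it the output of your own scanner is a matter of building AccessPoint records from whatever fields that scanner exposes.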