Note: for this article you will need Kali Linux. If you do not have Kali Linux, you can buy a pre-made, ready-to-boot USB with Kali Linux on it from our shop, or you can buy Kali Linux on Amazon.
Have you ever used a public wi-fi hotspot? Chances are, you have, and you saw a page that asked you to make an account or give out some account details to access the internet. What would you do if one day, your own router did this to you? Would you give it your password?
If so, chances are that you have fallen victim to an Evil Twin Attack. Let’s learn a bit more about them.
What is an Evil Twin Attack?
An evil twin attack is primarily an information-gathering attack. It uses an “evil twin” of an existing wi-fi network (a new connection that looks just like the legitimate network) to trick users into providing sensitive information, whether by directly asking for it or by monitoring all network traffic flowing through the evil twin.
How to Identify an Evil Twin Attack
It can be difficult to identify an evil twin attack if it is properly executed. Some variants of the attack directly ask for sensitive information (such as the captive portal variant). These are the easiest to identify, especially if you know that the network you are on does not use a captive portal or that its usual portal looks different.
Another warning sign of this attack is getting disconnected from your current wi-fi connection. Even if it is quick, you should check to see if you are still on a secured network. It is possible that a hacker has used a Denial of Service (DoS) attack to disconnect you from your original network, or is simply broadcasting a stronger signal than the legitimate network.
Another warning sign is that the network you connected to does not have a strong connection or has no connection at all. This is especially true in the case of captive portal attacks. Look out for cases where the network asks for a password, tells you that you have entered the correct password, and then still doesn’t let you connect. In these cases, it is likely that a hacker without the means to connect their evil twin to the internet put up that portal and is trying to steal your passwords.
Performing an Evil Twin Attack
For the purposes of demonstration, we will be performing a captive portal evil twin attack. There are other types of evil twin attacks that are less obvious, but will still steal your information. However, the captive portal variant is the easiest to perform.
Performing the attack manually can be tricky. Fortunately, a script called airgeddon bundles a set of scripted wireless attacks for testing network security. We will be using airgeddon to perform this attack.
Before we start, make sure you are only performing this attack on a network you own or have permission to attack. For testing purposes, I used my phone’s mobile hotspot.
- A Live USB of Kali Linux (links) or Live DVD of Kali Linux(links).
- A wi-fi adapter that supports monitor mode (links)
- Note: Your internal wi-fi chip might support monitor mode, but if it doesn’t, the adapter linked above is the recommended one.
Most of the following commands will be happening within the terminal, so it will be useful to open one now.
First, we need to enable the Kali repositories so that our machine can download packages. To do this, open the sources list in your editor of choice and make sure there is no ‘#’ in front of the line that reads “deb-src http://http.kali.org/kali kali-rolling main non-free contrib”.
To open the source list, run the following command in the terminal:
sudo nano /etc/apt/sources.list
Use Ctrl-X to exit the window, and hit ‘y’ to save the file.
After those changes, run the following commands to fully update your Kali Linux machine and all of its packages:
sudo apt update
sudo apt upgrade
This may take a while, especially if you are doing it for the first time, so take that time to read some more of our fantastic articles about Linux and hacking.
Run the following command to install the drivers for the recommended wi-fi adapter:
sudo apt install firmware-atheros
If you are using a different adapter, you will need to find and install the required driver package using
sudo apt install <driver name>
The captive portal evil twin attack requires some software components as well as the hardware above. The most obvious is the airgeddon script, but there are several dependencies that the script relies on to perform this specific attack. These dependencies are:
- Aircrack-ng: used to perform a Denial of Service (DoS) attack on the legitimate connection to get people to connect to the evil twin
- Hostapd: used to put up the evil twin hotspot
- DHCPD: puts up a DHCP server that gives every device connected to the evil twin an IP address. Also known as “isc-dhcp-server” in some package managers.
- DNSMasq: used to set up a DNS server that helps with the captive portal
- DSniff: also used for the DNS handling that supports the captive portal, alongside DNSMasq
- LightTPD: a very light and fast web server that we will use to host the captive portal website
We will begin by installing airgeddon and all its dependencies:
sudo apt install airgeddon aircrack-ng hostapd isc-dhcp-server dnsmasq dsniff lighttpd
Next, we will run the command
iw dev
to find the name of the interface attached to our wi-fi card. We will need this later, so remember it!
Now, we will start the airgeddon script and begin the attack!
You should see something that looks like this.
Let the startup sequence play. If you are missing any of the required dependencies (which should come installed by default on any Kali machine), install them with
sudo apt install <package>
and run airgeddon again.
Performing the Attack
You will need to select an interface with which to perform the attack. Select the interface we identified previously.
The next thing we need to do is to put our interface into monitor mode, which allows it to detect packets being sent to and from other devices. Luckily, the script can handle that for us, and will automatically switch interfaces to the monitor mode interface. Select 2. Put interface in monitor mode.
Once our card is in monitor mode, we can proceed. Select 7. Evil Twin attacks menu to see all the different types of attacks.
For the captive portal attack, select option 9. If any dependencies are missing, the option will appear red and it will have the name of the dependencies next to it in parentheses (see number 7 in the image above). If your option 9 looks like that, exit the script and install the required dependencies. Otherwise, proceed.
The script will bring up a new window to explore for targets. Check the ESSID column until you see the name of the wi-fi connection you want to attack. Then, click on the new window and press Ctrl-C to stop exploring.
The script will bring up a window of all the networks it found. Find the number next to your target connection and enter it.
From the new Evil Twin menu, select 2. Deauth aireplay attack to perform a DoS attack using the aireplay tool from aircrack-ng. This uses our monitor mode card to send deauthentication packets to every device connected to the legitimate access point, so that they are kicked off and cannot stay connected to it.
DoS pursuit mode is optional, but you can choose to enable it if you like.
Spoofing a MAC address is also optional.
The next step in the attack is to capture a handshake file. If you already have a file, enter “y” and then give airgeddon the path to the captured file. Otherwise, enter “n” and then enter a timeout value (how long the script will wait to capture a handshake file before quitting). I chose the maximum of 100 seconds to timeout.
The script will then ask for locations to store the captured handshake file and to eventually store the password for the legitimate network. You can enter your own paths for these or accept the default.
Airgeddon comes with many translated versions of the captive portal. Select the language users will expect to see.
Once all the setup is complete, airgeddon will begin the attack, spinning up many terminal instances to carry out various components. To end the attack, go back to the main terminal and press enter.
The top-right terminal will show the results of the attack. It shows the last password entered and the number of connection attempts, and it will confirm that the attack has finished when someone enters the correct password.
From the client side, the captive portal looks like this. Any passwords entered will show up in the previously mentioned terminal.
The window will look like this while the attack is in progress.
Once the attack finishes, the window will look like this, and show the correct password and the location of the password file.
Anyone who enters the correct password will see this screen.
The final output file will look like this.
Congratulations! You have performed an evil twin attack!
Defending Against an Evil Twin Attack
Evil Twin attacks are the easiest to perform and the hardest to detect on public wi-fi networks. If you have to connect to a public network, make sure to follow these tips:
- Don’t handle sensitive information while connected to a public network
- Apps running in the background can and will send out and receive packets, so turn them off if they might contain sensitive information.
- If you need to handle sensitive information, make sure the site you are using it on uses HTTPS. This is not a perfect solution and there are still potential security vulnerabilities, but if you use HTTPS connections, a hacker with an evil twin shouldn’t be able to see your private information.
- Use a VPN. This is still not true end-to-end encryption, but it adds another layer of security.
- Anything with end-to-end encryption is as secure as possible. A hacker with an evil twin will still be able to see that you are sending and receiving data, but will not be able to read that data.
Evil Twin attacks can also be conducted on private networks. In this case, they are much easier to recognize. Make sure to follow these tips to stay safe:
- Understand your network. If a hacker targets your private network, but you are familiar enough with it, it will be incredibly easy to spot the attack and prevent hackers from stealing your information.
- If you suddenly find yourself on a network with no password (or a captive portal) when your private network should be a secured, password-protected network, it is likely that there is an evil twin attack going on.
- Continue to look for HTTPS connections when handling sensitive information.
- VPNs and end-to-end encrypted services are still good security ideas, but they are less necessary unless you are handling extremely important information.
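The two warning signs described above (the same network name appearing from an unfamiliar access point, and a network that should be password-protected suddenly showing up open) can be checked from the command line. The following Python script is an added defensive example, not part of the original article or of airgeddon: it parses the output of `iw dev wlan0 scan` and flags any BSS that reuses one of your SSIDs from a BSSID you do not recognise or without an RSN/WPA element. The sample scan text and the TRUSTED table are constructed; replace TRUSTED with your own access point’s BSSID.

```python
import re

# Constructed, abbreviated sample of `iw dev wlan0 scan` output: the trusted AP
# plus a second BSS that reuses its SSID but advertises no RSN/WPA element.
SAMPLE_SCAN = """\
BSS 9c:3d:cf:11:22:33(on wlan0) -- associated
    signal: -52.00 dBm
    SSID: HomeNet
    RSN:     * Version: 1
BSS 02:aa:bb:cc:dd:ee(on wlan0)
    signal: -31.00 dBm
    SSID: HomeNet
BSS 5c:49:79:44:55:66(on wlan0)
    signal: -70.00 dBm
    SSID: Neighbor
    RSN:     * Version: 1
"""

# Placeholder: the BSSIDs you know belong to your own network (fill in your own).
TRUSTED = {"HomeNet": {"9c:3d:cf:11:22:33"}}

def parse_scan(text):
    """Return one dict per BSS block: bssid, ssid, signal (dBm), secured."""
    nets = []
    for block in re.split(r"^BSS ", text, flags=re.M)[1:]:
        ssid = re.search(r"^\s*SSID: (.*)$", block, re.M)
        sig = re.search(r"^\s*signal: (-?[\d.]+) dBm", block, re.M)
        nets.append({"bssid": block.split("(", 1)[0].strip(),
                     "ssid": ssid.group(1).strip() if ssid else "",
                     "signal": float(sig.group(1)) if sig else -100.0,
                     # an RSN or WPA information element means encryption is offered
                     "secured": bool(re.search(r"^\s*(RSN|WPA):", block, re.M))})
    return nets

def find_evil_twins(nets, trusted):
    """Flag BSSs that reuse a trusted SSID from an unknown BSSID or without encryption."""
    findings = []
    for n in nets:
        known_bssids = trusted.get(n["ssid"])
        if known_bssids is None:
            continue  # not one of our SSIDs, nothing to compare against
        reasons = []
        if n["bssid"] not in known_bssids:
            reasons.append("unknown BSSID")
        if not n["secured"]:
            reasons.append("open network (no RSN/WPA)")
        if reasons:
            findings.append((n["ssid"], n["bssid"], n["signal"], "; ".join(reasons)))
    return findings
```

Pipe the real output of `sudo iw dev wlan0 scan` into parse_scan to check your own network; a strong, open “twin” of your SSID from an unknown BSSID is exactly the captive portal case this article describes.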
One tip that works regardless of network type is to use multi-factor authentication (MFA) for important accounts. This way, even if a hacker gains access to sensitive account details, they will not be able to carry out malicious activity as long as they do not have access to your MFA device.
Evil Twin attacks are simple and hard to detect. It is important to stay vigilant and look for suspicious connections, as well as to take all necessary steps to maintain network security.