Está en la página 1de 29

 GENERAL  WIRELESS  PENTESTING  WEB HACKING  KALI LINUX 

STARTERS GUIDE

Evil Twin Tutorial

Prerequisites
1. Kali Linux
2. Prior experience with wireless hacking
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
You will also need to install a tool (bridge utils)
which doesn't come pre-installed in Kali. No big
deal-

apt-get install bridge-utils

Objectives
The whole process can be broken down into the following steps-

1. Finding out about the access point (AP) you want to imitate, and then actually imitating it
(i.e. creating another access point with the same SSID and everything). We'll use airmon-
ng for finding necessary info about the network, and airbase-ng to create it's twin.
2. Forcing the client to disconnect from the real AP and connecting to yours. We'll use
aireplay-ng to deauthenticate the client, and strong signal strength to make it connect to
our network.
3. Making sure the client doesn't notice that he connected to a fake AP. That basically means
that we have to provide internet access to our client after he has connected to the fake
wireless network. For that we will need to have internet access ourselves, which can be
routed to out client.
4. Have fun - monitor traffic from the client, maybe hack into his computer using metasploit.

PS: The first 3 are primary objectives, the last one is optional and not a part of evil twin attack
as such. It is rather a man in the middle attack. Picture credits : firewalls.com

WAN Optimizer
Boost Speed & Save costs. WAN Compression on the fly.
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Information Gathering - airmon-ng
To see available wireless interfaces-
iwconfig

To start monitor mode on the available wireless interface (say wlan0)-


airmon-ng start wlan0

To capture packets from the air on monitor mode interface (mon0)


airodump-ng mon0

After about 30-40 seconds, press ctrl+c and leave the terminal as is. Open a new terminal.

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Creating the twin
Now we will use airbase-ng to create the twin network of one of the networks that showed up in
the airodump-ng list. Remember, you need to have a client connected to the network (this
client will be forced to disconnect from that network and connect to ours), so choose the
network accordingly. Now after you have selected the network, take a note of it's ESSID and
BSSID. Replace them in given code-

airbase-ng -a <BSSID here> --essid <ESSID here> -c <channel here> <interface name>

If you face any problems, a shorter code will be-


airbase-ng --essid <name of network> mon0

Remove the angular brackets (< & >) and choose


any channel that you want. Also, the BSSID can be
randomly selected too, and doesn't have to match
with the target. The interface would be mon0 (or
whatever is the card you want to use) . The only
thing identical about the twins has to be their
ESSIDs (which is the name of the network). However, it is better to keep all parameters same to
make it look more real. After you are done entering the parameters and running the command,
you'll see that airbase turned your wireless adapter into an access point.
Note : We will need to provide internet access to our client at a later stage. Make sure you have

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Note : We will need to provide internet access to our client at a later stage. Make sure you have
a method of connecting to the net other than wireless internet, because your card will be busy
acting like an AP, and won't be able to provide you with internet connectivity. So, either you
need another card, or broadband/ADSL/3G/4G/2G internet.

Telling the client to get lost


Now we have to ask the client to disconnect from
that AP. Our twin won't work if the client is
connected to the other network. We need to
force it to disconnect from the real network and
connect to the twin.
For this, the first part is to force it to disconnect.
Aireplay will do that for us-
Man in the middle attack : Pic Credits: owasp.net

aireplay-ng --deauth 0 -a <BSSID> mon0 --ignore-negative-one

The 0 species the time internal at which to send


the deauth request. 0 means extremely fast, 1
would mean send a packet every 1 seconds, 2
would mean a packet every 2 seconds, and so on.
If you keep it as 0, then your client would be disconnected in a matter of seconds, so fire up the
command, and press ctrl+c after a few seconds only. Note that the deauth is sent on
broadcast, so all the clients (not just one) connected to the network will disconnect.
Disconnecting a specific client is also possible.

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Not the real one, but why the fake one
Even after being disconnected from the real AP, the client may choose to keep trying to
connect to the same AP a few more times, instead of trying to connect to ours. We need to
make our AP stand out, and for that, we need more signal strength. There are 2 ways to do
that-

1. Physically move closer to the client.


2. Power up your wireless card to transmit at more power.

The latter can be done with the following command -


iwconfig wlan0 txpower 27

Here 27 is the transmission power in dBm. Some cards can't transmit at high power, and some
can transmit at extremely high power. Alfa cards usually support upto 30dBm, but many
countries don't allow the card to transmit at such powers. Try changing 27 to 30 and you'll see
what I mean. In Bolivia, however, you can transmit at 30dBm, and by changing the regulatory
domain, we can overcome the power limitation.
iw reg set BO

iwconfig wlan0 txpower 30

It is strongly advised to not break laws as the transmission limits are there for a reason, and
very high power can be harmful to health (I have no experimental evidence). Nevertheless, the
client should connect to you if your signal strength is stronger than that you the real twin.

Note : If you are unable to get your client to connect to you, there is another option. You
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Note : If you are unable to get your client to connect to you, there is another option. You
can leave him with no options. If you keep transmitting the deauth packets continuously
(i.e. don't press ctrl+c after the client has disconnected), he will have no choice but to
connect to you. However, this is quite an unstable situation, and the client will go back to
the real twin as soon as it gets the chance.

Give the fake AP internet access


Now we need to provide internet access to the fake AP. This can be done in various ways. In this
tutorial, we will consider that we have an interface x0 which has internet connectivity. Now, if
you are connected to net via wireless, replace x0 with wlan1 or wlan0, a 3G modem will show up
as ppp0. Nevertheless, you just have to know which interface is providing you with internet, and
you can route the internet access to your client.
Interfaces
x0 - This has internet access
at0 - This is create by airbase-ng (wired face of the wireless access point). If you can
somehow give internet access to at0, then the clients connected to your fake
wireless network can connect to the net.
evil - This is an interface that we will create, whose job will be to actually bridge the
networks.

Creating evil
We will use Bridge control utility provided by Kali, brctl. Execute the following code-
brctl addbr evil

This will create the bridge. Now we have to specify which two interfaces have to be bridged-

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
brctl addif evil x0

brctl addif evil at0

We can assign an IP to the interfaces and bring them up using-


ifconfig x0 0.0.0.0 up

ifconfig at0 0.0.0.0 up

Also bring up the evil interface (the interfaces aren't always up by default so we have to do this
many times)
ifconfig evil up

Now to auto configure all the complicated DHCP settings, we'll use dhclient
dhclient3 evil &

Finally, all the configurations have been completed. You can execute ifconfig and see the
results, which will show you all the interfaces you have created.
Officially, the evil twin attack is complete. The client is now connected to your fake network, and
can use the internet pretty easily. He will not have any way to find out what went wrong.
However, the last objective remains.

Have fun
Now that the client is using the internet via our evil interface, we can do some evil stuff. This
actually comes under a Man In The Middle attack (MITM), and I'll write a detailed tutorial for it
later. However, for the time being, I will give you some idea what you can do.
Sniffing using Wireshark
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Sniffing using Wireshark
Now all the packets that go from the user to the
internet pass through out evil interface, and these
packets can be monitored via wireshark. I won't
teach you how to use it here, since it is a GUI tool.
You can take a look at their website to get an idea
on how to use wireshark. Pic credits: The picture
on the right has been directly taken from their
website.

http://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html

Special Thanks
Matthew Bernard for his useful comment with some tips and a number of corrections
http://www.kalitutorials.net/2014/07/evil-twin-tutorial.html?
showComment=1406591245609#c5539483407421385761
The screenshots have also been taken by him and provided to me for usage (I would love to see
more helpful visitors like him).

39 comments:

Anonymous July 16, 2014 at 2:04 AM

Hi,
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
thanks for this great Tutorial :)
Although it's easy to understand, I have some problems with it:
When I want to create the Fake-Network using
"airbase-ng -A -ESSID -c "
I get the message, that -ESSID is an invalid argument. When I use "--essid" instead, I get
"ioctl(SIOCGIFINDEX) failed: no such device".
I found out, that I'm only allowed to use a monitor of airmon-ng, but I thought, that's not what we want
to imitate another one's AP, especially access point's MAC.

Next Problem: Even when I use the mon created with airmon-ng (e.g. after Spoofing my own MAC with
ifconfig) the program begins to send beacons to a apparantly random Client and won't stop that until I
tipe Ctrl+C, so I'm not able to continue with the next step.

What am I doing wrong?

Reply

Replies

Anonymous July 28, 2014 at 10:17 AM

I have the same problem as the first guy who commented but when I
try airbase-ng -a -essid mon0 i get this:

root@kali:~# airbase-ng -a -essid ryanmatt mon0


Invalid AP MAC address.
"airbase-ng --help" for help.
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
"airbase-ng --help" for help.

But if I try to put the bssid after the -a then i get this:

root@kali:~# airbase-ng -a 00:26:F3:35:4D:31 -essid ryanmatt mon0


"airbase-ng --help" for help.

SHASHWAT CHAUDHARY July 28, 2014 at 8:36 PM

Sorry, replace -essid with --essid.

Anonymous July 20, 2014 at 3:17 PM

I really appreciate the time that went into this. As a beginner, this has been hugely helpful. Thanks!

Reply

Replies

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
SHASHWAT CHAUDHARY July 21, 2014 at 2:14 AM

Glad you found it useful.

Anonymous July 27, 2014 at 8:57 AM

Can we hack his wifi using evil twin method.....

Reply

Replies

SHASHWAT CHAUDHARY July 28, 2014 at 2:01 AM

We can, but it's kinda tricky. I will write on it after some time.

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
RAVI RAM July 27, 2014 at 12:51 PM

hey sashwat finally you are able to run adsense ads on your blog...congrats.

Reply

MATTHEW BARNARD July 28, 2014 at 4:50 PM

Sorry, actually .07mb/sec upload speed.

Reply

MATTHEW BARNARD July 29, 2014 at 5:45 PM

This comment has been removed by the author.

Reply

SHASHWAT CHAUDHARY July 29, 2014 at 10:21 PM

I will into those captcha related sources that you've listed. Also, I've sent you a mail.

Reply

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
CHROMIUMPT February 18, 2015 at 9:40 AM

Hi, i get the following error:

root@user:~# airbase-ng --essid Helder mon0


17:36:26 Created tap interface at0
17:36:26 Trying to set MTU on at0 to 1500
17:36:26 Trying to set MTU on mon0 to 1800
17:36:26 Access Point with BSSID 00:22:FB:88:A1:E8 started.
Error: Got channel -1, expected a value > 0.

could you pls help me, ty.

LOVE THIS SITE BTW ;)

Reply

Replies

SHASHWAT CHAUDHARY
February 18, 2015 at 8:46 PM

Try this
airbase-ng --essid Helder mon0 --ignore-negative-one

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
CHROMIUMPT February 19, 2015 at 10:17 AM

ty for the fast reply, unfortunately that didn't work. i got this error:
root@user:~# airbase-ng --essid Helder mon0 --ignore-negative-one
airbase-ng: unrecognized option '--ignore-negative-one'
"airbase-ng --help" for help.

SHASHWAT CHAUDHARY
February 19, 2015 at 9:17 PM

My bad. --ignore-negative-one is not present in airbase-ng. The


solution is a bit longer here.

1) airmon-ng check kill - Kill the processes.


2) If you are running monitor mode on wlan0, then turn down that
interface using iwconfig wlan0 down (after turning on the monitor
mode on wlan0)

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
CHROMIUMPT February 20, 2015 at 1:46 AM

ty, that worked! :)

CHROMIUMPT February 20, 2015 at 4:03 AM

how do i connect to the internet later on now?

SHASHWAT CHAUDHARY
February 20, 2015 at 9:49 PM

root@user:# /etc/init.d/networking start

This should start network manager again.

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
TEST TZTZ April 22, 2015 at 5:15 AM

Dear Shashwat,

I have the same problem as Chromiupt and I have tried to follow your
instructions but there is still problems for me...
Indeed, everything works well when NetworkManager is stopped but I
will need it after in order to give internet access to the client.

It seems that as soon as I start NetworkManager, mon0 is not


assigned anymore to any channel (I check with iwlist mon0 channel) so
the "channel -1" error appears. Doing "airmon-ng start wlan0 6" (6 the
channel I want mon0 to be assigned), assigned mon0 only if
NetworkManager is OFF. For Example, I tried to turn NetworkManager
off, assign mon0 (it works) then turn on NetworkManager on, and
then mon0 was not assigned anymore.

I saw that someone else had the same problem (Astenon at


http://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-evil-
twin-wireless-access-point-eavesdrop-data-0147919/) but could not
solve it either.

Is there any solution ? Will I have to give internet by ethernet ?

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Thanks a lot for your answer,

Robert

IINQ March 7, 2015 at 11:37 AM

Can somebody help me please?

cant bridge my interfaces...

brctl addif evil wlan0


cant add wlan0 to bridge evil: Operation not supported.

Thanks!

Reply

Replies

Anonymous March 28, 2015 at 10:49 AM

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
You'll need something else to connect to the internet, like a second
wireless card, because your wlan0 interface is already acting as an AP.

Anonymous April 18, 2015 at 1:01 PM

I'm having the same issue, but with wlan1, which is connected to the
Internet. Apparently bridging is not possible with some wireless cards:
http://www.reddit.com/r/linux/comments/o3ub0/brctl_equivalent_for
_wlan0/c3e54tz

Anonymous April 25, 2015 at 11:27 PM

wouldn't it be better to give evil internet access before sending the death packet?

Reply

Anonymous July 24, 2015 at 12:57 PM

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
After sending the deauth command my tablet gets disconnected from my router and tries to connect to
the evil twin but it never will. I just keeps scanning over and over. If I choose the connection manually it
trys to authenticate but never does it just shows the network as saved or turned off. Any ideas what to
do about this?

Reply

Replies

Anonymous July 27, 2015 at 2:49 AM

I was encountering the same problem earlier. Three things:

1: Are you providing internet access to evil interface? (Not sure if this
step is necessary but worked for me.)
2: Is the AP having same bssid and essid? And is it on same channel? If
not then make it identical.
3: Donot send deauth continuously. Press ctrl^c to stop deauthing and
then try to connect to the twin.

Hope it helped! :)

Anonymous
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Anonymous July 27, 2015 at 2:41 AM

I am setting the evil bridge between eth0 and at0 interface. I have successfully established a connection
with a device after deauthing it. But after [dhclient evil &] command i am not able to connect to internet.
PS: ifconfig shows eth0 connected to router with ip 192.168.1.5
ato is at ip 172.168.1.0

Please help.

Reply

FILOGASBA August 26, 2015 at 1:26 AM

"iwconfig wlan0 txpower 30", but at default how high it is set?

If I set a value, at a reboot the value return at default?

Reply

UNKNOWN September 14, 2015 at 3:39 PM

So Can I Obtain The Wifi's Router Password Using This Method?

Reply

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
UNKNOWN October 21, 2015 at 1:19 AM

what ip address should we assign here after creating the bridge? Should i type "ifconfig at 0.0.0.0 up" and
"ifconfig eth0 0.0.0.0 up"? once i created the bridge i can no longer get out to the internet

Reply

Anonymous October 25, 2015 at 11:35 PM

For all of you having trouble with internet access after running

brctl addbr evil


brctl addif evil eth0
brctl addif evil at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig evil up

dhclient3 evil &

I found if I changed "dhclient3 evil &" to "dhclient evil &" it worked fine. ***remove quotes

Reply

Anonymous October 31, 2015 at 2:39 PM

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
It works great but after doing all this my wlan0 disappeared in my ifconfig.. there is only the evil left

Reply

Anonymous November 16, 2015 at 12:07 AM

how to see the victim's password?

Reply

Anonymous December 1, 2015 at 3:22 AM

somebody can tell me how to see the victim's password please

Reply

Anonymous December 15, 2015 at 1:25 AM

For testing purpose, I use two wifi cards in Desktop computer. Can I use the same AP Wifi(Internet
source-mobile phone) for victim client Internet and Desktop comp alternative Internet access, if
deauthenticate only selected victim client-not myself:) ?

Reply

TAYLOR HOUSTON December 16, 2015 at 3:35 PM

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
wouldn't it be better to bridge them first? That way the client will have internet access as soon as he
connects??

Reply

NEHAT KHAN December 24, 2015 at 9:37 AM

i am using kali in vmware and having wifi connection! so can you please tell me how to bridge the
network! it will be very helpful! thanks

Reply

outhman mdarhri January 22, 2016 at 9:39 AM

after doing all of that how we can crack the wpa 2 psk
and exploit the machine

Reply

PRIYANSU SAHOO January 22, 2016 at 9:58 AM

E: Unable to locate package error while installing package

Reply
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Anonymous March 17, 2016 at 8:49 AM

You guys should probably try easycreds if u find the tutorial difficult to follow. It's automated

Reply

Enter your comment...

Comment as: Select profile...

Publish Preview

Search

Kali Tutorials
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Kali Tutorials
4,254 likes

Like Page Use App

Be the first of your friends to like this

SPONSORED

POPULAR POSTS

Tutorial on Hacking With Kali Linux


Hacking With Kali Linux Why Kali Linux? With Kali Linux, hacking becomes much easier since
you have all the tools (more than 300 pre...

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Hack WPA/WPA2 WPS - Reaver - Kali Linux
WPA/WPA-2 When it was known that a WEP network could be hacked by any kid with a laptop
and a network connection (using easy peasy tuto...

Wifi Hacking - WEP - Kali Linux Aircrack-ng suite


Alright, this post is written assuming you have Kali Linux up and running on your computer. If
not, here is a post on hacking with kali linu...

Penetration Testing - Hacking XP


Our approach to penetration testing is going to be simple. I already made a post about the
ideal way to begin penetration testing. But we ar...

Wifite : Hacking Wifi The Easy Way : Kali Linux


Wifite While the aircrack-ng suite is a well known name in the wireless hacking , the same can't
be said about Wifite. Living in th...

Hack WPA/WPA-2 PSK Capturing the Handshake


WPA password hacking Okay, so hacking WPA-2 PSK involves 2 main steps- Getting a
handshake (it contains the hash of password, i.e. enc...

Hack Facebook Account : Stuff You Should Know


Hack Facebook? Okay, so you got lured into the idea of hacking a Facebook account? I won't
ask why. Everyone has their reasons. If you...
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
ask why. Everyone has their reasons. If you...

Evil Twin Tutorial


Prerequisites Kali Linux Prior experience with wireless hacking You will also need to install a
tool (bridge utils) which doesn'...

Denial Of Service Attacks : Explained for Beginners and Dummies


Just like most other things associated with hacking, a denial of service attack is not everyone's
cup of tea. It, however, can be unders...

Hacking Website with Sqlmap in Kali Linux


A screenshot from the SQLmap official website In the previous tutorial, we hacked a website
using nothing but a simple browser on a Wind...

AUTHOR

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
Shashwat Chaudhary
google.com/+ShashwatChaudhary1

1st year CSE @ IIIT Delhi

Follow

707 followers

open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com