Hello World! An evil twin attack uses the identical SSID name to force a client that has already been connected to a legitimate WiFi network to connect to the attacker's network instead. In this post, I'll go over how to set up an enterprise WiFi network with hostapd-mana and lure clients into handing over their RADIUS login credentials.
Before continuing, let's configure the wlan0 interface in monitor mode so it can dump the WiFi traffic. You can do this by running the commands listed below, in the exact order given.
If the first command fails with "ifconfig: interface wlan0 does not exist," it means your system uses a different name for the interface. In that case, replace wlan0 with the correct interface name.
Let's capture the packets from both 2.4 GHz and 5 GHz bands through the wlan0 interface using the following command.
As you can see, the "TigerSecurities" network is transmitting beacon frames on channel 6, but no clients appear to be connected, even though an evil twin attack requires at least one connected client.
It is possible that the client is transmitting frames but the packets are being dropped, or the device is unable to record them, because airodump is hopping across channels rather than staying on channel 6. Let's pin airodump to channel 6 using the --channel parameter.
If you look at the stations section of the output, you will see that a client with MAC 02:00:00:00:03:00 is connected to the WiFi network.
Set-up Honeypot Access Point
The lab provides all the necessary certificates in the /root/certs directory. Certificates are required because we will be using TTLS, which authenticates inside an encrypted tunnel. I will use the provided certificates, since creating them is outside the scope of this post.
If you choose not to use the certificates, the client will not be able to verify the EAP server, and you will see the TLS verification failed message shown below.
The hostapd-mana configuration looks much like the hostapd setup I detailed in older posts. The final configuration differs only in two mana-specific options.
Create the following file with any name; here I am using fakenet.conf.
I've used bash comments to explain the purpose of each setting. They must be removed, along with any trailing whitespace.
Create a new file with the same name as the one specified in the eap_user_file configuration variable, and place it in the same directory as fakenet.conf. This is what allows any user to connect to fakenet.
Start hostapd-mana with the configuration file (hostapd-mana fakenet.conf) and you will see the traffic details in the airodump output.
Force Associated Client to Connect to Fakenet
The associated client needs to be disassociated from the legitimate network before it can be made to connect to the malicious access point. This can be done by carrying out the deauthentication attack shown below.
Wait a while and you will see in the airodump output that the client has connected to our honeypot network.
Now switch back to the tab where hostapd-mana is running; you will see the network is TTLS-PAP, which uses a TLS tunnel with a clear-text username and password: brian:sweetness
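From the defender's side, the same airodump output exposes the twin: a second BSSID advertising an ESSID that is already being served, and a client moving onto it. The following is an added Python example, not part of the original post, that parses an airodump-ng CSV dump (the file produced by --write) and flags such ESSIDs; the sample capture, its BSSIDs and timestamps are constructed, and the optional allow-list of known BSSIDs is assumed to come from your own AP inventory.

```python
import csv
from collections import defaultdict

# Constructed sample in the airodump-ng CSV layout (not a capture from this post's lab).
# Two BSSIDs advertise the same ESSID on channel 6; the second appeared a few minutes later.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:00, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WPA2, CCMP, MGT, -40, 120, 0, 0. 0. 0. 0, 15, TigerSecurities,
02:00:00:00:02:00, 2024-01-01 10:03:00, 2024-01-01 10:05:00, 6, 54, WPA2, CCMP, MGT, -30, 40, 0, 0. 0. 0. 0, 15, TigerSecurities,
02:00:00:00:01:00, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -55, 100, 0, 0. 0. 0. 0, 8, GuestNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:03:00, 2024-01-01 10:00:00, 2024-01-01 10:05:00, -35, 300, 02:00:00:00:02:00, TigerSecurities
"""

def parse_airodump(text):
    """Split an airodump-ng CSV dump into its AP rows and station rows (lists of dicts)."""
    ap_part, _, sta_part = text.partition("\nStation MAC")
    aps = list(csv.DictReader(ap_part.strip().splitlines(), skipinitialspace=True))
    stations = list(csv.DictReader(("Station MAC" + sta_part).strip().splitlines(),
                                   skipinitialspace=True))
    return aps, stations

def find_evil_twins(aps, known=None):
    """Return {essid: [bssids]} for each ESSID advertised by more than one BSSID, or
    by a BSSID outside known[essid] when an allow-list is given for that ESSID."""
    known = {e: {b.upper() for b in bs} for e, bs in (known or {}).items()}
    by_essid = defaultdict(set)
    for ap in aps:
        essid = ap["ESSID"].strip()
        if essid:  # hidden networks show an empty ESSID; skip them
            by_essid[essid].add(ap["BSSID"].strip().upper())
    return {essid: sorted(bssids) for essid, bssids in by_essid.items()
            if len(bssids) > 1 or not bssids <= known.get(essid, bssids)}

def clients_on(stations, bssids):
    """Station MACs currently associated with any of the given BSSIDs."""
    wanted = {b.upper() for b in bssids}
    return sorted(s["Station MAC"].strip() for s in stations
                  if s["BSSID"].strip().upper() in wanted)

def report(text, known=None):
    """Suspicious ESSIDs, the BSSIDs serving them and the clients attached to those BSSIDs."""
    aps, stations = parse_airodump(text)
    return {essid: {"bssids": b, "clients": clients_on(stations, b)}
            for essid, b in find_evil_twins(aps, known).items()}
```

With an allow-list, a lone rogue BSSID is still flagged even when the legitimate AP is out of range of the sensor.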
Use EAPHammer if you find it difficult to remember the configuration and certificates (I know I struggle with this) and are looking for a flexible, automated solution. I have discussed the usage of EAPHammer in Steal WiFi Login for Enterprise Networks.