
Evil Twin Tutorial

Prerequisites
1. Kali Linux
2. Prior experience with wireless hacking
You will also need to install a tool (bridge-utils) which doesn't come pre-installed in Kali. No big deal:
apt-get install bridge-utils

Objectives
The whole process can be broken down into the following steps:
1. Finding out about the access point (AP) you want to imitate, and then actually imitating it (i.e. creating another access point with the same SSID and everything). We'll use airmon-ng for finding the necessary info about the network, and airbase-ng to create its twin.
2. Forcing the client to disconnect from the real AP and connect to yours. We'll use aireplay-ng to deauthenticate the client, and strong signal strength to make it connect to our network.
3. Making sure the client doesn't notice that he connected to a fake AP. That basically means that we have to provide internet access to our client after he has connected to the fake wireless network. For that we will need to have internet access ourselves, which can be routed to our client.
4. Have fun - monitor traffic from the client, maybe hack into his computer using metasploit.
PS: The first 3 are primary objectives; the last one is optional and not a part of the evil twin attack as such. It is rather a man in the middle attack.
Picture credits: firewalls.com

Information Gathering - airmon-ng
To see available wireless interfaces:
iwconfig

To start monitor mode on the available wireless interface (say wlan0):
airmon-ng start wlan0

To capture packets from the air on the monitor mode interface (mon0):
airodump-ng mon0

After about 30-40 seconds, press ctrl+c and leave the terminal as is. Open a new terminal.

Creating the twin
Now we will use airbase-ng to create the twin network of one of the networks that showed up in the airodump-ng list. Remember, you need to have a client connected to the network (this client will be forced to disconnect from that network and connect to ours), so choose the network accordingly. Now after you have selected the network, take a note of its ESSID and BSSID. Replace them in the given code:
airbase-ng -a <BSSID here> --essid <ESSID here> -c <channel here> <interface name>

If you face any problems, a shorter code will be:
airbase-ng --essid <name of network> mon0

Remove the angular brackets (< & >) and choose any channel that you want. Also, the BSSID can be randomly selected too, and doesn't have to match the target. The interface would be mon0 (or whatever card you want to use). The only thing that has to be identical about the twins is their ESSIDs (which is the name of the network). However, it is better to keep all parameters the same to make it look more real. After you are done entering the parameters and running the command, you'll see that airbase has turned your wireless adapter into an access point.
Note: We will need to provide internet access to our client at a later stage. Make sure you have a method of connecting to the net other than wireless internet, because your card will be busy acting like an AP, and won't be able to provide you with internet connectivity. So, either you need another card, or broadband/ADSL/3G/4G/2G internet.

Man in the middle attack : Pic Credits: owasp.net
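The section above says the twin only has to match the ESSID, that its BSSID may be random, and that it is usually made louder than the real AP. Seen from the other side of the air, each of those choices is a detectable tell: a BSSID that is not on the site's list for that ESSID, one BSSID beaconing on two channels (a copied BSSID), or a second radio far louder than its siblings. The following added example is not code from the tutorial; it runs those three checks over a constructed survey listing. The OBSERVED records, the KNOWN_APS allowlist and the POWER_GAP_DBM threshold are all assumptions made up for the example.

```python
"""Flag candidate evil twins in a list of observed access points.

Added example, not the tutorial's own code. The records below are a
constructed, simplified version of what a wireless survey (such as the
airodump-ng listing in the tutorial) reports; every BSSID, ESSID and
signal value is made up.
"""
from collections import defaultdict

# A twin that is much louder than the real AP (the tutorial's txpower trick)
# stands out by this many dBm. Assumed threshold, tune per site.
POWER_GAP_DBM = 20

# Constructed observations: one per (BSSID, channel) seen beaconing.
OBSERVED = [
    {"bssid": "02:11:22:33:44:01", "channel": 6,  "essid": "CorpNet",   "power": -58},
    {"bssid": "02:11:22:33:44:02", "channel": 11, "essid": "CorpNet",   "power": -61},
    {"bssid": "02:de:ad:be:ef:01", "channel": 1,  "essid": "CorpNet",   "power": -30},
    {"bssid": "02:aa:bb:cc:dd:ee", "channel": 6,  "essid": "HomeWifi",  "power": -45},
    {"bssid": "02:AA:BB:CC:DD:EE", "channel": 1,  "essid": "HomeWifi",  "power": -40},
    {"bssid": "02:55:66:77:88:01", "channel": 3,  "essid": "CafeGuest", "power": -70},
    {"bssid": "02:55:66:77:88:02", "channel": 3,  "essid": "CafeGuest", "power": -35},
    {"bssid": "02:99:99:99:99:01", "channel": 9,  "essid": "Lonely",    "power": -50},
]

# Constructed allowlist: the BSSIDs a site knows it operates for an ESSID.
KNOWN_APS = {"CorpNet": {"02:11:22:33:44:01", "02:11:22:33:44:02"}}


def find_suspect_aps(observed, known_aps):
    """Return (essid, bssid, reason) triples worth investigating."""
    findings = []
    by_essid = defaultdict(list)
    for rec in observed:
        by_essid[rec["essid"]].append(dict(rec, bssid=rec["bssid"].lower()))

    for essid, recs in sorted(by_essid.items()):
        allow = {b.lower() for b in known_aps.get(essid, ())}

        # Check 1: one BSSID beaconing on several channels. A real radio
        # sits on one channel; a copied BSSID on another channel is a twin.
        channels = defaultdict(set)
        for r in recs:
            channels[r["bssid"]].add(r["channel"])
        for bssid, chans in sorted(channels.items()):
            if len(chans) > 1:
                findings.append((essid, bssid, f"same bssid on channels {sorted(chans)}"))

        if allow:
            # Check 2: the ESSID is managed here, so any unlisted BSSID
            # (the tutorial notes the twin's BSSID may be random) is a finding.
            for bssid in sorted(channels):
                if bssid not in allow:
                    findings.append((essid, bssid, "bssid not in allowlist"))
        elif len(channels) > 1:
            # Check 3: no allowlist (e.g. a cafe network). Several radios
            # sharing an ESSID is normal for roaming, so only flag a radio
            # that is far louder than its siblings.
            weakest = min(r["power"] for r in recs)
            for r in recs:
                gap = r["power"] - weakest
                if gap >= POWER_GAP_DBM:
                    findings.append((essid, r["bssid"], f"{gap} dBm louder than weakest twin"))
    return findings


if __name__ == "__main__":
    for essid, bssid, reason in find_suspect_aps(OBSERVED, KNOWN_APS):
        print(f"{essid:<10} {bssid}  {reason}")
```

On the constructed data this reports the unlisted CorpNet radio, the HomeWifi BSSID seen on two channels, and the CafeGuest radio that is 35 dBm louder than its sibling. The allowlist check is the reliable one; the power heuristic exists only for networks nobody manages, and a twin that matches BSSID, channel and power (as the tutorial recommends) will only show up through the duplicate-channel check or through a capture-side look at the beacon's capabilities and vendor elements.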

Telling the client to get lost
Now we have to ask the client to disconnect from that AP. Our twin won't work if the client is connected to the other network. We need to force it to disconnect from the real network and connect to the twin.
For this, the first part is to force it to disconnect. Aireplay will do that for us:
aireplay-ng --deauth 0 -a <BSSID> mon0 --ignore-negative-one

The 0 specifies the time interval at which to send the deauth request. 0 means extremely fast, 1 would mean send a packet every 1 second, 2 would mean a packet every 2 seconds, and so on. If you keep it as 0, then your client would be disconnected in a matter of seconds, so fire up the command, and press ctrl+c after a few seconds only. Note that the deauth is sent on broadcast, so all the clients (not just one) connected to the network will disconnect. Disconnecting a specific client is also possible.
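The deauth step above has an obvious defensive signature: a burst of deauthentication (or disassociation) frames far above the rate any access point sends on its own, usually addressed to broadcast. Because aireplay-ng is given the real AP's BSSID (the -a option above), the frames carry the legitimate AP's source address, so the address alone is not the tell; the rate is. The following added example is not code from the tutorial; it applies a per-source sliding-window count to a constructed capture. The FRAMES list, the addresses and timestamps in it, and the WINDOW_MS and THRESHOLD values are assumptions made up for the example.

```python
"""Detect deauthentication floods from a stream of 802.11 management frames.

Added example, not the tutorial's own code. Frames are constructed
(timestamp_ms, subtype, source, destination) tuples standing in for what a
monitor-mode capture would yield; all addresses and times are made up.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_MS = 1000   # assumed sliding window
THRESHOLD = 10     # assumed: this many deauth/disassoc frames per window is a flood

# Constructed capture. The legitimate AP 02:11:22:33:44:01 sends a couple of
# deauths over ten seconds (normal housekeeping). From t=3000 ms a spoofed
# burst arrives carrying the same source address (aireplay-ng's -a <BSSID>
# makes the flood look like the real AP), one frame every 10 ms to broadcast.
LEGIT_AP = "02:11:22:33:44:01"
FRAMES = [
    (0,    "deauth", LEGIT_AP, "02:aa:aa:aa:aa:01"),
    (1200, "beacon", LEGIT_AP, BROADCAST),
    (5000, "deauth", LEGIT_AP, "02:aa:aa:aa:aa:02"),
    (9000, "data",   "02:aa:aa:aa:aa:02", LEGIT_AP),
]
FRAMES += [(3000 + 10 * i, "deauth", LEGIT_AP, BROADCAST) for i in range(40)]
# A second AP that deauths a few clients, spread out: stays below threshold.
FRAMES += [(t, "deauth", "02:bb:bb:bb:bb:bb", "02:cc:cc:cc:cc:01")
           for t in (100, 600, 1500, 2500, 4000)]


def detect_deauth_floods(frames, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Return one alert per source whose deauth rate crosses the threshold."""
    alerts = []
    recent = defaultdict(deque)   # source -> (t, dst) pairs inside the window
    alerted = set()
    for t, subtype, src, dst in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append((t, dst))
        while t - q[0][0] > window_ms:     # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "src": src,
                "at_ms": t,
                "count": len(q),
                # a broadcast deauth takes every client off the AP at once
                "broadcast": any(d == BROADCAST for _, d in q),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_floods(FRAMES):
        print(f"deauth flood from {a['src']} at {a['at_ms']} ms: "
              f"{a['count']} frames in {WINDOW_MS} ms, broadcast={a['broadcast']}")
```

On the constructed capture the spoofed burst trips the threshold at 3090 ms (ten frames inside one second, to broadcast), while the second AP's five spread-out deauths never do. The structural fix for the problem this detects is 802.11w (Protected Management Frames), under which a client rejects deauthentication frames that are not authenticated by its AP; the detection above is what you run for networks and clients that do not yet support it.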

Not the real one, but why the fake one
Even after being disconnected from the real AP, the client may choose to keep trying to connect to the same AP a few more times, instead of trying to connect to ours. We need to make our AP stand out, and for that, we need more signal strength. There are 2 ways to do that:
1. Physically move closer to the client.
2. Power up your wireless card to transmit at more power.
The latter can be done with the following command:
iwconfig wlan0 txpower 27

Here 27 is the transmission power in dBm. Some cards can't transmit at high power, and some can transmit at extremely high power. Alfa cards usually support up to 30 dBm, but many countries don't allow the card to transmit at such powers. Try changing 27 to 30 and you'll see what I mean. In Bolivia, however, you can transmit at 30 dBm, and by changing the regulatory domain, we can overcome the power limitation.
iw reg set BO
iwconfig wlan0 txpower 30

It is strongly advised not to break laws, as the transmission limits are there for a reason, and very high power can be harmful to health (I have no experimental evidence). Nevertheless, the client should connect to you if your signal strength is stronger than that of the real twin.
Note: If you are unable to get your client to connect to you, there is another option. You can leave him with no options. If you keep transmitting the deauth packets continuously (i.e. don't press ctrl+c after the client has disconnected), he will have no choice but to connect to you. However, this is quite an unstable situation, and the client will go back to the real twin as soon as it gets the chance.

Give the fake AP internet access
Now we need to provide internet access to the fake AP. This can be done in various ways. In this tutorial, we will consider that we have an interface x0 which has internet connectivity. Now, if you are connected to the net via wireless, replace x0 with wlan1 or wlan0; a 3G modem will show up as ppp0. Nevertheless, you just have to know which interface is providing you with internet, and you can route the internet access to your client.

Interfaces
x0 - This has internet access.
at0 - This is created by airbase-ng (the wired side of the wireless access point). If you can somehow give internet access to at0, then the clients connected to your fake wireless network can connect to the net.
evil - This is an interface that we will create, whose job will be to actually bridge the networks.

Creating evil
We will use the bridge control utility provided by Kali, brctl. Execute the following code:
brctl addbr evil

This will create the bridge. Now we have to specify which two interfaces have to be bridged:
brctl addif evil x0
brctl addif evil at0

We can assign an IP to the interfaces and bring them up using:
ifconfig x0 0.0.0.0 up
ifconfig at0 0.0.0.0 up

Also bring up the evil interface (the interfaces aren't always up by default, so we have to do this explicitly):
ifconfig evil up

Now to auto configure all the complicated DHCP settings, we'll use dhclient:
dhclient evil &

Finally, all the configurations have been completed. You can execute ifconfig and see the results, which will show you all the interfaces you have created.
Officially, the evil twin attack is complete. The client is now connected to your fake network, and can use the internet pretty easily. He will not have any way to find out what went wrong. However, the last objective remains.

Have fun
Now that the client is using the internet via our evil interface, we can do some evil stuff. This actually comes under a Man In The Middle attack (MITM), and I'll write a detailed tutorial for it later. However, for the time being, I will give you some idea of what you can do.

Sniffing using Wireshark
Now all the packets that go from the user to the internet pass through our evil interface, and these packets can be monitored via wireshark. I won't teach you how to use it here, since it is a GUI tool. You can take a look at their website to get an idea of how to use wireshark. Pic credits: The picture on the right has been directly taken from their website.
http://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html

Special Thanks
Matthew Bernard for his useful comment with some tips and a number of corrections
http://www.kalitutorials.net/2014/07/evil-twin-tutorial.html?showComment=1406591245609#c5539483407421385761
The screenshots have also been taken by him and provided to me for usage (I would love to see more helpful visitors like him).

33 comments:

Anonymous
July 16, 2014 at 2:04 AM
Hi,
thanks for this great Tutorial :)
Although it's easy to understand, I have some problems with it:
When I want to create the Fake-Network using "airbase-ng -A -ESSID -c " I get the message, that ESSID is an invalid argument. When I use "-essid" instead, I get "ioctl(SIOCGIFINDEX) failed: no such device".
I found out, that I'm only allowed to use a monitor of airmon-ng, but I thought, that's not what we want to imitate another one's AP, especially access point's MAC.
Next Problem: Even when I use the mon created with airmon-ng (e.g. after Spoofing my own MAC with ifconfig) the program begins to send beacons to an apparently random Client and won't stop that until I type Ctrl+C, so I'm not able to continue with the next step.
What am I doing wrong?
Reply

Replies
Anonymous
July 28, 2014 at 10:17 AM
I have the same problem as the first guy who commented but when I try airbase-ng -a -essid mon0 i get this:
root@kali:~# airbase-ng -a -essid ryanmatt mon0
Invalid AP MAC address.
"airbase-ng --help" for help.
But if I try to put the bssid after the -a then i get this:
root@kali:~# airbase-ng -a 00:26:F3:35:4D:31 -essid ryanmatt mon0
"airbase-ng --help" for help.

SHASHWAT CHAUDHARY
July 28, 2014 at 8:36 PM
Sorry, replace -essid with --essid.

Anonymous
July 20, 2014 at 3:17 PM
I really appreciate the time that went into this. As a beginner, this has been hugely helpful. Thanks!
Reply

Replies
SHASHWAT CHAUDHARY
July 21, 2014 at 2:14 AM
Glad you found it useful.

Anonymous
July 27, 2014 at 8:57 AM
Can we hack his wifi using evil twin method.....
Reply

Replies
SHASHWAT CHAUDHARY
July 28, 2014 at 2:01 AM
We can, but it's kinda tricky. I will write on it after some time.

RAVI RAM
July 27, 2014 at 12:51 PM
hey sashwat finally you are able to run adsense ads on your blog...congrats.
Reply

MATTHEW BARNARD
July 28, 2014 at 4:50 PM
Sorry, actually .07mb/sec upload speed.
Reply

MATTHEW BARNARD
July 29, 2014 at 5:45 PM
This comment has been removed by the author.
Reply

SHASHWAT CHAUDHARY
July 29, 2014 at 10:21 PM
I will look into those captcha related sources that you've listed. Also, I've sent you a mail.
Reply

CHROMIUMPT
February 18, 2015 at 9:40 AM
Hi, i get the following error:
root@user:~# airbase-ng -essid Helder mon0
17:36:26 Created tap interface at0
17:36:26 Trying to set MTU on at0 to 1500
17:36:26 Trying to set MTU on mon0 to 1800
17:36:26 Access Point with BSSID 00:22:FB:88:A1:E8 started.
Error: Got channel -1, expected a value > 0.

could you pls help me, ty.

LOVE THIS SITE BTW ;)
Reply

Replies
SHASHWAT CHAUDHARY
February 18, 2015 at 8:46 PM
Try this
airbase-ng --essid Helder mon0 --ignore-negative-one

CHROMIUMPT
February 19, 2015 at 10:17 AM
ty for the fast reply, unfortunately that didn't work. i got this error:
root@user:~# airbase-ng --essid Helder mon0 --ignore-negative-one
airbase-ng: unrecognized option '--ignore-negative-one'
"airbase-ng --help" for help.

SHASHWAT CHAUDHARY
February 19, 2015 at 9:17 PM
My bad. --ignore-negative-one is not present in airbase-ng. The solution is a bit longer here.
1) airmon-ng check kill - Kill the processes.
2) If you are running monitor mode on wlan0, then turn down that interface using iwconfig wlan0 down (after turning on the monitor mode on wlan0)

CHROMIUMPT
February 20, 2015 at 1:46 AM
ty, that worked! :)

CHROMIUMPT
February 20, 2015 at 4:03 AM
how do i connect to the internet later on now?

SHASHWAT CHAUDHARY
February 20, 2015 at 9:49 PM
root@user:# /etc/init.d/networking start
This should start network manager again.

TEST TZTZ
April 22, 2015 at 5:15 AM
Dear Shashwat,
I have the same problem as Chromiupt and I have tried to follow your instructions but there are still problems for me...
Indeed, everything works well when NetworkManager is stopped but I will need it after in order to give internet access to the client.
It seems that as soon as I start NetworkManager, mon0 is not assigned anymore to any channel (I check with iwlist mon0 channel) so the "channel -1" error appears. Doing "airmon-ng start wlan0 6" (6 the channel I want mon0 to be assigned), assigned mon0 only if NetworkManager is OFF. For Example, I tried to turn NetworkManager off, assign mon0 (it works) then turn on NetworkManager on, and then mon0 was not assigned anymore.
I saw that someone else had the same problem (Astenon at http://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-eviltwin-wireless-access-point-eavesdrop-data-0147919/) but could not solve it either.
Is there any solution ? Will I have to give internet by ethernet ?
Thanks a lot for your answer,
Robert

IINQ
March 7, 2015 at 11:37 AM
Can somebody help me please? cant bridge my interfaces...

brctl addif evil wlan0

cant add wlan0 to bridge evil: Operation not supported.
Thanks!
Reply

Replies
Anonymous
March 28, 2015 at 10:49 AM
You'll need something else to connect to the internet, like a second wireless card, because your wlan0 interface is already acting as an AP.

Anonymous
April 18, 2015 at 1:01 PM
I'm having the same issue, but with wlan1, which is connected to the Internet. Apparently bridging is not possible with some wireless cards:
http://www.reddit.com/r/linux/comments/o3ub0/brctl_equivalent_for_wlan0/c3e54tz

Anonymous
April 25, 2015 at 11:27 PM
wouldn't it be better to give evil internet access before sending the deauth packet?
Reply

Anonymous
July 24, 2015 at 12:57 PM
After sending the deauth command my tablet gets disconnected from my router and tries to connect to the evil twin but it never will. It just keeps scanning over and over. If I choose the connection manually it tries to authenticate but never does, it just shows the network as saved or turned off. Any ideas what to do about this?
Reply

Replies
Anonymous
July 27, 2015 at 2:49 AM
I was encountering the same problem earlier. Three things:
1: Are you providing internet access to evil interface? (Not sure if this step is necessary but worked for me.)
2: Is the AP having same bssid and essid? And is it on same channel? If not then make it identical.
3: Do not send deauth continuously. Press ctrl^c to stop deauthing and then try to connect to the twin.
Hope it helped! :)

Anonymous
July 27, 2015 at 2:41 AM
I am setting the evil bridge between eth0 and at0 interface. I have successfully established a connection with a device after deauthing it. But after [dhclient evil &] command i am not able to connect to internet.
PS: ifconfig shows eth0 connected to router with ip 192.168.1.5
at0 is at ip 172.168.1.0
Please help.
Reply

FILOGASBA
August 26, 2015 at 1:26 AM
"iwconfig wlan0 txpower 30", but at default how high it is set?
If I set a value, at a reboot the value return at default?
Reply

UNKNOWN
September 14, 2015 at 3:39 PM
So Can I Obtain The Wifi's Router Password Using This Method?
Reply

UNKNOWN
October 21, 2015 at 1:19 AM
what ip address should we assign here after creating the bridge? Should i type "ifconfig at0 0.0.0.0 up" and "ifconfig eth0 0.0.0.0 up"? once i created the bridge i can no longer get out to the internet
Reply
Anonymous
October 25, 2015 at 11:35 PM
For all of you having trouble with internet access after running
brctl addbr evil
brctl addif evil eth0
brctl addif evil at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig evil up
dhclient3 evil &
I found if I changed "dhclient3 evil &" to "dhclient evil &" it worked fine. ***remove quotes
Reply

Anonymous
October 31, 2015 at 2:39 PM
It works great but after doing all this my wlan0 disappeared in my ifconfig.. there is only the evil left
Reply

Anonymous
November 16, 2015 at 12:07 AM
how to see the victim's password?
Reply

Anonymous
December 1, 2015 at 3:22 AM
somebody can tell me how to see the victim's password please
Reply


AUTHOR
Shashwat Chaudhary
google.com/+ShashwatChaudhary1
1st year CSE @ IIIT Delhi