Jump to content

Evil Twin - Wrong IP assigned


Twips
 Share

Recommended Posts

Hi everybody,

sorry, as a new board member in general I take a look at the community first and introduce myself, but this time I have to start with a question / a problem I have since weeks... or months, I don't know exactly.

I'm experimenting with an evil twin access point based on kali linux.
I got the AP running, configured IP Tables and the isc-dhcp-server. Nevertheless, when I connect to the AP with my Microsoft Surface, I get a wrong IP assigned.

ifconfig says:

at0 Link encap:Ethernet HWaddr 00:12:32:31:23:11
inet addr:192.168.2.129 Bcast:192.168.2.255 Mask:255.255.255.128
inet6 addr: fe80::212:32ff:fe31:2311/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:393 errors:0 dropped:0 overruns:0 frame:0
TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:37781 (36.8 KiB) TX bytes:5234 (5.1 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:978 errors:0 dropped:0 overruns:0 frame:0
TX packets:978 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:75004 (73.2 KiB) TX bytes:75004 (73.2 KiB)

mon0 Link encap:UNSPEC HWaddr F0-B4-79-17-9E-A2-3A-30-00-00-00-00-00-00-00-00
UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI MTU:1800 Metric:1
RX packets:166462 errors:0 dropped:2867 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14325051 (13.6 MiB) TX bytes:0 (0.0 B)

usb0 Link encap:Ethernet HWaddr 02:34:36:04:73:70
inet addr:192.168.42.108 Bcast:192.168.42.255 Mask:255.255.255.0
inet6 addr: fe80::34:36ff:fe04:7370/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:87848 errors:1 dropped:0 overruns:0 frame:1
TX packets:51654 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:117914166 (112.4 MiB) TX bytes:8952481 (8.5 MiB)

where at0 is the adapter of my interface where the Surface connects to.

Nevertheless, my tablet says sth like "connection is limited" ("Verbindung ist eingeschränkt" in German) takes the IP 169.254.130.252 and the status is "no network connection". But why?

I think it has sth to do with my isc-dhcp configuration

subnet 192.168.2.128 netmask 255.255.255.128
{
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option domain-name-servers 8.8.8.8;
option routers 192.168.2.129;
range 192.168.2.130 192.168.2.140;
}

but I really don't see whats wrong here.

You have some ideas where I could have messed it up?

Link to comment
Share on other sites

Welcome to the forums...haven't run this attack myself before so hopefully I can point you in the right direction though.

when I connect to the AP with my Microsoft Surface, I get a wrong IP assigned

I don't think you are getting that far because DHCP can't assign anything in the 169.254.x.x range(or shouldn't unless you explicitly send out leases in the APIPA IP range) but not sure without seeing a local wireshark pcap while trying to connect and then look for the DORA handshake(ports 67 and 68 traffic - Discover, Offer, Reply, Acknowledge). You most likely can't reach or aren't getting a reply from the server/service on the Kali machine at all, which is why you see the private IP range, not a "wrong" IP address assigned.

Looking at your adapters, which one are you trying to use to serve as a gateway, because the USB one, looks like it should be what you want to use for impersonating the SSID you want, and the AT0 should be your wired NIC, which I assume should be attached to the Internet. This in itself, may be where the issue is. Try changing the adapters so the wired is connected to your home internet, and the USB0 is servicing DHCP. Also, they may have to be in the same subnet to sniff the traffic for the subnet you capture on from MON0, but I am not reading the instructions you went by, just thinking about this from what was shown above and looking at it more from a basic networking standpoint.

Not sure if in the setup instructions you followed, if you also had to configure DNS as well for the forwarding/lookup to Google's 8.8.8.8, but you should also need a DNS server running as well (I would think) in addition to a DHCP server unless IP Tables handles all the forwarding(which it may), which without looking on google for how to do this attack, is there a step at any point you enabled forwarding of any kind (someone chime in and help me here, echo "1" > /somepath/ip_forward ).

You could try disabling and re-enabling the tablets adapter to see if that helps in case it needs it's own lease settings cleared(or if you can open a cmd window and run ipconfig /renew), but I don't think it is on the tablet end that isn't working and is more in your setup on the Kali machine. Maybe google for steps on this from another site or look for a video walk through, since they will probably show you a step you missed. Even though some Microsoft devices may not like classless network masks(surface shouldn't have this issue), and will only accept a class full subnet mask such as 255.0.0.0 for class A, 255.255.0.0 class B, and 255.255.255.0 class C IP Ranges (Windows XP and earlier suffer from this problem and something I ran into when trying to reach my own site from an XP box, would not see a website ending in 255 for it's IP address and had to have it changed) there is more than likely that you missed something, or have the adapter settings wrong on the Kali machine.

Edited by digip
Link to comment
Share on other sites

How are you creating the evil twin manually by terminal or by script ? i always say it is best to learn from terminal before going straight into scripts as then if you run a script you can figure out what is going wrong

but if you are in a rush to use a evil twin have a look at easycreds.sh for creating one and you can specify what ip, gateway etc to use with this script but if you are doing it manually try changing your Isc-dhcp config to this see if this works out for you

dens-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 10.0.0.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 10.0.0.255;
option routers 10.0.0.254;
option domain-name-servers 8.8.8.8;
range 10.0.0.1 10.0.0.140;
}

Link to comment
Share on other sites

pwnstar has always helped me in this case. as MadDog76 said, learn to do it in the terminal first, the long way, then you can make a script of use one later on to accomplish your task. The usual model for an ET attack is:

create a monitor interface > share your existing internet connection on any other interface (such as eth0) > run dhcp on the monitor so that it can allocate IP's to new clients > run ssl strip to monitor on the monitor interface and preferably ferret as well. You can modify this approach a bit to instead sidejack the device as well collecting cookies with ettercap and hamster.

Good luck!

Edited by localtracker
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...