Jump to content

Confused about Evil Twin attacks


nobody:nobody

Recommended Posts

So I have been reading about different social engineering based attacks and came across wifiphisher(if you don't know, it is an automated evil twin+captive portal tool to phish for wpa(or wep i guess) passwords by making up a story about a firmware update.) I dont understand how this is possible. As i understand the evil twin, it requires the evil ap to have all of the same info as the real one to convince the client to connect to it after the deauth right? Therefore it cannot be performed on an encrypted network as you could not forge the handshake right? Surely devices aren't dumb enough to connect to an open ap that it remembers as secured? So how does this tool work?

Link to comment
Share on other sites

Your right our devices are smart enough to not just connect but the phish

Is the trick it clones the encrypted WiFi and replaces it with a open and as soon as you connect it offers you a update just give me your password

It's a social engineering attack

Link to comment
Share on other sites

Karma would attract your device assume

I don't use evil twin but I am sure it de auth everyone from network 1 and and puts a network with the same name and uses karma to attract to open network

If your device is set to connect to open wireless yes it would just switch and offer you a pbishing page asking for password to update

Link to comment
Share on other sites

For many (generally older) devices, if there's two APs with the same ESSID (or BSSID in some later implementations) then it is simply a race condition to see which one is associated to. It essentially boils down to which one has the stronger signal (in most cases this will be the same as which is closer). Karma is excellent at grabbing these devices because it just replies to all probe requests (the packets spat out by a client asking which of its known APs are nearby), therefore Karma will most likely win the race condition and get the association.

However, if the target device is already associated to a nearby network, it won't do anything. This is where deauthenticating comes in.

If you were to look at your device settings, you'd see two APs with the same ESSID (name) but with different security settings. If the attack had worked, then you'd be connected to the Open one rather than the real (hopefully) encrypted one.

The the rest of this particular attack would then proceed, i.e. the user would be redirected to some web page asking for the WPA/WEP key.

Link to comment
Share on other sites

I've never tried this attack, but this attack would be more for open networks and not encrypted ones. WPA encrypted network clients would try authenticating to the AP, for which said AP would not be able to do the handshake. A user disconnected from their own AP or one with the same name, wouldn't automatically connect to the captive portal AP unless it was able to complete the handshake. The user would more than likely keep getting deauthed (if persistent) or eventually connect back to their own. Stronger signal would of course always win, but only if what the client expects to be in place would it work, otherwise would just cause a DoS in a sense.

If the client is on open networks though, then prompting them for WPA keys, would also pose a question as to "why" when they have an open AP. Now, if they phish strictly for the routers admin panel login, like putting up a clone of the manufacturers main page asking to login to update firmware for example, then yes, this may cause people to unknowingly post creds since it's a somewhat believable attack for un-savvy users, which I can see as happening more than trying to get WEP (which is already broken and easily crackable) and WPA keys(which if they use WPS pin code enabled on a PSK WPA setup, the pixie dust attack should crack it fairly easily - although not all are vulnerable to WPS attacks).

Link to comment
Share on other sites

I just tried the evil twin attack against my phone. (turned data off and only allowed wifi). On the phone side, I can see two things. One, the AP names listed I had saved, one now says disabled with WPA2, while the other, says the same thing with no encryption. In doing so, I can see the MAC address of my phone, try to associate from the console running airbase-ng, after I manually connect to it. However, my phone, did not connect to it automatically, even whenit had a closer signal(sitting next to it, and the real AP is at the other end of the house). I had to manually make the connection to the new AP that had the same name in order for me to see the mac address in the console and to get onto this network.This is why I think this will fail, although I still need to test with more wifi clients, such as windows and linux, my phones not going to automagically connect to the new AP, even when deauthed. It will probe for it, and it will try the request, but fails to connect automatically since it's looking for a saved encrypted connection. Until I manually connect to the new un-encrypted AP for the first time, it won't do it by itself. Then every time I turn the wifi off and on, it will then reconnect to the saved AP. if I set ti to forget again, I again have to manually make that connection.

If people don't pay attention that there are now two with the same name, one with and one without WPA2 setup, then yes, they will fall victim to this attack. They have to get deauthed, and then click the name in the top of their wifi clients list, which if not paying attention will get them into trouble. I'm sure i would fall for it too if I wasn't looking. My phone also has no settings, as far as I can tell, to tell it to not automaticlaly reconnect, which after testing, I advise you to "forget" the test network since a saved unencrypted network will connect like any other would. Windows clients have to go into and save the network, but after connected change the settings to not automatically connect, or even disconnect manually to change it.

I'm still playing with it to get it to work 100%, as the IP is being requested, and I can get one from DHCP on the VM's subnet just fine, but I can not get the forwarder to work. I seem to lose all internet connectivity, yet the DHCP server is working fine. I tested it locally and even went as far as to edit the dbphp file to save to a local text file, so I can tail -f the log for entries in the console in real time from the fake web form, which works, but unfortunately something is not working for me through IP tables and the forwarder once I get to the last steps. I've double checked my ip forward and iptables rules,but I can't even connect manually from the phone to the VM's Apache web server to see the fake page. That isn't a show stopper for me to be able to test different clients though and kick them off and see them connect. I just don't have the fake page server working after running the iptables, which will go back and test some more. iptables are not my cup of tea, and I possible hosed something in the terminal since airmon kept complaing about some processes I killed since my card kept going to managed mode on its own every couple of minues, which I think network manager was the issue.

edit:

I get the "taking too long" to connect now on my windows machine, which I attribute to the WPA2 connecting it has saved that it's trying to validate, while the fake unencrypted one is interfering since its closer with the same name. It's not however automatically connecting to the fake one. I even went in and made it so it would automatically reconnect, which didn't help. I keep it disabled by default though (right click your AP in the wifi list, and get properties, first tab uncheck automatically connect).

http://i.imgur.com/OQMqLhJ.png

edit:

one thing I did discover is it confuses the shit out of iPhones, or at least my sisters. Apparently they will downgrade the connection, but she may have hit it on her own without me knowing. Only reason I know is when I turned off the softap, she couldn't get online, and I had to reset the password on her phone for her.

Edited by digip
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...