Evil Twin Attacks – Part 1

An Evil Twin is a fake wireless access point that appears to be a genuine hotspot offered by a legitimate provider.
The idea is to set up a malicious wireless network with the same SSID (Service Set Identifier) as the original one.
Devices connecting to a Wi-Fi network, such as laptops, tablets and smartphones, have no way to distinguish between two Wi-Fi networks with the same SSID.
This enables attackers to set up malicious wireless networks that capture traffic and extract sensitive information from victims.
So an Evil Twin attack simply means there is another, fake access point that pretends to be the authentic, authorized access point, and to which a client can connect.
This attack often happens at hotspots like:
⚫ Restaurants
⚫ Bars
⚫ Airports

In some cases it also serves fake web GUIs.
For this attack to succeed, a little phishing using good old social engineering is needed.
A very good tool for this purpose is Wifiphisher (provided in Kali Linux).
Using this attack, an attacker can sniff, phish and capture data.
This attack is hard to trace, since it can be launched and shut off suddenly or at random, and may last only a short time until the attacker's goal is achieved.

Evil Twin Attack Methodology

Step 1

First, scan the air for a target access point.
Then create an access point using airbase-ng with the same name and channel as the target access point; hence the name Evil Twin attack.

Step 2

The client is now repeatedly disconnected from the original access point, and most modern systems' settings say, in effect, "connect back to the same ESSID (AP name) after a disconnect".
This also happens because when a client disconnects from any access point, it starts sending probe requests in the air carrying the name of the access point it was connected to earlier.
Hence the BSSID isn't a barrier; you just need the BSSID to spoof the AP (access point).

Step 3

The client is now connected to the Evil Twin access point and may start browsing the Internet.

Step 4

The client will see a web administrator warning saying "Enter WPA password to download and upgrade the router firmware".

The moment the client enters the password, he or she is redirected to a loading page and the password is stored in the MySQL database on the attacker's machine.
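The methodology above depends on a second BSSID beaconing the target's SSID, on the same channel, and usually as an open network so the phishing page can be served. As an added example, not part of the original article, the following Python script shows the corresponding defender-side check: beacons seen in a scan are compared against an inventory of known access points, and any unknown BSSID advertising a managed SSID is flagged. The SSID, BSSIDs and channels in it are constructed placeholders.

```python
# Added example (not from the original article): flag evil-twin candidates in a
# list of observed beacons. All SSIDs, BSSIDs and channels below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # MAC address of the access point that sent the beacon
    channel: int
    security: str   # "OPEN", "WPA2" or "WPA3"

# Known-good inventory for the networks we manage: SSID -> set of our own BSSIDs.
KNOWN_APS = {
    "CoffeeShop-WiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
}

# Constructed scan result: two legitimate APs plus one impostor that copies the
# SSID and channel of aa:bb:cc:00:00:01 while broadcasting as an open network.
SCAN = [
    Beacon("CoffeeShop-WiFi", "aa:bb:cc:00:00:01", 6, "WPA2"),
    Beacon("CoffeeShop-WiFi", "aa:bb:cc:00:00:02", 11, "WPA2"),
    Beacon("CoffeeShop-WiFi", "de:ad:be:ef:00:01", 6, "OPEN"),
    Beacon("Neighbour-Net", "11:22:33:44:55:66", 1, "WPA2"),
]

def find_evil_twins(beacons, known=KNOWN_APS):
    """Return (bssid, reason) pairs for beacons that impersonate a managed SSID."""
    alerts = []
    by_ssid = {}
    for b in beacons:
        by_ssid.setdefault(b.ssid, []).append(b)
    for ssid, seen in by_ssid.items():
        if ssid not in known:
            continue  # not one of ours; nothing to compare against
        legit = [b for b in seen if b.bssid.lower() in known[ssid]]
        for b in seen:
            if b.bssid.lower() in known[ssid]:
                continue
            reasons = ["unknown BSSID advertising managed SSID"]
            if any(l.channel == b.channel for l in legit):
                reasons.append("same channel as a legitimate AP")
            if b.security == "OPEN" and all(l.security != "OPEN" for l in legit):
                reasons.append("open network where the real one is encrypted")
            alerts.append((b.bssid, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for bssid, reason in find_evil_twins(SCAN):
        print(f"ALERT {bssid}: {reason}")
```

In practice the beacon list would come from a wireless IDS or a periodic scan on a monitoring host, and the inventory from the WLAN controller.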

NOTE

Many public Wi-Fi networks use web pages that require your login details to connect you to the internet.

The goal of this attack is to fool the victim into giving their authentication details for a legitimate Wi-Fi network.

Once the attacker has these details, they can log into the network, take control of it, monitor unencrypted traffic and perform other MITM (Man-in-the-Middle) attacks.