Evil Twin Enterprise WiFi Network using Hostapd-Mana
Hello World! An evil twin attack uses the same SSID as a legitimate WiFi network so that a client that has previously connected to that network joins the attacker's access point instead. In this post, I'll go over how to set up an enterprise WiFi network with hostapd-mana and entice users to connect to it in order to capture the credentials they present to the RADIUS server.
This lab is provided by the AttackDefense platform; you can try it here: https://attackdefense.com/challengedetails?cid=1290
Capture Wireless Traffic
Let's configure the wlan0 interface in monitor mode to capture the WiFi traffic before continuing. You can do this by performing the commands listed below in the exact order.
Let's capture packets from both the 2.4 GHz and 5 GHz bands on the wlan0 interface using the following command.
As you can see, the "TigerSecurities" network is transmitting beacon frames on channel 6; however, no clients appear to be connected, even though an evil twin attack requires at least one connected client.
It is possible that the client is transmitting frames but airodump misses them because it is hopping between channels rather than listening on channel 6. Let's lock airodump to channel 6 using the --channel parameter.
If you look at the stations section of the output, you will see that a client with MAC 02:00:00:00:03:00 is connected to the WiFi network.
Set Up Honeypot Access Point
The lab provides all the necessary certificates in the /root/certs directory. Since we will be using TTLS, which runs the inner authentication inside a TLS tunnel, certificates are required. I will use these certificates because creating them is outside the scope of this post.
If you opt not to use the certificates, the client will not be able to verify the EAP server, and the result is the TLS verification failed message seen below.
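The TLS verification failure above is the check that protects a client: a supplicant that insists on a trusted CA and a matching server name will refuse the honeypot's certificate, while one without those settings accepts whatever the evil twin presents, and with TTLS/PAP the password inside that tunnel is clear text. The following is an added example (not part of the original post or of hostapd-mana) that audits wpa_supplicant network blocks for exactly those weaknesses. The sample configuration and the CA path and domain name in it are constructed; the option names (key_mgmt, eap, phase2, ca_cert, domain_suffix_match and friends) are real wpa_supplicant.conf options.

```python
"""Audit wpa_supplicant network={...} blocks for enterprise (802.1X) settings
that would let a client accept a rogue RADIUS/EAP server.

Added example, not part of the original post.  SAMPLE_CONF is constructed:
the first block is the weak configuration, the second the hardened one."""
import re

SAMPLE_CONF = """
network={
    ssid="TigerSecurities"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="brian"
    password="sweetness"
    phase2="auth=PAP"
}

network={
    ssid="TigerSecurities"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="brian"
    password="sweetness"
    phase2="auth=PAP"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.tigersecurities.example"
}
"""

# Any one of these ties the server certificate to a specific name, so a
# certificate merely issued by the trusted CA is not enough on its own.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match",
                    "subject_match", "altsubject_match")


def parse_networks(conf_text):
    """Return one dict per network={...} block; quoted values are unquoted."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", conf_text, re.DOTALL):
        net = {}
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)  # phase2="auth=PAP" keeps its inner '='
            net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """Return a list of findings (empty means nothing to report)."""
    findings = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings  # not an 802.1X network; certificate checks do not apply
    if "ca_cert" not in net:
        findings.append("no ca_cert: the supplicant accepts any server certificate, "
                        "so an evil twin running its own EAP server passes TLS verification")
    elif not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("ca_cert set but no server name match: any certificate "
                        "issued by that CA is accepted")
    inner = net.get("phase2", "").upper()
    if net.get("eap", "").upper() == "TTLS" and "AUTH=PAP" in inner and "ca_cert" not in net:
        findings.append("TTLS/PAP sends the password in clear text inside the TLS tunnel; "
                        "with no server verification the tunnel ends at whoever answers")
    return findings


def audit_config(conf_text):
    """Audit every network block; returns [(ssid, [findings]), ...]."""
    return [(net.get("ssid", "<no ssid>"), audit_network(net))
            for net in parse_networks(conf_text)]


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF):
        print(f"{ssid}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run against the sample, the first TigerSecurities block gets two findings and the hardened block none; point it at a real wpa_supplicant.conf to check a fleet of clients the same way.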
Similar to the hostapd setup I detailed in older posts, the hostapd-mana configuration looks like this. However, the final configuration has two mana-specific configuration options.
Create the following file with any name; here I am using fakenet.conf.
Create a new file with the name specified in the eap_user_file configuration variable and place it in the same directory as fakenet.conf. This is what allows any user to connect to fakenet.
Start hostapd-mana with the configuration file (hostapd-mana fakenet.conf) and you will see the traffic details in the airodump output.
Force Associated Client to Connect to Fakenet
The associated client needs to be disassociated from the legitimate network in order to make it connect to the malicious access point. This can be done by performing a deauthentication attack, as shown below.
Wait for some time and you will see in the airodump output that the client has connected to our honeypot network.
Now switch back to the tab where hostapd-mana is running; you will see the network is TTLS-PAP, which uses a TLS tunnel carrying a clear-text username and password: brian:sweetness
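From the defender's side, the two observable signals of what happened above are a second BSSID beaconing "TigerSecurities" (the honeypot) and a burst of deauthentication frames (the forced disconnect). The following is an added example, not part of the original post, that detects both from a list of management-frame summaries. The frame records, the AP BSSIDs and the neighbouring SSID are constructed; only the client MAC 02:00:00:00:03:00 and the SSID come from the lab. In practice the records would be produced by a monitor-mode capture (airodump-ng or a pcap parser), which this example does not include.

```python
"""Detect evil twin beacons and deauthentication bursts in 802.11 management
frame summaries.  Added example, not part of the original post; FRAMES is
constructed to mirror the lab, the capture code is assumed to exist elsewhere."""
from collections import defaultdict

LEGIT_AP = "00:11:22:33:44:55"   # constructed BSSID for the real TigerSecurities AP
ROGUE_AP = "AA:BB:CC:DD:EE:01"   # constructed BSSID for the honeypot
CLIENT = "02:00:00:00:03:00"     # client MAC seen in the lab's airodump output


def frame(t, subtype, src, bssid, ssid=""):
    """One management-frame summary: time in seconds, subtype, source, BSSID, SSID."""
    return {"time": t, "subtype": subtype, "src": src, "bssid": bssid, "ssid": ssid}


FRAMES = (
    # legitimate AP beaconing on its own
    [frame(i * 0.1, "beacon", LEGIT_AP, LEGIT_AP, "TigerSecurities") for i in range(10)]
    # honeypot appears, same SSID, different BSSID
    + [frame(5.0 + i * 0.1, "beacon", ROGUE_AP, ROGUE_AP, "TigerSecurities") for i in range(5)]
    # deauth burst with the source spoofed as the legitimate AP (12 frames in 0.55 s)
    + [frame(6.0 + i * 0.05, "deauth", LEGIT_AP, LEGIT_AP) for i in range(12)]
    # a lone, ordinary deauth from another AP and an unrelated neighbour network
    + [frame(30.0, "deauth", "00:11:22:33:44:66", "00:11:22:33:44:66"),
       frame(31.0, "beacon", "CC:CC:CC:CC:CC:01", "CC:CC:CC:CC:CC:01", "NeighbourGuest")]
)

# Site inventory: SSID -> set of BSSIDs that are allowed to advertise it.  A
# real enterprise ESS has many BSSIDs per SSID, so "more than one BSSID" alone
# is not an alert; "a BSSID we do not own" is.
KNOWN_BSSIDS = {"TigerSecurities": {LEGIT_AP}}


def find_rogue_bssids(frames, known_bssids):
    """Map each inventoried SSID to the BSSIDs advertising it that are not ours.
    SSIDs absent from the inventory are ignored so neighbours do not trip alerts."""
    seen = defaultdict(set)
    for f in frames:
        if f["subtype"] in ("beacon", "probe_resp") and f["ssid"] in known_bssids:
            seen[f["ssid"]].add(f["bssid"])
    return {ssid: sorted(bssids - known_bssids[ssid])
            for ssid, bssids in seen.items() if bssids - known_bssids[ssid]}


def find_deauth_bursts(frames, window_s=1.0, threshold=5):
    """Return (source_mac, start_time, count) for each run of deauth/disassoc
    frames from one source with at least `threshold` frames inside `window_s`.
    A single deauth is normal AP behaviour; a burst is the attack signature."""
    per_src = defaultdict(list)
    for f in frames:
        if f["subtype"] in ("deauth", "disassoc"):
            per_src[f["src"]].append(f["time"])
    bursts = []
    for src, times in per_src.items():
        times.sort()
        start, count = times[0], 0
        for t in times:
            if t - start <= window_s:
                count += 1
            else:
                if count >= threshold:
                    bursts.append((src, start, count))
                start, count = t, 1
        if count >= threshold:
            bursts.append((src, start, count))
    return bursts


if __name__ == "__main__":
    for ssid, rogues in find_rogue_bssids(FRAMES, KNOWN_BSSIDS).items():
        print(f"possible evil twin of {ssid}: unknown BSSIDs {rogues}")
    for src, start, count in find_deauth_bursts(FRAMES):
        print(f"deauth burst: {count} frames from {src} starting at t={start:.2f}s")
```

The deauth source is the legitimate AP's own MAC because that is what the attacker spoofs; the burst rate, not the address, is what distinguishes it from the AP's normal housekeeping, which is why the detector keys on frames per window rather than on sender identity.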