Evil Twin Attack via Kali on Raspberry Pi

From Embedded Lab Vienna for IoT & Security

An Evil Twin is a rogue access point designed to imitate a legitimate access point in order to carry out malicious actions such as phishing. Regular laptops and Wi-Fi adapters can be used to set up an Evil Twin, as can Raspberry Pis, which are quite small and can easily be packed into a backpack when powered by a battery bank. Such a setup can then be left in one place for several days, for example, during which time the AP can phish information.

The main scenarios in the context of rogue access points or Evil Twins are:

  • Machine-in-the-Middle/Content Injection
  • Malicious webpages through e.g. DNS spoofing
  • Deauthentication attacks
  • Technique for social engineering for more in-depth scenarios

Kali Linux on Raspberry Pi

For example, Kali Linux can be installed on a Raspberry Pi 4 Model B with 8 GB RAM. The Raspberry Pi 4 Model B is equipped with a Broadcom BCM2711, Quad core Cortex-A72 (ARM v8) 64-bit SoC @ 1.8GHz. This information is relevant because Kali Linux provides an image specifically for ARM processors on their website. This image can be downloaded at Kali Linux on ARM. The Raspberry Pi 4 is equipped with a 64-bit processor and supports the execution of 64-bit images. This results in two options: either the Kali Linux RaspberryPi 2, 3, 4 32-bit or 64-bit image can be selected, whereby more documentation is available for the 32-bit variant. In addition, the 32-bit image ran with fewer problems than the 64-bit image during practical tests. To get the image onto the Raspberry Pi, it must be transferred to a micro SD card. Balena Etcher or similar software can be used for this purpose. Once the image has been successfully transferred to the SD card, it can be inserted into the corresponding slot on the Raspberry Pi 4. This can then be started and Kali Linux will boot from the SD card. The username and password are kali/kali.

A more detailed guide to installing Kali Linux on a Raspberry Pi can be found in the following article: Install Kali Linux on Raspberry Pi 3 & 4

Hands-on report

Kali Linux on a Raspberry Pi was tested extensively in the course of setting up an Evil Twin. Overall, the installation of the latest version of Kali Linux (as of December 2023) on a Raspberry Pi is not recommended for testing and lab purposes. The use for spawning an Evil Twin can also be achieved with other Linux systems, which is why it should be determined whether Kali Linux is absolutely necessary. The following bugs were observed:

  • After installing dependencies that were necessary to start Wifiphisher and Wifipumpkin 3, there were more boot problems
  • Overall, booting was often prone to errors. Depending on the connected screen, it took several attempts.
  • There were often non-reproducible bugs when starting programmes. For example, Wifiphisher did not work from time to time, no networks could be displayed and the like. The bugs occurred randomly and could not be reproduced.
  • There were also bugs in the GUI area. For example, the bar for maximising, minimising and closing windows suddenly disappeared and it was no longer possible to move windows. To fix this, the corresponding driver had to be restarted.

  • When starting a rogue access point with aireplay and without an external Wireless Adapter, an error message may appear. This can be rectified by increasing the MTU. This is not easily possible on the internal interface on the Raspberry Pi and is blocked as the kernel does not support an MTU higher than 1500. There are then 2 options: Option (1): revise kernel settings and recompile or option (2): use external network antenna. Due to the risk and the necessary knowledge, option (2) is preferable. This means that an external Wi-Fi adapter is required as a wireless network interface. In addition, actions can be carried out on both 2.4 GHz and 5 GHz when using an appropriate network adapter. Without an external antenna, you can only work on 2.4 GHz. The external network adapter chosen for the lab was an Alfa AWUS036ACH Wide Range AC1200 Wireless Adapter. In the Linux environment, care should also be taken to ensure that the network adapters work with the respective distribution and kernel and that a corresponding driver is available. According to the manufacturer, the Alfa AWUS036ACH Wide Range AC1200 Wireless Adapter can be used with Kali Linux without any problems.

Evil Twin

Evil Twin using native Kali Linux Tools

The following tools are all pre-installed on Kali Linux. All of the tools listed can be used to carry out an Evil Twin attack:

  • Airmon-ng: Display interfaces and stop potentially disruptive processes.
  • Airodump-ng: Can be used to carry out reconnaissance. All surrounding networks and associated devices can be detected.
  • Airbase-ng: Can be used to create a Wi-Fi access point.
  • Aireplay-ng: Can be used to carry out deauth attacks.
  • Accompanying activities: dnsmasq can be used to set up a DNS server. Further accompanying steps are activating a corresponding route on the interfaces, enabling IP forwarding and setting up firewall rules.

Hardware requirements

At least the following hardware is required to set up an Evil Twin:

  • Raspberry Pi 4 Model B - 8GB incl. accessories such as power cable and MicroSD
  • Two external wireless adapters, for which the following can be recommended: 2 x Alfa AWUS036ACH Wide Range AC1200 Wireless Adapter


To find out which networks exist in the environment and which devices are associated with which network, the airodump-ng tool can be used for reconnaissance. The information such as BSSID, SSID or channel is important for the next steps.

The following command can be used for starting the reconnaissance using airodump-ng:

 sudo airodump-ng <interface> -b abg

The attributes a, b and g describe the bands on which airodump-ng should sniff: 'b' and 'g' use 2.4 GHz and 'a' uses 5 GHz.

Spawning Rogue Access Point

With the pre-installed tools airmon-ng, airodump-ng, airbase-ng and aireplay-ng in Kali Linux, it is possible to initiate both a rogue access point and an Evil Twin attack. The only significant drawback is that these tools do not offer a captive portal option.

An access point can be spawned as follows:

 sudo airbase-ng -e <wifiname> -c <channel> <interface>

To increase the range of the access point, the transmission power can be increased:

 sudo iwconfig <interface> txpower <NmW/NdBm>

In addition to the tools in the corresponding Deauth chapter, a Deauth attack can also be carried out using aireplay-ng:

 sudo aireplay-ng --deauth 50 -a <BSSID> <interface>

Deauthentication attack

Deauthentication attacks are a subtle yet serious threat. The targeted de-authentication attacks, which aim to remove connected devices from a Wi-Fi network, have the potential to have a significant impact on the availability and integrity of connections.

The channel of the AP or the devices that are connected to the AP can be taken from the reconnaissance. For setting the channel on the Wi-Fi adapter:

 sudo iwlist <interface> channel
 sudo iwconfig <interface> power off
 sudo iwconfig <interface> channel {channel, ex. "23"}
 sudo iwconfig <interface> power on

To check whether the channel has been set:

 sudo iwlist <interface> channel

For carrying out a deauth attack on 2.4 GHz:

 aireplay-ng -0 0 -a <MAC address of the TargetAP> -c <MAC address client> <interfacename>
    -0 for Deauthentication
    0  Number of deauths to be sent; 0 means that they are sent continuously

For carrying out a deauth attack on 5 GHz:

 sudo mdk4 <interface> d -E <WLAN SSID>
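
From the monitoring side, a deauthentication flood like the ones above shows up as a burst of deauth frames between one claimed source and one destination. The following is an added example, not part of the original article, that counts such frames in a sliding time window; the tab-separated input format is an assumption (what a `tshark -T fields` export of `frame.time_epoch`, `wlan.fc.type_subtype`, `wlan.sa` and `wlan.da` would look like), and all MAC addresses and thresholds are constructed.

```python
from collections import defaultdict, deque

DEAUTH = 12  # 802.11 management frame subtype 12 (0x000c): deauthentication

def make_sample():
    """Constructed capture export (not real data), one frame per line:
    epoch time <TAB> type_subtype <TAB> source MAC <TAB> destination MAC."""
    lines = [
        "1701424800.0\t0x0008\taa:bb:cc:00:00:01\tff:ff:ff:ff:ff:ff",  # beacon
        "1701424801.0\t0x000c\taa:bb:cc:00:00:09\t10:20:30:40:50:61",  # one ordinary deauth
    ]
    # 50 deauth frames within 5 s that claim to come from a single AP
    lines += [f"{1701424900 + i * 0.1:.1f}\t0x000c\taa:bb:cc:00:00:01\t10:20:30:40:50:60"
              for i in range(50)]
    return lines

def detect_deauth_bursts(lines, threshold=10, window=5.0):
    """Return {(source, destination): peak frames per window} for every pair
    that exceeds `threshold` deauth frames inside a sliding `window` (seconds)."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        ts, subtype, src, dst = line.rstrip("\n").split("\t")
        if int(subtype, 0) != DEAUTH:  # accepts "0x000c" as well as "12"
            continue
        key, ts = (src.lower(), dst.lower()), float(ts)
        seen = recent[key]
        seen.append(ts)
        while ts - seen[0] > window:  # drop frames that left the window
            seen.popleft()
        if len(seen) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(seen))
    return peaks
```

Calling `detect_deauth_bursts(make_sample())` reports only the burst pair; the single ordinary deauth frame stays below the threshold.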

Alternative all-in-one frameworks

All-in-one frameworks that combine the activities described above in one piece of software are, for example, wifiphisher and wifipumpkin3.

Potential measures to protect against Evil Twins

Organisational measures are closely linked to personal measures. As an organisational measure, it can be established, for example, that different passwords must be used for different services and applications. This can prevent the same password being used for VPN access as for Wi-Fi access. In the corporate context, the operation of a structured and continuously improving information security management system can also be categorised as an organisational measure.

On the client side, care can be taken to ensure that devices are configured so that only TLS-encrypted connections (e.g. HTTPS) are permitted. This at least prevents the rogue access point from accessing data in plain text or manipulating it unnoticed.

The use of a VPN can also be recommended as a technical measure against MitM attacks. This is usually accompanied by increased information security through encryption of the traffic, which prevents transmitted data from being read or manipulated. In the context of a Wi-Fi MitM attack, a VPN hides the client's communication, encrypts the network traffic and hides metadata such as IP addresses or domain names.

Personal measures focus on the end user. Awareness-raising measures in particular can be derived in this context. It is important to sensitise users to the existing risks, make them aware and motivate them to support and implement the technical and organisational security measures. An easy-to-understand personal measure can be, for example, to pay attention to Wi-Fi names and other irregularities and to report these to the relevant reporting centres in the event of anomalies. This allows a quick response in the case of an emergency.
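
Watching for irregular Wi-Fi names can also be automated with the same airodump-ng reconnaissance data described earlier. The following is an added example, not part of the original article, that parses an airodump-ng CSV capture and flags access points advertising one of the organisation's SSIDs with an unknown BSSID or a different encryption setting, together with the clients associated to them; the SSIDs, MAC addresses and the inventory are constructed, hypothetical values.

```python
import csv

# Constructed sample in airodump-ng CSV layout plus an assumed AP inventory
# (all SSIDs and MAC addresses are hypothetical, not real data).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2023-12-01 10:00:00, 2023-12-01 10:05:00, 6, 130, WPA2, CCMP, PSK, -48, 300, 0, 0.0.0.0, 7, CorpNet,
02:11:22:33:44:55, 2023-12-01 10:03:10, 2023-12-01 10:05:00, 6, 54, OPN, , , -30, 120, 0, 0.0.0.0, 7, CorpNet,
AA:BB:CC:00:00:09, 2023-12-01 10:00:00, 2023-12-01 10:05:00, 11, 130, WPA2, CCMP, PSK, -70, 90, 0, 0.0.0.0, 9, GuestCafe,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
10:20:30:40:50:60, 2023-12-01 10:01:00, 2023-12-01 10:05:00, -40, 55, 02:11:22:33:44:55, CorpNet
"""
KNOWN = {"CorpNet": {"bssids": {"AA:BB:CC:00:00:01"}, "privacy": "WPA2"}}

def parse_airodump(text):
    """Split the CSV into access-point rows and station rows."""
    aps, stations, section = [], [], None
    for row in csv.reader(text.splitlines()):
        row = [field.strip() for field in row]
        if not row or not row[0]:
            continue
        if row[0] == "BSSID":
            section = aps
        elif row[0] == "Station MAC":
            section = stations
        elif section is not None:
            section.append(row)
    return aps, stations

def find_evil_twins(text, known):
    """Flag APs that advertise a known SSID but do not match the inventory."""
    aps, stations = parse_airodump(text)
    findings = []
    for row in (r for r in aps if len(r) >= 15):
        bssid, channel, privacy = row[0].upper(), row[3], row[5]
        essid = ",".join(row[13:-1])  # an ESSID may itself contain commas
        policy = known.get(essid)
        if policy is None:
            continue  # not one of our SSIDs
        reasons = []
        if bssid not in policy["bssids"]:
            reasons.append("BSSID not in inventory")
        if policy["privacy"] not in privacy.split():
            reasons.append(f"privacy {privacy}, expected {policy['privacy']}")
        if reasons:
            clients = [s[0] for s in stations if len(s) > 5 and s[5].upper() == bssid]
            findings.append({"essid": essid, "bssid": bssid, "channel": channel,
                             "reasons": reasons, "clients": clients})
    return findings
```

`find_evil_twins(SAMPLE_CSV, KNOWN)` returns one finding for the open "CorpNet" access point. A twin that also copies a legitimate BSSID is only caught by the encryption comparison, so the inventory check complements rather than replaces user reporting.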