We discussed earlier how to use Hostapd to configure our access point. In this example, we will also demonstrate another Kali Linux application, known as airbase-ng, to accomplish the same outcome. This is an alternative to the earlier procedure. When the wireless clients connect to our access point, we provide them with Internet connectivity through our wired Ethernet connection. While in this example, we assume that there is an available Ethernet connection on the attacker machine; this can also be accomplished via another wireless adapter or 3G/4G card.
Follow these steps:
- To begin, you will need a wireless adapter mapped to and enabled in the Kali Linux Virtual Machine. You can check the status of the adapter on Kali using the following command:
#ifconfigThe following output shows that the wireless adapter is up and ready for our attack setup.
#ifconfig –ashows all interfaces present in the system; in our case,wlan0is the wireless interface that we will use to set up our evil twin access point.
- Create a monitor mode interface on the
wlan0wireless interface. Depending on your unique configuration, the wireless interface may possibly be namedwlan1orwlan2. We will leverage the aircrack-ng suite of tools, specifically airmon-ng, to bring up this new monitor mode interface. Use the following command to start a monitor mode on thewlan0interface:#airmon-ng start wlan0The following screenshot shows the successful creation of the monitor mode interface on
wlan0, namedmon0. For monitor mode functions, we will be using this new virtual monitor interface rather than thewlan0interface directly.
- Use airbase-ng to create a new wireless access point. SSID and Channel will be the choice of the attacker; it should be chosen to reflect the target network. For this example. When an interface is specified, use the newly created monitor mode interface,
mon0:#airbase-ng –essid netgear –c 6 mon0You should be able to see something like what is shown in the following screenshot:
On the successful creation of the new access point, another new virtual interface named
at0will be created.Here are some airbase-ng options:
--essidSpecifies the SSID (the access point name) to be created
-cSignifies the channel on which the access point will be functioning
mon0The monitor mode interface
We have successfully created the new virtual access point interface. Now it is time to bridge the two networks with each other in order to provide Internet access to the wireless clients. Here, we assume that
eth0is the wired interface andat0is created by airbase-ng.mitmis the name of the bridged interface. - Creating a new bridged interface requires an additional package to be installed. The
brctlcommand used here is part of thebridge-utilspackage; use the apt package manager to install it with the following command:#apt-get install bridge-utils - To complete the creation of the new bridged interface, use the commands detailed as follows. This will create a new bridge interface, add the wired (Internet) and virtual AP interface, and assign IP addressing via DHCP.
Using either Hostapd or airbase-ng, the evil twin AP is now configured and ready to service client victims. The attacker is able to view which sites the clients are accessing through the access point; they can log the data for future reference and even alter the data using Ettercap. The key is getting the client to accept your access point and then using your position in the traffic flow to be able to capture sensitive information to further your penetration test.
Next, we'll demonstrate other techniques that can be leveraged once you've established your position as the MITM.