We hear it nearly every time we are some place where we need to access e-mail, banking, social media and even instant messaging. "Never use an access point that you are unsure of." It's beat into us all the time regarding the ramifications in which may occur if we "accidentally" associate with an access point that is "evil." More over, evil twin access points leverage our trust and we probably don't even know it.
The goal of this article is to discuss how an attacker may go about setting up an evil twin, and also sniffing traffic directly from the access point. Within this example we are using two computer for the article. The first one is a windows box, a Linux box and finally an OS X box. We've gone through setting up the network in a specific manor in which will allow us to sniff the traffic -- set the access points to the network. Please be advised that the Hub that we are using has been phased out quite a few years ago. None-the-less you can find a few of them floating around on amazon. The hub is a Linksys Ethernet 5-port workgroup hub. From there it is hooked up to a modified Linksys WRT54GS that has been modified with a custom firmware. From these points the access point and hub are then attached to our POC (point of contact) placed within the DMZ as any other location further up the network would compromise our security (yes we are conscience hackers for our own needs).
Although we were going to attempt to set up an evil twin that was with the same name as our neighbor, we did not. Too much work for testing and reporting :-X Instead the tests you see are all internal and within our own network.
For the tools segment you will need the following things. First you will need either A) A network tap, or B) a Hub if you can get your hands on one. If you can get any one of these objects you are well on your way to doing some pwnage. Before we begin we do need to jump into some specifications. And, yes we are taking these specifications from the CCNA (ICND2).
Network Tap & Hub Specifications
Depending on your specifications of the network that you are tapping into, or the speed of the network you are on you might need to do a few things before jumping into this exercise. Coming from a penetration testing prospective you don't readily want to have the entire network bog down because you need to catch Jane in accounting connecting to any access point because her security morals are just like her personal ones. There are some things to consider.
For the most part, if you have a 10/100 link speed, and a 54Mbps connection that is fine. You can throw in a hub that operates at 10/100 there will be no issues to speak of. Now, if you have a network that is end-to-end gigabit and you throw in a 10/100 802.11BG device with a 10/100 hub, we have a bit of a problem. Why is this much of a problem? Well, for starters your devices will actually negotiate the slowest speed of that network and slow down your devices to that speed. Huh? Anthony WTF are you talking about? Well, say you have a gigabit switch on your network, it is possible for the switch to operate at 10, 100, or 1000 Mbps. All devices are having a gigabit party when all of a sudden Susie stupid comes along and plugs in a device that only goes up to 100Mbps (10/100), the switch has to now step down from the gigabit party to an old peoples bingo extravaganza. Simply put, it's like taking someone who is learning a language and throwing them into a fast paced rapidly speaking situation. Now everyone has to slow down.
The problems that this may cause are extreme bottlenecks for a corporation that is dependent on fast network speeds. So, if you enter a location doing something like this chances are -- you're going to get thrown out. This will definitely create a DoS, a beautifully inadvertent DoS. The same thing for hubs can be said for network taps. Know what you are getting into before you get into it.
Within any sniffing situation you will need a few tools. First and foremost we've done some of our testing with dsniff, wireshark, and if you'd like tcpdump. Also for the simplicity of things we've also used a Kali Linux distribution that had all of the packages we normally use pre-installed for our beautiful needs.
Should you be starting out with doing something like this, you can issue the following commands within a Debian / Ubuntu based Linux (sudo apt-get install wireshark dsniff tcpdump --yes) that should install the packages for you and automatically say yes. The commands that we've used for the "attack" are posted within the video at the end, so you should have a pretty easy time when doing this. For any other operating systems where you'd want to download these packages you can use the following links: Wireshark Download, TCP Dump for Windows. Some of these tools should come with the WinPcap files but if they don't download them from the same location Win Pcap Page
Evil Twin Video