2.5 - Attack "Evil Twin" spoofing the SSID and MAC of the AP
- The "Evil Twin" attack consists of the attacker introducing a new AP that shares the same name (SSID) and/or the same MAC address as the legitimate AP of the authorized network. In that way, some unaware users could connect to the malicious AP believing that it is a trustworthy AP. Once this connection is made, the attacker can act as a Man-In-The-Middle (MITM), getting access to all the client's packets.
a) spoofing only the SSID (name of the network)
- First of all, we show information about the legitimate AP (00:25:F2:9B:91:23) and its network called "spaniard":
- The laptop "roch" (28:C6:8E:63:15:6B) is connected to the legitimate AP (00:25:F2:9B:91:23):
- Next, a new and fake AP is created using the airbase-ng command. The fake MAC address is AA:AA:AA:AA:AA:AA, the SSID is "spaniard" (imitating the legitimate one), and it works on channel 6:
- Wireshark captures broadcast Beacon frames from the new AP, whose BSSID = AA:AA:AA:AA:AA:AA, announcing its SSID = "spaniard":
- Also, some seconds after the creation of the fake AP, the client "roch" detects the existence of this new AP, called "spaniard" like the legitimate one:
- Now, let's connect the client "roch" to the fake AP. Remember that the attacker could achieve this just by deauthenticating the client (or all clients) and waiting for the client to reconnect by itself, as shown in the previous example 9.2. In this case, however, it will be done manually for the ease of this demonstration:
- Checking what is happening at the fake AP (AA:AA:AA:AA:AA:AA) with airodump-ng, we can verify that the client "roch" is connected to the attacker's newly created AP. As seen in the image, the fake AP does not have any authentication (OPN = open):
- So, as a result of the creation of the fake AP "spaniard", the client or victim "roch" would not be able to differentiate between the good "spaniard" AP and the evil "spaniard" AP.
- The final deciding factor for connecting would be the signal strength, because the client would connect to the one with the higher signal strength, which usually depends on proximity. In this way, the attacker achieves the goal of having the victim connected to the fake AP, in the false belief that it is connected to the legitimate one.
b) spoofing the ESSID (name of the network) and the BSSID (MAC address)
- In the previous example we used a very easy to discover MAC (AA:AA:AA:AA:AA:AA); now not only the ESSID but also the BSSID or MAC address will be spoofed.
- Using the airbase-ng command again, a new AP is created with both ESSID and BSSID imitating the legitimate AP:
- The fake network is detected by airodump-ng, showing that it does not use encryption (OPN = open):
- But airodump-ng also detects the legitimate network, with WPA-PSK CCMP encryption:
- So, although working in different bands and channels, there are 2 networks and APs sharing the same SSID ("spaniard") and the same BSSID (00:25:F2:9B:91:23).
- Any client could connect to the attacker's AP, being unaware of the deception.
- Also, using the Vistumbler network detector, both "spaniard" networks are available, with the same MAC address:
- As can be seen in the previous screenshot, the only difference between both "spaniard" networks is the authentication type: the legitimate one uses WPA2-CCMP and the evil one uses Open authentication. Which one of the two would an unaware user pick? If his knowledge about Wi-Fi security is low, he would probably choose the open one, falling into the attacker's trap.
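From the defender's side, both cases above leave a footprint in the beacon data a wireless IDS (or a periodic airodump-ng sweep) already collects: case a) is an authorized SSID advertised by a BSSID not in inventory, and case b) is an inventoried BSSID beaconing with a security profile (OPN instead of WPA2-CCMP) or on channels that do not match the inventory. The following is an added example, not part of the original write-up; the inventory and the observation records are constructed from the values quoted above, with the legitimate AP's channel (11) and the extra "guestnet" network assumed for illustration.

```python
from collections import defaultdict

# Constructed inventory of authorized APs (BSSID and ESSID taken from the write-up;
# the WPA2-CCMP profile is the one airodump-ng reported for the legitimate AP).
KNOWN_APS = {
    "00:25:F2:9B:91:23": {"essid": "spaniard", "privacy": "WPA2", "cipher": "CCMP"},
}

# Constructed beacon observations in airodump-ng column order:
# (BSSID, channel, ENC, CIPHER, ESSID). Channel 11 for the legitimate AP is assumed.
OBSERVED = [
    ("00:25:F2:9B:91:23", 11, "WPA2", "CCMP", "spaniard"),  # legitimate AP
    ("AA:AA:AA:AA:AA:AA", 6, "OPN", "", "spaniard"),        # case a): SSID cloned only
    ("00:25:F2:9B:91:23", 6, "OPN", "", "spaniard"),        # case b): SSID and BSSID cloned
    ("11:22:33:44:55:66", 1, "WPA2", "CCMP", "guestnet"),   # unrelated, assumed network
]


def detect_evil_twins(observed, known):
    """Return (bssid, reason) alerts for beacons that collide with the AP inventory."""
    alerts = []
    known_ssids = {ap["essid"] for ap in known.values()}
    channels_by_bssid = defaultdict(set)
    for bssid, chan, enc, cipher, essid in observed:
        channels_by_bssid[bssid].add(chan)
        if essid in known_ssids and bssid not in known:
            # Case a): our SSID is being advertised by a radio we do not own.
            alerts.append((bssid, f"unknown BSSID advertising inventoried SSID {essid!r}"))
        elif bssid in known:
            # Case b): our BSSID announces a security profile that differs from inventory
            # (here OPN versus WPA2-CCMP), which a genuine AP would not do.
            ap = known[bssid]
            if enc != ap["privacy"] or cipher != ap["cipher"]:
                alerts.append((bssid, f"inventoried BSSID seen as {enc or 'OPN'} "
                                      f"instead of {ap['privacy']}-{ap['cipher']}"))
    # One BSSID beaconing on several channels at once is worth review: most APs use a
    # distinct BSSID per radio, so this is a common sign of a cloned MAC address.
    for bssid, chans in channels_by_bssid.items():
        if len(chans) > 1:
            alerts.append((bssid, f"same BSSID beaconing on channels {sorted(chans)}"))
    return alerts


if __name__ == "__main__":
    for bssid, reason in detect_evil_twins(OBSERVED, KNOWN_APS):
        print(f"ALERT {bssid}: {reason}")
```

On the constructed data this raises three alerts: the AA:AA:AA:AA:AA:AA twin from case a), and the spoofed 00:25:F2:9B:91:23 from case b) both for its open profile and for appearing on two channels.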