A technical demo presentation showing an Evil Twin attack in action. The demo shows the attack from the victim, attacker, and evil twin perspectives. Background information is available. Full report is available at http://www.ericgoldman.name
2. I. Overview & Purpose of Attack
II. Equipment & Software Used
III. Attack Demonstration
IV. Comments & Thoughts
V. Questions
More presentations & reports: http://www.ericgoldman.name 2
3. What is an Evil Twin attack?
The Evil Twin is a Rogue AP Attack
Pretend to be Real AP, trick users into connecting
Not required, but can DoS attack the Real AP
What does this attack accomplish?
All user connections to network through Evil Twin
Can now redirect traffic, filter traffic, and do any
of a number of Man in the Middle Attacks
4. How does it work?
We can create a fake AP using airbase-ng (part of
aircrack-ng suite) and a compatible Wi-Fi interface
Using another wireless or wired interface, all user
traffic is routed back to regular network/Internet
Windows XP will often automatically switch to a
better connection without asking the user
Untrained user may even connect to Fake AP
manually because the SSID looks correct
5. Real AP: Linksys WRT54Gv5
Standard Firmware, Version 1.02.5
Fake AP: IBM t42 Laptop
Running Backtrack 4 Beta Live CD
Monitor/Capture: IBM t42 Laptop
Running Backtrack 3 Live CD
Victim: IBM t42 Laptop
Running Windows XP SP3
Windows managed Wi-Fi
6. Wireless Capturing
Aircrack-ng suite* (airmon-ng, airodump-ng)
Wireshark used for post-capture analysis
Fake AP
Access Point Functionality
▪ Aircrack-ng suite (airmon-ng, airbase-ng)
Client services provided by
▪ ISC dhcpd3, Netfilter’s iptables
*http://www.aircrack-ng.org
7. Overview Information
Client MAC Address: 00:0E:9B:6E:28:7D
Real AP MAC Address: 00:14:BF:CF:C3:AE
Fake AP MAC Address: 00:0E:9B:BF:AA:B2
Real AP Subnet: 129.168.1.0/24
Fake AP Subnet: 10.0.0.0/24
8. Real AP Configuration
The Real AP is a Linksys WRT54G-v5
No special settings
SSID: “Group5Test”
Channel: 2 (2.147 GHz)
Video is on the next slide
9. 3rd Party Attack Capture
Used airodump-ng to capture traffic
Terminal on Left: Real AP Filtered
Terminal on Right: Fake AP Filtered
Notice how the client connects to the Fake
AP soon after it is brought up
See the video on the next slide
10. Fake AP View of Attack
Terminal on Right: Launching Fake AP with
airbase-ng, mimicking Real AP settings
Terminal on Left: Scripted DHCP and routing
for client setup run after Fake AP started
Watch for Client authentication (right
terminal), then DHCP change (left terminal)
See the video on the next slide
11. Victim View of the Attack
Victim is already connected to the Real AP
The Fake AP is started, and the victim switches
to the Fake AP without any user intervention
Watch for the connection to go down, then for
DHCP information to change:
Originally 129.168.1.100, Fake AP gives 10.0.0.100
Video is on the next slide
12. The Fake AP mimics settings of the real AP
The Fake AP provides stronger signal with the
same settings, client automatically switches
The client still has outside connection, and
the SSID is the same, hard to tell they have
been switched to a rogue AP
Now all traffic is going through the Fake AP,
can use Fake DNS or do other Man in the
Middle attacks on the Victim
13. Preventing Evil Twin Attacks
Deploy Wireless Intrusion Prevention System
Use low-level authentication (LEAP, etc.)
Perform regular site-surveys to find rogue APs
Do not allow client workstations to automatically
select and connect to Wi-Fi networks
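A site-survey check for the condition this demo relies on, as an added example that is not part of the original presentation: the same SSID advertised by a BSSID the operator does not own, typically at a stronger signal than the real AP. The survey rows are constructed in the style of airodump-ng's CSV export, using the SSID and MAC addresses from the slides; the allowlist of authorized BSSIDs is assumed to come from the operator's own AP inventory.

```python
"""Rogue-AP / evil-twin check over an access-point survey (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample in airodump-ng CSV style, trimmed to the columns used here.
# Real AP (Linksys) and the demo's fake AP both advertise "Group5Test" on ch. 2.
SURVEY_CSV = """\
BSSID, channel, Power, ESSID
00:14:BF:CF:C3:AE, 2, -62, Group5Test
00:0E:9B:BF:AA:B2, 2, -38, Group5Test
00:11:22:33:44:55, 6, -70, OtherNet
"""


def parse_survey(text):
    """Parse survey CSV into dicts: bssid, channel, power (dBm), essid."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), skipinitialspace=True):
        rows.append({
            "bssid": row["BSSID"].strip().upper(),
            "channel": int(row["channel"]),
            "power": int(row["Power"]),
            "essid": row["ESSID"].strip(),
        })
    return rows


def find_evil_twins(rows, authorized):
    """Return {essid: [rogue rows, strongest first]} for every SSID that an
    authorized AP advertises and that is also seen from an unknown BSSID.

    `authorized` maps SSID -> set of BSSIDs the operator owns. A second BSSID
    with the same SSID is normal in a multi-AP deployment, which is why the
    check is against an inventory rather than "more than one BSSID".
    """
    seen = defaultdict(dict)
    for r in rows:
        seen[r["essid"]][r["bssid"]] = r
    alerts = {}
    for essid, aps in seen.items():
        own = {b.upper() for b in authorized.get(essid, ())}
        rogue = [aps[b] for b in aps if b not in own]
        if own and rogue:
            # Strongest rogue first: that is the one clients will prefer.
            alerts[essid] = sorted(rogue, key=lambda r: r["power"], reverse=True)
    return alerts
```

Feed the real airodump-ng CSV (which has more columns than the sample) to `parse_survey` unchanged; it keys on column names, not positions.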