Eric Goldman: http://www.ericgoldman.name presents

I. Overview & Purpose of Attack
II. Equipment & Software Used
III. Attack Demonstration
IV. Comments & Thoughts
V. Questions
More presentations & reports: http://www.ericgoldman.name 2

 What is an Evil Twin attack?
 The Evil Twin is a Rogue AP Attack
 Pretend to be Real AP, trick users into connecting
 Not required, but can DoS attack the Real AP
 What does this attack accomplish?
 All user connections to network through Evil Twin
 Can now redirect traffic, filter traffic, and do any
of a number of Man in the Middle Attacks
More presentations & reports: http://www.ericgoldman.name 3

 How does it work?
 We can create a fake AP using airbase-ng (part of
aircrack-ng suite) and a compatible Wi-Fi interface
 Using another wireless or wired interface, all user
traffic is routed back to regular network/Internet
 Windows XP will often automatically switch to a
better connection without asking user
 Untrained user may even connect to Fake AP
manually because the SSID looks correct
More presentations & reports: http://www.ericgoldman.name 4

 Real AP: Linksys WRT54Gv5
 Standard Firmware, Version 1.02.5
 Fake AP: IBM t42 Laptop
 Running Backtrack 4 Beta Live CD
 Monitor/Capture: IBM t42 Laptop
 Running Backtrack 3 Live CD
 Victim: IBM t42 Laptop
 Running Windows XP SP3
 Windows managed Wi-Fi
More presentations & reports: http://www.ericgoldman.name 5

 Wireless Capturing
 Aircrack-ng suite* (airmon-ng, airodump-ng)
 Wireshark used for post-capture analysis
 Fake AP
 Access Point Functionality
▪ Aircrack-ng suite (airmon-ng, airebase-ng)
 Client services provided by
▪ ISC dhcpd3, Netfilter’s iptables
*http://www.aircrack-ng.org
More presentations & reports: http://www.ericgoldman.name 6

Overview Information
 Client MAC Address: 00:0E:9B:6E:28:7D
 Real AP MAC Address: 00:14:BF:CF:C3:AE
 Fake AP MAC Address: 00:0E:9B:BF:AA:B2
 Real AP Subnet: 129.168.1.0/24
 Fake AP Subnet: 10.0.0.0/24
More presentations & reports: http://www.ericgoldman.name 7

Real AP Configuration
 The Real AP is a Linksys WRT54G-v5
 No special settings
 SSID: “Group5Test”
 Channel: 2 (2.147 GHZ)
Video is on the next slide
More presentations & reports: http://www.ericgoldman.name 8

3rd Party Attack Capture
 Used airodump-ng to capture traffic
 Terminal on Left: Real AP Filtered
 Terminal on Right: Fake AP Filtered
 Notice how the client connects to the Fake
AP soon after it is brought up
See is on the next slide
More presentations & reports: http://www.ericgoldman.name 9

Fake AP View of Attack
 Terminal on Right: Launching Fake AP with
airebase-ng, mimicking Real AP settings
 Terminal on Left: Scripted DHCP and routing
for client setup run after Fake AP started
 Watch for Client authentication (right
terminal), then DHCP change (left terminal)
See is on the next slide
More presentations & reports: http://www.ericgoldman.name 10

Victim View of the Attack
 Victim is already connected to the Real AP
 The Fake AP is started, and the victim switches
to the Fake AP without any user intervention
 Watch for the connection to go down, then for
DHCP information to change:
Originally 129.168.1.100, Fake AP gives 10.0.0.100
Video is on the next slide
More presentations & reports: http://www.ericgoldman.name 11

 The Fake AP mimics settings of the real AP
 The Fake AP provides stronger signal with the
same settings, client automatically switches
 The client still has outside connection, and
the SSID is the same, hard to tell they have
been switched to a rogue AP
 Now all traffic is going through the Fake AP,
can use Fake DNS or do other Man in the
Middle attacks on the Victim
More presentations & reports: http://www.ericgoldman.name 12

 Preventing Evil Twin Attacks
 Deploy Wireless Intrusion Prevention System
 Use low-level authentication (LEAP, etc)
 Perform regular site-surveys to find rogue APs
 Do not allow client workstations to automatically
select and connect to Wi-Fi networks
More presentations & reports: http://www.ericgoldman.name 13