Evil-Twin and Evil-Portal Attack

Capturing credentials via an Evil Portal attack using a Pineapple WiFi

How does an Evil Twin attack work?

Evil Twin

An “Evil Twin” attack is a type of cybersecurity attack that is carried out by creating a WiFi access point that imitates or clones a legitimate WiFi network. This type of attack aims to trick devices into connecting to the malicious network instead of the legitimate network. Once a user has connected to the Evil Twin, the attacker can carry out a variety of malicious actions, from espionage to more elaborate attacks such as Man-in-the-Middle (MitM).

How does an Evil Portal attack work?

An Evil Portal attack involves presenting the user with a fake landing page or captive portal after they have connected to a WiFi network. This page may imitate that of an Internet service provider, a hotel, a cafe or even a system update, and usually asks the user to enter sensitive data such as credentials or credit card numbers. The steps generally involve the following:

  1. Connection Establishment: First, the attacker must get the target to connect to a controlled WiFi network, which could be an Evil Twin or any other type of unsecured network.
  2. Traffic Redirection: Once the user is connected, web traffic is redirected using techniques such as DNS manipulation or iptables rules, forcing the user to a specific web page: the Evil Portal.
  3. Portal Presentation: The user sees the fake home page and, if the attack is successful, enters their sensitive data believing that they are on a legitimate portal.
  4. Data Capture: The fake portal captures the entered data and sends it to the attacker, who can use it for malicious purposes.

How does a network redirect a client to the captive portal?

Redirection to a captive portal is usually done through a combination of firewall rules and DNS manipulation on the access point or server controlling the network. Here’s a high-level summary:

  1. Firewall Rules: When a new device connects to the network, firewall rules redirect all HTTP/HTTPS traffic from the device to the captive portal IP address. This is often done using iptables or other similar packet manipulation tools.
  2. DNS Manipulation: In addition to firewall rules, a fake or manipulated DNS server is often configured to resolve all name queries to the captive portal IP address. This way, when the user tries to navigate to any website, the DNS query redirects them to the portal.
  3. Session and Authentication: Once the user completes the interaction with the captive portal (either entering information or accepting terms and conditions), the firewall and DNS rules are updated to allow the device to access the network as usual.
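
The DNS manipulation described in step 2 leaves a simple fingerprint: unrelated public names all resolve to one address, usually a private one. The following script is an added example (not part of the original article and not Pineapple code) showing how a client or a monitoring host could check a batch of DNS answers for that fingerprint. The answer sets, the name list and the thresholds are constructed for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Address blocks a captive portal typically lives in (RFC 1918 private space).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample 1: answers seen right after joining a network whose DNS
# server resolves every name to the portal address.
HIJACKED_ANSWERS = {
    "example.com": "172.16.42.1",
    "wikipedia.org": "172.16.42.1",
    "github.com": "172.16.42.1",
    "connectivitycheck.example": "172.16.42.1",
}

# Constructed sample 2: answers from a network with normal resolution
# (documentation addresses, not the real addresses of these names).
NORMAL_ANSWERS = {
    "example.com": "203.0.113.10",
    "wikipedia.org": "198.51.100.7",
    "github.com": "192.0.2.33",
    "connectivitycheck.example": "203.0.113.44",
}


def analyse_dns_answers(answers, min_names=3, share_threshold=0.9):
    """Decide whether a set of name -> address answers looks like a DNS sinkhole.

    Returns a dict with the verdict and the evidence behind it. Unrelated
    public names all resolving to one address is the signature of the
    "resolve everything to the portal" trick; that address sitting in
    RFC 1918 space is a second, weaker indicator.
    """
    if len(answers) < min_names:
        return {"hijacked": False, "reason": "too few names to judge",
                "dominant_ip": None, "share": 0.0, "rfc1918": False}

    counts = Counter(answers.values())
    dominant_ip, dominant_count = counts.most_common(1)[0]
    share = dominant_count / len(answers)
    addr = ip_address(dominant_ip)
    in_rfc1918 = any(addr in net for net in RFC1918)

    hijacked = share >= share_threshold
    if hijacked:
        reason = f"{dominant_count}/{len(answers)} unrelated names resolve to {dominant_ip}"
        if in_rfc1918:
            reason += " (private address)"
    else:
        reason = "answers are diverse"
    return {"hijacked": hijacked, "reason": reason, "dominant_ip": dominant_ip,
            "share": share, "rfc1918": in_rfc1918}


if __name__ == "__main__":
    for label, sample in (("hijacked sample", HIJACKED_ANSWERS),
                          ("normal sample", NORMAL_ANSWERS)):
        verdict = analyse_dns_answers(sample)
        print(f"{label}: hijacked={verdict['hijacked']} ({verdict['reason']})")
```

In practice the answers would come from live lookups of a handful of unrelated names issued right after association; operating systems perform a similar connectivity probe to decide whether to show a captive-portal prompt. A positive verdict is a reason to treat the network as untrusted: do not enter credentials on a page reached through redirected lookups, and prefer HTTPS destinations whose certificate the browser can actually validate.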

Evil Portal Module

The Evil Portal module provides a graphical interface for configuring and deploying an Evil Portal attack in a largely automated way. To use it, we must first install it from the Modules section of the left panel.

Once the module is installed, we must clone the following repository:

Evil Portals from Kleo

Next, we must follow the steps indicated in the repository to copy the portals via SCP to the /root/portals path on the Pineapple WiFi. Once copied, the portals appear in the portal library of the Evil Portal module.

To enable the Evil Portal, we must start the web service and enable the portal to which clients connecting to the fake AP will be redirected; in this case Starbucks.Login is enabled. Finally, we simply press the Start button.

Configure the Open AP

The first thing to do once the Evil Portal module is installed and configured is to configure the Open AP. The option to hide the Open Access Point must be checked to avoid suspicion, and the option that makes the APs in the Spoofed AP Pool respond to probe requests must also be checked. With this configuration, clients will be able to connect to the APs listed in the Spoofed AP Pool.

Add SSIDs to the Spoofed AP Pool

Now we must add the SSIDs that we want to impersonate to the Spoofed AP Pool.
When you add an SSID to the “Spoofed AP Pool” on a Pineapple WiFi, you are configuring the device to broadcast that SSID as if it were a legitimate WiFi network. In simple terms, Pineapple WiFi will start broadcasting the specified SSID as an open network or as a network that appears to be legitimate. This way, any nearby device that is looking for that particular network could connect to the Pineapple WiFi thinking it is a legitimate network.

Here is a breakdown of what happens on a technical level:

  1. Beacon Frames Transmission: The Pineapple WiFi will begin transmitting “beacon frames” with the SSID that you have added to the Spoofed AP Pool. These “beacon frames” are packets that announce the existence of a WiFi network.
  2. Scan and Connect: Nearby devices scan for known WiFi networks. If they have previously been connected to an SSID that matches the one you added to the pool, they will likely try to connect automatically.
  3. Connection Establishment: Once a device attempts to connect to the broadcast SSID, the WiFi Pineapple can accept the connection, acting as an access point.
  4. Traffic Interception: Now that the target device is connected to the Pineapple WiFi, all of its network traffic passes through the device. This offers the opportunity to carry out MitM attacks, packet capture, and other types of malicious or investigative activities.
  5. Traffic Manipulation: In this phase, an attacker could carry out different types of attacks, from simply spying on traffic to modifying it to inject malware or redirect the user to malicious websites.
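
Because steps 1 and 2 above rely on beacon frames and on the client's saved-network list, the same data can be used on the defensive side. The following script is an added example (not part of the original article and not Pineapple code): it takes a constructed scan result and a constructed list of remembered networks, groups beacons by SSID and flags the classic evil-twin signatures, namely one SSID advertised with different security settings, a remembered secured network showing up as open, and one SSID served by radios from different vendor OUIs. The BSSIDs, SSIDs and profile data are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BeaconObservation:
    """One access point seen in a scan (what a client learns from beacon frames)."""
    ssid: str
    bssid: str
    security: str  # "open", "wpa2" or "wpa3" as parsed from the beacon's RSN element
    channel: int


# Constructed: networks the client remembers, and the security each one had.
KNOWN_PROFILES = {"Star Bucks Free Wifi": "open", "CorpWiFi": "wpa2"}

# Constructed scan: two legitimate CorpWiFi radios, an open clone of CorpWiFi
# from a different vendor OUI, and an open "Star Bucks Free Wifi" seen twice.
SAMPLE_SCAN = [
    BeaconObservation("CorpWiFi", "aa:bb:cc:00:00:01", "wpa2", 36),
    BeaconObservation("CorpWiFi", "aa:bb:cc:00:00:02", "wpa2", 44),
    BeaconObservation("CorpWiFi", "00:13:37:de:ad:01", "open", 6),
    BeaconObservation("Star Bucks Free Wifi", "00:13:37:de:ad:02", "open", 1),
    BeaconObservation("Star Bucks Free Wifi", "00:13:37:de:ad:02", "open", 1),
]


def oui(bssid: str) -> str:
    """First three octets of a BSSID: the vendor (OUI) portion of the MAC address."""
    return bssid.lower()[:8]


def find_evil_twin_candidates(scan, known_profiles):
    """Group beacons by SSID and return alert dicts for SSIDs that look cloned."""
    by_ssid = defaultdict(set)
    for obs in scan:
        by_ssid[obs.ssid].add(obs)  # set membership drops duplicate beacons

    alerts = []
    for ssid, observations in sorted(by_ssid.items()):
        bssids = sorted(o.bssid for o in observations)
        securities = {o.security for o in observations}
        ouis = {oui(b) for b in bssids}
        remembered = known_profiles.get(ssid)

        def alert(signal, severity):
            alerts.append({"ssid": ssid, "signal": signal,
                           "severity": severity, "bssids": bssids})

        # Signal 1: one SSID advertised with different security settings.
        if len(securities) > 1:
            alert("mixed-security", "high")
        # Signal 2: a network the client remembers as secured is now open,
        # which is exactly what an auto-joining client must not accept.
        if remembered and remembered != "open" and "open" in securities:
            alert("remembered-secure-seen-open", "high")
        # Signal 3: one SSID served by radios from different vendors
        # (normal in some mixed deployments, so only a low-severity hint).
        if len(ouis) > 1:
            alert("multiple-vendor-ouis", "low")
    return alerts


if __name__ == "__main__":
    for a in find_evil_twin_candidates(SAMPLE_SCAN, KNOWN_PROFILES):
        print(f"[{a['severity']}] {a['ssid']}: {a['signal']} via {', '.join(a['bssids'])}")
```

Note what the script cannot do: an open network cloned as an open network, the article's "Star Bucks Free Wifi" case, is indistinguishable from the real thing at the beacon level, which is why the practical mitigations are to forget open networks after use, disable auto-join for them, and never enter credentials into a portal that appears on such a network.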

In this case we are going to add the SSID “Star Bucks Free Wifi”.

When scanning the nearby WiFi networks we can see that the network that we just added to the Spoofed AP Pool appears.

When we connect to the Fake AP that we just created from another device, we will be automatically redirected to the Evil Portal where we will be asked for credentials to access.

When the credentials are entered, a notification is sent to the Pineapple WiFi indicating that someone has fallen into the trap, and the data entered can be seen in the captive portal logs.


© 2023. All rights reserved.