Creating a fake Evil Twin Wi-Fi hotspot

Carding

Everything brilliant is simple. And before you start brute-forcing hashes and sorting through WPS passwords, it's best to start with something simple. The attack that we will discuss today is effective in the immediate vicinity of the attacked access point. The more powerful your signal, the more effective the attack. The effect depends directly on the area covered by the attacked access point. For example, if you are located in an office building, the access point is in one office, the client is in another, and you and your laptop managed to fit into the corridor between them, this is a direct profit. In this article we will talk about how to implement such an attack and how to get the maximum power out of your Wi-Fi adapter.

What is a fake access point?

A fake or rogue access point is one that behaves exactly like the real one and forces the end user to connect to it. In the aircrack-ng suite there is a tool called airbase-ng that you can use to turn your wireless adapter into an access point. This is a powerful client-side attack that allows you to see all of the traffic and conduct a man-in-the-middle attack.

What shall we do

In this scenario, we will assume the role of a private investigator. A client has asked us to investigate the possibility that his neighbor is downloading and selling child pornography. We need to find out if this is really the case, and then gather evidence against him.

Step 1: Launch Airmon-Ng

First, we need to check if our wireless card is working.

Code:
bt > iwconfig

Launch Airmon-Ng

As you can see, our wireless card is fully functional and is called wlan0. The next step is to switch the wireless card to monitor mode, also called promiscuous mode. To do this, run the following command:

Code:
bt > airmon-ng start wlan0

airmon-ng start wlan0

Airmon-ng switched our card to monitor mode and changed its name to mon0. Now our card is able to receive any wireless traffic.

Step 2: Run Airodump-Ng

Next, we need to start intercepting traffic using our wireless card. To do this, enter:

Code:
bt > airodump-ng mon0

Run Airodump-Ng

We see all wireless access points within range, as well as their important statistics. The neighbor suspected of downloading and selling child pornography uses an access point with the SSID "Elroy".

If we do everything right, we can clone his access point and force him to connect to our rogue wireless access point. After that, we will be able to monitor all his traffic and insert our own packets/messages/code into his computer.

Step 3: Wait for the suspect to connect to the access point

Now all we have to do is wait for the suspect to connect to his access point. Once this happens, you will see a corresponding message at the bottom of the airodump-ng screen.

Step 4: Create a new access point with the same SSID and MAC address

After the suspect connects to their access point, we can use airbase-ng to create a fake access point. Open a new terminal window and type:

Code:
bt > airbase-ng -a 00:09:5B:6F:64:1E --essid "Elroy" -c 11 mon0

Create a new access point with the same SSID and MAC address

Where 00:09:5B:6F:64:1E is the BSSID, Elroy is the SSID, and -c 11 is the channel of the suspect's access point.

Step 5: Deauthenticate or disconnect from the access point

Now we need to disconnect the "neighbor" from his access point. In the 802.11 standard there is a special frame called deauthentication, which, as you might expect, throws everyone off the access point. When his computer tries to reconnect, it will connect to the access point with the ESSID "Elroy" that has the strongest signal.

To do this, we can use aireplay-ng with the deauth packet:

Code:
bt > aireplay-ng --deauth 0 -a 00:09:5B:6F:64:1E mon0

Note that we reused his BSSID in the aireplay-ng command. If our signal is stronger than that of his own access point, the suspect will automatically connect to our fake network!

Step 6: Increase the fake point power

One of the most important aspects of hacking with this method is that the fake access point's signal must be stronger than the original access point's signal. If we don't have physical access, this can be a critical weakness. In airports and other public places there is no problem, but in this scenario we do not have physical access, and it is very likely that his access point is closer and transmits a more powerful signal than ours. But don't despair!

First, we can increase the transmit power of our own access point. This may work because most access points automatically reduce their signal strength to the minimum value that is sufficient to maintain client connections. To raise the power of your access point to the maximum, enter:

Code:
iwconfig wlan0 txpower 27

After executing this command, the power of our access point will come very close to the legal limit in the United States of 27 dBm or 500 milliwatts.

In some cases, even increasing the power to 500 mW may not be enough. If we try to raise the signal strength of our Alfa wireless card to the maximum possible 1000 mW or 30 dBm, we will get an error message, which you can see in the screenshot below (some of the newer cards are capable of transmitting a signal of up to 2000 mW, which is four times higher than the limit allowed in the United States).

Code:
iwconfig wlan0 txpower 30

Increasing the power of the access point

Each country has its own laws governing Wi-Fi. Some countries allow the use of more channels and higher signal power than the United States. For example, Bolivia allows you to use 12 channels and 1000 mW of power. To switch our card to the Bolivian restrictions, just enter:

Code:
iw reg set BO

Being in the regulatory domain of Bolivia, we can increase the power of our signal to the maximum by using the following command:

Code:
iwconfig wlan0 txpower 30

Check the output power with the command:

Code:
iwconfig

Increasing the power of your own access point

Judging by the end of the second line, the power of our signal is now 30 dBm or 1000 mW. This is enough to overcome any local access point, even at a distance of several houses!

Fake access point works

Now that a neighbor has connected to our access point, we can analyze their activities.

For example, we can use an application like Ettercap to perform a man-in-the-middle attack. Thanks to this, we will be able to intercept and analyze his traffic and even send our own traffic to his computer. In other words, because he connected to our access point, we got full control over all of his incoming and outgoing data. If he is actually uploading child porn, we'll see it.

In addition, we can intercept emails and passwords for other applications and networks. If you want to get more information, we can even implant Meterpreter or another wiretapping application on his system.
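From the defender's side, the attack described above leaves two footprints that a passive monitor can watch for: a burst of deauthentication frames aimed at a BSSID, and beacons for one BSSID whose signal strength or channel suddenly changes once the clone starts transmitting. The following detector is an added example, not code from the post; the frame records are constructed, and only the BSSID is the one quoted above.

```python
from collections import defaultdict, deque

# Constructed sample frames: (time_s, subtype, bssid, channel, rssi_dbm).
# The BSSID is the one quoted in the post; everything else is made up.
SAMPLE_FRAMES = [
    (0.00, "beacon", "00:09:5B:6F:64:1E", 11, -62),
    (0.10, "beacon", "00:09:5B:6F:64:1E", 11, -63),
    (0.20, "beacon", "00:09:5B:6F:64:1E", 11, -61),
    (0.30, "beacon", "AA:BB:CC:DD:EE:01", 6, -70),   # unrelated neighbouring AP
    # twelve deauth frames in half a second, carrying the real AP's BSSID
    *[(0.40 + 0.04 * i, "deauth", "00:09:5B:6F:64:1E", 11, -30) for i in range(12)],
    # the clone starts beaconing with the same BSSID, about 30 dB stronger
    (1.00, "beacon", "00:09:5B:6F:64:1E", 11, -29),
    (1.10, "beacon", "00:09:5B:6F:64:1E", 11, -30),
    (1.20, "beacon", "AA:BB:CC:DD:EE:01", 6, -71),
]


def deauth_bursts(frames, window_s=1.0, threshold=10):
    """Map BSSID -> highest number of deauth frames seen in any sliding
    window of `window_s` seconds, for BSSIDs that reach `threshold`.
    A client leaving normally sends one or two deauths, not dozens."""
    recent = defaultdict(deque)
    peaks = {}
    for t, subtype, bssid, _ch, _rssi in frames:
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(t)
        while t - q[0] > window_s:          # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[bssid] = max(peaks.get(bssid, 0), len(q))
    return peaks


def beacon_anomalies(frames, rssi_jump_db=20):
    """Map BSSID -> sorted reasons for beacons that change channel or jump
    more than `rssi_jump_db` from the running average RSSI. A second radio
    cloning the BSSID from a different spot usually shows up this way."""
    stats = {}      # bssid -> [channel, running_avg_rssi, count]
    flagged = {}
    for _t, subtype, bssid, ch, rssi in frames:
        if subtype != "beacon":
            continue
        s = stats.get(bssid)
        if s is None:
            stats[bssid] = [ch, float(rssi), 1]
            continue
        if ch != s[0]:
            flagged.setdefault(bssid, set()).add("channel-change")
        if abs(rssi - s[1]) > rssi_jump_db:
            flagged.setdefault(bssid, set()).add("rssi-jump")
        s[2] += 1
        s[1] += (rssi - s[1]) / s[2]        # update the running average
    return {b: sorted(r) for b, r in flagged.items()}


if __name__ == "__main__":
    print("deauth bursts:   ", deauth_bursts(SAMPLE_FRAMES))
    print("beacon anomalies:", beacon_anomalies(SAMPLE_FRAMES))
```

The thresholds are starting points; tune the window and RSSI jump against a baseline capture of your own network before alerting on them.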
 

Lord777

How to find a Wi-Fi device using a directional antenna
If, for example, you suspect a neighbor of being connected to your Wi-Fi network and can't verify your guesses, this technique can help you gather evidence.

If you've ever thought about tracking the source of Wi-Fi signal transmission, this task is relatively easy to solve when using the right equipment.

For example, using a directional Wi-Fi antenna and Wireshark, we can create a display filter for any target device within range in order to plot its signal strength. By pointing the antenna in different directions, we can easily determine where the signal is coming from by watching for power peaks on the graph.

Why search for a Wi-Fi signal
If you've ever seen someone else's Wi-Fi network, you've probably wondered if you can figure out where the signal is coming from. The source of this signal may be a suspicious access point that has appeared near your workplace, or a new network with a strong signal near your home, or a hotspot from a smartphone that seems to be high-power and is extremely close.

In any of the above cases, signal search can help detect client Wi-Fi devices. Accordingly, you can track the location of malicious devices that suddenly appear on your wireless network.
The idea of tracking radio signals is not something new, but for a novice researcher who wants to localize the source of a Wi-Fi network, initially the possibilities may seem limited. While walking around a nearby area with a device (such as a smartphone) that displays the signal strength, you can observe how you are approaching and moving away from the broadcast source. However, this method is not accurate enough, because the Wi-Fi signal bounces off walls and other obstacles.

When using this approach, there is a problem associated with a non-directional antenna, which has a radiation pattern similar to a doughnut. This pattern allows you to perfectly receive a signal from a nearby network in almost any direction, but it does not allow you to find the exact direction from which this signal originates.
Alternative: use an antenna with a narrow radiation pattern, such as a Yagi, panel or parabolic array. Unlike a doughnut diagram, a directional antenna receives a stronger signal when pointing at a target.

Using Wireshark to track signals
When the task is to visualize signal strength in order to track suspicious devices, Wireshark is very useful, since it can graph the strength of the signal transmitted by any nearby Wi-Fi device that we specify.

Although this feature is not well documented, the process of identifying the target device and displaying its signal strength graphically is surprisingly simple. Combined with a network adapter in monitor mode and a Wi-Fi antenna with a narrow radiation pattern, Wireshark can quickly reveal the location of any Wi-Fi device within range.

The process of searching for signals in Wireshark goes roughly as follows. First, we switch the network adapter to monitor mode and start scanning for targets with airodump-ng to find the channel the device is on. As soon as the channel our target broadcasts on is known, we can lock onto that channel to receive packets and display the received information graphically.

After locking onto the desired channel, we can open Wireshark, find packets from the device we want to track, and create a display filter so that only packets transmitted by that device are shown. Finally, we use a graph of signal strength over time and look for spikes while moving the directional antenna.

What you'll need
To follow this guide, you will need a computer on which you can run Wireshark and put a network adapter into monitor mode, which is possible on any Kali or Debian based system, or on a virtual machine running on macOS or Windows.

You will also need an external Wi-Fi network adapter that supports monitor mode. I recommend a model like the AWUS036NEH. If you are looking for something more rugged, the Alfa Tube-UN model is protected from moisture and designed for outdoor use. Finally, you'll need a directional Wi-Fi antenna, such as a panel antenna. A Yagi, a parabolic grid, or a can antenna is also suitable if you want to make your own directional antenna.

Step 1. Switch the card to monitor mode
First, connect the wireless network adapter to your Kali or Debian system, then use the ifconfig command to find out the name of the card. It should have a name like "wlan1". If it doesn't show up, run the ip a command to verify that the desired interface is up.

If your card is displayed when you run the ip a command but not when you run the ifconfig command, run the ifconfig wlan1 up command. Now the card should also be displayed when you run the ifconfig command.

Now switch the card to monitor mode using the command below. Your adapter name is assumed to be "wlan1" and the interface is up.

Code:
~# airmon-ng start wlan1

Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
  538 NetworkManager
  608 wpa_supplicant
 2446 dhclient

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k           Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
phy4    wlan1           rt2800usb       Ralink Technology, Corp. RT5372
                (mac80211 monitor mode vif enabled for [phy4]wlan1 on [phy4]wlan1mon)
                (mac80211 station mode vif disabled for [phy4]wlan1)

After switching to monitor mode, your card name should change to "wlan1mon". With the wireless network adapter in monitor mode, we can start listening to Wi-Fi traffic by running the following command:
Code:
~# airodump-ng wlan1mon

Step 2: Identifying the target and broadcast channel
In the previous step, we started listening for traffic using the following command:
Code:
~# airodump-ng wlan1mon

Now we should see a list of nearby networks, each of which is our potential target:
Code:
CH 10 ][ Elapsed: 0 s ][ 2019-08-04 03:33

 BSSID              PWR  Beacons  #Data, #/s  CH  MB    ENC   CIPHER  AUTH  ESSID
 CC:400:6C:731      -40        2      0    0   8  195   WPA2  CCMP    PSK   SuicideGirls
 C0:8AE:B9:CD8      -50        2      0    0   1  130   OPN                 SpectrumWiFi
 C0:8AE:79:CD8      -50        2      0    0   1  130   WPA2  CCMP    MGT   SpectrumWiFi Plus
 C0:8AE:39:CD8      -49        2      0    0   1  130   OPN                 CableWiFi
 00:9C:022:5E:B9    -65        2      0    0   1  54e.  WPA2  CCMP    PSK   HP-Print-B9-Officejet Pro 8600
 88:96:4E:50:FF:40  -45        3      0    0   1  195   WPA2  CCMP    PSK   ATTMfRfcmS
 78:96:84:00:B5:B0  -48        2      0    0   1  130   WPA2  CCMP    PSK   The Daily Planet

 BSSID              STATION            PWR   Rate   Lost  Frames  Probe
 C0:8AE:79:CD8      4A:F3:2A:2A:4E:E6  -68   0 - 1     0       2
Press Ctrl-C to stop the capture once the target network is found. Now we need to determine the channel on which the network we want to track operates. The listing above shows several networks. Suppose we want to monitor the network with the SSID "ATTMfRfcmS".

If we want to get a rough idea of where the network was previously visible, we can enter the BSSID on the site Wigle.net and view the results of previous observations. The picture below shows that our target was observed twice.

Location of the target wireless network

The most important piece of information from the airodump-ng listing is the channel number on which our target transmits. Now we know that it broadcasts on channel 1. We restart airodump-ng to scan only this channel.

Step 3. Listen to a specific channel and launch Wireshark
In the terminal, run the airodump-ng command again, but this time add the -c flag with the target channel number. For channel 1, the command looks like this:
Code:
# airodump-ng wlan1mon -c 1

It is extremely important to specify the channel, because Wireshark cannot control the wireless card itself, so we need airodump-ng running to keep the card on the correct channel and avoid losing packets while it hops across the wrong channels.

Once airodump-ng is running on the chosen channel (in our case, channel 1), it is time to start Wireshark. After opening Wireshark, select the "wlan1mon" card in monitor mode as the capture source, then click the blue shark fin icon in the upper-left corner of the screen to start capturing packets on channel 1.

Selecting a card for packet capture

You should now see a lot of packets being captured by Wireshark! The next task is to find a packet from the target device that will be used to create the display filter.

Step 4: Detect the target and create a display filter
Once we have a set of packets, we can search for beacon frames carrying the target network name. After clicking on the frame, click the arrow next to "IEEE 802.11" and note the "Transmitter address" or "Source address" fields; we will build a display filter on one of them so that only the target device is tracked.

Content of one of the target network's beacon frames

Right-click on the "Transmitter address" field, select "Apply as filter", and then "Selected" to create a display filter that shows only packets transmitted by the device with the specified BSSID. All packets transmitted from the network of interest will be displayed.

Creating a display filter

A new filter should appear in the filter bar that looks something like "wlan.ta ==" followed by the BSSID of the target wireless device. The logic of this filter is simple: "show only packets whose transmitter address equals the specified one".

As a result, we have isolated the device by two parameters: first, we found the channel on which the device broadcasts, and then we created a filter on the transmitter address of the device we are tracking. After isolating it, you can move on to displaying the signal strength as a graph.

Step 5. Graphical display of the filtered signal power
To display the signal strength as a graph, copy the display filter you created, click on "Statistics", and then "I/O Graph" to open the graph window. Click the plus (+) icon to create a new graph and uncheck any other graphs that may be enabled.

Enter a name for the graph (something easy to remember), then paste the display filter you copied earlier into the Display Filter field. Next, enter wlan_radio.signal_dbm in the Y Field and select "AVG(Y Field)" as the Y Axis. Finally, set the style to "Line" and enter "10 Interval SMA" in the SMA Period field.

After all the settings, the graph should look as shown in the figure below, and the signal strength should start to be displayed.


Graph of signal strength from the monitored device

This graph shows the average signal strength coming from the target device as a function of time. Don't move the directional antenna just yet, and let the graph run for a while to understand the average level. At first, it may seem that the signal changes a lot, since Wireshark captures even small changes, but this graph will be more useful when we start walking indoors and encounter stronger and weaker signals that will stretch the average values of the graph.

Step 6. Move the antenna to search for signal peaks
The moment of truth has arrived. Slowly rotate the directional antenna 360 degrees and watch for peaks in signal strength that help determine the direction from which the transmission is coming.

The graph below shows a large spike that appeared during the slow rotation of the panel antenna after aligning with the direction of the signal source.

Signal power surge after aligning the directional antenna with the source

After turning back and forth several times, you should see signal peaks. Follow the direction where the burst was detected and rotate the antenna again to narrow down the estimated location of the transmission source.

Conclusion
Whenever a Wi-Fi network appears where it shouldn't, or a device starts connecting to your wireless network without permission, Wireshark and a network adapter can help locate the source of the signal. This technique makes it relatively easy to find a hidden rogue access point or an actor trying to connect to your wireless network without permission. If, for example, you suspect a neighbor of being connected to your Wi-Fi network and can't verify your suspicion, this technique can help you gather evidence.

Hopefully you liked this guide on tracking a Wi-Fi device using Wireshark.
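To make clear what the I/O Graph settings above actually compute, here is the same pipeline done offline in plain Python: apply the "wlan.ta == BSSID" filter, average wlan_radio.signal_dbm per one-second interval, smooth with a 10-interval SMA, and find where the signal peaks. This is an added example, not code from the post or from Wireshark; the capture is constructed, the antenna rotation rate (9 degrees per second) and the true bearing (90 degrees) are assumptions, and the BSSIDs are taken from the airodump-ng listing above.

```python
from collections import defaultdict

# BSSID of "ATTMfRfcmS" from the airodump-ng listing in the post (used as wlan.ta).
TARGET = "88:96:4E:50:FF:40"
OTHER = "78:96:84:00:B5:B0"   # "The Daily Planet": must be dropped by the filter
DEG_PER_INTERVAL = 9           # assumed antenna rotation speed: 9 degrees per second


def constructed_capture(seconds=40):
    """Constructed (time_s, wlan.ta, wlan_radio.signal_dbm) records.

    The target's signal peaks when the (assumed) panel antenna points at
    bearing 90 deg; three frames per second carry -1/0/+1 dB jitter, so the
    per-interval average equals the underlying level. An unrelated AP
    transmits at a constant -50 dBm to show why the display filter matters.
    """
    frames = []
    for sec in range(seconds):
        bearing = sec * DEG_PER_INTERVAL
        level = -75 + max(0, 30 - abs(bearing - 90))   # crude main lobe
        for i in range(3):
            frames.append((sec + i / 3, TARGET, level + i - 1))
            frames.append((sec + i / 3 + 0.1, OTHER, -50))
    return frames


def interval_average(frames, ta, interval_s=1.0):
    """AVG(wlan_radio.signal_dbm) per interval for frames where wlan.ta == ta.
    Returns [(interval_index, avg_dbm), ...]; intervals with no frames are skipped."""
    buckets = defaultdict(list)
    for t, frame_ta, dbm in frames:
        if frame_ta == ta:                      # the "wlan.ta == <bssid>" display filter
            buckets[int(t // interval_s)].append(dbm)
    return [(i, sum(v) / len(v)) for i, v in sorted(buckets.items())]


def sma(series, period=10):
    """Wireshark's "10 Interval SMA": mean of the last `period` points
    (fewer at the start of the series)."""
    out = []
    for k in range(len(series)):
        window = [v for _, v in series[max(0, k - period + 1):k + 1]]
        out.append((series[k][0], sum(window) / len(window)))
    return out


def peak(series, deg_per_interval=DEG_PER_INTERVAL):
    """(interval_index, bearing_deg, dbm) of the strongest point in a series."""
    idx, dbm = max(series, key=lambda p: p[1])
    return idx, (idx * deg_per_interval) % 360, dbm


if __name__ == "__main__":
    raw = interval_average(constructed_capture(), TARGET)
    smooth = sma(raw)
    print("raw peak:     ", peak(raw))     # the true bearing, 90 deg
    print("smoothed peak:", peak(smooth))  # SMA lags: its plateau starts a few intervals later
```

Note the lag: the smoothed curve peaks three intervals (27 degrees) after the raw averages, which is why the post tells you to rotate slowly and sweep back and forth rather than trust a single pass.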