Hacking by Solis Tech: How to Hack Computers, Basic Security and Penetration Testing (2014)
Chapter 19: Dealing with Fake Wi-Fis
If you are on the go and you need to send a quick email, it would be fairly tempting to log in to any available wireless network that does not seem to be protected by a password. Now, wouldn’t you think that it is just a little too convenient that an unprotected WLAN is available?
Hackers know exactly what it takes to make people take the bait of free Wi-Fi: people do not think twice before connecting to an available hotspot in a public place. Because hackers know that most people are not thinking about their devices’ safety when free internet access is on the line, they are confident that people will fall for their trap.
Fake Wireless Access Point Theft
This hacking technique, also known as the evil twin access point, is mostly carried out in public areas: a hacker masks an access point as a free internet connection and prompts people to connect to it. Once a victim connects to the fake wireless network, the hacker is able to collect sensitive data from the connected device. Usually, hackers who use this technique prompt the user to log in with some piece of sensitive information (such as credit card details) in exchange for free access. While the hacker stores this information for future use, he redirects the targeted user to sites that people commonly visit, such as a web browser’s home page, an email landing page, or a social media site. From there on, the hacker collects password information. Hackers then use the collected data to log in to other sites, assuming that their victims reuse the same passwords across multiple sites.
Apart from revealing the password of a targeted Internet user, an evil twin access point also lets you see the traffic that goes in and out of a connected device. That means that creating an evil twin access point also lets you view all the activities of a potential target.
The biggest telltale sign that you have been a victim of this type of hack is when you receive notices from your credit card company about charges that you did not make, or when your social media account has been taken over. However, if you suspect that you have connected to an evil twin access point, there is no telling what information about your computer usage, or which of your files, has already been shared across thousands of hacker forums.
How an Evil Twin Access Point is Made
Creating a fake wireless access point needs almost the same tools that you use in hacking a Wi-Fi network: a wireless card and the aircrack-ng suite. The suite includes a tool called airbase-ng, which can turn your wireless card into an access point. This tool lets you see all the traffic coming from a connected device and also enables you to mount a man-in-the-middle attack.
The following hack lets you clone an existing access point (or your neighbor’s internet connection) and fool a target into connecting to the fake one. The objective of this hack is for you to understand how easily a criminal hacker can select a target within range, bump him off his own connection, and then force him into connecting to a false duplicate of his WLAN. This shows you how any hacker is able to monitor his target’s traffic and obtain sensitive information.
Here are the steps that you need to take in order to create an evil twin access point:
1. Start airmon-ng and check your wireless card. Run the following command:
bt > iwconfig
After doing so, you would be able to see that your wireless card is operational. It would most probably be assigned as wlan0 once it is up and running.
2. Once your wireless card is set, put it into monitor mode. To do this, simply enter:
bt > airmon-ng start wlan0
3. With the card in monitor mode, you can see all the wireless traffic that your wireless card can pick up with its antenna. That means you can see the SSIDs of all the access points that people around you are connecting to. Now you need to capture this traffic. To do this, enter:
bt > airodump-ng mon0
4. In order for you to dupe people into connecting to a fake wireless connection, you would need to clone an existing access point and convert it into an evil twin. Doing so would also allow you to insert your own packets or pieces of data into a target’s computer.
5. Now, all you need to do is wait for your target computer to connect to his internet connection. When that happens, the connection appears in the lower part of the screen.
6. Once your target has connected to his own access point, you need to create a new access point using the same SSID and MAC address as his WLAN. The MAC address appears as the BSSID in the list of access points that your wireless card detected in monitor mode. You also need the channel that your target’s signal is on. Once you have the information you need, open a new terminal and enter the following command:
bt > airbase-ng -a (BSSID) --essid "(name of the access point)" -c (channel) mon0
7. Now you need to take your target off his access point and force him to reconnect automatically to the fake access point that you created in the previous step. To do this, you need to inject a deauth packet using the following command:
bt > aireplay-ng --deauth 0 -a (BSSID of target) mon0
8. Here is one crucial aspect that hackers are aware of when they create an evil twin: the signal of the fake access point should be as strong as, or stronger than, the signal of the target’s true access point. If you are in a public place, this should not be a problem. However, if you are targeting devices that are far from you, you need to turn up your fake access point’s power. To boost your access point’s signal to its maximum, key in the following command:
iwconfig wlan0 txpower 27
Typing in this command boosts your access point’s output to the maximum allowable power in the United States, which is 500 milliwatts or 27 dBm. If your target is too far away, you may need to boost your access point’s power as far as your wireless card allows.
Every country has its own Wi-Fi regulations, and the maximum allowable power for access points in another country may be illegal in yours. Make sure that when you perform the following hack, you are backed by your company and that you have obtained prior written consent from your practice target, to avoid any legal repercussions from the next steps.
If you want to use another country’s maximum regulated power to boost your access point a little further (Bolivia’s regulatory domain has more available channels and allows output of up to 1000 mW), you can use the following command to switch regulatory domains:
iw reg set BO
Once you are in this country’s regulatory domain, you can boost your wireless card to the maximum by typing the following command:
iwconfig wlan0 txpower 30
To check for the output power, type:
Now you are guaranteed that every device user looking at the available networks around you sees your access point at full signal. If you boosted the signal to 30 dBm or 1000 mW, your fake access point could be seen even from a few blocks away. By boosting the signal, hackers create the impression that their fake network is the legitimate one.
However, there is something you should keep in mind as you boost your wireless equipment’s power: overheating becomes a much greater risk as you move towards higher output. So it is recommended that you at least consider lowering the device’s temperature, which is usually done by increasing airflow.
9. Now that you have successfully created a fake access point, the next step is to monitor the activity of your targets. You can use the software called Ettercap to carry out man-in-the-middle activities, which means that you can set up shop on this connection by intercepting, injecting, or analyzing all the data that goes to and from a target device. Through this activity, you can intercept any sensitive information that the target may unknowingly pass through the evil twin network, such as passwords, credit card information, downloads and uploads.
Now that you know how most hackers can set up shop in your devices by duping you into connecting to a fake access point, it’s time to take preventive measures. Here are some ways to prevent attacks like this:
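A defender-side check for the scenario above, added here as an example and not code from the book: it parses airodump-ng-style scan rows and compares every access point advertising a network you intend to join against what the shop told you at the counter, flagging an unknown BSSID, a wrong channel, or an open network where a protected one was expected. The CSV rows, MAC addresses, ESSIDs and the VERIFIED table are all constructed for the example.

```python
import csv
from io import StringIO

# Constructed scan rows in the column order airodump-ng writes to its CSV
# file (access-point section only); every MAC, time and ESSID is invented.
SCAN_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2014-01-01 10:00:00, 2014-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -60, 120, 0, 0.0.0.0, 9, CafeGuest,
66:77:88:99:aa:bb, 2014-01-01 10:03:00, 2014-01-01 10:05:00, 6, 54, OPN, , , -35, 300, 0, 0.0.0.0, 9, CafeGuest,
00:11:22:33:44:56, 2014-01-01 10:00:00, 2014-01-01 10:05:00, 1, 54, WPA2, CCMP, PSK, -70, 110, 0, 0.0.0.0, 9, CafeGuest,
aa:bb:cc:dd:ee:ff, 2014-01-01 10:00:00, 2014-01-01 10:05:00, 11, 54, WPA2, CCMP, PSK, -80, 90, 0, 0.0.0.0, 8, HomeNet1,
"""

# What the shop told you at the counter (invented): its SSID, the BSSID and
# channel of each of its access points, and that the network is WPA2-protected.
VERIFIED = {"CafeGuest": {"privacy": "WPA2",
                          "aps": {"00:11:22:33:44:55": 6, "00:11:22:33:44:56": 11}}}


def parse_scan(text):
    """Return one {bssid, channel, privacy, essid} dict per access-point row."""
    rows = []
    for row in csv.reader(StringIO(text)):
        if not row or row[0].strip() in ("", "BSSID"):
            continue  # blank separator line or the header line
        cells = [c.strip() for c in row]
        rows.append({"bssid": cells[0].lower(), "channel": int(cells[3]),
                     "privacy": cells[5], "essid": cells[13]})
    return rows


def check_networks(rows, verified):
    """List every way an observed access point disagrees with what was verified."""
    findings = []
    for ap in rows:
        ref = verified.get(ap["essid"])
        if ref is None:
            continue  # not a network we intend to join
        expected_channel = ref["aps"].get(ap["bssid"])
        if expected_channel is None:
            findings.append((ap["bssid"], f"unknown BSSID advertising {ap['essid']}"))
        elif expected_channel != ap["channel"]:
            findings.append((ap["bssid"], f"channel {ap['channel']}, expected {expected_channel}"))
        if ap["privacy"] != ref["privacy"]:
            findings.append((ap["bssid"], f"{ap['privacy']} network, expected {ref['privacy']}"))
    return findings


if __name__ == "__main__":
    for bssid, reason in check_networks(parse_scan(SCAN_CSV), VERIFIED):
        print(f"SUSPECT {bssid}: {reason}")
```

A clone that copies the SSID, BSSID and channel exactly, as in step 6, produces no separate scan row and so passes this check; the open "free Wi-Fi" variant the chapter opens with does not.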
1. Ask for legitimate Wi-Fi service
The best defense against evil twin attacks is to verify what network you are connecting to before you connect. If you are in a public space, such as a café, make sure that you ask for the shop’s SSID and password. If you think that free Wi-Fi is too good to be true, it most probably is.
2. Always use different log-ins.
If there is no choice but to log in over a free public Wi-Fi, then make sure that you are using a different username and password, to avoid giving everyone listening on the network a free pass to your most sensitive accounts.
3. Use a Virtual Private Network (VPN)
A VPN masks your device’s physical location by assigning you a different IP address and even a different MAC address. It also encrypts the data that you send out, which means that any information you type into a form on an evil twin network cannot be deciphered by a hacker listening on the other end.
VPNs are also great at detecting an evil twin network: if a free hotspot prompts you to disconnect your VPN before you continue, then you know that the hackers on the other end are forcing you to disable the encryption that they can’t read through, so that they can steal your data.
4. Be extra cautious when your devices suddenly disconnect from your secured internet connection, especially when all the other devices connected to the network are bumped off as well. It is very possible that a deauth packet has just been injected against your access point, forcing every device connected to it to disconnect. When this happens, turn off the auto-connect feature on your devices to prevent them from connecting to a potential evil twin access point.
5. If you are in an unfamiliar public area, turn off your devices’ auto-connect-to-hotspot feature.
6. Pay attention to any pop-ups and dialog boxes telling you that another device has connected to your network.
7. Pay extra attention to the URL of the pages that you are connecting to. Most companies do advertise unencrypted versions of their websites, simply because http is easier to remember than https. Always remember that the added “s” means that you are visiting a secure site. Also make sure that there is a lock icon in the browser when you are entering sensitive information.
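The deauth flood that defence 4 describes, made mechanical as an added example (not the book’s code): a sliding-window counter over management-frame records that alerts when one source address sends a burst of deauthentication frames, and notes whether they were broadcast, which is what knocks every client off at once. The frame tuples, the addresses and the five-frames-per-second threshold are constructed assumptions for the example.

```python
from collections import deque

# Constructed 802.11 management-frame observations as (seconds, subtype,
# source MAC, destination MAC); all addresses and timings are invented.
BROADCAST = "ff:ff:ff:ff:ff:ff"
AP = "00:11:22:33:44:55"          # the cafe's real access point (invented)
FRAMES = [
    (0.00, "beacon", AP, BROADCAST),
    (0.10, "beacon", AP, BROADCAST),
    (2.00, "deauth", "aa:bb:cc:00:00:01", AP),   # one client leaving normally
    (2.20, "beacon", AP, BROADCAST),
]
# The "bump everyone off" step as it looks on the air: a run of broadcast
# deauthentication frames carrying the access point's own address, 10 ms apart.
FRAMES += [(5.0 + i * 0.01, "deauth", AP, BROADCAST) for i in range(8)]


def deauth_bursts(frames, window=1.0, threshold=5):
    """Return (source, burst_start, count, broadcast) for every source that
    emits at least `threshold` deauth frames within any `window` seconds."""
    recent = {}       # source -> deque of (time, destination) inside the window
    alerted = set()   # sources already reported, to avoid one alert per frame
    alerts = []
    for t, subtype, src, dst in frames:
        if subtype != "deauth":
            continue
        q = recent.setdefault(src, deque())
        q.append((t, dst))
        while q and t - q[0][0] > window:
            q.popleft()   # drop frames that fell out of the sliding window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            broadcast = any(d == BROADCAST for _, d in q)
            alerts.append((src, q[0][0], len(q), broadcast))
    return alerts


if __name__ == "__main__":
    for src, start, count, broadcast in deauth_bursts(FRAMES):
        kind = "broadcast" if broadcast else "targeted"
        print(f"ALERT {src}: {count} {kind} deauth frames from t={start:.2f}s")
```

A single deauth from a client that is simply leaving (the frame at 2.00 s) never reaches the threshold, so only the flood from the access point’s address is reported.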