
Evil Twin

Andrea Vaccaro edited this page Aug 3, 2024 · 8 revisions

🌐Evil-Twin with Captive Portal

Evil Twin Example

This manual walks you through the process of configuring and executing an Evil Twin attack with a captive portal. This attack is designed to impersonate a legitimate Wi-Fi access point in order to trick users into connecting to it.


Aside from 📚dependencies, the most important requirement is the NIC (Network Interface Card).

  • The first NIC, selected during gapcast startup (with the -i <iface> parameter), is used to run the AP.

  • The secondary NIC (selected during attack startup) is used to deauthenticate the victim AP (optional but highly recommended).


⚠️It's important that both these NICs support monitor mode.


🚀How to start Evil-Twin environment

  1. Open the INJ Table.
  2. Select the third available attack option, which is Evil-Twin.
  3. After selection, an input bar will appear in which to fill in the victim AP.

🔧Alternatively, you can bypass step 3 by using the -b <BSSID> parameter to specify the BSSID directly.

🗞Setup steps

➡️The first step is selecting the web template for the Captive Portal. In version 1.0.3 there are 2 templates available:

  • GoogleLogIn: the GoogleLogIn model is a clone of the Google login page.
  • CustomVideo: the CustomVideo model opens a video in full screen automatically.

For login pages, the input that the user submits is reported in the Gapcast log.

📝If these templates do not meet the requirements, you can create a template from scratch using this guide.

➡️The second step is selecting the secondary NIC, which will be used for deauthentication. The NIC already in use for running the AP is excluded from the selection. If no secondary NIC is present, or you do not need one, simply do not select anything.

📜Logs

🔍[LOG] log: Indicates preliminary commands before Evil Twin operation and termination.

🔍[AP-INFO] log:

  • Provides details of the fake AP:
    • Name. (prefixed with a blank character to prevent AP substitution issues)
    • MAC Address. (with the last byte of the last octet modified)
    • Transmission channel.
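
Seen from the defending side, the two properties listed above give a detection heuristic: an SSID that equals a trusted name once blank characters are stripped, and a BSSID that matches a trusted one except for its last octet. The sketch below is an added example, not gapcast code; the function names, the trusted-AP inventory and the scan rows are constructed, and it assumes the modified MAC keeps the first five octets of the original.

```python
import unicodedata

def _is_blank(ch):
    # Whitespace plus invisible format/control characters (e.g. U+200B).
    return ch.isspace() or unicodedata.category(ch) in ("Cf", "Cc")

def normalize_ssid(ssid):
    """Strip blank characters from both ends of an SSID."""
    start, end = 0, len(ssid)
    while start < end and _is_blank(ssid[start]):
        start += 1
    while end > start and _is_blank(ssid[end - 1]):
        end -= 1
    return ssid[start:end]

def find_lookalikes(trusted, scan):
    """trusted: {ssid: set of lowercase BSSIDs}; scan: [(ssid, bssid, channel)]."""
    findings = []
    for ssid, bssid, channel in scan:
        bssid = bssid.lower()
        name = normalize_ssid(ssid)
        known = trusted.get(name)
        if known is None:
            continue  # does not resemble a network in the inventory
        reasons = []
        if ssid != name:
            reasons.append("padded-ssid")
        if bssid not in known:
            prefix = bssid.rsplit(":", 1)[0]
            near = any(k.rsplit(":", 1)[0] == prefix for k in known)
            reasons.append("bssid-last-octet" if near else "unknown-bssid")
        if reasons:
            findings.append((ssid, bssid, channel, reasons))
    return findings

# Constructed inventory and scan rows; 00:00:5e:00:53:xx is the RFC 7042
# documentation range, 02:... addresses are locally administered.
TRUSTED = {"CorpWiFi": {"00:00:5e:00:53:10"}}
SCAN = [
    ("CorpWiFi", "00:00:5E:00:53:10", 6),       # the legitimate AP
    (" CorpWiFi", "00:00:5e:00:53:11", 6),      # padded name, near-identical MAC
    ("\u200bCorpWiFi", "02:00:00:00:00:01", 11),  # invisible prefix, unknown MAC
    ("CoffeeShop", "02:00:00:00:00:02", 1),     # unrelated network
]

if __name__ == "__main__":
    for ssid, bssid, channel, reasons in find_lookalikes(TRUSTED, SCAN):
        print(f"ALERT ssid={ssid!r} bssid={bssid} ch={channel} {','.join(reasons)}")
```

A sudden burst of deauthentication frames against the trusted BSSID at the same time as such a finding strengthens the signal, since the page describes deauthentication as the companion step.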

🔍[HOSTAPD-LOG] log: Logs related to hostapd software.

🔍[INJ-LOG] log:

  • Logs related to injection, detailing:
    • Start of deauthentication.
    • Any deauthentication errors.
    • Conclusion of injection.

🔍[INFO-GRABBED] log:

  • Interpreter for apache2 logs. (Connections, GET/POST requests with ACTION spec)
  • Grabbed information from user inputs.

✨How to create a custom web model

To create a custom web model, you must first create a folder with the name of the model in the gapcast/EvilTwin/models path.

In this folder, add a file called DESCRIPTION (with no extension) containing 2 lines with this syntax (replace <...> with your preferences):

  1. &TITLE: <model name>
  2. &DESCRIPTION: <model description>

In the same folder, add a folder called HTML and an index.html file, which is the main file started by the web server.

If the model is used to take user information, it must use a PHP (or JavaScript) file, started from an HTML form, that writes the content to the infograbbed.txt file in append mode. Here is an example:

<?php
header('Location:http://10.1.1.1/passwd.html');

$handle = fopen("infograbbed.txt", "a");
$counter = 0;

foreach($_POST as $variable => $value) {
   if ($variable == "submit") {
      continue;
   }
   fwrite($handle, $variable);
   fwrite($handle, ": ");
   fwrite($handle, $value); 
   $counter++; 
}

fwrite($handle, "\n");
fclose($handle);
exit;
?>

Important

The information taken at one time must be written on a single line. If you want to keep this information over time, save it separately, because Gapcast resets the infograbbed.txt file when starting Evil Twin.