With that being said let's take a look at how to set up an evil twin access point in an WPA2 Enterprise environment.
What you'll need:
- VMWare or Virtualbox
- Kali Linux
- Router that supports WPA2 Enterprise
Please remember, this is solely for educational purposes.
The techniques mentioned below are not to be used for malicious purposes outside of a controlled research environment.
Why do we need a router?
Setting up the Evil Twin
Since we're going to be intercepting enterprise communications we must first set up a radius server. We will be using freeradius-wpe in this example. Once we set up our radius server on kali then we will configure our access point/router appropriately and should be all set!
- Download freeradius-wpe to your Kali Linux virtual machine (vm). I will be using free radius 2.1.12 in this example.
- Download the freeradius-wpe patch.
- Untar the download:
- Change directory into the freeradius-server folder and apply the patch:
- Configure, make and install:
- Make the certificates:
Alright. Now that we can confirm that our radius server installed correctly, let's make some changes to the configuration file.
- Let's change directories to the location of the configuration files: cd /usr/local/etc/raddb/
- Open radiusd.conf with your favorite editor and ensure that eth0 is uncommented. I've included a snippet of what this setting looks like below in order to facilitate finding it. This should be around line 290 of the configuration file.
- Next we're going to open clients.conf and add a new client with the address of our router and a secret phase (this can be anything). Below is the client I added to the configuration file.
- Create a log file named freeradius-server-wpe.log under the /usr/local/var/log/radius/ directory. This log file will store any credentials we capture during the test.
- Alright, now for the fun part. Let's configure our router to use WPA2 Enterprise and use the IP address of our Kali VM as the radius server. Enter the secret previously saved within the client.config file. I've included a screenshot of how my router settings looked like below. Note that the router's SSID is set to "eviltwin_test", attackers will usually set this to whatever SSID they are trying to spoof.
We are all set! Let's start up the radius server with the radiusd -X command and let's test it out. I will be using my phone to authenticate to the evil twin....annnnnddd success!! It worked!! Here are some screenshots on what the radius server should be outputting as well as the logfile containing the username and password I just entered.
A quick note. Not all clients who authenticate to the radius server will succeed. Additionally, not all passwords will be in clear-text, in fact most of the time hashes are the ones obtained.
Hope you guys learned something new. Remember this is an old school technique that can be used to learn or as a Plan B. Before you go check out how to prevent this from happening in your environment with some mitigation tips below.
Go Mitigation!
The example above depicts how to successfully spoof an access point and capture user credentials. An attacker can use these credentials to infiltrate a network and possibly obtain sensitive information. This is bad news for any environment. Let's explore some ways to protect against this attack:
- Ensure your environment is using a secure protocol such as EAP-TLS
- Implement client side certificates for authentication and validate those certificates
- Do not self-sign certificates
- Implement a Security Awareness program for employees
Additional Reading
For more detailed information on evil twin attacks and recommendations check out the following:
