EvilTwinFramework: A Framework written in Python 2 for Pentesters to Perform Evil Twin attacks
EvilTwinFramework is a framework for pentesters that facilitates evil twin attacks as well as exploiting other wifi vulnerabilities.
It uses hostapd-wpe to create the access point, so it is highly configurable.
It uses dnsmasq to run the dhcp and dns services.
It uses apache with help of dnsmasq to launch spoofed webpages as well as captive portals!
Packet sending and receiving is all done via Scapy!
Motivation
The EvilTwinFramework is meant to replace all existing Wi-Fi hacking tools by integrating all features necessary for Wi-Fi penetration testing in one framework. The 3 core features needed are:
* Packet Sniffing
* Packet Injection
* Access Point Creation
All Wi-Fi attacks can be implemented with one or a combination of these core features. By having this platform it will always be possible to contribute with new Wi-Fi attacks that depend on these features.
Features of EvilTwinFramework
All Forms of Evil Twin AP:
All Forms of Evil Twin AP:
The Evil Twin Framework, with the help of hostapd can mimick any type of Wi-Fi Network. And by using the hostapd-wpe patch it is easy to get WPA-EAP credentials.
One can configure it as a catch-all honeypot to find out the encryption type of a network that was probed for.
One can even create a karma attack and mimick many networks with different ssids on the same Wi-Fi card (as long as it supports ap-mesh mode). This can be done manually, if you want different encryption types for different networks, or automatically. The automation works by sniffing for popular probe requests and then creating the most popular one according to how many virtual access points you Wi-Fi card supports.
Handshake and Credential Logging:
One can configure it as a catch-all honeypot to find out the encryption type of a network that was probed for.
One can even create a karma attack and mimick many networks with different ssids on the same Wi-Fi card (as long as it supports ap-mesh mode). This can be done manually, if you want different encryption types for different networks, or automatically. The automation works by sniffing for popular probe requests and then creating the most popular one according to how many virtual access points you Wi-Fi card supports.
Handshake and Credential Logging:
As said before, with the help of hostapd-wpe WPA-EAP credential sniffing is easy!
You can also spoof DNS with dnsmasq and even create captive-portals to force browsers to your webpage!
You can sniff for WPA-Handshakes and even Half-WPA-Handshakes for ap-less password cracking!
You can also spoof DNS with dnsmasq and even create captive-portals to force browsers to your webpage!
You can sniff for WPA-Handshakes and even Half-WPA-Handshakes for ap-less password cracking!
Integrated Man-In-The-Middle:
An Evil-Twin is nothing without a proper MITM arsenal!
The framework uses the mitmproxy library to create a local proxy capable of custom Level3 packet manipulation! Some fun ones have already been implemented such as beef hook injection into someones webpage, download content replacement with other files (idea stolen from the Wi-Fi Pumpkin Project). And my favorite: .exe file infection with PEInjector. PEInjector does a great job by seemlessly injecting a payload into an exe file without changing its size while at the same time obfuscating the payload to pass AV software.
You can easily contribute and/or make your own custom MITM packet manipulation and add it to the framework. More information will be in the wiki.
Wi-Fi Reconossaince: The framework is able to sniff for access points, probe requests and responses and associating them to Wi-Fi clients. You can also log all of this information.
Packet Injection:
Packet Sniffing and Injection is all done via Scapy. This makes it possible to contribute with any feature that involves packet sniffing and custom packet assembly and injection.
For now the only packet injection feature is deauthentication packets since it is a nice thing to have when trying to catch WPA-Handshakes.
Spawners:
Spawners are a great and easy way to use your custom tools in conjunction with the framework. Some tools have already been added since they make a lot of sense: Ettercap, Beef, MITMFramework and SSLStrip.
Using EvilTwinFramework
First enter the ETF Console interface as root: sudo ./etfconsole.py
For now there only is a console interface that is very easy to use and has tab completion! The whole thing will work according to the etf.conf file. You can view and change all configurations via de console, just type:
config
to list the modules available for configuration. While working on the console type: listargs
to view the available parameters (here you can check if configurations are OK), then type: set
If a parameter is (dict) it means it is another configurable module within.
To start an access point make sure you have it configured correctly, type: config airhost
check if everything is OK (use listargs)
config aplauncher
check if everything is OK (use listargs)
config dnsmasqhandler
check if everything is OK and start the access point
start airhost
You can also configure an access point by copying one that is nearby. Start scanning:
config airscanner
config airscanner
check if everything is OK (use listargs)
start airscanner
... wait ...
show sniffed_aps
This lists the sniffed access points with their ids: copy ap
OR:
show sniffed_probes
copy probe
Then start the fake access point: start airhost
You can deauthenticate others from their network while running the acces point. To add access points or clients to be deauthenticated type:
show sniffed_aps
add aps
The filter_string follows an easy syntax, it goes:
The args can be any of the column names listed in the table. The filter keywords are 'where' for inclusive filtering or 'only' for exclusive filtering, examples:
This will add the access point whose id is 5 to the deauthentication list (this is adding a single and specific AP): add aps where id = 5
This will add the access point whose ssid is 'StarbucksWifi' to the deauthentication list:
add aps where ssid = StarbucksWifi
add aps where ssid = StarbucksWifi
This will add the access point whose encryption type has 'wpa' OR 'opn' to the deauthentication list: add aps where crypto = wpa, crypto = opn
This will add the access point whose ssid id 'freewifi' AND is on channel 6 to the deauthentication list: add aps only ssid = freewifi, channel = 6
You can use the same interface for injecting packets while running the fake access point. You can check and set configurations with:
config airinjector
listargs
After all that run the Injector (which by default performs Deauthentication attack):
start airinjector
start airinjector
Same can be done when deleting from the deauth list with the del command. The show command can also be followed by a filter string.
Contributors can program Plugins in python either for the airscanner or airhost or airdeauthor. Contributors can also code MITM scripts for mitmproxy.
