Eaphammer is a tool for executing evil twin attacks against wireless networks. The evil twin attacks executed during overt wireless penetration tests typically focus on capturing PSK handshakes and the credentials used to authenticate to enterprise wireless networks.

The setup process is well documented on the Eaphammer GitHub repository. The general flow of an attack is to complete installation and setup, run the certificate wizard, and execute your attack(s). The following tips may help when executing attacks.

  1. Certificate wizard:

    Before running the certificate wizard, attempt to connect to your target network(s) using a computer and/or mobile device. Unless the wireless infrastructure presents a certificate signed by a public CA, the connection attempt will prompt you to trust the presented certificate. When the certificate is presented, inspect its details and transcribe the fields the certificate wizard asks for, so that the generated certificate is a visual facsimile of the legitimate one. This will not fool a properly configured client, but if a user connects manually, the details will resemble those of the legitimate network infrastructure.

  2. Launching attacks:

    During attacks, it is useful to have Kismet running. This lets you identify protective measures supported by the customer infrastructure. When an evil twin network is initialized in the presence of the legitimate network and a Wireless Intrusion Prevention System (WIPS) is present, the network infrastructure will send deauthentication floods against the evil twin access point. These will appear in the Alerts tab of Kismet.

    After initially running an attack with a default MAC address, if deauthentication occurs, change the MAC address of your evil twin to have the same base address as a legitimate access point, but increment the last byte of the MAC to not conflict with legitimate device addresses. Note whether deauthentication attacks cease.
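As an added illustration of what such a WIPS or Kismet alert is keyed on (this is not Kismet's or Eaphammer's code; the addresses, timestamps and reason codes below are constructed), the following Python script applies a sliding-window rate check to 802.11 deauthentication and disassociation frames, the same kind of logic a wireless IDS uses to raise a deauthentication-flood alert:

```python
"""Sliding-window detector for 802.11 deauthentication/disassociation floods.

Added illustration of the check behind a WIPS or Kismet deauth-flood alert;
not Kismet's or Eaphammer's code. All addresses and timestamps are constructed.
"""
from collections import defaultdict, deque

# 802.11 management frame subtypes (IEEE 802.11, Table 9-1).
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_deauth_floods(frames, window_s=10.0, threshold=20):
    """Return one alert per (transmitter, receiver) pair that sends at least
    `threshold` deauth/disassoc frames inside any `window_s`-second window.

    `frames` is an iterable of dicts with keys ts (seconds), subtype, src, dst.
    Frames are processed in timestamp order; each pair is alerted only once.
    """
    recent = defaultdict(deque)  # (src, dst) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        key = (f["src"], f["dst"])
        q = recent[key]
        q.append(f["ts"])
        # Drop timestamps that have fallen out of the trailing window.
        while f["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src": key[0], "dst": key[1], "count": len(q),
                "first_ts": q[0], "last_ts": f["ts"],
            })
    return alerts


def sample_frames():
    """Constructed capture: a containment flood plus normal background traffic.

    WIPS containment commonly spoofs the rogue AP's own BSSID as transmitter and
    addresses the frames to broadcast so every associated client disconnects.
    The rogue BSSID here is a constructed locally-administered address.
    """
    rogue_bssid = "02:aa:bb:cc:dd:01"
    legit_ap = "02:11:22:33:44:01"
    client = "02:55:66:77:88:99"
    frames = []
    # 40 spoofed deauths in 4 seconds; reason 7 = class 3 frame from a
    # non-associated station.
    for i in range(40):
        frames.append({"ts": 100.0 + 0.1 * i, "subtype": SUBTYPE_DEAUTH,
                       "src": rogue_bssid, "dst": BROADCAST, "reason": 7})
    # Background: beacons from the legitimate AP and a few ordinary deauths
    # (reason 3 = station is leaving), which must not trigger an alert.
    for i in range(5):
        frames.append({"ts": 90.0 + 2.0 * i, "subtype": SUBTYPE_BEACON,
                       "src": legit_ap, "dst": BROADCAST})
    for ts in (50.0, 120.0, 200.0):
        frames.append({"ts": ts, "subtype": SUBTYPE_DEAUTH,
                       "src": legit_ap, "dst": client, "reason": 3})
    return frames


if __name__ == "__main__":
    for a in detect_deauth_floods(sample_frames()):
        print(f"ALERT deauth flood {a['src']} -> {a['dst']}: "
              f"{a['count']} frames in {a['last_ts'] - a['first_ts']:.1f}s")
```

The detector keys on the (transmitter, receiver) pair rather than on the transmitter alone, so a burst aimed at one BSSID stands out even on a busy channel where unrelated disconnects are common; the threshold and window are the knobs a WIPS exposes for tuning.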

  3. Out-of-band attacks:

    When evil twin attacks are mitigated by a WIPS, or no associations are observed while in range of the target wireless networks, it can be useful to execute out-of-band attacks. These are evil twin attacks executed out of range of the legitimate network infrastructure. Since the evil twin does not have to compete with the legitimate wireless infrastructure, clients may automatically connect to your device.

  4. Non-corporate enterprise networks:

    Corporate enterprise wireless networks are often well secured. The corporate network may use EAP with mutual certificate-based authentication, making evil twin attacks impossible. However, organizations often decide to extend enterprise authentication to other wireless segments such as Bring Your Own Device (BYOD) networks. Clients on these segments are often not managed by a Mobile Device Manager (MDM), and these devices are unlikely to have the CA certificate for the corporate network installed. As a result, it may be possible to harvest domain credentials by targeting this network with an evil twin attack.

    If a customer pushes back on this being an issue (since the corporate network cannot be directly joined), ask whether an attacker close enough to perform wireless attacks might enter the facility or attempt to steal a legitimate device.
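The gap described above is visible in the client's own supplicant profile. As an added example from the defender's side (not Eaphammer's or wpa_supplicant's code; the configuration text, SSIDs, credentials and file paths are constructed), the following Python script parses wpa_supplicant network blocks and flags EAP profiles that do not pin a CA or check the RADIUS server's name, which is exactly the configuration an evil twin with a self-generated certificate can impersonate:

```python
"""Audit wpa_supplicant profiles for EAP networks that cannot detect an evil twin.

Added illustration from the defender's side; not Eaphammer's or wpa_supplicant's
code. The configuration text, SSIDs, credentials and paths below are constructed.
"""
import re

# Any one of these wpa_supplicant fields ties the trusted CA to a specific
# RADIUS server identity; ca_cert alone accepts any certificate from that CA.
SERVER_IDENTITY_FIELDS = ("domain_match", "domain_suffix_match",
                          "altsubject_match", "subject_match")

_BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)


def parse_networks(conf_text):
    """Return a list of {field: value} dicts, one per network={...} block."""
    networks = []
    for m in _BLOCK_RE.finditer(conf_text):
        fields = {}
        for raw in m.group(1).splitlines():
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks


def audit_profiles(conf_text):
    """Map each EAP network's SSID to the list of server-validation gaps found."""
    findings = {}
    for net in parse_networks(conf_text):
        if "EAP" not in net.get("key_mgmt", "").upper():
            continue  # PSK/open networks: no server certificate to validate
        issues = []
        if "ca_cert" not in net:
            issues.append("no ca_cert: any server certificate is accepted")
        if not any(f in net for f in SERVER_IDENTITY_FIELDS):
            issues.append("no server name match: any certificate "
                          "issued by the trusted CA is accepted")
        findings[net.get("ssid", "<unnamed>")] = issues
    return findings


# Constructed example: a managed corporate profile next to a BYOD profile that
# reuses the same domain credentials but validates nothing about the server.
SAMPLE_CONF = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpBYOD"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="GuestWiFi"
    key_mgmt=WPA-PSK
    psk="guestpassword"
}
"""

if __name__ == "__main__":
    for ssid, issues in audit_profiles(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not issues else '; '.join(issues)}")
```

Run against a real fleet, the two findings map directly to the remediation: push the corporate RADIUS CA to BYOD devices and set domain_match (or domain_suffix_match) so that a certificate from any other issuer, or for any other server name, is rejected before the inner credentials are ever sent.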

Eaphammer Attack Syntax

EAP Evil Twin Attack:

The syntax below is typical for an eaphammer evil twin attack against a WPA2-Enterprise wireless network. The --bssid and --negotiate parameters can be omitted, but they are useful for attempting to bypass deauthentication attacks and for controlling the authentication downgrade process, respectively.

./eaphammer -i [interface] --channel [WIFI channel] --auth wpa-eap --bssid [attacker MAC] --essid [target SSID] --creds --negotiate balanced

Depending on the client's configuration, the attack may yield hashes or cleartext credentials. Eaphammer will attempt to downgrade the authentication method as far as the client allows.

PSK Evil Twin Attack:

The syntax below is typical for an eaphammer evil twin attack against a WPA2-PSK wireless network.

./eaphammer -i [interface] --channel [WIFI channel] --auth wpa-psk --bssid [attacker MAC] --essid [target SSID] --creds

The PSK evil twin attack above writes a .hccapx file into the loot folder. The .hccapx file must be converted to the hash format used by current hashcat versions with hcxhash2cap and hcxpcapngtool from hcxtools:

hcxhash2cap --hccapx=[hccapx file] -c [output cap file]
hcxpcapngtool -o [hash file] [output cap file]