The threat of an evil access point has been around for a long time, and with the rise of open public Wi-Fi, the threat is often overshadowed by how many third-party open networks we interact with in coffee shops and other places. While potent, evil access points can be a pain to configure manually. This article will demonstrate the use of MitmAP, a Python script that configures an evil access point.
Before you can begin creating an evil access point, you will need at least two network interfaces: one with an internet connection, and one for victims to connect to. The concept behind an evil access point is simple: create a Wi-Fi access point, log its usage, attempt to strip encryption, and gather credentials from anyone who connects.
Evil access points can work in a couple of different ways. In some cases, they can be used to cast a wide net, for example an open access point gathering information from anyone who connects and uses it to browse the web.
In other cases, they may be part of a more targeted attack. In this case, the evil access point is configured to mimic an existing access point. Due to the nature of Wi-Fi, devices will often send out probe requests looking for access points that they are familiar with, revealing information about networks the device trusts. If your evil access point's signal is stronger than the real access point the device is searching for, the device will connect to your evil access point instead. This can even be used to target someone on an individual level, provided you have done enough information gathering.
With the background out of the way, let’s build ourselves an evil access point!
Step 1: Install MitmAP
MitmAP is not part of the Kali Linux toolkit, so we will be installing it from its GitHub repository. I will be using Kali Linux and running as the root user during this article. Since we're installing from GitHub, these instructions should work on most Linux flavors. Before we get into the actual install, we should update our system. In Kali, this is done with apt in the terminal as seen below.
apt update && apt upgrade
With that out of the way, we can continue our MitmAP install. We'll use git to clone the repository by typing the following command into a terminal window.
If you're using a Raspberry Pi, MitmAP comes with a version made specifically for the Raspberry Pi called mitmAP_rpi.py. My machine is similar to a Raspberry Pi in size and specifications, but the processor is an Intel, which means that I will be using the standard mitmAP.py.
Once we've cloned the repository, we can run mitmAP.py to install our dependencies. If you're using a Raspberry Pi, substitute mitmAP_rpi.py for mitmAP.py in all of the commands that follow.
Before we start, we should do a quick ip a to determine the device names of the interfaces we will be using, since the script will ask for them later. This will show the names of our network cards, and we should note the one providing an internet connection.
Step 2: Configure Your Evil Access Point
To get started, let's type the following command into our terminal window.
This command selects the Python 3 interpreter and launches MitmAP. When MitmAP launches, it gives us the option to install or update its dependencies. I recommend allowing MitmAP to do its updates on the first run by pressing "y" and then Enter.
Once MitmAP has completed the installation or upgrade of its dependencies, it's time to configure the access point.
If you did not get your interface names earlier, now is the time. End the process with Ctrl-C. You will need two device names to configure the AP.
The first device is the wireless interface that you wish to use as the AP, and the second device is the interface that you wish to use for the WAN connection. The names of the devices can be found using the "ip" command, as seen below.
I have two wireless cards on my system: one of them is an external USB card, and the other is built-in. The built-in card is significantly less powerful than the external one, so I will be using the external card, wlan1, for my AP. For my WAN connection, I'll be using a wired connection on eth0. Once you have sorted out your interfaces, run mitmAP again with the command below.
After you have entered the interface names, you will be asked if you want to use SSLStrip. SSLStrip will attempt to downgrade client connections to HTTP instead of HTTPS. This can be an excellent way to capture credentials, so I will enable it.
The next prompt asks if you would like to capture unencrypted images with Driftnet. If you opt to do so, Driftnet will read the TCP stream looking for images and pull them down. I did not enable this option since it doesn't work in headless mode.
MitmAP will ask if it should create a new Hostapd file. This will create a new configuration for your Hostapd, and should be used. Next you will be prompted to enter an SSID (service set identifier) for the AP (access point). This is the name of the AP. Depending on the type of evil AP you are attempting to create, it may be beneficial to name the AP after a publicly accessible network in your area. I will be naming my AP "evilAP".
MitmAP will ask for a channel for the AP; this decision is up to the user. I selected channel 1. The most commonly used channels are 1, 6, and 11. Once you have selected the channel, MitmAP will ask if you want to enable WPA2 encryption.
If you enable encryption, you will have to set a password. If you are trying to trick a user into connecting to your evilAP by mimicking a public SSID, you will want to keep this as close to the original as possible. If the AP you are targeting uses WPA2, you should enable WPA2 with the same password as the AP you are mimicking. If you are just setting up a honeypot AP, it is advisable to run it unencrypted. This will draw users who are just looking for any web connection. I configured my AP without WPA2.
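The mimicry described above (same SSID, matching or downgraded security, stronger signal) is exactly what a wireless survey can detect from the defender's side. The following is an added example that is not part of the original post or of MitmAP: it compares a beacon survey against an allow-list of the radios known to announce each SSID and raises an alert for any impostor. The survey records, the allow-list, the field names and the signal threshold are all constructed for this example; in practice they would come from a wireless IDS or a periodic scan.

```python
"""Flag candidate rogue ("evil twin") access points in a beacon survey.

Added example, not part of the original post or of MitmAP. The allow-list
and the survey below are constructed; the field names are assumptions.
"""

# Constructed allow-list: SSID -> legitimate BSSIDs and the security mode they use.
KNOWN_APS = {
    "CoffeeShop-WiFi": {"bssids": {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}, "security": "WPA2"},
    "CoffeeShop-Guest": {"bssids": {"00:11:22:aa:00:03"}, "security": "OPEN"},
}

# Constructed survey: one record per beaconing BSSID seen at the site.
SURVEY = [
    {"ssid": "CoffeeShop-WiFi",  "bssid": "00:11:22:aa:00:01", "channel": 6,  "security": "WPA2", "signal_dbm": -55},
    {"ssid": "CoffeeShop-WiFi",  "bssid": "00:11:22:aa:00:02", "channel": 11, "security": "WPA2", "signal_dbm": -62},
    {"ssid": "CoffeeShop-WiFi",  "bssid": "de:ad:be:ef:00:01", "channel": 1,  "security": "OPEN", "signal_dbm": -35},
    {"ssid": "CoffeeShop-Guest", "bssid": "00:11:22:aa:00:03", "channel": 6,  "security": "OPEN", "signal_dbm": -58},
    {"ssid": "evilAP",           "bssid": "de:ad:be:ef:00:02", "channel": 1,  "security": "OPEN", "signal_dbm": -40},
]


def find_rogue_aps(survey, known, strong_signal_dbm=-50):
    """Return one alert per BSSID that announces a known SSID without being on its allow-list."""
    alerts = []
    for rec in survey:
        profile = known.get(rec["ssid"])
        if profile is None:
            # A network we do not own is not an impersonation of ours; leave it to
            # a separate "unknown SSID" report rather than this check.
            continue
        if rec["bssid"].lower() in profile["bssids"]:
            continue  # a legitimate radio for this SSID
        reasons = ["BSSID not on the allow-list for this SSID"]
        if rec["security"] != profile["security"]:
            # An impostor that cannot reproduce the real network's WPA2 settings
            # often falls back to an open network with the same name.
            reasons.append(f"security mismatch: expected {profile['security']}, saw {rec['security']}")
        if rec["signal_dbm"] > strong_signal_dbm:
            # A rogue AP wins clients by out-powering the real one, so a very strong
            # unknown radio is what the attack looks like from the defender's side.
            reasons.append(f"unusually strong signal ({rec['signal_dbm']} dBm)")
        alerts.append({
            "ssid": rec["ssid"],
            "bssid": rec["bssid"],
            "channel": rec["channel"],
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(SURVEY, KNOWN_APS):
        print(f"ROGUE AP {alert['bssid']} on channel {alert['channel']} announcing {alert['ssid']!r}")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

Run against the constructed survey, only the open de:ad:be:ef:00:01 radio is flagged: it carries the protected SSID, is not an approved BSSID, has the wrong security mode and is far stronger than the real radios. The separately named "evilAP" network is not an impersonation of anything on the allow-list, so it is deliberately left to a different report.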
You will be asked if you want to set a speed limit for clients. I opted not to. MitmAP will ask if you want to start Wireshark on your AP interface. This will capture the packets and allow you to browse the traffic later at your leisure, provided that you are not running headless.
Since I am working with a headless system, I selected no. When you select no to Wireshark, you are asked if you would like to use Tshark. Obviously, for this attack to be useful, I want a PCAP log, so I selected yes. Lastly, MitmAP will ask if you want to manually configure DNS spoofing. I left the default option of no.
After selecting the final option, the script should start. The AP is now up and running.
Step 3: Wait, What Else?
No, really, that's it. This AP is now a fully functioning evil AP. For this example, I will make some connections to the AP to simulate users connecting. I connected to the evilAP with my desktop machine, and MitmAP shows the connection in the example below.
From a user's perspective, everything appears to be normal. Though in some cases SSLStrip does cause pages to break, I was able to browse many sites that I commonly use without any issues. Some sites, however, were able to force encryption. When I switched to Firefox, some of these same sites were downgraded to HTTP. Firefox does provide a warning when attempting to enter credentials into a downgraded site, though this may not be enough to dissuade an average user.
Now that we've captured some information, let's see what we get when we shut down the evilAP. To shut down the AP, press Ctrl-C twice in a row. MitmAP shuts down and reverts its modifications to the system.
All of our information is stored in the mitmAP/logs folder. I completed one login request on a site that is normally HTTPS. I was able to find the credentials in the SSLStrip logs using the following command in the terminal.
grep -a sitename mitmap-sslstrip.log | grep passwd --color=always
This command searches the log for lines containing the site name, then narrows those to lines containing the string "passwd" and highlights the match. The -a argument processes a binary file as if it were text. This is necessary because the generated log is a data file.
And just like that, we've turned someone's trust in an unknown wireless network into an intercepted network credential!
MitmAP saves a lot of time in configuration. As with any script that configures your system to operate in a certain manner, you do lose out on some customizability when doing things this way. The tool is very powerful though! While I was working with MitmAP, I started getting other connections to my access point, which were happily passing data around in the clear. I killed the AP, scrubbed the logs, and restarted with WPA2 enabled, yet was still amazed at the various devices connecting.
Based on how quickly I got connections, I think the potential for a honeypot with this script is high! Even with the name evilAP, you will get connections. Many devices just look for WiFi all the time, with no concern for the network they are connecting to. Unfortunately, the same goes for people.
One thing to note is that MitmAP uses SSLStrip to attempt to downgrade HTTPS connections. This isn't one hundred percent reliable. The effectiveness seems to vary depending on the website the target visits and, in some cases, the browser. Even though you may not capture credentials for all sites, sometimes one successful capture is all it takes. Using the MitmAP log files, you will be able to piece together other sites visited and try any captured credentials on those sites too.
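The sites that "force encryption" in Step 3 and the site-dependent reliability noted here have a common explanation: HTTP Strict Transport Security (HSTS, RFC 6797). Once a browser has seen a valid Strict-Transport-Security header from a host, or ships the host in its preload list, it rewrites http:// requests to https:// before they leave the machine, so an on-path downgrade never takes effect. The following is an added example that is not part of the original post or of MitmAP: it parses that header and lists the remaining ways a stripping attacker could still win, which is the check a site owner runs to close them. The header values are constructed for the example.

```python
"""Assess how well a site's response headers resist SSL stripping.

Added example, not part of the original post or of MitmAP. The header
dictionaries below are constructed, not captured from any real site.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Browsers' preload lists require at least one year of max-age.
ONE_YEAR = 365 * 24 * 60 * 60


@dataclass
class HstsPolicy:
    present: bool = False
    max_age: int = 0
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(headers: Dict[str, str]) -> HstsPolicy:
    """Parse the Strict-Transport-Security header; header names are case-insensitive."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsPolicy()
    policy = HstsPolicy(present=True)
    for directive in value.split(";"):
        directive = directive.strip()
        match = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive, re.IGNORECASE)
        if match:
            policy.max_age = int(match.group(1))
        elif directive.lower() == "includesubdomains":
            policy.include_subdomains = True
        elif directive.lower() == "preload":
            policy.preload = True
    return policy


def assess_downgrade_exposure(headers: Dict[str, str]) -> List[str]:
    """Return the ways an SSL-stripping attacker could still reach a user of this site."""
    policy = parse_hsts(headers)
    exposures = []
    if not policy.present or policy.max_age == 0:
        # max-age=0 tells the browser to forget any cached policy, so it is as
        # good as no header at all.
        exposures.append("no effective HSTS: every http:// visit can be downgraded")
        return exposures
    if not policy.preload:
        # Until the browser has cached the header, the very first visit still goes
        # out over http:// and can be intercepted; only preloading closes that window.
        exposures.append("first visit unprotected: host is not marked for preloading")
    if policy.max_age < ONE_YEAR:
        exposures.append(f"short max-age ({policy.max_age}s): policy expires after idle periods")
    if not policy.include_subdomains:
        # Cookies scoped to the parent domain are sent to any subdomain, so an
        # unprotected subdomain reachable over http:// leaks them.
        exposures.append("subdomains unprotected: parent-domain cookies can leak over http://")
    return exposures


# Constructed sample responses for three sites.
SAMPLE_HEADERS = {
    "no-hsts": {"Content-Type": "text/html"},
    "weak":    {"Strict-Transport-Security": "max-age=300"},
    "strong":  {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_HEADERS.items():
        findings = assess_downgrade_exposure(headers) or ["no downgrade exposure found"]
        print(f"{name}: " + "; ".join(findings))
```

The "weak" sample is the interesting one: the header is present, so a returning visitor is protected for five minutes, but the first visit, any visit after a short absence and every subdomain remain exposed. That matches the behaviour observed above, where the same site survived the downgrade in one session and not another.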
As always, feel free to comment or ask questions, and follow me on Twitter for more infosec shenanigans @0xBarrow!