Tools of the Trade: Evil Twin Attack with Hak5 Wi-Fi Pineapple — Part 2

Disclaimer: The content of this article is strictly for research and educational purposes only. Each system/tool was accessed with the express permission of the owner.

Introduction

How many times have you visited a coffee shop to take a break from a busy day and connected to the free WiFi? Or had a long layover at a hectic airport and started browsing the web using the complimentary internet-access to pass the time? These seemingly innocuous and every-day occurrences are a foundation upon which threat actors rely while conducting an Evil Twin attack.

This article will demonstrate one possible tactic an attacker could use to gain a victim’s user credentials, by spoofing a legitimate captive web-portal and hosting it on the Evil Portal Module within the Hak5 WiFi Pineapple.

The set-up and configuration steps for both the WiFi Pineapple and the Evil Portal Module were previously covered in Part 1, as well as the Target Reconnaissance Phase. So if you haven’t read that yet, check it out here!

Pre-Attack Preparation Phase

Once the target reconnaissance is completed, the attacker makes the final edits to both the WiFi Pineapple access point and cloned web portal, to ensure accuracy and and maximum efficiency via the following steps:

• Edit WiFi Pineapple SSID to match the legitimate Access Point (AP)
• Alter WiFi Pineapple operating channel if needed

Both SSID, BSSID, and Channel broadcast configurations can be configured at the “Open AP” tab

• Position WiFi Pineapple in a high-traffic area/closer to users than the legitimate AP in order to provide the strongest signal
• Edit minor HTML/CSS details within the Evil Portal as needed, to ensure it matches the legitimate web portal (i.e., phone numbers, logos, location address, etc.) *Attention to detail makes the attack exponentially more effective*

Description: Editing HTML/CSS elements to ensure accurate replication of target web portal

After all final edits have been made, and the WiFi Pineapple is in place, the hacker is poised to launch the Evil Twin attack by activating the selected Evil Portal and initiating the Web Server.

Activate Portal -> Start Web Server -> Start -> View Log

Exploitation Phase

(WARNING: It’s crucial to note that engaging in the following activities without express authorization of the system owner is both illegal and unethical. This information is provided for educational purposes only)

• The victim notes the complimentary WiFi SSID and unwittingly connects to the deceptive Evil Twin network via their mobile device, since this network is both open (does not require a Pre-Shared Key) and has the strongest signal.

• Once the user connects, they are presented with the sign-in page below. The pre-configured Evil Portal mimics a legitimate login interface, prompting the victim to enter their credentials (email and password).

Web portal source

• Believing it to be an authentic connection, the victim unwittingly provides the sensitive information to the Evil Portal web page.
• The Hak5 WiFi Pineapple effectively logs, timestamps and stores the entered credentials (IP Address, Email, Password, Hostname, and MAC Address) in the Evil Portal (.logs) file.

• The attacker gains unauthorized access to the victim’s email and password, potentially compromising personal and sensitive information, and is now able to “sniff” (intercept) all network traffic from the connected victim.

Ramifications of Compromise

Once the attacker gains the user credentials, they could utilize potentially dozens of other vectors to pivot by gaining unauthorized access to various accounts and systems. This could involve attempting to log into the victim’s email, social media, or financial accounts.

Alternatively, the attacker might leverage the obtained credentials for more targeted and sophisticated attacks, such as spear-phishing or accessing sensitive corporate networks if the victim’s credentials are linked to work-related accounts.

Conclusion/Mitigation

To safeguard against such nefarious tactics, users must adopt a proactive stance. Avoiding connection to open networks without proper authentication and implementing encryption tools like Virtual Private Networks (VPNs) or ensuring the use of encrypted protocols (e.g. TLS) are essential measures.

Evil Twin Attack in action

Additionally, utilizing best-practices for account passwords (i.e. password complexity, Multi-Factor Authentication, password managers/avoiding password reuse, etc.) will provide an additional layer to the “defense-in-depth” concept, in the event a password is compromised.

As the digital landscape continues to evolve, understanding the tactics behind malicious tactics, such as the Evil Twin Attack, becomes imperative in enabling individuals and organizations alike to fortify their defenses against the ever-evolving specter of cyber-threats.

Thanks for reading! Follow me here on Instagram for more content