Tools of the Trade: Evil Twin Attack with Hak5 Wi-Fi Pineapple — Part 1

Crashwire
6 min read · Jan 5, 2024


Disclaimer: The content of this article is strictly for research and educational purposes only. Each system/tool was accessed with the express permission of the owner.

Introduction

In the intricate tapestry of cybersecurity threats, the “Evil Twin Attack” stands out as a cunning and deceptive exploit that can wreak havoc on an unsuspecting victim, eager to utilize an open Wi-Fi network. Though the tools and specific tactics may vary, the fundamentals of this attack involve the creation of a rogue Access Point (AP) that masquerades as a legitimate network, enticing unsuspecting devices to connect, and ultimately exploiting various vulnerabilities via spoofed captive portals, sniffing network traffic, capturing handshakes, or other targeted data.

This is one of the more commonly known examples of an On-Path Attack (formerly known as a Man-in-the-middle attack). For the purpose of this article series, we will focus on replicating a legitimate AP/spoofing a captive web portal in order to capture user credentials and subsequent network traffic.

Source: Crashwire

As mentioned earlier, one prerequisite for conducting this attack is the use of a specialized AP that the attacker has complete control of. A popular choice amongst threat actors is the Wi-Fi Pineapple MkVII: a compact device from Hak5 that empowers attackers with the ability to seamlessly craft a convincing duplicate of a trusted Wi-Fi network (in addition to multiple other functionalities).

Once a victim unwittingly connects to this deceptive Evil Twin AP, the attacker gains an immediate gateway to eavesdrop on communications, intercept sensitive data, or even launch more sophisticated attacks.

What sets the Wi-Fi Pineapple apart is its amalgamation of simplicity and potency. Equipped with an intuitive user interface, this device automates the setup of the Evil Twin attack, making it accessible even to less experienced attackers. The tool exploits the inherent trust users place in their usual Wi-Fi connections, thereby elevating the potential impact of the attack.

Source: Hak5 WiFi Pineapple Mark VII Documentation

Wi-Fi Pineapple setup and configuration

(Reference docs.hak5.org for more detailed configuration/troubleshooting documentation for all Hak5 products)

Before we can successfully launch the Evil Twin attack, there are a few preparatory steps that must be accomplished first, namely: AP Setup/Configuration, Target Reconnaissance, Captive Portal duplication, etc. The remainder of this article will primarily cover the pre-attack setup and configuration of the Wi-Fi Pineapple.

1 — Setup steps

a.) Power Up: Connect the WiFi Pineapple to a power source, such as a USB power bank, a wall adapter, or directly to your computer, using the provided USB-C cable. If connected to your computer, press the button once to initialize the set-up process.

b.) Access Interface: Connect to the Wi-Fi Pineapple’s default SSID and access the management interface through a web browser using the default IP address (172.16.42.1:1471)

c.) Initial Configuration: After updating to the most recent firmware, follow the initial setup wizard to configure basic settings, such as creating a secure admin password and selecting an operation mode (Client, Access Point, or both). After familiarizing yourself with the UI, proceed to the next step.

2 — Target Reconnaissance Phase

Hak5 Pineapple Recon Network Scan Results Page

a.) Access Recon Module: Once the Wi-Fi Pineapple is configured, navigate to the recon module (Signified with the “Binoculars” icon). This tool is designed for scanning and analyzing the surrounding wireless networks, and will display various data points such as channel distribution, captured handshakes, etc.

b.) Conduct Network Environment Scan: Initiate a network scan using the recon tool. This process involves the Wi-Fi Pineapple passively listening to nearby wireless networks and collecting data with selectable options in both scan duration and intensity.

c.) Analyze Results: Review the scan results, which typically include information about nearby APs, their SSIDs, channels, signal strength, encryption methods, and clients connected to each AP.

  • Note SSIDs and Channels
  • Identify Open APs
  • Identify Weak Encryption

d.) Identify Target: Based on the scan results, formulate a plan for ethical hacking activities. This may include configuring the Wi-Fi Pineapple to mimic vulnerable APs for security testing purposes.
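The same scan data described in this phase is what a defender uses to spot an evil twin: a second AP advertising one of your SSIDs whose BSSID is not in your inventory, particularly when it is louder than the real AP or open where the real network is encrypted. The following Python is an added example, not code from this article or from Hak5. The comma-separated record format, the scan lines and the authorized inventory are all constructed for illustration; in practice the records would come from a wireless IDS or whatever scanner you run.

```python
"""Evil twin / rogue AP detector over Wi-Fi scan results (added example, constructed data)."""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class ApRecord:
    ssid: str
    bssid: str
    channel: int
    signal_dbm: int
    encryption: str  # e.g. "OPEN", "WPA2", "WPA3"


# Known-good inventory: SSID -> set of authorized BSSIDs (constructed sample values)
AUTHORIZED = {
    "CorpGuest": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "CorpStaff": {"aa:bb:cc:00:00:10"},
}

# Constructed scan output in a simple "ssid,bssid,channel,signal_dbm,encryption" format.
# The two de:ad:be:ef:* entries are the planted rogues.
SAMPLE_SCAN = """\
CorpGuest,aa:bb:cc:00:00:01,6,-60,OPEN
CorpGuest,aa:bb:cc:00:00:02,11,-67,OPEN
CorpGuest,de:ad:be:ef:00:01,6,-35,OPEN
CorpStaff,aa:bb:cc:00:00:10,36,-58,WPA2
CorpStaff,de:ad:be:ef:00:02,1,-40,OPEN
CoffeeShop,12:34:56:78:9a:bc,1,-70,OPEN
"""


def parse_scan(text):
    """Parse the constructed CSV-style scan format into ApRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, ch, sig, enc = (f.strip() for f in line.split(","))
        records.append(ApRecord(ssid, bssid.lower(), int(ch), int(sig), enc.upper()))
    return records


def find_evil_twins(records, authorized):
    """Return (ssid, bssid, reasons) for every AP that advertises one of our SSIDs
    from a BSSID we do not own. Extra reasons are added when the rogue is louder
    than every authorized AP or is open while the real network is encrypted."""
    findings = []
    by_ssid = defaultdict(list)
    for r in records:
        by_ssid[r.ssid].append(r)

    for ssid, aps in by_ssid.items():
        if ssid not in authorized:
            continue  # not one of our networks; nothing to compare against
        known = authorized[ssid]
        known_aps = [a for a in aps if a.bssid in known]
        strongest_known = max((a.signal_dbm for a in known_aps), default=None)
        real_is_encrypted = any(a.encryption != "OPEN" for a in known_aps)

        for ap in aps:
            if ap.bssid in known:
                continue
            reasons = ["bssid not in inventory"]
            if strongest_known is not None and ap.signal_dbm > strongest_known:
                reasons.append("stronger than every authorized AP")
            if ap.encryption == "OPEN" and real_is_encrypted:
                reasons.append("open while the real network is encrypted")
            findings.append((ssid, ap.bssid, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in find_evil_twins(parse_scan(SAMPLE_SCAN), AUTHORIZED):
        print(f"ALERT {ssid} from {bssid}: {'; '.join(reasons)}")
```

An inventory keyed by SSID is the minimum a defender needs; a stronger check also compares channel and the beacon's capability fields against the real AP, and a wireless IDS will do that continuously rather than on a one-off scan. Note that "CoffeeShop" is ignored because it is not in the inventory, so this detector only protects networks you own.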

3 — Pre-Attack Configuration

One variation of this attack relies upon the Evil Portal Module. The Evil Portal Module is a potent tool within the Hak5 WiFi Pineapple arsenal, designed for creating captive portals to deceive and intercept user credentials. This module enables attackers to craft convincing Wi-Fi portals that mimic legitimate login pages, enticing users to unwittingly provide sensitive information. Reference the following steps to utilize this technique:

a.) Download and Install Evil Portal Module: Navigate to the ‘Modules’ tab and locate the ‘Evil Portal’ package. The portal library serves as a repository of pre-configured and malleable captive portal templates. These templates mimic various authentic login interfaces, streamlining the process of creating deceptive portals during Evil Twin attacks.

WiFi Pineapple Evil Web Portal Module

By providing an interface that can support a selection of professionally crafted designs, the Portal Library simplifies the customization of captive portals, enhancing their authenticity and effectiveness in luring unsuspecting users to disclose sensitive information.

b.) Clone Target Captive Web Portal: Cloning a captive web portal involves replicating or mimicking the appearance and structure of a target portal. This process captures the HTML, CSS, and other essential components, creating a duplicate that appears indistinguishable from the authentic portal. An attacker could attempt to replicate the webpage manually, but would most likely prefer an automated solution by using tools such as HTTrack to rapidly crawl and clone the target portal.

Source: Wikipedia — HTTrack Web Crawler/Cloner

Alternatively, attackers may leverage portal templates from repositories (like the ones provided by kleo on GitHub), which offer pre-configured designs for various login interfaces. These cloned portals can then be hosted on the Hak5 WiFi Pineapple’s Evil Portal module, enabling attackers to deceive users into entering sensitive information.

In the context of an Evil Portal/Evil Twin attack, the cloned captive portal serves as a convincing bait, tricking users into unwittingly providing credentials or personal information, emphasizing the critical importance of robust security measures against such deceptive tactics.

*For the purpose of this demonstration, we will utilize a pre-configured template in Part 2, prior to launching the attack*

https://github.com/kleo/evilportals/
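Because a cloned portal is visually indistinguishable by design, the checks that actually help a user or an auditor are about where the page came from and where its login form sends credentials, not what it looks like. The following Python is an added example and is not part of this article, of the Evil Portal module, or of the kleo templates. The two sample pages, their URLs and the `audit_portal` function are constructed for illustration; the checks apply to any captive portal page you have already fetched.

```python
"""Captive portal credential-form audit (added example, constructed sample pages)."""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin
import ipaddress

# Field names that indicate the form is collecting a secret (constructed list)
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pin"}


class _FormCollector(HTMLParser):
    """Collect every <form> with its action, method and named <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            typ = (a.get("type") or "text").lower()
            if name:
                self._current["fields"].append((name, typ))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_portal(page_url, html):
    """Return (submit_url, reasons) for each form that asks for a credential.
    An empty reasons tuple means none of the red flags fired."""
    collector = _FormCollector()
    collector.feed(html)
    origin = urlparse(page_url)
    findings = []
    for form in collector.forms:
        asks_credential = any(
            typ == "password" or name in CREDENTIAL_FIELDS for name, typ in form["fields"]
        )
        if not asks_credential:
            continue
        target = urlparse(urljoin(page_url, form["action"]))
        reasons = []
        if target.scheme != "https":
            reasons.append("credentials submitted over plain HTTP")
        if target.hostname != origin.hostname:
            reasons.append(f"form posts to a different host ({target.hostname})")
        try:
            ipaddress.ip_address(target.hostname or "")
            reasons.append("form posts to a bare IP address, not a named portal host")
        except ValueError:
            pass  # a DNS name, which is what a real portal normally uses
        if form["method"] == "get":
            reasons.append("credentials would appear in the URL (GET form)")
        findings.append((target.geturl(), tuple(reasons)))
    return findings


# Constructed sample: a look-alike portal served from a bare IP over HTTP
SPOOFED_URL = "http://10.0.0.1/index.html"
SPOOFED_PAGE = """
<html><body><h1>Free Guest Wi-Fi</h1>
<form action="/capture.php" method="post">
  <input name="email" type="text">
  <input name="password" type="password">
  <input type="submit" value="Connect">
</form></body></html>
"""

# Constructed sample: a portal on a named host, posting over HTTPS to itself
LEGIT_URL = "https://wifi.example-hotel.com/login"
LEGIT_PAGE = """
<html><body>
<form action="https://wifi.example-hotel.com/auth" method="post">
  <input name="room" type="text">
  <input name="password" type="password">
</form></body></html>
"""

if __name__ == "__main__":
    for url, reasons in audit_portal(SPOOFED_URL, SPOOFED_PAGE):
        print(url, "->", "; ".join(reasons) or "no red flags")
```

Treat these as risk signals rather than verdicts: some legitimate venue portals also post over HTTP or to a bare IP, which is exactly why cloned portals are so effective. The stronger user-side signal is the one this check cannot see from HTML alone, namely whether the portal host presents a valid certificate for a name you recognise; a page that fails both tests deserves a second look before any password goes into it.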

Conclusion

In conclusion, this article delved into the insidious tactics of Evil Twin attacks and the formidable capabilities of the Hak5 WiFi Pineapple. We briefly walked through the steps of setting up the WiFi Pineapple, configuring the Evil Portal module, and understanding the nuances of cloning/spoofing a captive portal in anticipation of an Evil Twin attack.

By understanding these techniques, security professionals can better fortify networks against such threats, while penetration testers and security researchers can leverage this knowledge responsibly for the purpose of testing and educational exploration.

Understanding the intricacies of these tools not only enhances our defensive capabilities but also underscores the critical need for ethical conduct in the realm of cybersecurity.

Be sure to follow for Part 2, the exploitation demonstration!

Thanks for reading!