Hacking WPA-2 Key - Evil Twin Method (No Bruteforcing)
Hey guys!
This is a technique I've been using recently. It's a little more complex than usual; however, if you play your cards right you have pretty good chances.
This technique doesn't involve capturing handshakes at all. Check out the steps:
1. Identify target & do recon;
2. Clone the target network;
3. Redirect traffic on cloned AP to a service page (asking for the WPA-2 Key) -- this page has to be on point, convincing;
4. Deauthenticate the hosts on the original network, and wait 'till they connect to our cloned network;
Check out the video: http://vimeo.com/34309678
* Video made under controlled circumstances for educational purposes. ;]
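The cloning step above (same ESSID as the target, but a second BSSID and typically no WPA2 on the clone so the captive page can be served) leaves a signature that a defender can look for in ordinary site-survey data. The following detector is an added example, not code from the post or the video; the scan records and the authorised-BSSID inventory are constructed, and the record format is an assumption rather than the output of any particular tool.

```python
from collections import defaultdict

# Constructed scan records (assumed format: one dict per visible BSS, as a
# site survey or WIDS sensor might report). Not real network data.
SCAN = [
    {"essid": "HomeNet", "bssid": "AA:BB:CC:11:22:33", "channel": 6, "security": "WPA2", "signal": -45},
    # Constructed rogue: same name, open, different vendor prefix, stronger signal.
    {"essid": "HomeNet", "bssid": "DE:AD:BE:EF:00:01", "channel": 6, "security": "OPEN", "signal": -30},
    {"essid": "Cafe", "bssid": "00:11:22:33:44:55", "channel": 11, "security": "WPA2", "signal": -60},
    # Legitimate second radio of the same vendor: multiple BSSIDs alone are not an alert.
    {"essid": "Cafe", "bssid": "00:11:22:33:44:56", "channel": 1, "security": "WPA2", "signal": -62},
]

# Constructed inventory of authorised BSSIDs per SSID (an assumption: a real
# deployment would take this from the controller or an asset list).
KNOWN_BSSIDS = {"HomeNet": {"AA:BB:CC:11:22:33"}}


def oui(bssid):
    """First three octets of a MAC address: the vendor prefix (OUI)."""
    return bssid.upper()[:8]


def find_evil_twins(scan, known_bssids):
    """Return {(essid, bssid): [reasons]} for BSSs that look like clones.

    Three heuristics, each independent so a finding carries every reason:
      1. an OPEN BSS advertising a name that is also served with WPA/WPA2;
      2. a BSSID not in the authorised inventory for that SSID;
      3. a vendor prefix that differs from every authorised AP for that SSID.
    """
    by_essid = defaultdict(list)
    for rec in scan:
        by_essid[rec["essid"]].append(rec)

    findings = defaultdict(list)
    for essid, aps in by_essid.items():
        securities = {ap["security"] for ap in aps}
        protected = sorted(securities - {"OPEN"})
        authorised = {b.upper() for b in known_bssids.get(essid, set())}
        authorised_ouis = {oui(b) for b in authorised}

        for ap in aps:
            key = (essid, ap["bssid"].upper())
            if ap["security"] == "OPEN" and protected:
                findings[key].append(
                    "open AP using a name that is also served with " + ", ".join(protected))
            if authorised and ap["bssid"].upper() not in authorised:
                findings[key].append("BSSID not in the authorised inventory for this SSID")
            if authorised_ouis and oui(ap["bssid"]) not in authorised_ouis:
                findings[key].append("vendor prefix differs from every authorised AP")
    return dict(findings)


if __name__ == "__main__":
    for (essid, bssid), reasons in find_evil_twins(SCAN, KNOWN_BSSIDS).items():
        print(f"ALERT {essid} {bssid}")
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed data, only the open "HomeNet" clone is reported, with all three reasons; the two "Cafe" radios share a vendor prefix and security type and stay quiet. The first heuristic needs no inventory at all, which is what makes it usable on a laptop in a coffee shop as well as on a managed network.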
Re: Hacking WPA-2 Key - Evil Twin Method (No Bruteforcing)
Nice video! However, it relies on some social engineering, in which I have little trust. But then you never know...
Good post!
Re: Hacking WPA-2 Key - Evil Twin Method (No Bruteforcing)
Thanks man, appreciate the feedback!
I know how you feel about the social engineering... but bruteforcing is quite frustrating imo lol
Originally I wanted to find a way to clone a WPA-2 AP with the same BSSID and ESSID on a Karma-like router,
and just register the authentication key they tried to use... then I came up with this idea.
But yea... timing is key for this method =)
Happy New Year, guys
Re: Hacking WPA-2 Key - Evil Twin Method (No Bruteforcing)
Hello,
thanks for the great video and for the idea :))
The only thing (perhaps it's only me): since I installed the dhcp3-server my "alpha" has begun to have some problems... sometimes it goes down!!!! and I get a little "driver crash!"
Thanks, bye! :confused:
zimmaro the goat-brain!!
Re: Hacking WPA-2 Key - Evil Twin Method (No Bruteforcing)
Hey, very nice video!
Could you give a little more explanation regarding these commands, please?
Quote:
iptables --table nat --append POSTROUTING --out-interface [internet connection] -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
Redirect traffic:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [IP address:80]
iptables -t nat -A POSTROUTING -j MASQUERADE
I understand that you redirect all TCP traffic to port 80, but where does DNS come in?
Because you type google.com and you get redirected to your evil page :p
Do the domain names get resolved via your connection to the internet?
And do you redirect your victims once they initialise the HTTP connection? Am I correct?
Please help me understand this :)
Re: Hacking WPA-2 Key - Evil Twin Method (No Bruteforcing)
Hey Zimmaro!
Thanks for the feedback.
I have an Alfa also, the AWUS036NH - what I noticed is that the card locks on a channel if you don't specify otherwise.
That's why I restart the monitor interface in the middle of the video, using the following command:
airmon-ng start wlan0 [channel]
That way we can host the fake access point and do the deauthentication on the same card, using the at0 and mon0 interfaces.
Hope that helps =)
Re: Hacking WPA-2 Key - Evil Twin Method (No Bruteforcing)
Hey LHYX1!
You pretty much answered all your questions lol
We have one wireless connection to the internet and we want to bridge it with the cloned access point to give it internet access, so we use network address translation.
Just to clear it up, each number corresponds to command:
1) We specify the internet connection -- in my case, I used a tethered connection from my phone. That's our output interface. Think of packets heading out from the interface.
2) We forward the packets to our cloned access point.
Note: At this point, if you access the cloned AP you should have a normal internet connection. That's desirable, because you might want to implement sslstrip and such after the victim has given you the key... The cool part is we don't need to do ARP spoofing :)
3) Like you said, here we just redirect all TCP traffic to the evil page (our hosted Apache). I have also used dnsspoof to do this and it worked (again, no need for ARP spoofing). However, if you try to use ettercap you might break the cloned AP due to it altering iptables.
Basically the packets are altered when they arrive in the cloned AP from the AP connected to the internet.
Hope it helped! =)
Re: Hacking WPA-2 Key - Evil Twin Method (No Bruteforcing)
Where can we download the ''service page''? And the MSSQL database? Thanks