A framework for pentesters that facilitates evil twin attacks as well as exploiting other wifi vulnerabilities
It uses hostapd-wpe to create the access point, so it is highly configurable.
It uses dnsmasq to run the dhcp and dns services.
It uses apache with help of dnsmasq to launch spoofed webpages as well as captive portals!
Packet sending and receiving is all done via Scapy!
I did a couple of video tutorials on the framework. Some basic use cases and a couple of actual demos.
Tutorial Playlist: https://www.youtube.com/watch?v=3HE4aVFF2Dc&list=PLwkyhOBmFMuo9sTQeVSh8IxDjtwsbYlQk New Youtube channel with more engineering endeavors: https://www.youtube.com/channel/UCBxzOQd2v9wWfiMDrf_RQ7A
The Evil Twin Framework is meant to replace all existing Wi-Fi hacking tools by integrating all features necessary for Wi-Fi penetration testing in one framework. The 3 core features needed are:
Packet Sniffing
Packet Injection
Access Point Creation
All Wi-Fi attacks can be implemented with one or a combination of these core features. By having this platform it will always be possible to contribute with new Wi-Fi attacks that depend on these features.
All Forms of Evil Twin AP
The Evil Twin Framework, with the help of hostapd can mimick any type of Wi-Fi Network. And by using the hostapd-wpe patch it is easy to get WPA-EAP credentials.
One can configure it as a catch-all honeypot to find out the encryption type of a network that was probed for.
One can even create a karma attack and mimick many networks with different ssids on the same Wi-Fi card (as long as it supports ap-mesh mode). This can be done manually, if you want different encryption types for different networks, or automatically. The automation works by sniffing for popular probe requests and then creating the most popular one according to how many virtual access points you Wi-Fi card supports.
Handshake and Credential Logging
As said before, with the help of hostapd-wpe WPA-EAP credential sniffing is easy!
You can also spoof DNS with dnsmasq and even create captive-portals to force browsers to your webpage!
You can sniff for WPA-Handshakes and even Half-WPA-Handshakes for ap-less password cracking!
Integrated Man-In-The-Middle
An Evil-Twin is nothing without a proper MITM arsenal!
The framework uses the mitmproxy library (https://mitmproxy.org/) to create a local proxy capable of custom Level3 packet manipulation! Some fun ones have already been implemented such as beef hook injection into someones webpage, download content replacement with other files (idea stolen from the Wi-Fi Pumpkin Project: https://github.com/P0cL4bs/WiFi-Pumpkin/). And my favorite: .exe file infection with PEInjector. PEInjector does a great job by seemlessly injecting a payload into an exe file without changing its size while at the same time obfuscating the payload to pass AV software.
You can easily contribute and/or make your own custom MITM packet manipulation and add it to the framework. More information will be in the wiki.
Wi-Fi Reconossaince
The framework is able to sniff for access points, probe requests and responses and associating them to Wi-Fi clients. You can also log all of this information.
Packet Injection
Packet Sniffing and Injection is all done via Scapy. This makes it possible to contribute with any feature that involves packet sniffing and custom packet assembly and injection.
For now the only packet injection feature is deauthentication packets since it is a nice thing to have when trying to catch WPA-Handshakes.
Spawners
Spawners are a great and easy way to use your custom tools in conjunction with the framework. Some tools have already been added since they make a lot of sense: Ettercap, Beef, MITMFramework and SSLStrip.
You can easily add your own, more information will be in the wiki.
Clone the project and run the setup file:
./setup
One of the MITM Plugins relies on peinjector service, this has to be installed manually following the instructions of the project.
First enter the ETF Console interface as root:
./etfconsole
For now there only is a console interface that is very easy to use and has tab completion! The whole thing will work according to the etf.conf file. You can view and change all configurations via de console, just type:
config <press double tab>
to list the modules available for configuration. While working on the console type:
listargs
to view the available parameters (here you can check if configurations are OK), then type:
set <parameter> <value>
to change it.
If a parameter is (dict) it means it is another configurable module within.
To start an access point make sure you have it configured correctly, type:
config airhost
check if everything is OK (use listargs)
config aplauncher
check if everything is OK (use listargs)
config dnsmasqhandler
check if everything is OK and start the access point
start airhost
You can also configure an access point by copying one that is nearby. Start scanning:
config airscanner
check if everything is OK (use listargs)
start airscanner
... wait ...
show sniffed_aps
This lists the sniffed access points with their ids
copy ap <id>
OR
show sniffed_probes
copy probe <id>
Then start the fake access point
start airhost
You can deauthenticate others from their network while running the acces point. To add access points or clients to be deauthenticated type:
show sniffed_aps
add aps <filter_string>
The filter_string follows an easy syntax, it goes:
<filter_keyword> <filter_args>
The args can be any of the column names listed in the table. The filter keywords are 'where' for inclusive filtering or 'only' for exclusive filtering, examples:
This will add the access point whose id is 5 to the deauthentication list (this is adding a single and specific AP):
add aps where id = 5
This will add the access point whose ssid is 'StarbucksWifi' to the deauthentication list:
add aps where ssid = StarbucksWifi
This will add the access point whose encryption type has 'wpa' OR 'opn' to the deauthentication list:
add aps where crypto = wpa, crypto = opn
This will add the access point whose ssid id 'freewifi' AND is on channel 6 to the deauthentication list:
add aps only ssid = freewifi, channel = 6
You can use the same interface for injecting packets while running the fake access point. You can check and set configurations with:
config airinjector
listargs
After all that run the Injector (which by default performs Deauthentication attack):
start airinjector
Same can be done when deleting from the deauth list with the 'del' command. The 'show' command can also be followed by a filter string
Contributors can program Plugins in python either for the airscanner or airhost or airdeauthor. Contributors can also code MITM scripts for mitmproxy.