With the ubiquity of WiFi devices, the ability to create a rogue access point (also known as an EvilAP) has never been more useful, or in the wrong hands, more dangerous. For a pentester, an EvilAP can be used not only to verify that client devices are not automatically connecting to unauthorized access points, but also to test whether the legitimate access points on the network can be spoofed without the users noticing.
Using EvilAP is fairly straightforward, but there are a few details and caveats you should be aware of for a successful deployment.
EvilAP Operating Modes
The EvilAP function can operate in two different modes: aggressive or static. The different modes have their own strengths and weaknesses, and selecting which one is appropriate for your task is important for best results.
In aggressive mode, EvilAP will listen for and answer any WiFi probe requests it receives. This allows EvilAP to spoof the SSID of whatever open networks the device has connected to previously. So if a user has his smartphone configured to automatically connect to his open home WiFi network named “linksys”, EvilAP’s aggressive mode will fool the device into thinking it’s connecting to the user’s home network.
The principal advantage of aggressive mode is that WiFi devices will automatically connect to the EvilAP without any user intervention, which makes it an excellent choice for performing spot checks in the test environment to find whether any client devices have been incorrectly configured to connect to open networks within range.
To enable aggressive mode, select 1 when asked if you’d like to force clients to connect based on their probe requests.
Additionally, you’ll be given the opportunity to specify a beacon rate to use when sending probe requests. The default is 30 milliseconds, but it can be adjusted between 20 and 70 milliseconds if you’re finding that devices are not reliably making and maintaining a connection to the EvilAP.
Note: Aggressive mode can become unstable when operating in areas of high WiFi traffic. Keep an eye out for error messages, and try adjusting the beacon rate to see if performance improves.
In static mode, EvilAP will advertise itself as a specific (user supplied) SSID and wait for devices to connect. This mode is useful when targeting a specific access point, and has the advantage of greater stability than aggressive mode.
Naturally, the SSID must be known ahead of time for static mode to operate. Accordingly, static mode is primarily useful when attempting to spoof a known access point during a pentest. It’s worth noting that valid SSIDs for use in static mode can first be found using EvilAP in aggressive mode.
Due to the more stable nature of static mode, it is the preferred mode to use when additional exploits are going to be run on top of the EvilAP.
Enabling static mode is simple: just give EvilAP an SSID to use, and it will handle the rest.
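Both modes leave a fingerprint that a wireless monitor can look for. As an added, defender-side example (not code from the article or from Pwnie Express), the following Python takes already-captured (bssid, ssid) records from probe responses or beacons and flags the two behaviours described above: one BSSID answering probes for many unrelated SSIDs (aggressive mode) and a managed SSID being advertised by a BSSID that is not in the inventory (static-mode spoofing). The sample records and the authorized-BSSID inventory are constructed.

```python
"""Flag rogue-AP behaviour in reduced 802.11 probe-response/beacon records.

Added example, not part of the original article or any Pwnie Express tool.
It assumes a sniffer has already reduced captured frames to (bssid, ssid)
pairs; everything below is constructed sample data.
"""
from collections import defaultdict

# Constructed sample: (bssid, ssid) pairs seen in probe responses / beacons.
SAMPLE_RECORDS = [
    ("aa:bb:cc:00:00:01", "CorpWiFi"),     # legitimate corporate AP
    ("aa:bb:cc:00:00:02", "CorpWiFi"),     # legitimate corporate AP
    ("de:ad:be:ef:00:01", "linksys"),      # one radio answering every probe
    ("de:ad:be:ef:00:01", "attwifi"),
    ("de:ad:be:ef:00:01", "CorpWiFi"),
    ("de:ad:be:ef:00:01", "xfinitywifi"),
    ("ca:fe:00:00:00:09", "CorpWiFi"),     # known SSID from an unknown BSSID
]

# Constructed inventory: which BSSIDs are allowed to serve each managed SSID.
AUTHORIZED_BSSIDS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


def ssids_per_bssid(records):
    """Group the set of SSIDs each BSSID has advertised."""
    seen = defaultdict(set)
    for bssid, ssid in records:
        seen[bssid.lower()].add(ssid)
    return seen


def find_probe_answerers(records, min_ssids=3):
    """Aggressive-mode fingerprint: a single BSSID responding with many
    unrelated SSIDs. Returns {bssid: sorted list of SSIDs} for offenders."""
    return {bssid: sorted(ssids)
            for bssid, ssids in ssids_per_bssid(records).items()
            if len(ssids) >= min_ssids}


def find_spoofed_ssids(records, authorized):
    """Static-mode fingerprint: a managed SSID coming from a BSSID that is
    not in the inventory. Returns a sorted list of (bssid, ssid) findings."""
    findings = set()
    for bssid, ssid in records:
        if ssid in authorized and bssid.lower() not in authorized[ssid]:
            findings.add((bssid.lower(), ssid))
    return sorted(findings)
```

In practice the min_ssids threshold should sit above the number of SSIDs a legitimate multi-SSID AP in the environment advertises.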
For a truly effective EvilAP deployment, Internet access is required so that it can be passed on to any victims that end up connecting to it. Aside from alerting the user to a problem, a lack of Internet access means the client won’t be able to communicate with any outside services, thus giving no opportunity to exploit it.
When using the Pwn Pad, you’ll have the option of using either the device’s 4G cellular modem, the internal WiFi, or an external Ethernet device.
Note: The internal WiFi radio (wlan0) will take routing preference over any other interface. Be sure that the Pwn Pad’s WiFi is not connected to any existing networks before attempting to use the other interfaces as a source of Internet connectivity.
With an EvilAP up and victims connecting to it without even realizing it, you now have the perfect platform from which to launch a myriad of other attacks and exploits. Since all of the user’s Internet traffic will be passing through your EvilAP, it’s possible to collect user credentials, falsify web pages, or simply monitor the victim’s every move online.