Evil Twin

Evil Twin [T1557.004]

Information

Name: Evil Twin
ID: T1557.004
Tactics: TA0006, TA0009
Technique: T1557

Introduction

The Evil Twin technique (T1557.004) is a sub-technique within the MITRE ATT&CK framework under the Adversary-in-the-Middle (AiTM) tactic. It involves adversaries setting up rogue wireless access points (APs) that masquerade as legitimate Wi-Fi networks to intercept, manipulate, or monitor network traffic. These malicious APs typically have identical or very similar Service Set Identifiers (SSIDs) as legitimate networks, tricking users into connecting unknowingly and enabling attackers to carry out further exploitation or data collection.

Deep Dive Into Technique

The Evil Twin attack involves an adversary deploying a malicious wireless AP that closely resembles an authentic network, exploiting users' trust and familiarity. Technical execution typically includes the following steps:

Reconnaissance and Information Gathering:
- Identifying legitimate wireless networks in the target area.
- Collecting SSIDs, authentication methods (e.g., WPA2, WPA3), and signal strengths.
Deployment of Rogue AP:
- Configuring a malicious AP with identical SSID and similar MAC address to legitimate AP.
- Using specialized hardware (e.g., Wi-Fi Pineapple, Alfa network adapters) and software tools (e.g., hostapd, Airbase-ng) to create a convincing imitation.
Signal Strength Manipulation:
- Boosting signal strength or strategically placing rogue AP closer to targeted users to encourage connections.
- Using signal interference or jamming techniques to degrade legitimate AP signals.
Authentication and Credential Harvesting:
- Setting up captive portals to prompt users for authentication credentials.
- Capturing WPA/WPA2 handshake information to perform offline brute-force attacks.
Traffic Interception and Manipulation:
- Implementing man-in-the-middle (MitM) techniques to intercept, monitor, and alter user traffic.
- Leveraging tools such as Wireshark, Ettercap, Bettercap, or Burp Suite to analyze and exploit intercepted data.
Persistence and Further Exploitation:
- Maintaining persistent access to victim devices and networks.
- Using intercepted credentials and sensitive data for lateral movement, privilege escalation, or further targeted attacks.

When this Technique is Usually Used

Attackers typically deploy Evil Twin attacks during various stages and scenarios, including:

Initial Access Stage:
- Gaining unauthorized access to sensitive networks by capturing user credentials or network authentication information.
Credential Access Stage:
- Harvesting usernames, passwords, and authentication tokens from unsuspecting users.
Reconnaissance and Information Gathering:
- Collecting network traffic, sensitive corporate information, or personally identifiable information (PII) to facilitate targeted attacks.
Public and Semi-Public Environments:
- Targeting users in airports, hotels, cafes, conferences, or corporate facilities where free Wi-Fi is commonplace.
Targeted Attacks on High-Value Individuals:
- Specifically targeting executives, IT administrators, or government officials to obtain confidential or sensitive information.
Red Team Engagements:
- Employed by penetration testers or red team exercises to test organizational security posture and user awareness.

How this Technique is Usually Detected

Organizations can detect Evil Twin attacks through several methods, tools, and indicators of compromise (IoCs):

Wireless Intrusion Detection Systems (WIDS):
- Detecting multiple APs broadcasting identical SSIDs or unusual AP behaviors.
- Tools like Kismet, AirMagnet, or Cisco Wireless Intrusion Prevention System (wIPS).
Network Monitoring and Analysis:
- Monitoring network traffic for anomalies, unexpected authentication requests, or unusual DNS queries.
- Analyzing network packet captures with Wireshark, Zeek (formerly Bro), or Suricata to identify suspicious activities.
Client-Side Detection:
- Endpoint security solutions detecting unusual wireless network connections or unexpected changes in network configurations.
- Monitoring client devices for automatic connection attempts to unknown or malicious APs.
Indicators of Compromise (IoCs):
- Presence of rogue APs with identical SSIDs but different MAC addresses.
- Unusual SSL/TLS certificate warnings or mismatches during secure connections.
- Sudden influx of authentication attempts or captive portal prompts in known environments.
User Reports and Awareness:
- Reports from users experiencing unexpected wireless connection issues or suspicious login prompts.
- Security awareness training prompting users to report unusual Wi-Fi behavior.

Why it is Important to Detect This Technique

Early detection of Evil Twin attacks is crucial due to the significant risks and potential impacts on organizations and individuals:

Credential Theft and Unauthorized Access:
- Attackers can harvest sensitive credentials, enabling unauthorized access to corporate resources, emails, cloud services, and critical infrastructure.
Data Interception and Exfiltration:
- Attackers intercept sensitive communications, intellectual property, financial data, or personal information, potentially leading to data breaches and compliance violations.
Man-in-the-Middle Attacks:
- Adversaries can manipulate network traffic, inject malicious payloads, or redirect users to malicious websites, significantly increasing the risk of malware infections or ransomware attacks.
Reputation and Financial Impact:
- Organizations suffering data breaches or credential theft may experience significant reputational harm, financial losses, regulatory penalties, and loss of customer trust.
Operational Disruption:
- Evil Twin attacks can disrupt legitimate network operations, causing outages, connectivity issues, and reducing productivity.
Insider Threat Facilitation:
- Attackers leveraging stolen credentials or intercepted communications may facilitate insider threats, lateral movement, and privilege escalation within networks.

Examples

Several real-world examples illustrate the execution and impact of Evil Twin attacks:

Wi-Fi Pineapple Attacks:
- Security researchers and attackers frequently utilize Hak5's Wi-Fi Pineapple device to create convincing rogue APs, intercept traffic, and harvest credentials during penetration testing engagements or malicious attacks.
Hotel and Airport Wi-Fi Attacks:
- Attackers have deployed rogue APs in hotels, airports, and conference centers, capturing sensitive corporate data, login credentials, and personal information from business travelers and executives.
DEF CON Wi-Fi Village Demonstrations:
- Security professionals at DEF CON's Wi-Fi Village routinely demonstrate Evil Twin attacks, highlighting the ease of execution, potential risks, and methods for detection and prevention.
Corporate Espionage Incidents:
- Documented cases where attackers deployed Evil Twin APs near corporate headquarters, targeting employees to intercept confidential communications, steal intellectual property, or gain persistent access to internal networks.
Government and Diplomatic Targeting:
- State-sponsored threat actors have used Evil Twin techniques against diplomatic personnel and government officials, aiming to intercept sensitive communications, credentials, and classified information.

These examples underline the importance of awareness, technical defenses, and proactive detection measures to mitigate risks associated with Evil Twin attacks.

Last updated 10 days ago

Was this helpful?

Introduction

Deep Dive Into Technique

Reconnaissance and Information Gathering:

Identifying legitimate wireless networks in the target area.
Collecting SSIDs, authentication methods (e.g., WPA2, WPA3), and signal strengths.

Deployment of Rogue AP:

Configuring a malicious AP with identical SSID and similar MAC address to legitimate AP.
Using specialized hardware (e.g., Wi-Fi Pineapple, Alfa network adapters) and software tools (e.g., hostapd, Airbase-ng) to create a convincing imitation.

Signal Strength Manipulation:

Boosting signal strength or strategically placing rogue AP closer to targeted users to encourage connections.
Using signal interference or jamming techniques to degrade legitimate AP signals.

Authentication and Credential Harvesting:

Setting up captive portals to prompt users for authentication credentials.
Capturing WPA/WPA2 handshake information to perform offline brute-force attacks.

Traffic Interception and Manipulation:

Implementing man-in-the-middle (MitM) techniques to intercept, monitor, and alter user traffic.
Leveraging tools such as Wireshark, Ettercap, Bettercap, or Burp Suite to analyze and exploit intercepted data.

Persistence and Further Exploitation:

Maintaining persistent access to victim devices and networks.
Using intercepted credentials and sensitive data for lateral movement, privilege escalation, or further targeted attacks.

When this Technique is Usually Used

Attackers typically deploy Evil Twin attacks during various stages and scenarios, including:

Initial Access Stage:

Gaining unauthorized access to sensitive networks by capturing user credentials or network authentication information.

Credential Access Stage:

Harvesting usernames, passwords, and authentication tokens from unsuspecting users.

Reconnaissance and Information Gathering:

Collecting network traffic, sensitive corporate information, or personally identifiable information (PII) to facilitate targeted attacks.

Public and Semi-Public Environments:

Targeting users in airports, hotels, cafes, conferences, or corporate facilities where free Wi-Fi is commonplace.

Targeted Attacks on High-Value Individuals:

Specifically targeting executives, IT administrators, or government officials to obtain confidential or sensitive information.

Red Team Engagements:

Employed by penetration testers or red team exercises to test organizational security posture and user awareness.

How this Technique is Usually Detected

Organizations can detect Evil Twin attacks through several methods, tools, and indicators of compromise (IoCs):

Wireless Intrusion Detection Systems (WIDS):

Detecting multiple APs broadcasting identical SSIDs or unusual AP behaviors.
Tools like Kismet, AirMagnet, or Cisco Wireless Intrusion Prevention System (wIPS).

Network Monitoring and Analysis:

Monitoring network traffic for anomalies, unexpected authentication requests, or unusual DNS queries.
Analyzing network packet captures with Wireshark, Zeek (formerly Bro), or Suricata to identify suspicious activities.

Client-Side Detection:

Endpoint security solutions detecting unusual wireless network connections or unexpected changes in network configurations.
Monitoring client devices for automatic connection attempts to unknown or malicious APs.

Indicators of Compromise (IoCs):

Presence of rogue APs with identical SSIDs but different MAC addresses.
Unusual SSL/TLS certificate warnings or mismatches during secure connections.
Sudden influx of authentication attempts or captive portal prompts in known environments.

User Reports and Awareness:

Reports from users experiencing unexpected wireless connection issues or suspicious login prompts.
Security awareness training prompting users to report unusual Wi-Fi behavior.

Why it is Important to Detect This Technique

Early detection of Evil Twin attacks is crucial due to the significant risks and potential impacts on organizations and individuals:

Credential Theft and Unauthorized Access:

Attackers can harvest sensitive credentials, enabling unauthorized access to corporate resources, emails, cloud services, and critical infrastructure.

Data Interception and Exfiltration:

Attackers intercept sensitive communications, intellectual property, financial data, or personal information, potentially leading to data breaches and compliance violations.

Man-in-the-Middle Attacks:

Adversaries can manipulate network traffic, inject malicious payloads, or redirect users to malicious websites, significantly increasing the risk of malware infections or ransomware attacks.

Reputation and Financial Impact:

Organizations suffering data breaches or credential theft may experience significant reputational harm, financial losses, regulatory penalties, and loss of customer trust.

Operational Disruption:

Evil Twin attacks can disrupt legitimate network operations, causing outages, connectivity issues, and reducing productivity.

Insider Threat Facilitation:

Attackers leveraging stolen credentials or intercepted communications may facilitate insider threats, lateral movement, and privilege escalation within networks.

Examples

Several real-world examples illustrate the execution and impact of Evil Twin attacks:

Wi-Fi Pineapple Attacks:

Security researchers and attackers frequently utilize Hak5's Wi-Fi Pineapple device to create convincing rogue APs, intercept traffic, and harvest credentials during penetration testing engagements or malicious attacks.

Hotel and Airport Wi-Fi Attacks:

Attackers have deployed rogue APs in hotels, airports, and conference centers, capturing sensitive corporate data, login credentials, and personal information from business travelers and executives.

DEF CON Wi-Fi Village Demonstrations:

Security professionals at DEF CON's Wi-Fi Village routinely demonstrate Evil Twin attacks, highlighting the ease of execution, potential risks, and methods for detection and prevention.

Corporate Espionage Incidents:

Documented cases where attackers deployed Evil Twin APs near corporate headquarters, targeting employees to intercept confidential communications, steal intellectual property, or gain persistent access to internal networks.

Government and Diplomatic Targeting:

State-sponsored threat actors have used Evil Twin techniques against diplomatic personnel and government officials, aiming to intercept sensitive communications, credentials, and classified information.

These examples underline the importance of awareness, technical defenses, and proactive detection measures to mitigate risks associated with Evil Twin attacks.