Results 1 to 4 of 4

Thread: [HOW-TO] Evil twin password phishing using Open-WRT

  1. #1
    Join Date

    [HOW-TO] Evil twin password phishing using Open-WRT

    This is a write-up on how I performed an Evil Twin attack to "phish" the WPA password from an access point using nothing but the gullability of the average comsumer and an OpenWRT router.

    I will not get into how to reprogram the router to OpenWRT as that is beyond the scope of this write-up. !!!DO NOT ASK!!!
    This may or may not be specific to the setup I am using and there are probably better ways of doing this, this is just how I did it.
    Also, this is not a n00b write-up and will require that you have some basic understandings of how OpenWRT works.

    With that said...

    This will start with an OpenWRT router factory default settings.

    Firstly, we need to change the ESSID to the target:

    Network -> Wifi -> Edit -> ESSID

    Change to the target ESSID then click Save & Apply.

    Next you must ssh to the device. (get used to it, a good portion of this is done in a shell).
    Type this into the shell.

    nvram set il0macaddr=[TARGET MAC]
    nvram commit
    Now we have the router set up as an evil-twin, but we still need to configure the captive portal.

    Install PHP(the router needs to be connected to internet for this step):

    opkg update
    opkg install php5
    opkg install php5-cgi
    Open /etc/config/uhttpd and reconfigure LuCI to a different port, say port 88(or whatever).
    Change the listen line in the "main":

    list listen_http
    Next step is we need to set up the uhttp server on port 80 to serve the pages we want(the captive portal).
    I have my own pre-made pages for Xfinity and Verizon(poorly done, i don't care, they have worked for me), I will pust a link to an upload for any who are interested.
    What I did was alter the router config pages so that any input into the password field is dumped into a text file on /tmp/data.txt via a php script.
    Add this to the bottom to start the captive portal server

    config uhttpd evilap
            list listen_http  
            option home             /www2
            list interpreter        ".php=/usr/bin/php-cgi"
    Note now you must type whatever port you chose) to connect to LuCI now.

    Create a directory called /www2 and place all files to be served in it.

    Now for making the captive portal captive: making EVERY address resolve to a single IP... our router.


    echo "address=/#/" >> /etc/dnsmasq.conf
    Reboot the device.

    Now, if you use the files i made, all inputed passwords will be dumped into /tmp/data.txt

    Here is the directory i made:

    This may need some cleanup, let me know if this works for anyone else.

  2. #2
    Join Date
    To aanarchyy

    Just for our own clarity here.

    When you say reprogram the router to OpenWrite do you mean overwriting the existing router firmware with OpenWrite.

    We are not asking you how as that is well covered by OpenWrite however we would like any routers you recommend.


  3. #3
    Join Date

    Yes, you will need to completely reflash the router to do this.
    Specifically the router I did this with was a WRT54GS v2 though any router that can run openwrt should work just fine.

    I've also gotten this to work on my vocore.

  4. #4
    Join Date
    soory for my english its not my native i just ask annarchyy if theres a youtube videos same like yours to watch you recommend. so i watch and fully understand i want to test im interested because i have a router wrt stock i did not use so i can use it thank you more power to you.

Similar Threads

  1. Evil Twin Attack
    By Jamesthomas in forum General Archive
    Replies: 5
    Last Post: 2015-10-19, 23:11

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts