Evil Twin Detector (ETD)
Written by: Mike Cromwell
The Evil Twin Detector monitors for devices that are trying to spoof your existing wireless access points. If any are found, a notification is sent by email and/or syslog over UDP.
Requirements
Software
- Linux (could potentially run on other POSIX systems)
- Python 2.7
- systemd
- pip
Wireless Adapter
A wireless adapter that supports monitor mode is required. I have been using the Alfa AWUS051NH and have managed to get this working on both the 2.4 and 5 GHz bands. I would imagine any of the usual wireless adapters that get mentioned for hacking on Kali would work fine.
Install
git clone https://github.com/stavinski/etd.git && cd etd
ETD can run in two modes: standalone, or as a systemd daemon service.
Standalone
sudo python etd.py
Note that the script must be run as root.
Service
sudo ./setup.sh install
The existing etd.yaml config file will be copied into /etc/etd, so any changes made for the service should be made there and the service restarted.
Configuration
ETD uses a YAML config file. When you clone the repo it contains a baseline version called etd.yaml; these settings will need to be tailored to your environment.
Global
- include_5ghz: (bool) whether the 5 GHz band is also monitored
- wlan_iface: (string) defaults to 'wlan0'; set this to the interface associated with your wireless adapter
- mon_iface: (string) defaults to 'mon0'; this is the name the created monitor interface will use, change it only if it conflicts with an existing interface
- 5ghz_channels: (list) the 5 GHz channels to scan; this can be changed for your region
Logging
- level: (string) defaults to 'WARN', but can be changed to standard logging levels
- name: (string) defaults to 'Evil Twin Detector'
SMTP
- enabled: (bool) defaults to No
- server: (string) defaults to 'localhost'
- port: (int) defaults to 25
- user: (string) defaults to EMPTY
- password: (string) defaults to EMPTY
- from: (string) defaults to 'etd@localhost'
- to: (string) defaults to 'root@localhost'
- subject: (string) defaults to 'ETD DETECTION'
Syslog
- enabled: (bool) defaults to No
- server: (string) defaults to 'localhost'
- port: (int) defaults to 514
Ignores
Contains a list of MAC addresses (BSSIDs) of the wireless access points you expect to be broadcasting an SSID you are pattern matching against, so that your own access points are not reported as false positives.
Patterns
Contains a list of strings that are pattern matched against each broadcast SSID, so that only devices actively trying to spoof your known wireless access points are reported.
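The detection rule the Ignores and Patterns sections describe, applied to a constructed list of observed beacons, as an added example that is not code from the ETD project. The config is mirrored as a Python dict with the sections documented above (the exact YAML key names, the regular-expression semantics of patterns and the syslog line format are assumptions); the MAC addresses and SSIDs are constructed sample data. Unlike etd.py this does not create a monitor interface or capture frames, it only shows what gets flagged once beacons have been observed.

```python
# Added example, not part of ETD: applies the README's Ignores/Patterns
# rule to constructed beacon observations and formats a syslog alert.
import re

# Mirrors the documented config sections as a dict. The real ETD reads
# etd.yaml; the lower-case section/key names used here are an assumption.
CONFIG = {
    "global": {"include_5ghz": True, "wlan_iface": "wlan0", "mon_iface": "mon0",
               "5ghz_channels": [36, 40, 44, 48]},
    "logging": {"level": "WARN", "name": "Evil Twin Detector"},
    "smtp": {"enabled": False, "server": "localhost", "port": 25, "user": "",
             "password": "", "from": "etd@localhost", "to": "root@localhost",
             "subject": "ETD DETECTION"},
    "syslog": {"enabled": True, "server": "localhost", "port": 514},
    # Constructed, locally administered MACs standing in for your real APs.
    # Mixed separators show that ignores are normalised before comparison.
    "ignores": ["02:00:00:00:00:01", "02-00-00-00-00-02"],
    # Treated as case-insensitive regular expressions (assumption).
    "patterns": ["^CorpWiFi$", "^Corp-Guest"],
}

# Constructed beacon observations: (ssid, bssid, channel).
SAMPLE_BEACONS = [
    {"ssid": "CorpWiFi", "bssid": "02:00:00:00:00:01", "channel": 6},    # your 2.4 GHz AP
    {"ssid": "CorpWiFi", "bssid": "02:00:00:00:00:02", "channel": 36},   # your 5 GHz radio
    {"ssid": "CorpWiFi", "bssid": "02:00:00:00:AA:01", "channel": 6},    # unknown BSSID
    {"ssid": "corpwifi", "bssid": "02:00:00:00:AA:02", "channel": 11},   # case variant
    {"ssid": "CoffeeShop", "bssid": "02:00:00:00:BB:01", "channel": 1},  # unrelated SSID
    {"ssid": "CorpWiFi", "bssid": "02:00:00:00:AA:01", "channel": 6},    # repeat beacon
    {"ssid": "Corp-Guest-5G", "bssid": "02:00:00:00:AA:03", "channel": 40},  # 5 GHz only
]


def normalize_mac(mac):
    """Return a lower-case, colon-separated MAC so differently written
    addresses (02-00-.. vs 02:00:..) compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def matching_pattern(ssid, patterns):
    """Return the first pattern that matches the SSID, or None."""
    for pattern in patterns:
        if re.search(pattern, ssid, re.IGNORECASE):
            return pattern
    return None


def detect_evil_twins(beacons, config):
    """Flag beacons whose SSID matches a pattern but whose BSSID is not one
    of the access points listed under ignores. Each BSSID is reported once;
    5 GHz channels (above 14) are skipped when include_5ghz is off."""
    ignores = set(normalize_mac(m) for m in config["ignores"])
    include_5ghz = config["global"]["include_5ghz"]
    reported = set()
    detections = []
    for beacon in beacons:
        if beacon["channel"] > 14 and not include_5ghz:
            continue
        bssid = normalize_mac(beacon["bssid"])
        if bssid in ignores or bssid in reported:
            continue
        pattern = matching_pattern(beacon["ssid"], config["patterns"])
        if pattern is None:
            continue
        reported.add(bssid)
        detections.append({"ssid": beacon["ssid"], "bssid": bssid,
                           "channel": beacon["channel"], "pattern": pattern})
    return detections


def syslog_message(detection, config):
    """RFC 3164 style line for the UDP syslog notifier. PRI 12 is facility
    user (1*8) plus severity warning (4); the wording is constructed."""
    return "<12>%s: possible evil twin %s broadcasting SSID %r on channel %d (matched %r)" % (
        config["smtp"]["subject"], detection["bssid"], detection["ssid"],
        detection["channel"], detection["pattern"])


if __name__ == "__main__":
    for found in detect_evil_twins(SAMPLE_BEACONS, CONFIG):
        print(syslog_message(found, CONFIG))
```

Running it reports the three unknown BSSIDs (the two 2.4 GHz ones and the 5 GHz guest twin) and stays silent for your own APs and the unrelated SSID; setting include_5ghz to False drops the channel 40 detection. The ignore list is keyed on BSSID rather than SSID because the SSID is exactly what an evil twin copies.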