Written by: Mike Cromwell
The Evil Twin Detector monitors for devices that are trying to spoof your existing wireless access points, if any are found a notification is sent by email and/or syslog over UDP.
- Linux (could potentially run on other posix systems)
- Python 2.7
- systemd
- pip
Wireless Adapter that supports monitoring, I have been using the Alfa AWUS051NH and have managed to get this working on both 2.4 & 5Ghz bands. I would imagine any of the usual wireless adapters that get mentioned for hacking on Kali would work fine.
git clone https://github.com/stavinski/etd.git && cd etd
ETD can run in 2 modes standalone or as a systemd daemon service.
sudo python etd.py
Note that the script must be ran as root.
sudo ./setup.sh install
The existing etd.yaml config file will be copied into /etc/etd so any changes made for the service should be made here and the service restarted
ETD uses a yaml config file, when you clone the repo it has a baseline version called etd.yaml, these will need to be tailored to your environment.
- include_5ghz: (bool)
- wlan_iface: (string) defaults to 'wlan0' but you will want this to be the iface associated with your wireless adapter
- mon_iface: (string) defaults to 'mon0' this is the name that the created monitor iface will use change only if it conflicts
- 5ghz_channels: (list) this can be changed for your region
- level: (string) defaults to 'WARN', but can be changed to standard logging levels
- name:* (string) defaults to 'Evil Twin Detector'
- enabled: (bool) defaults to No
- server: (string) defaults to 'localhost'
- port: (int) defaults to 25
- user: (string) defaults to EMPTY
- password: (string) defaults to EMPTY
- from: (string) defaults to 'etd@localhost'
- to: (string) defaults to 'root@localhost'
- subject: (string) defaults to 'ETD DETECTION'
- enabled: (bool) defaults to No
- server: (string) defaults to 'localhost'
- port: (int) defaults to 514
Contains a list of MAC addresses for wireless access points that you expect to be using an SSID you are pattern matching against so that you don't get false positives.
Contains a list of strings that should be pattern matched against the SSID being broadcast so that you can filter which devices are actively trying to spoof known wireless access points.