Online Digital Forensics Courses and Labs

Funded by National Science Foundation (NSF)
Funded by Florida Center for Cybersecurity (Cyber Florida) Capacity Building Program

Evil Twin Attack in WiFi Network


Instructor: Dr. Omar Nakhila,
                     Dr. Cliff Zou, 407-823-5015,


  • Knowledge of basic usage of Linux machine
  • Basic knowledge of wireless networking and TCP/IP

Goals of this tutorial:

  • Learn how to create wireless network using Linux OS.
  • Eavesdropping wireless communication.
  • Inject crafted wireless frames.

Software Needed:

  • Kali Linux  (download iso from here, or download virtual machine image from here).

Hardware Needed:

  • Attacker device : laptop with at least one wireless compatible interface card to act as the rouge access point (RAP). Refer to the following website for more information ( Link )
  • Client device : any wireless capable device that can act as a client device to target.
  • Access point : an access point to act as the legitimate access point (LAP).


Basic Introduction

Insecure Wi-Fi networks provide a tempting environment for attackers to initiate many attacks, one of them is called Evil Twin Attack (ETA) as illustrated in Figure 1. ETA refers to a Wi-Fi rogue access point (RAP) impersonating a legitimate access point (LAP) to eavesdrop wireless client WC’s Wi-Fi data. Since a Wi-Fi network can only be recognized by its SSID and MAC address, the attacker can set up a RAP with the same SSID of the LAP.



Figure 1 : Illustration of ETA scenarios. The RAP can successfully lure WC connecting to it instead of the LAP when it provides stronger/better signal to those WCs.

Furthermore, the attacker's RAP may have better and more powerful signal than the LAP, which will lure the WC to connect to it first. Once the WC is connected to the RAP, the attacker have two options to direct WC's data traffic to the Internet. First, the attacker can use another Wi-Fi interface card and connect to the LAP as a rogue wireless client (RWC). The attacker use the RWC to pass the WC traffic to the Internet. Both LAP and RAP use the same ISP gateway as shown in Figure 1a. Hence, we call this attack option as ETA using single ISP gateway.

The attacker has another option to avoid connecting to the LAP. Due to the increase in Internet access speed of mobile broadband connections, such as 4G Long Term Evolution (LTE) or WiMAX, the attacker can use her own cellular broadband link to connect the WC to the Internet. In this scenario, the attacker is placed between the RAP and her broadband connection as illustrated in Figure 1.b. We call this attack option as using different ISP gateways.

Selecting the Target

In this lab, we will implement Evil Twin Attack using different ISP gateways. The attacker can use his own hotspot, phone tethering or any other network connection to the Internet. The attacker use WiFi interface to create the RAP and use the other network interface to route data to the internet.

Using Kali linux terminal, we will list the current network interfaces by using the following command:


Figure 2 : Listing network interfaces in the attacker machine


Wlan0 is the wireless interface that will be used to create the evil twin access point.

eth0 is the attacker internet connection.

lo is the loop back interface.

To select a the target network and client, we will need to monitor the wireless traffic. Wlan0 interface will be placed in the monitoring mode. Airmon-ng software is being used to change the Wlan0 operation mode from managed to monitor. We need to terminate any application that may prevent the Wlan0 mode of operation change by using the following Linux commands:

#airmon-ng check kill


Figure 3 : Stopping applications that might prevent wlan0 operation mode change.

Wlan0 is ready to be placed into the monitoring mode by using the following Linux command.

#airmon-ng start wlan0 4


Figure 4 : Placing Wlan0 interface in the monitoring mode.


4 is the default operation channel in the 2.4 GHz spectrum. 

Wlan0 is the monitoring wireless interface.

A new virtual wireless interface with the name wlan0mon will be created.

At this point wlan0mon is in the monitoring mode. To start capturing wireless data, we will use the following command:

#airedump-ng wlan0mon


Figure 5 : Capturing wireless traffic. By default, airodump-ng hops on 2.4GHz channels.

From figure 5, the target network BSSID is 00:C0:CA:1C:75:4C and the client MAC address is 1C:99:4C:41:F2:A1. The client is already connected to the Free Cafe WiFi. The network is open with no wireless security.

Setup the Evil Twin WiFi

To start the fake access point, we used airebase-ng with the following switches.

# airbase-ng -c 4 -e "Free Cafe WiFi"  wlan0mon


Figure 6 : Creating Evil Twin access point with the same SSID of the LAP.


c 4 the channel of operation.
e "Free Cafe WiFi"   the WiFi name, SSID.

wlan0mon the monitoring wireless interface.

Airebase will create a new network interface, at0, that can be used to send and receive data from the evil twin access point. Airedump may be ran again to confirm the creation of the RAP.

# airedump-ng wlan0mon


Figure 7 : Confirm the creation of the Evil Twin access point.

The RAP is operational and we need to have a DHCP server running to provide the client with the evil twin network settings. DHCP server software needs to be installed on the attacker machine.

#apt-get install isc-dhcp-server

configure the DHCP server to provide the following subnet

#nano -w /etc/dhcp/dhcpd.conf


Figure 8 : DHCP server configuration.

Specifying what interface to be used by the DHCP

#nano -w /etc/default/isc-dhcp-server


Figure 9 : Selecting the interface that will be utilized by DHCP.

Bring at0 up and set a static IP address to it.

#ifconfig at0 up

Starting DHCP server

#service isc-dhcp-server start

Allow the attacker computer to route traffic to Internet

#echo 0 > /proc/sys/net/ipv4/ip_forward

Disconnecting the Wireless Client From the Real Access Point.

The client might automatically disconnect from the LAP and switch to the RAP when the RAP have more power. However, if the victim stayed connected to the RAP, the attacker can start the deauthincation attack using arieplay-ng

#aireplay-ng -0 0 -a 00:C0:CA:1C:75:4C -c 1C:99:4C:41:F2:A1 wlan0mon


Figure 10 : Disconnecting the client from the LAP.

The victim did disconnect from the real access point and connected automatically to the evil twin access point as shown in Figure 11

#airedump-ng wlan0mon


Figure 11 : The client is connected to the RAP instead of the LAP.

The client disconnected automatically from the LAP and connected to the RAP.

The attacker now can monitor the client data and apply man in the middle attacks. We used WireShark to capture and display the traffic generated by the client on the network adapter at0. From the client side, we did send ping request to



Figure 12 : Using WireShark to eavesdrop client traffic.

The client traffic is passing through the evil twin access point and captured by the WireShark. Wide spectrum of attacks can be applied such as (LINK).