Evil Twin Attack: The Most Sinister Wifi Attack


Wi-Fi networks are designed by knowledgeable IT professionals but that doesn't mean that they are completely safe. Today, we'll show how a malicious twin attack could take Wi-Fi passwords and kick users off their preferred network, while creating a fake one. The victim is then forced to join the fake network, and provide the Wi-Fi password in order to gain internet access.

Although a more knowledgeable user could spot this kind of attack, it's actually quite efficient against people who aren't trained to spot suspicious activity on the network. The reason this is so effective is that the majority of users aren't sure what a genuine software update is, which leads to confusion when they realize the presence of an attack development.

What is an Evil Twin Attack?

An evil twin is form of Wi-fi attack which takes advantage of the majority of devices and smartphones, where one can only view just the "name" or ESSID of the wireless network. This can make it difficult to differentiate between wireless networks that have the same name, and the same type of encryption. 

Indeed the majority of networks include multiple network-extending access points that all share the same name, allowing for greater access, but without making it difficult for users to distinguish between them.

If you're interested in seeing what happens, make a Wi-Fi hotspot in your smartphone and label it with the same name as your home network. Once you do this, you'll find it difficult to discern the distinction between the two networks, or your computer might simply view both networks as being the same. 

A network sniffing tool for networks such as Wireshark or Tcpdump will clearly show the differences between these networks, however to the average person they will appear identical.

This is a great way to trick users into connecting if you have a network that has the identical name. But the problem here is, we don't have the password? We can't build a network to fool the user into connecting by itself, but we could use technique called  social engineering and attempt to make the user provide us with the password, by getting them removed from the actual network.

What is Fluxion?

Fluxion is a tool which can be used to conduct penetrating Testing and Security Auditing on Wireless Access Points (WAP). It employs Social Engineering to grab the authentication password from users.

It attempts to collect the WPA/WPA2 keys from the targeted Access Point by performing a Phishing attack. Two types of attacks can be carried out with Fluxion. One of these is an attack known as the Handshake Snooper attack, and the other is the Captive Portal.

We’ll talk more about these attacks in the coming paragraphs.

Step-1 Installing Fluxion

We now have a better understanding of the Fluxion tool's capabilities, so it is time for us to install it on our computer. This demonstration will be done with Kali Linux. 

Fluxion does not come with Kali Linux as a default, and there is no way to get it. We will need to clone its repository from Github. 

It contained directories like attacks, bin, docs, and docs as well as a shell script called fluxion.sh. In the previous versions, the file was different. Now you only need to add the parameter "-i" to install and check for dependencies.

git clone https://github.com/FluxionNetwork/fluxion.git

cd fluxion


./fluxion.sh -i


If you are a root user then you can directly use ./fluxion.sh , otherwise you need to use the command

sudo ./fluxion.sh

After using the above command, we'll be welcomed with the logo of the Fluxion, and it will automatically start examining the dependencies needed on its own. If any dependencies that are marked as missing, it's advised to install them yourself. 

In this particular instance we have all the dependencies installed , so we can now successfully run the tool.

Step-2 Selecting the Target 

After, the successful installation of the dependencies we would then be presented with a language selection menu. We'd like to select English so we'll enter the desired number in the selection menu , and then press the Enter.

We now need to choose which attack, we would like to carry out to an Access Point. We must record the handshake that occurs between the router in the network and the actual user. We will then use the handshake to verify and attempt to gain the credential needed to access  the Access Point. 

Therefore, we'll need to choose that Handshake Snooper. This Handshake Snooper attack attempts to recover the authentication hashes for WPA and/or WPA2 (the 4 way handshake) and then use them in the Captive Portal for key verification.

After choosing the wireless attack type, we need to select the Channel that is intended to be monitored. Because a large number of Wireless Access Points in current times can range from 2.4GHz to 5GHz, so we should select all channels within the range.

After selecting ‘Option 3’ , it will show a brand new window that is illustrated on the picture below. This is done after scanning every possible target within the network reach.

Make sure that you allow the process to continue for a few minutes until you can see your target within the window. Press Ctrl + C when you have located your target.

Step-3 Capturing a Handshake

After completing the previous step and terminating the fluxion scanner after discovering our target network, we are back on our main terminal. Based on the process we used previously we'll be able to access the Wi-Fi List with our target. In our example we will target the Intelliroot Wi-Fi. Therefore, we input the number in the next step.


We will now be asked about the interface for tracking targets. If, within your network you have a different wireless interface you wish to use to perform target tracking, then choose that interface. In our case, we're going to use the wlan0 interface to perform tracking too.

But I know most of you would be confused, so you can simply select the skip option and let fluxion decide it by itself. To make this tutorial much easier for you, we’ll be using the skip option.

Now, we are at a point in which we have to choose the method of handshake retrieval. There are three options offered by Fluxion. The first method is called Monitor or passive mode. The passive approach makes us go quiet, making the attack undetectable or invisible and allows for more effective listening. 

This technique is best when the target is located far away from us but the drawback is that the device has to listen until it is connected to the target access point. 

This could take a considerable amount of time. The two other methods, aireplay-ng deauthentication as well as mdk4 are extremely aggressive. They employ the deauthenticator. 

They send deauthentication packets to devices or users that are connected to the target access point. This method is a bit contentious since it blocks connections between access point and the users. 

When the connection is blocked or disconnected , a few users will attempt to connect with the device, which will transmit the 4-way handshake, however this time Fluxion will capture that handshake. 

It is your choice to use either of these methods as they work equally well. We will however make use of the mdk4 technique.

The next step is to choose which tool to use to check the hash of the authentic handshake. 

We can observe that the aircrack-ng approach is regarded as unreliable because it hasn't been updated in several years, so we’ll opt for the cowpatty method since it is suggested by Fluxion itself.

As we move down further, our steps become easier as fluxion keeps recommending the best options for us and we just have to choose them.

The next step is to choose the verifier's synchronicity. It determines the method of verification that happens with the recording of data. It asks whether we wish to record data asynchronously or synchronously.

It’s necessary to understand the difference between these two. 

Asynchronous: Asynchronous option will start the verification process while the system is taking in data. Because this is multitasking on an upper level, it requires more threads. If you're running an aggressive OS like Kali Linux direct on your system, then you are able to use it. However, if you're operating Kali Linux using a virtual Machine as we do, it may cause issues as there are a limited number of threads that can be used by Kali.

This Synchronous option will not capture data prior to trying to verify the handshake. Because this isn't multitasking, it won't cause problems when you have a low number of threads. There is however an issue with these options as they end the process of capturing data and you may lose some handshakes. But you needn’t worry as we had already decided to verify the verifier each 30 seconds and not miss any handshakes.

Go for the synchronous one if you are running kali on a VM, if you have a high specs system or have Linux directly installed as an OS then you should go with the asynchronous option.

Step-4 Gathering the Handshake/Handshake Snooper Attack

Now, the attack begins and a new window pops up. This window is called, “Handshake Snooper Arbiter Log”. This one is the log viewer.  

It shows the events in the order they start. The process of deauthenticating all clients will begin, and in a only a few minutes, all the customers will have been disconnected from their Wi-Fi devices. When any of these users or devices attempt to reconnect to the Wi-Fi, we'll be able to record the handshake. 

As, we see that the attack worked and we managed to obtain an acceptable hash. Now, we shut down the viewer in order to start the next phase of our attack.

As, we have recorded the handshake, it is possible to utilize this handshake for the Captive Portal Attack which is sometimes referred to in as The Evil Twin Attack. As, we close the Handshake Log window, we are asked whether we would like to choose an additional attack, as shown below. We will select the 1 option, as we want to start a new attack.

Step-5 Starting the Captive Portal Attack

Captive Portal Attack or as we usually refer to it The Evil Twin Attack, is the kind of attack in which we attempt to steal the access point's WPA/WPA2 password by utilizing a rogue internet using an authorization portal that collects the credentials. 

After having captured the handshake using Handshake Snooper the user will be again redirected to the main menu of fluxion like before. But this time we will this choose the Captive Portal.

Fluxion is an amazing tool as it had already detected the access point of our target after capturing the handshake.  So, we will select the Yes or ‘Y’ option.

Fluxion now requests us to choose an interface for target tracking.
 If you're in a location that has numerous wireless interfaces that could be used to tack select the one you prefer. If not, you can skip this step by selecting option 2.

Now we need to select the wireless connection that Fluxion will use to transmit the signals for de-authentication. Because we require a wireless interface, we'll select the wireless network wlan0. Don’t worry, you won’t be overwhelmed with so many interfaces as shown below, you would only have a few to choose from.

We now have to decide on the methods or tools to be used for deauthentication of Wi-Fi users. This is also based on the kind of environment and individual preferences.

Each of the three approaches is equally efficient. However, we'll be using the mdk4 method which we used while capturing handshake in step 3.

As mentioned earlier, we select the option that fluxion best recommends. Hence the 1st option, hostapd. There is also another reason for not choosing airbase-ng as it is slow compared to hostapd.

Now, we choose the hash verifier method. We’ll go with the option that fluxion recommends the best, i.e. cowpatty also this is the method we used earlier.

At this point we provide the captured handshake. If the handshake is in the form of a captured file (.cap) file, you can select the second option and then provide the correct path of the handshake file.

Since we captured the handshake using Handshake Snooper, the hash was automatically recognized by Fluxion. So, we selected the option of , ‘Use hash found’.

As we choose cowpatty in the previous steps, then we will again go with the same option and also it is the most favorable one.

Now, we are required to choose an SSL/TLS certificate source for our captive portal. You can select the deactivate SSL option, but this will cause suspicion since the general web portal that is used for captive uses SSL certificate. 

If you've got an SSL certificate, then fluxion will automatically detect it. As we don't possess one, we decided to create an SSL Certificate.

As this is a social engineering attack, we need to be as much precise as possible.

We must now choose the internet connection type for the rouge network users will connect to. As explained before we’ll go with the recommended option.

You can choose emulated option but sometimes it creates problem for android and iOS users also the portal doesn’t appear much authentic.

But if you choose the disconnected option then, when users connect to our network they will be presented with a portal that is captive. This  doesn’t mean that the disconnected option is perfect, instead it is less likely to fail.

The next step is to select our Portal template. As by default Fluxion has some amazing templates. In most of the situations, users would be deceived by these templates but sometimes it won’t work with cautious users. 

In our case we'll be using the general portal using English language.

Step-6 Capture Network Credentials

After the success of Captive Portal attack, fluxion will be able to de-authenticate all users from the targeted access point. Users will be removed from their Wi-Fi connection and be shown two networks. One is a real Network and the other is a fake network. 

The below image shows how the attack appears from the perspective of the victim. It is evident that there are two networks with the identical name Intelliroot. 

Now let's resume our attack. When we select the template for the network, we'll notice that multiple windows pop up. Let's have a look. 

The first one on the left is The DHCP Service. If the victim connects to our network it is the duty to the DHCP service to simulate the connection and assign the IP address for the victim's device. 

To the right, we will see an hostapd Window. This is our Captive Portal. It records the activities of our clients as they visit through our Captive Portal. 

To the right, we will are able to see an AP Authenticator window. It records information such as the SSID, MAC, and other details that are relayed by your device to the target's. We can track the attempts made by the user in case they enter the wrong password. You can view the list of clients that are connected to our network. 

Starting from the down left side, we've got an option to use the DNS Service. Because we don't provide internet connectivity, all DNS queries that are generated by your device be handled via this server. 

Moving on the right side, we can see the logs for the Web Service which is hosted by the victim. 

Finally, we are able to access our Jammer Service that is in charge of deauthenticating the different devices connected to the specifically targeted Access Point. 

As soon as the victim enters the right password for the target Access Point in the captive portal, we would be notified in the authenticator window and the attack will finish.

Let’s now look from our victim’s perspective. If you click the rouge network from the Wi-Fi tab in the previous step , the victim will be shown an in-browser interface that is based on the template we gave. 

It displays the correct name of this Access Point in the heading. It then asks for the WPA password from the victim and the victim is required to enter the password, which begins the process of the four-way handshake.

The hash of the password is verified with the correct hash that we have captured earlier. If the user typed in the wrong password then they are required to enter the new password until they are sure that the hash is matched.

Once the victim has entered the correct password to connect to the Access Point, the victim is then automatically moved from the fake AP to the authentic access point (AP), and the jammer or deauthenticator is stopped.

All users who were blocked are now able to connect to the correct access point. The captured password is saved at /home/kali/Desktop/fluxion/attacks/Captive Portal/netlog/ as demonstrated below.

Note: This address can be different for everyone as it depends on which directory you have your fluxion tool installed.


Step-7 Checking out the Password

Now we need to check out the saved password. For that we have to visit the location given by fluxion in the step above.

As, you can see how interesting this attack was and how easily hackers could manipulate you to give them the passwords for your network.

Defending against Evil Twin Attack

The best method of protecting against an Evil Twin attack is to educate yourself more about cyber security threats. There are also a few things to keep in mind like, If you suddenly lose the possibility of connecting to your trusted network , and suddenly discover an active wireless network bearing the identical name, they aren't a coincidence, nor an ordinary occurrence.

You could be a victim of the sinister Evil Twin Attack!

So, DO NOT ever connect to an unidentified wireless network that claims as your own, specifically one that is not encrypted. If you think you’re being frequently disconnected from your router then switch off your router and turn it on once again.

Thanks for reading this article. If you have any questions or doubts then please leave a comment and don’t forget to check out more of Intelliroot cyber security articles.

Written By,
Dhabaleshwar Das
(Security Analyst)

Post a Comment