top of page

And Yet Another Weekend Post! (YAWP) In this article, we’ll show you how an attacker executes an Evil twin Attack to get cleartext WPA2 passphrase on automation using a rogue Access Point.

This can lead to several severe leakages of Information like domain social login passwords, credentials, credit card information etc.

Evil Twin Attack’s purpose is to eavesdrop on WiFi users to steal corporate or personal information without user’s knowledge.

We will not be using any automated script, rather we will understand the concept and perform it manually so that you can make your own script to automate the task and make it simple and usable on ordinary devices.

Let’s jump in!

Evil Twin Attack concept

in a nutshell🥜

1: Attacker sniffs the air for the target access point information. Information like Channel number, MAC Address and SSID name

Then, He uses that information to create an access point with the same characteristics, hence Evil Twin Attack.

2: Clients on the legitimate AP are repeatedly disconnected, forcing them to connect to the fake access point. (#Deauthentication attack)

3: As soon as the client is connected to the fake access point, He may start browsing the Internet.

4: Client opens up a browser window and sees a web administrator warning saying “Enter WPA password to download and upgrade the router software or something like that”

Step 5: When client enters the password, he will be redirected to a loading page and the password is stored in the MySQL database of the attacker machine. The persistent storage and active deauthentication make the Evil Twin attack automated.

An attacker can also abuse this automation by simply changing the webpage adapting its content to match language and region and sometimes interests of the victim. (This hackers are close to the danger of extinction! (as far as I know)😆)

Imagine the same WPA2 password warning is replaced by “Enter domain credentials to access network resources”. The fake AP will be up all time and storing legitimate credentials in persistent storage.

A WiFi user could be using a MacOS, Android, iOS,or a windows laptop. Almost every device is vulnerable to it.


Below is the following list of hardware and software used in creating this article. Use any hardware of your choice until it supports the software you’d be using.

Hardware used:
  • A Laptop (8GB RAM, Intel i7 processor)

  • Huawei 3G WiFi dongle for Internet connection to the Kali Virtual Machine

  • Alfa AWUS036NH 1W wireless adapter

Software Used
  • VMWare Workstation 15

  • Kali Linux 2019 (Attacker)

  • DNSmasq

  • Iptables

  • Apache, mysql

  • Airmon-ng, airodump-ng, airbase-ng, and aireplay-ng

  • Firefox web browser on Ubuntu 16.10 (Victim)

Installation of the requirements

With the assumption of that we have aircrack-ng suite of tools, apache, mysql, iptables pre-installed in our Kali Linux virtual machine.

We just need to install dnsmasq for IP address allocation to the client.

  • Install dnsmasq in Kali Linux

Type in terminal:

apt-get update

apt-get install dnsmasq -y

This will update the cache and install latest version of dhcp server in your Kali Linux box.

Now all the required tools are installed. We need to configure apache and the dhcp server so that the access point will allocate the IP address to the client/victim and the client would be able to access our webpage remotely.

Now we will define the IP range and the subnet mask for the DHCP server.

  • Configure dnsmasq

Create a configuration file for dnsmasq using vim or your favorite text editor and add the following code.

sudo vi ~/Desktop/dnsmasq.conf

change the dnsmasq configuration file:


Save and exit. Use your desired name for .conf file.

Important hint: Replace at0 with wlan0 everywhere when hostapd is used for creating an access point

We are ready to begin now.

Put wireless adapter into monitor mode

Bring up the wireless interface

ifconfig wlan0 up # Yours could be different

airmon-ng start wlan0

Putting the card in monitor mode will show a similar output

mike@pheniix:~# airmon-ng start wlan0

Now our card is in monitor mode without any issues with network manager. You can simply start monitoring the air with command

airodump-ng wlan0mon

Please continue reading in Part 2 of this article!


All product names, logos, and brands are the property of their respective owners in Austria or other countries. All company, product and service names used in this website are for identification purposes only. Pheniix is not affiliated with or an official partner of Cisco, CompTIA,Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security,Google, GNS3, F5, Python, Linux, Java, OpenStack, Vagrant, Ansible, Docker, GIT, Blockchain or other companies. Use of these names, logos, and brands does not imply endorsement. The opinions expressed in Pheniix are personal perspectives and not those of Cisco, Dimension Data or any other company. Pheniix runs as an independent blog.

bottom of page