Operations and securityWireless attacksIntermediate25 min read

What Is Evil twin? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

An evil twin is a fake Wi‑Fi access point that looks like a real one. When you connect to it, attackers can see your online activity, steal passwords, or inject malicious content. It works because your device trusts the network name, not the actual hardware.

Commonly Confused With

A rogue access point is any unauthorized wireless access point connected to the network, often by an employee for convenience. An evil twin is a specific type of rogue AP that impersonates a legitimate network's SSID to trick users into connecting. Not all rogue APs are evil twins, but all evil twins are rogue APs.

If an employee plugs in a personal Wi‑Fi router at their desk to get better signal, that is a rogue AP. If an attacker sets up a router with the same name as the corporate network to steal passwords, that is an evil twin.

A deauthentication attack sends forged frames to disconnect clients from an AP. It is often used together with an evil twin attack to force clients to reconnect and associate with the rogue AP, but it is a separate technique. The deauth attack does not create a fake AP; it just kicks clients off the real one.

Imagine someone yelling 'leave this room' to people in a meeting (deauth), and then opening a fake meeting room next door (evil twin). The yelling is the deauth, the fake room is the evil twin.

Evil twinvsMan-in-the-middle (MITM) attack

An evil twin attack is a method to achieve a man-in-the-middle position. The MITM attack is what happens after the victim connects to the rogue AP. The evil twin is the setup; the MITM is the exploitation. Not all MITM attacks involve evil twins, and not all evil twins need to perform a MITM (though that is the usual goal).

Setting up the fake Wi‑Fi is the evil twin. Intercepting your password after you connect is the MITM. The evil twin enables the MITM.

Must Know for Exams

The evil twin attack is a topic that appears across multiple IT certifications, including CompTIA Security+, CompTIA Network+, CEH, CISSP, and CWNA. In CompTIA Security+, it is covered under Objective 2.2 (Types of Attacks) as a type of wireless attack. You need to know how the attack works, how to detect it, and what countermeasures to implement. In CompTIA Network+, it appears under wireless network security topics, especially when discussing rogue access points and wireless security protocols. In CEH (Certified Ethical Hacker), the evil twin attack is part of the system hacking and wireless network hacking modules. You may be asked to describe the tools used (e.g., Aircrack-ng, hostapd) and the steps to execute the attack. In CISSP, the concept relates to wireless security controls and risk management under Domain 3 (Security Architecture and Engineering) and Domain 7 (Security Operations). In CWNA, the attack is covered in detail as a threat to enterprise WLANs. Exam questions often present a scenario where a user reports slow internet or suspicious pop-ups in a public Wi‑Fi environment, and you need to identify the attack as an evil twin. Other questions may ask for the best defense, such as using a VPN or disabling automatic connections to Wi‑Fi networks. Multiple-choice questions might list several attack types (evil twin, rogue AP, deauthentication) and ask you to differentiate them. Performance-based questions might require you to configure a wireless security policy that mitigates evil twin attacks, such as implementing WPA2-Enterprise with 802.1X and certificate validation. You should also be familiar with detection techniques like checking AP MAC addresses, using wireless scanners, and monitoring for duplicate SSIDs on different channels. Understanding the difference between an evil twin and a rogue access point is important: a rogue AP is any unauthorized AP on the network, while an evil twin is a specific type of rogue AP that impersonates a legitimate network. Memorizing the tools and the attack sequence can help you answer scenario-based questions confidently.

Given the prevalence of wireless attacks in modern networks, exam authors frequently include evil twin questions to test a candidate's ability to apply security principles in real-world contexts. It is a high-probability topic and one that rewards thorough preparation.

Simple Meaning

Imagine you are in a coffee shop and want to connect to their free Wi‑Fi. The shop has a network called "CoffeeShop_Free." You open your Wi‑Fi list and see two networks with that exact name. One is the real one provided by the coffee shop, and the other is a fake set up by someone sitting nearby. That fake network is an evil twin. It is called an "evil twin" because it looks identical to the legitimate network, like an evil twin sibling that copies everything about the good twin. When you connect to the fake network, all your internet traffic flows through the attacker's device. The attacker can then read everything you send and receive, including usernames, passwords, credit card numbers, and private messages. They can also redirect you to fake websites that look real, tricking you into entering sensitive information. The scary part is that your device often connects automatically to networks it has used before, so you might not even notice you are on the wrong network. The evil twin attack is a form of social engineering because it preys on your trust in a familiar network name. It does not require the attacker to break any encryption on the real network; instead, it simply tricks you into giving them access. This is why security professionals emphasize the importance of verifying network authenticity before connecting, especially in public places.

Think of it like a parking valet. You hand your car keys to someone wearing a uniform that looks exactly like the hotel's uniform. But that person is not actually employed by the hotel. They drive off with your car and your belongings. The evil twin attack works the same way: you trust the appearance (the network name) and hand over your connection, not realizing you are giving it to a criminal.

Full Technical Definition

An evil twin attack is a type of wireless network attack in which an attacker sets up a rogue access point (AP) that broadcasts a Service Set Identifier (SSID) identical to that of a legitimate access point. The goal is to deceive wireless clients into associating with the rogue AP instead of the genuine one. The attack exploits the fact that most client devices prioritize connection based on SSID and prior saved networks, rather than verifying the access point's identity through cryptographic means. When a client sends probe requests for known SSIDs, the rogue AP responds with a probe response, and the client may automatically connect if the signal strength is higher than that of the legitimate AP. Once connected, all traffic between the client and the internet passes through the attacker's device. The attacker can perform man-in-the-middle (MITM) attacks, capturing data packets, conducting session hijacking, injecting malicious code, or redirecting the victim to phishing sites. The attack does not break WPA2 or WPA3 encryption on the legitimate network; instead, it bypasses encryption entirely by making the client connect to the attacker's AP, which may have no encryption or a captive portal.

From a technical standpoint, the attacker typically uses a wireless network interface card (NIC) in monitor mode to scan for nearby networks. They then use tools such as airbase-ng (part of the Aircrack-ng suite), hostapd, or dedicated hardware like a Pineapple to create a rogue AP. The attacker sets the SSID, channel, and optionally the MAC address (BSSID) of the legitimate network to make the rogue AP appear identical. The attacker may also disable encryption on the rogue AP or set a passphrase that the victim already knows (e.g., the default password printed on the router). In more sophisticated attacks, the attacker uses a captive portal that mimics the login page of the legitimate network, capturing credentials when the victim attempts to log in. The evil twin attack is often combined with a deauthentication attack, where the attacker sends deauth frames to disconnect clients from the legitimate AP, forcing them to reconnect and increasing the chance they will choose the rogue AP. From a security perspective, the best defense is to use enterprise authentication (e.g., WPA2-Enterprise with 802.1X) that validates the server certificate, or to use a VPN that encrypts traffic end-to-end, making MITM attacks ineffective even on a rogue network.

Real-Life Example

Imagine you are at a large public library that offers free Wi‑Fi. The official network is called "Library_Public." You have used it many times before, and your phone automatically connects whenever you walk into the building. One day, a person sits in the corner with a laptop and a small portable router. They set up their router to broadcast the exact same SSID: "Library_Public." Their router is placed closer to where most people sit, so its signal is stronger than the library's official access points. As soon as you walk in, your phone sees the stronger signal and connects to the attacker's router instead of the library's network. You do not notice anything different because the internet seems to work normally. However, every website you visit, every password you type, and every email you read passes through the attacker's laptop. They can see all your unencrypted traffic, and even if a site uses HTTPS, the attacker can still see which sites you visit and potentially perform a downgrade attack to force you into using HTTP. The attacker could also display a fake login page that looks exactly like the library's welcome page, asking you to "sign in again" with your library card number and password. Once you do, they have your credentials. This scenario is common in airports, hotels, coffee shops, and conference centers where multiple people connect to the same public Wi‑Fi. The evil twin attack is effective because it takes advantage of our trust in a familiar name, our desire for a strong signal, and the automatic connection behavior of our devices.

This is similar to a situation where you park your car in a parking lot and a person wearing a bright orange vest directs you to a spot. You assume they work for the parking lot because of the vest. But in reality, they are a thief who just put on a vest to look official. Once you walk away, they break into your car. The evil twin works the same way: the network name is the "vest" that makes the attacker look legitimate.

Why This Term Matters

The evil twin attack matters because it is one of the most common and dangerous threats to wireless network security, especially in public environments. For IT professionals, understanding this attack is critical for securing corporate networks and educating users about safe Wi‑Fi practices. In a corporate setting, an evil twin can be used to bypass perimeter security controls such as firewalls and intrusion detection systems. If a corporate laptop connects to a rogue AP, the attacker gains direct access to the corporate network through the VPN or remote access session that the employee initiates from the rogue network. This can lead to data breaches, credential theft, and lateral movement within the corporate environment. The attack is also difficult to detect because the rogue AP can be hidden in plain sight, broadcasting the same SSID as the legitimate network. Wireless intrusion prevention systems (WIPS) can help, but they require proper configuration and monitoring. The evil twin attack is often a stepping stone to more sophisticated attacks such as session hijacking, ransomware delivery, or watering hole attacks. From a compliance standpoint, organizations that handle sensitive data must protect against wireless attacks to meet standards such as PCI DSS, HIPAA, and GDPR. For individual users, the consequences include identity theft, financial loss, and privacy violations. Because the attack does not require advanced technical skills-many tools are available online with simple interfaces-it is accessible to a wide range of threat actors, from script kiddies to advanced persistent threats.

In the broader cybersecurity landscape, the evil twin attack highlights the fundamental weakness of SSID-based trust in wireless networks. It underscores the need for layered security measures including VPNs, certificate-based authentication, user awareness training, and regular monitoring for rogue access points. For IT certification students, understanding the evil twin attack is not just about passing an exam; it is about developing the mindset to think like an attacker so you can better defend networks in the real world.

How It Appears in Exam Questions

Evil twin questions in IT certification exams typically fall into three categories: scenario identification, mitigation selection, and attack differentiation. In scenario identification questions, you are given a description of a wireless network environment with a problem. For example: "An employee at a coffee shop connects to the 'CoffeeShop_WiFi' network. After connecting, they see a login page asking for their email and password. The internet works, but they notice that HTTPS indicates 'Not Secure' on several websites. What type of attack is likely occurring?" The correct answer is "evil twin." The trap options often include "phishing" or "man-in-the-middle," but the root cause is the rogue AP impersonating the legitimate network. In mitigation selection questions, you may be asked: "Which of the following is the most effective defense against an evil twin attack?" Options might include using WPA2-PSK, disabling SSID broadcast, using a VPN, or enabling MAC filtering. The correct answer is using a VPN, because it encrypts traffic end-to-end, making the rogue AP useless for data interception. Other good answers include using WPA2-Enterprise with certificate validation or a WIPS solution. In attack differentiation questions, you need to know how an evil twin differs from a deauthentication attack, a rogue AP, or a wireless eavesdropping attack. For example: "Which attack involves setting up an access point with the same SSID as a legitimate network to capture credentials?" The answer is evil twin. Some questions combine multiple concepts: "An attacker sends deauth frames to disconnect clients from the legitimate AP, then sets up a rogue AP with the same SSID. What is this combined attack called?" The answer is still an evil twin attack, because the deauth frames are used to facilitate the evil twin. Troubleshooting-style questions might show a Wi‑Fi analyzer output with two APs having the same SSID but different BSSIDs and channels, and ask you to identify the threat. Performance-based questions (e.g., in CompTIA Network+ N10-008) may ask you to configure a SOHO router to enable WPA2-Enterprise or to create a guest network policy. You should be prepared to explain why WPA3 is more resistant to evil twin attacks because it uses Opportunistic Wireless Encryption (OWE) or Simultaneous Authentication of Equals (SAE), though WPA3 is not a complete defense against rogue APs. Some questions also test knowledge of detection tools, such as using NetStumbler, Kismet, or a wireless intrusion prevention system to identify unauthorized APs.

To succeed, you must be able to map attack symptoms to the correct technique and choose the most practical countermeasure for a given scenario.

Practise Evil twin Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a security analyst for a mid-sized company that allows employees to work remotely from coffee shops and co-working spaces. One afternoon, you receive a call from an employee named Sarah. She says that while working from a coffee shop called "BrewTech," she connected to the Wi‑Fi network named "BrewTech_Free." After connecting, she noticed that her browser showed a warning that the website she was visiting was not secure. She ignored it and logged into the company's email system. Later, she received an email from what looked like the company's IT department asking her to click a link to reset her password because of a "security incident." The email looked professional and used the company logo. She clicked the link and entered her current password, but then she realized something was wrong because the URL looked odd. She called you to report it. You suspect an evil twin attack. The attacker could have set up a rogue access point named "BrewTech_Free" near Sarah's table. When she connected, the attacker used a man-in-the-middle tool to intercept the HTTP connection (or even break the HTTPS encryption using a certificate downgrade) and redirected her to a fake web page that captured her login credentials. Then, the attacker used those credentials to send a phishing email from within the company's email system, addressing the email to Sarah to make it appear more legitimate. The attack is dangerous because Sarah did not realize she was on a fake network until after she gave away her password. The company's security policy required using a VPN for all remote connections, but Sarah had not enabled it because she thought the coffee shop network was safe and she was in a hurry. This scenario shows how an evil twin attack can lead to credential theft, phishing, and potential data breaches. As a security analyst, you would need to remind all employees to always use a VPN on public Wi‑Fi, to verify network names with staff if possible, and to never ignore browser security warnings. You would also recommend implementing multi-factor authentication (MFA) so that even if credentials are stolen, the attacker cannot log in without the second factor.

you would consider deploying a company-wide wireless policy that automatically disables the ability to connect to open Wi‑Fi networks on company devices, or at least forces the use of a VPN before any network traffic is allowed. This scenario is a classic exam-style case study that tests your ability to identify the attack, understand the consequences, and propose appropriate controls.

Common Mistakes

Thinking an evil twin attack is the same as a rogue access point.

A rogue access point is any unauthorized AP plugged into the network, while an evil twin is a specific type of rogue AP that impersonates a legitimate network's SSID. All evil twins are rogue APs, but not all rogue APs are evil twins. A rogue AP might have a different SSID, set up by an employee who wants better coverage.

Remember that the key characteristic of an evil twin is that it uses the same SSID as a trusted network to trick users into connecting.

Believing that WPA2 or WPA3 encryption prevents evil twin attacks.

WPA2/WPA3 encryption protects the communication between the client and the AP, but it does not authenticate the AP itself to the client in WPA2-PSK mode. A client will connect to any AP that has the same SSID and passphrase. The attacker can set up an AP with the same passphrase if they know it or just open it up and use a captive portal.

Understand that evil twin attacks exploit SSID trust, not encryption strength. Use enterprise authentication (802.1X) with certificate validation to verify the AP's identity.

Assuming that disabling SSID broadcast prevents evil twin attacks.

Disabling SSID broadcast only hides the network name from passive scanning, but active devices still send probe requests that reveal the SSID. An attacker can easily discover hidden SSIDs using tools like Kismet. Also, the evil twin can simply broadcast the hidden SSID, and clients that have the network saved will still try to connect.

Realize that SSID hiding is a weak security measure. Focus on using authentication methods that verify the AP's identity, such as 802.1X with server certificates.

Confusing an evil twin attack with a deauthentication attack.

A deauthentication attack sends forged deauth frames to disconnect clients from an AP. It is often used as a precursor to an evil twin attack to force clients to reconnect, but it is a separate attack. The evil twin attack itself involves setting up a rogue AP with the same SSID.

Think of deauth as a tool to make the evil twin more effective. The attack itself is the rogue AP impersonation.

Thinking that using a VPN is unnecessary if the website uses HTTPS.

HTTPS encrypts the content of the communication between the client and the website, but it does not prevent the attacker from seeing which websites you visit (DNS queries), and sophisticated attackers can perform SSL stripping attacks to downgrade HTTPS to HTTP. A VPN encrypts all traffic, including DNS, and prevents the attacker from seeing any of your traffic patterns.

Always advise that a VPN is the most reliable defense against evil twin attacks because it creates an encrypted tunnel even over an untrusted network.

Exam Trap — Don't Get Fooled

{"trap":"In an exam question, the scenario describes a user connecting to a public Wi‑Fi network and then seeing a fake login page. The trap answer is \"Phishing attack\" because the user is tricked into entering credentials on a fake page. However, the root cause is the evil twin attack that allowed the fake page to be served in the first place."

,"why_learners_choose_it":"Learners focus on the visible symptom-the fake login page-and immediately think of phishing. They overlook the underlying wireless attack that made the phishing possible.","how_to_avoid_it":"Always consider the attack chain.

The fake login page is the method, but the reason the user ended up on that page is because they connected to a rogue AP. Identify the initial access vector. In exams, the question will often ask, 'What type of attack is MOST likely occurring?'

and the answer will be the root cause, not the subsequent action."

Step-by-Step Breakdown

1

Reconnaissance

The attacker scans the target area for available wireless networks using a tool like Kismet or Wi‑Fi analyzer. They capture the SSID, BSSID (MAC address of the AP), channel, and encryption type of the legitimate network. This information is used to clone the network.

2

Rogue AP setup

The attacker configures their wireless NIC or a portable router to broadcast the same SSID as the target network. They may set the channel to one that gives them a stronger signal or use an omni-directional antenna for better coverage. The rogue AP may be open (no encryption) or use the same passphrase if known.

3

Deauthentication (optional but common)

The attacker uses a tool like aireplay-ng to send deauthentication frames to the legitimate AP, spoofing the MAC address of connected clients. This forces the clients to disconnect from the real AP. When they try to reconnect, the client will scan for the SSID and likely connect to the rogue AP if its signal is stronger.

4

Client association

The victim's device automatically or manually connects to the rogue AP because it has the same SSID and possibly a stronger signal. The device may also save the network for future use, making subsequent attacks easier. The attacker's device now acts as the gateway for the victim's traffic.

5

Traffic interception and manipulation

Once connected, all unencrypted traffic (HTTP, FTP, SMTP) is visible to the attacker. They can use tools like Wireshark to capture data, or use MITM frameworks like Bettercap to inject code, redirect to phishing pages, or downgrade HTTPS connections. The attacker can also set up a captive portal that mimics the legitimate login page.

6

Exploitation

The attacker harvests credentials, session cookies, or other sensitive data. They may use the gathered information to access corporate networks, send phishing emails from compromised accounts, or sell the data on the dark web. The attack may go undetected because the victim still has internet access and may not notice any anomaly.

Practical Mini-Lesson

As an IT security professional, understanding the evil twin attack is essential for both offensive and defensive roles. From an offensive perspective, you need to know how the attack works to test your own network's resilience. You can set up a controlled evil twin in a lab environment using a Raspberry Pi with a Wi‑Fi dongle and hostapd software. Configure hostapd to broadcast the same SSID as your lab's legitimate network. Then, use a client device to connect to the rogue AP. Use Wireshark on the Pi to capture traffic and verify that you can see the client's data. This hands-on exercise helps you understand the attack mechanics and the importance of encrypted protocols. From a defensive standpoint, you should implement multiple layers of protection. First, enforce the use of enterprise authentication (WPA2-Enterprise or WPA3-Enterprise) with 802.1X. This requires clients to authenticate against a RADIUS server, and the server presents a digital certificate to the client. Clients should be configured to validate the server certificate, ensuring they only connect to authorized APs. Second, deploy a Wireless Intrusion Prevention System (WIPS) that uses sensors to detect rogue APs by analyzing RF signatures, looking for duplicate SSIDs on different channels, and correlating MAC addresses with known authorized devices. Third, educate users about the risks of public Wi‑Fi and enforce a mandatory VPN policy on all company devices. The VPN should use strong encryption (AES-256) and should be configured to start automatically before any network traffic is allowed. Fourth, implement network access control (NAC) that checks the health of devices before allowing them on the network, including verifying that the VPN is active. Fifth, regularly conduct wireless site surveys to identify unauthorized APs and ensure that your authorized APs are not being impersonated.

What can go wrong? Many organizations assume that WPA2-PSK is sufficient because it uses encryption. But as you now know, the PSK is shared among all users, and an attacker can set up a rogue AP with the same PSK. Another common mistake is relying on MAC address filtering, which can be easily spoofed. The most effective defense is to combine enterprise authentication with user awareness and a VPN. In a real-world incident, if you suspect an evil twin attack, immediately isolate the affected client, scan the area with a Wi‑Fi analyzer to identify the rogue AP’s location (using signal strength triangulation), and physically remove the device. Notify all users in the area to disconnect and reconnect only after the threat is neutralized. Change the PSK if using WPA2-PSK, and consider upgrading to WPA3. This practical knowledge is directly applicable to both exam scenarios and daily IT operations.

Memory Tip

Think of an evil twin as a "Wi‑Fi doppelgänger", it looks exactly like the real network but has malicious intent. The key exam hint: if the question mentions a fake AP with the same name, it's an evil twin.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)

Related Glossary Terms

Frequently Asked Questions

Can an evil twin attack work on a WPA2-encrypted network?

Yes. If the attacker knows the pre-shared key (e.g., because it is a default password or shared publicly), they can set up a rogue AP with the same SSID and passphrase. Even without the key, the attacker can set up an open network with the same SSID, and clients that have the network saved may still connect if they are configured to prefer that SSID.

How can I detect an evil twin attack on my network?

Use a Wi‑Fi analyzer tool to scan for multiple access points with the same SSID but different BSSIDs (MAC addresses). Check if the rogue AP is on a different channel. Look for APs with unusually strong signal from unexpected locations. WIPS systems can automate this detection.

Does using WPA3 prevent evil twin attacks?

WPA3 with SAE provides stronger authentication and forward secrecy, but it does not inherently prevent evil twin attacks because the client still trusts the SSID. However, WPA3 also includes Opportunistic Wireless Encryption (OWE) for open networks, which improves privacy but does not authenticate the AP. Enterprise mode (WPA3-Enterprise) with 802.1X and certificate validation is the best defense.

What is the difference between an evil twin and a honeypot?

An evil twin is a specific attack where a rogue AP impersonates a legitimate network. A honeypot is a decoy system set up to attract attackers and study their behavior. A honeypot can be an AP, but its purpose is defensive intelligence gathering, not credential theft.

Should I disable the SSID broadcast on my home router to prevent evil twins?

No. Disabling SSID broadcast is ineffective because attackers can easily discover hidden networks. It also does not stop an attacker from broadcasting that SSID. Use a strong passphrase and WPA2 or WPA3, but understand that evil twins can still work if the passphrase is known.

Can a VPN protect me from evil twin attacks?

Yes. A VPN encrypts all traffic from your device to the VPN server, so even if you are on a rogue AP, the attacker cannot read your data. However, the attacker could still perform a denial-of-service attack or redirect you to a fake VPN login page. Always verify that your VPN connection is active before transmitting sensitive data.

Summary

The evil twin attack is a wireless network threat where an attacker sets up a rogue access point that mimics a legitimate network by using the same SSID. The goal is to trick users into connecting to the rogue AP, allowing the attacker to intercept, manipulate, or steal sensitive data. This attack exploits the trust that users and devices place in network names rather than in cryptographic authentication. While WPA2/WPA3 encryption provides some protection, it does not prevent evil twins because the attacker can still set up an AP with the same SSID, especially if the passphrase is known or the network is open. The most effective defenses include using enterprise authentication with 802.1X and certificate validation, deploying a VPN on all remote connections, employing a Wireless Intrusion Prevention System to detect rogue APs, and training users to verify network authenticity.

For IT certification exams, the evil twin attack is a high-frequency topic across Security+, Network+, CEH, CISSP, and CWNA. You need to be able to identify the attack from a scenario, differentiate it from related attacks like rogue APs and deauth attacks, and recommend appropriate countermeasures. Common exam traps include confusing the evil twin with phishing or assuming encryption alone is a sufficient defense. Mastering this concept will not only help you pass exams but also prepare you to secure wireless networks in real-world environments.