EC-Council · Ethical Hacking · Security · Beginner · 29 min read

What Is Evil Twin Attack? Security Definition

Also known as: evil twin attack, evil twin definition, wireless hacking, ethical hacking, CEH exam

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Legacy Exam Context section below. No direct current exam mapping is configured for this term yet — use the latest vendor objectives for your target exam.


Quick Definition

An evil twin attack happens when a hacker sets up a fake Wi-Fi network that looks exactly like a real one, such as a coffee shop’s free Wi-Fi. When you connect to it, the hacker can see everything you do online, like your passwords or credit card numbers. It is similar to someone building a fake bank branch that looks identical to your real bank, so you hand over your money to the wrong person.

Must Know for Exams

Evil twin attacks appear prominently in the EC-Council Certified Ethical Hacker (CEH) exam under the domain of Wireless Network Hacking and also in CompTIA Security+ under Threats, Attacks, and Vulnerabilities. In the CEH exam, candidates must understand the attack lifecycle, including footprinting, scanning, gaining access, and maintaining access. Evil twin is categorized under the gaining access phase for wireless targets. Exam objectives explicitly require the learner to differentiate between evil twin, rogue AP, and ad hoc network attacks.

Question types vary. Multiple-choice questions may ask, What type of wireless attack involves setting up a fake access point with the same SSID as a legitimate one? Other questions present a scenario where a user complains about slow internet after connecting to a public Wi-Fi. The candidate must identify that an evil twin is present. Performance-based questions (PBQs) might require the candidate to configure a wireless intrusion detection system to detect rogue APs by analyzing SSID broadcast patterns and signal strength differences.

In the Security+ exam (SY0-601), evil twin is listed under wireless attacks within the attacks section. Candidates must know the difference between evil twin, on-path attack (previously man-in-the-middle), and de-authentication attack. Exam questions often combine concepts. For instance, a scenario might describe an attacker using a laptop to broadcast a network name and then de-authenticating users from the real network. The candidate must recognize that this is an evil twin combined with a deauth attack.

In the CEH exam, candidates should also be aware of tools used for evil twin attacks, such as airbase-ng, mana toolkit, and Wi-Fi Pineapple. Understand how the attacker captures the WPA handshake and how to defend using 802.1X with TLS or WPA3 SAE. The exam may also reference countermeasures such as disabling SSID broadcasting (though this is not a strong defense), enabling MAC filtering (also easily bypassed), and implementing 802.1X authentication. It is important to remember that evil twin is not prevented by encryption alone; it targets the association process, not the cipher.

For both exams, the concept appears in social engineering contexts as well. The attacker relies on the victim’s trust in a known network name. This makes evil twin a hybrid attack combining technical exploitation with psychological manipulation. Understanding this hybrid nature is key to answering scenario-based questions correctly.

Simple Meaning

Imagine you are walking down a busy street and you see a sign for a bank that looks exactly like your own bank. The colors, the logo, the font on the door all match perfectly. You walk in, hand over your deposit slip and cash to the teller, and leave. Later you discover that your money never reached your account. That was not your real bank. Someone built a perfect copy storefront down the street to trick you. An evil twin attack on Wi-Fi works the same way, but instead of a building, the hacker creates a fake wireless network.

When you are at a library, airport, or hotel, you typically look for a Wi-Fi network name, called an SSID. You might see one called Airport Free Wi-Fi and another called Airport Free Wi-Fi with a slightly different symbol. Both look official. One is real, the other is the evil twin. The hacker deploys a small device, sometimes just a laptop with special software, that broadcasts the same network name. Your phone or laptop does not know the difference. It only sees that the signal is strong and familiar. So your device connects to the fake network.

Once you are connected, the hacker sits in the middle of your internet connection. Every website you visit, every password you type, every message you send passes through the hacker’s system first. The hacker can log your keystrokes, inject fake pages that ask for your credit card details, or redirect you to a phishing site that looks like your bank’s login page. You think you are using safe, public Wi-Fi, but you have handed the keys to your digital life to a stranger.

This attack is dangerous because it requires very little technical skill to execute. Free tools are available online. The victim often has no warning. The network name looks correct, the connection works, and the internet seems fast. You only realize you were attacked later when your accounts show strange activity. That is why understanding evil twin attacks is critical for anyone using public Wi-Fi or managing networks in organizations.

Full Technical Definition

An evil twin attack is a type of wireless local area network (WLAN) attack that falls under the category of rogue access point attacks. The attacker sets up a wireless access point (AP) that broadcasts the same service set identifier (SSID) as a legitimate AP. The goal is to lure wireless clients into associating with the malicious AP instead of the authorized one. Once a client connects, the attacker can perform man-in-the-middle (MITM) attacks, packet sniffing, session hijacking, credential harvesting, or inject malicious payloads into the traffic stream.

The technical mechanism relies on the way Wi-Fi clients choose which AP to connect to. In most cases, clients connect to the AP with the strongest signal strength for a given SSID. The attacker typically places the evil twin AP physically close to the target area, often using a high-gain antenna or a portable device like a Raspberry Pi running Kali Linux with tools such as airbase-ng. The evil twin may also de-authenticate clients from the legitimate AP using de-authentication frames (deauth attacks) to force them to reconnect, at which point the evil twin offers a stronger signal and captures the connection.

Evil twin attacks do not necessarily require the attacker to break any encryption on the legitimate network. If the target network uses open authentication (no password), the evil twin simply mimics that open network. If the network uses WPA2 or WPA3 with a pre-shared key, the attacker can set up the evil twin with the same SSID. The victim’s device will attempt to authenticate, and the attacker can capture the four-way handshake. The attacker can then attempt to crack the password offline using a dictionary or brute-force attack. In some cases, the attacker sets up the evil twin without any encryption and relies on the user choosing to connect because the legitimate network is temporarily unavailable.

In enterprise environments, evil twin attacks are more complex to execute because of 802.1X authentication using RADIUS servers, which require certificates. However, attackers can still deploy evil twins if they can trick the user into accepting a self-signed certificate or if the client device is configured to trust any certificate for that SSID. Modern evil twin attacks also use captive portal pages that mimic legitimate login screens, collecting usernames and passwords. Some advanced attacks use a technique called KARMA or MANA, where the evil twin responds to probe requests from any device looking for previously connected networks, even if those networks are not currently present.

Prevention techniques include using VPNs, disabling auto-connect features on devices, verifying certificate chains for enterprise networks, using WPA3 with Simultaneous Authentication of Equals (SAE) which provides mutual authentication, and deploying wireless intrusion prevention systems (WIPS) that detect rogue APs by analyzing MAC addresses, signal patterns, and channel usage.

Real-Life Example

Think about how a library operates. You walk into a library with your own books and you need to check them out. You go to the main checkout counter, where the librarian scans your card, stamps the due date, and hands you a receipt. That is the legitimate system. Now imagine that another person sets up a small table near the entrance with a sign that says Library Checkout, with the same font and colors as the official counter. They even have a scanner that looks real. You go to that table, hand over your books and your library card. The fake librarian scans your card, gives you a fake receipt, and tells you everything is fine. In reality, they have copied your library card number and your address from the card. Later they use that information to check out books under your name or even access your personal account online.

The fake checkout table is the evil twin. The legitimate checkout counter is the real Wi-Fi network. You choose the fake one because it is closer, or the signal is stronger, or the real one is temporarily busy. The librarian (the hacker) now has access to your credentials and can track everything you do. In the Wi-Fi world, every website you visit, every password you type, and every email you send passes through the hacker’s machine. The attack works because both the real and fake systems look identical, and you have no easy way to tell the difference without special equipment.

In the library analogy, you might have avoided the fake table if you had checked the librarian’s badge or asked for identification. In Wi-Fi, you can avoid evil twins by using a VPN that encrypts your traffic, by verifying the network’s security certificate, or by asking an employee for the exact official network name. But many people connect automatically without thinking, just as they would walk to the nearest checkout table. That is what makes the evil twin attack so effective and dangerous.

Why This Term Matters

Evil twin attacks matter because they target one of the most common and vulnerable activities in modern IT: connecting to wireless networks. Almost every organization, from small businesses to large enterprises, relies on Wi-Fi for internal operations, guest access, and bring-your-own-device (BYOD) policies. A successful evil twin attack can give an attacker a foothold inside the network perimeter without needing to breach a firewall or exploit a software vulnerability. Once the attacker is in the middle of the traffic, they can capture sensitive data, including login credentials, email content, financial information, and proprietary documents.

For IT professionals and cybersecurity engineers, understanding evil twin attacks is essential for designing secure wireless architectures. This includes implementing wireless intrusion prevention systems (WIPS) that can detect rogue access points by monitoring for duplicate SSIDs, changes in signal strength, or mismatched MAC addresses. Network administrators must also enforce policies such as disabling client-side auto-connect, using enterprise authentication with certificates (EAP-TLS), and segmenting guest networks from internal resources. Without these controls, a single evil twin can compromise an entire organization.

The attack also matters because it is a common vector for credential theft. Attackers often use evil twins in public places like airports, hotels, coffee shops, and conference centers. For example, a hacker can set up an evil twin at a tech conference and capture login credentials from attendees accessing their corporate email. Those credentials can then be used to breach the corporate network remotely. For certification candidates, particularly those studying for EC-Council CEH or CompTIA Security+, evil twin attacks represent a classic example of social engineering combined with technical exploitation. Knowing how they work and how to defend against them is a practical skill that directly translates to real-world security operations.

Additionally, evil twin attacks are a stepping stone for more advanced attacks, such as session hijacking, HTTPS stripping, and DNS spoofing. By intercepting traffic at the link layer, the attacker can bypass many encryption protections if the user does not use proper end-to-end encryption. This makes the attack relevant to topics in network security, ethical hacking, and penetration testing.

How It Appears in Exam Questions

Evil twin attack questions appear in several common patterns across certification exams. The most straightforward pattern is direct identification. A question will describe an attacker who sets up a wireless access point with the same SSID as a legitimate network and tricks users into connecting. The candidate must select the name of the attack from a list of options, which may include rogue AP, evil twin, deauth attack, bluejacking, or war driving. The correct answer is evil twin, because the keyword same SSID is the defining characteristic.

A second question pattern involves scenario analysis. The candidate reads a short paragraph describing a network situation. For example: A user at a coffee shop connects to a Wi-Fi network called CoffeeShop_Free. After connecting, the user notices that web pages load slowly and are redirected to a login page that looks unusual. What is the most likely cause? The correct answer is that an evil twin attack is occurring, and the login page is a phishing page hosted on the fake AP. The candidate must connect the symptoms of slow performance (because the attacker’s device may have limited bandwidth) and the spoofed login page (indicating credential harvesting).

A third question pattern is tool-based. The exam may ask: Which tool would an attacker use to create an evil twin access point? The answer is airbase-ng or mana toolkit. Alternatively, the question may ask for the correct command syntax to set up an evil twin using airbase-ng. The candidate needs to recall that airbase-ng requires the interface name, the SSID, and optionally a channel. For example: airbase-ng -e CoffeeShop_Free -c 6 wlan0. This type of question tests both theoretical knowledge and practical familiarity.

A fourth pattern involves defensive techniques. The question might state: A network administrator wants to prevent evil twin attacks on the corporate wireless network. Which of the following is the most effective method? Options could include disabling SSID broadcast, enabling WPA2 encryption, implementing 802.1X with EAP-TLS, or using MAC filtering. The correct answer is 802.1X with EAP-TLS because it provides mutual authentication, meaning both the client and the AP must present valid certificates. This prevents the evil twin from impersonating the legitimate AP because the attacker does not have the correct certificate.

Finally, there are hybrid questions that combine evil twin with social engineering. For instance: An attacker sends a phishing email to employees of a company, urging them to connect to a Wi-Fi network named Company_Guest. This is an example of what type of attack? The answer is evil twin combined with social engineering. The candidate must recognize that the email is used to direct victims to the fake network, increasing the success rate of the attack. These question patterns require the candidate to think critically and apply concepts in realistic contexts, not just memorize definitions.


Example Scenario

Maria is a sales representative who frequently travels for work. She arrives at a hotel and needs to check her email before a morning meeting. She opens her laptop and sees two Wi-Fi networks: Hotel_Guest and Hotel_Guest_Free. She remembers that the front desk told her the network name is Hotel_Guest, but the signal for Hotel_Guest is weak. The second network, Hotel_Guest_Free, has a strong signal. She assumes it is an alternative network offered by the hotel and clicks connect. Her device successfully obtains an IP address, and she can browse the internet.

Maria logs into her corporate email using her web browser. She does not notice that the page looks slightly different from normal. She enters her username and password. Moments later, her email sends out spam messages to her contacts. What Maria did not know is that Hotel_Guest_Free was an evil twin set up by an attacker in the hotel lobby. The attacker used a small device to broadcast the convincing network name with a stronger signal. When Maria connected, the attacker captured her login credentials. The attacker then logged into her email and used it to spread phishing links.

This scenario shows how the attack unfolds in a real environment. The attacker did not need to crack any password. Maria’s own device chose the stronger signal. The attacker relied on her trust in a familiar-looking network name and her desire for a faster connection. For the certification exam, this scenario illustrates why users should always verify the official network name with staff and use a VPN when connecting to public Wi-Fi. It also shows why organizations should provide clear signage about their official network name and consider using certificate-based authentication for guest networks.

Common Mistakes

Believing that WPA2 encryption completely prevents evil twin attacks.

WPA2 encrypts the data after the client connects to the real AP, but an evil twin can mimic the same SSID and capture the four-way handshake. The attacker does not need to break the encryption immediately; they can capture the handshake and crack the password offline. Additionally, if the evil twin uses the same password, the client may still connect, and the attacker can intercept traffic if the client does not verify the AP's identity.

Use mutual authentication like 802.1X with EAP-TLS, which requires the AP to present a valid certificate. WPA3 with SAE also provides mutual authentication, making evil twin attacks much harder. Encryption alone is not a defense against impersonation.

Thinking that disabling SSID broadcast hides the network from attackers.

Disabling SSID broadcast only stops the network name from appearing in the list of available networks. However, clients still send probe requests that include the SSID when trying to connect. An attacker can capture these probes and create an evil twin with that exact SSID, even if it is not broadcast. SSID cloaking provides no real security.

Instead of hiding the SSID, focus on strong authentication and WIPS monitoring. If you must hide the SSID, understand that it is only a minor inconvenience for attackers. Use enterprise authentication and disable client auto-connect for hidden networks.

Assuming that MAC address filtering will block the evil twin.

MAC addresses can be easily spoofed. The attacker can capture the MAC address of the legitimate AP by scanning the airwaves and then set their evil twin to use the same MAC address. MAC filtering does not identify the AP as legitimate; it only checks the source MAC, which is trivial to forge.

Do not rely on MAC filtering as a security measure for wireless networks. Use it only as a minor administrative control. For security, implement 802.1X with RADIUS and certificates, and deploy a WIPS that can detect behavioral anomalies like an AP with a cloned MAC address operating on a different channel.
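An added example, not code from this page or from any WIPS product: a small Python detector that applies the checks described in the prevention paragraph and in the note above (our SSID from a BSSID we do not own, a known BSSID on an unexpected channel as in the cloned-MAC case, and a signal-strength jump at a sensor) to a constructed set of beacon observations. The inventory, BSSIDs, channels and RSSI values are constructed sample data, not real network values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str      # transmitter MAC address of the AP
    channel: int
    rssi: int       # signal strength in dBm as measured by the sensor
    sensor: str     # name of the WIPS sensor that heard the frame


# Authorized AP inventory, BSSID -> (SSID, channel). Constructed values.
AUTHORIZED: Dict[str, Tuple[str, int]] = {
    "00:11:22:33:44:55": ("Corp_WiFi", 6),
    "00:11:22:33:44:66": ("Corp_WiFi", 11),
}

# RSSI each sensor normally sees from each authorized BSSID, learned during
# a quiet baseline period. Constructed values.
BASELINE_RSSI: Dict[Tuple[str, str], int] = {
    ("sensor-lobby", "00:11:22:33:44:55"): -62,
    ("sensor-lobby", "00:11:22:33:44:66"): -78,
}
RSSI_JUMP_DB = 15  # a known BSSID suddenly this much louder is suspicious

Alert = Tuple[str, str, str]  # (kind, bssid, detail)


def analyze(beacons: List[Beacon]) -> List[Alert]:
    """Return one alert per suspicious observation; benign beacons yield none."""
    alerts: List[Alert] = []
    authorized_ssids = {ssid for ssid, _ in AUTHORIZED.values()}
    for b in beacons:
        if b.bssid in AUTHORIZED:
            exp_ssid, exp_chan = AUTHORIZED[b.bssid]
            if b.ssid != exp_ssid:
                alerts.append(("ssid-mismatch", b.bssid,
                               f"known BSSID advertising {b.ssid!r}"))
            if b.channel != exp_chan:
                # Our BSSID on the wrong channel: a cloned MAC address, the
                # anomaly the text above describes.
                alerts.append(("cloned-bssid", b.bssid,
                               f"seen on channel {b.channel}, expected {exp_chan}"))
            base = BASELINE_RSSI.get((b.sensor, b.bssid))
            if base is not None and b.rssi - base >= RSSI_JUMP_DB:
                alerts.append(("rssi-anomaly", b.bssid,
                               f"{b.rssi} dBm vs baseline {base} dBm at {b.sensor}"))
        elif b.ssid in authorized_ssids:
            # Our SSID from a BSSID we do not own: the evil twin signature.
            alerts.append(("evil-twin", b.bssid,
                           f"unauthorized AP advertising {b.ssid!r} on channel {b.channel}"))
        # An unknown BSSID with an unrelated SSID (a neighbour's network) is
        # not an evil twin; a fuller WIPS would track it separately.
    return alerts


# Constructed sample observations from one sensor.
SAMPLE_BEACONS = [
    Beacon("Corp_WiFi", "00:11:22:33:44:55", 6, -63, "sensor-lobby"),   # legitimate
    Beacon("Corp_WiFi", "aa:bb:cc:dd:ee:01", 6, -41, "sensor-lobby"),   # evil twin
    Beacon("Corp_WiFi", "00:11:22:33:44:66", 1, -40, "sensor-lobby"),   # cloned BSSID
    Beacon("Cafe_Free", "aa:bb:cc:dd:ee:02", 11, -70, "sensor-lobby"),  # neighbour
]


def sample_alert_kinds() -> List[str]:
    """Kinds of alert raised for SAMPLE_BEACONS, in observation order."""
    return [kind for kind, _, _ in analyze(SAMPLE_BEACONS)]


if __name__ == "__main__":
    for kind, bssid, detail in analyze(SAMPLE_BEACONS):
        print(f"[{kind}] {bssid}: {detail}")
```

A real sensor would feed this from monitor-mode captures across several channels; the logic itself does not change.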

Confusing an evil twin attack with a simple de-authentication attack.

A de-authentication attack only disconnects clients from the real AP by sending spoofed deauth frames. It does not create a fake AP. An evil twin attack creates a fake AP and often uses deauth frames to force clients to reconnect to the evil twin. However, the defining feature of an evil twin is the presence of a rogue AP with the same SSID. The deauth frames are just a tool to drive victims to the evil twin.

Learn the distinction clearly. A deauth attack is a denial-of-service technique. An evil twin is a man-in-the-middle attack that includes a rogue AP. Both can be combined, but they are not the same thing.

Thinking that using a VPN makes you completely safe from evil twin attacks.

A VPN encrypts traffic between your device and the VPN server, which protects your data from being read by the attacker. However, the evil twin still sees that you are using a VPN, and the attacker can still perform attacks before the VPN connection is established. For example, the attacker might inject a fake update or malware download that runs before the VPN connects. Also, the attacker can target the VPN credentials themselves if the user connects to a fake captive portal.

Use a VPN that starts automatically before any network traffic, and ensure the VPN client is configured to block all traffic if the VPN is not connected. But remember that a VPN is a strong defense, not a perfect one. Combine the VPN with proper authentication and avoid auto-connecting to open networks.

Exam Trap — Don't Get Fooled

An exam question describes an attacker who sets up a fake access point with the same SSID as the legitimate network, but the question also mentions that the attacker uses a directional antenna to target a specific area. The options include evil twin, rogue AP, and war driving. Many candidates choose rogue AP because the fake AP is unauthorized, and they think evil twin only applies if the SSID is identical.

But every evil twin is a rogue AP by definition. The trap is that the question tests whether you know the specific term for a rogue AP that mimics the SSID of a legitimate network. Memorize the precise definition: evil twin is a type of rogue AP that specifically uses the same SSID as a legitimate network to impersonate it.

All evil twins are rogue APs, but not all rogue APs are evil twins. A rogue AP could have a different SSID and still be unauthorized. When the question says same SSID, the correct answer is evil twin.

Read the scenario carefully for the presence of SSID duplication.

Commonly Confused With

Evil Twin Attack vs Rogue Access Point

A rogue access point is any unauthorized AP connected to a network, regardless of its SSID. An evil twin is a specific type of rogue AP that intentionally uses the same SSID as a legitimate network to trick users. All evil twins are rogue APs, but not all rogue APs are evil twins.

If an employee plugs a personal router into the office network to get better signal, that is a rogue AP. If an attacker sets up a fake AP outside the building that broadcasts the same network name as the company, that is an evil twin.

Evil Twin Attack vs Man-in-the-Middle Attack

Man-in-the-middle (MITM) is a broader category of attack where the attacker intercepts communication between two parties. An evil twin is one method of achieving a MITM position on a wireless network. Not all MITM attacks involve fake Wi-Fi; they can also use ARP spoofing, DNS spoofing, or proxy attacks on wired networks.

An evil twin attack puts the attacker in the middle of your Wi-Fi connection; that is a MITM. But a MITM can also happen on a wired network when an attacker sends fake ARP messages to redirect traffic through their machine. Evil twin is a wireless-specific way to become the MITM.

Evil Twin Attack vs Deauthentication Attack

A deauthentication attack sends fake frames to disconnect clients from a Wi-Fi AP. It is often used as a step in an evil twin attack to force clients to reconnect. However, a deauth attack alone does not create a fake AP and does not capture data. An evil twin includes both the fake AP and often the deauth component.

An attacker sends deauth frames to kick everyone off the hotel Wi-Fi, causing a denial of service. That is just a deauth attack. If the attacker then sets up a fake network with the same name and uses the deauth to drive people to it, that is an evil twin attack.

Evil Twin Attack vs KARMA Attack

A KARMA attack is a type of exploit where an attacker configures a device to respond to any probe request from a Wi-Fi client. The client sends out probes for any SSID it has previously connected to, and the attacker claims that those networks are available. This can be used to set up an evil twin dynamically, but KARMA is a specific technique for luring clients into connecting without needing to know the target network name in advance.

If your phone sends a probe saying, Are there any networks called HomeWiFi? and the attacker’s device says Yes, I am HomeWiFi, that is a KARMA attack. The attacker can then set up an evil twin based on that SSID. KARMA is a method to discover and exploit the SSID, while evil twin is the fake network itself.

Evil Twin Attack vs Phishing

Phishing is a social engineering attack that uses fake emails, websites, or messages to trick users into revealing sensitive information. An evil twin attack often includes a phishing element, such as a fake captive portal login page, but the underlying mechanism is wireless network impersonation. Phishing does not require a fake Wi-Fi network.

An email claiming to be from your bank asking for your password is phishing. An evil twin that shows a fake login page when you try to browse the internet is using phishing as part of the wireless attack, but the core of the attack is the fake AP, not the email.

Step-by-Step Breakdown

1. Reconnaissance and Target Selection

The attacker surveys the area to identify the target wireless network. They note the SSID, the channel, the signal strength, and the approximate location of the legitimate AP. They also observe user behavior, such as peak connection times and typical client devices. This step is essential for placing the evil twin in a location where it will be more attractive than the real AP.

2. Setting Up the Evil Twin Access Point

The attacker configures a wireless device, such as a laptop with an external Wi-Fi adapter or a Raspberry Pi, to broadcast an SSID identical to the target network. The attacker may use software like airbase-ng or the MANA toolkit. The device is configured to use the same channel as the real AP to maximize visibility. The attacker may also spoof the BSSID (MAC address) of the legitimate AP to make the fake one appear even more authentic.

3. Forcing Clients to Connect via Deauthentication

The attacker sends deauthentication frames to the legitimate AP, causing connected clients to be disconnected. These frames are not encrypted and can be sent with a tool like aireplay-ng. The victim’s device automatically searches for the network again. Because the evil twin is often placed closer or has a stronger signal, the victim’s device connects to the evil twin instead of the real AP. This step increases the success rate of the attack.

4. Traffic Interception and Man-in-the-Middle Operations

Once a client is connected to the evil twin, the attacker acts as a transparent proxy. All traffic from the client passes through the attacker’s device. The attacker can log HTTP requests, capture cookies, inject malicious scripts, or redirect the user to a fake captive portal. The attacker may also use tools like Wireshark, ettercap, or Bettercap to analyze and manipulate the traffic in real time.

5. Credential Harvesting and Data Exfiltration

The attacker presents a fake login page, often mimicking the captive portal of a hotel, airport, or corporate network. When the user enters their credentials, the attacker stores them in a file. The attacker may also capture email contents, financial transactions, or any unencrypted data. If the traffic is encrypted with HTTPS, the attacker may attempt SSL stripping or use a self-signed certificate to downgrade the connection. The harvested data is then exfiltrated to the attacker’s remote server.

6. Covering Tracks and Maintaining Access

After gathering sufficient data, the attacker may disable the evil twin to avoid detection. Alternatively, the attacker may leave the evil twin running to continue harvesting data over a longer period. The attacker may also use the captured credentials to access the corporate network remotely, establishing a persistent foothold. Logs on the victim’s device typically show only that they connected to a network with the correct SSID, making forensic identification difficult.

Practical Mini-Lesson

An evil twin attack is one of the most common and easily executed wireless attacks that you will encounter in penetration testing and real-world security threats. As an IT professional, understanding the full lifecycle of this attack is crucial, not just for passing exams but for protecting your organization’s network. The attack begins when an attacker physically positions a wireless device near the target location. The device can be as small as a Raspberry Pi with a battery pack, costing under fifty dollars. The attacker does not need to break any encryption to start the attack. They simply need to broadcast a network name that people trust.

In practice, many public Wi-Fi hotspots use no encryption at all. The attacker simply sets up an open network with the same name as the venue. For encrypted home or corporate networks, the attacker can still capture the WPA2 handshake when a client tries to connect. That handshake file can be cracked offline with tools like Hashcat or John the Ripper. However, the attacker does not always need to crack the password. If the client device is configured to connect automatically to a previously used network, and the attacker broadcasts that SSID, the client may attempt to authenticate. The attacker can then capture the authentication exchange and replay it later, or use a technique called PMKID attack to derive the key.

What can go wrong during an evil twin attack from the attacker’s perspective? The attacker may accidentally broadcast on a channel that interferes with the real AP, causing clients to see both networks without preferring the evil twin. The attacker may also be detected by a wireless intrusion prevention system (WIPS) that identifies a duplicate SSID broadcasting from a different location. In an active defense scenario, the WIPS can send deauth frames to the evil twin itself. The attacker also risks being identified if they do not use a VPN or anonymizing tools, since their own traffic could be traced back to their physical location.

For the defender, the best countermeasure is implementing 802.1X with EAP-TLS, which uses digital certificates on both the client and the server. Even if an evil twin appears, the client will refuse to connect because the evil twin cannot present a valid certificate signed by the organization’s internal Certificate Authority. This is called mutual authentication. Another strong defense is WPA3 with SAE (Simultaneous Authentication of Equals), which also provides mutual authentication and is resistant to offline dictionary attacks. For environments that cannot upgrade to WPA3, using a VPN with always-on configuration is the next best option.
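The certificate check just described only protects a client whose supplicant is actually configured to perform it, which is the "trust any certificate for that SSID" misconfiguration mentioned under enterprise environments earlier on this page. The following added Python audit, not code from this page or from the wpa_supplicant project, parses wpa_supplicant-style network blocks and reports EAP profiles that would accept an evil twin's RADIUS server. ca_cert, domain_suffix_match, domain_match and altsubject_match are real wpa_supplicant options; the SSID, identity, file paths and server hostname in the sample configuration are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Constructed sample wpa_supplicant.conf with two profiles for the same SSID:
# the first validates nothing about the RADIUS server, the second pins the
# corporate CA and the server name. All values are placeholders.
SAMPLE_CONF = """
ctrl_interface=/run/wpa_supplicant

network={
    ssid="Corp_WiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="maria@corp.example"
    client_cert="/etc/wpa/maria.pem"
    private_key="/etc/wpa/maria.key"
}

network={
    ssid="Corp_WiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="maria@corp.example"
    ca_cert="/etc/ssl/certs/corp-ca.pem"          # only this CA is trusted
    domain_suffix_match="radius.corp.example"     # and only this server name
    client_cert="/etc/wpa/maria.pem"
    private_key="/etc/wpa/maria.key"
}
"""

# Any one of these options restricts which server name the CA-signed
# certificate may carry; without one, any certificate from the CA passes.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "altsubject_match")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return each network={...} block as a dict; quotes and comments stripped."""
    networks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    inside = False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "network={":
            inside, current = True, {}
        elif line == "}" and inside:
            networks.append(current)
            inside = False
        elif inside and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one profile; an empty list means the server is authenticated."""
    findings: List[str] = []
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return findings  # PSK and open profiles are outside this check
    if "ca_cert" not in net:
        findings.append("no ca_cert: the RADIUS certificate is not validated, "
                        "so an evil twin's server is accepted")
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no server name check: any certificate issued by the "
                        "trusted CA is accepted")
    return findings


def audit(conf: str) -> List[Tuple[str, List[str]]]:
    """(ssid, findings) for every profile in the configuration text."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(conf)]


if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF):
        status = "; ".join(findings) if findings else "OK"
        print(f"{ssid}: {status}")
```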

This attack connects to broader IT concepts such as network access control (NAC), endpoint security, and physical security. An evil twin attack underscores that network security is not just about strong passwords or firewalls. It is also about controlling physical access to the airwaves and training users to recognize social engineering tactics. As a penetration tester, you might deploy an evil twin as part of a red team exercise to test the organization’s detection capabilities and employee awareness. In a certification exam, you will be expected to know the tools, the techniques, and the defenses inside out. Always remember that the core of the evil twin is impersonation, and the defense is authentication.

Memory Tip

Think of Evil Twin as Identical Impersonation: The twin shares the same name (SSID) but is evil. Remember the acronym T.I.P. for defense: Trust nothing, Implement mutual authentication (802.1X), and Protect traffic with a VPN.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601, SY0-701 (current version)

Frequently Asked Questions

Can an evil twin attack work on a network that requires a password, like a home Wi-Fi?

Yes. The attacker sets up an evil twin with the same SSID. When your device sees it, it automatically starts the WPA2 handshake using the saved password. The attacker captures the handshake messages, which contain a keyed hash derived from that password, and can try to crack the password offline. If the password is weak, the attacker gains access to your network.

How can I tell if I am connected to an evil twin instead of the real network?

On most devices, you cannot tell by looking at the network name alone. You may notice slower speeds, unexpected login pages, or certificate warnings. There is no reliable visual check: use a VPN so that intercepted traffic stays encrypted, and rely on the network’s authentication (a server certificate validated by your device, or details confirmed with the venue staff) rather than on the SSID.

Does using HTTPS protect me from an evil twin attack?

HTTPS protects the content of your traffic from being read, but the evil twin can still see which websites you visit (domain names through DNS and TLS metadata). The attacker can also attempt SSL stripping, which downgrades your connection to HTTP for sites that do not enforce HSTS, or present a forged certificate, which only succeeds if you click through the browser warning. HTTPS is therefore not completely foolproof against an evil twin.

What is the difference between an evil twin and a rogue access point?

A rogue access point is any unauthorized AP on a network. An evil twin is a specific type of rogue AP that uses the same SSID as a legitimate network to trick users. Every evil twin is a rogue AP, but not every rogue AP is an evil twin.

Can an evil twin attack be performed without deauthenticating users?

Yes. Sometimes the evil twin simply has a stronger signal or is placed in a more convenient location. Users may voluntarily choose that network without being forced off the real one. Deauthentication is a technique to increase the attack’s success rate but is not mandatory.

How do organizations detect evil twin attacks?

Organizations use wireless intrusion prevention systems (WIPS) that monitor for multiple APs broadcasting the same SSID, especially from unexpected physical locations. WIPS can also detect anomalies like a different MAC address, a different channel, or a mismatched vendor OUI. Some systems use location triangulation to identify unauthorized APs.
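The triage logic below is an added example that encodes the detection heuristics described here and in the attacker’s-perspective paragraph earlier on the page (duplicate SSID from an unknown BSSID, unexpected channel, sensor location that does not match where the AP lives, vendor OUI outside the fleet, signal stronger than the legitimate AP). It is not the page’s own code nor any WIPS product’s; the allowlist, the OUI, and the beacon observations are all constructed.

```python
"""Evil-twin / rogue AP triage over WIPS beacon observations (added example).

Beacons are dicts with ssid, bssid, channel, rssi and the sensor that heard
them; the authorized AP table is a constructed allowlist. Every value here
is made up for illustration.
"""

# Constructed allowlist of the organization's APs: BSSID -> expected attributes.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": {"ssid": "CorpWiFi", "channel": 36, "sensor": "floor-1"},
    "00:11:22:aa:bb:02": {"ssid": "CorpWiFi", "channel": 44, "sensor": "floor-2"},
}
# Constructed vendor prefix (OUI) used by the AP fleet.
AUTHORIZED_OUIS = {"00:11:22"}

# Constructed beacon observations as reported by WIPS sensors.
SAMPLE_BEACONS = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:aa:bb:01", "channel": 36, "rssi": -48, "sensor": "floor-1"},
    {"ssid": "CorpWiFi", "bssid": "00:11:22:aa:bb:02", "channel": 44, "rssi": -55, "sensor": "floor-2"},
    # Same SSID, unknown BSSID, foreign OUI, 2.4 GHz channel, louder than the real AP: evil twin.
    {"ssid": "CorpWiFi", "bssid": "de:ad:be:ef:00:01", "channel": 6, "rssi": -30, "sensor": "floor-1"},
    # Known BSSID heard from the parking lot on the wrong channel: cloned/spoofed BSSID.
    {"ssid": "CorpWiFi", "bssid": "00:11:22:aa:bb:01", "channel": 1, "rssi": -40, "sensor": "parking-lot"},
    # Unknown AP with its own SSID: a rogue AP, but not an evil twin.
    {"ssid": "FreeWiFi", "bssid": "aa:bb:cc:00:00:09", "channel": 11, "rssi": -60, "sensor": "floor-2"},
]


def oui(bssid):
    """First three octets of a MAC address, normalised to lowercase."""
    return bssid.lower()[:8]


def classify_beacons(beacons, authorized=AUTHORIZED_APS, fleet_ouis=AUTHORIZED_OUIS):
    """Return one finding per beacon that deviates from the allowlist.

    verdict is 'evil-twin' (protected SSID from an unknown BSSID),
    'spoofed-bssid' (known BSSID seen with attributes it should not have)
    or 'rogue-ap' (unknown BSSID advertising some other SSID).
    """
    protected_ssids = {ap["ssid"] for ap in authorized.values()}

    # Strongest signal each sensor hears from a legitimate AP, for the "louder twin" check.
    legit_rssi = {}
    for b in beacons:
        ap = authorized.get(b["bssid"].lower())
        if ap and ap["sensor"] == b["sensor"] and ap["channel"] == b["channel"]:
            legit_rssi[b["sensor"]] = max(legit_rssi.get(b["sensor"], -999), b["rssi"])

    findings = []
    for b in beacons:
        bssid = b["bssid"].lower()
        reasons = []
        if bssid in authorized:
            ap = authorized[bssid]
            verdict = "spoofed-bssid"
            if ap["ssid"] != b["ssid"]:
                reasons.append("known BSSID advertising a different SSID")
            if ap["channel"] != b["channel"]:
                reasons.append("channel %d differs from expected %d" % (b["channel"], ap["channel"]))
            if ap["sensor"] != b["sensor"]:
                reasons.append("heard by sensor %s instead of %s" % (b["sensor"], ap["sensor"]))
        else:
            if b["ssid"] in protected_ssids:
                verdict = "evil-twin"
                reasons.append("protected SSID advertised by unknown BSSID")
                if b["rssi"] > legit_rssi.get(b["sensor"], -999):
                    reasons.append("signal stronger than the legitimate AP at this sensor")
            else:
                verdict = "rogue-ap"
                reasons.append("unknown BSSID")
            if oui(bssid) not in fleet_ouis:
                reasons.append("vendor OUI %s not in AP fleet" % oui(bssid))
        if reasons:
            findings.append({"bssid": bssid, "ssid": b["ssid"], "verdict": verdict, "reasons": reasons})
    return findings


def evil_twin_bssids(beacons):
    """BSSIDs that should go to the WIPS alert/containment queue."""
    return sorted({f["bssid"] for f in classify_beacons(beacons) if f["verdict"] == "evil-twin"})


if __name__ == "__main__":
    for f in classify_beacons(SAMPLE_BEACONS):
        print(f["verdict"], f["bssid"], f["ssid"], "; ".join(f["reasons"]))
```

The allowlist is the key input: without an authoritative table of your own BSSIDs, channels and locations, a WIPS can only flag duplicate SSIDs and has no way to say which copy is the impostor. The location check is also what catches a twin that clones a legitimate BSSID, since the cloned radio is still heard by the wrong sensor.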

Is the evil twin attack only a wireless attack?

The term specifically refers to wireless networks. However, the concept of impersonating a trusted service to intercept traffic exists in other contexts, such as fake cellular base stations (Stingrays) or fake Bluetooth devices. But in IT certification exams, evil twin is exclusively a wireless Wi-Fi attack.

Summary

An evil twin attack is a deceptive and dangerous wireless hacking technique where an attacker creates a fake Wi-Fi access point that impersonates a legitimate network. The attacker relies on the similarity of the network name (SSID) and often a stronger signal to trick users into connecting. Once connected, the attacker can intercept all unencrypted traffic, capture login credentials, and launch further attacks like phishing or malware injection.

This attack is a common topic in the EC-Council CEH and CompTIA Security+ exams, where candidates must distinguish it from similar terms like rogue AP and deauthentication attack. The most effective defenses include using mutual authentication with 802.1X and EAP-TLS, deploying WPA3 with SAE, and enforcing a company-wide VPN policy.

For exams, remember that the core of the attack is impersonation, and the best defense is authentication. Do not rely on encryption alone, SSID hiding, or MAC filtering, as these are easily bypassed. Understanding evil twin attacks prepares you for real-world security challenges and certification success.