This chapter covers evil twin wireless attacks, a critical security threat where a rogue access point impersonates a legitimate one to intercept network traffic. For the N10-009 exam, understanding evil twin attacks falls under Domain 4.0 (Network Security) and Objective 4.1 (Explain common security vulnerabilities and attacks). Approximately 5–10% of exam questions touch on wireless security attacks, with evil twin being one of the most commonly tested scenarios. You must be able to identify the attack, explain how it works, and recommend mitigation techniques.
Imagine a bank lobby where customers wait in line to deposit cash. A legitimate teller sits behind a clearly marked window, wearing a uniform with the bank logo. A criminal sets up a second teller window a few feet away, with a fake sign that looks identical to the real one—same logo, same font, same color scheme. The criminal wears a similar uniform and smiles at customers. When a customer approaches the fake window, the criminal asks for their account number and PIN, then claims the system is down and returns the card. The customer walks away thinking nothing is wrong, but the criminal now has their credentials. The real teller cannot stop this because the fake window broadcasts a stronger signal (louder voice) and appears more inviting. The bank has no way to authenticate which window is real because customers have no secure method to verify the teller's identity. This mirrors an evil twin attack exactly: the fake access point (AP) mimics the legitimate AP's SSID, uses a stronger signal to attract victims, captures credentials or sensitive data, and the victim has no cryptographic proof of the AP's authenticity unless 802.1X or a VPN is used.
What is an Evil Twin Attack?
An evil twin attack is a type of wireless network attack where an attacker sets up a rogue access point (AP) that broadcasts the same Service Set Identifier (SSID) as a legitimate wireless network. The rogue AP is configured to have a stronger signal than the legitimate AP, causing wireless clients to associate with it instead. Once associated, the attacker can capture sensitive information such as login credentials, session cookies, or other unencrypted data. The attack is transparent from the client's perspective: the victim does not realize they are connected to a malicious network because the SSID appears identical.
How It Works Internally
Wireless clients typically connect to the AP with the strongest signal for a given SSID. The attacker places a rogue AP near the target area, often using a high-gain antenna or a device like a Raspberry Pi with a wireless card in monitor mode. The rogue AP broadcasts beacon frames with the same SSID as the legitimate network. These beacon frames include information such as supported data rates, channel, and security settings. If the legitimate network uses no encryption (open) or WEP, the rogue AP can easily mimic it. For WPA/WPA2 networks, the attacker must know the pre-shared key (PSK) to allow clients to connect; otherwise, clients will see a mismatch in security parameters and may not connect. However, if the attacker captures the PSK via a separate attack (e.g., WPS PIN brute force), they can configure the rogue AP with the correct PSK.
Key Components and Defaults
SSID: The network name. The rogue AP must use the exact same SSID as the target.
BSSID: The MAC address of the AP. The rogue AP will have a different BSSID (its own MAC), but clients do not typically verify BSSID consistency.
Channel: The rogue AP can be set to the same channel as the legitimate AP or a different one. Clients will scan all channels and associate with the strongest signal.
Signal Strength: The attacker aims to make the rogue AP's signal stronger than the legitimate AP's at the client's location.
Security Settings: If the legitimate network uses WPA2-PSK with AES, the rogue AP must also advertise WPA2-PSK with AES. If the PSK is unknown, clients will fail to authenticate and the attack will not succeed (unless the client is configured to connect to open networks).
Configuration and Verification
Attackers commonly use tools like airbase-ng from the aircrack-ng suite to create a rogue AP. Example command:
sudo airbase-ng -a 00:11:22:33:44:55 -e "CorporateWiFi" -c 6 wlan0mon
-a specifies the BSSID (optional; the default is random)
-e sets the SSID
-c sets the channel
wlan0mon is the wireless interface in monitor mode
To capture traffic, the attacker can use Wireshark or tcpdump on the rogue AP's interface. For credential harvesting, a tool like Ettercap or a simple DNS spoofing setup can redirect victims to a fake login page.
Interaction with Related Technologies
802.1X/EAP: If the legitimate network uses 802.1X (WPA-Enterprise), the rogue AP cannot easily mimic it because the attacker would need to act as a RADIUS server. However, attackers can set up a fake RADIUS server to capture credentials (like in a "Rogue RADIUS" attack).
WPA3: WPA3 uses Simultaneous Authentication of Equals (SAE) which provides mutual authentication. This makes evil twin attacks much harder because the client can verify the AP's identity. However, if the client is downgraded to WPA2, the attack may still work.
VPN: A VPN encrypts traffic end-to-end, so even if the client connects to an evil twin, the attacker only sees encrypted traffic. However, the attacker can still perform a man-in-the-middle (MITM) attack if the VPN is not used or if the user ignores certificate warnings.
Captive Portals: Evil twins are often used to present a fake captive portal that mimics a legitimate login page (e.g., hotel or airport Wi-Fi). The victim enters their credentials, which are captured by the attacker.
Detection and Prevention
Wireless Intrusion Prevention Systems (WIPS): These systems monitor for rogue APs by comparing BSSIDs against a known list of authorized APs. They can also detect changes in signal strength or channel that indicate a potential evil twin.
Client-side verification: Users should verify the AP's certificate or use a VPN. For enterprise environments, deploying 802.1X with server-side certificates ensures clients authenticate the AP.
Disable automatic connections: Clients should not automatically reconnect to open networks or networks with the same SSID without verification.
Use WPA3: If possible, upgrade to WPA3 which provides mutual authentication.
Regular site surveys: Administrators should periodically scan for rogue APs using tools like Kismet or Wireshark.
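The core check a WIPS or a site survey performs is to compare each observed SSID/BSSID pair against an allow-list of authorized APs, flagging a known SSID on an unknown BSSID as an evil twin and an unknown SSID as an ordinary rogue AP. The script below is an added example, not code from the original page or from any WIPS product; the SSIDs, MAC addresses, channels and RSSI values are constructed sample data, and it also applies the two secondary signals the text mentions (a twin that is louder than every authorized AP, and a twin whose advertised security differs from the real network, as in a downgrade).

```python
"""Triage of Wi-Fi scan records for evil twins and rogue APs.

Added example (not from the original page): the allow-list comparison a WIPS
or site survey performs. All AP names, MACs and RSSI values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    rssi: int        # received signal strength in dBm (higher = stronger)
    security: str    # advertised security, e.g. "WPA2-EAP", "WPA3-SAE", "OPEN"


# Allow-list of authorized infrastructure: SSID -> {BSSID, ...} (constructed)
AUTHORIZED = {
    "CorpNet": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
    "CorpGuest": {"00:11:22:33:44:57"},
}

# Constructed scan: three legitimate APs, one evil twin that is louder than the
# real APs, one evil twin that advertises weaker security, one plain rogue AP.
SCAN = [
    Beacon("CorpNet", "00:11:22:33:44:55", 6, -61, "WPA2-EAP"),
    Beacon("CorpNet", "00:11:22:33:44:56", 11, -70, "WPA2-EAP"),
    Beacon("CorpNet", "de:ad:be:ef:00:01", 6, -38, "WPA2-EAP"),
    Beacon("CorpGuest", "00:11:22:33:44:57", 1, -66, "WPA3-SAE"),
    Beacon("CorpGuest", "de:ad:be:ef:00:02", 1, -72, "WPA2-PSK"),
    Beacon("FreeWiFi", "de:ad:be:ef:00:03", 1, -45, "OPEN"),
]


def classify(beacons, authorized=AUTHORIZED):
    """Return a list of (verdict, beacon, reason) for every beacon seen.

    verdict is "authorized", "evil_twin" (known SSID, unknown BSSID) or
    "rogue_ap" (an SSID that is not authorized at all).
    """
    allow = {ssid: {m.lower() for m in macs} for ssid, macs in authorized.items()}
    legit = [b for b in beacons if b.bssid.lower() in allow.get(b.ssid, set())]
    findings = []
    for b in beacons:
        if b.bssid.lower() in allow.get(b.ssid, set()):
            findings.append(("authorized", b, "SSID/BSSID pair on allow-list"))
            continue
        if b.ssid not in allow:
            findings.append(("rogue_ap", b, "SSID not authorized"))
            continue
        same_ssid = [x for x in legit if x.ssid == b.ssid]
        reasons = ["SSID cloned with unknown BSSID"]
        if same_ssid and b.rssi > max(x.rssi for x in same_ssid):
            reasons.append("stronger than every authorized AP on this SSID")
        if same_ssid and all(x.security != b.security for x in same_ssid):
            reasons.append("security differs from authorized APs (possible downgrade)")
        findings.append(("evil_twin", b, "; ".join(reasons)))
    return findings


def counts(findings):
    """Number of beacons per verdict, usable for alert thresholds."""
    out = {"authorized": 0, "evil_twin": 0, "rogue_ap": 0}
    for verdict, _, _ in findings:
        out[verdict] += 1
    return out


if __name__ == "__main__":
    for verdict, b, reason in classify(SCAN):
        print(f"{verdict:10} {b.ssid:10} {b.bssid} ch{b.channel:<3} {b.rssi} dBm  {reason}")
```

In production the allow-list would come from the controller's AP inventory and the scan from a sensor or a Kismet export; the comparison logic stays the same.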
Real-World Impact
Evil twin attacks are common in public Wi-Fi hotspots like coffee shops, airports, and hotels. Attackers can capture login credentials, credit card numbers, and other sensitive data. In 2017, a vulnerability in the Android Wi-Fi stack (CVE-2017-13156) allowed an attacker to force a device to connect to an evil twin without user interaction. The attack is also a vector for spreading malware or conducting man-in-the-middle attacks.
Exam Relevance
For N10-009, you must understand:
The difference between an evil twin and a rogue AP (all evil twins are rogue APs, but not all rogue APs are evil twins—rogue APs may have a different SSID).
How signal strength plays a role.
The importance of mutual authentication in preventing evil twin attacks.
Tools used to detect evil twins (e.g., WIPS, spectrum analyzers).
Mitigation techniques: 802.1X, WPA3, VPNs, and user education.
Attacker deploys rogue AP
The attacker sets up a wireless access point using a device like a laptop with a wireless card, a Raspberry Pi, or a commercial router with custom firmware. The rogue AP is configured to broadcast the same SSID as the target legitimate network. The attacker places the device in a location where the target clients are present, such as near a coffee shop or office building. The attacker may use a high-gain antenna to amplify the signal. The rogue AP is often set to the same channel as the legitimate AP to avoid channel switching by clients. The attacker also ensures that the security settings (encryption type, authentication method) match the legitimate network as closely as possible. If the legitimate network uses WPA2-PSK, the attacker must know the PSK; otherwise, clients will fail to authenticate.
Rogue AP broadcasts beacon frames
The rogue AP begins sending 802.11 beacon frames at regular intervals (typically every 100 time units, or about 102.4 ms). These beacons contain the SSID, supported data rates, capabilities (e.g., QoS, security), and the BSSID (the MAC address of the rogue AP). The beacon frames are identical to those of the legitimate AP except for the BSSID. The rogue AP may also send probe responses to active scans from clients. Because the rogue AP is physically closer or has a stronger transmitter, its beacon frames arrive at the client with a higher received signal strength indicator (RSSI) than those from the legitimate AP.
Client associates with rogue AP
When a wireless client (e.g., a laptop or smartphone) scans for available networks, it receives beacon frames from both the legitimate AP and the rogue AP. The client's wireless driver typically selects the AP with the strongest signal for a given SSID. If the rogue AP's signal is stronger, the client initiates an association request to the rogue AP. The rogue AP responds with an association response. If the network uses WPA2-PSK, the client and rogue AP perform the 4-way handshake. Since the rogue AP knows the PSK (or the client is configured to connect to open networks), the handshake succeeds. The client now believes it is connected to the legitimate network.
Attacker captures or intercepts traffic
Once the client is associated with the rogue AP, all traffic from the client passes through the attacker's device. The attacker can capture unencrypted data (e.g., HTTP requests, FTP passwords) or perform a man-in-the-middle attack. For example, the attacker can use ARP spoofing to intercept traffic between the client and the internet, or set up a fake captive portal that mimics a login page. The attacker may also forward traffic to the legitimate network (through a separate connection) to avoid suspicion. The victim experiences normal connectivity, but the attacker can log all packets. Tools like Wireshark, tcpdump, or Ettercap are used to capture and analyze the traffic.
Attacker harvests credentials or data
The attacker extracts sensitive information from the captured traffic. Common targets include login credentials for websites (via HTTP POST requests), session cookies, email passwords, or credit card numbers. If the attacker sets up a fake captive portal, the victim enters their username and password, which are stored by the attacker. The attacker may also inject malicious code into web pages to install malware. The attack continues until the victim disconnects or the attacker stops the rogue AP. The victim may never realize they were connected to an evil twin, especially if the attacker forwards traffic to the legitimate network and the session appears normal.
Enterprise Scenario 1: Coffee Shop Wi-Fi
The most common real-world deployment of evil twin attacks is in public Wi-Fi hotspots. A coffee shop offers free Wi-Fi with SSID "CoffeeShopFree". An attacker sits in the shop with a laptop running a rogue AP that broadcasts the same SSID. The attacker's device is placed on a table closer to customers, so its signal is stronger. Customers' devices automatically connect to the rogue AP. The attacker then uses a tool like Ettercap to perform ARP poisoning and capture HTTP traffic. Within minutes, the attacker can harvest email passwords and session tokens. The coffee shop owner has no visibility into the attack because the rogue AP is not on the network. Mitigation for users is to use a VPN; for the shop, deploying a WIPS can detect the rogue AP by its BSSID and alert staff.
Enterprise Scenario 2: Corporate Office
In a corporate environment, an attacker may target employees by setting up an evil twin with the company's SSID (e.g., "CorpNet"). The legitimate network uses WPA2-Enterprise with 802.1X and RADIUS authentication. The attacker cannot easily mimic this because they would need a RADIUS server. However, the attacker can set up a rogue AP with a fake RADIUS server that accepts any credentials, capturing the employee's username and password. Alternatively, the attacker may use a downgrade attack: if the client supports both WPA2 and WPA3, the attacker can force the client to use WPA2 by not broadcasting WPA3 capabilities. The captured credentials can then be used to access the corporate VPN or other resources. To prevent this, organizations should enforce 802.1X with server-side certificates, use WPA3, and deploy WIPS to detect rogue APs.
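The fake-RADIUS variant above only works when the client does not validate the RADIUS server's certificate. As an added illustration of the 802.1X client-side mitigation (this is not configuration from the original page or from any vendor), here is a wpa_supplicant network block that accepts any server certificate next to one that pins the CA and the server name and requires protected management frames; the CA file path, server name, SSID and identity are placeholders.

```conf
# WEAK: no ca_cert and no server-name check, so the supplicant accepts any
# certificate presented by whatever RADIUS server sits behind the AP,
# including an attacker's fake RADIUS server on an evil twin.
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the client verifies the server certificate chains to the
# corporate CA and carries the expected server name before it sends any
# credential; ieee80211w=2 requires 802.11w management frame protection.
# The CA path and server name are placeholders, not values from the page.
network={
    ssid="CorpNet"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="PLACEHOLDER"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    ieee80211w=2
}
```

Managed clients should receive the hardened profile (or an EAP-TLS profile with a client certificate) from the MDM or group policy, so users are never asked to accept an unknown server certificate.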
Enterprise Scenario 3: Hotel or Conference Venue
Hotels and conference venues often provide Wi-Fi with a captive portal. An attacker can set up an evil twin with the same SSID (e.g., "HotelGuest") and present a fake captive portal that looks identical to the legitimate one. Guests enter their room number and last name, which the attacker captures. The attacker can then use this information to access the hotel's internal network or commit fraud. The legitimate hotel network may be overloaded, making the rogue AP's faster connection seem more appealing. Mitigation includes using WPA2-Enterprise with unique credentials per guest, or implementing a WIPS that monitors for duplicate SSIDs and alerts the IT staff.
N10-009 Exam Coverage
The N10-009 exam tests evil twin attacks under Objective 4.1: Explain common security vulnerabilities and attacks. Specifically, the exam expects you to:
Identify an evil twin attack scenario (e.g., a user connects to a network with a known SSID but experiences slow speeds or a login page).
Differentiate between evil twin and other wireless attacks like rogue AP (different SSID), deauthentication attack, or jamming.
Know mitigation techniques: 802.1X, WPA3, VPNs, and WIPS.
Understand that evil twin attacks exploit the lack of mutual authentication in WPA2-PSK.
Common Wrong Answers
"The attacker must be within range of the legitimate AP" — This is false. The attacker can set up the rogue AP anywhere within range of the clients; they do not need to be near the legitimate AP.
"Evil twin attacks only work on open networks" — Incorrect. They can work on WPA2-PSK if the PSK is known or if the client is configured to connect to open networks. WPA3 provides mutual authentication and is resistant.
"A rogue AP is the same as an evil twin" — Not exactly. A rogue AP is any unauthorized AP; an evil twin is a specific type of rogue AP that uses the same SSID as a legitimate network.
"Using a strong password prevents evil twin attacks" — No. A strong PSK does not prevent the attack; the attacker only needs to know the PSK to set up the rogue AP. Mutual authentication is key.
Specific Values and Terms
SSID: The network name that is cloned.
BSSID: The MAC address of the AP; different for the rogue AP.
RSSI: Signal strength indicator; clients choose the AP with higher RSSI.
Beacon interval: Typically 100 time units (102.4 ms).
WPA2-PSK: Vulnerable if PSK is known.
WPA3-SAE: Resistant due to mutual authentication.
802.1X: Provides mutual authentication with server-side certificates.
WIPS: Wireless Intrusion Prevention System used for detection.
Edge Cases
Hidden SSID: If the legitimate network hides its SSID, the attacker must know the SSID to set up the evil twin. Clients that are configured to connect to hidden networks will send probe requests with the SSID, which the attacker can capture.
5 GHz vs. 2.4 GHz: The attack can be performed on either band. If the legitimate AP uses both, the attacker may target the band with weaker signal.
Client behavior: Some clients remember APs by BSSID and may not switch to the rogue AP if the BSSID is different. Attackers can deauthenticate the client from the legitimate AP to force a reconnection, which may lead to the rogue AP.
How to Eliminate Wrong Answers
If a question describes a scenario where a user connects to a known SSID but sees a login page, the answer is likely an evil twin attack.
If the question mentions "stronger signal" or "same network name", eliminate answers like "rogue AP" (if the SSID is different) or "deauthentication attack".
For mitigation, look for options that involve mutual authentication (802.1X, WPA3) or encryption (VPN).
If the question asks how to detect, look for WIPS or spectrum analysis.
An evil twin attack uses a rogue AP with the same SSID as a legitimate network to trick clients into connecting.
The attacker typically positions the rogue AP to have a stronger signal than the legitimate AP, causing clients to associate automatically.
WPA2-PSK is vulnerable if the PSK is known; WPA3-SAE provides mutual authentication and is resistant.
802.1X with server-side certificates (EAP-TLS) prevents evil twin attacks by authenticating the AP to the client.
Detection methods include WIPS, spectrum analysis, and monitoring for duplicate BSSIDs on the same SSID.
A VPN encrypts traffic but does not prevent the initial connection to an evil twin; user awareness is critical.
Common tools used by attackers: airbase-ng, Ettercap, Wireshark.
The exam expects you to differentiate evil twin from rogue AP and deauthentication attacks.
These come up on the exam all the time. Here's how to tell them apart.
Evil Twin Attack
Uses the same SSID as a legitimate network
Exploits client's automatic connection to strongest signal
Often used for credential harvesting or MITM
Detection requires comparing the SSID/BSSID pair against the list of authorized APs
Mitigation includes mutual authentication (802.1X, WPA3)
Rogue AP Attack
May use a different SSID (e.g., 'Free Wi-Fi')
Relies on users manually connecting to an enticing SSID
Can be used for same purposes but less stealthy
Detection is easier if SSID is not authorized
Mitigation includes WIPS and user education
Evil Twin Attack
Involves setting up a rogue AP
Victim connects to attacker's AP
Attacker can capture traffic passively
Attack continues until victim disconnects
Mitigation: mutual authentication, WIPS
Deauthentication Attack
Involves sending deauth frames to disconnect clients
Victim is disconnected from legitimate AP
Often used to force clients to reconnect (may lead to evil twin)
Attack is active and short-lived
Mitigation: 802.11w (Management Frame Protection)
Mistake
Evil twin attacks only work on open (unencrypted) networks.
Correct
Evil twin attacks can also work on WPA2-PSK networks if the attacker knows the pre-shared key. The attacker configures the rogue AP with the same PSK, and clients connect normally. WPA3 is resistant because it uses SAE with mutual authentication.
Mistake
A rogue access point is the same as an evil twin.
Correct
A rogue AP is any unauthorized AP on the network. An evil twin is a specific type of rogue AP that uses the same SSID as a legitimate network to impersonate it. Not all rogue APs are evil twins.
Mistake
Using a strong password (PSK) prevents evil twin attacks.
Correct
A strong PSK does not prevent the attack because the attacker can still set up a rogue AP with the same PSK (if they obtain it through other means). The real defense is mutual authentication, which ensures the client verifies the AP's identity.
Mistake
Evil twin attacks require the attacker to be physically close to the legitimate AP.
Correct
The attacker only needs to be close to the victims, not the legitimate AP. The rogue AP's signal must be stronger than the legitimate AP's signal at the victim's location. Attackers often place the rogue AP near the victims.
Mistake
A VPN makes you immune to evil twin attacks.
Correct
A VPN encrypts traffic between the client and the VPN server, so the attacker cannot see the contents. However, the attacker can still perform a man-in-the-middle attack if the VPN is not used or if the user ignores certificate warnings. Also, the attacker can block VPN traffic or force the client to use a fake VPN.
An evil twin attack is a type of wireless attack where an attacker sets up a rogue access point that broadcasts the same SSID as a legitimate network. When clients connect to the stronger signal, the attacker can intercept their traffic, capture credentials, or perform man-in-the-middle attacks. The attack exploits the lack of mutual authentication in WPA2-PSK and open networks.
A rogue AP is any unauthorized access point on the network. An evil twin is a specific type of rogue AP that uses the same SSID as a legitimate network to impersonate it. All evil twins are rogue APs, but not all rogue APs are evil twins (e.g., an AP with SSID 'FreeWiFi' in a corporate environment is a rogue AP but not an evil twin because it doesn't mimic a legitimate SSID).
Yes, if the attacker knows the pre-shared key (PSK). The attacker configures the rogue AP with the same PSK, and clients will connect normally. However, if the PSK is unknown, clients will fail the 4-way handshake. The attacker may obtain the PSK through other means (e.g., WPS PIN brute force or social engineering).
Detection methods include using a Wireless Intrusion Prevention System (WIPS) that monitors for duplicate SSIDs with different BSSIDs, performing site surveys with spectrum analyzers, and checking for sudden changes in signal strength. Users can verify the AP's MAC address (BSSID) against a known list, but this is not practical for most users.
The best defense is mutual authentication, which ensures the client verifies the AP's identity. This is achieved with 802.1X (WPA-Enterprise) using server-side certificates (EAP-TLS) or WPA3-SAE. Additionally, using a VPN encrypts traffic so even if connected to an evil twin, the attacker cannot read the data. User education about not connecting to open or unknown networks is also important.
Yes, WPA3 uses Simultaneous Authentication of Equals (SAE), which provides mutual authentication. The client verifies the AP's identity during the handshake, preventing impersonation. However, if a client is configured to fall back to WPA2, an attacker could force a downgrade and still perform the attack.
Common tools include airbase-ng (part of aircrack-ng) to create the rogue AP, Ettercap or Bettercap for man-in-the-middle attacks, Wireshark for packet capture, and tools like Fluxion or Wi-Fi Pumpkin that automate the process. Attackers may also use a Raspberry Pi or laptop with a wireless card in monitor mode.