PT0-002 | Chapter 73 of 104 | Objective 3.5

Evil Twin and Rogue AP Attacks

This chapter covers evil twin and rogue access point (AP) attacks, two of the most common wireless attack vectors tested in the PT0-002 exam. Understanding these attacks is critical because they appear in approximately 5-8% of exam questions, often in the context of social engineering, man-in-the-middle, or wireless security. You will learn the technical mechanisms behind these attacks, how to execute them using tools like airbase-ng and mdk4, and how to defend against them. The exam expects you to differentiate between an evil twin (same SSID, stronger signal) and a rogue AP (unauthorized device on the network), and to identify appropriate mitigation strategies such as WIPS and 802.1X.

25 min read
Intermediate
Updated May 31, 2026

Evil Twin: Counterfeit Storefront Decoy

Imagine a busy city street with a popular coffee shop that has a sign reading "Free Wi-Fi — Coffee House." A criminal opens a counterfeit storefront right next door, with an identical sign reading "Free Wi-Fi — Coffee House." The criminal's storefront looks exactly like the real one, with the same logo and color scheme. When a customer tries to connect to the coffee shop's Wi-Fi, their device sees both the real network and the counterfeit one. If the counterfeit signal is stronger, the device automatically connects to it. Once connected, the criminal's storefront acts as a man-in-the-middle: all the customer's traffic passes through the criminal's server, allowing the criminal to capture passwords, credit card numbers, and other sensitive data. The customer believes they are using the legitimate coffee shop's network, but they are actually interacting with a fake that forwards their requests to the real internet, logging everything along the way. This is exactly how an evil twin attack works: the attacker sets up a rogue access point with the same SSID as a legitimate network, often with a stronger signal, to trick clients into connecting. The rogue AP then captures or manipulates traffic, enabling credential harvesting, session hijacking, or malware injection. The victim has no visible indication that they are on a fake network because the SSID matches and the connection appears normal.

How It Actually Works

What Are Evil Twin and Rogue AP Attacks?

An evil twin attack occurs when an attacker sets up a wireless access point that impersonates a legitimate access point by using the same SSID (network name). The attacker typically broadcasts a stronger signal than the legitimate AP, causing client devices to automatically connect to the evil twin due to signal strength preferences. Once connected, the attacker can intercept, modify, or redirect traffic. A rogue AP is any unauthorized wireless access point connected to a wired network, often plugged in by an employee or an attacker to bypass security controls. While both are unauthorized, the key difference is that an evil twin is a fake AP that mimics a legitimate one, whereas a rogue AP is an unauthorized device that is physically or logically connected to the corporate network.

How Evil Twin Attacks Work Internally

1. SSID Spoofing: The attacker configures their wireless interface to broadcast the same SSID as the target network. Using tools like airbase-ng from the aircrack-ng suite, the attacker can create a virtual AP with any SSID. Command: `airbase-ng -e "CorporateWiFi" -c 6 wlan0`. This creates a beacon frame with SSID "CorporateWiFi" on channel 6.

2. Signal Strength Manipulation: The attacker positions their antenna close to the victims or uses a high-gain antenna to ensure the evil twin's signal is stronger than the legitimate AP. Client devices typically connect to the AP with the highest RSSI (Received Signal Strength Indicator) for a given SSID. If the evil twin's signal is stronger, clients will deauthenticate from the legitimate AP and connect to the evil twin.

3. Deauthentication Attack (Optional): To force clients to disconnect from the legitimate AP and reconnect to the evil twin, the attacker can send deauthentication frames. These frames are not encrypted and can be sent using aireplay-ng: `aireplay-ng -0 5 -a <BSSID of legitimate AP> -c <client MAC> wlan0`. This sends 5 deauth packets to the client, causing it to disconnect and then reconnect. Since the evil twin has a stronger signal, the client will likely connect to it.

4. Traffic Forwarding and Interception: Once a client connects to the evil twin, the attacker must forward traffic to the legitimate network or the internet to avoid raising suspicion. This is done by bridging the evil twin interface to a legitimate internet connection (e.g., using a wired Ethernet connection or a cellular hotspot). The attacker can then use tools like Wireshark, tcpdump, or ettercap to capture packets. For HTTPS traffic, the attacker may need to perform SSL stripping (e.g., using mitmproxy or sslstrip) to downgrade connections to HTTP.

5. Credential Harvesting: The attacker can set up a fake captive portal that mimics the legitimate login page. When the user tries to access a website, they are redirected to a phishing page that captures their credentials. This is often done with tools like WiFiPhisher or Fluxion.

Rogue AP Attacks

A rogue AP is an unauthorized wireless access point connected to a wired network. For example, an employee might plug a consumer-grade router into the corporate network to get better Wi-Fi coverage, inadvertently creating a backdoor. Attackers can also physically install a rogue AP (e.g., a Raspberry Pi with a wireless dongle) that connects to the network and broadcasts an open or WPA2-PSK SSID. Once connected to the rogue AP, attackers can bypass network segmentation and access internal resources.

Detection of rogue APs relies on Wireless Intrusion Prevention Systems (WIPS) that monitor the airwaves for unauthorized SSIDs or MAC addresses. The IEEE 802.11w-2009 standard (Management Frame Protection) helps prevent deauthentication attacks but does not stop rogue APs. Rogue APs are often detected by:

- SSID Monitoring: WIPS compares detected SSIDs with an approved list.
- MAC Address Spoofing Detection: If a rogue AP uses the same MAC as a legitimate AP, it will cause a conflict.
- Signal Strength Analysis: A sudden strong signal from a new AP can indicate a rogue.
- Wired Network Correlation: WIPS can query switches via SNMP to find the switch port where a rogue AP is connected.

Key Components and Tools

airbase-ng: Creates a fake AP. It can advertise WEP, WPA or WPA2 in its beacons, or no encryption at all. Note that `-W 1` sets the WEP privacy flag in the beacon, not WPA2; WPA2 tags are advertised with `-Z`, e.g. `airbase-ng -e "TargetSSID" -c 1 -Z 4 wlan0` (4 = CCMP). airbase-ng only advertises the cipher suite and does not complete a passphrase-based WPA2 handshake, so an encrypted AP that clients can actually join is built with hostapd instead.

aircrack-ng suite: Includes airodump-ng for scanning, aireplay-ng for deauth, and airbase-ng for fake AP.

mdk4: Can perform beacon flooding and deauth attacks. For evil twin, mdk4 can be used to flood the target AP with deauth packets.

WiFiPhisher: Automates captive portal phishing.

Fluxion: Automates evil twin with WPA handshake capture and fake captive portal.

hostapd: Can be used to create a legitimate-looking AP with encryption.

dnsmasq: Provides DHCP and DNS services for the evil twin network.

Default Values and Timers

Beacon Interval: Default 100 ms (10 beacons per second). The evil twin should match this to avoid detection.

DTIM Interval: Default 1-3 beacon intervals. Not critical for evil twin.

Channel: The attacker should use the same channel as the legitimate AP to avoid channel switching by clients.

RSSI Threshold: Clients typically connect to the AP with the highest RSSI. A difference of 5-10 dBm is often enough to cause a switch.

Deauth Packet Rate: Sending 1-5 deauth packets per second is usually sufficient. Too many can cause denial of service and alert users.

Interaction with Related Technologies

WPA2-Enterprise: Evil twin attacks are harder against 802.1X because the client validates the RADIUS server certificate. However, attackers can use a rogue RADIUS server to capture credentials (e.g., using FreeRADIUS with a self-signed certificate). The exam tests your knowledge of EAP downgrade attacks (e.g., forcing clients to use PEAP-MSCHAPv2 instead of EAP-TLS).

WPA3: Uses SAE (Simultaneous Authentication of Equals) which provides mutual authentication and is resistant to evil twin attacks. However, WPA3 Transition Mode (mixed WPA2/WPA3) can be vulnerable if clients use WPA2.

WIPS: A properly configured WIPS can detect evil twins by analyzing beacon frames for anomalies (e.g., different supported rates, different vendor OUI).

802.1X: If the network uses 802.1X, clients should be configured to validate server certificates. An evil twin would not have a valid certificate, so the client should refuse to connect. However, many clients are configured to accept any certificate, making them vulnerable.
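The rogue AP detection methods listed under "Rogue AP Attacks" (SSID monitoring, duplicate-MAC detection, fingerprint comparison) are what a WIPS sensor actually computes from the beacons it hears. The following is an added example, not code from the chapter or from any WIPS product: it compares a constructed scan against a constructed baseline of managed APs and labels each anomaly the way the chapter describes it. The BSSIDs, OUI list, SSIDs and rate sets are all assumptions made for the example; a real sensor would feed it from airodump-ng or Kismet output.

```python
"""WIPS-style evil-twin and rogue-AP checks over observed beacons.

Added example, not code from the chapter or from any WIPS product. The
baseline, OUI list and observed beacons are constructed inputs.
"""
from collections import defaultdict

# Baseline of the managed AP fleet: BSSID -> beacon fingerprint (constructed values).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": {"ssid": "CorporateWiFi", "channel": 6, "beacon_interval": 100,
                          "rates": (1, 2, 5.5, 11, 6, 12, 24, 54), "rsn": True},
    "00:11:22:33:44:02": {"ssid": "CorporateWiFi", "channel": 11, "beacon_interval": 100,
                          "rates": (1, 2, 5.5, 11, 6, 12, 24, 54), "rsn": True},
}
AUTHORIZED_OUIS = {"00:11:22"}                  # vendor prefixes of the managed fleet (constructed)
APPROVED_SSIDS = {"CorporateWiFi", "CorpGuest"}  # SSIDs the organisation actually broadcasts
FINGERPRINT_FIELDS = ("ssid", "channel", "beacon_interval", "rates", "rsn")


def oui(bssid):
    """First three octets of a MAC address, i.e. the vendor OUI."""
    return bssid.upper()[:8]


def check_beacon(beacon, authorized=AUTHORIZED_APS, ouis=AUTHORIZED_OUIS, ssids=APPROVED_SSIDS):
    """Classify one observed beacon; returns a list of alert strings (empty = clean)."""
    bssid = beacon["bssid"].upper()
    known = authorized.get(bssid)
    alerts = []
    if known is None:
        if beacon["ssid"] in ssids:
            # Our own SSID advertised by a radio we do not manage: the evil twin case.
            alerts.append(f"EVIL TWIN candidate: SSID {beacon['ssid']!r} from unknown BSSID {bssid}")
            if oui(bssid) not in ouis:
                alerts.append(f"  vendor OUI {oui(bssid)} is not in the managed fleet")
            if not beacon["rsn"]:
                alerts.append("  beacon advertises an OPEN network where the baseline is WPA2/RSN")
        else:
            # Any other unapproved SSID on air: the rogue AP case (confirm via switch correlation).
            alerts.append(f"ROGUE AP candidate: unapproved SSID {beacon['ssid']!r} from {bssid}")
        return alerts
    # Known BSSID: a spoofed MAC shows up as a fingerprint that no longer matches the baseline.
    for field in FINGERPRINT_FIELDS:
        if beacon[field] != known[field]:
            alerts.append(f"FINGERPRINT mismatch on {bssid}: {field}={beacon[field]!r}, "
                          f"baseline {known[field]!r}")
    return alerts


def scan_report(beacons, **kwargs):
    """Run check_beacon over a whole scan and add duplicate-BSSID (MAC spoofing) detection."""
    report = {}
    channels_seen = defaultdict(set)
    for b in beacons:
        bssid = b["bssid"].upper()
        channels_seen[bssid].add(b["channel"])
        alerts = check_beacon(b, **kwargs)
        if alerts:
            report.setdefault(bssid, []).extend(alerts)
    for bssid, chans in channels_seen.items():
        if len(chans) > 1:
            report.setdefault(bssid, []).append(
                f"DUPLICATE BSSID {bssid} seen on channels {sorted(chans)} (MAC spoofing)")
    return report


# Constructed scan: two legitimate APs, an open evil twin, an employee's home router,
# and a beacon that spoofs a legitimate BSSID on the wrong channel with a different interval.
SAMPLE_SCAN = [
    {"bssid": "00:11:22:33:44:01", "ssid": "CorporateWiFi", "channel": 6, "beacon_interval": 100,
     "rates": (1, 2, 5.5, 11, 6, 12, 24, 54), "rsn": True},
    {"bssid": "00:11:22:33:44:02", "ssid": "CorporateWiFi", "channel": 11, "beacon_interval": 100,
     "rates": (1, 2, 5.5, 11, 6, 12, 24, 54), "rsn": True},
    {"bssid": "AA:BB:CC:DD:EE:FF", "ssid": "CorporateWiFi", "channel": 6, "beacon_interval": 100,
     "rates": (1, 2, 5.5, 11), "rsn": False},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "NETGEAR-2G", "channel": 1, "beacon_interval": 100,
     "rates": (1, 2, 5.5, 11, 6, 12, 24, 54), "rsn": True},
    {"bssid": "00:11:22:33:44:01", "ssid": "CorporateWiFi", "channel": 1, "beacon_interval": 102,
     "rates": (1, 2, 5.5, 11, 6, 12, 24, 54), "rsn": True},
]

if __name__ == "__main__":
    for bssid, alerts in scan_report(SAMPLE_SCAN).items():
        print(bssid)
        for alert in alerts:
            print("  " + alert)
```

The three outcomes map directly onto the chapter's terminology: an unknown BSSID carrying an approved SSID is the evil twin, an unapproved SSID is a rogue AP that still needs wired correlation to confirm it is on the corporate LAN, and a known BSSID whose fingerprint drifts (or appears on two channels at once) is MAC spoofing. Beacon interval is part of the fingerprint precisely because the chapter notes that attackers try to match the 100 ms default.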

Advanced Techniques

KARMA Attack: A tool like MANA (or KARMA) responds to probe requests from clients. When a client sends a probe request for any SSID it has previously connected to, the attacker's AP responds with a beacon for that SSID, tricking the client into connecting. This is effective even if the client is not actively looking for a specific network.

Known Beacon Attack: The attacker broadcasts multiple SSIDs that are commonly stored in client devices' preferred network lists (e.g., "attwifi", "xfinitywifi").

SSL Stripping: The attacker downgrades HTTPS connections to HTTP by modifying the response to a request for a secure page. Tools like sslstrip or mitmproxy can do this.

Mitigation

Client-side: Disable automatic connection to open Wi-Fi networks, forget networks after use, use a VPN, and validate server certificates.

Network-side: Deploy WIPS, use 802.1X with EAP-TLS, enable management frame protection (802.11w), and physically secure access points.

Monitoring: Regularly scan for rogue APs using tools like Kismet or Wireshark. Use switch port security to prevent unauthorized devices.
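The client-side mitigations above (validate the server certificate, require protected management frames, do not auto-join open networks) are concrete settings in a Linux supplicant, and the "clients accept any certificate" weakness the chapter warns about is visible by reading the profile. The following is an added example, not code from the chapter or from the wpa_supplicant project: it parses wpa_supplicant-style `network={...}` blocks and reports the profile settings that let an evil twin or a rogue RADIUS server succeed. The option names are real wpa_supplicant keys; the SSIDs, identities, file paths and host names in the sample configuration are placeholders constructed for the example.

```python
"""Audit wpa_supplicant profiles for the settings that let an evil twin
(with or without a rogue RADIUS server) succeed against the client.

Added example, not code from the chapter or from the wpa_supplicant project.
SAMPLE_CONF is constructed; key_mgmt, eap, ca_cert, domain_match,
domain_suffix_match and ieee80211w are real wpa_supplicant network-block
keys, while the SSIDs, paths and host names are placeholders.
"""
import re

SAMPLE_CONF = '''
# Weak: PEAP/MSCHAPv2, no CA pinned, no server-name check, PMF not required.
network={
    ssid="CorporateWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened: EAP-TLS, CA pinned, RADIUS name pinned, PMF required.
network={
    ssid="CorporateWiFi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # placeholder path
    client_cert="/etc/wpa/alice.crt"              # placeholder path
    private_key="/etc/wpa/alice.key"              # placeholder path
    domain_match="radius.corp.example"            # placeholder host name
    ieee80211w=2
}

# Open hotspot profile left on the device; any AP with this SSID is joined.
network={
    ssid="Airport_Free_WiFi"
    key_mgmt=NONE
}
'''

# Any one of these pins the identity the RADIUS server certificate must carry.
SERVER_NAME_KEYS = {"domain_match", "domain_suffix_match", "subject_match", "altsubject_match"}


def parse_networks(conf_text):
    """Split network={...} blocks into dicts; values lose surrounding quotes and trailing comments."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf_text, re.S):
        net = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net):
    """Return findings for one profile; an empty list means every evil-twin check passes."""
    findings = []
    key_mgmt = net.get("key_mgmt", "WPA-PSK WPA-EAP")   # wpa_supplicant's default
    if key_mgmt == "NONE":
        findings.append("open network: joined with no authentication, so any AP broadcasting this SSID is trusted")
        return findings
    if "WPA-PSK" in key_mgmt:
        findings.append("pre-shared key: the AP is never authenticated, anyone holding the passphrase can stand up an evil twin")
    if "WPA-EAP" in key_mgmt:
        if "ca_cert" not in net:
            findings.append("no ca_cert: the RADIUS server certificate is not validated, a rogue RADIUS server is accepted")
        if not SERVER_NAME_KEYS & net.keys():
            findings.append("no domain_match/domain_suffix_match: any certificate chaining to the CA is accepted")
        if net.get("eap") in ("PEAP", "TTLS"):
            findings.append(f"{net['eap']}: password-based inner method; EAP-TLS gives certificate-based mutual authentication")
    if net.get("ieee80211w") != "2":
        findings.append("ieee80211w is not 2: protected management frames are not required, forged deauth frames are honoured")
    return findings


def audit_conf(conf_text):
    """Audit every profile; returns [(ssid, findings), ...] in file order."""
    return [(net.get("ssid", "?"), audit_network(net)) for net in parse_networks(conf_text)]


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF):
        print(f"{ssid}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  - " + finding)
```

Run against the sample, the first CorporateWiFi profile produces four findings and the second none, which is the difference between a BYOD-style profile that accepts any RADIUS certificate and one where the evil twin with a self-signed certificate is refused, as described under "Edge cases" later in the chapter. The `ieee80211w=2` check ties the client side to the 802.11w mitigation listed above.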

Walk-Through

1. Reconnaissance and Target Selection

The attacker first identifies a target network by scanning the area with a tool like airodump-ng or Kismet. They note the SSID, BSSID, channel, encryption type, and signal strength of legitimate APs. The attacker also observes client devices and their probe requests to understand which SSIDs clients are trying to connect to. This step is critical for choosing the right SSID to impersonate and determining the optimal channel and location for the evil twin. The attacker may also capture WPA handshakes to later crack the passphrase if needed.

2. Setting Up the Evil Twin AP

Using a wireless card capable of monitor mode and packet injection (e.g., Alfa AWUS036ACH), the attacker configures the evil twin. They set the SSID to match the target, choose the same channel, and optionally configure encryption (WPA2-PSK with a known passphrase or open). The attacker uses airbase-ng to create the fake AP: `airbase-ng -e "TargetSSID" -c 6 wlan0`. They also set up DHCP and DNS services using dnsmasq to assign IP addresses to connecting clients. The attacker may also bridge the evil twin interface to an internet connection to provide full network access.

3. Deauthenticating Legitimate Clients

To force clients to connect to the evil twin, the attacker sends deauthentication packets to the legitimate AP's clients. Using aireplay-ng, they send deauth frames to each client: `aireplay-ng -0 2 -a <BSSID> -c <client MAC> wlan0`. This causes the client to disconnect. Since the evil twin's signal is stronger, the client's device will automatically attempt to reconnect to the same SSID and will likely connect to the evil twin. The attacker may repeat this process multiple times to ensure all clients are migrated.

4. Traffic Interception and Manipulation

Once clients connect to the evil twin, all their traffic passes through the attacker's system. The attacker can capture plaintext data using Wireshark or tcpdump. For encrypted traffic, they may perform SSL stripping using sslstrip, which downgrades HTTPS to HTTP by modifying the initial HTTP response to replace secure links with insecure ones. The attacker can also inject malicious content, such as JavaScript for drive-by downloads or fake login forms. Tools like mitmproxy allow real-time modification of traffic.

5. Credential Harvesting and Exfiltration

The attacker sets up a captive portal that mimics the legitimate network's login page. When a client tries to access any website, they are redirected to this fake page. The attacker captures entered credentials and then forwards the user to the intended site to avoid suspicion. Alternatively, the attacker can simply log all POST requests containing form data. The harvested credentials are saved for later use. The attacker may also deliver malware or perform session hijacking using captured session cookies.

What This Looks Like on the Job

In enterprise environments, rogue APs and evil twins are a persistent threat. Consider a large corporation with multiple branch offices. An employee in a remote office plugs a consumer-grade router into the network to extend Wi-Fi coverage to a break room. This device, not configured with corporate security standards, becomes a rogue AP. It may have default credentials, outdated firmware, and an open or WPA2-PSK SSID. An attacker sitting in the parking lot can connect to this rogue AP and then pivot into the corporate network, bypassing firewalls and NAC (Network Access Control). To mitigate this, enterprises deploy WIPS like Cisco Prime Infrastructure or AirMagnet, which continuously monitor the radio frequency (RF) spectrum. WIPS can automatically detect and block rogue APs by sending deauth packets to clients or by disabling the switch port where the rogue AP is connected via SNMP. In one real-world incident, a hospital experienced a data breach after an attacker installed a rogue AP in a waiting room. The attacker captured patient data and medical records. The hospital had to implement 802.1X with EAP-TLS and deploy WIPS to prevent recurrence.

Another scenario involves public Wi-Fi hotspots. Attackers set up evil twins in coffee shops, airports, and hotels. For example, at an airport, the legitimate SSID might be "Airport_Free_WiFi". The attacker sets up an evil twin with the same SSID on a laptop. Travelers connect, and the attacker captures their emails, passwords, and credit card numbers. The attacker may also deliver ransomware. To defend, organizations should educate users to verify network names and use VPNs. Some advanced WIPS can detect evil twins by comparing the AP's fingerprint (e.g., beacon interval, supported rates, vendor OUI) against a baseline. If the fingerprint differs, an alert is generated.

A third scenario involves penetration testing. During a PT0-002 exam, you may be asked to simulate an evil twin attack as part of a social engineering test. The tester sets up an evil twin with a captive portal that asks for corporate credentials. The goal is to see how many employees fall for it. The tester then reports the results and recommends security awareness training and technical controls like WIPS and 802.1X.

How PT0-002 Actually Tests This

The PT0-002 exam tests evil twin and rogue AP attacks under Objective 3.5: "Explain the techniques used to exploit wireless and RF-based vulnerabilities." You must be able to:

Differentiate between an evil twin and a rogue AP.

Identify the tools used (airbase-ng, aircrack-ng, mdk4, WiFiPhisher).

Understand the attack flow: reconnaissance, deauth, evil twin setup, traffic interception.

Know mitigation techniques: WIPS, 802.1X, management frame protection, client-side VPN.

Common wrong answers:

1. "An evil twin is a type of rogue AP." This is partially true but imprecise. The exam expects you to know the distinction: an evil twin impersonates a legitimate SSID, while a rogue AP is simply an unauthorized AP on the network. Evil twin is a subset of rogue AP, but not all rogue APs are evil twins.
2. "Evil twin attacks require a deauthentication attack." While deauth is common, it is not strictly required if the evil twin's signal is naturally stronger or if clients probe for the SSID.
3. "WPA2 encryption prevents evil twin attacks." WPA2-PSK does not prevent evil twin because the attacker can know the passphrase (e.g., it's publicly shared) or crack it. Only mutual authentication (like WPA3 or EAP-TLS) prevents evil twin.
4. "A rogue AP can only be detected by physical inspection." Actually, WIPS can detect rogue APs via RF monitoring and switch integration.

Specific exam values:

Deauth frame type: Management frame (type 0, subtype 12).

Beacon frame interval default: 100 ms.

Tool for fake AP: airbase-ng.

Tool for deauth: aireplay-ng.

Standard for management frame protection: 802.11w.
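The exam values above (management frame, type 0, subtype 12, protected by 802.11w) are exactly the fields a detector reads to spot the deauthentication step of an evil twin attack from a monitor-mode capture. The following is an added example, not code from the chapter or from the aircrack-ng suite: it decodes the 802.11 frame control field, counts unprotected deauth/disassoc frames per source in a sliding window, and separately flags any unprotected deauth on a BSS that is known to require PMF, since a real 802.11w AP would never send one. The MAC addresses and the capture are constructed for the example; a real sensor would read frames from a pcap.

```python
"""Detect forged deauthentication frames in a monitor-mode capture.

Added example, not code from the chapter or from the aircrack-ng suite. The
frames are constructed byte strings built by build_mgmt_frame. Only the
fixed 24-byte 802.11 management header and the 2-byte reason code are decoded.
"""
import struct
from collections import defaultdict

TYPE_MGMT = 0           # frame-control type 0 = management
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12     # the subtype value the chapter quotes for a deauth frame
PROTECTED_FLAG = 0x40   # "Protected Frame" bit in the second frame-control byte (802.11w PMF)


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_mgmt_header(frame):
    """Decode one 802.11 frame: type, subtype, protected bit, addresses and reason code."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 802.11 management header")
    fc0, fc1 = frame[0], frame[1]
    info = {
        "type": (fc0 >> 2) & 0x3,        # bits 2-3 of the first frame-control byte
        "subtype": (fc0 >> 4) & 0xF,     # bits 4-7 of the first frame-control byte
        "protected": bool(fc1 & PROTECTED_FLAG),
        "dst": mac_str(frame[4:10]),     # addr1
        "src": mac_str(frame[10:16]),    # addr2
        "bssid": mac_str(frame[16:22]),  # addr3
        "reason": None,
    }
    is_deauth = info["type"] == TYPE_MGMT and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
    if is_deauth and not info["protected"] and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]   # little-endian reason code
    return info


def build_mgmt_frame(subtype, dst, src, bssid, reason=7, protected=False):
    """Construct a minimal management frame; used only to build the sample capture."""
    fc0 = (subtype << 4) | (TYPE_MGMT << 2)
    fc1 = PROTECTED_FLAG if protected else 0
    frame = bytes([fc0, fc1]) + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + b"\x00\x00"
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        frame += struct.pack("<H", reason)
    return frame


def detect_deauth_flood(frames, window_s=1.0, threshold=5, pmf_bssids=frozenset()):
    """frames: iterable of (timestamp_seconds, raw_frame). Returns a list of alert dicts.

    Two signals: at least `threshold` unprotected deauth/disassoc frames from one
    source inside `window_s`, and any unprotected deauth on a BSS known to require
    802.11w (the real AP would have protected it, so it must be forged).
    """
    recent = defaultdict(list)   # source MAC -> timestamps inside the sliding window
    flagged = set()
    alerts = []
    for ts, raw in frames:
        info = parse_mgmt_header(raw)
        if info["type"] != TYPE_MGMT or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        if info["protected"]:
            continue   # integrity-protected with the session keys, which a forger does not hold
        if info["bssid"] in pmf_bssids:
            alerts.append({"kind": "unprotected_deauth_on_pmf_bss", "src": info["src"],
                           "dst": info["dst"], "reason": info["reason"], "ts": ts})
        bucket = recent[info["src"]]
        bucket.append(ts)
        while ts - bucket[0] > window_s:
            bucket.pop(0)
        if len(bucket) >= threshold and info["src"] not in flagged:
            flagged.add(info["src"])
            alerts.append({"kind": "deauth_flood", "src": info["src"], "count": len(bucket), "ts": ts})
    return alerts


# Constructed capture: a forger using the AP's address sends 8 deauths in 0.8 s,
# then the real AP sends one PMF-protected deauth, then a beacon.
AP = "00:11:22:33:44:01"        # legitimate AP (constructed)
CLIENT = "66:77:88:99:aa:bb"     # targeted client (constructed)
SAMPLE_CAPTURE = [(i * 0.1, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP)) for i in range(8)]
SAMPLE_CAPTURE.append((5.0, build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, AP, AP, reason=3, protected=True)))
SAMPLE_CAPTURE.append((5.1, build_mgmt_frame(SUBTYPE_BEACON, "ff:ff:ff:ff:ff:ff", AP, AP)))

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_CAPTURE, pmf_bssids={AP}):
        print(alert)
```

The threshold of 5 frames per second sits at the top of the "1-5 deauth packets per second" range the chapter gives, so a single legitimate disconnect never trips it while a sustained forge does. The PMF check is the stronger signal where 802.11w is deployed: once a BSS requires protected management frames, any plaintext deauth claiming to come from it is by definition spoofed, which is why the chapter lists 802.11w as the mitigation for this step.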

Edge cases:

If the legitimate AP uses WPA2-Enterprise and clients validate server certificates, an evil twin with a self-signed certificate will be rejected. However, if clients do not validate (common in BYOD), the attack works.

In WPA3 Transition Mode, clients using WPA2 are vulnerable to evil twin.

A rogue AP that uses the same MAC as a legitimate AP will cause a conflict and may be detected by duplicate MAC alerts.

To eliminate wrong answers, focus on the underlying mechanism: evil twin exploits the lack of mutual authentication in WPA2-PSK and open networks. If the answer mentions "mutual authentication" or "certificate validation," it is likely correct for mitigation. If it says "use WPA2" without further detail, it is likely wrong.

Key Takeaways

Evil twin attacks exploit the lack of mutual authentication in WPA2-PSK and open networks.

The primary tool for creating an evil twin is airbase-ng from the aircrack-ng suite.

Deauthentication frames (management frames) are used to force clients off the legitimate AP.

WPA3 SAE and 802.1X with EAP-TLS provide mutual authentication and resist evil twin attacks.

WIPS (Wireless Intrusion Prevention Systems) detect rogue APs by monitoring beacon frames and switch ports.

Client-side mitigations include using a VPN, disabling auto-connect, and validating server certificates.

The default beacon interval is 100 ms; attackers should match this to avoid detection.

KARMA/MANA attacks respond to probe requests for any SSID, enabling connection to previously used networks.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Evil Twin Attack

Impersonates a legitimate SSID to trick clients into connecting.

Typically uses a stronger signal to attract clients.

Often involves deauth attacks to force client migration.

Main goal is man-in-the-middle or credential harvesting.

Detected by comparing AP fingerprints or SSID anomalies.

Rogue AP Attack

An unauthorized AP connected to the wired network, often with a different SSID.

May not impersonate any SSID; could be a personal hotspot.

No deauth needed; clients may connect if they find the SSID attractive.

Main goal is to bypass network security and gain access to internal resources.

Detected by WIPS via RF monitoring and switch port correlation.

Watch Out for These

Mistake

An evil twin attack requires the attacker to know the WPA2 passphrase.

Correct

The attacker can set up an evil twin with no encryption (open network) or with WPA2-PSK using a known passphrase (e.g., if the passphrase is publicly shared). The attack works because clients will connect to any AP with the same SSID, regardless of encryption. If the legitimate network uses WPA2, the client will try to connect with the stored passphrase, but if the evil twin is open, the client may still connect if it is configured to auto-connect to open networks. Alternatively, the attacker can capture the WPA2 handshake and crack the passphrase offline.

Mistake

Deauthentication attacks are necessary for an evil twin to succeed.

Correct

Deauth attacks accelerate the process by forcing clients to disconnect from the legitimate AP, but they are not required. If the evil twin's signal is significantly stronger, clients may automatically roam to it when they attempt to reconnect after a normal disconnection. Additionally, if a client is probing for the SSID (e.g., after waking from sleep), the evil twin can respond first.

Mistake

WPA2 encryption protects against evil twin attacks.

Correct

WPA2-PSK only encrypts the data between the client and AP, but it does not authenticate the AP to the client. The client assumes any AP with the correct passphrase is legitimate. An attacker who knows the passphrase (or sets up an open network) can create a valid evil twin. Only mutual authentication (e.g., WPA3 SAE or EAP-TLS) prevents evil twin attacks.

Mistake

A rogue AP is the same as an evil twin.

Correct

A rogue AP is any unauthorized access point connected to the network, regardless of its SSID. An evil twin is a specific type of rogue AP that impersonates a legitimate SSID. All evil twins are rogue APs, but not all rogue APs are evil twins. For example, an employee plugging a personal router with a different SSID is a rogue AP but not an evil twin.

Mistake

Evil twin attacks are only effective against open networks.

Correct

Evil twin attacks are effective against any network where the client trusts the SSID without verifying the AP's identity. This includes WPA2-PSK networks (if the passphrase is known) and even some WPA2-Enterprise networks if clients do not validate the server certificate. WPA3 SAE is resistant because it provides mutual authentication.


Frequently Asked Questions

What is the difference between an evil twin and a rogue AP?

An evil twin is a rogue AP that specifically impersonates a legitimate SSID to trick clients into connecting. A rogue AP is any unauthorized wireless access point connected to a network, regardless of its SSID. For example, an employee plugging a personal router into the corporate network creates a rogue AP, but it is not an evil twin unless it uses the same SSID as the corporate network. The exam tests this distinction: all evil twins are rogue APs, but not all rogue APs are evil twins.

What tools are used for evil twin attacks?

The most common tool is airbase-ng from the aircrack-ng suite. It creates a fake AP with a specified SSID and channel. Other tools include mdk4 for deauth attacks, WiFiPhisher and Fluxion for automated captive portal phishing, and hostapd for setting up a legitimate-looking AP. For traffic interception, attackers use Wireshark, tcpdump, sslstrip, or mitmproxy. The exam expects you to know airbase-ng and aireplay-ng specifically.

Can WPA2 prevent evil twin attacks?

No. WPA2-PSK only encrypts data and authenticates the client to the AP, but not the AP to the client. If an attacker knows the passphrase (e.g., it is shared publicly or cracked), they can set up an evil twin. Clients will connect because they trust any AP with the correct passphrase. Only mutual authentication, such as WPA3 SAE or 802.1X with EAP-TLS, prevents evil twin attacks by requiring the AP to prove its identity.

How do you defend against evil twin attacks?

Defenses include: (1) Using WPA3 or 802.1X with EAP-TLS for mutual authentication. (2) Deploying a WIPS to detect and block evil twins. (3) Configuring clients to validate server certificates. (4) Educating users to avoid connecting to open or untrusted networks. (5) Using a VPN to encrypt all traffic. (6) Disabling automatic connection to Wi-Fi networks. The exam emphasizes 802.1X and WIPS as enterprise solutions.

What is a deauthentication attack and how is it used in evil twin?

A deauthentication attack sends forged deauth frames to disconnect clients from an AP. These frames are management frames and are not encrypted, so they can be easily spoofed. In an evil twin attack, the attacker sends deauth packets to clients connected to the legitimate AP, forcing them to disconnect. When the clients try to reconnect, they see the evil twin with a stronger signal and connect to it instead. Tools like aireplay-ng or mdk4 are used for this.

What is a KARMA attack?

KARMA (KARMA Attacks Radioed Machines Automatically) is a technique where an attacker's device responds to any probe request from a client. When a client sends a probe request for an SSID it has previously connected to, the attacker's AP responds with a beacon for that SSID, tricking the client into connecting. This works even if the client is not actively looking for a specific network. The modern version is MANA. The exam may ask about this as an advanced evil twin technique.

How does a WIPS detect rogue APs?

A WIPS (Wireless Intrusion Prevention System) uses sensors to monitor the RF spectrum. It detects rogue APs by: (1) Comparing detected SSIDs against an approved list. (2) Analyzing beacon frames for anomalies (e.g., different supported rates, vendor OUI mismatches). (3) Correlating wireless signals with wired network information via SNMP to find the switch port where the rogue AP is connected. Once detected, the WIPS can block the rogue AP by sending deauth packets or disabling the switch port.

