During a penetration test, an ethical hacker sets up a rogue access point with the same SSID as the corporate network and broadcasts a stronger signal. Users inadvertently connect to the rogue AP, allowing the hacker to capture credentials. What is this attack called?
This is the correct term for a rogue AP impersonating a legitimate one.
Why this answer
The correct answer is C, Evil twin attack. This attack involves setting up a rogue access point that broadcasts the same SSID as a legitimate corporate network but with a stronger signal, causing users to connect to it instead. Once connected, the attacker can capture credentials or other sensitive data through man-in-the-middle techniques, exploiting the lack of mutual authentication in many Wi-Fi implementations.
Exam trap
The trap here is that candidates confuse 'Evil twin' with 'Karma attack' because both involve rogue APs. A Karma attack specifically targets probe requests to impersonate any SSID the client has previously trusted, whereas an evil twin broadcasts a specific SSID to mimic a known network.
How to eliminate wrong answers
Option A is wrong because a deauthentication attack specifically sends deauth frames (management frames) to disconnect clients from an access point, often used to force reconnection for capturing handshakes, not to set up a rogue AP with the same SSID.
Option B is wrong because ARP spoofing (or ARP poisoning) operates at Layer 2 by sending forged ARP replies to associate the attacker's MAC address with the IP of a legitimate host, typically on a wired or bridged network, not by broadcasting a rogue wireless SSID.
Option D is wrong because a Karma attack is a specific type of evil twin that responds to probe requests from clients by impersonating any SSID the client has previously connected to, rather than broadcasting a single corporate SSID with a stronger signal.