Tutorial: Setting up an “Evil Twin” Access Point

August 27, 2015 | Views: 8328

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Hello and welcome to this tutorial,

This time, we’re going to setup an ”Evil Twin.” Basically, an Evil Twin works to copy another access point and fool your target into connecting to it. However, people aren’t oblivious and will choose the wireless with a strongest connection. We can and, we will, fix that in this guide.

We’ll cover setting up the access point. We’ll see what can we do to make the wireless signal stronger than the actual owner of the “real” access point? We’re going to disconnect our targets from the actual access point and attempt to have them connect to ours.

Why are we setting up a fake access point? The main reason for those kinds of attacks is to receive the needed information for our targets. This can be done when performing a MITM – “Man in the Middle.” MITM is used to intercept example conversations and to receive personal information, including emails, usernames, passwords etc.

Let’s start…

Now, the part you’ve been waiting for: let’s open up our terminal and type “iwconfig” or “ifconfig”  – both work. Please note: your wireless card has to be operational, else this won’t work.

If it’s not operational, it will say “No wireless extension” – but look after eth0, wlan0 etc.

If your interface is wlan0, let’s type: “airmon-ng start wlan0”. We’ve enabled monitor mode and are ready for the actual performance.

it should say: “monitor mode enabled on interface”

We want to find the wireless access point of the target by capturing the traffic. Now, we’re going to type:

“airodump-ng mon0”

You see bunch of wireless access points, name, bssid – you name it. Just leave it running for about a minute.

Let’s say our target wireless name (SSID) is “Kevin netgear” and BSSID is “80:37:73:FD:83:D6” channel 6. It’s now time to create the “evil twin” by typing:

Airbase-ng –a (bssid) –-essid (wireless name) –c (channel) (interface)

It should look like this:

airbase-ng –a 80:37:73:FD:83:D6 –essid Kevin netgear –c 6 mon0

Time to time, a problem can appear when doing this. This can be fixed just by typing:

Airbase-ng –-essid Kevin netgear mon0

We have the evil twin set up. We want the users on that wireless to connect to our fake access point. How we do that is simple. We use aireplay-ng to bump them off the wireless.

Simply type:

aireplay-ng –deauth 0 –a 80:37:73:FD:83:D6 mon0 –ignore-negative-one

This will disconnect all the users on that wireless point. While the attack is running, they cannot connect to it.

Please note: the target will try to reconnect to that wireless. The target should be connecting to ours when done the last steps. We simply keep sending deauths until the target connects to ours.

But, before the target will want to connect to our access point, it will have to show a higher signal than the real one. This can be done by getting wireless card to transmit more power. Type in your terminal:  

iwconfig wlan0 txpower27

This means that the actual transmission power is at 27 in dBm. A problem here can be some cards cannot transmit a high power and others can. If you’re unsure about this, you can change 27 to 30 and see the point. By changing the regulatory domain to Bolivia, for example, we can overcome the power limitation. Type:

iq reg set BO

Then, you should be able to transmit a higher power at 30. Now, type again:

iwconfig wlan0 txpower 30

This pastebin will show how to give internet access to your evil twin: Thanks to kalitutorials for sharing how to give internet access to AP.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. is it possible to give a name to the fake one ( Free Facebook : ON ) , and then redirect the clients who conect to the fake one to a fake page like facebook then get their credentials ?

  2. Glad that you all like this share. Hope that everyone can use this and hopefully also perfectly execute. Else pm me in advance if any problems.

    Best regards, Kevin Mark.

  3. Is there a follow-up article to this? Like what to do after you’ve got connection to the evil twin? How to capture data, emails, etc.?

  4. cool to know.

Page 2 of 2«12
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?