Home 0P3N Blog Tutorial: Setting up an "Evil Twin" Access Point
Ready to Start Your Career?
Create Free Account
Kevin Marks profile image
By: Kevin Mark
August 27, 2015

Tutorial: Setting up an "Evil Twin" Access Point

By: Kevin Mark
August 27, 2015
Kevin Marks profile image
By: Kevin Mark
August 27, 2015

Tutorial: Setting up an "Evil Twin" Access Point

Hello and welcome to this tutorial,

This time, we're going to setup an ”Evil Twin.” Basically, an Evil Twin works to copy another access point and fool your target into connecting to it. However, people aren’t oblivious and will choose the wireless with a strongest connection. We can and, we will, fix that in this guide.

We'll cover setting up the access point. We'll see what can we do to make the wireless signal stronger than the actual owner of the “real” access point? We're going to disconnect our targets from the actual access point and attempt to have them connect to ours.

Why are we setting up a fake access point? The main reason for those kinds of attacks is to receive the needed information for our targets. This can be done when performing a MITM - “Man in the Middle.” MITM is used to intercept example conversations and to receive personal information, including emails, usernames, passwords etc.

Let's start...

Now, the part you've been waiting for: let’s open up our terminal and type “iwconfig” or “ifconfig”  - both work. Please note: your wireless card has to be operational, else this won't work.

If it’s not operational, it will say “No wireless extension” - but look after eth0, wlan0 etc.

If your interface is wlan0, let's type: “airmon-ng start wlan0”. We've enabled monitor mode and are ready for the actual performance.

it should say: “monitor mode enabled on interface”

We want to find the wireless access point of the target by capturing the traffic. Now, we're going to type:

“airodump-ng mon0”

You see bunch of wireless access points, name, bssid - you name it. Just leave it running for about a minute.

Let’s say our target wireless name (SSID) is “Kevin netgear” and BSSID is “80:37:73:FD:83:D6” channel 6. It’s now time to create the "evil twin" by typing:

Airbase-ng –a (bssid) –-essid (wireless name) –c (channel) (interface)

It should look like this:

airbase-ng –a 80:37:73:FD:83:D6 –essid Kevin netgear –c 6 mon0

Time to time, a problem can appear when doing this. This can be fixed just by typing:

Airbase-ng –-essid Kevin netgear mon0

We have the evil twin set up. We want the users on that wireless to connect to our fake access point. How we do that is simple. We use aireplay-ng to bump them off the wireless.

Simply type:

aireplay-ng --deauth 0 –a 80:37:73:FD:83:D6 mon0 –ignore-negative-one

This will disconnect all the users on that wireless point. While the attack is running, they cannot connect to it.

Please note: the target will try to reconnect to that wireless. The target should be connecting to ours when done the last steps. We simply keep sending deauths until the target connects to ours.

But, before the target will want to connect to our access point, it will have to show a higher signal than the real one. This can be done by getting wireless card to transmit more power. Type in your terminal:  

iwconfig wlan0 txpower27

This means that the actual transmission power is at 27 in dBm. A problem here can be some cards cannot transmit a high power and others can. If you're unsure about this, you can change 27 to 30 and see the point. By changing the regulatory domain to Bolivia, for example, we can overcome the power limitation. Type:

iq reg set BO

Then, you should be able to transmit a higher power at 30. Now, type again:

iwconfig wlan0 txpower 30


This pastebin will show how to give internet access to your evil twin: Thanks to kalitutorials for sharing how to give internet access to AP.

Schedule Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry