Public WiFi networks at airports, coffee shops, hotels, and conference centers are a goldmine for attackers. The evil twin attack is one of the most effective techniques in wireless hacking — it creates a counterfeit WiFi network that looks identical to a legitimate one, silently capturing credentials, cookies, and unencrypted traffic from every device that connects.
How an Evil Twin Attack Works
The attack has four distinct phases:
Phase 1: Reconnaissance
The attacker uses a wireless adapter in monitor mode to passively capture beacon frames broadcast by nearby access points. Each beacon contains the network’s SSID (name), BSSID (MAC address), supported security protocols, and signal strength. Tools like airodump-ng capture this information:
```bash
airmon-ng start wlan0      # Enable monitor mode
airodump-ng wlan0mon       # Capture nearby APs and clients
```
The attacker identifies the target network — say, “AirportFreeWifi” — and notes its channel, BSSID, and which clients are connected.
Phase 2: Creating the Rogue AP
The attacker creates an access point with the same SSID as the target. hostapd or airbase-ng are commonly used:
```bash
# Using airbase-ng to create a rogue AP on the same channel
airbase-ng -e "AirportFreeWifi" -c 6 wlan0mon
```
The rogue AP doesn’t need to know the WiFi password — it typically operates as an open network (no encryption). When victims connect to an open evil twin, all their traffic is visible in plaintext to the attacker.
The attacker also sets up a network bridge between the rogue AP and their internet connection (mobile hotspot or another WiFi adapter), so victims get real internet access and don’t notice anything wrong.
Phase 3: Deauthentication Attack
If victims are already connected to the legitimate AP, the attacker sends 802.11 deauthentication frames spoofed from the legitimate AP’s BSSID. These management frames tell clients their connection has ended:
```bash
aireplay-ng --deauth 0 -a [legitimate-AP-BSSID] wlan0mon
```
The --deauth 0 sends deauth frames continuously. Clients disconnect and automatically attempt to reconnect. Because the evil twin has a stronger signal (the attacker is physically closer to the victim), clients often connect to the rogue AP instead of the legitimate one.
Note: WPA3’s Protected Management Frames (PMF, 802.11w) make deauthentication attacks significantly harder by requiring that management frames be authenticated, so a spoofed deauth frame is discarded by the client.
Phase 4: Traffic Interception and Credential Theft
Once connected, all the victim’s unencrypted traffic flows through the attacker’s device. The attacker runs tools like Wireshark, ettercap, or bettercap to:
- Read plaintext HTTP traffic
- Strip HTTPS via SSLstrip (downgrade HTTPS to HTTP for sites without HSTS)
- Inject malicious content into unencrypted pages
Captive Portal Credential Theft
Many evil twin setups use a captive portal — a fake login page that appears when you connect, mimicking the hotel/airport/coffee shop’s legitimate WiFi login page. The attacker uses hostapd-wpe (WPE = Wireless Pwnage Edition) or tools like Wifiphisher to:
- Present a convincing login page asking for an email, password, or corporate credentials
- Capture submitted credentials
- Display an error and then let the user connect normally, so they don’t get suspicious
WPA2 Enterprise RADIUS Spoofing
In corporate environments using WPA2 Enterprise (802.1X authentication), the attack becomes more sophisticated. Standard WPA2 Enterprise requires users to present credentials to a RADIUS server. An evil twin targeting WPA2 Enterprise:
- Sets up a rogue RADIUS server
- Broadcasts the same enterprise SSID
- When clients connect, initiates PEAP or EAP-TTLS authentication
- GTC Downgrade: The attacker’s server negotiates EAP-GTC (Generic Token Card) instead of the more common EAP-MSCHAPv2. EAP-GTC sends credentials in plaintext to the RADIUS server — which the attacker captures directly.
hostapd-wpe automates this attack and has captured corporate Active Directory credentials in real penetration testing scenarios.
Detection Methods
Wireless Intrusion Detection Systems (WIDS)
Enterprise-grade WIDS products (Cisco Adaptive Wireless IPS, Aruba RFProtect, Fortinet FortiWLAN) monitor the RF environment for rogue APs by detecting:
- Same SSID broadcast from an unexpected BSSID
- APs not in the authorized AP list
- Unusual deauthentication frame floods
- Channel inconsistencies (legitimate AP on channel 6, rogue with the same SSID on channel 11)
802.11 Management Frame Monitoring
A dedicated monitoring radio can capture all beacon and management frames in the area. Legitimate APs have consistent BSSIDs (tied to hardware MAC addresses). An evil twin will have a different BSSID even if the SSID matches.
You can do a rudimentary check with:
```bash
# On Linux with wireless tools
iwlist wlan0 scan | grep -E "ESSID|Address|Quality"
# Look for duplicate SSIDs with different BSSIDs
```
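The duplicate-SSID check can be automated. This is an added example, not code from the original article: it parses `iwlist` scan output (a constructed sample is embedded, not a real capture) and applies the indicators listed in the detection section, using a hypothetical allowlist of authorized BSSIDs per SSID.

```python
import re
from collections import defaultdict

# Constructed `iwlist wlan0 scan` output (not a real capture): the legitimate
# "AirportFreeWifi" on channel 6 and an open, louder twin on channel 11.
SAMPLE_SCAN = """\
          Cell 01 - Address: 00:11:22:33:44:01
                    Channel:6
                    Encryption key:on
                    ESSID:"AirportFreeWifi"
          Cell 02 - Address: DE:AD:BE:EF:00:01
                    Channel:11
                    Encryption key:off
                    ESSID:"AirportFreeWifi"
"""

# Hypothetical allowlist: the BSSIDs the operator knows to be legitimate per SSID.
AUTHORIZED = {"AirportFreeWifi": {"00:11:22:33:44:01"}}

def parse_iwlist(text):
    # Each "Cell NN - ..." block of iwlist output becomes one dict.
    cells = []
    for block in re.split(r"Cell \d+ - ", text)[1:]:
        bssid = re.match(r"Address: (\S+)", block)
        chan = re.search(r"Channel:(\d+)", block)
        enc = re.search(r"Encryption key:(on|off)", block)
        ssid = re.search(r'ESSID:"([^"]*)"', block)
        if bssid and ssid:
            cells.append({"bssid": bssid.group(1).upper(), "ssid": ssid.group(1),
                          "channel": int(chan.group(1)) if chan else None,
                          "encrypted": (enc.group(1) == "on") if enc else None})
    return cells

def find_evil_twins(cells, authorized):
    # Three indicators: unknown BSSID for a known SSID, an open cell next to an
    # encrypted one, and a single SSID spread across channels.
    findings = []
    by_ssid = defaultdict(list)
    for c in cells:
        by_ssid[c["ssid"]].append(c)
    for ssid, group in by_ssid.items():
        for c in group:
            if ssid in authorized and c["bssid"] not in authorized[ssid]:
                findings.append(f"{ssid}: unauthorized BSSID {c['bssid']} on channel {c['channel']}")
        if len({c["encrypted"] for c in group}) > 1:
            findings.append(f"{ssid}: mixed open and encrypted cells (likely open twin)")
        if len({c["channel"] for c in group}) > 1:
            findings.append(f"{ssid}: same SSID on several channels")
    return findings
```

Feed it the real output of `iwlist wlan0 scan` in place of the sample and populate the allowlist from your site survey; with only the legitimate cell present it returns no findings.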
Client-Side Detection
Some devices and endpoint security tools detect when a previously known WiFi network is broadcast with different characteristics (different BSSID, different security type, weaker encryption). Windows 11’s “WiFi Sense” and macOS display warnings in some scenarios.
Defenses
Use a VPN on All Public Networks
A VPN encrypts all traffic between your device and the VPN server before it leaves your device. Even if you’re connected to an evil twin, the attacker sees only encrypted tunneled traffic — not the contents. This is the single most effective defense for individual users.
Choose a reputable VPN provider that supports WireGuard or OpenVPN. Split-tunnel configurations should be avoided on untrusted networks — force all traffic through the tunnel.
WPA3 and Protected Management Frames
WPA3 makes evil twin attacks harder in several ways:
- SAE (Simultaneous Authentication of Equals) replaces PSK handshakes, providing forward secrecy and resistance to offline brute force
- Protected Management Frames (PMF) are mandatory, preventing deauthentication spoofing
- WPA3 Enterprise 192-bit mode provides stronger RADIUS authentication with server certificate validation enforced
802.1X Client Certificates
For enterprise environments, deploy mutual TLS authentication — both the client and the RADIUS server must present valid certificates. The client won’t connect unless the server’s certificate is signed by the organization’s internal CA. An attacker’s rogue RADIUS server cannot present a valid certificate, so clients refuse to connect.
Configure supplicants (Windows, macOS, mobile devices) to:
- Validate the RADIUS server certificate
- Only accept certificates from your internal CA
- Alert and refuse if the certificate is invalid or mismatched
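Those three requirements, written out for the Linux wpa_supplicant as an added example (not the article’s own configuration): the SSID “CorpWiFi”, the file paths and the RADIUS hostname are placeholders for your own environment. Pinning the inner method also closes the EAP-GTC downgrade described above.

```conf
# Hardened PEAP/MSCHAPv2 block. Without ca_cert and domain_match the
# supplicant accepts any server certificate, which is exactly what a rogue
# RADIUS server relies on; without phase2 the server may steer the client
# to EAP-GTC and receive the password inside the tunnel it terminates.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    # 2 = Protected Management Frames required (spoofed deauth frames are dropped)
    ieee80211w=2
    eap=PEAP
    identity="jdoe"
    # Outer identity travels in the clear before the TLS tunnel exists
    anonymous_identity="anonymous"
    password="<user-password>"
    # Trust only the organization's internal CA (placeholder path)
    ca_cert="/etc/wpa_supplicant/corp-internal-ca.pem"
    # The server certificate must carry exactly this name (placeholder)
    domain_match="radius.corp.example"
    # Pin the inner method so a server proposing EAP-GTC is refused
    phase2="auth=MSCHAPV2"
}

# Mutual TLS (EAP-TLS): no password to harvest at all, and the rogue server
# still has to present a certificate chaining to the internal CA.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/wpa_supplicant/corp-internal-ca.pem"
    domain_match="radius.corp.example"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
    private_key_passwd="<key-passphrase>"
}
```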
General Best Practices
| Practice | Benefit |
|---|---|
| Use cellular data instead of public WiFi | Eliminates evil twin exposure entirely |
| Verify network names before connecting | Spot subtle typos (AirportWifi vs AirportFreeWifi) |
| Disable auto-connect for public networks | Prevents automatic reconnection to evil twins |
| Use HTTPS everywhere (browser extension) | Forces TLS even if redirected |
| Trust only expected SSIDs from expected BSSIDs | Catches a same-SSID twin by its different BSSID (WIDS or manual checks) |
Evil twin attacks require physical proximity, but “physical proximity” at an airport or convention center means thousands of potential victims. Understanding how these attacks work helps you recognize when something is wrong — and why that VPN is worth running even when the free WiFi seems perfectly fine.