Evil Twin Attack Setup
Creating fraudulent wireless access points mimicking legitimate networks to intercept traffic and capture credentials.
An evil twin attack creates a fraudulent wireless access point that mimics a legitimate network to intercept traffic, capture credentials, or deliver malware. The rogue access point broadcasts the same SSID as the target network, tricking clients into connecting to the attacker-controlled infrastructure instead of the legitimate access point.
The attacker uses tools like hostapd and dnsmasq to set up an access point that clones the target network's SSID, BSSID characteristics, and encryption settings. For WPA2-Enterprise networks, the evil twin runs a RADIUS server (using tools like eaphammer or hostapd-mana) that accepts any credentials, capturing usernames and password hashes. The attacker may use deauthentication frames to force clients off the legitimate network, causing them to automatically reconnect to the evil twin, whose signal is stronger. For captive portal attacks against open networks, the evil twin presents a convincing login page that harvests credentials. All traffic through the evil twin can be intercepted, modified, or redirected, enabling credential theft, session hijacking, and malware injection.
Evil twin attacks exploit the fundamental trust model of wireless networking, in which clients automatically connect to known SSIDs. WPA2-Enterprise credential capture is particularly dangerous because the captured credentials are typically the users' Active Directory credentials. The attack is effective in high-traffic areas like conference rooms, lobbies, and public spaces where multiple networks compete for client connections.
CDA addresses evil twin attacks within the VSD and IAT domains. Theater missions include evil twin deployment and detection exercises. Our training emphasizes both the offensive setup and the defensive countermeasures including 802.1X certificate validation, wireless IDS deployment, and client configuration hardening.
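The detection side of the exercise can be illustrated with a small wireless-IDS style check. The following is an added example, not code from CDA or from any of the tools named above; it assumes a constructed inventory of authorized access points (SSID, BSSID, expected security mode) and a constructed list of observed beacon and deauthentication frames, and it flags the two indicators described above: a known SSID advertised by a BSSID that is not in the inventory, or advertised with a different security mode than expected (for example an open clone of a WPA2-Enterprise network), and a burst of deauthentication frames claiming to come from a legitimate BSSID.

```python
"""Toy wireless-IDS logic for evil-twin indicators (added example, not CDA code).

Inputs are constructed: a static inventory of authorized APs and a list of
observed 802.11 management frames summarized as Frame records.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory of authorized APs: SSID -> {BSSID: expected security mode}.
AUTHORIZED = {
    "CorpWiFi": {"aa:bb:cc:00:00:01": "WPA2-EAP", "aa:bb:cc:00:00:02": "WPA2-EAP"},
    "CorpGuest": {"aa:bb:cc:00:00:03": "OPEN"},
}


@dataclass(frozen=True)
class Frame:
    kind: str                       # "beacon" or "deauth"
    bssid: str                      # transmitter / claimed source address
    ts: float                       # capture timestamp in seconds
    ssid: Optional[str] = None      # beacons only
    security: Optional[str] = None  # beacons only: "OPEN", "WPA2-PSK", "WPA2-EAP", ...
    rssi: int = 0                   # signal strength as seen by the sensor (dBm)


def check_beacons(frames: List[Frame]) -> List[str]:
    """Flag beacons that advertise one of our SSIDs from an unknown BSSID, or
    from a known BSSID with a security mode that differs from the inventory."""
    alerts = []
    seen = set()
    for f in frames:
        if f.kind != "beacon" or f.ssid not in AUTHORIZED:
            continue  # not a beacon, or an SSID we do not own (neighbor networks)
        if (f.ssid, f.bssid) in seen:
            continue  # report each (SSID, BSSID) pair once
        seen.add((f.ssid, f.bssid))
        expected = AUTHORIZED[f.ssid].get(f.bssid)
        if expected is None:
            alerts.append(f"UNKNOWN_BSSID ssid={f.ssid} bssid={f.bssid} "
                          f"security={f.security} rssi={f.rssi}")
        elif f.security != expected:
            alerts.append(f"SECURITY_MISMATCH ssid={f.ssid} bssid={f.bssid} "
                          f"expected={expected} observed={f.security}")
    return alerts


def check_deauth_bursts(frames: List[Frame], window_s: float = 2.0,
                        threshold: int = 20) -> List[str]:
    """Flag a source BSSID that emits at least `threshold` deauth frames within
    any `window_s` second sliding window. Spoofed deauths carry the legitimate
    AP's address, so the alert names the BSSID being impersonated."""
    alerts = []
    recent = defaultdict(list)  # bssid -> timestamps inside the current window
    flagged = set()
    for f in sorted((x for x in frames if x.kind == "deauth"), key=lambda x: x.ts):
        q = recent[f.bssid]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:
            q.pop(0)  # drop timestamps that fell out of the window
        if len(q) >= threshold and f.bssid not in flagged:
            flagged.add(f.bssid)
            alerts.append(f"DEAUTH_BURST bssid={f.bssid} count={len(q)} window_s={window_s}")
    return alerts


def sample_frames() -> List[Frame]:
    """Constructed capture: two legitimate beacons, one clone from an unknown
    BSSID, one legitimate BSSID advertising the wrong security mode, a neighbor
    network, a 30-frame deauth burst spoofing the first corporate AP, and a
    single benign deauth from the guest AP."""
    frames = [
        Frame("beacon", "aa:bb:cc:00:00:01", 0.0, "CorpWiFi", "WPA2-EAP", -60),
        Frame("beacon", "aa:bb:cc:00:00:03", 0.1, "CorpGuest", "OPEN", -62),
        Frame("beacon", "de:ad:be:ef:00:01", 0.2, "CorpWiFi", "WPA2-EAP", -35),
        Frame("beacon", "aa:bb:cc:00:00:02", 0.3, "CorpWiFi", "OPEN", -70),
        Frame("beacon", "11:22:33:44:55:66", 0.4, "Neighbor", "WPA2-PSK", -80),
    ]
    frames += [Frame("deauth", "aa:bb:cc:00:00:01", 1.0 + i * 0.05) for i in range(30)]
    frames += [Frame("deauth", "aa:bb:cc:00:00:03", 5.0)]
    return frames


if __name__ == "__main__":
    for line in check_beacons(sample_frames()) + check_deauth_bursts(sample_frames()):
        print(line)
```

Both checks are deliberately inventory-driven: the clone that is caught is the one whose BSSID or security mode does not match what the organization knows it deployed. A twin that copies the BSSID and the security mode exactly will not trigger either rule, which is why the client-side controls listed above, 802.1X server certificate validation in particular, remain the stronger defense; the sensor view only narrows the window in which such a twin can operate unnoticed.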
Written by CDA Editorial