An Evil Twin attack is when an attacker:
- Creates a rogue access point
- Uses the same SSID as a legitimate network
- Tries to lure victims into connecting
- Captures credentials / performs MITM
Statistics
# Check communications (easy to triage victims)
Statistics → Conversations → IEEE 802.11
# List individual MACs
Statistics → Endpoints → IEEE 802.11
| Subtype (Hex) | Meaning | Why You Care |
|---|---|---|
| 0x00 | Association Request | Client trying to join AP |
| 0x01 | Association Response | AP accepting/rejecting |
| 0x02 | Reassociation Request | Client roaming |
| 0x03 | Reassociation Response | AP response |
| 0x04 | Probe Request | Client searching for SSID |
| 0x05 | Probe Response | AP answering |
| 0x08 | Beacon | AP advertising itself |
| 0x09 | ATIM | Rare (IBSS) |
| 0x0A | Disassociation | Graceful disconnect |
| 0x0B | Authentication | Auth phase (pre-association) |
| 0x0C | Deauthentication | Forced disconnect |
| 0x0D | Action | Advanced management (802.11n/ac/ax features) |
Filters
Beacon Frames (Access Points Advertising)
Rogue AP needs to advertise itself
wlan.fc.type_subtype == 0x08
Deauth
wlan.fc.type_subtype == 0x0c
# Broadcast Deauth Vector
wlan.fc.type_subtype == 0x0c && wlan.da == ff:ff:ff:ff:ff:ff
# Reason 7 = Class 3 frame received from nonassociated station
# If you see bursts, it's a red flag
wlan.fc.type_subtype == 0x0c && wlan.fixed.reason_code == 7
Encryption Differences
Inspect
- RSN Information
- WPA parameters
wlan.fc.type_subtype == 0x08 && wlan.ssid == "TARGET_WIFI"
Filter by MAC
wlan.addr == "TARGET_MAC"
Filter who connected to Evil-Twin
# Filter victim associations
wlan.fc.type_subtype == 0x00 && wlan.bssid == EVIL_MAC
(wlan.fc.type_subtype == 0x00 || wlan.fc.type_subtype == 0x01) && wlan.bssid == EVIL_MAC
# If WPA - handshake confirms attempted authentication (IOC)
eapol && wlan.bssid == EVIL_MAC
Spoofed AP / Evil Twin Indicator
# Deauth frames where transmitter != BSSID may indicate spoofed deauth
wlan.fc.type_subtype == 0x0c && wlan.ta != wlan.bssid
Wireless Interfaces
iwconfig
Airmon-NG
sudo airmon-ng start wlan0
Monitor Mode
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up
Airodump-ng
sudo airodump-ng -c 4 --essid TARGET_WIFI wlan0 -w raw
Indicators of an attack:
- Multiple BSSIDs with SAME SSID
- Different Encryption Settings (Legit = WPA2, Rogue = Open)
- Sudden Strong Signal Strength (Legit = -60 dBm, Rogue = -30 dBm)
- Channel Mismatch (Legit = Channel 4, Rogue = Channel 11)
Baseline Legitimate AP
- BSSID
- Channel
- Encryption
- Vendor OUI
- Beacon interval
Look for:
- Duplicate SSID
- Different OUI (vendor mismatch)
- Sudden appearance
- Open encryption
- High deauth activity
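As an added example (not part of the original cheat sheet), a small Python script that applies the baseline comparison above plus the deauth-burst and spoofed-deauth (wlan.ta != wlan.bssid) heuristics to decoded management frames. The frame records, MAC addresses, SSID and baseline values are constructed, and the dict field names are my own convention rather than Wireshark field names; in practice the records would come from a tshark/pyshark export of the capture.

```python
from collections import Counter
# Constructed sample of decoded 802.11 management frames; not from a real capture.
# Subtypes follow the table above: 0x08 = Beacon, 0x0C = Deauthentication.
FRAMES = [
    {"t": 0.0, "subtype": 0x08, "bssid": "aa:bb:cc:11:22:33", "ssid": "CorpWiFi", "rsn": True, "ch": 4},
    {"t": 0.1, "subtype": 0x08, "bssid": "aa:bb:cc:11:22:33", "ssid": "CorpWiFi", "rsn": True, "ch": 4},
    {"t": 5.0, "subtype": 0x08, "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi", "rsn": False, "ch": 11},
] + [  # six broadcast deauths within 0.6 s, transmitter != BSSID, reason code 7
    {"t": 5.1 + i * 0.1, "subtype": 0x0C, "bssid": "aa:bb:cc:11:22:33",
     "ta": "de:ad:be:ef:00:01", "da": "ff:ff:ff:ff:ff:ff", "reason": 7}
    for i in range(6)
]
# Baseline of the legitimate AP, recorded before the incident.
BASELINE = {"CorpWiFi": {"bssid": "aa:bb:cc:11:22:33", "ch": 4, "rsn": True}}

def rogue_beacons(frames, baseline):
    # Beacons for a baselined SSID from an unknown BSSID; one alert per rogue BSSID.
    alerts = {}
    for f in frames:
        if f["subtype"] != 0x08 or f["ssid"] not in baseline:
            continue
        known = baseline[f["ssid"]]
        if f["bssid"] == known["bssid"]:
            continue
        reasons = ["duplicate SSID"]
        if f["bssid"][:8] != known["bssid"][:8]:  # first three octets = vendor OUI
            reasons.append("vendor OUI mismatch")
        if f["ch"] != known["ch"]:
            reasons.append("channel mismatch")
        if known["rsn"] and not f["rsn"]:
            reasons.append("open encryption, baseline is RSN/WPA2")
        alerts[f["bssid"]] = reasons
    return alerts

def deauth_bursts(frames, window=1.0, threshold=5):
    # Count deauth frames per BSSID in fixed time buckets; report each BSSID
    # whose busiest bucket reaches the threshold, with that peak count.
    buckets = Counter((f["bssid"], int(f["t"] // window)) for f in frames if f["subtype"] == 0x0C)
    flagged = {}
    for (bssid, _), n in buckets.items():
        if n >= threshold:
            flagged[bssid] = max(n, flagged.get(bssid, 0))
    return flagged

def spoofed_deauths(frames):
    # Deauths whose transmitter address differs from the BSSID (wlan.ta != wlan.bssid).
    return [f for f in frames if f["subtype"] == 0x0C and f.get("ta") != f["bssid"]]
```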
Killchain
- Beacon (rogue AP appears)
- Deauthentication flood against legit AP
- Victim sends Probe Request
- Rogue responds
- Association Request to rogue
- Association Response
- EAPOL (if WPA)
- Data frames
Defense
- Enable IEEE 802.11w (Management Frame Protection) if possible
- Utilize WPA3-SAE
- Modify our WIDS/WIPS detection rules
EAPOL (4-way handshake)
| Message | Purpose |
|---|---|
| 1/4 | AP sends nonce (ANonce) |
| 2/4 | Client sends nonce (SNonce) |
| 3/4 | AP confirms keys |
| 4/4 | Client confirms |