
Evil Twin Attack Explained — How a Rogue AP Impersonates a Network with the Same SSID, and How to Defend

approx. 18 min · 2026-06-08

An Evil Twin attack stands up a rogue access point (rogue AP) that broadcasts the same SSID (network name) as a legitimate AP — usually with a stronger signal — to lure victims into connecting to the attacker instead of the real network. Once a client connects, the attacker becomes the man-in-the-middle (MITM): sniffing traffic, presenting a fake login page (a captive portal) to harvest credentials, and running DNS spoofing or sslstrip. The root cause is a design weakness: Wi-Fi clients identify an AP only by its SSID and auto-reconnect to remembered networks. This article covers the mechanism, the classic four-step chain, the two variant families, and defenses via WPA3 / 802.11w, server-certificate validation, VPNs, and WIDS/WIPS.

▸ For beginners — just these three first

The essence is three things. (1) An Evil Twin is "a fake Wi-Fi with the same name as the real one, set up to pull users onto it." Once pulled in, the attacker sits in the middle of the traffic. (2) Why it works: phones and PCs identify an AP only by its SSID (name), and they auto-reconnect to a name they have seen before. A same-named, stronger AP is trusted unconditionally. (3) Defense: never type your Wi-Fi password into a web page, use a VPN on unknown Wi-Fi, and (for enterprises) make server-certificate validation mandatory. Jamming or sniffing someone else's signals without permission violates Japan's Radio Act and Unauthorised Computer Access Act.

01

What an Evil Twin is — a rogue AP impersonating the same SSID #

An Evil Twin is a kind of rogue access point set up by an attacker, whose defining feature is that it claims the exact same SSID as a legitimate AP. It typically broadcasts with a stronger signal than the real AP, leading a victim's device to decide "this one has a stronger, smoother signal" and gravitate toward it.

The moment the victim connects to this fake AP, the attacker sits in the middle of the traffic as a man-in-the-middle (MITM). From there, the possibilities are broad.

  • Sniffing cleartext traffic
  • Presenting a captive portal (fake login page) to harvest email / passwords / the Wi-Fi PSK
  • DNS spoofing to redirect to fake sites
  • sslstrip to downgrade HTTPS to HTTP and steal the contents

▸ In plain terms — "a fake shop with the same name"

An Evil Twin is like "a fake shop that puts up the same sign as a popular store, in a more visible spot." Customers (devices) pick a shop by its sign (SSID) alone, so if the sign is identical and more prominent, they walk into the fake one. Once inside, the clerk (attacker) hears all the conversation (traffic) and makes them enter their PIN (password) at the register (the login page).

02

Why it works — the SSID-identification and auto-reconnect weaknesses #

The reason an Evil Twin works is simple: Wi-Fi's design itself has two weaknesses.

| Weakness | Detail |
| --- | --- |
| Identifies an AP only by SSID | On open / PSK (WPA2-Personal) networks, the client distinguishes an AP by its name (SSID) and does not demand any "cryptographic identity" from the AP. An AP with the same name is treated as the same network |
| Auto-reconnect to remembered SSIDs | Many devices remember an SSID once connected, and when a same-named signal appears nearby they auto-reconnect with no user action. If the attacker puts out a stronger signal, the device hops over to it |

In short, an "AP with the same name and a stronger signal" is trusted unconditionally by the device. This is the decisive strength of the Evil Twin, and also the reason a fake AP can be stood up without knowing the password (on open networks, or when the PSK is obtained / lured separately).

▸ The device habit of "picking the stronger signal" is exploited

Devices have a roaming behavior of basically "for the same SSID, pick the stronger signal (RSSI)." If the attacker puts a strong fake AP near the victim and then cuts them off the real AP with a Deauth (below), the device naturally gets drawn to the fake AP.

03

Legal and ethical considerations #

An Evil Twin combines acts that are each illegal on their own: "standing up a fake AP," "jamming someone else's signal (Deauth)," and "sniffing someone else's traffic." Operating a rogue AP and capturing others' traffic without permission can be a clearly illegal act under Japan's Radio Act and Unauthorised Computer Access Act (and their equivalents elsewhere).

  • Radio Act — jamming via Deauth falls under Article 109(2) (obstruction of radio communications). Broadcasting on the same SSID is also a problem if the purpose is to obstruct someone else's communications
  • Unauthorised Computer Access Act — harvesting someone's credentials via a captive portal and using them to log into a service constitutes an unauthorized-access act
  • Others — sniffing and impersonation can, depending on circumstances, escalate to fraud, obstruction of business, or violation of the secrecy of communications

▸ Targets you may experiment with

  • An environment self-contained with equipment you own and administer — your own AP, your own devices, an isolated lab where the signal does not leak outside
  • Targets you have explicit written permission for — a red-team / pentest contract where the scope (target SSID, period, physical area) is documented
  • Legitimate learning platforms — lab environments where Wi-Fi attack exercises are permitted

"Just trying it at a cafe or airport" is a crime the instant you do it. In public environments the odds of detection by WIDS / WIPS are high, and the social and legal cost of being identified is immeasurable. The eviction (Deauth) step is detailed in the related article Deauthentication Attack — see there for its legal standing too.

04

The attack chain — Recon → Deauth → fake AP → Captive Portal #

A typical Evil Twin proceeds in roughly four steps: a multi-stage chain that pries the victim off the real AP, gets them to switch to a same-named, same-channel fake AP, and finishes with a fake page.

1. Recon
Use airodump-ng to learn the target AP's SSID / BSSID / channel / connected clients. This is the prep needed to clone the fake AP to look just like the real one.
2. Deauth (forced disconnect)
Use aireplay-ng to disconnect clients from the real AP. See the related article Deauthentication Attack for details. A disconnected device is more likely to reconnect to the same-named, stronger fake AP.
3. Stand up the fake AP
Bring up a fake AP on the same SSID and same channel, using hostapd / airbase-ng, or a framework such as wifipumpkin3 / airgeddon / Fluxion / eaphammer.
4. Captive-portal phishing
Present a fake "router firmware update" / "re-enter your Wi-Fi password" page and have the PSK entered. The entered value is validated against a previously captured WPA handshake. Or simply MITM the now-connected victim.
Recon — check the target AP's SSID / BSSID / channel

    $ airodump-ng wlan0mon
    # lists nearby APs; identify the target's SSID / BSSID / CH / connected clients

Deauth — cut clients off the real AP (details in the deauth-attack article)

    $ aireplay-ng -0 0 -a <BSSID> wlan0mon
    # -0 0  send Deauth; 0 = unlimited count
    # -a    the BSSID of the legitimate AP to evict clients from

Fake AP — bring up a rogue AP with the same SSID and channel

    $ airbase-ng -e "FreeWiFi" -c 6 wlan0mon
    # -e  the SSID to impersonate (same name as the real one)
    # -c  the same channel number as the real AP

05

Variants — public-Wi-Fi impersonation / WPA-Enterprise credential theft #

Evil Twins come in two broad variant families, differing in the kind of credentials they target.

| Variant | Goal | Representative tools |
| --- | --- | --- |
| Open / captive-portal type (public-Wi-Fi impersonation) | Pose as "Free Airport WiFi" etc. and have the victim type email / passwords directly into a login page | wifipumpkin3 / airgeddon / Fluxion |
| WPA-Enterprise (802.1X) type | Impersonate the RADIUS / AP and capture EAP credentials (challenge/response hashes such as MSCHAPv2) to crack offline | eaphammer / hostapd-mana / hostapd-wpe |

1. Open / captive-portal type — public-Wi-Fi impersonation #

The pattern of posing as the "free Wi-Fi" common at airports, cafes, and hotels. When the victim connects to an SSID like "Free Airport WiFi," a fake login page appears and steals their email address or social-media password as they type it. Even when the site uses HTTPS, combining the attack with sslstrip can sometimes downgrade the connection to HTTP and read the cleartext (unless the site enforces HSTS, covered in the defense section).

2. WPA-Enterprise (802.1X) type — credential theft #

The pattern targeting WPA-Enterprise (802.1X), used on corporate Wi-Fi. A tool like eaphammer impersonates the legitimate RADIUS server / AP and captures the EAP credentials the client sends (for example, an MSCHAPv2 challenge/response hash). The captured hash is cracked offline and used for initial access into the internal network.

▸ The Enterprise type's opening is "clients that don't validate the server certificate"

The biggest factor in a WPA-Enterprise attack succeeding is that the client does not validate the RADIUS server's certificate (or is set to "always allow"). If the certificate were validated, the rogue RADIUS could not present the correct certificate and authentication would halt. Detailed in the defense section below.

06

Defense — WPA3 / 802.11w / server-certificate validation / VPN / WIPS #

Because an Evil Twin is a multi-stage attack of "stand up a fake AP," "pry off with Deauth," and "steal via a fake page," the defense is layered too.

| Countermeasure | Effect |
| --- | --- |
| WPA3 / 802.11w (PMF) | Protects management frames and neutralizes the forced disconnect via Deauth → makes it harder to trigger a switch to the fake AP (details in Deauthentication Attack) |
| Server-certificate validation (Enterprise) | Make RADIUS server-certificate validation mandatory on clients. A rogue RADIUS without the right certificate is rejected — the key defense in an 802.1X environment |
| Use a VPN | On untrusted Wi-Fi, run a VPN so traffic is encrypted between the device and the VPN server → a man-in-the-middle cannot read the contents |
| HSTS / TLS everywhere | If the site applies HSTS + TLS comprehensively, sslstrip is neutralized |
| WIDS / WIPS | Detect "multiple BSSIDs claiming the same SSID" and "unregistered rogue APs" (Aruba / Cisco / Meraki, etc.) and defend automatically |
| User education | Never type your Wi-Fi password into a web page. Be wary of open networks. Be suspicious of unfamiliar "re-login" prompts |

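The WIDS / WIPS row above and the SSID-only identification weakness from section 02 rest on the same observable: more than one BSSID advertising an SSID the site manages. The following is an added example, not code from the original article or from any vendor WIDS. It parses scan text in the style of `iw dev wlan0 scan` (the sample scan, the SSID "CorpWiFi", the BSSIDs, and the AP inventory are all constructed values) and flags a BSSID that claims a managed SSID without being in the inventory, noting when it is also open instead of RSN-protected or much stronger than the genuine APs.

```python
"""Added example, not from the original article: a minimal WIDS-style
Evil Twin check. It parses scan output in the style of `iw dev wlan0 scan`
(the sample below is constructed; "CorpWiFi", the BSSIDs and the inventory
are made-up values) and flags any BSSID that advertises a managed SSID but
is not in the site's AP inventory, noting when it is also open instead of
RSN-protected or much stronger than the real APs."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample scan: two genuine CorpWiFi APs (inventoried BSSIDs,
# RSN element present), one same-named open AP from an unknown BSSID with a
# far stronger signal, and an unrelated GuestNet AP.
SAMPLE_SCAN = """\
BSS aa:bb:cc:00:00:01(on wlan0)
\tfreq: 2437
\tsignal: -61.00 dBm
\tSSID: CorpWiFi
\tRSN:\t * Version: 1
BSS aa:bb:cc:00:00:02(on wlan0)
\tfreq: 5180
\tsignal: -70.00 dBm
\tSSID: CorpWiFi
\tRSN:\t * Version: 1
BSS de:ad:be:ef:00:01(on wlan0)
\tfreq: 2437
\tsignal: -35.00 dBm
\tSSID: CorpWiFi
BSS 11:22:33:44:55:66(on wlan0)
\tfreq: 2462
\tsignal: -80.00 dBm
\tSSID: GuestNet
"""

# Constructed AP inventory: SSID -> set of BSSIDs the site actually operates.
AUTHORIZED_BSSIDS = {"CorpWiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    freq: int = 0
    signal: float = -100.0
    protected: bool = False  # True when an RSN (WPA2/WPA3) element was seen


def parse_scan(text):
    """Turn iw-style scan text into a list of Bss records."""
    records, cur = [], None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line)
        if m:
            cur = Bss(m.group(1))
            records.append(cur)
            continue
        if cur is None:
            continue
        field = line.strip()
        if field.startswith("freq:"):
            cur.freq = int(field.split()[1])
        elif field.startswith("signal:"):
            cur.signal = float(field.split()[1])
        elif field.startswith("SSID:"):
            cur.ssid = field[len("SSID:"):].strip()
        elif field.startswith("RSN:"):
            cur.protected = True
    return records


def find_evil_twins(records, authorized, rssi_margin=15.0):
    """Return one alert string per suspicious BSSID on a managed SSID."""
    by_ssid = defaultdict(list)
    for r in records:
        by_ssid[r.ssid].append(r)
    alerts = []
    for ssid, group in by_ssid.items():
        known = authorized.get(ssid)
        if known is None:
            continue  # not a managed SSID: nothing to compare against
        real = [r for r in group if r.bssid in known]
        strongest_real = max((r.signal for r in real), default=-100.0)
        real_protected = any(r.protected for r in real)
        for r in group:
            if r.bssid in known:
                continue
            reasons = ["BSSID not in AP inventory"]
            if real_protected and not r.protected:
                reasons.append("open, while the real AP is RSN-protected")
            if r.signal - strongest_real >= rssi_margin:
                reasons.append(f"{r.signal:.0f} dBm, "
                               f"{r.signal - strongest_real:.0f} dB above the strongest real AP")
            alerts.append(f"{ssid} from {r.bssid} (freq {r.freq}): " + "; ".join(reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_evil_twins(parse_scan(SAMPLE_SCAN), AUTHORIZED_BSSIDS):
        print("ALERT:", alert)
```

Run as a script it prints a single alert for the unknown BSSID on CorpWiFi. A commercial WIDS does the same comparison continuously from the radios of the deployed APs; the point of the inventory lookup is that "same SSID" alone is not suspicious (a site legitimately has many APs per SSID), whereas "same SSID from a BSSID we never installed" is.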
▸ The crux in an Enterprise environment — enforce server-certificate validation

The heart of WPA-Enterprise (802.1X) Evil Twin defense is enforcing server-certificate validation on the client side. Concretely, pin the "trusted CA / server certificate" in the connection profile and forbid settings like "don't validate the certificate" or "ask the user each time." This alone makes a rogue RADIUS — which cannot hold the right certificate — fail at the authentication stage, and eaphammer-style attacks no longer work.
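What "pin the trusted CA and forbid skipping validation" looks like in a connection profile, as an added example that is not from the original article: two wpa_supplicant network blocks for a PEAP/MSCHAPv2 profile. The first is the weak configuration the text warns about; the second enforces validation. The SSID, the CA file path, the RADIUS server name, and the identity are assumed sample values.

```conf
# Added example (not from the original article): wpa_supplicant network
# blocks for WPA-Enterprise (802.1X, PEAP + MSCHAPv2). "CorpWiFi", the CA
# path, "radius.corp.example" and the identity are assumed sample values.

# WEAK: no ca_cert and no server-name match. wpa_supplicant logs a warning
# and then trusts whatever certificate the RADIUS server presents, so a
# rogue AP with its own RADIUS gets the MSCHAPv2 exchange in phase 2.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="<placeholder>"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the CA that issued the RADIUS server certificate and require
# the certificate's name to match the real server. A rogue RADIUS cannot
# present a certificate chaining to this CA for this name, so authentication
# fails before any credential is sent in phase 2.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="<placeholder>"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

`domain_match` requires an exact name; `domain_suffix_match` is the looser alternative when the RADIUS servers share a DNS suffix. On managed Windows or macOS fleets the equivalent is the profile setting that names the trusted root CA and the expected server names, with the "prompt the user" option disabled so that a user cannot click through to a rogue server.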

▸ Three things ordinary users can do right away

(1) Don't type your Wi-Fi password into a page that pops up in the browser — a legitimate AP almost never asks for such re-entry. (2) Use a VPN on unknown open Wi-Fi at stations, airports, cafes, and the like. (3) Turn auto-connect off when you don't need it, and don't let your device remember unknown SSIDs. These three greatly reduce Evil Twin harm at the individual level.

07

Summary — related tools and where the attack sits #

  • An Evil Twin attack stands up a "fake AP that broadcasts the same SSID as the legitimate one, with a stronger signal" to pull victims onto the attacker's side — a man-in-the-middle attack
  • The root reason it works is that Wi-Fi identifies an AP only by SSID and auto-reconnects to remembered networks. So a same-named, strong-signal AP is trusted unconditionally
  • The classic chain is the four steps Recon → Deauth → fake AP → Captive Portal. The eviction step is detailed in the related article Deauthentication Attack
  • The variants are two families: (1) public-Wi-Fi impersonation (harvesting email/passwords via a captive portal) and (2) WPA-Enterprise EAP credential theft (eaphammer, etc.)
  • Common implementations of the fake AP include airbase-ng / hostapd / wifipumpkin3
  • Defense: neutralize Deauth with WPA3 / 802.11w, make server-certificate validation mandatory in Enterprise, and on the user side don't type passwords into the web, use a VPN. However simple it is technically, firing it at someone else's signal violates Japan's Radio Act and Unauthorised Computer Access Act. Learn only on your own equipment or contracted targets