Monday, July 14, 2014

Evil Twin Tutorial


  1. Kali Linux
  2. Prior experience with wireless hacking
You will also need to install bridge-utils, which doesn't come pre-installed in Kali. No big deal-
apt-get install bridge-utils


The whole process can be broken down into the following steps-
  1. Finding out about the access point (AP) you want to imitate, and then actually imitating it (i.e. creating another access point with the same SSID and everything). We'll use airmon-ng for finding the necessary info about the network, and airbase-ng to create its twin.
  2. Forcing the client to disconnect from the real AP and connect to yours. We'll use aireplay-ng to deauthenticate the client, and strong signal strength to make it connect to our network.
  3. Making sure the client doesn't notice that he connected to a fake AP. That basically means that we have to provide internet access to our client after he has connected to the fake wireless network. For that we will need to have internet access ourselves, which can be routed to our client.
  4. Have fun - monitor traffic from the client, maybe hack into his computer using metasploit.
PS: The first 3 are primary objectives, the last one is optional and not a part of the evil twin attack as such. It is rather a man in the middle attack.

Information Gathering - airmon-ng

To see available wireless interfaces-

To start monitor mode on the available wireless interface (say wlan0)-
airmon-ng start wlan0
To capture packets from the air on the monitor mode interface (mon0)-
airodump-ng mon0
After about 30-40 seconds, press ctrl+c and leave the terminal as is. Open a new terminal.

Creating the twin

Now we will use airbase-ng to create the twin of one of the networks that showed up in the airodump-ng list. Remember, you need to have a client connected to the network (this client will be forced to disconnect from that network and connect to ours), so choose the network accordingly. After you have selected the network, take a note of its ESSID and BSSID. Replace them in the given code-

airbase-ng -a <BSSID here> --essid <ESSID here> -c <channel here> <interface name>
If you face any problems, a shorter command will be-
airbase-ng --essid <name of network> mon0
Remove the angle brackets (< & >) and choose any channel that you want. Also, the BSSID can be randomly selected too, and doesn't have to match the target. The interface would be mon0 (or whichever card you want to use). The only thing that has to be identical about the twins is their ESSID (the name of the network). However, it is better to keep all parameters the same to make it look more real. After you are done entering the parameters and running the command, you'll see that airbase has turned your wireless adapter into an access point.
Note : We will need to provide internet access to our client at a later stage. Make sure you have a method of connecting to the net other than wireless internet, because your card will be busy acting like an AP, and won't be able to provide you with internet connectivity. So, either you need another card, or broadband/ADSL/3G/4G/2G internet.
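From the defender's side, the property just described (a twin only needs to copy the ESSID, and usually shows up with a different BSSID, a different encryption setting, or a stronger signal) is exactly what a wireless scan can be checked for. The script below is an added example, not code from the original post: it parses an airodump-ng style CSV export (the sample rows are constructed) and compares every BSSID advertising an ESSID against an assumed known-good inventory of access points, flagging unknown BSSIDs and noting when their encryption or signal strength disagrees with the real AP. The allowlist is what separates a rogue twin from a legitimate multi-AP network, which also shares one ESSID across several BSSIDs.

```python
"""Flag possible evil-twin access points in an airodump-ng style CSV dump.

The scan rows below are constructed for this example (not a real capture).
Heuristic: an ESSID we own being advertised by a BSSID that is not in our
inventory is a candidate twin; mismatched encryption or a stronger signal
than the real AP makes the finding more convincing.
"""
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout airodump-ng uses for its CSV export.
SCAN_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2014-07-14 10:00:01, 2014-07-14 10:00:40, 6, 54, WPA2, CCMP, PSK, -48, 120, 0, 0.0.0.0, 8, HomeWifi,
00:11:22:33:44:56, 2014-07-14 10:00:05, 2014-07-14 10:00:40, 6, 54, WPA2, CCMP, PSK, -51, 110, 0, 0.0.0.0, 8, HomeWifi,
AA:BB:CC:DD:EE:FF, 2014-07-14 10:00:20, 2014-07-14 10:00:40, 6, 54, OPN, , , -30, 40, 0, 0.0.0.0, 8, HomeWifi,
66:77:88:99:AA:BB, 2014-07-14 10:00:02, 2014-07-14 10:00:40, 11, 54, WPA2, CCMP, PSK, -70, 100, 0, 0.0.0.0, 9, Neighbour,
"""

# Assumed known-good inventory: the BSSIDs that legitimately serve each ESSID we own.
KNOWN_GOOD = {
    "HomeWifi": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
}


def parse_airodump_csv(text):
    """Return a list of AP dicts from the AP section of an airodump-ng CSV."""
    aps = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0] == "BSSID":
            continue                      # blank line or header
        if row[0] == "Station MAC":
            break                         # client section follows; not needed here
        if len(row) < 14:
            continue
        aps.append({
            "bssid": row[0].strip().upper(),
            "channel": row[3].strip(),
            "privacy": row[5].strip() or "OPN",
            "power": int(row[8].strip()),   # dBm as reported by airodump-ng
            "essid": row[13].strip(),
        })
    return aps


def find_evil_twins(aps, known_good):
    """Return (essid, bssid, reasons) for every BSSID that advertises an ESSID
    from the inventory without being one of its known-good access points."""
    by_essid = defaultdict(list)
    for ap in aps:
        by_essid[ap["essid"]].append(ap)

    findings = []
    for essid, allowed in known_good.items():
        entries = by_essid.get(essid, [])
        legit = [a for a in entries if a["bssid"] in allowed]
        for ap in entries:
            if ap["bssid"] in allowed:
                continue
            reasons = ["unknown BSSID"]
            if legit and ap["privacy"] != legit[0]["privacy"]:
                reasons.append("encryption %s vs %s" % (ap["privacy"], legit[0]["privacy"]))
            if legit and ap["power"] > max(a["power"] for a in legit):
                reasons.append("stronger signal than the real AP")
            findings.append((essid, ap["bssid"], reasons))
    return findings


if __name__ == "__main__":
    for essid, bssid, reasons in find_evil_twins(parse_airodump_csv(SCAN_CSV), KNOWN_GOOD):
        print("possible twin of %r from %s: %s" % (essid, bssid, "; ".join(reasons)))
```

Run it against a real export (airodump-ng's `-w prefix` writes `prefix-01.csv`) by replacing SCAN_CSV with the file contents; the "stronger signal" reason is only meaningful when the scan was taken from where the clients actually sit, since the twin's whole trick is to out-shout the real AP at the client's location.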


Telling the client to get lost

Now we have to ask the client to disconnect from that AP. Our twin won't work if the client is connected to the other network. We need to force it to disconnect from the real network and connect to the twin.
For this, the first part is to force it to disconnect. Aireplay will do that for us-
aireplay-ng --deauth 0 -a <BSSID> mon0 --ignore-negative-one

The 0 specifies the time interval at which to send the deauth request. 0 means extremely fast, 1 would mean send a packet every second, 2 would mean a packet every 2 seconds, and so on. If you keep it as 0, then your client would be disconnected in a matter of seconds, so fire up the command, and press ctrl+c after a few seconds. Note that the deauth is sent on broadcast, so all the clients (not just one) connected to the network will disconnect. Disconnecting a specific client is also possible.
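The broadcast deauth flood described above is loud: a real AP sends the occasional unicast deauth to one idle station, whereas dozens of broadcast deauthentication frames per second carrying the AP's BSSID is the pattern aireplay-ng produces. The detector below is an added example, not code from the original post; it runs a sliding one-second window over constructed frame records (timestamp, frame subtype, source BSSID, destination) and raises one alert per BSSID the first time the broadcast deauth rate crosses a threshold. Management frame protection (802.11w/PMF) is the mitigation that makes forged deauths ineffective; this detection is for networks that cannot yet enable it.

```python
"""Rate-based detection of 802.11 broadcast deauthentication floods.

The frame records below are constructed for this example (no real capture);
a live deployment would feed the same tuples from a monitor-mode sniffer.
"""
from collections import deque

DEAUTH = 0x0C                      # management frame subtype 12 = deauthentication
BEACON = 0x08                      # management frame subtype 8 = beacon
BROADCAST = "FF:FF:FF:FF:FF:FF"


def make_sample_frames():
    """Constructed records: (time_s, subtype, source_bssid, destination)."""
    frames = []
    # Background: the real AP kicks one idle station with a unicast deauth at t=0.5.
    frames.append((0.5, DEAUTH, "00:11:22:33:44:55", "AA:11:22:33:44:01"))
    # Flood: 40 broadcast deauths spoofed from the AP's BSSID between t=2.0 and t=2.39.
    for i in range(40):
        frames.append((2.0 + i * 0.01, DEAUTH, "00:11:22:33:44:55", BROADCAST))
    # Unrelated beacon traffic from a neighbouring AP, ten beacons per second.
    for i in range(20):
        frames.append((i * 0.1, BEACON, "66:77:88:99:AA:BB", BROADCAST))
    return sorted(frames)


def detect_deauth_floods(frames, window_s=1.0, threshold=10):
    """Return [(bssid, first_alert_time, count_in_window)] for each source BSSID
    whose broadcast deauth count within any window_s-second window reaches
    threshold. Frames must be ordered by time; only the first alert per BSSID
    is kept so a sustained flood does not produce one alert per frame."""
    windows = {}   # bssid -> deque of recent broadcast-deauth timestamps
    alerts = {}    # bssid -> (time, count)
    for t, subtype, bssid, dst in frames:
        if subtype != DEAUTH or dst != BROADCAST:
            continue               # unicast deauths and other frames are normal
        q = windows.setdefault(bssid, deque())
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()            # drop timestamps that fell out of the window
        if len(q) >= threshold and bssid not in alerts:
            alerts[bssid] = (t, len(q))
    return [(bssid, t, n) for bssid, (t, n) in alerts.items()]


if __name__ == "__main__":
    for bssid, t, n in detect_deauth_floods(make_sample_frames()):
        print("deauth flood from %s: %d broadcast deauths by t=%.2fs" % (bssid, n, t))
```

The threshold of ten per second is an assumed starting point; tune it against a baseline capture of your own APs, and treat a flood whose source BSSID matches one of your access points as the strongest signal, since that is the combination the attack relies on.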

Not the real one, but why the fake one

Even after being disconnected from the real AP, the client may choose to keep trying to connect to the same AP a few more times, instead of trying to connect to ours. We need to make our AP stand out, and for that, we need more signal strength. There are 2 ways to do that-

  1. Physically move closer to the client.
  2. Power up your wireless card to transmit at more power. 
The latter can be done with the following command -
iwconfig wlan0 txpower 27
Here 27 is the transmission power in dBm. Some cards can't transmit at high power, and some can transmit at extremely high power. Alfa cards usually support up to 30dBm, but many countries don't allow the card to transmit at such powers. Try changing 27 to 30 and you'll see what I mean. In Bolivia, however, you can transmit at 30dBm, and by changing the regulatory domain, we can overcome the power limitation.
iw reg set BO
iwconfig wlan0 txpower 30
It is strongly advised to not break laws as the transmission limits are there for a reason, and very high power can be harmful to health (I have no experimental evidence). Nevertheless, the client should connect to you if your signal strength is stronger than that of the real twin.

Note : If you are unable to get your client to connect to you, there is another option. You can leave him with no options. If you keep transmitting the deauth packets continuously (i.e. don't press ctrl+c after the client has disconnected), he will have no choice but to connect to you. However, this is quite an unstable situation, and the client will go back to the real twin as soon as it gets the chance.

Give the fake AP internet access

Now we need to provide internet access to the fake AP. This can be done in various ways. In this tutorial, we will consider that we have an interface x0 which has internet connectivity. If you are connected to the net via wireless, replace x0 with wlan1 or wlan0; a 3G modem will show up as ppp0. Whatever the case, you just have to know which interface is providing you with internet, and you can route the internet access to your client.


  • x0 - This has internet access.
  • at0 - This is created by airbase-ng (the wired face of the wireless access point). If you can somehow give internet access to at0, then the clients connected to your fake wireless network can connect to the net.
  • evil - This is an interface that we will create, whose job will be to actually bridge the two networks.

Creating evil

We will use Bridge control utility provided by Kali, brctl. Execute the following code-
brctl addbr evil
This will create the bridge. Now we have to specify which two interfaces have to be bridged-
brctl addif evil x0
brctl addif evil at0
We can bring the interfaces up using-
ifconfig x0 up
ifconfig at0 up
Also bring up the evil interface (the interfaces aren't always up by default, so we have to do this many times)-
ifconfig evil up
Now to auto configure all the complicated DHCP settings, we'll use dhclient-
dhclient3 evil &
Finally, all the configuration is complete. You can execute ifconfig and see the results, which will show you all the interfaces you have created.
Officially, the evil twin attack is complete. The client is now connected to your fake network, and can use the internet pretty easily. He will not have any way to find out what went wrong. However, the last objective remains.

Have fun

Now that the client is using the internet via our evil interface, we can do some evil stuff. This actually comes under a Man In The Middle attack (MITM), and I'll write a detailed tutorial for it later. However, for the time being, I will give you some idea what you can do.

Sniffing using Wireshark

Now all the packets that go from the user to the internet pass through our evil interface, and these packets can be monitored via wireshark. I won't teach you how to use it here, since it is a GUI tool. You can take a look at their website to get an idea of how to use wireshark.

Evil Twin Attack to Hack WPA-2 network

Somewhat of a mixture of man in the middle and evil twin, this attack fools a client into giving away the password of a WPA protected AP to your fake AP. Sounds cool? Read here-

Hacking WPA/WPA-2 without dictionary/bruteforce : Fluxion

Special Thanks

Matthew Bernard for his useful comment with some tips and a number of corrections
The screenshots have also been taken by him and provided to me for usage (I would love to see more helpful visitors like him).


  1. Hi,
    thanks for this great Tutorial :)
    Although it's easy to understand, I have some problems with it:
    When I want to create the Fake-Network using
    "airbase-ng -A -ESSID -c "
    I get the message, that -ESSID is an invalid argument. When I use "--essid" instead, I get "ioctl(SIOCGIFINDEX) failed: no such device".
    I found out, that I'm only allowed to use a monitor of airmon-ng, but I thought, that's not what we want to imitate another one's AP, especially access point's MAC.

    Next Problem: Even when I use the mon created with airmon-ng (e.g. after spoofing my own MAC with ifconfig) the program begins to send beacons to an apparently random client and won't stop that until I type Ctrl+C, so I'm not able to continue with the next step.

    What am I doing wrong?

    1. I have the same problem as the first guy who commented but when I try airbase-ng -a -essid mon0 i get this:

      root@kali:~# airbase-ng -a -essid ryanmatt mon0
      Invalid AP MAC address.
      "airbase-ng --help" for help.

      But if I try to put the bssid after the -a then i get this:

      root@kali:~# airbase-ng -a 00:26:F3:35:4D:31 -essid ryanmatt mon0
      "airbase-ng --help" for help.

    2. Sorry, replace -essid with --essid.

  2. I really appreciate the time that went into this. As a beginner, this has been hugely helpful. Thanks!

  3. Can we hack his wifi using evil twin method.....

    1. We can, but it's kinda tricky. I will write on it after some time.

    2. Just saw this comment from more than two years ago. I have a tutorial for hacking WPA with this attack now-

  4. hey sashwat finally you are able to run adsense ads on your blog...congrats.

  5. Sorry, actually .07mb/sec upload speed.

  6. This comment has been removed by the author.

  7. I will look into those captcha related sources that you've listed. Also, I've sent you a mail.

  8. Hi, i get the following error:

    root@user:~# airbase-ng --essid Helder mon0
    17:36:26 Created tap interface at0
    17:36:26 Trying to set MTU on at0 to 1500
    17:36:26 Trying to set MTU on mon0 to 1800
    17:36:26 Access Point with BSSID 00:22:FB:88:A1:E8 started.
    Error: Got channel -1, expected a value > 0.

    could you pls help me, ty.


    1. Try this
      airbase-ng --essid Helder mon0 --ignore-negative-one

    2. ty for the fast reply, unfortunately that didn't work. i got this error:
      root@user:~# airbase-ng --essid Helder mon0 --ignore-negative-one
      airbase-ng: unrecognized option '--ignore-negative-one'
      "airbase-ng --help" for help.

    3. My bad. --ignore-negative-one is not present in airbase-ng. The solution is a bit longer here.

      1) airmon-ng check kill - Kill the processes.
      2) If you are running monitor mode on wlan0, then turn down that interface using iwconfig wlan0 down (after turning on the monitor mode on wlan0)

    4. how do i connect to the internet later on now?

    5. root@user:# /etc/init.d/networking start

      This should start network manager again.

    6. Dear Shashwat,

      I have the same problem as Chromiupt and I have tried to follow your instructions but there is still problems for me...
      Indeed, everything works well when NetworkManager is stopped but I will need it after in order to give internet access to the client.

      It seems that as soon as I start NetworkManager, mon0 is not assigned anymore to any channel (I check with iwlist mon0 channel) so the "channel -1" error appears. Doing "airmon-ng start wlan0 6" (6 the channel I want mon0 to be assigned), assigned mon0 only if NetworkManager is OFF. For Example, I tried to turn NetworkManager off, assign mon0 (it works) then turn on NetworkManager on, and then mon0 was not assigned anymore.

      I saw that someone else had the same problem (Astenon at but could not solve it either.

      Is there any solution ? Will I have to give internet by ethernet ?

      Thanks a lot for your answer,


  9. Can somebody help me please?

    cant bridge my interfaces...

    brctl addif evil wlan0
    cant add wlan0 to bridge evil: Operation not supported.


    1. You'll need something else to connect to the internet, like a second wireless card, because your wlan0 interface is already acting as an AP.

    2. I'm having the same issue, but with wlan1, which is connected to the Internet. Apparently bridging is not possible with some wireless cards:

    3. I am having this exact issue. I am using 2 wlan interfaces. Wlan0 - used for airbase-ng and wlan1 used for Internet Access. I have created an interface using brctl addbr testint. I then run brctl addif testint wlan1 and receive output "Operation not supported"

  10. wouldn't it be better to give evil internet access before sending the death packet?

  11. After sending the deauth command my tablet gets disconnected from my router and tries to connect to the evil twin but it never will. It just keeps scanning over and over. If I choose the connection manually it tries to authenticate but never does; it just shows the network as saved or turned off. Any ideas what to do about this?

    1. I was encountering the same problem earlier. Three things:

      1: Are you providing internet access to the evil interface? (Not sure if this step is necessary but it worked for me.)
      2: Does the AP have the same bssid and essid? And is it on the same channel? If not then make it identical.
      3: Do not send deauth continuously. Press ctrl+c to stop deauthing and then try to connect to the twin.

      Hope it helped! :)

  12. I am setting the evil bridge between eth0 and at0 interface. I have successfully established a connection with a device after deauthing it. But after [dhclient evil &] command i am not able to connect to internet.
    PS: ifconfig shows eth0 connected to router with ip
    ato is at ip

    Please help.

    1. Same here. Doesnt figured out...

  13. "iwconfig wlan0 txpower 30", but at default how high it is set?

    If I set a value, at a reboot the value return at default?

  14. So Can I Obtain The Wifi's Router Password Using This Method?

  15. what ip address should we assign here after creating the bridge? Should i type "ifconfig at up" and "ifconfig eth0 up"? once i created the bridge i can no longer get out to the internet

  16. For all of you having trouble with internet access after running

    brctl addbr evil
    brctl addif evil eth0
    brctl addif evil at0
    ifconfig eth0 up
    ifconfig at0 up
    ifconfig evil up

    dhclient3 evil &

    I found if I changed "dhclient3 evil &" to "dhclient evil &" it worked fine. ***remove quotes

  17. It works great but after doing all this my wlan0 disappeared in my ifconfig.. there is only the evil left

  18. how to see the victim's password?

  19. somebody can tell me how to see the victim's password please

  20. For testing purpose, I use two wifi cards in Desktop computer. Can I use the same AP Wifi(Internet source-mobile phone) for victim client Internet and Desktop comp alternative Internet access, if deauthenticate only selected victim client-not myself:) ?

  21. wouldn't it be better to bridge them first? That way the client will have internet access as soon as he connects??

  22. i am using kali in vmware and having wifi connection! so can you please tell me how to bridge the network! it will be very helpful! thanks

  23. after doing all of that how we can crack the wpa 2 psk
    and exploit the machine

  24. E: Unable to locate package error while installing package

  25. You guys should probably try easycreds if u find the tutorial difficult to follow. It's automated

  26. Hiya,before I begin I would like to first say that this site has been extremely helpful as a beginner and you played a big part in my enjoyment of pen-testing.
    Thank You.
    On to my question, you see I do everything you do but I keep hitting the same problem, well the same two problems, let me explain. When I use the long command to create the twin it never stays on my
    victim machine's radar for more than a few seconds even with me not ending the command via ctrl + c. Secondly, even when I get the opportunity to connect to the evil I can never ACTUALLY connect to it. It always says "Obtaining IP" but it always stops and defaults to the wifi the evil twin is copying; is this because I'm trying to use a phone (Noob intensifies) to connect to the evil? Please reply as soon as you can, thank you.
    P.S it appears

    1. sorry I didnt finish my P.S, disregard it

  27. i want to know that same thing? i feel like my hotspot on my phone combined with my laptop plugged in via ethernet I should be all good right? use the ethernet my phone to provide the AP and ethernet to provide internet. Also how could you incorporate ettercap with a successfully running evil twin.

    One other thing I was thinking, couldn't I just use my hotspot, make it public, make it the same name as the ssid you want to mimic, jack up the TX, and use something like macchanger to mimic the bssid? It seems way more practical because I can look at my phone and it tells me who is connected with their local IP and MAC address. All I would need is something like ettercap to spoof dns, throw in some SET to get a provided fb or gmail page, and wait... I'm a noob so please correct me if I am wrong on any of this

  28. Thanks for the Tutorial here's how to do Automated Evil Twin Attack
    Automated Evil Twin Attack Tutorial

  29. Guys, is it possible, when enabling the fake wifi, to create a WEP one, and phish the password?

  30. Nice job,Thank you

  31. Really informative, thank you. But I want to use this bridging for fluxion and it doesn't seem to work, could you help me out here?

  32. why i can not connect to my fake access point ? it stuck on "obtaining ip address"
    Please help me :/

    1. This could be an issue with dhclient. Look up on DHCP.

  33. there is a way to monitor when the client connect to our fake AP? and when he disconnects to the real AP?

  34. After attack I can`t use my wifi adapter. How to restore it to be as normal.

  35. Hello, i have a problem, after i make the wi-fi connection and connect to it its unstable it disconnects me and then reconnects me, can anyone help?


© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.