"An evil twin is not a vulnerability in the protocol. It is a feature of the way humans trust familiar names." — VCA WIR-101 lecture notes
Lecture (50 min)
5.1 The Rogue AP Threat Model
A rogue AP is any access point on a corporate wireless network that was not authorized by the network administrator. There are several variants:
Unintentional rogue: an employee plugs in a consumer AP to extend coverage, bypassing NAC and firewall policy. The AP may have weak security (WEP, open, or a guessable PSK). Because it is plugged into the wired network via Ethernet, it sits inside the authorized network perimeter.
Intentional rogue (insider): a malicious insider deploys a covert AP to create a persistent backdoor into the network segment.
Evil twin: an attacker deploys an AP with the same SSID (and sometimes the same BSSID, using MAC spoofing) as a legitimate network, positioned to attract clients. The attacker controls all traffic.
Karma attack: a class of attack where the rogue AP responds to all Probe Requests with a matching response, impersonating whatever SSID the client is looking for. Clients that auto-join known SSIDs are vulnerable.
5.2 How Clients Choose an AP
802.11 clients maintain a "Preferred Network List" (PNL) of previously joined SSIDs. Behavior varies by OS:
Windows: automatically attempts to connect to any AP whose SSID matches a PNL entry. Until Windows 10 (2019), it also sent directed Probe Requests advertising PNL SSIDs, making the Karma attack straightforward.
macOS / iOS: as of 2020, uses MAC address randomization for Probe Requests; no longer broadcasts PNL SSIDs in Probe Requests by default.
Android (9+): similar privacy protections; randomized MAC per network.
Legacy devices (IoT, embedded): often use WEP or open SSID; no randomization; highly vulnerable to evil twin.
Signal strength (RSSI) is the primary selection criterion when multiple APs share an SSID. A high-power rogue can outcompete the legitimate AP for client connections.
5.3 Building an Evil Twin with hostapd
# hostapd.conf
interface=wlan1
driver=nl80211
ssid=TARGET_SSID
hw_mode=g
channel=6
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
sudo hostapd hostapd.conf &
sudo dnsmasq -C dnsmasq.conf # DHCP + DNS for clients
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # optional: upstream access
With upstream access enabled, connected clients may not notice they are on a rogue AP if the internet functions. All HTTP traffic, and TLS sessions where the client accepts the attacker's certificate, are interceptable.
5.4 Certificate Pinning and the Limits of Evil Twin
For applications using TLS, the evil twin MitM fails if:
- The client validates the certificate chain (normal browser behavior)
- The application uses certificate pinning (hardcodes the expected leaf or CA cert)
In practice, browsers display a certificate error, which many users dismiss. Mobile applications with certificate pinning resist interception. HTTP traffic (still present in 2026 for legacy endpoints and IoT) is fully visible.
Captive portal phishing: many evil twin frameworks display a captive portal page styled to look like the corporate login page. Users submitting credentials here deliver them to the attacker. This bypasses TLS entirely because the user navigated to a page controlled by the attacker, not the legitimate server.
Tools for this attack chain: hostapd-wpe (adds WPA2-Enterprise credential capture to hostapd), eaphammer, wifiphisher.
5.5 Detection and Defense
Detection:
- Wireless IDS (WIDS): Cisco WCS, Rogue AP detection in enterprise WLCs, open-source options (Kismet in WIDS mode). Monitors for SSID collisions, BSSID spoofing, unusual beacon intervals.
- BSSID monitoring: legitimate APs have predictable OUI prefixes. An AP with your SSID but an unexpected OUI is suspicious.
- RF fingerprinting: legitimate APs have consistent signal characteristics. An evil twin will likely have a different RF profile (different hardware, different power level, different location).
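The three detection signals above (SSID collision with an unexpected BSSID or OUI, BSSID spoofing with mismatched beacon parameters, and a single BSSID answering probes for many SSIDs, the Karma signature) as a small Python detector. This is an added example, not part of the lecture notes; the frame summaries, the AP inventory and the authorized OUI are constructed and hypothetical, standing in for what a monitor-mode tool such as Kismet would report.

```python
from collections import defaultdict
# Constructed sample of monitor-mode frame summaries (not a real capture).
SAMPLE_FRAMES = """\
beacon bssid=00:11:22:aa:bb:01 ssid=CorpNet channel=6 interval=100
beacon bssid=00:11:22:aa:bb:02 ssid=CorpNet channel=11 interval=100
beacon bssid=de:ad:be:ef:00:01 ssid=CorpNet channel=6 interval=100
beacon bssid=00:11:22:aa:bb:99 ssid=CorpNet channel=6 interval=100
beacon bssid=00:11:22:aa:bb:01 ssid=CorpNet channel=1 interval=50
proberesp bssid=de:ad:be:ef:00:02 ssid=HomeWiFi
proberesp bssid=de:ad:be:ef:00:02 ssid=CoffeeShop
proberesp bssid=de:ad:be:ef:00:02 ssid=AirportFree
proberesp bssid=00:11:22:aa:bb:01 ssid=CorpNet
"""

# Hypothetical inventory: the APs the administrator actually deployed.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": {"channel": 6, "interval": 100},
    "00:11:22:aa:bb:02": {"channel": 11, "interval": 100},
}
AUTHORIZED_OUIS = {"00:11:22"}  # vendor prefix of the corporate AP fleet (hypothetical)

def parse_frames(text):
    """Turn 'kind key=value ...' summaries into dicts; numeric values become ints."""
    frames = []
    for line in text.splitlines():
        kind, *fields = line.split()
        pairs = (field.split("=", 1) for field in fields)
        frames.append({"kind": kind, **{k: int(v) if v.lstrip("-").isdigit() else v for k, v in pairs}})
    return frames

def ssid_collisions(frames, ssid):
    """Beacons for our SSID from a BSSID we do not own, or from an owned BSSID
    whose channel/beacon interval disagree with inventory (BSSID spoofing)."""
    findings = []
    for f in (x for x in frames if x["kind"] == "beacon" and x["ssid"] == ssid):
        expected = AUTHORIZED_APS.get(f["bssid"])
        if expected is None:
            oui_ok = f["bssid"][:8] in AUTHORIZED_OUIS
            findings.append((f["bssid"], "unknown BSSID" if oui_ok else "unknown BSSID, foreign OUI"))
        elif (f["channel"], f["interval"]) != (expected["channel"], expected["interval"]):
            findings.append((f["bssid"], "known BSSID, channel/interval mismatch"))
    return findings

def karma_responders(frames, min_ssids=3):
    """One BSSID answering probes for many distinct SSIDs behaves like a Karma AP."""
    answered = defaultdict(set)
    for f in frames:
        if f["kind"] == "proberesp":
            answered[f["bssid"]].add(f["ssid"])
    return {b: sorted(s) for b, s in answered.items() if len(s) >= min_ssids}
```

Run over the sample, the collision check flags the foreign-OUI twin, an unknown BSSID that merely shares the corporate OUI, and a spoofed copy of a real BSSID beaconing with the wrong channel and interval; the Karma check flags the one BSSID answering three unrelated probes.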
Prevention:
- WPA2-Enterprise (802.1X + RADIUS): mutual authentication. The client validates the RADIUS server certificate; a rogue AP cannot impersonate the real RADIUS server. Much harder to evil-twin than PSK.
- Certificate pinning for sensitive apps: prevents MitM even if a client connects to a rogue AP
- NAC (Network Admission Control): prevents unauthorized APs from reaching the production VLAN even if plugged in
- MAC-address-aware port security: switches block new MACs on access ports beyond one authorized device
5.6 Wireless Phishing in Penetration Tests
In a pentest scope that includes social engineering or wireless assessments, evil twin + captive portal is a common credential-harvesting technique. Proper scope requires:
- Written authorization naming the SSID(s) being impersonated
- Limitations on geographic or temporal scope (do not set up an evil twin in a public park)
- Rules around how harvested credentials will be handled (destroy after reporting; do not use for further access beyond the agreed scope)
Lab Preview
Lab 5 (first half) deploys an evil twin against the lab AP. Lab 5 (second half) is the PMKID attack from Week 4 lecture -- both are graded as Lab 5 in the lab index. See Lab 5 file for full instructions.
Homework
Reading (45 min): Read the Karma attack original paper by Dino Dai Zovi and Shane Macaulay (2004 -- linked from course portal), even though client behavior has changed since 2004. Focus on the passive discovery mechanism and why it worked. Then read Apple's 2020 privacy changes for Wi-Fi Probe Requests (linked).
Hands-on (60 min): Set up a basic hostapd open AP (no encryption) on the authorized lab machine. Use your phone (with Wi-Fi off for production networks) or a second lab machine to connect. Verify DHCP is assigned and the machine appears in your AP's ARP table. Document the setup steps and confirm connectivity. This is infrastructure-only; no traffic analysis.
Toolchain Diary Entry
First introduced this week: hostapd, dnsmasq, wifiphisher (conceptual), iptables NAT
hostapd hostapd.conf: user-space daemon that drives a Wi-Fi interface as an access point.
dnsmasq -C dnsmasq.conf: lightweight DHCP + DNS server; commonly paired with hostapd for rogue AP setups.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE: NAT masquerade for routing connected clients through the attacker's upstream interface.
iw dev wlan1 set type __ap: set interface to AP mode without NetworkManager conflicts (alternative to airmon-ng for AP mode).
Key Terms
- Rogue AP: any AP on a network not authorized by the administrator; ranges from accidental (employee plug-in) to malicious (insider backdoor)
- Evil twin: rogue AP with the same SSID (and optionally BSSID) as a legitimate AP; positioned to attract clients via higher signal strength
- Karma attack: rogue AP that responds to all Probe Requests, impersonating any SSID the client is probing for; effective against clients with a large PNL and active scanning
- PNL: Preferred Network List; OS-maintained list of previously joined SSIDs; drives auto-join behavior
- Captive portal phishing: fake login page served by the rogue AP to harvest credentials without breaking TLS
- WPA2-Enterprise (802.1X): mutual-authentication wireless protocol; client validates RADIUS server certificate; resistant to evil-twin attack
- hostapd: open-source user-space daemon for 802.11 AP operation on Linux