Evil Twin Attacks: How Fake Wi-Fi Hotspots Work and How to Detect Them
An evil twin is the oldest Wi-Fi phishing technique that still works. The attacker sets up a rogue access point that clones the SSID of a legitimate network — your corporate Wi-Fi, your home router, the airport lounge, the conference venue — deauthenticates nearby clients from the real access point, and waits for them to reconnect to the stronger signal. When the clients associate, the attacker intercepts DNS, redirects web traffic to a captive portal that mimics the look of the legitimate network provider, and asks the user to re-enter their Wi-Fi password, Microsoft 365 login, or corporate SSO credentials. The user, trained by a decade of genuinely intrusive hotel splash pages, types the password. Game over. This article covers how the attack works mechanically (with reference to the three most popular open-source frameworks: airgeddon, Fluxion and wifiphisher), why WPA2 and WPA3 both fail to prevent it in the general case, the user-side detection signals you can train yourself to notice, and the enterprise-grade defences that actually stop evil twins at scale.
Legal boundary
Operating an evil twin against networks or users you do not own is unauthorized access, unauthorized interception of electronic communications, and credential phishing under statutes in every country with a computer-misuse law. The tools described below are mentioned so that defenders understand the mechanics; operating them against anyone but yourself or a system you have written authorization to test is a crime. The detection and defence sections make up the majority of this article for a reason.
How an evil twin attack runs end to end
The attacker starts with reconnaissance: a quick passive scan of the target environment to identify the SSID, BSSID, channel, encryption mode and any connected clients of the legitimate access point. Any aircrack-ng or hcxdumptool workflow produces this information in under a minute. The attacker then clones the SSID into a hostapd configuration on their own laptop, matches the channel, and optionally matches the BSSID (trivial with ifconfig wlan0 hw ether AA:BB:CC:DD:EE:FF). The cloned SSID broadcasts on the same channel as the real one, and any client that sees the evil twin's signal stronger than the real AP will roam to it. To force the roam the attacker sends a short burst of deauthentication frames to the real AP, kicking associated clients off; half of them immediately reconnect to whichever SSID with that name has the best signal, which the attacker has arranged to be the evil twin.
Once a client associates, the attacker's laptop runs dnsmasq to hand out DHCP leases and resolve every DNS query to the attacker's own IP. iptables redirects all HTTP and HTTPS traffic on ports 80 and 443 to a local nginx instance running a captive-portal page. Modern operating systems (iOS, Android, ChromeOS, Windows 11, macOS) probe well-known URLs like captive.apple.com, connectivitycheck.gstatic.com, and www.msftconnecttest.com to detect captive portals and automatically pop up a browser sheet. The attacker's nginx returns a login page styled to match the legitimate network's operator — your ISP's logo, your employer's branding, the airport's colour scheme. The user types the password. The page posts the credential to the attacker's server and optionally redirects to the real internet so the user does not immediately notice.
Attack frameworks
airgeddon
Bash menu-driven framework. Covers evil twin with hostapd, deauth via aireplay-ng, DNS redirection, captive portal templates for dozens of ISPs. Single most popular hobbyist tool.
Fluxion
Bash framework focused specifically on harvesting WPA2 PSKs via captive portals. Validates harvested PSK against the captured handshake in real-time so the portal only accepts the correct password.
wifiphisher
Python framework with broader phishing templates: not just Wi-Fi passwords but Microsoft 365, Google Workspace, firmware update prompts. Better for corporate red-team engagements.
All three frameworks automate the same underlying chain: hostapd for the rogue AP, aireplay-ng or mdk4 for deauth, dnsmasq for DHCP and DNS spoofing, iptables for traffic redirection, and a local web server for the portal. The difference is mostly in menu ergonomics and the set of pre-built phishing templates. Defensive detection does not change based on which framework an attacker used; the on-the-wire signature is nearly identical.
Why WPA2-PSK and WPA3 transition mode do not save you
A common misconception is that WPA2 encryption defeats evil twins because the attacker does not have the PSK. That is partially true but misses the threat model. The attacker has two options. Option A: run the evil twin as an open (unencrypted) network with the same SSID. Devices that have the legitimate network saved in open mode — every hotel, airport, cafe and conference network — will connect without hesitation, because iOS, Android and Windows treat "same SSID, open security" as a continuation of a previously joined open network. Option B: run the evil twin with WPA2-PSK using a PSK the attacker has already harvested from a previous handshake crack. Clients that have the PSK stored will authenticate transparently. The attacker does not need to be a WPA2 peer of the original; they only need the PSK, which they got from any of the offline attacks described in our PMKID guide.
WPA3 with SAE does add mutual authentication, which raises the bar significantly. However, almost every WPA3 deployment in 2026 runs in transition mode (WPA2/WPA3 mixed) to support legacy devices, and the attacker simply forces the WPA2 code path. Pure WPA3-only deployments do defeat the classic evil twin; very few consumer and enterprise networks are pure WPA3-only yet.
User-side detection signals
1. Captive portal asking for your Wi-Fi password
Legitimate captive portals ask for a room number, loyalty number, or accept terms — never the Wi-Fi PSK, because by that point the portal is already on the network. If a splash page asks you to re-enter the Wi-Fi password, disconnect immediately. This is the single highest-signal tell.
2. Missing or invalid TLS certificate
If you navigate to a known HTTPS site and get a certificate warning, you are MITMed. Never click through. Disconnect from the Wi-Fi and re-test on mobile data. An evil twin cannot forge a valid certificate for a site it does not control.
3. DNS returns your gateway IP for everything
Run nslookup apple.com, nslookup google.com, nslookup anything.invalid. If all three return the same IP and it matches your gateway, DNS is being spoofed. A clean network returns different IPs per domain and an NXDOMAIN for the invalid one.
4. Unusually strong signal from an unusual direction
In a building where the real AP is down the hall, a suddenly very strong signal with the same SSID from a different direction (for example a person sitting nearby at a coffee shop) is a physical anomaly worth noticing.
5. OUI mismatch of BSSID
The first three bytes of a BSSID (the OUI) identify the chipset manufacturer. Cisco enterprise networks use Cisco OUIs, airport networks typically use Aruba or Meraki OUIs, your home router has a Netgear or TP-Link OUI. A BSSID with the same SSID as your corporate network but a Realtek USB-adapter OUI is almost certainly rogue.
Enterprise defences: WIPS and 802.1X
Home users cannot deploy a Wireless Intrusion Prevention System, but enterprise operators can and should. A WIPS consists of dedicated sensors — either standalone radios or integrated into enterprise access points (Cisco Meraki, Aruba, Ubiquiti, Juniper Mist) — that continuously monitor the RF environment for BSSIDs with known corporate SSIDs but unknown OUIs, rapid deauth bursts, hostapd-style DHCP fingerprints, and similar anomalies. When the WIPS detects a likely rogue, it can either alert or automatically emit deauth frames at the rogue to keep clients off (legal grey area in some jurisdictions; vendor defaults usually alert-only).
On the client side, the durable defence is 802.1X / EAP-TLS with server certificate validation. Instead of a shared PSK, every device authenticates with a client certificate and validates the RADIUS server's certificate. A rogue AP cannot forge the server certificate, so clients refuse to complete EAP. The catch is that certificate validation must actually be enforced; operating systems historically allowed users to click through cert warnings, and enterprises that shipped self-signed certificates trained their users to always click "trust". Modern MDM-enrolled devices pin the expected server certificate common name or SHA-256 fingerprint, which closes this gap.
Home and travel defence checklist
What actually helps
- Never type your Wi-Fi password into a captive portal. Legitimate portals do not ask for it.
- Always respect TLS certificate warnings. If a known HTTPS site throws a warning, disconnect.
- Run a VPN as soon as the network is up. Mullvad, IVPN, ProtonVPN, WireGuard to your own VPS.
- Disable automatic join on networks you rarely use (Starbucks, airport, hotel, conference).
- Forget networks you no longer use; every saved open network is a reconnect target.
- On iOS and Android, turn off "Auto-Join" for chain networks while travelling.
- Use 4G/5G instead of public Wi-Fi when credentials need to be entered.
- For enterprise: move off PSK to 802.1X EAP-TLS with certificate pinning via MDM.
Real-world incident anatomy
To make the theoretical threat concrete, consider a real pattern seen repeatedly in coffee-shop and conference venues during 2024 and 2025. The attacker arrives with a laptop and a USB Wi-Fi adapter in monitor mode, sits at a corner table for ten minutes running hcxdumptool passively to enumerate nearby access points and their clients. They pick the target SSID — typically the free venue Wi-Fi because it is open and therefore auto-joins — and launch airgeddon with the captive portal template for that venue already pre-configured. The portal asks for an "email and confirmation code" supposedly sent by the venue's loyalty program; users who are in a hurry and assume they are dealing with yet another intrusive sign-up page paste their work email and a recent 6-digit code from their authenticator app. The attacker now has a valid email + TOTP pair which they can use for roughly 30 seconds against the target's Microsoft 365 or Google Workspace login.
A more sophisticated variant targets corporate networks specifically. The attacker first sits in the lobby of the target company running hcxdumptool to harvest PMKIDs from the corporate SSID. If the PSK is weak enough to crack offline (they usually are — corporate Wi-Fi PSKs rotate rarely and tend to be memorable), the attacker returns the next day with the PSK in hand, stands up a WPA2-encrypted evil twin using the captured PSK, and presents a captive portal styled to look like the company's Okta or Entra ID login. Users associate transparently because their device already has the PSK saved; the portal asks them to re-authenticate to the corporate SSO and harvests valid session cookies. Neither WPA2 nor basic 802.1X defeats this variant; only certificate-pinned EAP-TLS does.
Operating-system behaviour that makes the attack easier
Modern operating systems prioritise connectivity over security in several design decisions that make evil twins more effective than they should be. iOS and Android both auto-join known SSIDs aggressively: if you ever connected to "Starbucks WiFi" anywhere in the world, your phone will auto-join any open SSID with that name, anywhere. Windows 11's captive portal detection opens a non-sandboxed browser view at www.msftconnecttest.com that is easily redirected by the attacker's dnsmasq. macOS's captive portal assistant at captive.apple.com does validate the expected response string but silently falls back to a regular browser if anything looks off, which loads the attacker's page. ChromeOS's portal assistant does the same.
All four operating systems now offer settings to disable auto-join for individual networks, auto-forget networks not used in N days, or require explicit confirmation before joining any open network. These settings are not on by default and most users never change them. A privacy-conscious traveller spends a minute in Wi-Fi settings on each of their devices disabling auto-join for every "public" SSID they have ever touched, which is the single highest-leverage action an individual can take. For enterprises, pushing a device management policy that disables auto-join for non-corporate SSIDs and forces certificate validation on EAP methods removes most of the attack surface at once.
Relationship to handshake cracking and rogue AP detection
Evil twins and offline handshake attacks are complementary tools. An attacker who has cracked your WPA2 PSK offline (via a captured handshake or PMKID) can stand up an indistinguishable evil twin because they know the PSK; an evil twin attacker who cannot crack the PSK offline will often run an open twin and rely on user saved networks. Defensive hygiene against one attack improves posture against the other: a strong 20-character passphrase defeats the offline crack, and skepticism about captive portals defeats the twin. For the broader rogue-AP detection story including WIPS deployment and signature-based anomaly tools, see our rogue access point detection guide. For the underlying handshake mechanics that make the PSK crackable in the first place, see what is a WPA handshake.
Frequently asked questions
What is an evil twin attack?
An evil twin is a rogue access point that clones the SSID of a legitimate network to trick devices and users into connecting. Once associated, the attacker intercepts traffic, runs man-in-the-middle on unencrypted connections, and typically serves a captive portal that asks for credentials.
How is an evil twin different from a rogue access point?
A rogue AP is any unauthorized AP in the RF footprint. An evil twin specifically impersonates a legitimate network to phish. Every evil twin is a rogue AP; not every rogue AP is an evil twin.
What tools do attackers use?
airgeddon, Fluxion and wifiphisher are the three most common open-source frameworks. All automate SSID cloning, deauth, hostapd rogue AP, dnsmasq spoofing and captive portal delivery.
Can WPA2 or WPA3 protect me?
Partially. The attacker can run the twin as an open network to catch devices with saved open SSIDs, or reuse a previously cracked PSK. WPA3 in transition mode still exposes the WPA2 path. Pure WPA3-only or 802.1X EAP-TLS with cert pinning are the strong defences.
Does a VPN protect me?
A VPN protects confidentiality and integrity once the tunnel is up, defeating the MITM half. It does not protect against captive-portal phishing that runs before the VPN connects. Refuse captive portals that ask for passwords.
Suspect a rogue AP on your network?
Learn detection techniques and WIPS deployment in our rogue access point article.