Hacking WPA-2 Key - Evil Twin Method (No Bruteforcing)

12-29-2011, 12:02 AM
Hey guys!

This is a technique I've been using recently. It's a little more complex than usual; however, if you play your cards right, you have pretty good chances.

This technique doesn't involve capturing handshakes at all. Check out the steps:

1. Identify target & do recon;
2. Clone the target network;
3. Redirect traffic on cloned AP to a service page (asking for the WPA-2 Key) -- this page has to be on point, convincing;
4. Deauthenticate the hosts on the original network, and wait until they connect to our cloned network.

Check out the video: http://vimeo.com/34309678

* Video made under controlled circumstances for educational purposes. ;]
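Step 2 leaves a footprint that a defender can look for: the same ESSID is suddenly advertised by a second BSSID, usually from a different vendor OUI and often with different security settings than the real one. The script below is an added example of that check and is not part of the original post; the scan rows, the column layout (an airodump-ng style CSV is assumed) and the optional inventory of known BSSIDs are all constructed for this example.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed scan output in an airodump-ng style CSV layout (sample data, not a real capture).
SAMPLE_SCAN = """\
BSSID, channel, Privacy, ESSID
00:11:22:33:44:55, 6, WPA2, HomeNet
66:77:88:99:AA:BB, 11, OPN, HomeNet
AA:BB:CC:DD:EE:01, 1, WPA2, CoffeeShop
AA:BB:CC:DD:EE:02, 1, WPA2, CoffeeShop
DE:AD:BE:EF:00:01, 3, WPA2, Office5G
"""


def parse_scan(text):
    """Parse the CSV rows into dicts with whitespace-trimmed keys and values."""
    reader = csv.DictReader(StringIO(text), skipinitialspace=True)
    return [{k.strip(): v.strip() for k, v in row.items()} for row in reader]


def oui(bssid):
    """Vendor prefix: the first three octets of the BSSID."""
    return bssid.upper()[:8]


def find_evil_twins(rows, known_networks=None):
    """Flag ESSIDs advertised by more than one BSSID when the extra BSSIDs look foreign.

    known_networks (optional, hypothetical inventory) maps ESSID -> set of BSSIDs the
    defender actually operates. Returns (essid, sorted bssids, reasons) tuples.
    """
    by_essid = defaultdict(list)
    for row in rows:
        by_essid[row["ESSID"]].append(row)

    findings = []
    for essid, aps in by_essid.items():
        if len(aps) < 2:
            continue
        reasons = []
        if len({ap["Privacy"] for ap in aps}) > 1:
            reasons.append("encryption mismatch")      # e.g. a WPA2 network also seen as OPN
        if len({oui(ap["BSSID"]) for ap in aps}) > 1:
            reasons.append("mixed vendor OUIs")         # real multi-AP sites usually share a vendor
        if known_networks and essid in known_networks:
            unknown = [ap["BSSID"] for ap in aps
                       if ap["BSSID"].upper() not in known_networks[essid]]
            if unknown:
                reasons.append("unknown BSSID " + ", ".join(sorted(unknown)))
        if reasons:
            findings.append((essid, sorted(ap["BSSID"] for ap in aps), reasons))
    return findings


if __name__ == "__main__":
    for essid, bssids, reasons in find_evil_twins(parse_scan(SAMPLE_SCAN)):
        print(f"{essid}: {bssids} -> {', '.join(reasons)}")
```

Without an inventory the script only reports the HomeNet pair (open network posing as a WPA2 one, different vendor prefixes); with an inventory it also catches a second BSSID that copies the vendor prefix and security settings of the real AP, which is the case a clone prepared after careful recon would produce.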

12-30-2011, 10:14 AM
Nice video! However, it relies on some social engineering, which I have little trust in. But then you never know.....

Good post !

12-31-2011, 09:06 PM
Thanks man, appreciate the feedback!

I know how you feel about the social engineering... but bruteforcing is quite frustrating imo lol

Originally I wanted to find a way to clone a WPA-2 AP with the same BSSID and ESSID on a Karma-like router, and just register the authentication key they tried to use... then I came up with this idea.

But yea... timing is key for this method =)

Happy New Year, guys

01-03-2012, 11:13 AM
thanks for the great video and for the idea :))
the only thing (perhaps it's only me): since I installed the dhcp3-server my "Alfa" has begun to have some problems... sometimes it goes down!!!! & has little "driver crashes!"
thanks, bye! :confused:
zimmaro the goat-brain!!

01-03-2012, 03:44 PM
Hey, very nice video!
Could you give a little more explanation regarding these commands, please?

iptables --table nat --append POSTROUTING --out-interface [internet connection] -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
Redirect traffic:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination [IP address:80]
iptables -t nat -A POSTROUTING -j MASQUERADE

I understand that you redirect all TCP traffic to port 80, but where does DNS come in?
Because you type google.com and you get redirected to your evil page :p
Do the domain names get resolved via your connection to the internet?
And do you redirect your victims once they initialize the HTTP connection? Am I correct?

Please help me understand this :)

01-03-2012, 06:46 PM
Hey Zimmaro!
Thanks for the feedback.
I have an Alfa also, the AWUS036NH - what I noticed is that the card locks on a channel if you don't specify otherwise.
That's why I restart the monitor interface in the middle of the video, using the following command:

airmon-ng start wlan0 [channel]

That way we can host the fake access point and do the deauthentication on the same card using the at0 and mon0 interfaces.
Hope that helps =)

01-03-2012, 07:24 PM
Hey LHYX1!
You pretty much answered all your questions lol
We have one wireless connection to the internet and we want to bridge it with the cloned access point to give it internet access, so we use network address translation.

Just to clear it up, each number corresponds to command:

1) We specify the internet connection -- in my case, I used a tethered connection from my phone. That's our output interface. Think of packets heading out from the interface.

2) We forward the packets to our cloned access point.

Note: At this point, if you access the cloned AP you should have a normal internet connection. That's desirable, because you might want to implement sslstrip and such after the victim has given you the key... The cool part is we don't need to do ARP spoofing :)

3) Like you said, here we just redirect all TCP traffic to the evil page (our hosted Apache). I have also used dnsspoof to do this and it worked (again, no need for ARP spoofing). However, if you try to use ettercap you might break the cloned AP due to it altering iptables.

Basically the packets are altered when they arrive in the cloned AP from the AP connected to the internet.
Hope it helped! =)
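The exchange above makes one point worth keeping in mind on the client side: a PREROUTING DNAT on port 80 rewrites the connection below DNS, so name resolution can look perfectly normal while every HTTP request still lands on the wrong server. The usual client-side check for that is a connectivity canary, a tiny known document fetched over plain HTTP whose answer is compared byte for byte. The classifier below is an added example and not code from the thread; the canary body and the three raw responses are constructed for this example.

```python
# Constructed raw HTTP responses to a canary URL (sample data, not real captures).
# A clean network returns the tiny known body; an intercepting network answers for the
# server instead, either with a redirect or with its own page.
EXPECTED_BODY = b"NetCheck-OK\n"

CLEAN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 12\r\n\r\n"
         + EXPECTED_BODY)
REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: http://10.0.0.1/login.html\r\n"
            b"Content-Length: 0\r\n\r\n")
REPLACED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body><form>Enter your WPA2 key</form></body></html>")


def parse_http_response(raw):
    """Split a raw response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body


def classify_canary(raw):
    """'clean' if the exact expected body came back, otherwise describe the interception."""
    status, headers, body = parse_http_response(raw)
    if status == 200 and body == EXPECTED_BODY:
        return "clean"
    if status in (301, 302, 303, 307, 308) and "location" in headers:
        return "redirected to " + headers["location"]
    return "content replaced"


if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("redirect", REDIRECT), ("replaced", REPLACED)):
        print(f"{name}: {classify_canary(raw)}")
```

Operating systems run essentially this check when joining a network, which is why a portal-style redirect pops up a login prompt rather than silently replacing pages. Fetching the same canary over HTTPS gives a second, stronger signal: a DNAT to a different host fails certificate validation instead of returning a page.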

01-04-2012, 12:32 PM
Thanx for your help :D

01-09-2012, 02:39 PM
good work :)

01-13-2012, 06:40 AM
Where can we download the ''service page''? And the MSSQL database? TKS

01-13-2012, 09:32 PM
I have posted the original article with links on my website:


Note, however, that you should still conduct your recon,
as that's your basis for making this attack realistic.

01-16-2012, 07:41 AM
nice method .........!! can this method work on other APs with WPA/WPA2??? but you did a good job

happy hunting!!

01-16-2012, 07:43 PM
Yes, this is intended for WPA/WPA2...
We get the key by tricking the victim!

Thanks for the feedback & be safe! ;]

01-17-2012, 11:11 AM
great video. very useful.
can you just explain the steps? do I create the database first, or create it while working??
and do I need to be connected to the internet to install dhcp3-server or not??

01-18-2012, 08:54 AM
Just like any other attack, you should be comfortable before execution.
Set up apache, make sure it works nicely with the database; have your "service page" ready.

Then go by steps.

If you're a beginner don't try to do everything at once because it's a lot,
and it's hard to do things right if you don't understand what you're doing.

Try covering each one of the 4 steps individually,
once comfortable, put them all together.

01-21-2012, 09:55 PM
yes, I'm a beginner but I'll take it slow. I know a bit of Linux but very little. I'm here to learn.
thanks for the video. if any problem appears I'll ask :D

01-22-2012, 09:15 PM
What prevents us from faking an AP with exactly the same SSID and then capturing the WPA key when the victim's computer tries to automatically connect?

Of course I don't know how to do it, but it seems to be an easy idea, so I'd like to know if someone knows the answer.

Thanks in advance :o

01-24-2012, 09:01 PM
Hey iRiKi!
I'm glad you brought that up, because that was the original idea behind the attack. =)
However, when trying to implement it, I realized (after looking through many packets on wireshark) that the password works much like a hash.
The router simply compares the two "hashes" for a match.
All of this would boil down to the same method already known of capturing the 4-way handshake and bruteforcing/wordlisting the password.
Sorry if my explanation doesn't make too much sense, but if you run Wireshark & analyze the process you will see what I'm talking about...
Appreciate the feedback. ;]
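The "hash" the reply is describing is the Pairwise Master Key of WPA2-Personal: both the client and the AP derive it from the passphrase and the SSID with PBKDF2, and the 4-way handshake then exchanges nonces and MICs computed from that key, never the key or the passphrase itself. A cloned AP that does not know the passphrase therefore captures only material it would have to test guesses against, which is exactly the offline bruteforcing route the thread set out to avoid. The derivation below is an added example, not code from the post; the only values it uses are the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE") and a constructed second SSID.

```python
import hashlib


def derive_pmk(passphrase, ssid):
    """WPA2-Personal PMK as specified in IEEE 802.11i: PBKDF2-HMAC-SHA1 over the
    passphrase, salted with the SSID, 4096 iterations, 256-bit output.

    Both ends compute this locally; the AP can even store only the PMK (the
    64-hex-digit form many routers accept) and never see the passphrase again.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def pmk_hex(passphrase, ssid):
    return derive_pmk(passphrase, ssid).hex()


def handshake_reveals_passphrase():
    """What goes over the air in the 4-way handshake is ANonce, SNonce and MICs keyed
    from the PMK. Neither side ever transmits the PMK or the passphrase, so a listener
    (including a cloned AP) learns only something to check candidate passphrases
    against. Returned as a constant to keep the statement next to the derivation."""
    return False


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector.
    print("PMK(password, IEEE)    =", pmk_hex("password", "IEEE"))
    # Constructed SSID: same passphrase, different SSID, different PMK. This is why an
    # evil twin must copy the ESSID exactly, and why a renamed network is a new key.
    print("PMK(password, IEEE-2)  =", pmk_hex("password", "IEEE-2"))
```

The cost of 4096 PBKDF2 rounds is what makes each offline guess expensive; it is also why a passphrase that is long and not in any wordlist is the defence against the capture-and-crack route, while only user awareness (and a client that does not auto-join an open network carrying a known name) defends against the page-based route in this thread.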

01-26-2012, 04:29 AM
I have been developing this method since the old times (haven't posted in ages...).
Some personal tweaks.
For de-authenticating, use airdrop-ng; it has far more options and it's perfect for the situation (you can de-authenticate everyone that connects to a certain access point automatically, without your intervention).
Then I personally try to guess the router vendor by the MAC or by the SSID (mostly here SSIDs are standard) and use a modified router page as a key entry page, justifying everything with a router firmware update going on and the need to enter the key to continue navigation.
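Step 4 of the method, whether done by hand or automated as described in this post, produces a burst of deauthentication frames from one source address that no normal network generates. That burst is the signal a wireless IDS counts. The detector below is an added example and not code from the thread; the frame records are constructed (timestamp, subtype, transmitter, receiver) and stand in for what a monitor-mode capture would yield after parsing.

```python
from collections import defaultdict, deque

# Constructed monitor-mode frame records: (timestamp seconds, subtype, transmitter, receiver).
# Not a real capture; the flood is modelled as one source repeating deauths to broadcast.
BROADCAST = "FF:FF:FF:FF:FF:FF"
SAMPLE_FRAMES = [
    (99.5, "beacon", "00:11:22:33:44:55", BROADCAST),
    (100.0, "deauth", "00:11:22:33:44:55", BROADCAST),
    (100.2, "deauth", "00:11:22:33:44:55", BROADCAST),
    (100.4, "deauth", "00:11:22:33:44:55", BROADCAST),
    (100.6, "deauth", "00:11:22:33:44:55", BROADCAST),
    (100.8, "deauth", "00:11:22:33:44:55", BROADCAST),
    (101.0, "deauth", "00:11:22:33:44:55", BROADCAST),
    (101.2, "deauth", "00:11:22:33:44:55", BROADCAST),
    (101.4, "deauth", "00:11:22:33:44:55", BROADCAST),
    (103.0, "deauth", "DE:AD:BE:EF:00:01", "AA:BB:CC:DD:EE:02"),   # a single, ordinary deauth
    (104.0, "data", "DE:AD:BE:EF:00:01", "AA:BB:CC:DD:EE:02"),
]

DISCONNECT_SUBTYPES = {"deauth", "disassoc"}


def detect_deauth_floods(frames, window=10.0, threshold=5):
    """Return {source: timestamp} for transmitters that sent at least `threshold`
    disconnect frames within any `window`-second span. The timestamp is the moment
    the threshold was first crossed, which is when an alert would be raised."""
    recent = defaultdict(deque)   # per-source sliding window of disconnect timestamps
    flagged = {}
    for ts, subtype, src, _dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in detect_deauth_floods(SAMPLE_FRAMES).items():
        print(f"deauth flood from {src} at t={ts}")
```

Five disconnects in ten seconds is a deliberately low threshold for illustration; a real deployment tunes it per site. The detection is only half of the answer: with 802.11w Protected Management Frames enabled on the AP and clients, deauthentication frames are authenticated and a forged one is simply discarded, so the flood never disconnects anyone.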

04-13-2012, 07:09 AM
Hi Deathcrops, ty for this method... really great..! I want to ask you something.. Can you add a higher-resolution video for me? Thanks in advance.

04-14-2012, 06:36 AM
evil twin method problem

"""root@bt:~# apt-get install dhcp3-server -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
dhcp3-server: Depends: dhcp3-common (= 3.1.3-2ubuntu3.2) but 3.1.3-2ubuntu3.3 is to be installed
E: Broken packages"""

04-21-2012, 04:07 AM
I need help with airmon-ng:
it shows blank for wlan/wifi hardware. I need to make it work. My CPU: e8400, 2GB DDR2, HD5450 1 GB GPU. THANKS IN ADVANCE

05-04-2012, 03:04 AM
hi, love the video but got a question: how do I set up the web server???

05-24-2012, 05:39 AM
excellent tutorial

I have a question

In the redirect traffic step, all IP addresses get redirected in your tutorial.

How do I set iptables to redirect traffic for only one IP address, not all?


11-14-2012, 05:51 AM
Why doesn't the fake page turn on? The fake page only writes.
I explained the matter, and I'm doing it like the video. It does not redirect to the fake page.

ifconfig usb0 up
apt-get install dhcp3-server -y
airmon-ng start wlan0
airodump-ng mon0
gedit /etc/dhcp3/dhcpd.conf
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet netmask {
option subnet-mask;
option broadcast-address;
option routers;
option domain-name-servers;

Which of these IP addresses need to change?

12-06-2012, 01:14 PM
I have connected the client, but I can't redirect to the fake page and can't connect to the internet either; but if I insert the IP manually it succeeds.
Why is that?

12-08-2012, 09:21 AM
Why doesn't the fake page turn on? The fake page only writes.
I explained the matter, and I'm doing it like the video. It does not redirect to the fake page.

what client do you use?
I had a problem like yours before, and I found out why: the client I tried was Opera on my Android, and when I turned off Opera Turbo, voila, redirected successfully. Maybe it's because Opera Turbo doesn't use port 80,
so if you use Opera on your rabbit, you must have Opera Turbo turned off :D

12-15-2012, 08:28 AM
Hello guys,

It's interesting to learn about all this stuff, but I have a question and I'm dying to hear a solution for it.

How do you redirect a victim to this "service page" if no internet connection is available? The scenario is: I have two laptops and one access point. One of the laptops is the "victim" and the other one is the "attacker". The AP is secured with a strong password and WPA2/AES (WPS disabled), but I have no other internet connection available in the field, so I can't connect my "attacker" laptop to any wired or wireless internet connection.

All I can do is "trick the victim" into connecting to my fake AP, so I have IP-level connectivity with him, but I can't redirect all his requests to my service page. The only way he can access this "service page" is by entering the IP address of the attacker machine.

I would be happy if someone posted a solution for this. Sorry for my not so good English; I hope you guys understood this challenge. :)

EDIT: Seems that somehow I found a simple solution, by looking at a few other scripts.


Just needed to fire up the "dnsspoof" utility after I got the IP-level connectivity. ("dnsspoof -i at0")

Anyways, as you probably see, I still need to research many of these utilities and functions to get a complete understanding, but at least I'm happy that I have some clue.

12-22-2012, 08:16 PM
Interesting video...I am very much a noob to *nix, however the power from the cmd line is intoxicating.

12-26-2012, 09:17 AM

01-12-2013, 09:20 AM
Can't download the fake page with the command apt-get install dhcp3server -y