How to perform Evil Twin WiFi Attack [Step-by-Step]

Written by - Kennedy Muthii
Reviewed by - Deepak Prasad

Hello, in this guide we will be launching a captive portal evil twin attack using airgeddon tool. Evil twin attacks have been around for a long time. Attackers combine evil twin attacks and phishing to launch sophisticated social engineering attacks on unsuspecting victims using public hotspots found in cafes and airports. In evil twin attacks, the victim will be redirected to a cloned website requesting his/her credentials.

In evil twin attacks, the attacker deauthenticates a user connected to a legitimate internet access point, the attacker then creates a rogue access point looking similar to the legitimate internet access point. The victim unknowingly connects to the rogue access point. From the rogue access point, the attacker is able to launch phishing attacks.



  1. Have a running instance of Kali Linux.
  2. Have a WiFi card that supports both Access Point Creation and monitor mode.
  3. Have basic knowledge of the Linux command line and the commands.
  4. Have a target device. Any type of a device which can connect to an access point. Using another computer or a mobile phone is recommended (always remember to obtain consent where required before making an attack. Hacking is illegal and is punishable by law).
  5. Have an active internet connection.



Airgeddon is a Linux command line application with numerous features used by security engineers as they carry out different evil twin attack tests in their day to day work. Some of its features include:

  • Interface mode switcher keeping selection even on interface name changing
  • Denial of Service over wireless networks using different methods
  • Assisted WPA/WPA2 personal networks Handshake file and PMKID capturing
  • Cleaning and optimizing Handshake captured files
  • Offline password decryption on WPA/WPA2 captured files for personal networks
  • Evil Twin attacks (Rogue AP)
  • Only Rogue/Fake AP mode to sniff using an external sniffer
  • Simple integrated sniffing
  • Integrated sniffing, sslstrip2 and BeEF Browser Exploitation Framework (Hostapd + DHCP + DoS + Bettercap + BeEF)
  • Captive portal with "DNS black hole" to capture WiFi passwords
  • Optional MAC spoofing for all Evil Twin attacks
  • WPS features
  • Known WPS PINs attack (bully and reaver), based on online PIN database with auto-update
  • Integration of the most common PIN generation algorithms (ComputePIN, EasyBox, Arcadyan, etc.)
  • Offline PIN generation and the possibility to search PIN results on a database for a target
  • Parameterized timeouts for all attacks
  • Enterprise networks attacks
  • Fake AP using "smooth" and "noisy" modes capturing enterprise hashes and plain passwords
  • Custom certificates creation
  • WEP All-in-One attack (combining different techniques: Chop-Chop, Caffe Latte, ARP Replay, Hirte, Fragmentation, Fake association, etc.)


Steps to use Airgeddon to perform Evil Twin WiFi Attack

Step-1: Install Airgeddon

To install airgeddon, we first download the tool files from the GitHub repository using the command;

git clone


Step-2: Launching airgeddon

Before launching an evil twin attack, you have to make sure you have an active internet connection for it is required to install the required dependencies when running airgeddon for the first time. To launch airgeddon, we navigate to the tool’s folder we have just downloaded and run using the command as shown in the image below.

sudo ./

evil twin


Step-3: Choosing an interface to work with

After installing the required dependencies, airgeddon is ready to launch an evil twin attack but first, we need to choose the interface we will be working with. In our case, we will be using wlan0. We choose the interface and click enter.
evil twin


Step-4: Putting the interface on monitor mode

Before continuing, we have to put the interface on monitor mode This will enable us to scan and monitor our target access point. We choose option 2 as shown below.

evil twin


Step-5: Evil twin WiFi attack option

Now we have airgeddon on monitor mode, our next step to launching an attack is to select the evil twin attack option from where we will select the captive portal option. We will select option 7.
evil twin


Step-6: Choose the type of attack

In attack options, we will choose the evil twin attack with the captive portal option as shown in the image below.

evil twin


We let it run for some time to detect all the available access point and then close it. After closing, a screen displaying all the detected access points from the screen we select the access point we will attack as shown in the image below.

evil twin


Step-7: De-authenticating users and forcing the to connect to the rogue AP

On this screen, we need to choose the type of attack we want to launch against the target AP as shown in the image below.

evil twin


We will choose if we want to run the attack in pursuit mode(Pursuit mode - in some cases, you may find an access point that is set to run in channel hopping mode. This means the access point keeps on switching its channel after a certain period of time. In such a situation, you must use pursuit mode while launching an evil twin attack).

evil twin


Lastly, we will choose whether to spoof or keep the original mac address.

evil twin


If you want to store the captured handshake file during the evil twin attack, you have to allow it on the next screen as shown below.

evil twin


We have to select the timeout, but we can leave it at default (20 seconds). Finally, we need to select the language which we will use on the evil twin portal and continue with the attack.

evil twin


All the users will be de-authenticated from the access point, hence they will try to reconnect to another access point with similar features, this will be our rogue access point. Several screens will appear as shown in the image below.  After connecting to the rogue access point, the victim will get redirected to a portal requesting a password as shown in the image below.

evil twin


Step-8: Getting the captured passwords

On the screen below we are able to see the password that has been submitted by the victim on the portal.

How to perform Evil Twin WiFi Attack [Step-by-Step]



Evil twin attacks have been around for quite some time but still are very successful kinds of attacks. Using public internet access points makes you vulnerable to this kind of attack. When evil twin attacks are combined with phishing attacks, they are very difficult to be detected by a normal person who “just wants to use the internet access point for browsing”.  Normal users should be taught how to identify such kinds of attacks on them. For aspiring ethical hackers, launching evil twin attacks on the targets is a skill that should be added to your arsenal.


Kennedy Muthii

He is an accomplished professional proficient in Python, ethical hacking, Linux, cybersecurity, and OSINT. With a track record including winning a national cybersecurity contest, launching a startup in Kenya, and holding a degree in information science, he is currently engaged in cutting-edge research in ethical hacking. You can connect with him on LinkedIn.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to

Thank You for your support!!

1 thought on “How to perform Evil Twin WiFi Attack [Step-by-Step]”

Leave a Comment