Evil Twin Attack: Steal Wi-Fi Password

4 min readJul 5


Cracking wifi password through a dictionary attack can only be successful if the password is listed in the wordlist that you are using. Even if you try brute-forcing the password, a complex password will take a lot of time. So it's better to get the password using the phishing technique by creating a fake access point using the same MAC address and ESSID of the victim's wifi.

For this, we will be using Airgeddon to create a fake access point and capture the wifi password of the victim’s wifi.

You can download and install the Airgeddon tool from GitHub. “https://github.com/v1s1t0r1sh3r3/airgeddon

Disclaimer: This article is intended for educational and ethical purposes only. It should only be used on your own personal Wi-Fi network or on a network where you have obtained explicit permission from the owner to perform security testing. Unauthorized hacking of someone else’s Wi-Fi network is illegal and unethical.

As everything is ready let's start the attack.

  1. Start Airgeddon

cd into the Airgeddon directory and run the command sudo ./airgeddon.sh

It will check if all the required tools are installed or not.

2. Select the interface you want to use for the attack.

In this case, wlan0 is used to perform the evil twin attack.

3. Set the selected interface to monitor mode.

After the interface is selected, select option 2 which will put the interface in monitor mode.

3. Select Evil Twin Attack from the menu

After putting the interface in monitor mode, select option 7 which is the Evil Twin Attack menu.

4. Run Evil Twin Attack with a captive portal

Now select option 9 from the menu which will run the Evil Twin AP Attack with captive portal.

Now the program scans all the available wifi networks and lists them in the terminal. Select the target network from the list.

5. Select the option to run the Deauth Aireplay attack

6. Capture the handshake file

Two terminal windows will be automatically opened. One is used to death the user from the target network and another terminal is used to capture the handshake file.

Once the handshake file is captured it is shown in the Capturing Handshake terminal and the terminal will be closed automatically.

7. Choose the language to display

Now the Evil Twin AP is running and waiting for the victim to enter the password on the login page. It also de-authenticates the victim device forcing it to connect to Evil Twin AP.

When the victim connects to the Evil Twin AP and enters the password the password is captured and shown in the terminal and also it is saved to a file.

When the victim connects to the Evil Twin AP, this is how it is displayed on the victim's device.

Now when the victim enters the correct password, the password is saved in the file and if the victim enters the wrong password the error page is displayed saying the password is incorrect and prompts the victim to enter the correct password again.

For this attack to succeed, the target must exhibit ignorance or a lack of cybersecurity awareness. Moreover, the victim must willingly connect to an unknown network with the same name as their trusted network, despite warnings about different encryption. They must also enter their network password into a potentially suspicious-looking phishing page, which can be identified by language inconsistencies, incorrect router branding, or spelling errors. It’s worth noting that unfamiliarity with router admin page appearances may make these details less noticeable to some users.

Thank you for reading and hope you find this article informative.

Twitter: Vengenace0x0




Penetration Tester | Trader/ Investor | Cyber Security Enthusiast | Bibliophile