BIPI

Evil Twin and Captive Portal Phishing: Building a Real Rogue AP Lab

Cybersecurity

Rogue AP attacks remain the highest-yield wireless tradecraft, but most write-ups stop at hostapd. This guide builds a realistic captive portal lab with proper DHCP, DNS hijack, a TLS-aware redirect, and a credential capture flow that mirrors what clients see on real corporate guest networks.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 5, 2023 · 10 min read

#evil-twin #rogue-ap #captive-portal #wifi #red-team

Why evil twin still works

Users trust SSIDs. KARMA-style probe response attacks exploit that trust by impersonating networks the device has seen before. Combine with a captive portal that looks like the real guest portal and you collect credentials without the user ever doubting the page.

Hardware that actually works

  • Alfa AWUS036ACH or AWUS1900: dual-band adapters capable of both monitor and AP mode.
  • A second adapter for upstream internet, otherwise the captive portal feels dead.
  • A Pi 4 or small NUC running Kali to keep the rig portable.

Stack: hostapd, dnsmasq, nginx

hostapd hosts the SSID, dnsmasq handles DHCP plus DNS hijack to a local IP, and nginx serves the portal with proper TLS. The trick is making the portal interception feel native so iOS and Android trigger the captive portal helper.

Triggering captive portal detection

  • Respond to captive.apple.com with a non-Success page to wake iOS helper.
  • Respond to connectivitycheck.gstatic.com to nudge Android.
  • Serve a 302 to your portal for any HTTP host.

Wifiphisher and Evilginx for the front end

Wifiphisher gives you ready-made phishlets for firmware update and OAuth lookalike pages. Evilginx2 or Evilginx3 sits behind it for real MFA-aware credential capture on services the user assumes are trustworthy.

Deauth or polite waiting

  • Targeted deauth against a single client is faster but trips WIDS.
  • Passively running at higher transmit power with a matching ESSID lures roaming clients on their own.
  • Best practice: dwell in a coffee area near the office at lunch and let phones come to you.

Capturing what matters

  • Credentials posted to the portal go to a SQLite store with timestamp and source MAC.
  • DNS queries are logged for later business email enumeration.
  • TLS metadata via JA3 fingerprints reveals managed vs personal devices.

Detection your blue team should build

  1. WIDS alerts on duplicate BSSID with mismatched fingerprint.
  2. MDM compliance checks that restrict clients to the known SSID set and pin the server certificate.
  3. User education that questions every captive portal that asks for AD credentials.

Remediation

  • WPA3-Enterprise with EAP-TLS removes the password from the wire.
  • Disable auto-join on guest SSIDs in corporate MDM profiles.
  • Block known captive portal credential domains at the egress proxy.
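The first remediation bullet in client-configuration terms, as an added example that is not from the post or from BIPI: a wpa_supplicant excerpt showing the weak profile an evil twin can harvest next to the EAP-TLS profile that removes the password from the wire. SSIDs, file paths, the identity and the RADIUS hostname are placeholders.

```conf
# wpa_supplicant.conf excerpt (added example, not from the original post).
# SSIDs, paths, identity and the RADIUS hostname are placeholders.

# WEAK: PEAP/MSCHAPv2 with no CA and no server-name check. The client
# completes the inner handshake with whatever RADIUS server answers, so a
# password-derived MSCHAPv2 exchange reaches anyone advertising this SSID.
network={
    ssid="CorpGuest"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="jdoe@corp.example"
    password="placeholder-password"
    # no ca_cert and no domain_match: the server is never authenticated
}

# HARDENED: EAP-TLS with PMF required (the WPA3-Enterprise baseline). There
# is no password to phish, the server certificate must chain to the corporate
# CA, and domain_match rejects a RADIUS certificate issued for any other name.
network={
    ssid="CorpSecure"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=TLS
    identity="jdoe@corp.example"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    client_cert="/etc/wpa_supplicant/jdoe.crt"
    private_key="/etc/wpa_supplicant/jdoe.key"
    domain_match="radius.corp.example"
}
```

The two lines that matter for the evil twin case are `ca_cert` and `domain_match`: without them the supplicant will happily authenticate to a rogue RADIUS server, and with them a look-alike AP gets a TLS failure instead of a credential. Pushing the same profile through MDM, rather than letting users build it by hand, is what keeps the pinning in place.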

Lab numbers from the engagement: 44% of devices auto-joined the rogue AP, 27% of users submitted creds within 1h, and 19% of MFA prompts were approved blindly.

The portal that looks boring is the one that works. Polish kills phish.

Operational hygiene

Burn the SSID, wipe the DHCP lease file, and rotate MAC addresses between engagements. A reused rogue AP fingerprint is the easiest threat-intel breadcrumb a blue team will ever get.
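The first blue-team item above (a WIDS alert on a duplicate BSSID with a mismatched fingerprint) and the threat-intel breadcrumb this section describes come down to the same triage logic, so one added example covers both. This is not code from the post or from BIPI: the sanctioned inventory, the prior-rogue record and the sensor sweep are constructed sample data, and the record field names are assumptions rather than any WIDS product's schema. It fingerprints the beacon body (rates, RSN suites, vendor IEs) rather than the MAC, so a rotated BSSID on a reused rig still matches.

```python
"""Rogue AP triage over WIDS beacon observations.

Added example, not code from the original post or BIPI. The inventory,
the prior-rogue list and the sweep below are constructed sample data, and
the record field names are assumptions rather than any WIDS product's schema.
"""
import hashlib


def beacon_fingerprint(beacon):
    """Hash the beacon body fields a look-alike AP rarely reproduces exactly:
    supported rates, RSN suite set and vendor-specific IEs. BSSID and channel
    are deliberately left out: a rotated MAC must not change the fingerprint,
    and legitimate APs change channel under DFS/auto-RF without being rogue."""
    parts = [
        ",".join(sorted(beacon["rates"])),
        ",".join(sorted(beacon["rsn"])),
        ",".join(sorted(beacon["vendor_ies"])),
    ]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


CORP_RATES = ["6", "9", "12", "18", "24", "36", "48", "54"]
CORP_RSN = ["WPA2", "CCMP", "PSK"]

# Sanctioned inventory (constructed): what the WLAN controller says CorpGuest looks like.
SANCTIONED_APS = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": "CorpGuest", "channel": 36,
     "rates": CORP_RATES, "rsn": CORP_RSN, "vendor_ies": ["oui:00:11:22"]},
    {"bssid": "00:11:22:aa:bb:02", "ssid": "CorpGuest", "channel": 44,
     "rates": CORP_RATES, "rsn": CORP_RSN, "vendor_ies": ["oui:00:11:22"]},
]

# Beacon body recorded from a rogue AP on an earlier engagement (constructed).
PRIOR_ROGUE_BEACONS = [
    {"bssid": "02:aa:aa:aa:00:01", "ssid": "FreeAirportWiFi", "channel": 6,
     "rates": ["1", "2", "5.5", "11"], "rsn": [], "vendor_ies": []},
]

# One sensor sweep (constructed).
OBSERVATIONS = [
    # sanctioned AP, beacon body identical to inventory: stays quiet
    {"bssid": "00:11:22:aa:bb:01", "ssid": "CorpGuest", "channel": 36, "rssi": -52,
     "rates": CORP_RATES, "rsn": CORP_RSN, "vendor_ies": ["oui:00:11:22"]},
    # CorpGuest advertised by a BSSID that is not in inventory: evil twin
    {"bssid": "02:de:ad:be:ef:01", "ssid": "CorpGuest", "channel": 1, "rssi": -40,
     "rates": ["6", "12", "24"], "rsn": CORP_RSN, "vendor_ies": []},
    # sanctioned BSSID reused, but the beacon body does not match: BSSID spoof
    {"bssid": "00:11:22:aa:bb:02", "ssid": "CorpGuest", "channel": 44, "rssi": -45,
     "rates": ["1", "2", "5.5", "11"], "rsn": CORP_RSN, "vendor_ies": []},
    # unrelated SSID and a fresh MAC, but the beacon body matches a prior rogue
    {"bssid": "02:bb:bb:bb:00:09", "ssid": "Lobby-Free", "channel": 11, "rssi": -60,
     "rates": ["1", "2", "5.5", "11"], "rsn": [], "vendor_ies": []},
]


def detect_rogue_aps(observations, sanctioned=SANCTIONED_APS,
                     prior_rogues=PRIOR_ROGUE_BEACONS):
    """Return one alert dict per finding, in observation order."""
    by_bssid = {ap["bssid"].lower(): ap for ap in sanctioned}
    sanctioned_ssids = {ap["ssid"] for ap in sanctioned}
    known_rogue_fps = {beacon_fingerprint(b) for b in prior_rogues}
    alerts = []
    for obs in observations:
        bssid = obs["bssid"].lower()
        fp = beacon_fingerprint(obs)
        base = {"bssid": bssid, "ssid": obs["ssid"], "channel": obs["channel"],
                "rssi": obs.get("rssi"), "fingerprint": fp}
        known = by_bssid.get(bssid)
        if known is not None:
            # Our own BSSID, so only a beacon-body mismatch is suspicious.
            if fp != beacon_fingerprint(known):
                alerts.append(dict(base, type="bssid_spoof"))
        elif obs["ssid"] in sanctioned_ssids:
            # Our SSID from a BSSID we never deployed.
            alerts.append(dict(base, type="evil_twin_ssid"))
        if fp in known_rogue_fps:
            # The rig has been seen before, whatever SSID or MAC it uses now.
            alerts.append(dict(base, type="known_rogue_fingerprint"))
    return alerts


def summarize(alerts):
    """Count alerts by type, the shape a SIEM dashboard tile wants."""
    counts = {}
    for a in alerts:
        counts[a["type"]] = counts.get(a["type"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect_rogue_aps(OBSERVATIONS)
    for a in found:
        print(f'{a["type"]:24} {a["bssid"]}  {a["ssid"]!r:18} '
              f'ch{a["channel"]} rssi={a["rssi"]} fp={a["fingerprint"]}')
    print(summarize(found))
```

Run against the constructed sweep it raises three alerts: the unknown BSSID beaconing CorpGuest, the sanctioned BSSID whose beacon body no longer matches inventory, and the unrelated "Lobby-Free" SSID whose body matches the rig from the earlier engagement. Feeding the sanctioned inventory back in as observations produces nothing, which is the baseline a WIDS rule needs before it is allowed to page anyone.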
