4

If I create an evil twin hotspot next to a legitimate AP and simply clone the SSID, I know that my WiFi client will see these as 2 different APs and both will show up in a list of available networks (both with the same SSID). This can happen because the BSSIDs are different.

But what if I also clone the BSSID on the evil twin? I know that ultimately I'm going to connect to the stronger signal. But is a WiFi client able to tell that there are two networks, or will one just be drowned out? If I look at a list of networks on iOS or Android, will I see 2 networks with the same name or only one?

Sander Smith
  • 215
  • 1
  • 3

3 Answers

1

In large wireless network setups, numerous access points will broadcast the same SSID and will appear as only one SSID on the client device. For example, some large lecture halls at my university have over 15 access points in them which are broadcasting the same SSID. Even though the BSSID of each device differs, the client still groups by SSID.

multithr3at3d
  • 12,355
  • 3
  • 29
  • 42
0

As far as what your network list will show, it depends! The Android ScanResults function returns a variety of information, and this Stackoverflow question about duplicate wifi results has some information that indicates that one default is SSID+BSSID.

However, without knowing what your client software considers a "duplicate", you can't tell - perhaps it thinks different frequencies matter, or different bandwidths, or different authentication/security capabilities, or sufficiently different signal strengths.

Assuming the "good" hotspot is using WPA2, then the four-way handshake means both sides must know the authentication data first, be it a shared key or LDAP integration.

For a shared key (WPA2-AES Personal), the most common reasonable consumer AP standard, there are two choices:

  • The evil twin was set up with the actual passphrase by someone who knew it. Now it'll get and respond to some of the data, while the actual AP does the same

  • The evil twin was not set up that way, and doesn't work.

Open AP's are a problem.

Good AP's spot this and report on it.

Anti-weakpasswords
  • 9,785
  • 2
  • 23
  • 51
  • My question is far simpler than all of this. I really don't care whether either of the APs are set up with any type of encryption. I'm interested in what happens BEFORE you even try to connect. When I look at a list of available networks (before I try to connect to one) will I see one or two for that particular SSID? – Sander Smith Feb 20 '16 at 17:38
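The comment above asks only what the network list shows before any connection attempt. As an added illustration (not code from any answer on this page), the Python below takes a constructed scan snapshot and collapses it under the three grouping policies mentioned in the answers: SSID only, SSID+BSSID (the Android default referenced above), and SSID+BSSID+channel. It also models a remembered-network client that picks the strongest signal among entries matching the saved security type, which is why an open twin does not capture a WPA2 profile. The `ScanResult` record, the policy names and the sample values are assumptions for the example, not a real platform API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    bssid: str
    channel: int
    rssi: int          # dBm, higher (closer to 0) is stronger
    capabilities: str  # Android-style string such as "[WPA2-PSK-CCMP][ESS]"


# Constructed scan snapshot (assumption, not a real capture): one legitimate AP on
# channel 6, an evil twin that cloned only the SSID (different BSSID, open), and an
# evil twin that cloned SSID and BSSID, sitting on channel 11 with a stronger signal.
SCAN = [
    ScanResult("CoffeeShop", "aa:bb:cc:dd:ee:01", 6, -61, "[WPA2-PSK-CCMP][ESS]"),
    ScanResult("CoffeeShop", "de:ad:be:ef:00:01", 6, -55, "[ESS]"),
    ScanResult("CoffeeShop", "aa:bb:cc:dd:ee:01", 11, -38, "[WPA2-PSK-CCMP][ESS]"),
    ScanResult("Library", "aa:bb:cc:dd:ee:02", 1, -70, "[WPA2-PSK-CCMP][ESS]"),
]

# Grouping policies a network list might use (hypothetical names).
KEYS = {
    "ssid": lambda r: (r.ssid,),
    "ssid+bssid": lambda r: (r.ssid, r.bssid),
    "ssid+bssid+channel": lambda r: (r.ssid, r.bssid, r.channel),
}


def dedupe(results, key_name):
    """Collapse scan results the way a network list would: one row per key,
    keeping the strongest entry among those that collapsed into it."""
    key = KEYS[key_name]
    best = {}
    for r in results:
        k = key(r)
        if k not in best or r.rssi > best[k].rssi:
            best[k] = r
    return sorted(best.values(), key=lambda r: r.rssi, reverse=True)


def visible_count(results, ssid, key_name):
    """How many rows the user would see for one network name under a policy."""
    return sum(1 for r in dedupe(results, key_name) if r.ssid == ssid)


def auto_connect_target(results, ssid, required_capability="WPA2-PSK"):
    """A client with a saved profile matches on SSID plus security type, then
    joins the strongest signal. Entries whose security does not match the saved
    profile (here: an open twin against a WPA2 profile) are never candidates."""
    candidates = [
        r for r in results
        if r.ssid == ssid and required_capability in r.capabilities
    ]
    return max(candidates, key=lambda r: r.rssi) if candidates else None


if __name__ == "__main__":
    for policy in KEYS:
        print(f"{policy:20s} -> CoffeeShop shown {visible_count(SCAN, 'CoffeeShop', policy)} time(s)")
    target = auto_connect_target(SCAN, "CoffeeShop")
    print("auto-connect would join channel", target.channel, "at", target.rssi, "dBm")
```

With the SSID-only policy the cloned BSSID is invisible (one row); with SSID+BSSID the SSID-only twin shows as a second row but the BSSID clone still merges into the legitimate entry; only a policy that also keys on channel shows all three. The stronger cloned-BSSID entry wins the auto-connect decision because it passes the security match, which the open twin does not.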
0

Let's say I use macchanger and airbase-ng to create an evil twin AP for some network so that they share the same SSID and BSSID; everyone who opens up their wifi manager on their phone, laptop, etc. would see two identical networks listed there.

They would be sorted by signal strength, which can be "forced" by the attacker if they change their regulatory region and boost the wireless adapter's power.

Taken a step farther: assuming regular users of some public network would choose to "Automatically Connect" to it, if I de-auth devices connected to the original AP, their wifi manager would find and connect to my evil twin if the signal is stronger and the SSID and BSSID are identical.

The fact that most wireless managers work like this (e.g. simply remember APs based on SSID + BSSID) is the reason why EvilTwin attacks work so well.

WorseDoughnut
  • 761
  • 5
  • 18
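The deauth-and-reconnect sequence described in the answer above, and the "good APs spot this and report on it" remark in the previous answer, are what a wireless IDS looks for from the monitoring side. As an added example (not code from any answer here), the Python below runs three checks over a constructed beacon/deauth capture: the same BSSID beaconing on more than one channel, beacon timestamps (TSF) that do not advance in step with wall-clock time (two radios sharing one BSSID each carry their own 1 MHz timer, so their beacons interleave with inconsistent TSF values), and a burst of deauthentication frames claiming the legitimate BSSID. The `Frame` record, the sample values and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t: float         # capture time in seconds
    kind: str        # "beacon" or "deauth"
    bssid: str
    ssid: str = ""
    channel: int = 0
    tsf: int = 0     # beacon timestamp field: microseconds since the AP radio started


# Constructed capture (assumption, not a real pcap): the legitimate AP beacons on
# channel 6 with a smoothly increasing TSF; an evil twin reusing the same
# BSSID/SSID on channel 11 has its own much smaller TSF; then 25 deauths spoofing
# the real BSSID arrive within 50 ms.
BSSID = "aa:bb:cc:dd:ee:01"
CAPTURE = [
    Frame(0.000, "beacon", BSSID, "CoffeeShop", 6, 5_000_000_000),
    Frame(0.102, "beacon", BSSID, "CoffeeShop", 6, 5_000_102_400),
    Frame(0.150, "beacon", BSSID, "CoffeeShop", 11, 7_300_000),
    Frame(0.205, "beacon", BSSID, "CoffeeShop", 6, 5_000_204_800),
    Frame(0.252, "beacon", BSSID, "CoffeeShop", 11, 7_402_400),
    Frame(0.300, "beacon", "aa:bb:cc:dd:ee:02", "Library", 1, 9_000_000),
    Frame(0.402, "beacon", "aa:bb:cc:dd:ee:02", "Library", 1, 9_102_400),
] + [Frame(0.500 + i * 0.002, "deauth", BSSID) for i in range(25)]


def multi_channel_bssids(frames):
    """BSSIDs seen beaconing on more than one channel -> {bssid: [channels]}."""
    seen = defaultdict(set)
    for f in frames:
        if f.kind == "beacon":
            seen[f.bssid].add(f.channel)
    return {b: sorted(c) for b, c in seen.items() if len(c) > 1}


def tsf_anomalies(frames, tolerance_us=50_000):
    """Compare each beacon's TSF advance with the wall-clock gap since the
    previous beacon from that BSSID. One radio advances its TSF 1 tick per
    microsecond, so the two agree closely; a second radio using the same
    BSSID makes the sequence jump backwards or forwards by far more."""
    last = {}
    anomalies = []
    for f in frames:
        if f.kind != "beacon":
            continue
        if f.bssid in last:
            prev_t, prev_tsf = last[f.bssid]
            expected = int((f.t - prev_t) * 1_000_000)
            if abs((f.tsf - prev_tsf) - expected) > tolerance_us:
                anomalies.append((f.bssid, f.t))
        last[f.bssid] = (f.t, f.tsf)
    return anomalies


def deauth_bursts(frames, window_s=1.0, threshold=10):
    """Sliding-window count of deauth frames per BSSID; returns the peak
    count for every BSSID that crossed the threshold inside one window."""
    times_by_bssid = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            times_by_bssid[f.bssid].append(f.t)
    bursts = {}
    for b, times in times_by_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[b] = max(bursts.get(b, 0), count)
    return bursts


def evil_twin_report(frames):
    return {
        "multi_channel": multi_channel_bssids(frames),
        "tsf_anomalies": tsf_anomalies(frames),
        "deauth_bursts": deauth_bursts(frames),
    }


if __name__ == "__main__":
    for name, finding in evil_twin_report(CAPTURE).items():
        print(f"{name}: {finding}")
```

The TSF check is the one that survives a careful attacker who stays on the legitimate channel: the channel check then sees nothing, but two independent radios cannot keep one monotonic timestamp sequence, and every beacon from the twin lands as a jump relative to the real AP's previous beacon. The Library AP, with a single radio and consistent timing, produces no findings under any of the three checks.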