You can't simply force a client, but you can trick him!
As long as the device's WiFi is running, it keeps sending probe requests, searching for your previously connected networks. Using some software like airodump-ng, you can easily sniff out those probes.
Then the attacker may create a similar evil twin using the BSSID and ESSID gathered from the previous probes.
So, as the device sees the pre-saved network up again, it re-connects, thinking it is the legit network.
However, there is something to be aware of:
Only works with public networks. This does not work with secured networks unless you already know the security phrase.
Important note:
This attack can also be done to pre-saved networks with a passphrase, if the passphrase is weak enough to be cracked. The steps are:
- Create the evil twin network using the BSSID, ESSID and the same auth type of the spoofed network ("WPA, WPA2 or WEP")
- The client will try to connect to the network providing the passphrase challenge
- The authentication won't work obviously, but you can sniff the challenge
- Using some cracking tool, you can crack the phrase
- Re-create the network using the new passphrase
Now the client will connect to the spoofed network even if it has some security level, so it's always a good idea to use strong phrases!
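From the defender's side, the evil twin described in this answer shows up in the air as a beacon for a known ESSID coming from an unknown BSSID, or as a cloned BSSID whose channel or auth type no longer matches the legitimate AP. The following is an added example, not code from the poster: a small Python check over constructed beacon records against an assumed (hypothetical) inventory of legitimate access points.

```python
"""Evil-twin beacon check (added example; AP inventory and beacons are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    essid: str
    bssid: str
    channel: int
    auth: str  # "OPEN", "WEP", "WPA" or "WPA2"


# Assumed inventory of the organisation's legitimate APs (hypothetical values).
KNOWN_APS = {
    "aa:bb:cc:00:00:01": Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 6, "WPA2"),
    "aa:bb:cc:00:00:02": Beacon("CorpWiFi", "aa:bb:cc:00:00:02", 11, "WPA2"),
}

# Constructed sample sweep: two legit APs, one twin with a new BSSID,
# and one twin that cloned a legit BSSID but is open and on another channel.
SAMPLE_OBSERVED = [
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 6, "WPA2"),
    Beacon("CorpWiFi", "aa:bb:cc:00:00:02", 11, "WPA2"),
    Beacon("CorpWiFi", "de:ad:be:ef:00:01", 1, "OPEN"),
    Beacon("CorpWiFi", "aa:bb:cc:00:00:01", 1, "OPEN"),
]


def find_rogue_beacons(observed):
    """Return (reason, beacon) pairs for beacons that look like an evil twin."""
    alerts = []
    known_essids = {ap.essid for ap in KNOWN_APS.values()}
    first_seen = {}  # bssid -> first beacon heard in this sweep
    for b in observed:
        legit = KNOWN_APS.get(b.bssid)
        if legit is None:
            # Our ESSID advertised by a BSSID that is not in the inventory.
            if b.essid in known_essids:
                alerts.append(("unknown BSSID advertising our ESSID", b))
            continue
        # BSSID matches a real AP: compare the advertised parameters.
        if b.auth != legit.auth:
            alerts.append(("auth type differs from inventory", b))
        if b.channel != legit.channel:
            alerts.append(("channel differs from inventory", b))
        # The same BSSID heard twice with different parameters in one sweep.
        if first_seen.setdefault(b.bssid, b) != b:
            alerts.append(("same BSSID with conflicting parameters", b))
    return alerts


if __name__ == "__main__":
    for reason, beacon in find_rogue_beacons(SAMPLE_OBSERVED):
        print(f"{reason}: {beacon}")
```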