
I'm having a hard time understanding the difference between a rogue AP and an evil twin. I've spent some time searching for it but I don't think I fully understand it. Is it pretty much the same thing, except the AP is a physical device that needs to be plugged in physically (Ethernet cable and port) into an existing network, and the evil twin can be a computer or Raspberry Pi, only using Wi-Fi to connect to its victim and a legitimate AP? Is this somewhat correct or have I misunderstood it?

Azteca
Halvar Is

3 Answers

13

Yeah, but an Evil Twin is a kind of Rogue AP.

The most common Rogue AP is an illegitimate AP that is plugged into a network to create a bypass from outside into the legitimate network.

An Evil Twin is a copy of a legitimate AP. The target is different. It tries to hook clients into connecting to the fake network to steal information, but it is a kind of Rogue AP too. A lot of people are wrong about this. They think an Evil Twin is not a Rogue AP, but it is. Look at the definition on Wikipedia: Rogue AP. You can read there "... it is tagged as rogue access point of the second kind, which is often called an Evil Twin".

The Evil Twin also has "good" or "positive" usage. It can be used during a pentest over a corporate network to measure the "security education" or, better said, the users' security awareness. To see how many bite the lure.

OscarAkaElvis
  • Evil twin or Rogue AP are undetectable by the user or the device; they are basically an exploit of the [Wi-Fi roaming](https://en.wikipedia.org/wiki/Wi-Fi#Multiple_access_points) feature. Most devices, for simplicity, just connect to known networks. Actually there are techniques/courses to find rogue APs inside corporate networks. – Azteca Mar 02 '17 at 20:44
  • 2
    Not exactly. In an Evil Twin, you can "clone" a network but not entirely. I mean, it is supposed that you clone "almost all" network characteristics. For example, usually the SSID and the same channel are cloned, but the BSSID is usually cloned except for one digit. The reason is that an Evil Twin is usually launched at the same time as a DoS against the legitimate network to force users to disconnect. And your fake network can't be exactly the same or the clients of the fake network will be kicked too. So the user usually has to click voluntarily on the fake network as a consequence of the desperation of not having internet. – OscarAkaElvis Mar 02 '17 at 20:48
  • 1
    If you have doubts, check it out. Look at how known scripts do Evil Twin attacks: [airgeddon](https://github.com/v1s1t0r1sh3r3/airgeddon), [Linset](https://github.com/vk496/linset). You can check what I'm talking about! In addition, I'll say, usually you clone a network with security but you usually don't know the key of that Wi-Fi network. So the Evil Twin is different (an open network) from the one the victim users have saved in their devices. So the Evil Twin has a big "social engineering" component. – OscarAkaElvis Mar 02 '17 at 20:50
  • Should click what? In a network list almost always only the ESSID is listed, not the BSSID; the user doesn't even know about the Evil Twin, he only selects the "network name". Same channel? Why would you even do that? That might create interference; you only need more signal strength and hope for the configuration to have higher ["roaming aggressiveness"](http://www.intel.com/content/www/us/en/support/network-and-i-o/wireless-networking/000005546.html). – Azteca Mar 02 '17 at 21:02
  • Well... I was starting from the point of the Evil Twin already knowing the key of the network, hence the right encryption, hence merging with the original network. – Azteca Mar 02 '17 at 21:06
  • In an Evil Twin you try to trick the user, so that is the reason to use the same channel: to be as similar as possible. It is a usual practice in Evil Twins. Regarding the BSSID, exactly, the users usually don't know about that. That is the reason it is the only element that is almost, but not completely, equal. And the consequence of this is: if it is not 100% equal, there is no automatic connection for the users. – OscarAkaElvis Mar 02 '17 at 21:06
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/54712/discussion-between-azteca-and-oscarakaelvis). – Azteca Mar 02 '17 at 21:07
  • Anyway, even if you know the key of the network, you can't clone it 100% because, as I said, if you perform a DoS attack on the legitimate network it is going to affect your network too (same channel, BSSID, ESSID). The other option is, as you said, just having a better signal (which is usually very difficult) and not performing DoS... in that case they can connect automatically, but it is a very strange and uncommon scenario. – OscarAkaElvis Mar 02 '17 at 21:08
  • I call "BS" on an Evil Twin being considered a Rogue AP. The wiki article is not a "definition". It has no citation. In fact, the original version called it a "honeypot" until a single user edited it. There is no explanation. And that *discussion* point directly contradicts the lead paragraph of the article. So, quoting this wiki article as authoritative is dubious and not strong enough to stand on as justification, especially since the same article can be used to prove that an Evil Twin is *not* a Rogue AP. – schroeder Jun 29 '21 at 09:30
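The comments above describe what a defender can actually look for: a BSSID advertising the corporate SSID that is not in the AP inventory, a BSSID that differs from a real AP by a single hex digit, an open network impersonating a WPA2 SSID, and a clone sitting on the same channel as the real AP. The script below is an added example (not code from the question, the answers, or the tools linked above) that runs those checks over a Wi-Fi scan. The authorized inventory (`AUTHORIZED`), the `Bss` record layout and the scan results (`SCAN`) are all constructed for the example; in practice the scan would come from a wireless IDS or a controller's neighbour report.

```python
"""Flag rogue-AP / evil-twin candidates in a Wi-Fi scan (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bss:
    """One BSS seen in a scan (constructed record layout, not a real tool's)."""
    ssid: str
    bssid: str      # colon- or dash-separated MAC, any case
    channel: int
    security: str   # "OPEN", "WPA2", "WPA3", ...


@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    reasons: tuple  # human-readable reasons the BSS looks suspicious


def normalize_bssid(bssid: str) -> str:
    """Lower-case, colon-separated form so inventory and scan compare equal."""
    hexdigits = bssid.strip().lower().replace(":", "").replace("-", "")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {bssid!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def bssid_nibble_distance(a: str, b: str) -> int:
    """Number of hex digits that differ between two BSSIDs (0..12)."""
    ha = normalize_bssid(a).replace(":", "")
    hb = normalize_bssid(b).replace(":", "")
    return sum(1 for x, y in zip(ha, hb) if x != y)


def find_rogue_candidates(scan, authorized):
    """Return Findings for BSSes that use a managed SSID but are not ours.

    authorized maps SSID -> {"bssids": set, "security": str, "channels": set}.
    Foreign SSIDs (neighbours, cafes) are out of scope and are skipped.
    """
    findings = []
    for bss in scan:
        policy = authorized.get(bss.ssid)
        if policy is None:
            continue
        known = {normalize_bssid(b) for b in policy["bssids"]}
        seen = normalize_bssid(bss.bssid)
        if seen in known:
            continue  # a genuine, inventoried AP
        reasons = ["BSSID not in authorized inventory for this SSID"]
        if min(bssid_nibble_distance(seen, k) for k in known) == 1:
            reasons.append("BSSID differs from an authorized AP by one hex digit")
        if policy["security"] != "OPEN" and bss.security.upper() == "OPEN":
            reasons.append(f"open network impersonating a {policy['security']} SSID")
        if bss.channel in policy.get("channels", set()):
            reasons.append("same channel as an authorized AP")
        findings.append(Finding(seen, bss.ssid, tuple(reasons)))
    return findings


# Constructed inventory: two managed APs on channels 6 and 11, WPA2.
AUTHORIZED = {
    "corp-wifi": {
        "bssids": {"00:11:22:33:44:55", "00:11:22:33:44:66"},
        "security": "WPA2",
        "channels": {6, 11},
    },
}

# Constructed scan: one genuine AP, one near-clone, one neighbour, one stranger.
SCAN = [
    Bss("corp-wifi", "00:11:22:33:44:55", 6, "WPA2"),   # inventoried AP
    Bss("corp-wifi", "00-11-22-33-44-56", 6, "OPEN"),   # one digit off, open, ch 6
    Bss("guest-cafe", "aa:bb:cc:dd:ee:ff", 1, "OPEN"),  # not our SSID; ignored
    Bss("corp-wifi", "de:ad:be:ef:00:01", 3, "WPA2"),   # unknown BSSID only
]

if __name__ == "__main__":
    for f in find_rogue_candidates(SCAN, AUTHORIZED):
        print(f"{f.bssid} ({f.ssid}):")
        for reason in f.reasons:
            print(f"  - {reason}")
```

Only SSIDs in the inventory are examined, so the check answers "is someone impersonating our network?" rather than "is there an AP nearby?"; the single-digit BSSID rule is deliberately narrow so that ordinary neighbouring APs on the same SSID do not all get the same severity as a near-clone.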
4

You are correct

A rogue access point is specifically an AP inside a network that is not administered by the network owner, giving it unwanted access to the network.

An evil twin is a copy of a legitimate access point, not necessarily giving it access to a specific network or even to the internet. The wireless mode of these connections is ad-hoc; you can have an evil twin of your home network in a public park, just for the purpose of connecting your device to that network to do... evil things?

Azteca
1

I'll try to explain it my way, the way I understand it:

1) Rogue Access point

It is an AP on your device, which you use to perform a MiTM attack, redirecting traffic from targeted persons to the router through your device. As you are already inside their network, you don't need to advertise your AP as a decoy for others to connect to.

2) Evil twin

As opposed to the rogue AP, here the main directive is to get others to connect to your local network through your AP. Not their network but your network. So you make your AP visible to others and try to clone it as much as possible to look like it's their network, in order to trick people into associating with it. Usually this is an open network, because if the attacker had the password, he would go with option 1.

See the difference between the two? For the latter you are the king and owner, as opposed to the former, where you are just a pawn among pawns on a chessboard.

There is also a 3rd option where, similarly to the 2nd, an AP is set up as bait for people to connect to, but it is not targeted at a specific organization or people. Its purpose is to catch anyone trying to use free internet access, hence the term phishing. It is also an open network, just like an evil twin. You'll know when you see one...

user633551