Credential Harvesting with Evil Twins
How an ESP32 can mimic Wi-Fi networks, hijack DNS, and harvest credentials via a fake portal.
Disclaimer
This post is intended for educational purposes. It does not include working attack code or instructions for flashing devices. Any testing should only be carried out on networks and equipment you own or are explicitly authorised to use. Attempting to use a tool like this without permission would contravene the UK Computer Misuse Act 1990 and may also breach GDPR.
Intro
Earlier this year I experimented with a handful of ESP‑based wireless projects, but most only scratched the surface of wireless attack techniques. I wanted to design my own custom tool to automatically clone a Wi‑Fi access point, trick nearby clients into connecting, and harvest credentials via a captive portal. In this post I'll walk through the entire thought process, architecture, and pseudocode for building a fully automated evil twin credential harvester using an ESP32 (ESP‑WROOM‑32 module).
Password reuse is alarmingly common. A recent survey found that 78 % of individuals use the same password on more than one account, with 52 % reusing it across at least three services, and even 4 % stretching one password across eleven or more sites. Analysis of over 200 breaches discovered that 94 % of leaked passwords had been reused on multiple platforms.
What this means in practice is that capturing credentials once via a rogue AP can grant attackers access to a far wider range of services (email, social media, banking sites), simply because many people never change or diversify their passwords.
What Is Credential Harvesting?
Credential harvesting is the practice of coercing or deceiving users into providing their login information (usernames, passwords, tokens, or other secrets) to an interface controlled by an attacker. In the wireless domain, this typically takes the form of a captive portal or fake login page that looks legitimate, prompting users to "authenticate" before granting network access. Once the user submits their details, those credentials are captured and stored by the attacker rather than used for any genuine authentication.
Key techniques:
- Form‑based Phishing
Presenting a login or registration form styled to mimic a trusted service. Common fields requested are email/username and password, but more elaborate schemes may also ask for two‑factor codes, security questions, or personal details.
- DNS Hijacking / Redirection
Redirecting all HTTP or DNS requests to the attacker's portal ensures that any attempt to browse (even to a news site) lands the user on the fake login page.
- Data Storage + Retrieval
Harvested credentials must be stored in such a way that the attacker can later retrieve and use them. In this project, I keep them in RAM in a simple array and render them on an admin dashboard.
What Is an Evil Twin?
An evil twin is a rogue Wi‑Fi access point configured to act as a legitimate network by broadcasting the same (or a very similar) SSID. When users have previously connected to a legitimate hotspot (for example, "CoffeeShop_WiFi"), their devices will automatically prioritize reconnecting to that SSID if the signal appears stronger or if the network is open. The attacker leverages this behaviour to silently intercept connections, inject malicious content, or present phishing portals.
Core aspects:
- SSID Spoofing
Configuring the rogue AP to broadcast exactly the same SSID (and optionally BSSID) so client devices cannot distinguish it from the real network.
- Signal Strength Manipulation
Placing the evil twin physically closer to victims, using higher‑gain antennas, or jamming the original network to force clients to roam to the rogue AP.
- Open vs. Secured Networks
An open evil twin (no WPA/WPA2) lowers the barrier to entry for victims. Even if the real network is secured, many users will connect to an open network with the same name.
- MitM and Traffic Inspection
Once clients connect, the attacker can perform a full man‑in‑the‑middle attack, routing traffic through packet sniffers, SSL‑stripping, and injecting payloads.
Conceptual Workflow of an Evil Twin Attack
Here's what an attacker's workflow might look like:
- Scan the airwaves: Identify nearby Wi-Fi networks.
- Choose a target SSID: Often the strongest or most familiar to nearby users.
- Broadcast a fake AP: Set up a new hotspot using that SSID.
- Redirect all traffic: Send DNS/HTTP requests to a local webserver.
- Present a portal: Display a deceptive login or registration page. Combined with DNS redirection, this ensures the page appears automatically when users attempt to browse.
- Capture inputs: Store usernames/passwords submitted.
- View results locally: Attacker checks harvested data.
Notice how each stage doesn't require sophisticated tools. It's the chaining together that makes it powerful.
Example Evil Twin Workflow (Pseudocode)
function main():
    initialise storage and network stack
    create Wi-Fi interfaces (station + access point)
    start in station mode to scan for networks
    results = perform_scan()
    if networks found:
        pick strongest SSID
    else:
        fallback to default SSID ("FreeWiFi")
    stop station mode
    start access point with chosen SSID
    enable DHCP + DNS redirection
    launch captive portal webserver
    while running:
        capture submitted credentials
        show connected clients + stored creds on admin dashboard

Supporting Tasks

dns_hijack_task():
    listen for DNS requests on port 53
    for each query:
        reply with captive portal IP (192.168.4.1)

portal_task():
    serve login/registration page
    on submission:
        record username/password into memory
        confirm with "success" page
Defensive Awareness
So, what can defenders and end-users do?
- Use WPA3 or enterprise authentication: Evil twin attacks are far less effective when certificates or mutual authentication are required.
- Be suspicious of open Wi-Fi: Avoid joining "Free WiFi" or duplicated SSIDs.
- Educate staff: Training employees not to enter credentials into unexpected captive portals is critical.
- Network monitoring: Wireless intrusion detection systems can flag duplicate SSIDs or unusual AP behaviour.
- Multi-factor authentication: Even if credentials are stolen, MFA can block reuse elsewhere.
Conclusion
The evil twin remains one of the most persistent Wi-Fi attack techniques because it exploits human trust and device convenience. The technical flow is simple (scan, clone, redirect, capture), but the defensive takeaways are just as clear:
- Secure Wi-Fi with modern authentication (WPA3/Enterprise).
- Educate users to challenge unexpected login prompts.
- Monitor networks for duplicates and rogue APs.
Every offensive technique teaches us how to build stronger defences.
Always use these techniques responsibly and on systems you own or have permission to test.