An evil twin attack does not require expensive hardware or advanced cryptography. A $30 USB adapter, a Raspberry Pi running hostapd-wpe, and five minutes in a parking garage is enough to intercept credentials from employees who connect automatically. Here is how these attacks work in 2026, what they leave behind in pcap, and how to build detection that actually catches them.
How Evil Twin Attacks Work in 2026
The core mechanic has not changed since 2004: broadcast a SSID that matches a legitimate network, convince a client device to associate, intercept or relay traffic. What has changed is the tooling, the scale of automation, and the way attackers handle WPA3 environments.
Captive-Portal Phishing
The most common variant in enterprise environments today does not attempt to crack WPA2 at all. Instead, the attacker broadcasts an open or WPA2-Personal twin of the corporate guest SSID, intercepts the association, and serves a convincing captive portal — frequently a pixel-perfect clone of the organization's SSO login page. Employees on mobile devices, conditioned to enter credentials on captive portals, comply. Tools like Wifiphisher and airgeddon automate the entire flow: deauth the client from the real AP, serve the fake portal, harvest credentials, and exfiltrate over LTE. The attacker is gone before anyone notices.
KARMA-Style Responders
KARMA exploits the 802.11 probe request mechanism. When a client has previously joined a network, it periodically broadcasts that SSID in probe requests. A KARMA responder — implemented in hostapd-wpe, the WiFi Pineapple Mark VII, and the Hak5 Signal Owl — answers every probe request, claiming to be whatever network the client is looking for. In a conference room or hotel lobby, a single KARMA device can harvest association attempts from dozens of client devices simultaneously. In enterprise environments, the threat is highest in common areas where employees use personal devices that carry home and coffee-shop SSIDs in their preferred network lists.
WPA3 Downgrade Attempts
WPA3-SAE (Dragonfly) eliminates the offline-crackable four-way handshake. Attackers have adapted: they broadcast a WPA2-only twin of the same SSID. If the AP is running WPA3 Transition Mode (mixed WPA2/WPA3) and the client's supplicant does not enforce WPA3, the client may associate with the WPA2 twin. The attacker captures a standard PMKID or EAPOL handshake and attacks it offline. The countermeasure — Transition Disable, specified in IEEE 802.11-2020 — instructs clients to stop connecting to WPA2 variants of the same SSID after successfully authenticating via WPA3 once. However, as of early 2026, fewer than 40% of enterprise APs have Transition Disable enabled in their default profiles.
WPA3 Transition Mode is not WPA3 security. If your APs advertise both WPA2 and WPA3 on the same SSID and you have not enabled Transition Disable, your clients can be downgraded by any attacker with a $30 USB adapter. Audit this before assuming WPA3 deployment equals WPA3 protection.
Detection Signals in PCAP
You do not need a dedicated WIDS sensor to find evil twin indicators. A 15-minute passive capture with a monitor-mode adapter gives you enough data to identify several high-confidence signals. Here is what to look for.
Duplicate BSSIDs on Multiple Channels
A legitimate AP has one BSSID per radio. If your capture shows the same BSSID appearing on channel 6 and channel 11 simultaneously — or the same BSSID advertising different capabilities in successive beacon frames — that is a near-certain evil twin. Legitimate channel changes involve disassociation and reassociation, not simultaneous multi-channel presence.
Beacon Timing Anomalies
802.11 beacons are transmitted at a fixed interval, typically 100 TUs (102.4 ms). A legitimate AP's beacon interval is consistent. An evil twin running on a laptop or Pi under load will show jitter — inter-beacon intervals varying by more than 5–10 ms — because the host OS is not a real-time system. Look for standard deviation in beacon intervals greater than 8 ms as a soft indicator, especially combined with other signals.
RSSI Discontinuities
If a BSSID your sensors have been tracking at a stable –65 dBm suddenly appears at –45 dBm from the same sensor, something physically moved closer or a second transmitter appeared. Cross-reference against the AP's known MAC OUI: a Cisco or Aruba OUI at –65 dBm and a Realtek or Ralink OUI at –45 dBm claiming the same BSSID is a clear compromise signal.
Probe Response KARMA Signature
A KARMA device responds to directed probe requests for any SSID. In pcap this appears as a single BSSID sending probe responses advertising dozens of different SSIDs within a short window — no legitimate AP does this. Filter on wlan.fc.type_subtype == 0x05 (probe response) grouped by BSSID and count distinct SSIDs per BSSID per minute. More than three is suspicious; more than ten is definitive.
# Detect KARMA: BSSIDs responding to many distinct SSIDs
tshark -r capture.pcapng \
-Y "wlan.fc.type_subtype == 0x05" \
-T fields \
-e wlan.ta \
-e wlan_mgt.ssid \
| sort | uniq | awk '{count[$1]++} END {for (b in count) if (count[b]>3) print b, count[b], "SSIDs — possible KARMA"}'
# Detect duplicate BSSID on multiple channels
tshark -r capture.pcapng \
-Y "wlan.fc.type_subtype == 0x08" \
-T fields \
-e wlan.bssid \
-e wlan_radio.channel \
| sort | uniq | awk '{ch[$1]=ch[$1]" "$2} END {for (b in ch) {n=split(ch[b],a," "); if (n>1) print b, "on channels:", ch[b]}}'WIDS Platform Options
Purpose-built Wireless Intrusion Detection Systems give you continuous monitoring rather than point-in-time captures. Here is how the main options compare for enterprise deployments.
| Platform | Detection model | Rogue AP detection | Approx. cost |
|---|---|---|---|
| Aruba AirWave | Dedicated sensor + AP scanning | BSSID spoofing, channel conflict, RSSI triangulation | $15k–$50k+ (on-prem) |
| Cisco CMX / Catalyst Center | Integrated AP scanning | Rogue AP classification, containment, location | Included with Catalyst license |
| Zebra / Extreme AirDefense | Dedicated overlay sensors | Evil twin, KARMA, deauth flood detection | $20k–$80k+ depending on scale |
| Kismet (open source) | Passive sensor-based | BSSID conflict, probe anomaly, OUI mismatch | Free (hardware + ops cost) |
| wifiaudit.io API | Point-in-time pcap analysis | Duplicate BSSID, beacon jitter, KARMA signature, downgrade indicators | From $0 (3 audits free) |
Kismet for Budget-Constrained Teams
Kismet is the strongest open-source option for teams who cannot justify a $30k WIDS budget. A Raspberry Pi 4 with an Alfa AWUS036AXML adapter makes a capable passive sensor. Kismet logs to JSON and SQLite, which you can query directly or feed into a SIEM. Its default alert set covers BSSIDSPOOFED, CHANNELCHANGE, APSPOOF, and PROBENOJOIN — all relevant to evil twin detection. The operational cost is sensor management and alert tuning; in a noisy RF environment expect to spend time filtering false positives from co-channel neighbors.
# Start Kismet with a monitor-mode interface and log to /data
kismet -c wlan0mon \
--log-prefix /data/kismet/site-$(date +%F) \
--log-types kismet,pcapng,alerts
# Query Kismet SQLite log for BSSID spoof alerts
sqlite3 /data/kismet/site-2026-04-14.kismet \
"SELECT ts_sec, header, text FROM alerts WHERE header LIKE '%SPOOF%' OR header LIKE '%KARMA%' ORDER BY ts_sec DESC LIMIT 20;"Aruba AirWave and Cisco CMX
Both platforms use your existing AP infrastructure as distributed sensors. Aruba AirWave's Rogue AP Detection classifies every detected BSSID as Authorized, Rogue, or Interfering based on OUI whitelists, wired-side MAC correlation, and RF fingerprinting. Cisco Catalyst Center's Rogue Management adds automatic containment — sending deauth frames to clients of confirmed rogues — which is aggressive but effective in controlled environments. Both platforms cost significantly more than open-source alternatives but integrate directly into existing change-management workflows and generate audit-ready reports.
Containment requires careful scoping. Aruba and Cisco's automatic deauth-based rogue containment is effective but can interfere with neighboring networks operating on the same channel. Verify your legal authorization covers containment actions before enabling it, particularly in multi-tenant buildings.
What the wifiaudit.io Report Flags
When you upload a pcap from a site survey or continuous sensor to the wifiaudit.io API, the analysis engine runs a dedicated rogue AP detection module in addition to the standard credential-security checks. Specifically, the report surfaces:
- Duplicate BSSID alert — any BSSID observed on more than one channel within the capture window, with the channel pair and timestamps logged
- Beacon interval jitter — inter-beacon standard deviation exceeding 8 ms, reported per BSSID with a severity rating
- KARMA signature — BSSIDs responding to more than three distinct SSIDs in probe responses, with a full list of SSIDs claimed
- OUI mismatch — where a BSSID's OUI does not match any registered AP vendor (Cisco, Aruba, Ubiquiti, Ruckus, etc.), flagged as an unmanaged transmitter
- WPA3 downgrade indicator — cases where the same SSID appears with both WPA3-SAE and WPA2-PSK capability advertisements from different BSSIDs, indicating a possible downgrade twin
- Management frame anomalies — deauth storms (more than 20 deauth frames to the broadcast address within 60 seconds) that commonly precede evil twin association attempts
Each finding maps to a remediation recommendation and a severity score. The PDF output is structured to satisfy NIS2 Article 21(2)(i) requirements for network security monitoring documentation and maps to ISO 27001:2022 Annex A 8.20 (network security).
# Upload a site survey pcap for evil twin / rogue AP analysis
curl -X POST https://api.wifiaudit.io/api/v1/jobs \
-H "X-API-Key: wai_YOUR_KEY" \
-F "file=@site-survey-2026-04-14.pcapng" \
-F "ssid=CorpWifi" \
-F "organization=Acme Corp HQ" \
-F "checks=rogue_ap,evil_twin,karma,downgrade"
# Retrieve report PDF once status == "completed"
curl https://api.wifiaudit.io/api/v1/jobs/JOB_ID/report \
-H "X-API-Key: wai_YOUR_KEY" \
-o "AcmeCorp-RogueAP-Report-2026-04-14.pdf"Hardening Recommendations
Detection is necessary but not sufficient. These controls reduce the attack surface before an evil twin can operate effectively:
- Enable WPA3-only mode and Transition Disable on all corporate SSIDs. Force clients to forget legacy WPA2 profiles via MDM policy push.
- Deploy 802.1X (EAP-TLS) on corporate SSIDs rather than PSK. A RADIUS-backed network cannot be cloned without the RADIUS infrastructure — an evil twin gets only an association attempt, not usable credentials.
- Purge guest SSIDs from corporate device preferred network lists via MDM. Employees should never auto-join open or PSK guest networks on managed devices.
- Schedule quarterly pcap-based audits to catch new rogue devices that were added after the last WIDS baseline was set.
- Alert on new BSSIDs advertising your corporate SSID — most enterprise WIDS platforms support this as a built-in rule. If yours does not, a Kismet alert configuration or a weekly API-based scan achieves the same result at lower cost.
FAQ
What is the difference between a rogue AP and an evil twin?
A rogue AP is any unauthorized access point connected to or broadcasting near your network — could be an employee's mobile hotspot or a forgotten device in a conference room. An evil twin is a deliberate attack: an adversary broadcasts the same SSID and a cloned or spoofed BSSID as a legitimate AP to lure clients into associating with attacker-controlled hardware and interposing on their traffic.
Can WPA3 networks be evil-twinned?
WPA3-only networks are significantly harder to evil-twin because SAE (Dragonfly) does not expose an offline-crackable handshake. However, attackers in 2026 commonly use downgrade attacks: they broadcast a WPA2-only evil twin of the same SSID. Legacy clients or misconfigured supplicants may associate with the weaker network. The fix is to enforce WPA3-only in client profiles and enable Transition Disable on APs that support it.
Does Kismet detect evil twins out of the box?
Kismet detects SSID/BSSID conflicts and logs beacon anomalies by default. It will alert on a BSSID seen on two channels simultaneously and on new APs advertising a known SSID from an unexpected OUI. However, Kismet requires dedicated sensor hardware and tuning to reduce false positives in dense RF environments. For point-in-time audits, uploading a pcap to the wifiaudit.io API gives you a structured, reportable result without maintaining persistent sensor infrastructure.
How does KARMA differ from a classic evil twin attack?
A classic evil twin targets a specific known SSID. KARMA-style attacks exploit the 802.11 probe request mechanism: clients broadcast the SSIDs of networks they have previously joined. A KARMA responder answers every probe request, claiming to be whatever network the client is looking for. Tools like hostapd-wpe and the built-in KARMA mode in WiFi Pineapple automate this. Detection focuses on an AP responding to probe requests for many different SSIDs simultaneously — a strong anomaly signal clearly visible in pcap.
Find Rogue APs Before Attackers Use Them
Upload a pcap from your next site survey and get a structured rogue AP and evil twin detection report in minutes. No WIDS infrastructure required.
Get API Key — 3 Audits Free