Clone a Specific BSSID and ESSID for the Rogue AP


Introduction

In this lab, you will explore a fundamental technique used in Wi-Fi security assessments: creating a rogue Access Point (AP). A rogue AP is an unauthorized access point installed on a network. A common type of rogue AP is an "Evil Twin," which mimics a legitimate AP by copying its name (ESSID) to trick users into connecting to it.

We will use Fluxion, a popular security auditing tool, to automate this process. You will learn how to launch an attack that creates a rogue AP, see how Fluxion automatically clones the target's ESSID, and then use other tools to verify the properties of your newly created rogue AP, specifically its BSSID (MAC address).

This lab operates in a simulated Wi-Fi environment. You will interact with pre-configured virtual wireless networks for educational purposes.

Start any Fluxion Attack that Creates an AP

In this step, you will begin by launching the Fluxion tool. Fluxion is a script-based tool, so you'll need to navigate to its directory and execute it with the correct permissions.

First, open a terminal and change into the fluxion directory that was cloned into your home directory for you.

cd ~/fluxion

Next, run the Fluxion script with sudo. Root privileges are required because Fluxion puts the wireless interface into monitor mode, injects frames, and starts services such as hostapd for the rogue AP.

sudo ./fluxion.sh

Upon running the script, Fluxion will first check for missing dependencies. If everything is in order, it will ask you to choose a language. Press 1 for English and then press Enter.

[+]========================================================================[+]
[+]                                F L U X I O N                             [+]
[+]========================================================================[+]
[+] By:    Delta(Δ)                                                          [+]
[+]========================================================================[+]
[+] Version: 6.9                                                             [+]
[+]========================================================================[+]
[*] Checking for dependencies...
[+] All dependencies are installed.
[+]========================================================================[+]
[+] Select a language.
[+]========================================================================[+]
[1] English
...
[#] Please select your language: 1

After selecting the language, you will be presented with a list of available attacks. For this lab, we will use the Captive Portal attack, as it involves creating a fake Access Point. Type 1 and press Enter to select it.

Ensure the Target Network is Selected

In this step, Fluxion will scan for available wireless networks and you will need to select the one you wish to target. This is a critical step because all subsequent actions, including cloning the ESSID, will be based on this selection.

After you choose the Captive Portal attack in the previous step, Fluxion will ask you to select a wireless adapter to scan for targets. You should see a virtual adapter listed, likely wlan1. Select it by typing its number and pressing Enter.

Fluxion will then start scanning for networks on all channels. After a few moments, it will display a list of detected networks. In our simulated environment, you should see a network named TargetNetwork.

[+]========================================================================[+]
[+] Select a target network.                                                 [+]
[+]========================================================================[+]
[#] BSSID              CH  PWR  ENC     ESSID
--- -----------------  --  ---  ------  --------------------
[1] 00:11:22:33:44:55  6   -20  WPA2    TargetNetwork
...
[+]========================================================================[+]
[+] Stop scan (s) Rescan (r) Select (1-...) Exit (x)
[+]========================================================================[+]
[#] Awaiting input...

To select the target, type the corresponding number (in this case, 1) and press Enter. Fluxion will then lock onto this target for the remainder of the attack.

Proceed to the Access Point Creation Step

In this step, you will continue through the Fluxion menu to reach the point where it creates the rogue Access Point.

After selecting the target network, Fluxion will ask you to choose an attack method against it. We will use the FakeAP - Hostapd method, which is generally reliable. Select this option by typing its number and pressing Enter.

Next, Fluxion will ask for a path to store handshakes. You can simply press Enter to accept the default location.

Then, you will be asked to choose a method for verification. Select pyrit.

After that, you'll be prompted to choose how often to check for a handshake. Select checked on-the-go.

Finally, you will choose a method for creating the rogue AP. Select Hostapd again.

You will then be asked to select a Captive Portal page. Any option will work for this lab's purpose. Select the first option, Generic (Default).

After these selections, Fluxion will have all the information it needs and will be ready to launch the rogue AP.

Verify Fluxion Automatically Clones the ESSID

In this step, you will observe that Fluxion has automatically used the target's name (ESSID) for the rogue AP it is about to create. You will then use an external tool to confirm its presence.

At this point, Fluxion will display a summary of the attack parameters. Notice that the ESSID is automatically set to TargetNetwork, the name of the network you selected earlier. This confirms that Fluxion clones the ESSID by default.

Now, let's verify this from an outside perspective. The Fluxion attack is running in your current terminal. You need to open a new terminal to perform the next command. You can do this by using the terminal's menu (File -> Open Tab) or a keyboard shortcut.

In the new terminal tab, use airodump-ng to scan for wireless networks. You will need to specify the monitor mode interface, which is likely wlan1mon or a similar name created by Fluxion; if you are unsure of the name, running iw dev lists every wireless interface together with its current type (monitor or managed).

sudo airodump-ng wlan1mon

Look at the output. You should now see two networks with the ESSID TargetNetwork. One is the original simulated AP, and the other is the rogue AP you just created with Fluxion. This confirms the ESSID has been successfully cloned. Note the ENC column as well: the original network is WPA2, while the captive-portal rogue AP is open (OPN), because Fluxion needs victims to be able to associate without the passphrase.

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:11:22:33:44:55  -25       10        0    0   6  54e  WPA2 CCMP   PSK  TargetNetwork
 XX:XX:XX:XX:XX:XX  -30        8        0    0   6  54e. OPN              TargetNetwork

(Note: The XX:XX:XX:XX:XX:XX is a placeholder for the MAC address of your rogue AP.)

You can leave this scan running for the next step.

Use an External Tool to Confirm the Rogue AP's BSSID is Different

In this step, you will analyze the output from airodump-ng to check the BSSID of the rogue AP. The BSSID is the unique MAC address of an access point's radio.

Look at the airodump-ng output in your second terminal. Focus on the BSSID column for the two networks named TargetNetwork.

You will notice:

  1. The original TargetNetwork has its original BSSID (00:11:22:33:44:55).
  2. Your new rogue TargetNetwork advertises a different BSSID of its own, not the target's.

This demonstrates a key point: by default, Fluxion clones the human-readable ESSID but does not clone the target's BSSID, so the two beacons differ in their source address (and, in this attack, in their security settings: the original is WPA2, the rogue is open). Those differences are what wireless intrusion detection systems and attentive users rely on to tell a real AP from an Evil Twin. Be aware of the limits of the check, though: a BSSID is set in software and an attacker can spoof it to match the target, so a BSSID comparison alone is not conclusive. It is most useful against an inventory of authorized BSSIDs, combined with the encryption type and channel the real network is known to use.
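To turn the manual comparison above into a repeatable check, here is an added Python example (it is not part of Fluxion, aircrack-ng, or this lab). It parses the CSV file that airodump-ng writes when run with -w and --output-format csv, lists ESSIDs advertised by more than one BSSID, and compares every managed ESSID against an inventory of authorized BSSIDs and the encryption it should use. The embedded CSV is constructed to mirror the lab output; the rogue BSSID 02:11:22:33:44:66, the timestamps, and the Guest network are invented for the example.

```python
"""Flag Evil Twin candidates in an airodump-ng CSV capture.

Added example for this lab; not Fluxion or aircrack-ng code. Assumes
airodump-ng was run as `airodump-ng -w capture --output-format csv wlan1mon`,
which produces capture-01.csv in the layout parsed below.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample modelled on the lab's airodump-ng screen. The rogue
# BSSID 02:11:22:33:44:66, the timestamps and the Guest row are invented.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, # ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -25,       10,        0,   0.  0.  0.  0,  13, TargetNetwork,
02:11:22:33:44:66, 2024-01-01 10:03:00, 2024-01-01 10:05:00,  6,  54, OPN, , , -30,        8,        0,   0.  0.  0.  0,  13, TargetNetwork,
AA:BB:CC:DD:EE:FF, 2024-01-01 10:00:00, 2024-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -60,       12,        0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

# Inventory of networks we manage: ESSID -> (approved BSSIDs, expected Privacy).
AUTHORIZED = {"TargetNetwork": ({"00:11:22:33:44:55"}, "WPA2")}


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str
    power: int
    essid: str


def parse_airodump_csv(text: str) -> list[AccessPoint]:
    """Return the access-point rows of an airodump-ng CSV file.

    The file holds two tables separated by a blank line: access points, then
    stations. Only the first is read. Columns 0-12 are fixed; the ESSID is
    everything between them and the trailing Key column, so an ESSID that
    itself contains commas is reassembled instead of being truncated.
    """
    aps: list[AccessPoint] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line.startswith("BSSID,")
            continue
        if not line:  # blank line ends the AP table
            break
        parts = raw.split(",")
        if len(parts) < 15:  # malformed row
            continue
        fixed = [p.strip() for p in parts[:13]]
        essid = ",".join(parts[13:-1]).strip()
        aps.append(AccessPoint(bssid=fixed[0].upper(), channel=int(fixed[3]),
                               privacy=fixed[5], power=int(fixed[8]), essid=essid))
    return aps


def duplicate_essids(aps: list[AccessPoint]) -> dict[str, list[str]]:
    """ESSIDs seen from more than one BSSID. Legitimate multi-AP networks do
    this too, so treat a hit as a lead to check against the inventory."""
    seen: dict[str, set[str]] = {}
    for ap in aps:
        seen.setdefault(ap.essid, set()).add(ap.bssid)
    return {e: sorted(b) for e, b in seen.items() if len(b) > 1}


def find_evil_twins(aps: list[AccessPoint], authorized: dict) -> list[tuple[str, AccessPoint]]:
    """Flag APs advertising a managed ESSID from an unapproved BSSID or with
    the wrong security type. A BSSID can be spoofed, so an allowlist match is
    not proof of legitimacy; the security mismatch (expected WPA2, saw OPN)
    is the stronger signal, since a client with a saved WPA2 profile will not
    auto-join an open twin even though a person might accept its portal."""
    findings = []
    for ap in aps:
        if ap.essid not in authorized:
            continue
        approved, expected_privacy = authorized[ap.essid]
        if ap.bssid not in approved:
            findings.append(("unknown BSSID for managed ESSID", ap))
        if ap.privacy != expected_privacy:
            findings.append((f"security mismatch: expected {expected_privacy}, saw {ap.privacy}", ap))
    return findings


if __name__ == "__main__":
    aps = parse_airodump_csv(SAMPLE_CSV)
    for essid, bssids in duplicate_essids(aps).items():
        print(f"[dup] {essid!r} advertised by {len(bssids)} BSSIDs: {', '.join(bssids)}")
    for reason, ap in find_evil_twins(aps, AUTHORIZED):
        print(f"[!!] {ap.bssid} ch{ap.channel} {ap.privacy:<4} {ap.essid!r}: {reason}")
```

Run it against the CSV from your own airodump-ng session by replacing SAMPLE_CSV with the file contents; in this lab the rogue AP should be reported twice, once for its unapproved BSSID and once for advertising TargetNetwork as an open network.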

Once you have observed this difference, you can stop the tools.

  1. In the second terminal (running airodump-ng), press Ctrl+C to stop the scan.
  2. Switch back to the first terminal (running fluxion) and press Ctrl+C to stop the attack and exit Fluxion.

You have successfully created a rogue AP and verified its properties.

Summary

In this lab, you gained hands-on experience with the Fluxion tool to create a rogue Access Point. You walked through the process of selecting a target network and launching a Captive Portal attack, which automatically creates a fake AP.

You learned two key concepts:

  • Fluxion automatically clones the ESSID (the network name) of the target to make the rogue AP appear legitimate to users.
  • By default, Fluxion does not clone the BSSID (the hardware MAC address); the rogue AP advertises a BSSID of its own, which is one of the properties a detector can compare against the real network.

You used airodump-ng as an external verification tool to observe both of these facts in a simulated environment. This knowledge is fundamental to understanding how "Evil Twin" attacks work and how they can be detected.