WIFI-EVIL-TWINInitial Access

Evil Twin / Rogue AP

Spoof the corporate SSID with a stronger signal, present a captive portal — capture credentials from auto-connecting clients.

§ Where this technique fits

WIFI-EVIL-TWIN is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

IMSI catcher → force 2G downgrade → SMS / call intercept
Operate a rogue base station in the target area. Phones associate; force fallback to 2G where no mutual auth is required. Intercept SMS OTPs, sniff voice calls, push notifications fail silently.
step 2 / 5
Evil twin + captive portal → credential harvest
Spoof the corporate SSID with a stronger signal and a captive portal that looks like the company AD login. Auto-connecting clients submit creds to the attacker page.
step 2 / 5

§ What commonly comes next

01
Deauthentication DoS
WIFI-DEAUTH · Impact
seen 1×
02
IMSI Catcher / Stingray
5G-IMSI-CATCHER · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

IMSI catcher → force 2G downgrade → SMS / call intercept

Evil twin + captive portal → credential harvest

§ What commonly comes next