
Hacking (redacted) PUBLIC WiFi with a Raspberry Pi and Kali Linux

NetworkChuck

Based on NetworkChuck's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

An evil twin attack can be built by broadcasting a fake SSID, using DHCP to assign IPs, and using DNS spoofing to redirect domains to an attacker-controlled server.

Briefing

A credit-card-sized Raspberry Pi running Kali Linux can impersonate a public Wi‑Fi network and then manipulate victims’ web traffic—making “free Wi‑Fi” at places like coffee shops and airports a direct privacy risk. The core technique is an “evil twin” attack: the attacker broadcasts a fake access point with the same or similar network name (SSID) as the legitimate hotspot, lures devices to connect, and then uses DNS spoofing to reroute popular domains to attacker-controlled pages.

The walkthrough begins with the attacker putting a wireless interface into monitor mode and running airodump-ng (from the Aircrack-ng suite) to identify nearby networks and the clients attached to them. With that information, the attacker turns the Raspberry Pi into a rogue access point with hostapd, while a DHCP server on the Pi assigns victims IP addresses on the attacker's network and, through the same DHCP lease, hands them the Pi as their DNS resolver. DNSChef then performs the DNS spoofing: when a victim tries to reach a targeted site such as starbucks.com, the answer points at a web server hosted on the Pi instead of the real address, while queries for other names are passed upstream so the connection keeps working. The victim believes they are browsing the real site, while the attacker sees every name the victim looks up and can harvest whatever is typed into the fake page. One caveat the video does not dwell on: the redirect lands cleanly only for plain-HTTP sites or a hostname typed by hand, because a browser that already knows the site over HTTPS (and via HSTS) will refuse the Pi's server, which cannot present a valid certificate for the domain.
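The resolver logic at the centre of that chain, and of the Cornell Notes question on DNS spoofing below, as an added illustration that is not DNSChef's code or anything from the video: parse the victim's A query, forge an answer for targeted names that points at the Pi, and return nothing for every other name so the caller forwards it upstream. The SPOOF_TABLE entries, the 10.0.0.1 address and the packet bytes are constructed for the example.

```python
"""DNS spoofing as a rogue resolver does it (the role DNSChef plays in the
video): answer queries for targeted names with the attacker's own address,
and pass every other query through to a real resolver. Added illustration,
not DNSChef's code. SPOOF_TABLE and the packet bytes are constructed."""
import struct

# Hypothetical: the Pi's address on the rogue LAN, where the fake site runs.
SPOOF_TABLE = {"starbucks.com": "10.0.0.1", "www.starbucks.com": "10.0.0.1"}


def build_query(name, txid=0x1234):
    """Minimal DNS A query for `name`, as a victim's stub resolver would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, IN


def parse_question(pkt):
    """Return (txid, name, qtype, raw_question_section) or raise on bad input."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated qname")
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question not supported")
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(pkt):
        raise ValueError("truncated qtype/qclass")
    qtype, = struct.unpack("!H", pkt[pos:pos + 2])
    return txid, ".".join(labels).lower(), qtype, pkt[12:pos + 4]


def spoof_response(query):
    """Forged A response for a targeted name; None means 'forward upstream'."""
    txid, name, qtype, question = parse_question(query)
    if qtype != 1 or name not in SPOOF_TABLE:
        return None
    # Flags 0x8180: response, recursion desired + available, NOERROR.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    ip = bytes(int(o) for o in SPOOF_TABLE[name].split("."))
    # Answer name is a compression pointer (0xC00C) back to the question name.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ip
    return header + question + answer


def answer_ip(response):
    """Dotted-quad from the single A record a spoof_response() packet carries."""
    return ".".join(str(b) for b in response[-4:])
```

The transaction ID and question section are copied from the query, which is all a stub resolver checks before accepting the answer; that is why a resolver the attacker controls can forge replies freely, and why DNS over HTTPS/TLS or a VPN that tunnels DNS removes this position from the attacker.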

To demonstrate impact, the attacker sets the fake SSID to "Starbucks," then runs a web server on the Pi and shows that the rogue resolver's query log reveals the exact hostnames being visited. The DNS spoofing is shown working in practice: starbucks.com no longer resolves to the real Starbucks site but to the attacker's server. The same approach is described as reusable for other brands and domains, since the mechanism depends only on controlling DNS once the victim has joined the rogue network.

The defense portion centers on VPN use. A victim who installs and launches NordVPN while still connected to the attacker's fake Wi‑Fi sees the attacker's DNS view collapse into a "ghost town," because the victim's DNS queries and web traffic now travel inside the encrypted tunnel to the VPN provider, so the Pi's resolver never receives them and cannot answer them. The demonstration also claims that once the VPN is active, DNS spoofing attempts no longer succeed for targeted sites. This holds only as long as the VPN client routes DNS through the tunnel (a leaking client still asks the Pi); the attacker can still see that the victim is talking to a VPN endpoint, just not what passes through it.

The attack playbook expands beyond evil twins. A second scenario uses a deauthentication attack to force a device off the legitimate Wi‑Fi and onto a stronger fake network broadcasting the same SSID on the same channel. By sending deauthentication frames, the attacker makes the client drop its association, after which the device automatically reconnects to the strongest matching access point, the rogue one, and DHCP and DNS spoofing again enable domain impersonation. The trick works because deauthentication is an unauthenticated management frame, so the client cannot tell the attacker's copy from the router's; on networks with 802.11w Protected Management Frames enabled, clients discard such forged frames.
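What such a frame actually contains, and how a wireless monitor can tell a deauth flood from the occasional legitimate deauth an access point sends, as an added example that is not the video's commands and not aireplay-ng's code. The MAC addresses and timestamps are constructed; the threshold of ten frames per second is an assumption for the example.

```python
"""802.11 deauthentication frames: how one is built (what aireplay-ng sends)
and how a monitor can flag a flood of them. Added example, not the video's
commands; MAC addresses and timestamps below are constructed."""
import struct
from collections import defaultdict


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dest, bssid, seq=0, reason=7):
    """Management frame, subtype 12. addr1 = victim (or ff:ff:ff:ff:ff:ff to
    kick everyone), addr2 = addr3 = the BSSID being impersonated. Reason 7 is
    'class 3 frame received from non-associated station'."""
    frame_control = b"\xc0\x00"               # version 0, type 0 (mgmt), subtype 12
    duration = struct.pack("<H", 0x013A)
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)
    return (frame_control + duration + mac(dest) + mac(bssid) + mac(bssid)
            + seq_ctrl + struct.pack("<H", reason))


def parse_deauth(frame):
    """Return a dict for a deauth frame, None for any other frame."""
    if len(frame) < 26:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype != 12:
        return None
    reason, = struct.unpack("<H", frame[24:26])
    return {"dest": fmt_mac(frame[4:10]), "bssid": fmt_mac(frame[16:22]),
            "reason": reason}


def detect_deauth_flood(capture, threshold=10, window=1.0):
    """capture: iterable of (timestamp_seconds, raw_frame). Returns the set of
    BSSIDs that sourced >= threshold deauth frames inside any `window` seconds.
    A real AP deauthenticates a client rarely; dozens per second is an attack."""
    times = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed:
            times[parsed["bssid"]].append(ts)
    flagged = set()
    for bssid, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(bssid)
                break
    return flagged
```

The detector sees only what is on the air; it cannot tell whether the clients honoured the frames. That is the point of 802.11w: a client with Protected Management Frames negotiated drops a deauth that is not integrity-protected, so the flood above becomes noise rather than a disconnect.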

Finally, the transcript describes ARP spoofing (via Ettercap) as a different route to interception on an existing network. Instead of running a fake Wi‑Fi, the attacker positions the Pi as a man-in-the-middle by poisoning ARP caches: the victim is told the router's IP address lives at the attacker's MAC, and the router is told the same about the victim's IP address, so both send their frames to the Pi. With traffic routed through the attacker, DNS spoofing and content redirection can again be applied. ARP carries no authentication, which is why unsolicited replies are simply believed. The VPN is presented as the consistent countermeasure: once NordVPN is connected, the attacker can't see or manipulate the victim's traffic as before.
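The forged reply Ettercap sends, and the arpwatch-style check a defender can run on the same wire, as an added example that is not Ettercap's code or anything from the video. All MAC and IP addresses are constructed; the detector keeps only the last binding seen per IP, which is enough to catch the flip a poisoning run produces.

```python
"""ARP cache poisoning: the forged reply Ettercap sends to the victim, and an
arpwatch-style monitor that flags a gateway IP whose MAC suddenly changes.
Added example, not Ettercap's code; all addresses are constructed."""
import struct


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip4(text):
    return bytes(int(o) for o in text.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (opcode 2) that asserts
    'sender_ip is at sender_mac'. Poisoning the victim means sender_ip is
    the router's IP while sender_mac is the attacker's interface."""
    eth = mac(target_mac) + mac(sender_mac) + b"\x08\x06"        # dst, src, type=ARP
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)              # Ethernet/IPv4, reply
           + mac(sender_mac) + ip4(sender_ip) + mac(target_mac) + ip4(target_ip))
    return eth + arp


def parse_arp(frame):
    """Decode an ARP-over-Ethernet frame; None if it is something else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": fmt_mac(frame[22:28]),
            "sender_ip": ".".join(map(str, frame[28:32])),
            "target_mac": fmt_mac(frame[32:38]),
            "target_ip": ".".join(map(str, frame[38:42]))}


class ArpWatch:
    """Tracks IP -> MAC bindings seen on the wire. A binding that flips is the
    classic poisoning signature; managed switches make the same comparison
    against their DHCP snooping table when Dynamic ARP Inspection is on."""

    def __init__(self):
        self.table = {}

    def observe(self, frame):
        """Return an alert string when a known IP shows up with a new MAC."""
        p = parse_arp(frame)
        if p is None:
            return None
        ip, seen = p["sender_ip"], p["sender_mac"]
        previous = self.table.get(ip)
        self.table[ip] = seen
        if previous is not None and previous != seen:
            return f"ARP binding changed for {ip}: {previous} -> {seen}"
        return None
```

A static ARP entry for the gateway on the victim host defeats the poisoning outright, since the kernel then ignores unsolicited replies for that IP; the monitor above is for the case where you cannot change the hosts but can watch the segment.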

Overall, the message is blunt: connecting to public Wi‑Fi without a VPN leaves devices exposed to network impersonation, DNS redirection, and man-in-the-middle interception—attacks that can be executed with commodity hardware and common security tools.

Cornell Notes

A Raspberry Pi with Kali Linux can carry out "evil twin" Wi‑Fi attacks by broadcasting a fake SSID, handing out IP addresses via DHCP, and redirecting websites through DNS spoofing (using tools like airodump-ng, hostapd, and DNSChef). Once a victim connects, the attacker can observe browsing and impersonate domains such as starbucks.com by routing them to an attacker-hosted web server. The transcript then shows that NordVPN blocks these outcomes: the attacker's DNS visibility drops and targeted sites resolve correctly when the VPN is active. It also adds deauthentication attacks to force reconnection to the rogue AP and ARP spoofing (Ettercap) to intercept traffic on a real network via man-in-the-middle positioning. The practical takeaway is that VPN encryption is the main protection when Wi‑Fi trust is misplaced.

How does an “evil twin” attack lure a victim onto an attacker-controlled network?

The attacker sets up a rogue access point on a Raspberry Pi using hostapd and broadcasts an SSID designed to match or resemble the real hotspot (e.g., "Starbucks"). After the victim connects to this fake network, the attacker's DHCP server assigns the victim an IP address on the attacker's LAN and names the Pi as the victim's DNS resolver. Because the Wi‑Fi name looks legitimate and the Pi forwards traffic upstream so the victim still has internet access, the connection appears normal, and every subsequent lookup and connection passes through hardware the attacker controls.

What role does DNS spoofing play after the victim connects to the fake Wi‑Fi?

DNS spoofing determines where domain names resolve. Using DNSChef, the attacker answers queries for targeted names such as starbucks.com with the address of the attacker's own web server on the Raspberry Pi, while other names are resolved normally so nothing looks broken. The transcript emphasizes that this can make victims land on attacker-controlled pages while thinking they're visiting the real site.

Why does the transcript claim NordVPN stops the attack even when the victim stays connected to the rogue network?

With NordVPN active, the victim’s browsing traffic is encrypted and routed through the VPN tunnel, reducing what the attacker can observe or alter at the local DNS/traffic level. In the demonstrations, the attacker’s DNS view changes from showing populated browsing activity to a “ghost town,” and spoofed DNS redirection no longer works for targeted sites once the VPN connection is established.

How does a deauthentication attack change the dynamics of an evil twin?

Instead of waiting for the victim to voluntarily connect to the fake AP, the attacker sends forged deauthentication frames so the victim's device drops its association with the legitimate router. The fake AP broadcasts the same SSID on the same channel with a stronger signal, so the device automatically reconnects to the rogue network without the user noticing. After reconnection, DHCP and DNS spoofing resume under the attacker's control.

What is ARP spoofing (man-in-the-middle) in this context, and how is it different from an evil twin?

ARP spoofing (via Ettercap) targets address resolution on the victim's existing LAN rather than creating a fake Wi‑Fi. The attacker poisons ARP caches so the victim maps the router's IP address to the attacker's MAC and the router maps the victim's IP address to the attacker's MAC. This places the attacker in the middle of the conversation: traffic from the victim to the internet and responses back to the victim flow through the attacker, enabling interception and DNS/content manipulation. The transcript contrasts this with evil twin attacks, which require the victim to connect to a rogue access point.

What scanning step is used before launching the attacks on a real network?

On the real “Conversations Wi‑Fi” scenario, the attacker uses Nmap to scan the local network and identify devices and IP addresses. The transcript notes that it targets an iPad-like device by selecting the known IP address, then uses Ettercap to perform ARP poisoning and DNS spoofing together.

Review Questions

  1. What chain of components (SSID, DHCP, DNS spoofing, and web server hosting) must be in place for an evil twin to redirect a victim’s browsing?
  2. How do deauthentication frames and signal strength work together to force a victim onto a rogue access point?
  3. In what way does ARP spoofing create a man-in-the-middle position without running a fake Wi‑Fi network?

Key Points

  1. An evil twin attack can be built by broadcasting a fake SSID, using DHCP to assign IPs, and using DNS spoofing to redirect domains to an attacker-controlled server.

  2. Monitor-mode wireless scanning (e.g., airodump-ng) helps identify nearby networks and clients before setting up the rogue access point.

  3. Deauthentication attacks can force devices off legitimate Wi‑Fi so they automatically roam to a stronger rogue AP with the same SSID and channel.

  4. ARP spoofing (Ettercap) enables man-in-the-middle interception on an existing network by poisoning ARP caches so the victim and router each map the other's IP address to the attacker's MAC.

  5. NordVPN is presented as a practical defense because the tunnel carries the victim's DNS queries and traffic past the attacker, so the attacker can neither read them nor answer lookups with spoofed addresses once the VPN is connected.

  6. Public Wi‑Fi risk is framed as systemic: attacks can target coffee shops, airports, and other locations where network trust is assumed without verification.

Highlights

The transcript demonstrates that after a victim connects to a rogue SSID, DNSChef can redirect starbucks.com to an attacker-hosted site, making impersonation appear legitimate.
NordVPN is shown as breaking the attacker's visibility: DNS spoofing and browsing interception stop working as expected once the VPN connection is active.
A deauthentication attack can kick a device off real Wi‑Fi and trigger automatic reconnection to a fake AP broadcasting the same SSID with a stronger signal.
ARP spoofing via Ettercap can intercept traffic on a real network without creating a fake Wi‑Fi, by poisoning ARP caches to route all traffic through the attacker.

Topics

  • Evil Twin Wi‑Fi
  • DNS Spoofing
  • Deauthentication Attack
  • ARP Spoofing
  • VPN Protection
