This guide provides solutions to common issues encountered when using the Evil Twin attack feature in wifite2.
- Interface and Hardware Issues
- Network Service Issues
- Client Connection Issues
- Credential Validation Issues
- Performance Issues
- Error Messages
- Advanced Debugging
Error Message:
[!] Error: Interface wlan0 does not support AP mode
[!] Evil Twin attack requires an interface with AP mode support
Cause: Your wireless adapter doesn't support Access Point (AP) mode.
Solution:
-
Check interface capabilities:
iw list | grep -A 10 "Supported interface modes"
Look for "AP" in the output.
-
Try a different interface:
# List all wireless interfaces iw dev # Check each interface for AP mode support iw list
-
Use a compatible adapter:
Recommended adapters with AP mode support:
- Alfa AWUS036ACH (dual-band, excellent)
- TP-Link TL-WN722N v1 (budget option, v1 only!)
- Panda PAU09
- Alfa AWUS036NHA (2.4GHz only)
⚠️ Warning: Many newer USB adapters (v2/v3) do NOT support AP mode! -
Update drivers:
# Update system sudo apt update && sudo apt upgrade # Install firmware packages sudo apt install firmware-linux firmware-atheros firmware-realtek
Error Message:
[!] Warning: Only one wireless interface detected
[!] Evil Twin requires two interfaces (one for AP, one for deauth)
Cause: Evil Twin needs two wireless interfaces - one for the rogue AP and one for deauthentication.
Solution:
Option 1: Use two physical adapters (Recommended)
# Plug in a second USB wireless adapter
# Verify both are detected
iw devOption 2: Use virtual interface (Advanced)
Some adapters support creating virtual interfaces:
# Create virtual interface
iw dev wlan0 interface add wlan0mon type monitor
# Verify both interfaces exist
iw devOption 3: Single interface mode (Limited)
Some adapters can do both AP and monitor mode simultaneously, but this is rare and not officially supported.
Symptoms:
- Interface disappears during attack
- "Network is down" errors
- Attack stops unexpectedly
Solution:
-
Kill conflicting processes:
sudo wifite --kill
This stops NetworkManager and other services that interfere.
-
Manually stop services:
sudo systemctl stop NetworkManager sudo systemctl stop wpa_supplicant
-
Disable power management:
# Check current power management iwconfig wlan0 | grep "Power Management" # Disable power management sudo iwconfig wlan0 power off
-
Use a powered USB hub:
- USB wireless adapters can draw significant power
- Underpowered USB ports may cause instability
- Use a powered USB 3.0 hub
Error Message:
[!] Error: Cannot bind to port 80
[!] Another service is using port 80
Cause: Another web server or service is using port 80.
Solution:
-
Find what's using port 80:
sudo lsof -i :80 sudo netstat -tulpn | grep :80 -
Stop the conflicting service:
# Common services sudo systemctl stop apache2 sudo systemctl stop nginx sudo systemctl stop lighttpd # Or kill the process directly sudo kill <PID>
-
Use an alternate port:
sudo wifite --eviltwin --eviltwin-port 8080
Note: Port 80 works best for captive portals, but 8080 can work.
Error Message:
[!] Error: hostapd failed to start
[!] Check logs for details
Cause: Multiple possible causes - conflicting processes, driver issues, or configuration problems.
Solution:
-
Check hostapd logs:
# View recent hostapd errors sudo journalctl -u hostapd -n 50 # Or check wifite logs tail -f ~/.wifite/logs/wifite.log
-
Kill conflicting processes:
sudo killall hostapd wpa_supplicant dhclient NetworkManager
-
Verify hostapd installation:
hostapd -v which hostapd
-
Test hostapd manually:
# Create test config cat > /tmp/test_hostapd.conf << EOF interface=wlan0 driver=nl80211 ssid=TestAP channel=6 hw_mode=g EOF # Try to start hostapd sudo hostapd /tmp/test_hostapd.conf
-
Check for driver issues:
# Some drivers don't work well with hostapd # Try updating drivers or using a different adapter dmesg | grep -i firmware
Error Message:
[!] Error: dnsmasq failed to start
[!] DHCP/DNS services unavailable
Cause: Port conflicts or configuration issues.
Solution:
-
Check for port conflicts:
# DNS uses port 53, DHCP uses port 67 sudo lsof -i :53 sudo lsof -i :67 -
Stop conflicting services:
sudo systemctl stop systemd-resolved sudo systemctl stop dnsmasq
-
Kill existing dnsmasq:
sudo killall dnsmasq
-
Check dnsmasq logs:
sudo journalctl -u dnsmasq -n 50
-
Verify dnsmasq installation:
dnsmasq --version which dnsmasq
Error Message:
[!] Warning: Failed to configure iptables
[!] Traffic redirection may not work
Cause: Permission issues or conflicting firewall rules.
Solution:
-
Ensure running as root:
# Always use sudo sudo wifite --eviltwin -
Clear existing iptables rules:
sudo iptables -F sudo iptables -X sudo iptables -t nat -F sudo iptables -t nat -X sudo iptables -t mangle -F sudo iptables -t mangle -X
-
Check for firewall conflicts:
# Temporarily disable firewall sudo ufw disable sudo systemctl stop firewalld -
Verify iptables installation:
sudo iptables -L
Symptoms:
- Rogue AP starts successfully
- Deauth packets are being sent
- No clients connect after several minutes
Solution:
-
Verify deauth is working:
# Run with verbose mode sudo wifite --eviltwin -vv # Look for "Sending deauth" messages
-
Check signal strength:
# Your rogue AP needs stronger signal than legitimate AP # Move closer to target clients # Move away from legitimate AP # Check signal levels sudo airodump-ng wlan0mon
-
Verify channel:
# Ensure rogue AP is on same channel as target iwconfig wlan1 | grep Channel
-
Increase deauth interval:
# Send deauth packets more frequently sudo wifite --eviltwin --eviltwin-deauth-interval 3 -
Check for PMF (Protected Management Frames):
# If target uses 802.11w (PMF), deauth won't work # Look for "PMF: Required" in scan results # PMF prevents deauth attacks - no workaround # Try a different target without PMF
-
Try broadcast deauth:
# Deauth all clients instead of targeted # This is more aggressive but may work better # (This is the default behavior)
Symptoms:
- Clients connect to rogue AP
- Clients get IP address
- No captive portal appears
Solution:
-
Check DNS redirection:
# From a connected client, try: nslookup google.com # Should resolve to rogue AP IP (e.g., 192.168.100.1)
-
Verify iptables rules:
sudo iptables -t nat -L -n -v # Should see DNAT rules redirecting port 80 -
Test portal manually:
# From connected client, browse to: http://192.168.100.1 # Should show captive portal
-
Check web server:
# Verify web server is running sudo netstat -tulpn | grep :80
-
Disable HTTPS:
- Some devices only check HTTPS URLs
- Try browsing to http://example.com (not https://)
- Or http://1.1.1.1
-
Clear client DNS cache:
# On client device # Windows: ipconfig /flushdns # Mac: sudo dscacheutil -flushcache # Linux: sudo systemd-resolve --flush-caches
Symptoms:
- Clients connect briefly
- Disconnect within seconds
- Repeat connection attempts
Solution:
-
Stop deauth when clients connect:
- Wifite should automatically pause deauth
- Check logs to verify this is happening
-
Check DHCP:
# Verify DHCP is assigning addresses sudo tail -f /var/log/syslog | grep dnsmasq
-
Verify IP configuration:
# Check interface has correct IP ip addr show wlan1 # Should show 192.168.100.1/24 or similar
-
Check for IP conflicts:
# Ensure no other device has same IP # Change DHCP range if needed
-
Increase DHCP lease time:
- Wifite uses 12-hour leases by default
- This should be sufficient
Error Message:
[!] Error: Failed to validate credentials
[!] Cannot connect to legitimate AP
Cause: Cannot reach the legitimate AP for validation.
Solution:
-
Verify legitimate AP is reachable:
# Scan for target AP sudo airodump-ng wlan0mon # Should see target AP in list
-
Check validation interface:
- Validation requires a third interface OR
- Temporarily pausing the rogue AP
- Ensure you have enough interfaces
-
Check wpa_supplicant:
wpa_supplicant -v which wpa_supplicant
-
Test validation manually:
# Create test config cat > /tmp/test_wpa.conf << EOF network={ ssid="TargetNetwork" psk="testpassword" } EOF # Try to connect sudo wpa_supplicant -i wlan2 -c /tmp/test_wpa.conf
-
Check validation logs:
tail -f ~/.wifite/logs/wifite.log | grep -i valid
Symptoms:
- Each password takes 30+ seconds to validate
- Attack progress is very slow
Solution:
-
This is normal:
- WPA authentication takes 10-30 seconds
- This is a limitation of the protocol
- Cannot be significantly improved
-
Ensure good signal:
- Weak signal increases validation time
- Move closer to legitimate AP
-
Check for interference:
- Other networks on same channel
- Microwave ovens, Bluetooth devices
- Change channel if possible
Symptoms:
- Clients submit passwords
- All marked as invalid
- Even correct password fails
Solution:
-
Verify target AP is correct:
# Double-check BSSID and ESSID sudo airodump-ng wlan0mon -
Check validation is actually running:
# Look for wpa_supplicant processes ps aux | grep wpa_supplicant
-
Test with known password:
- If you know the password, test it
- Verify validation is working correctly
-
Check for AP rate limiting:
- Some APs rate-limit authentication attempts
- Wait a few minutes between attempts
- Wifite includes automatic rate limiting
-
Disable validation for testing:
# Test portal without validation sudo wifite --eviltwin --eviltwin-no-validate # Check if passwords are being captured
Symptoms:
- System becomes slow
- CPU at 100%
- Attack becomes unstable
Solution:
-
This is somewhat normal:
- hostapd, dnsmasq, and deauth use CPU
- Especially on older systems
-
Reduce deauth frequency:
# Increase interval between deauth bursts sudo wifite --eviltwin --eviltwin-deauth-interval 10 -
Close unnecessary programs:
- Stop other applications
- Close browser tabs
- Disable desktop effects
-
Use a more powerful system:
- Evil Twin is resource-intensive
- Consider using a dedicated machine
Symptoms:
- System runs out of memory
- Swap usage increases
- System becomes unresponsive
Solution:
-
Monitor memory:
free -h htop
-
This shouldn't happen:
- Evil Twin uses minimal memory
- If memory usage is high, there may be a bug
- Report issue on GitHub
-
Restart attack:
# Stop and restart wifite # This clears any memory leaks
Symptoms:
- Clients connect successfully
- Network is very slow
- Pages take long to load
Solution:
-
This is expected:
- All traffic is redirected to captive portal
- No actual internet access
- This is by design
-
Portal should load quickly:
- If portal itself is slow, check web server
- Verify iptables rules are correct
Cause: Orphaned processes from previous attack.
Solution:
# Kill all related processes
sudo killall hostapd dnsmasq wpa_supplicant
# Or let wifite clean up
sudo wifite --eviltwin
# Answer 'y' when prompted to kill processesCause: Interface is in wrong mode or busy.
Solution:
# Reset interface
sudo ip link set wlan0 down
sudo iw dev wlan0 set type managed
sudo ip link set wlan0 up
# Or use airmon-ng
sudo airmon-ng stop wlan0mon
sudo airmon-ng start wlan0Cause: Not running as root.
Solution:
# Always use sudo
sudo wifite --eviltwinCause: No networks in range or scanning issue.
Solution:
# Verify interface is in monitor mode
iwconfig
# Try manual scan
sudo airodump-ng wlan0mon
# Check for hardware issues
sudo dmesg | tail -20# Level 1: Basic info
sudo wifite --eviltwin -v
# Level 2: Detailed info
sudo wifite --eviltwin -vv
# Level 3: Full debug output
sudo wifite --eviltwin -vvv# Wifite logs
tail -f ~/.wifite/logs/wifite.log
# System logs
sudo journalctl -f
# Hostapd logs
sudo journalctl -u hostapd -f
# Dnsmasq logs
sudo journalctl -u dnsmasq -fTest each component individually:
-
Test hostapd:
# Create minimal config cat > /tmp/hostapd.conf << EOF interface=wlan1 driver=nl80211 ssid=TestAP channel=6 hw_mode=g EOF # Start hostapd sudo hostapd /tmp/hostapd.conf # Try to connect with phone/laptop
-
Test dnsmasq:
# Create minimal config cat > /tmp/dnsmasq.conf << EOF interface=wlan1 dhcp-range=192.168.100.10,192.168.100.100,12h EOF # Start dnsmasq sudo dnsmasq -C /tmp/dnsmasq.conf -d
-
Test web server:
# Start simple web server cd /tmp echo "Test Page" > index.html sudo python3 -m http.server 80 # Browse to http://localhost
-
Test deauth:
# Manual deauth sudo aireplay-ng --deauth 10 -a <AP_BSSID> wlan0mon
# Capture all traffic on interface
sudo tcpdump -i wlan1 -w /tmp/capture.pcap
# Analyze with wireshark
wireshark /tmp/capture.pcap# Detailed interface info
iw dev wlan0 info
iw dev wlan0 link
# Check for errors
dmesg | grep wlan0
# Check driver info
ethtool -i wlan0If you've tried everything and still have issues:
-
Gather information:
# System info uname -a lsb_release -a # Wireless info iw list > /tmp/iw_list.txt lsusb | grep -i wireless # Tool versions hostapd -v dnsmasq -v wpa_supplicant -v # Logs tail -100 ~/.wifite/logs/wifite.log > /tmp/wifite_log.txt
-
Create GitHub issue:
- Go to https://github.com/kimocoder/wifite2/issues
- Include all information gathered above
- Describe what you tried
- Include full error messages
-
Provide details:
- Operating system and version
- Wireless adapter model and chipset
- Full command used
- Complete error output with
-vvvflag - What you've already tried
-
Verify authorization:
- Ensure you have written permission
- Document authorization
- Understand legal implications
-
Check hardware:
- Verify AP mode support
- Ensure two interfaces available
- Test interfaces beforehand
-
Check dependencies:
- Install all required tools
- Verify versions are correct
- Test each tool individually
-
Plan the attack:
- Choose appropriate time
- Minimize disruption
- Have backup plan
-
Monitor progress:
- Watch for errors
- Check client connections
- Verify validation is working
-
Be ready to stop:
- If issues arise
- If unauthorized activity detected
- If excessive disruption occurs
-
Document everything:
- Take screenshots
- Save logs
- Record observations
-
Clean up:
- Verify all processes stopped
- Check interfaces restored
- Remove temporary files
-
Secure data:
- Encrypt captured credentials
- Store securely
- Delete when no longer needed
-
Report findings:
- Document vulnerabilities
- Provide recommendations
- Follow responsible disclosure
- Evil Twin Attack Guide - Complete usage guide
- Main README - General wifite2 documentation
- WPA3 Troubleshooting - WPA3-specific issues
Last Updated: 2025-10-27