In the last chapter, we have seen how to set up a rogue access point, which is part of the local wired network. An attacker can also set up a fake AP that appears to be legitimate to the client but is not connected to the local network. This kind of AP is called a honeypot AP, because it lures clients to associate with it. A honeypot AP that impersonates a genuine one, standing in its proximity, can be used to conduct the so-called Evil Twin attack. Indeed, the honeypot AP spoofs the SSID (and eventually the MAC address) of the real AP, advertising it in the beacon frames it sends. The operating system of a wireless client typically keeps track of the networks to which the client has already connected in the past. The client can be configured to automatically connect to such networks when it is in their range and the signal is strong enough. So, if the fake AP is closer to the client than the legitimate one, and therefore its signal is stronger...