How to detect an evil twin?

Now that we have a better understanding of what an evil twin is, we can discuss how to detect one. One of the best evil twin detection tools is called EvilAP_Defender. This tool helps cyber security teams detect evil twins and prevent them from attacking users of the wireless network. When EvilAP_Defender detects an evil twin, a notification is sent to your e-mail. When a rogue access point is discovered, EvilAP_Defender can execute a DoS attack on users to prevent them from connecting to the rogue access point. The DoS attack allows more time to plan a more calculated response to end the evil twin attack. The DoS attack will only target SSIDs with the same name as the real access point.

To detect evil twins, EvilAP_Defender uses specific criteria. EvilAP_Defender will scan for access points with the same BSSID as the real access point. Next, the attributes of both access points will be compared. The tool will look at the channel, authentication protocol, and the type of ciphers being used. If one of the attributes does not match the known configuration, a notification is sent via e-mail to the cyber security team. The e-mail will alert the team of a possible evil twin attack.

EvilAP_Defender has three main modes. The first mode is called learning mode. This mode scans for available wireless networks. Next, a list will be presented with all the wireless networks in range. Whitelists can be used to organize trusted access points with confirmed attributes. Before the next mode can be used, the real access point must be added to the whitelist.

The next step is to configure the preventive mode. The first option that must be set is the deauthentication time. It should be set to a number bigger than zero. Setting the deauthentication time to zero will disable preventive mode. The tool attacks the first evil twin for the duration set as the deauthentication time. Once the time expires, it will move on to the second evil twin access point detected and continue until it stops detecting evil twins. It is recommended to set the deauthentication time to ten seconds.

The third mode is called normal mode. This mode scans for evil twins that do not have the same attributes as the legitimate access point. Once an evil twin is found, a notification is sent to the cyber security team.

EvilAP_Defender is a highly-supported tool, updated regularly with new features to enhance its effectiveness. This tool works great with Kali Linux and can be cloned from GitHub for an easy install. Being able to use evil twin detection tools is an excellent skill to have as a cyber security professional.
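The whitelist comparison described above can be sketched as follows. This is an added example, not EvilAP_Defender's own code; the `AccessPoint` record, the function name and the sample scan data are constructed for illustration, and the check for a trusted SSID arriving from an unlisted BSSID is an assumption that goes beyond the criteria listed in the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    channel: int
    auth: str    # authentication protocol, e.g. "PSK" or "OPN"
    cipher: str  # cipher in use, e.g. "CCMP", "TKIP" or "" for none

# Attributes the text says are compared against the known configuration.
COMPARED = ("channel", "auth", "cipher")

def find_evil_twins(whitelist, scan):
    """Return (access_point, reason) for every suspicious scan entry."""
    known_by_bssid = {ap.bssid.lower(): ap for ap in whitelist}
    trusted_ssids = {ap.ssid for ap in whitelist}
    findings = []
    for seen in scan:
        known = known_by_bssid.get(seen.bssid.lower())
        if known is not None:
            # Same BSSID as a trusted AP: every compared attribute must match.
            diffs = [a for a in COMPARED if getattr(seen, a) != getattr(known, a)]
            if diffs:
                findings.append((seen, "attribute mismatch: " + ", ".join(diffs)))
        elif seen.ssid in trusted_ssids:
            # Assumption beyond the text: trusted name from an unlisted BSSID.
            findings.append((seen, "trusted SSID from unlisted BSSID"))
    return findings

# Constructed sample data (not captured from a real network).
WHITELIST = [AccessPoint("CorpWiFi", "02:00:00:00:00:01", 6, "PSK", "CCMP")]
SCAN = [
    AccessPoint("CorpWiFi", "02:00:00:00:00:01", 6, "PSK", "CCMP"),    # legitimate
    AccessPoint("CorpWiFi", "02:00:00:00:00:01", 11, "OPN", ""),       # cloned BSSID
    AccessPoint("CorpWiFi", "02:00:00:00:00:99", 6, "PSK", "CCMP"),    # new BSSID
    AccessPoint("CoffeeShop", "02:00:00:00:00:42", 1, "PSK", "CCMP"),  # unrelated
]

if __name__ == "__main__":
    for ap, reason in find_evil_twins(WHITELIST, SCAN):
        print(f"ALERT {ap.ssid} {ap.bssid} ch{ap.channel}: {reason}")
```

Each finding carries the reason string that would go into the e-mail alert, so the team can tell a cloned BSSID with changed settings from a new BSSID reusing the trusted name.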
