This is a write-up on how I performed an Evil Twin attack to "phish" the WPA password from an access point using nothing but the gullibility of the average consumer and an OpenWRT router.

I will not get into how to reprogram the router to OpenWRT as that is beyond the scope of this write-up. !!!DO NOT ASK!!!
This may or may not be specific to the setup I am using, and there are probably better ways of doing this; this is just how I did it.
Also, this is not a n00b write-up; it requires that you have a basic understanding of how OpenWRT works.

With that said...

This will start with an OpenWRT router at factory default settings.

Firstly, we need to change the ESSID to the target:

Network -> Wifi -> Edit -> ESSID

Change to the target ESSID then click Save & Apply.

Next you must ssh to the device (get used to it, a good portion of this is done in a shell).
Type this into the shell:

nvram set il0macaddr=[TARGET MAC]
nvram commit

Now we have the router set up as an evil twin, but we still need to configure the captive portal.

Install PHP (the router needs to be connected to the internet for this step):

opkg update
opkg install php5
opkg install php5-cgi

Open /etc/config/uhttpd and move LuCI to a different port, say port 88 (or whatever). Change the listen line in the "main" section:

        list listen_http        0.0.0.0:88

Next we need to set up the uhttpd server on port 80 to serve the pages we want (the captive portal).
I have my own pre-made pages for Xfinity and Verizon (poorly done, I don't care, they have worked for me); I will post a link to an upload for any who are interested.
What I did was alter the router config pages so that any input into the password field is dumped into a text file at /tmp/data.txt via a PHP script.
Add this to the bottom of /etc/config/uhttpd to start the captive portal server:

config uhttpd evilap
        list listen_http        0.0.0.0:80
        option home             /www2
        list interpreter        ".php=/usr/bin/php-cgi"

Note that from now on you must append the port you chose (e.g. :88) to the router's address to reach LuCI.

Create a directory called /www2 and place all files to be served in it.

Now for making the captive portal captive: making EVERY address resolve to a single IP, our router's.

echo "address=/#/" >> /etc/dnsmasq.conf

Reboot the device.
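The catch-all dnsmasq rule above is the part of this setup a client can actually observe, so here is the defender's side of it. This is an added example of mine, not the author's code or anything from OpenWRT: it flags a resolver that answers the same address for every name (including a probe under the reserved .invalid TLD, which a normal resolver must answer with NXDOMAIN) and audits a dnsmasq config for address=/#/ lines. The sample resolutions, the config excerpt and the 192.0.2.1 address are constructed test data.

```python
import re
import socket
from typing import Callable, Iterable, List, Optional

# Constructed sample data (not from the write-up): name -> answer, where None
# means NXDOMAIN. The first set is what a client sees behind a dnsmasq
# "address=/#/<ip>" rule; the second is what a normal resolver returns.
SAMPLE_HIJACKED = {
    "example.com": "192.0.2.1",
    "www.wikipedia.org": "192.0.2.1",
    "kq7zmd3p-probe.invalid": "192.0.2.1",
}
SAMPLE_NORMAL = {
    "example.com": "93.184.216.34",
    "www.wikipedia.org": "208.80.154.224",
    "kq7zmd3p-probe.invalid": None,
}

# Constructed dnsmasq.conf excerpt (not the author's file): one ordinary
# override for a lab host plus the catch-all rule this write-up describes.
SAMPLE_CONF = """\
# dnsmasq.conf
domain-needed
address=/printer.lan/10.0.0.5
address=/#/192.0.2.1
"""

# Matches address=/#/<ip>; '#' is dnsmasq's "every domain" wildcard.
WILDCARD_RE = re.compile(r"^\s*address=/#/(?P<ip>\S*)\s*$")


def system_resolve(name: str) -> Optional[str]:
    """Resolve with the OS resolver; None on NXDOMAIN or any failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard_dns(resolve: Callable[[str], Optional[str]],
                        names: Iterable[str]) -> Optional[str]:
    """Return the single address every probe resolved to, or None.

    At least one probe should be a name that cannot legitimately exist
    (e.g. under .invalid). A normal resolver answers NXDOMAIN for it; a
    catch-all resolver answers the same address for everything.
    """
    answers = [resolve(n) for n in names]
    if len(answers) < 2 or any(a is None for a in answers):
        return None
    return answers[0] if len(set(answers)) == 1 else None


def dnsmasq_wildcard_rules(config_text: str) -> List[str]:
    """Return address=/#/... lines from a dnsmasq config, ignoring comments."""
    hits = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line; the '#' inside address= is not a comment
        if WILDCARD_RE.match(line):
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    # Offline demonstration on the constructed data.
    print("hijacked sample ->", detect_wildcard_dns(SAMPLE_HIJACKED.get, SAMPLE_HIJACKED))
    print("normal sample   ->", detect_wildcard_dns(SAMPLE_NORMAL.get, SAMPLE_NORMAL))
    print("config hits     ->", dnsmasq_wildcard_rules(SAMPLE_CONF))
    # Live check of the network you are currently on (needs a working resolver):
    # print(detect_wildcard_dns(system_resolve, ["example.com", "kq7zmd3p-probe.invalid"]))
```

On a real network, pass system_resolve with a couple of well-known names plus one random label under .invalid; any non-None result means every name is being steered to one host, which is exactly the symptom of the rule above (or of a legitimate captive portal, so treat it as a prompt to inspect, not a verdict).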

Now, if you use the files I made, all entered passwords will be dumped into /tmp/data.txt

Here is the directory I made:

This may need some cleanup, let me know if this works for anyone else.