WifiPhisher

Description

Wifiphisher is a security tool that mounts automated phishing attacks against WiFi networks in order to obtain secret passphrases or other credentials. It is a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages or WPA/WPA2 secret passphrases.

Wifiphisher works on Kali Linux and is licensed under the MIT license.

How it works

After achieving a man-in-the-middle position using the Evil Twin attack, wifiphisher redirects all HTTP requests to an attacker-controlled look-alike web site.

From the victim’s perspective, the attack makes use in three phases:

  1. Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point’s wifi devices within range by forging “Deauthenticate” or “Disassociate” packets to disrupt existing associations.

  2. Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point’s settings. It then creates a rogue wireless access point that is modeled by the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will start connecting to the rogue access point. After this phase, the victim is MiTMed.

  3. Victim is being served a realistic router config-looking page. wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for credentials. The tool supports community-built templates for different phishing scenarios, such as:

    • Router configuration pages that ask for the WPA/WPA2 passphrase due to a router firmware upgrade.

    • 3rd party login pages (for example, login pages similar to those of popular social networking or e-mail access sites and products)

    • Captive portals, like the ones that are being used by hotels and airports.

Usage

Syntax

wifiphisher.py [-h] [-c CHANNEL] [-s SKIP] [-jI JAMMINGINTERFACE]
                      [-aI APINTERFACE] [-m MAXIMUM] [-n] [-t TIMEINTERVAL]
                      [-p PACKETS] [-d] [-a ACCESSPOINT]

Options

optional arguments:
  -h, --help            show this help message and exit
  -c CHANNEL, --channel CHANNEL
                        Choose the channel for monitoring. Default is channel
                        1
  -s SKIP, --skip SKIP  Skip deauthing this MAC address. Example: -s
                        00:11:BB:33:44:AA
  -jI JAMMINGINTERFACE, --jamminginterface JAMMINGINTERFACE
                        Choose monitor mode interface. By default script will
                        find the most powerful interface and starts monitor
                        mode on it. Example: -jI mon5
  -aI APINTERFACE, --apinterface APINTERFACE
                        Choose monitor mode interface. By default script will
                        find the second most powerful interface and starts
                        monitor mode on it. Example: -aI mon5
  -m MAXIMUM, --maximum MAXIMUM
                        Choose the maximum number of clients to deauth. List
                        of clients will be emptied and repopulated after
                        hitting the limit. Example: -m 5
  -n, --noupdate        Do not clear the deauth list when the maximum (-m)
                        number of client/AP combos is reached. Must be used in
                        conjunction with -m. Example: -m 10 -n
  -t TIMEINTERVAL, --timeinterval TIMEINTERVAL
                        Choose the time interval between packets being sent.
                        Default is as fast as possible. If you see scapy
                        errors like 'no buffer space' try: -t .00001
  -p PACKETS, --packets PACKETS
                        Choose the number of packets to send in each deauth
                        burst. Default value is 1; 1 packet to the client and
                        1 packet to the AP. Send 2 deauth packets to the
                        client and 2 deauth packets to the AP: -p 2
  -d, --directedonly    Skip the deauthentication packets to the broadcast
                        address of the access points and only send them to
                        client/AP pairs
  -a ACCESSPOINT, --accesspoint ACCESSPOINT
                        Enter the MAC address of a specific access point to
                        target

Example

cyborg@cyborg:~$ sudo wifiphisher
[*] Starting HTTP server at port 8080
[*] Starting HTTPS server at port 443
[+] Networks discovered by wlan0: 0
[+] Starting monitor mode off wlan0
[*] Cleared leases, started DHCP, set up iptables

[+] Ctrl-C at any time to copy an access point from below
num  ch   ESSID
---------------
1  - 1  - tempztrela
^C
[+] Choose the [num] of the AP you wish to copy: 1
[*] Starting the fake access point...
[*] tempztrela set up on channel 1 via wlan0 on False
[*] Monitor mode: wlan0 -
Jamming devices: 
[*] 10:fe:ed:b7:a5:42 - d8:3c:69:76:09:96 - 1



DHCP Leases: 



HTTP requests: 
Jamming devices: [*] 10:fe:ed:b7:a5:42 - d8:3c:69:76:09:96 - 1 


DHCP Leases: 



HTTP requests: 


Jamming devices: 
[*] 10:fe:ed:b7:a5:42 - d8:3c:69:76:09:96 - 1



DHCP Leases: 
120415412 d8:3c:69:76:09:96  192.168.1.18 windows -af54e8d4898ecba486be

HTTP requests: 
[*] GET 192.168.1.18
[*] GET 192.168.1.18
[*]POST 192.168.1.18 password=trendztrela
0 Comments

Leave a reply

CONTACT US

We're are building as a community and a team. Be a part of it.

Sending

©2017 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?