by hash3liZer, 22 June 2018
In this tutorial, we will use WiFi-Phisher, a phishing utility for rogue networks, to capture the passphrases of nearby wireless networks by presenting users with a forged page. Though using it is never considered good practice, it is sometimes recommended when time is short, and there is almost no assurance that it will always work. But since it will help you grasp the basics of phishing over the air, we will look at its usage.
The evolution of WPA has greatly enhanced wireless security over the air and made it almost impossible to crack these security protocols directly. Phishing has always been a reliable, if somewhat nasty, means of compromising personal details. WiFi-Phisher will help us simplify this task.
WiFi-Phisher makes use of two interfaces, one for the Access Point and the other to perform DoS attacks, plus an optional third interface to forward traffic from. By default, it redirects all traffic to the forged page. Hence, two adapters are required here, and optionally an internet connection on another interface. Though you can skip the DoS step, it may then take too much time to get the attention of nearby users.
STEP 1
Clone the latest WiFi-Phisher version from GitHub and install it:
git clone https://github.com/wifiphisher/wifiphisher.git
cd wifiphisher
sudo python setup.py install
STEP 2
As mentioned, WiFi-Phisher makes use of two interfaces, one for the Access Point and the other for the DoS attack. You can skip the DoS attack if you want to. Launch the script in one of the following ways:
wifiphisher -aI wlan1 -eI wlan0 -iI eth0 --essid "WiFiPhisher"
Note the arguments used in the command above:
If you don't want to provide internet access and don't want to perform the disassociation step:
wifiphisher -aI wlan0 --nodeauth --essid "WiFiPhisher"
If you want to scan the area first:
wifiphisher -aI wlan0 --nodeauth --noextensions
Then choose one of the attack scenarios. The ones currently provided are:
STEP 3
Now, we will disassociate the clients from the access point. If you already provided an extension interface in the first place, this step is not necessary: WiFi-Phisher will handle the rest of the task itself, and all you have to do is wait and see. But sometimes it takes a long time for it to disassociate all the clients as required.
If this is the case, performing the disassociation manually will be helpful. We will use mdk3 for this purpose. Create a new blacklist file and add the BSSIDs of all nearby access points:
touch /tmp/blacklist.txt
echo 34:BF:90:4A:BB:57 >> /tmp/blacklist.txt
echo 00:0E:F4:DE:D9:61 >> /tmp/blacklist.txt
...
Then kick-start mdk3:
mdk3 wlan0 d -b /tmp/blacklist.txt -c
Note the parameters above:
STEP 4
Now, when a client connects to the rogue AP, the captive portal kicks in and the client is presented with our forged page. Whatever happens in the network, all incoming and outgoing requests are printed on the terminal. When the client posts the form containing the pre-shared key to the server, all the submitted data is printed as well. So:
The password is: p@ssword123
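From the defender's side, the procedure above leaves two signals in a monitor-mode capture: a burst of deauthentication frames and a second BSSID advertising an ESSID you own. The detection logic below is an added example, not part of the original post or of WiFi-Phisher; the frame records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Authorised ESSID -> legitimate BSSIDs (constructed values).
KNOWN_APS = {"OfficeWiFi": {"34:bf:90:4a:bb:57"}}

# Constructed monitor-mode records: (timestamp_sec, frame_type, transmitter, essid).
# The deauth burst claims the real AP's address: deauth frames are unauthenticated
# unless 802.11w (PMF) is enabled, so a sender can put any address in them.
SAMPLE_FRAMES = (
    [(0.0, "beacon", "34:bf:90:4a:bb:57", "OfficeWiFi"),
     (0.1, "beacon", "00:11:22:33:44:55", "OfficeWiFi"),   # second BSSID, same ESSID
     (0.2, "beacon", "66:77:88:99:aa:bb", "GuestNet"),     # ESSID we do not own
     (5.0, "deauth", "34:bf:90:4a:bb:57", None)]           # a single, normal deauth
    + [(2.0 + i * 0.04, "deauth", "34:bf:90:4a:bb:57", None) for i in range(15)]
)

def find_essid_impersonation(frames, known_aps=KNOWN_APS):
    """Return {(essid, bssid)} for beacons that advertise one of our ESSIDs
    from a BSSID that is not on the authorised list (evil-twin signal)."""
    suspicious = set()
    for _ts, ftype, src, essid in frames:
        if ftype == "beacon" and essid in known_aps and src not in known_aps[essid]:
            suspicious.add((essid, src))
    return suspicious

def find_deauth_bursts(frames, window=1.0, threshold=10):
    """Return {claimed_source: peak_count} for addresses whose deauth/disassoc
    frames exceed `threshold` inside any `window`-second span."""
    per_source = defaultdict(list)
    for ts, ftype, src, _essid in frames:
        if ftype in ("deauth", "disassoc"):
            per_source[src].append(ts)
    bursts = {}
    for src, times in per_source.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):           # sliding window over timestamps
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            bursts[src] = peak
    return bursts

if __name__ == "__main__":
    for essid, bssid in sorted(find_essid_impersonation(SAMPLE_FRAMES)):
        print(f"ALERT: ESSID {essid!r} also advertised by unknown BSSID {bssid}")
    for src, count in find_deauth_bursts(SAMPLE_FRAMES).items():
        print(f"ALERT: {count} deauth frames within 1s claiming source {src}")
```

Enabling 802.11w (Protected Management Frames) on the real access point is the mitigation for the deauth half of this; the evil-twin half still needs monitoring, since anyone can beacon your ESSID.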
Conclusion
So, we saw how we could use the WiFi-Phisher utility to automate all the rogue AP work for us. It provides a basic CLI and various command-line options to control the script. Moreover, it also supports a captive portal, which makes it more compelling for clients, and it has four built-in phishing scenarios that can be used as required.