Wireless Hacking with WifiPhisher
Suppose you need to get a Wi-Fi password but don’t have the time to crack it if you need to clone a wireless access point and trick users into connecting to your rogue network. Or, if you want an excuse to play with your new Raspberry Pi, then WifiPhisher might be the project for you!
WifiPhisher is a rogue access point system written in Python designed to intercept credentials using common IEEE 802.11 wireless unicast frames. It can be operated in different modes, including Managed, which will create a legitimate-looking access point with the same name(rogue access) as the target network. It also causes users to reconnect to your rogue access point instead of their intended access point(AP) in range.
Managed mode is excellent for capturing hand-offs between networks. Connecting to your rogue access point is quicker than reconnecting to the whole network, but only if the user doesn’t take notice of the captive portal screen displayed by WifiPhisher!
Another great feature of Managed mode is retaining any configuration applied to the target access point (for example, a specific VLAN or other firewall policy). This will allow you to clone the access point and have users connect to your WifiPhisher instead.
Raw mode is for those of us who want to operate our rogue wireless networks. No Wi-Fi encryption is applied by default in this mode, so be careful as you will be using an open network. But with that comes the opportunity to precisely craft your own 802.11 frames and inject them between access points to capture credentials.
To make it easier to start using WifiPhisher, we’ve added a couple of skins that make all of this functionality available through a web interface when run via a Raspberry Pi or BeagleBone Black!
You probably have learned how to crack WEP, WPA2, and WPS. But some people might find it harder to crack WPA2, and other might that it takes longer. Also, not every access point has WPS enabled. To solve these challenges, use Wifiphisher to get a Wi-Fi password without cracking it.
Steps in the Wifiphisher Technique
The approach here is to create an evil twin Access Point, then de-authenticate or DoS, the user from their actual AP. When they re-authenticate to your bogus AP with the same SSID, they will see a legitimate-looking webpage that requests their password because of some reason such as “firmware upgrade.” You capture their password when they give it to you, then allow them to use the lousy twin as their AP, so they don’t suspect anything. Splendid!
To summarize, Wifiphisher follows the following procedure:
- De-authenticate the user from their genuine and legitimate AP.
- Let the user authenticate to your evil twin.
- Provide a webpage to the user on a proxy that notifies them that a “firmware upgrade” has occurred and needs to be re-authenticated.
- The user continues to the web, unaware of what transpired, and the hacker gets the Wi-Fi password.
The Wifiphisher script is comparable to other tools such as Airsnarf. However, the Wifiphisher script is more sophisticated than other tools. Of course, you could also do the hacking manually, but now we have a script that automates the process entirely.
You’ll need Kali Linux and two wireless adapters, at least one of which must be capable of packet injection. I used the popular and reliableAlfa AWUS036H here. If you like, you may use others, but be sure they’re compatible with Aircrack-ng (packet injection supported).
Let’s take a look at Wifiphisher in action.
Step 1: Download and Install Wifiphisher
Here are the Wifiphisher requirements for getting the most out of it:
- The installation of Wifiphisher requires a functional Linux system. Wifiphisher has been successfully run on many distributions, but Kali Linux is the officially supported platform. Therefore all new features are primarily tested on this platform.
- Wifiphisher supports injection; therefore, at least one wireless card can packet injection (e.g., the Alfa AWUS036H).
- A wireless network adapter that can perform and supports AP & Monitor mode. Netlink support is necessary for drivers.
To begin, open a terminal in Kali. After that, get Wifiphisher from GitHub and unzip the package.
kali > tar -xvzf /root/wifiphisher-1.1.tar.gz
Step1: Installation of wifiphisher
To install the latest development version, type the following commands:
git clone https://github.com/wifiphisher/wifiphisher.git # Download the latest revision
cd wifiphisher # Switch to tool’s directory
sudo python setup.py install # Install any dependencies
Step2: Navigate to the Directory
Next, go to the directory that Wifiphisher created when it was unpacked. For me, it is /wifiphisher-1.1.
kali > cd wifiphisher-.1.1
The wifiphisher.py script is in the contents of that directory. Yp can list the content as follows:
kali > ls -l
Step3: Run the Script
Before running the script, you might want to install
Run the Wifiphisher script as follows:
kali > python wifiphisher.py
When you first run the script, it will prompt you to install “hostapd.” Install by typing “y” for yes. Next, it will proceed to install hostapd.
Once it finishes installing hostapd, proceed to execute the Wifiphisher script.
kali > python wifiphisher.py
It will start the webserver on ports 8080 and 443, then discover the available Wi-Fi networks.
When the scan is finished, it will show all of the Wi-Fi networks that it has discovered. In my case, it found the network “wetakootnet.” So that’s the network I used(not shown in this article).
Step 4: Launch Your attack & obtain the password.
Run Ctrl + C on your keyboard, and you will be prompted for the number of the AP you want to attack. In my case, it is 12.
Hit Enter and Wifiphisher will display a screen of the interface used and the SSID of the AP being attacked and cloned.
The target user has been de-authenticated from their AP. When they re-authenticate, they will be directed to the cloned evil twin access point.
When a user connects to the web, their request will be intercepted by the proxy on the server and sent back an authentic-looking message informing them that their router requires a firmware update and they need to re-authenticate.
When the user enters their password, it is sent to you through the open terminal of Wifiphisher. Thus, the user will be sent out to the Internet via your system without suspecting anything amiss.
Once you have obtained the credentials, proceed to exploit them.
Step 5: Manage Your Attack with Wifiphisher-GUI
I find the GUI very easy to use, and it is perfect for beginners. It also supports SSL Strip attacks. Type wifiphisher-gtk on your terminal to begin attacking the target.
Some people have indicated that they cannot find the networks. The following provides some troubleshooting for finding the networks.
As seen in the screenshot above, there is no network. When you run ifconfig wlano up. It returns “operation not possible due to RF-kill.” This means the network is blocked.
Let’s unblock it(see screenshot below)
Once you unblocked the card, do ifconfig again, and you should see the network.
The network manager is not working, so we have to check using the command nmcli n
If it is not running, turn it off and then restart it. But first, shut down the card before shutting down the network manager.
To turn the card off, use ifconfig wlano down.
RRestartnetwork manager and networking using the following command:
sudo service network-manager restart also restarts the networking using the following command:
sudo service networking restart
Run ifconfig now, and you should be able to see the networks!!
Warning: Always obtain permission/authorization before hacking any network that you do not own.