wifiphisher is a semi-automated python utility that tries to reveal the WPA password of a WiFi connection using social engineering. The technique is different from the brute-force attack used in tools like Pyrit. wifiphisher is installed by default on Kali Linux. In this article we will explain how to install and run it on Ubuntu.
wifiphisher uses a three-stage procedure to retrieve passwords:
- It uses DoS (Denial of Service) methods to disconnect the victim. The tool sends deauthentication packets from the access point to the client and vice versa. It also sends the same packets to the broadcast address.
- It creates a rogue access point based on the target access point's settings. It also fakes a NAT/DHCP server and does port forwarding. Because of the continuous deauthentication, the victim is forced to connect to the rogue access point, and a Man-in-the-Middle position is established.
- Once the victim joins the rogue access point, they are served a router configuration page that looks authentic. It prompts for a router firmware upgrade and requests the password. If the victim enters the password, the tool reveals it in the console.
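From a monitoring point of view, the first stage is the noisy one: a burst of deauthentication frames between one AP/client pair and to the broadcast address is rare in normal operation. The following added example (not part of the original article or of wifiphisher) shows a simple detector over constructed 802.11 frame records of the kind a wireless sensor would log; the MAC addresses, timestamps and threshold are assumptions.

```python
from collections import defaultdict

DEAUTH = 0x0C                      # 802.11 management frame subtype: Deauthentication
BEACON = 0x08                      # 802.11 management frame subtype: Beacon
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample addresses (not real devices).
AP = "aa:bb:cc:dd:ee:01"
CLIENT = "11:22:33:44:55:66"
OTHER_AP = "aa:bb:cc:dd:ee:02"

# Constructed sensor log: (timestamp_seconds, subtype, src_mac, dst_mac).
SAMPLE_FRAMES = [
    (0.0, BEACON, AP, BROADCAST),                        # ordinary beacon
    (5.0, DEAUTH, OTHER_AP, "de:ad:be:ef:00:01"),        # single, benign disconnect
]
# A burst in which spoofed frames go AP->client, client->AP and AP->broadcast,
# matching the three directions described in stage one above.
for i in range(12):
    t = 10.0 + i * 0.02
    SAMPLE_FRAMES += [(t, DEAUTH, AP, CLIENT), (t, DEAUTH, CLIENT, AP), (t, DEAUTH, AP, BROADCAST)]


def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Return one alert per address pair (or per src->broadcast) whose deauth
    frame count inside any sliding `window` of seconds exceeds `threshold`."""
    per_key = defaultdict(list)
    for ts, subtype, src, dst in sorted(frames):
        if subtype != DEAUTH:
            continue
        # Spoofed frames travel in both directions, so treat src/dst as an unordered
        # pair; broadcast deauths are tracked separately under the claimed sender.
        key = (src, dst) if dst == BROADCAST else tuple(sorted((src, dst)))
        per_key[key].append(ts)

    alerts = []
    for key, times in per_key.items():     # times are already sorted
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append({"pair": key, "peak_per_window": peak, "broadcast": key[1] == BROADCAST})
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(alert)
```

The benign single deauth from `OTHER_AP` produces no alert, while both the AP/client pair and the AP-to-broadcast stream are flagged.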
Besides software dependencies, wifiphisher needs two wireless network interfaces, one of which must be capable of packet injection (how to test).
To install wifiphisher on Ubuntu:
$ sudo apt-get install python-scapy tcpdump isc-dhcp-server hostapd
$ git clone https://github.com/sophron/wifiphisher.git
To run wifiphisher:
$ cd wifiphisher
$ sudo ./wifiphisher.py
OR
$ sudo python ./wifiphisher.py
The steps beyond this are self-explanatory. wifiphisher detects the accessible access points. You need to press <Ctrl-c> and enter the number of the victim's access point. wifiphisher then starts the attack. From here, everything is automatic and if it can lure the victim into entering his/her password, you get it in your console.
[Screenshot: Detected access point list]
[Screenshot: A successful attack]
| Short form | Long form | Explanation |
|---|---|---|
| -m | maximum | Choose the maximum number of clients to deauth. The list of clients will be emptied and repopulated after hitting the limit. Example: -m 5 |
| -n | noupdate | Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n |
| -t | timeinterval | Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like 'no buffer space' try: -t .00001 |
| -p | packets | Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2 |
| -d | directedonly | Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs |
| -a | accesspoint | Enter the MAC address of a specific access point to target |
| -jI | jamminginterface | Choose the interface for jamming. By default the script will find the most powerful interface and start monitor mode on it. |
| -aI | apinterface | Choose the interface for the fake AP. By default the script will find the second most powerful interface and start monitor mode on it. |
Note that wifiphisher may not work under several circumstances: the victim may smell something fishy and back off, or may not remember the access point password, which is often saved rather than memorized. In addition, other systems in the path are likely to raise warnings when the target is redirected to the cloned login page, mainly because the duped page is not served from a secure, authenticated origin.
On GitHub: wifiphisher