wifiphisher: automated WPA phishing (MitM) attacks

wifiphisher is a semi-automated Python utility that tries to reveal the WPA password of a WiFi network using social engineering. The technique is different from the brute-force attack used in tools like Pyrit. wifiphisher is installed by default on Kali Linux. In this article we explain how to install and run it on Ubuntu.

wifiphisher uses a 3 stage procedure to retrieve passwords:

  1. Uses DoS (Denial of Service) methods to disconnect the victim. The tool sends deauthentication packets from the access point to the client and vice versa. It also sends the same packets to the broadcast address.
  2. Creates a rogue access point based on the target access point’s settings. It also runs a fake NAT/DHCP server and does port forwarding. Because the jamming continues, the victim is forced to connect to the rogue access point. Hence, a Man in the Middle attack is initiated.
  3. Once the victim joins the rogue access point, he is served a router configuration page that looks authentic. It prompts for a router firmware upgrade and requests the password. If the victim enters the password, the tool reveals it in the console.
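Stage 1 seen from the defender's side, as an added example that is not part of the original article or of the wifiphisher project: a minimal parser for raw 802.11 deauthentication frames (standard 24-byte management header plus a 2-byte reason code) and a sliding-window detector that flags the burst pattern described above, deauths to the client, from the client and to the broadcast address. The MAC addresses, the capture, the 2-second window and the threshold of 10 frames are constructed for illustration.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP, CLIENT = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"  # constructed sample addresses

def parse_deauth(raw):
    """Return addresses and reason code of a raw 802.11 deauth frame, else None."""
    if len(raw) < 26:  # 24-byte management header plus 2-byte reason code
        return None
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", raw[:24])
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 0xC:  # type 0 (mgmt), subtype 12 (deauth)
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": mac(a1), "src": mac(a2), "bssid": mac(a3),
            "reason": struct.unpack("<H", raw[24:26])[0]}

def detect_deauth_flood(capture, window_s=2.0, threshold=10):
    """Alert on each BSSID whose deauth count in any sliding window reaches threshold,
    flagging broadcast-addressed deauths and frames spoofed in both directions."""
    per_bssid = {}
    for ts, raw in capture:  # capture: iterable of (timestamp, raw_frame)
        f = parse_deauth(raw)
        if f:
            per_bssid.setdefault(f["bssid"], []).append((ts, f))
    alerts = []
    for bssid, events in per_bssid.items():
        events.sort(key=lambda e: e[0])
        peak = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            srcs, dsts = {f["src"] for _, f in events}, {f["dst"] for _, f in events}
            alerts.append({"bssid": bssid, "count": peak, "broadcast": BROADCAST in dsts,
                           "bidirectional": bssid in srcs and bssid in dsts})
    return alerts

def _frame(subtype, dst, src, bssid, body=b"\x07\x00"):
    """Constructed 802.11 management frame for the sample capture (test data only)."""
    b = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack("<HH6s6s6sH", subtype << 4, 0, b(dst), b(src), b(bssid), 0) + body
def sample_capture():
    """Constructed capture: a beacon, one ordinary deauth, then an 18-frame burst."""
    cap = [(0.0, _frame(0x8, BROADCAST, AP, AP, b"")), (0.5, _frame(0xC, CLIENT, AP, AP))]
    for i in range(6):  # AP->client, client->AP and broadcast deauths, 0.1 s apart
        t = 10.0 + 0.1 * i
        cap += [(t, _frame(0xC, CLIENT, AP, AP)), (t + 0.01, _frame(0xC, AP, CLIENT, AP)),
                (t + 0.02, _frame(0xC, BROADCAST, AP, AP))]
    return cap
```

A single deauth from the AP (a normal client eviction) produces no alert; the burst does, with both traits flagged.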

Installation

Besides software dependencies, wifiphisher needs two wireless network interfaces, one capable of injection (how to test).

To install wifiphisher on Ubuntu:

$ sudo apt-get install python-scapy tcpdump isc-dhcp-server hostapd
$ git clone https://github.com/sophron/wifiphisher.git

Usage

To run wifiphisher:

$ cd wifiphisher
$ sudo ./wifiphisher.py
OR
$ sudo python ./wifiphisher.py

The steps beyond this are self-explanatory. wifiphisher detects the accessible access points. You press <Ctrl-c> and enter the number of the victim’s access point, and wifiphisher starts the attack. From here, everything is automatic: if it can lure the victim into entering his/her password, you get it in your console.

Detected Access Point list

A successful attack

wifiphisher options:

Short form   Long form            Explanation
-m           --maximum            Choose the maximum number of clients to deauth. The list of clients is emptied and repopulated after hitting the limit. Example: -m 5
-n           --noupdate           Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n
-t           --timeinterval       Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like ‘no buffer space’, try: -t .00001
-p           --packets            Choose the number of packets to send in each deauth burst. Default value is 1: 1 packet to the client and 1 packet to the AP. To send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2
-d           --directedonly       Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs.
-a           --accesspoint        Enter the MAC address of a specific access point to target.
-jI          --jamminginterface   Choose the interface for jamming. By default the script will find the most powerful interface and start monitor mode on it.
-aI          --apinterface        Choose the interface for the fake AP. By default the script will find the second most powerful interface and start monitor mode on it.

Note that wifiphisher may not work under several circumstances: the victim may smell something fishy and back off, or he may not remember the access point password, which is often saved on the device rather than memorized. In addition, secondary systems would likely trigger warnings when the target is redirected to the cloned login page, mainly because the ‘duped’ page is not served from a secure and authenticated origin.

On GitHub: wifiphisher

46 thoughts on “wifiphisher: automated WPA phishing (MitM) attacks”

  1. I’m using Ubuntu.
    It says starting fake access point but I only see the original access point from another device,
    and I’m not able to connect to it because of jamming.
    Is it not creating the fake access point? Help..
    I’m using 2 wireless cards.

  1. Hi there
    I am using a Netgear D500 and I think it has DoS protection. I am wondering if the router can be hackable by Wifiphisher or not…
    I am thinking of buying a TP-Link w722N; will you recommend it for Wifiphisher or other hacking work..?

  2. I have a PC and two WiFi adapters. One of the adapters has AP mode but the other doesn’t. Do I have to select the adapter or will it select the adapter by itself? Tell me how to attack with phishing….

  3. Whenever I try to run this, it loads the screen but then the screen just starts to flash every 5 seconds or so. Not sure if that is normal or not, but no information seems to be displayed, etc…

  4. [-] Unable to start HTTP server!
    [-] Another process is running on port 8080.
    [!] Closing

    I use Ubuntu 14.1!! Help please.

    1. Here’s a way to check which process is using port 8118:

      $ sudo netstat -tulpn | grep :8118
      tcp 0 0 127.0.0.1:8118 0.0.0.0:* LISTEN 2238/privoxy
      $ sudo ls -l /proc/2238/exe
      lrwxrwxrwx 1 root root 0 Jul 14 21:27 /proc/2238/exe -> /usr/sbin/privoxy

      1. Hi, I have this problem too, in Kali and Ubuntu 15. I changed the port in the “wifiphisher.py” file from 8080 to other ports and it always says that the port (8282, 8585, 50000 …) is used by another process.

  5. Sir, when I tried the apt-get install python command on Kali Linux
    it shows –
    Unable to locate package tcdump
    unable to locate package hostpad
