WiFi-Pumpkin framework for Rogue Wi-Fi Access Point Attack It helps a hacker to create a free open fake wifi and as soon as victim connects to the fake open wifi, he gets trapped. However, the best feature is that if your internet connection is working, victim will get access to internet. Hence, more chances of him to get trapped(Nice, isn’t it?).

First, to install Wifi-Pumpkin we type on terminal:

git clone //github.com/P0cL4bs/WiFi-Pumpkin.git

Once the cloning is done, we need to install. Hence, go to the installed directory of WiFi-Pumpkin and open it in terminal and type the following command to install it:

./installer.sh –install

Now, open the installed directory of wifi-pumpkin in terminal and type:

Python wifi-pumpkin.py

It will load wifi pumpkin in GUI as you can see in the screenshot below.

Now, all you have to do is configure your settings and click on ‘Start Access Point’.

Wait for some devices to connect. They will be displayed as you can see below. A good thing is that devices are automatically assigned a class A IP address.

In the victim’s phone PumpAP is created and he/she is accessing the internet without even knowing that they have fallen into the sweet trap of free internet!

While the victim is acessing Wi-Fi like usual, we can see his/her activity. As you can see in the below screenshot that we are able to capture victim’s phone’s “Hike Contacts.”

As soon as victim opens anyone’s profile on hike, their number is being captured by us!

Many other notable features include cookie capturing. As n the below screenshot, we can see victim’s device’s cookies being visible. Which is great to know as it may have something interesting?

We are also able to capture any credentials/ login id and password on any http website.

As you can see below that victim has logged in into way2sms.com and their ID and password are being recorded.

For even better case scenarios, when many of victims will be connected to your fake Wireless Network thinking they are in luck, we will be recording everything in clear text. If we are unable to see everything on terminal, don’t worry, WiFi-Pumpkin has stored everything category wise.

Now, we go to the directory:

/WiFi-Pumpkin/logs/AccessPoint

In that directory many log files are present that have captured numerous items. One such text file is “credentials.log”

Here, we will see all the login details

Another notable file is the “urls.log”

We can see all the accessed urls on victim’s device, along with their IP address.

So, this is how you allure victims into free internet and steal data without even letting them know!

GERIX WIFI CRACKER is a GUI wireless 802.11 penetration tools which uses the aircrack-ng method behind its point and click method to crack the wifi password.

First of all clone the github repo with command:

git clone //github.com/J4r3tt/gerix-wifi-cracker-2.git

Now inside the installed directory give the gerix.py file permission to execute with command:

chmod +x gerix.py

and then start the gerix wifi cracker with command:

python gerix.py

Now a GUI window will appear, click on Reload the Wireless Interfaces and when the wireless interface appears click on it i.e. wlan0 in my case and then click on Enable/Disable Monitor Mode to enable the monitor mode from managed mode.

After enabling the monitor mode the wireless interface name will be changed to wlan0mon and the mode will be monitor .Now for scanning the wireless networks select the monitor mode interface (wlan0mon in my case) and then click on Rescan networks.

After scanning networks select you target by clicking on it as in my case i have selected tp link and then go to WPA tab (As the target AP is using WPA2 security).

After clicking on WPA tab, go to general functionalities and start sniffing and logging by clicking on it and a terminal window will appear capturing the packets of the target AP.

Now without closing the terminal windows got to WPA attack section and click on Autoload victim clients who will load victim client MAC address to deauthenticate and now click on Client Deauthentication to disconnect the victim so that we can capture the handshake.

Now as you can see WPA handshake is successfully captured and same can be seen in the top right corner of the terminal window. Now close the terminal window.

Now we have to crack the password from the captured file so got to Cracking tab and then to WPA bruteforce cracking section and give the dictionary path in the Add your dictionary field and then click on Aircrack-ng  -Crack WPA password .(you can also choose any other method for cracking like pyrite and rainbow tables)

As you can see it has successfully cracked the password.

Author: Himanshu Gupta is an InfoSec Researcher | Technical writer. You can follow him on LinkedIn .

This is the classical method of wireless password cracking .All the tools use this method in one way or other.

First start the monitor mode which will listen to all the wifi connections nearby with command:

airmon-ng start wlan0

In your lower right corner you will see written. monitor mode enabled for [phy1]wlan0mon

Now run the following command to confirm that our wifi adaptor is in monitor mode, so run command:

ifconfig

which will show you the wifi adaptor as wlan0mon meaning adaptor is in monitor mode.

Now run command:

airodump-ng wlan0mon

The above command will start listening to all the available wifi connections.

Now when your target appeas hit ctrl^c and then to capture the handshake type command:

airodump-ng -c 7 –bssid C8:XX:35:XX:FD:F0  –write 1 wlan0mon

Here,

 -c is the channel no. of the AP which will be listed in CH column in the output of above command as in my case it is 7.

–bssid is the MAC address of the target AP as in my case it is rajlab and bssid is  C8:3A:XX:44:XX:F0

–write is the capture file in which the capture packets will be saved as in my case i have named it as 1 . 

Now start the deauth attack to disconnect all the connected clients to that AP which will help in capturing the handshake with command:

aireplay-ng -0 100 –a XX:3A:35:XX:FD:F0  -e rajlab wlan0mon

Here,

-0 is used for deauth attack

100 is no. of deauth packets to be sent

-a is the target AP MAC address

-e is ESSID of the target AP i.e. name of the target AP 

After launching the deauth attack we will get the WPA handshake in the previous terminal window in the top right corner then hit ctrl^c.

Now we have to crack the password with aircrack-ng so type command :

aircrack-ng 1-01.cap –w /usr/share/nmap/nselib/data/passwords.lst

Here,

1-01.cap is the capture file we generated in the airodump-ng .

-w is the dictionary to be used to perform dictionary attack

In my case the key is found as KEY FOUND! [raj123987]

Author: Himanshu Gupta is a Information Security Researcher | Technical writer. You can follow him on LinkedIn .