WiFi Exploitation with WifiPhisher
Hello friends! Today we are going to demonstrate WIFI- Phishing attack by using the very great tool “WIFIphisher”, please read its description for more details.
Wifiphisher is a security tool that mounts automated victim-customized phishing attacks against WiFi clients in order to obtain credentials or infect the victims with malware. It is primarily a social engineering attack that unlike other methods it does not include any brute forcing. It is an easy way for obtaining credentials from captive portals and third-party login pages (e.g. in social networks) or WPA/WPA2 pre-shared keys.
- Kali Linux.
- Two WiFi adapter; one that supports AP mode and another that supports monitor mode.
After achieving a man-in-the-middle position using the Evil Twin or KARMA attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page.
From the victim’s perspective, the attack makes use in three phases:
- The victim is being deauthenticated from her access point. Wifiphisher continuously jams all of the target access point’s WiFi devices within range by forging “De-authenticate” or “Disassociate” packets to disrupt existing associations.
- Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point’s settings. It then creates a rogue wireless access point that is modeled by the target. It also sets up a NAT/DHCP server and forwards the right ports. Consequently, because of the jamming, clients will eventually start connecting to the rogue access point. After this phase, the victim is MiTMed. Furthermore, Wifiphisher listens to probe request frames and spoofs “known” open networks to cause automatic association.
- The victim is being served a realistic specially customized phishing page. Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests. As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for credentials or serves malware. This page will be specifically crafted for the victim. For example, a router config-looking page will contain logos of the victim’s vendor. The tool supports community-built templates for different phishing scenarios.
Open the terminal in your Kali Linux and type the following command to download wifiphisher from GitHub.
git clone https://github.com/wifiphisher/wifiphisher.git
Once it gets downloaded, run the python file to install its setup and dependencies as shown below:
python setup.py install
Now run the script by typing wifiphisher on the terminal to launch a wifi-phishing attack which as similar as social engineering.
Here it will fetch all interfaces as shown in the given image and let an attacker choose any one ESSID/BSSID of the target network and try to trap victim by performing phishing. It will also perform both Evil Twin and KARMA attacks.
From the list of the interface, I had targeted “iball-baton” to trap the victim connect from it.
After that you will get 4 phishing scenarios to trap your target as given below:
- Firmware Upgrade page
- Network Manager connect
- Browser plugin update
- Oauth login Page
Now let’s go through each phishing scenario one by one starting from the 1st option.
Firmware Upgrade page: A router configuration page without logos or brands asking for WPA/WPA2 password due to a Firmware Upgrade page.
Now when the victim will open his browser Firefox he will get a phishing page to upgrade the firmware that needs WPA/WPA2 password for installing a new version of firmware.
The victim may consider it as an official notification and go for upgrading by submitting his WIFI password. As the victim enter the password for WPA/WPA2 and click on start upgrade, he will get trap into a fake upgrade process.
Following image is pretending to the victim that firmware is being upgraded don’t close the process until it completed while at the background the attacker has captured the WPA/WPA2 password.
Great!! You can confirm the WPA/WPA2 password as shown in given below image, it is showing WPA –password: ram123456ram
Once again repeat the same step to select ESSID.
Now let us go through another phishing scenario from the 2nd option.
Network Manager Connect: Imitates the behavior of the network manager. This templates show’s chrome “connection Failed” page and displays a network manager window through the page asking for the pre=shared key. Currently, the network managers of windows and Mac Os are supported.
Now when the victim will open browser he will get a fake page for “connection failed” and moreover a fake window for the network manager.
Here target will click on “connect” to reconnect with the interface.
It asks to enter the password for connection with the selected interface while at the background the attacker will capture the WPA/WPA2 password.
Great!! Again you can confirm the WPA/WPA2 password as shown in given below image, it has captured WPA –password: ram123456ram
Repeat the same step to choose ESSID for the attack.
Browser plugin update: A generic browser plugin update page that can be used to serve payloads to the victims.
It will create a .exe payload and run multi handler in the background for reverse connection of the victim system.
Now when the victim opens browser he will get another fake page for Update plugins as shown in the given image. here is recommended to update the flash player which is outdated.
Now when the victim will click on Update Now, it will start downloading an update.exe file into a victim’s system which is nothing but an exe backdoor file for making unauthorized access in his system.
Awesome!! The attacker will get the reverse connection of the target’s system, from given below image you can see it has open meterpreter session 1.
Repeat the same step to choose ESSID for the attack.
Now move forward with its last option i.e. 4th option.
OAuth Login Page: A free WIFI service asking for a Facebook credential to authenticate using OAuth.
At this time when the victim will open a browser, he may get trap into phishing page set as “Get Connect to the Internet For free” as shown in the given image.
So when the victim will enter his Facebook credential for accessing free internet he will get trap in that phishing attack.
Here you can see a victim enters a username with password and click on the login for the Facebook connection he got an error message meanwhile attacker has capture victim’s Facebook credentials.
Wonderful!! An attacker successfully traps the victim and fetched his Facebook account credential.
Author: Sanjeet Kumar is an Information Security Analyst | Pentester | Researcher Contact Here