First, a little background:
Wifiphisher is a WiFi social engineering tool that automates phishing attacks against WiFi networks. Wifiphisher is written in Python and was developed by Greek security researcher George Chatzisofroniou.
Wifiphisher made waves in the wireless security world because of its unconventional attack method. Unlike traditional WiFi attacks, it doesn’t involve any of the handshake capture or password brute-forcing that anyone who’s tested wireless networks has become accustomed to. Wifiphisher’s attack success relies on social engineering victims into handing you the wireless network key and more, as we’ll see below.
Wifiphisher’s operation can be summarized as a 3-stage attack:
- Start a fake wireless access point (AP) – also known as an “evil twin”
- Force victims to deauthenticate from the legitimate AP by sending deauthentication packets to them and to the access point they’re connected to.
- Get them to connect to your evil twin and serve them a web page that tricks them into giving you the wireless network password.
It may seem like a lot of work, but one of the best things about Wifiphisher is its automation. All of the above can be done with a minimum amount of interaction from the operator. Wifiphisher’s deauthentication attack is inspired by Dan McInerney’s Wifijammer, which you should definitely check out.
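Seen from the defender's side, two of the stages above are visible on the air: a second AP advertising an existing network name, and a burst of deauthentication frames aimed at the legitimate AP. The Python below is an added example, not code from the original post or from Wifiphisher; the AP inventory, the frame records and the window/threshold values are constructed assumptions.

```python
"""Correlate evil-twin beacons with deauthentication bursts (added example)."""
from collections import defaultdict, deque

# Constructed inventory of legitimate APs: SSID -> {BSSID: expected security}.
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:00:00:01": "WPA2"}}

LEGIT, ROGUE = "aa:bb:cc:00:00:01", "02:11:22:33:44:55"

# Constructed management-frame summaries, as a monitor-mode sensor might
# export them: (time_s, subtype, bssid, ssid, security).
SAMPLE_FRAMES = [
    (0.0, "beacon", LEGIT, "CorpWiFi", "WPA2"),
    (0.1, "beacon", "aa:bb:cc:00:00:09", "Guest", "OPEN"),   # unrelated network
    (5.0, "beacon", ROGUE, "CorpWiFi", "OPEN"),               # same name, new radio
    (60.0, "deauth", LEGIT, None, None),                      # isolated, normal
] + [(5.2 + i * 0.05, "deauth", LEGIT, None, None) for i in range(12)]


def find_evil_twins(frames, known_aps):
    """Beacons that reuse an inventoried SSID from an unexpected radio/config."""
    findings = set()
    for _, subtype, bssid, ssid, security in frames:
        if subtype != "beacon" or ssid not in known_aps:
            continue
        expected = known_aps[ssid].get(bssid)
        if expected is None:
            findings.add((ssid, bssid, "unknown BSSID"))
        elif expected != security:
            # A cloned BSSID still shows up if its security settings differ.
            findings.add((ssid, bssid, "security mismatch"))
    return sorted(findings)


def find_deauth_bursts(frames, window=1.0, threshold=10):
    """Return {bssid: peak deauth count} where a sliding window hits threshold."""
    recent, bursts = defaultdict(deque), {}
    for ts, subtype, bssid, _, _ in sorted(frames, key=lambda f: f[0]):
        if subtype != "deauth":
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:      # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            bursts[bssid] = max(bursts.get(bssid, 0), len(q))
    return bursts


def correlate(frames, known_aps):
    """Raise severity when a twin appears while the real AP is being deauthed."""
    bursts = find_deauth_bursts(frames)
    alerts = []
    for ssid, bssid, reason in find_evil_twins(frames, known_aps):
        jammed = sorted(b for b in known_aps[ssid] if b in bursts)
        alerts.append({
            "ssid": ssid, "suspect_bssid": bssid, "reason": reason,
            "deauth_burst_on": jammed,
            "severity": "high" if jammed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_FRAMES, KNOWN_APS):
        print(alert)
```

A lone deauthentication frame is normal roaming behaviour, which is why the sample's isolated frame at 60 s does not trigger; it is the burst coinciding with a duplicate SSID that raises the severity.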
To run Wifiphisher you will need:
- A Linux system.
- 2 wireless network adapters; one capable of injection (for the deauthentication attack). I’m partial to Alfa cards, so I’d recommend one of those; like the Alfa AWUS036H or the Alfa AWUS051NH.
Playing with Wifiphisher:
Wifiphisher was initially built to capture wireless network credentials. At the time of writing, it has 3 phishing scenarios; its most popular being the “firmware-upgrade” page below.
Wifiphisher uses this web page to trick targets into giving up the wireless network password by convincing them that it is required for a router firmware upgrade. Once the user enters the passphrase, it is displayed on the operator’s terminal and Wifiphisher shuts down the fake access point, hopefully leaving the target none the wiser about what just happened.
Adding phishing scenarios:
After using Wifiphisher for a few weeks, I figured that it would be fun to add a few more phishing scenarios to its arsenal. Unfortunately, Wifiphisher can’t contain any third-party material (such as logos or proprietary templates) due to copyright reasons; so no phishing pages for popular social media sites 🙁
But since I have no intention of distributing this modified version on Github, I figured it would be okay to go ahead and mess around with it anyway.
Creating a phishing page is usually pretty straightforward; download the original phishing page onto your system and modify the page’s login form to collect credentials.
The only catch with Wifiphisher is that when the attack is being executed, BOTH its operator (you) and the target will lose internet connectivity, meaning all phishing pages need to be standalone i.e. they can’t rely on any online resources. Luckily, wget makes downloading web pages and all their requirements really simple:
$ wget -E -H -k -K -p <insert URL here>
Running this should get you all the files you’ll need to set up your phishing page. I’ll be using the LinkedIn sign-in page for this post.
Wifiphisher captures credentials by logging all POST requests that are prefixed with the string “wfphshr”, meaning we’ll have to edit the username/email and password fields in our web page so that they carry the “wfphshr” prefix.
The prefix can be whatever you want it to be, so long as the prefix in Wifiphisher’s code and the web pages are uniform. The login form method also has to be POST, but this is almost always the case these days. Lastly, we add the new phishing option to Wifiphisher’s menu. That’s it, that’s all it takes to prep a phishing page for use. Now all I had to do was repeat the process for all the scenarios I wanted to add. After that I changed Wifiphisher’s phishing page menu to incorporate all the phishing options I added.
Testing it out:
1. Run Wifiphisher and select the strongest interface.
NOTE: I also modified Wifiphisher’s interface selection menu. If run without any arguments, Wifiphisher will automatically select the most powerful wireless interface as the jamming interface. It does this by scanning all WiFi networks in the area with all available wireless adapters; the interface that detects the most wireless networks gets selected as the jamming interface. This is alright and works pretty well on most runs, but I’ve found that on some occasions the wrong (weaker) interface will be selected. If the wrong card gets selected, the jamming stage of the attack might not even work, because most laptops’ internal network adapters don’t support packet injection. You can still run Wifiphisher with arguments to manually specify the jamming interface, but I still wanted to change the default run option to use manual interface selection. The interface selection I used is inspired by Wifite.
2. Select a phishing scenario
3. Select a WiFi network to target and wait for Wifiphisher to start the fake AP.
4. Targets begin to connect to your evil twin
5. Target-side: Target is served the phishing page you selected, regardless of the site they browse to.
6. Harvest credentials 🙂
NOTE: I also had to modify Wifiphisher’s request handler. It’s configured to automatically shut down after 1 user inputs credentials. However, because I want to be able to collect more than just 1 user’s credentials, I removed the automatic shutdown.
Taking it further:
If we can display any web page to a target that successfully connects to our evil AP, why not serve them a page which advises them to download and install some “helpful” software? How about everybody’s favorite, Adobe Flash Player?
1. First we download the Adobe Flash Player installation page
2. Next we change the download button to point to a file hosted on our system (adobe_update.exe). We’ll also reword the page’s text to convince our target to download the update file.
3. Prepare the payload. There are countless ways to do this, and I can’t get into the various options available right now. So for this post, I’m just going to use Shellter to inject a Metasploit reverse shell payload into an executable; any Windows executable will do. You can change the executable’s icon to Adobe’s logo to make it more convincing.
4. Fire up Wifiphisher and select the payload download option. I added a payload selection prompt when the “Adobe Flash Update” scenario is selected. All we have to do here is give it the full path to the payload we just prepared.
5. Wait for a target to connect to us.
6. Target-side: Target is served the Adobe update page as they try to browse and is convinced to download and install the update. We’ll even have our target scan it with their AV first, just in case the update isn’t legit.
7. Target runs the update file and we get shell 🙂
NOTE: I suggest using a payload that connects to a public Metasploit listener, so when you shut down your evil twin, regardless of what network the user connects to next, you’ll successfully get a shell.
Conclusion:
I had a lot of fun messing around with Wifiphisher. I wasn’t able to contribute any of the scenarios in this post to the official version because of all the potential copyright violations mentioned earlier, but I did contribute a generic copyright-free payload download scenario. You can check out the “browser plugin update” scenario in the official Wifiphisher if you want to try out the payload attack above for yourself. Happy hunting.
Update:
I won’t be distributing this custom version of Wifiphisher any more since the official version of Wifiphisher now supports custom templates and a lot more features than this old mod. You can get Wifiphisher here.
Can we add BeEF into this?
Yeah, definitely. It’s a pretty great idea 🙂
It will work especially well when Wifiphisher is updated to provide internet connectivity to the target during the attack, there are plans to do so; https://github.com/sophron/wifiphisher/issues/270.
hi VIVI can I test your version of wifiphisher ?
Monahamburgle@gmail.com
👍
Is it possible to test your version of wifiphisher ?
Sure. I’ll send you a direct download link.
👍, excellent!
I would also like to test your version. Good Work!!!
No problem.
Can I try a copy of this version? Many thanks. 👍👍
Sure.
Hey Vivi, Can you please mail your version of wifiphisher. This article came just what i need at the moment. I am testing a new external wireless adaptor but unable to make it AP interface.
Hey, Pratham. Yeah, no problem.
Hello Vivi, great post i was just testing wifiphisher could i also test your version of wifiphisher? best regards 😀
Sure 👍
Oh, this would be much appreciated as well. I would love to make some modifications to yours as well.
👍
Please can you send me your version of wifiphisher, I need that option for router administration? Thanks!
Sure 👍
I download it and it is awesome but I thought router administration is when it asked about username and password http://prntscr.com/clid32. Please can you make this?
Can you share your version ?
👍
good work VIVI !
when I run wifiphisher I can’t see linkedin in my menu, only default functions like “firmware upgrade, oauth-login, plugin update” etc.
can you send me your version please thanks!
👍
I would also like to test your version. Good Work!!!
👍
Hey vivi… seeing your post… you are master. But I’m confused to add more scenario. It said error 404 not found. Can you please share your wifiphisher version? Lot thanks
👍
HI VIVI
Many thanks for your hard work
Please can you send me your version of wifiphisher
👍
Nice write up, I really enjoyed reading it. Now I’m curious to try out all of these features! May I have a copy of your version too? I’m still not so good at Python but I believe that comparing the original version with this one will be a really good study!
Cheers
No problem.
Thanks man! It’s time to learn something. 🙂
Have a nice day!
Very good post, I am studying these methods to increase my knowledge, I would like to try your own version.
👍
Hello sir
Is it possible to test your version I respect you very much
👍
Good job man
I was trying to do that but I can’t. If you can send me your version to test it and learn how you do it; my Python knowledge is a little poor and I want to learn more.
Thanks
👍
Can I get a copy?
Please email it to me at wynter.xyz@gmail.com
Thanks!
👍
That’s cool dude
good work!!!!!
could i get a copy?
🙂
👍
Do you have a video tutorial on this, if not can you make one. I real want to do a scenario of my own I found some screenshots missing (and I’m a noon in this field). Tell me if I can copy a webpage using “save as” on any browser or “wget” is compulsory!
I don’t have a video tutorial. Please note that the current version of Wifiphisher has changed significantly from the version in this post, you can go through its documentation to better understand the process of adding scenarios
‘Save as’ will work for some web pages, but for others you’ll be forced to use wget to download its dependencies, it all depends on the target page’s design.
HI VIVI
Many thanks for your hard work, very good post.
Please can you send me your version of wifiphisher
Thanks
👍
great job vivi
Can I try a copy of this version? Many thanks.
this is my email address: nounimarochiokarito@gmail.com
👍
Thank You so much for your work, I really need the option to specify which card to jam, the official program always chooses the wrong one, Can I please test yours?
Wifiphisher allows you to manually pick which card to jam with using the ‘--jamminginterface’ or ‘-jI’ switch when you’re running it. Check out the usage examples on its Github page. I’ll also send you this modded version.
Hi VIVI,
It looks awesome! I’m stuck right now with Wifiphisher trying to inject a reverse shell in an android device (and it’s not working). I’d like to try your version, can you provide it? tks, my email: corugedo@yahoo.com
TKS & regards
👍
Hi Guys,
You made an absolutely beautiful modded version. And I want to test it, can you share your modded version with me please.
Pleasure to read you !
S
👍
You did some really interesting things there! Personally I haven’t been that successful with the official WifiPhisher. But I would love to toy around with your version! A share would be greatly appreciated.
Keep it up!
Hello Dear. Admin page script language change Possible ?
Vivi ♥ You’re awesome !
Keep the good work !
i would love to use your version ♥ thanks for sharing ^^
👍
Is it possible to test your version .Script language change possible ?
👍
Hi Vivi. I use google translator. I would like to test your build. is it possible to change the language in the script? With respect Alex
👍
First let me thank you for this great Tutorial
Is it possible to get a copy of your version
Thanks
👍
thank you so much
Hello Vivi
Great tutorial, I love it! Can you email me your version of wifiphisher?
Thank you!
👍
Very interesting tool. Can I have a copy to play around please…
Questions: Have 2 USB adapter RTL8187 and RT2870. Are these adapters able to handle wifiphisher ?
Thanks
If at least one supports injection they should work with Wifiphisher. You can test injection support by running aireplay against the interface(s) e.g.
$ aireplay-ng -9 wlan0
Quickly test it with few runs…unfortunately with no luck at this point.
– Your version using one single interface only. Tried RTL8187, it does the injection okay but when the target client is actually connecting to the fake AP, the browser doesn’t respond at all; however, it is able to obtain an IP (10.0…), the browser is just stuck with nothing. Not sure if RTL8187 supports AP interface or not (iw info does show that it supports AP interface).
– Using RT2870 again, it does support injection (shown with aireplay-ng --test xxxxmon) even if not as good as RTL8187. It reacts similarly to RTL8187 with no response.
– After play around with wifiphisher, Kali 2 Network Manager not running any more, must reboot… why ?
Will testing more when have time…Thanks
Just thought, for target router WPA/WPA2, the pop up should be simple as normal windows connection prompt withOUT any logo/details, likely the best tactical approach. Simple pop-up window asking for WPA/WPA2 pass key will do it because
- if the target user knows about modem/router, s/he will likely not respond if they see something out of the ordinary, such as the logo NOT matching their modem/router brand. It will not just fail once but rather fail to target the same AP again forever…
- if the user doesn’t know much about it, firmware update/upgrade sounds like too much for them to handle, so they would rather give up and let others take care of it. So you likely fail again.
– best effective approach is simple for them to handle and deal with.
cheers
Hi, could I get a copy of your version please? Also my WGET is missing pictures and other important parts, how can I help this?
👍
Hey Vivi, is it possible to try your version of wifiphisher? Nice work BTW
👍
How did you change wifiphisher to be not have it exit after stealing just a single user’s credentials? Thanks in advance.
Good job on this Vivi, I would like to contribute to your work on this tool. Kindly share a link to the file. Thanks and keep up with the fantastic work
👍
Could you send me a link of your version of wifiphisher to test?
Thank you!
👍
Hey Vivi, is it possible to try your version of wifiphisher?
Thank’s Man
👍
Hey Vivi, nice work, can i also get a version of your wifiphisher?
Thank’s
👍
Hello Vivi,
great work on the wifiphisher modifications, any chance to give your version a Try?
👍
Hi, can I get a copy of your version please , really good work ? I would really love to try ……thanks …
👍
Hello bro Vivi, I am looking for a few months so good work. Can I get your excellent work? Thanks.
👍
Thanks, It Works !
amazing work on all these scenarios, can I have your version try, please?
Good work, well done.
👍
Hello please share your wifiphisher version with me too 🙂 I would LOVE to try yours. Thank you very much and good work!
👍
Could you explain how to keep it running after 1 person enters credentials? I’m altering the phishing page to simply capture an email, no password, and I’d like to be able to see how many people enter legit emails. I will later confront them to discuss additional security training. Thank you.
The latest version keeps running after collecting info, so it does what I need for now. You can delete my question/comment if you’d like.
That’s great. I was going to mention that the Wifiphisher version used in this article is pretty old. I had to modify the class that manages the web server and remove the shutdown statement after a POST request is logged. I haven’t gotten around to looking through the updated version’s code yet but I can already tell that a lot has changed.
I would like to use your version of wifiphisher. If you can share it, would be perfect.
👍
Thank you. Very, very interesting. Can you explain how did you do that in details?
And… may I have your version either?
Sorry ) Wrong e-mail…
👍
I would like to use your version of wifiphisher..I send me one
👍
but it doesn’t jam the devices …. although i have two wireless adapters that can injection…. any help i am using live wifislax
Hi vivi
May I have your version please ?
Many thanks.
👍
I see url in browser 10.0.0.7, I dont know how to make spoof for example https://login.blabla.com or whatever. Maybe I need your version too for education, thank you.
👍
can you make one that create ap that looks like a normal one that ask for the wifi password at wifi manager
Greetings from Montenegro! 🙂
Can you please send me the download link for your version of wifiphisher?
👍
can you modify linset please
Great work. Love it could I please get a copy also at mgiles6229@gmail.com
👍
can i have one copy please? thank you
👍
Good work on the blog and *pentesting can I have dl for your version of wifiphisher? thanks
Thanks. Yeah, no problem 👍
Dude congrats for your best version, may I have a copy for educational purpose? Thanks
👍
I love your work, you are excellent doing this tutorial and sharing your knowledge, can i try your Wifiphisher version? Thanks from Mexico
👍
Can I get one too
Vivi a huge fan of your work… I am really looking forward to test your version of wifiphisher…plz send me your version of wifiphisher on harsaxena@gmail.com
👍
Not able to connect to fake ap
Could you please share your version for personal use? Much appreciated.
👍
Hi,
Can i get a copy, want to test it with my own wifi and pc. Thanks in advance
Hi Vivi,
Hope you are doing fine. Can you share your version for testing purposes/ personal use. I will appreciate it very much. Thanks again
Kind Regards,
George
👍
Hie VIVI, May l please try that super modded version of yours please 🙂
👍
Can I try a copy of this version? Many thanks
👍
Hi VIVI, a very interesting material, I wanted to ask you for a copy of the script for studying phishing attacks.
👍
Hello Sir!
greetings from PH. can I use your version, the latest version is very different from the one above.
Thank you in advance.
👍
Hello VIVI, wow what a great tutorial. I’ve already tried flu*ion & wifiphisher. But your wifiphisher version looks much better. Way better. May i get copy of your version by email? I already play with wifiphisher and the official one seems not “legit” with all available scenarios. Thank you so much. And thank God i found this website 😀
👍
Hey VIVI. Can you send me your version please? Thanks
👍
Thanks a lot VIVI!!
hey man! that was pretty amazing! I always wondered if I can add my own phishing pages to fluxion or wifiphisher, but I couldn’t figure it out! can you please send me your version so that maybe I can find the pattern in the script and play a little bit with it!
Thank you so much! greetings and appreciation from Belgium
👍
hey man sorry I messed up my email its a “.” instead of an “-” (H*****.hatim@gmail.com) ! sorry about that and thank you so much <3
good post and great work VIVI
I always wanted to play with wifiphisher script, add my own phishing pages and modify the request handler to capture more than one user’s credentials, can you please send me your version!! to learn more tricks about that
👍
Wow, great work, can I have a copy please to play with :0)
👍
pls send the file to me 🙂 want to try it
👍
Great work, can I have a copy please. thx man.
👍
Hello VIVI!
Can I try a copy of your version i will be very thankful !
👍
Great stuff! May I try your version, please? I teach Tech/Math/Physics at a high school. 🙂
👍
hai vivi, i have question. how if i only have 1 wireless card? it still run right? i mean what is the effect if we only use 1 wifi card?
Hi. The tool will still run, but you won’t be able to use the deauthentication attack. Run Wifiphisher with the --nojamming option.
Hi VIVI. can i give the version you created a go please. it was interesting to read your step-by-step procedures. thank you in advance. also what are best security practices to prevent wifi phishing attacks ?
Sure. A few general tips are switch your WiFi off when you’re not using it, avoid using public WiFi without additional security measures e.g. a VPN and just be aware of what’s going on with your browser/network connection. A little paranoia never hurt anyone.
Hi,
first of all, great work! I ended up on your website as I was reading some issues on the Wifiphisher github and Sophron told somebody to take a look here.
Your version is pretty neat, can you send a copy for my email so I can test it?
Greetings from Brazil
👍
Hello VIVI, your tutorial is very good, I learned a lot of things, can you send a copy of this version to me?thank you very much!
👍
Hi,
really good job
can we speak through mail or here?
Very hard for me to get it works this tool.
Thanks in advance.
You gotta be tired of people asking this by now haha,
But could you send me a copy of your upgraded version ?
I think you did amazing work here, I love what you did with the interface, along with all the other templates added. I am very curious to see how you implemented the new templates into wifiphisher along with the new interface. I tried to figure it out on my own at first, as I’m sure others did too; it seemed fairly extensive and I commend you for it, haha
(p.s. have you seen the “new” facebook-wifi, businesses use it, you have to sign in to facebook and check in at a place in order to use their wifi, I think it would fit really well into Wifiphisher, makes for a little more convincing phishing attack than a regular facebook login portal that wifiphisher came with, I mean what kind of wifi spot just asks someone to log into facebook for no good reason)
Hehe. Just a little tired.
I should clarify that this ISN’T an upgraded version. It’s just a mod of a very old version (> 1 year) of Wifiphisher.
Wifiphisher has evolved a lot since then and the code base has changed significantly. The most recent version has a lot more features and improvements. I’ve sent you this old mod, but I’d advise you to use the most recent version of the tool. It now has an in-built template engine and a lot more phishing scenarios than it did when I wrote this blog-post.
Hi!
great job vivi
Can I try a copy of this version? Many thanks.
this is my email address: kysitrang@gmail.com
👍
VIVI
would you please send me the link of your version to test it ??
dear VIVI
I tried the steps to add the new pages to the directory (wifiphisher --> data --> phishing pages)
and i got the default page, so would you please tell how can i use your new pages??
Hi, Mohamed. You should check out the “Creating a custom phishing scenario” in the Wifiphisher documentation.
There are a few other steps such as creating a config.ini file that you need to do as well. The steps in this blogpost are for a much older version of Wifiphisher.
can you make it run on one wifi adapter and support channel hopping like in this article https://github.com/wifiphisher/wifiphisher/issues/652 ….. and can you have a look at this https://github.com/wifiphisher/wifiphisher/issues/494
Hi, Mina.
I’m not actually on the development team, I just really liked the tool and decided to put up a blogpost about it.
From what I can tell, Sophron and the rest of the team have plans to implement some of those recommendations.
I really liked this post and would love to test your version of wifiphisher, can you email me the link?
Hi Viv,
Thanks for the insights. Can you please send me a direct download link of your version of wifiphisher to my email address : anishmi123@gmail.com.
Thank you.
Regards,
Anish
ok .. but i was talking about your version . to put these futures in them
.. it will be great if you join the development team ☺️☺️
*to put these Features in it
Can i test your version?
excellent idea, I’d like to try your version: lusitosaro12@gmail.com
Hello,
Can I try a copy of your version i will be very thankful !
Very interesting tool, just recently discovered your version/modifications. I would be very grateful if you could provide a link of your version to test. Please Keep up the great articles, it would also be great if your site had an option to donate some crypto-currency.