wifiphishing wifiphisher in kali linux

[flok]

Hello,

Directly to the problem

Lets suppose somehow I have managed to connect 1 target in my fake AP (evil twin method). But I found the target should manually visit web page to enter wpa2 pass code. Is there any way to force the target or somehow force the device connected in my fake AP to visit the webpage automatically as ISP do with their hotspot user.

 

Thank you

[Cap_Sig]

I don't know about wifiphisher but this is how fluxion and airgeddon (evil captive portal) work with captive portal.  Once a target connects, they will be immediately redirected to the login page until the correct password is entered.  

Fluxion comes with a lot more portal options but airgeddon has more features.

[flok]

15 hours ago, trapman16 said:

I don't know about wifiphisher but this is how fluxion and airgeddon (evil captive portal) work with captive portal.  Once a target connects, they will be immediately redirected to the login page until the correct password is entered.  

Fluxion comes with a lot more portal options but airgeddon has more features.

Thank you trapman16. But I used fluxion 2, while using that also my target were not forced to visit the webpage. They needed to visit it manaully by browser. I know if they try to visit any website they would be redirected to my page but is there any way that browser itself opens after connecting my fake AP.

Also, google, facebook and some others site warns the user that they are being redirected and would not let them to visit my fake page.

Is there a solution?

Thank you

[digip]

You need to also poison DNS and redirect them to the portal page. I use Fruity WiFi on Kali to test at home and have redirected to my own fake portal page. You also need to have a web server running to serve them the page as well, or they won't be able to load it. Wifiphisher may run it's own, not sure. Many tools implement simple HTTP servers in python for attacks, but you can do this many different ways. 

Basically you need 3 things in place.

1 - fake AP/connection to your network

2 - poisoned/fake DNS responder

3 - Web server to host your payload for fake portal site that stores the entered inputs, which can post to a PHP script and dump to raw file or database storage. A simple output to CSV works fine in most cases.

If you're trying to redirect everything to the portal page, you may find it won't work for certain sites, like Google, which requires stripping HSTS and SSL, but most browsers now have hard coded stuff for certain HSTS sites like google and facebook. Site's like AOL for example, don't enforce and can be pushed to HTTP and injected or redirected completely, as where google, will more than likely fail with an error message.

An interesting thing I noticed when clients connect, if they are on a cell phone, most android phones will upload info on your wifi network or even request a ping to check if the connection is working. iPhones usually don't show to much automatic into on connect, but that depends on the apps they have running. You might see stuff that tries to automatically connect to a weather service or Snapchat for various phones when they go on wifi, which is also a big thing these days you see that any mobile device with those types of apps, automatically scan the network and connect to various services upon connect like ntp, weather and social networks.

[Cap_Sig]

@flok I must have misread your question.  I understand what your asking now.   I would recommend what @digip posted.  

 

I'm pretty sure Airgeddon does fake/poisoned dns by default but I'm not completely sure, haven't used it in a while.  I have noticed the same thing as @digip mentioned about cellphones.  I haven't tested many apple phones but it seems android phones can act in several different ways depending on version when using Airgeddon.

[flok]

Thank you

 digip and trapman16

I understood what you said and thank you for that.

Now what took my interest is

2 hours ago, digip said:

An interesting thing I noticed when clients connect, if they are on a cell phone, most android phones will upload info on your wifi network or even request a ping to check if the connection is working....

Can you please explain it more. Does this mean good or bad for my attack? If it is good than can you please show me the tut or give a hint ? I like to try it in android so anything that helps me is welcome.

 

Thank you

 

[PoSHMagiC0de]

Fluxion does this now.  It has a mode for you to capture the wpa handshake that you can then turn around and use for the evil AP.  The evil AP part will bring up an AP with same name as target AP but 1 MAC number off.  It will bring up dhcp and DNS sink-holing you to the capture portal.  It will then deauth the legit AP.  People are not forced to you but decide on their own to connect to you since they cannot connect to their own AP.  Your AP is open.

Once they connect, they will be greeted that they need to sign in (if on phone, believe on windows too) like at a hotel.  This is where fluxion shines.  It will ask you for your wifi password.  When you put it in, it will use aircrack or pyrit to check and see if it is correct.  If not, it will say it is incorrect and the attack will continue.  Once someone puts in the correct wifi password that checks with the handshake, it will say they connected successfully and stop the attack.

https://github.com/FluxionNetwork/fluxion

 

I know a lot of people have been requesting this on the wifi pineapple.  I completely agree.  It is one of the best wifi social engineering attacks i have seen, only one i seen that will do validation of credentials.

[flok]

Hello @PoSHMagiC0de

 

Thank you for your reply. I have done as you said before and it works fine. But I got one problem here.

4 minutes ago, PoSHMagiC0de said:

Once they connect, they will be greeted that they need to sign in (if on phone, believe on windows too) like at a hotel. 

Like you said my android were not greeted to sign in. It should be done manually. Like opening browser and entering some website than only they would be greeted by my fake page.

Is there any thing that I can do to notify them to sign in on browser. Because some dummy just dont know how to check internet they just use apps but not a browser. So how can I force my page to be viewed by them when the browser is not opened in first place.

 

Thank you

[PoSHMagiC0de]

I hadn't install Fluxion on my new ParrotOS system in a bit.  i would say a few months ago it didn't even work.  Before then I used it heavily on Kali and it worked fine then.  Recently like within the month I downloaded it and it worked with my cards again as far as even starting up without complain about unsupported devices even though I ran the same cards on the same machine I ran it before when I had Kali.  Issue I ran into for a day was people would connect but not get the Capture Portal page.  Was driving me nuts until I realized I was having a doh moment.

Maybe my doh moment is yours too.  Check your firewall.  Yelp, I forgot I run with aggressive iptable rules but I have a master rule I run when pentesting to drop them all.  So, i did that and there was my capture portal and the message telling me I needed to sign in.

So, if you are on Linux, check your iptables.

sudo iptables -L

if on Mac..well, someone else may be able to help you there.

 

[flok]

Thank you PoSHMagiC0de

So, what should I do with my firewall? Can you please help me out here. What should I do for this...

11 hours ago, PoSHMagiC0de said:

Check your firewall.  Yelp, I forgot I run with aggressive iptable rules but I have a master rule I run when pentesting to drop them all.  So, i did that and there was my capture portal and the message telling me I needed to sign in.

 

Thank you

[PoSHMagiC0de]

if you are running Fluxion I suspect you are on Linux or Mac.

Since I only know Linux when it comes to Fluxion and run on a Debian distro (which should not matter much) the command above I gave should list your tables.

Your IP tables should be empty with the input, output and forward to accept by default.  This means there are not rules blocking anything from your computer.

If in doubt, the below command will wipe the tables clean.  If they are autopopulated, they should come back after reboot (simplest way without going into discovering how your iptables are set since there are several firewall things out there with Ubuntu having one other than iptables too that I normally just dump.)

sudo iptables -F
sudo iptables -X

Pretty much, if you have their latest pull from github and make sure it is from deltaflux (there are a lot of forks out there, the real one was buried in the noise for awhile before they ended up on top again), and if you run it and it says all dependencies are checked...and you make sure before you run it you kill apache, nginx and any web services that maybe running, and for safe measure I would do:

sudo airmon-ng check kill

Though I have ran it without doing this but only did it once cause I am lazy, I would still kill competing services to be sure with above command.

 

So, flush tables, kill web services that maybe running (Kali sometimes have packages running web services in the background if you messed with the tools any you may have inadvertently got one going on autostart), use aircrack to kill any network services that may interfere with fluxion.

At the end, do a sudo netstat -tulnp and see if anything is using 80 or 443 (those would be most likely web services still running).  If it is all clear, try running fluxion and do not forget sudo.  it needs admin priviledges.

Test and see if you get the portal.  If not, test and see if you can ping the gateway from victim or see if anything resolves an IP address if pinged, should resolve back to attacker.  If it does, try browsing by hand to IP and see if you get portal.  You may can run wireshark on attacker too to see if the packets are getting to the page.  I have not tried but you probably can browse from the attacker machine to portal on same machine to see if it pops up to determine if it is even running the portal.

What you are trying to find out is if the portal is running, if the dns services are pointing you to it and if victims are not blocked from it.  Steps I went through but didn't have to get to the part to see if the portal was running.  netstat told me that.  I didn't even have to go into wireshark.  I just had an epiphany that I have custom firewall rules that i would need to remove to allow users to portal.

[flok]

Thank you PoSHMagiC0de,

I am using kali linux 2.0. sorry I have not mentioned it earlier.

The thing is I can access captive portal from client side if I visit any other sites (but not google and facebook and some other) manaully. what I want to do is , to open captive portal automaticlly without bothering to open browser and enter ip or any site manaully. and also sites like google, facebook are not redirecting into my portal as they are warning the link is not secure. 

Does your process of flushing the iptables helps me to block all traffics to go to internet from my hotspot i.e. my pc.  I want my target to visit my captive portal automatically i.e. upto my pc. and to block them to reach internet while conmecting to my hotspot.

I think doing so will help me to block google and facebook to show warning message.

 

Thank you

[PoSHMagiC0de]

I am not online when using fluxion since its use is to trick the user into thinking their router is having issues and need their wifi password again.  Internet access is not required.

The iptables flush is to make sure I am not blocking any of my ports from the victim so they can resolve DNS and get redirected properly to the fake router page.

 

I believe captive portal is pretty standard.  Your phone when it gets online on wifi it tries and hit some of its sites.  The redirected response and not their site tells them they might need to sign in to get access to the internet.  If DNS goes nowhere, it will make the phone think there is no internet.  If it is able to get to its service then internet is on.

My browser doesn't open manually but it does give a notification that I have to sign in to get internet access.  if you as a victim get the portal when you try and browse anywhere then it is working.  Your phone should prompt, if it tries and reach out on its own to get to the internet, as I understand it.  Have not seen a phone fire off a browser automatically, unless I click on the notification.  Seen a windows machine do it though.

From that point if nothing is blocking DNS nor the portal from the victim talking to them on your machine then the above should work.

[flok]

Thank you PoSHMagiC0de

I have done as you said every thing works perfectly. But still I am not getting prompt to sign in. I have 3 devices and neither one of them is getting prompt to sign. We have to do it manually. I have searched some other places too. Some of them say I need to redirect all the requests to my captive portal ip.  Can you tell how can I forward all the requests in to my captive portal IP ?

Thank  you

[digip]

You need to spoof the DNS to redirect them to the local portal, and don't point it to 127.0.0.1, point to the local machine running the web server's IP address. Helps to have a DHCP server respond to all queries when they connect to the network and you can set yourself as the DNS server. When I've used Fruity Wifi, it handles all the scripting of the other tools like dns poisoning and redirects, but if you want to try doing it yourself you need to setup dnsmasq or some other DNS setup along with answering the DHCP call and then providing the clients with the intended info. When they make the request, they get the info directly from the attacker machine and they would then connect to the captive portal. Trying to remember if I've tried wifiphisher directly, but I think it's also used in FruityWifi which automates a lot of it, such as the IP forwarding, fake AP, etc.

[PoSHMagiC0de]

@digip

He is trying use a project called Fluxion which does this too for the purpose of social engineering the wifi password from someone.  It is a batch of scripts with one script to run them all type of project too.  Been using the project for a bit.  Have had issues in the past with it and recently but was able to resolve them or the dev resolved it.  It prompts me that I need to sign in when I connect to rogue ap like it suppose to but flok seems to be having issues with this part.

@flok

 

You may have to post your issue to the developer's github issues section.  Like what digip mentions above, if all your DNS queries end up resolving to your machine running fluxion and you can open the portal from the victim then all should be good.  Beyond that, I do not have a clue why you aren't getting the same results. 

[flok]

Thank you PoSHMagiC0de and digip

 for your help. I got much help and ideas from you. I will try it and do further research. I will message you if I need any help.

Thank you

 

 

[digip]

Have a look at FruityWifi if you can't get wifiphisher or whatever working. It's in the kali repo from what I remember but worked for me. I had to use aircrack suite to get the fake AP working on my end, but Fruity gives you the option to pick which for the fake AP with hostapd not working for me with my card. It will do nearly everything for you. It takes care of the DNS side too. All I did was start apache and use my own custom web page and PHP for the fake portal page vs the default one, which you can configure to redirect to any page or site, including one on the web if you really wanted to.

Edited September 16, 2017 by digip

[PoSHMagiC0de]

Actually, that is not a bad idea.  Try FruityWifi to see if its captive portal works.

Reason is when I had issues with Fluxion back when I first switched to Parrot, I also had issues with wifiphisher, reaver and wash.  It turned out to be an issue in the Parrot distro that was resolved soon after.  One thing that did work that I tried out was FruityWifi with captive portal.  It gave me no issue and worked fine.  So, it would be a good comparison test for the sign in prompt for captive portal.

For that flok is trying to do it will take him some custom coding to accomplish what Fluxion does.  I like FruityWifi because it was my PineAP before I got a wifipineapple nano.

Just some info on wifiphisher and Fluxion in case you do not know.

wifiphisher is a wifi social engineering tool.  It doesn't beacon probes it receives like mana/pineap/karma.  You target an ap, it duplicates its name (not it's bssid) and then brings up a false ap with same name while jamming the real one by bssid.  It requires the victim to actually still connect to the open ap of same name where they will be prompted they need to sign in by captive portal.  Captive portal has several templates, one to try and coax wifi password or one to try to get user to download and run an app.  After the password one, it displays it to the attacker and drops the attack on ap.  Of course you have to trust the victim put in the correct password since there is no verification.

Fluxion is the same thing but has 2 different modes.  It has fake ap mode like wifiphisher but for it to run it needs a capture file with handshake from the victim ap to use for comparison.  It will not run without it.  The second mode is to assist you in getting that capture file by either doing a monitor only or intrusive(deauth) to get handshake.  It even checks for the handshake while working to get it and stops when it knows it got it.  With the handshake you can go back to the fake ap to do the attack.  It does the same attack as wifiphisher with the fake ap of same name but deauth bssid of real ap and a template for a captive portal trying to coax the user's wpa password.  Difference is when the user puts it in, Fluxion uses aircrack or pyrit to verify it with the hash, if it doesn't match, it tells them the password is wrong and attack continues.  Only if the attacker manually stops it or the correct password is entered on the captive portal does the attack cease.  So it is wifiphisher with verification so to speak.

I actually think both these projects can come together (wifiphisher and fluxion) as they are almost identical in what they do just one added verification.

[flok]

Thanks guys,

 

Lets see if FruityWifi does my work. :)

I will let you know.