
Capturing WPA Passwords by Targeting Users with a Fluxion Attack
With tools such as Reaver becoming less and less viable options for penetration testers as ISPs replace vulnerable routers, there are fewer certainties about which tools will work against a particular target. If you don't have time to crack the WPA password, or it is unusually strong, it can be hard to figure out your next step. Luckily, nearly all systems have one common vulnerability you can count on—users!
Social engineering goes beyond hardware and attacks the most vulnerable part of any system, and one tool that makes this super easy is Fluxion. Even the most antisocial hacker can hide behind a well-crafted login page, and Fluxion automates the process of creating a fake access point to capture WPA passwords.

Picking the Weakest Links to Attack

Users are almost always the weakest link of a system, and so attacks against them are often preferred because they are cheap and effective. Hardware concerns can often be ignored if the users are sufficiently inexperienced with technology to fall for a social engineering attack. While social engineering attacks may raise flags within more tech-savvy organizations, phishing and spoofing attacks against users are the tool of first choice for both nation states and criminal hackers.
One of the most vulnerable targets to this kind of attack is a small- or medium-sized business focused on an industry other than technology. These businesses usually have many vulnerable or unpatched systems with default credentials that are easy to exploit over their wireless network, and are not likely to know what an attack looks like.

How Fluxion Works Its Magic

Fluxion is the future—a blend of technical and social engineering automation that tricks a user into handing over the Wi-Fi password in a matter of keystrokes. Specifically, it's a social engineering framework using an evil twin access point (AP), integrated jamming, and handshake capture functions to ignore hardware and focus on the "wetware." Tools such as Wifiphisher execute similar attacks, but lack the ability to verify the WPA passwords supplied.

Fluxion evolved from an advanced social engineering attack named Linset; the original tool was written mostly in Spanish and suffered from a number of bugs. Fluxion is a rewrite of that attack, designed to trick inexperienced users into divulging the network's password or passphrase.
Fluxion is a unique tool in its use of a WPA handshake to not only control the behavior of the login page, but the behavior of the entire script. It jams the original network and creates a clone with the same name, enticing the disconnected user to join. This presents a fake login page indicating the router needs to restart or load firmware and requests the network password to proceed. Simple as that.
The tool uses a captured handshake to check the password entered and continues to jam the target AP until the correct password is entered. Fluxion uses Aircrack-ng to verify the results live as they are entered, and a successful result means the password is ours.
Checking the captured WPA password by confirming it through Aircrack-ng.
Tactically, this attack is only as good as the fake login screen. Many have been added to Fluxion since it was created, and it is possible to create other screens with some research. In general, running this attack with default login screens will immediately call attention from a more experienced user or tech-savvy organization. This attack is most effective when targeted at whoever is the oldest or least tech-savvy in an organization. Sensitive APs with intrusion detection systems may detect and attempt to defend against this attack by blocking your IP in response to the integrated jamming.
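As an added, defensive example that is not part of the original article or of Fluxion: the two things this attack leaves on the air, a second AP advertising the target's ESSID without encryption and a burst of deauthentication frames, can be flagged from monitor-mode frame summaries. The frame records below are constructed, and their (timestamp, type, essid, bssid, privacy) layout is an assumption rather than any real capture tool's output.

```python
"""Flag the on-air signature of an evil twin plus jamming.

Added example, not code from the original article or from Fluxion. It runs
over constructed 802.11 frame summaries in a hypothetical
(timestamp, type, essid, bssid, privacy) layout and reports (1) an open AP
using the same ESSID as a protected one and (2) deauthentication bursts.
"""
from collections import defaultdict

# Constructed sample: the real AP "Probe" is WPA2; at t=6 a clone with the
# same name appears without encryption while 40 deauths are sent in 2 s.
SAMPLE_FRAMES = [
    (0.0, "beacon", "Probe", "AA:BB:CC:DD:EE:01", "WPA2"),
    (0.1, "beacon", "Guest", "AA:BB:CC:DD:EE:02", "OPEN"),
    (5.0, "beacon", "Probe", "AA:BB:CC:DD:EE:01", "WPA2"),
    (6.0, "beacon", "Probe", "DE:AD:BE:EF:00:01", "OPEN"),
]
SAMPLE_FRAMES += [
    (6.0 + i * 0.05, "deauth", "", "AA:BB:CC:DD:EE:01", "") for i in range(40)
]
SAMPLE_FRAMES.append((9.0, "deauth", "", "AA:BB:CC:DD:EE:02", ""))  # benign


def find_evil_twins(frames):
    """Return sorted (essid, open_bssid, protected_bssid) triples.

    One ESSID advertised both by a protected BSSID and by an open BSSID is
    exactly the clone described above: identical name, no encryption.
    """
    by_essid = defaultdict(lambda: {"open": set(), "protected": set()})
    for _, ftype, essid, bssid, privacy in frames:
        if ftype == "beacon" and essid:
            bucket = "open" if privacy == "OPEN" else "protected"
            by_essid[essid][bucket].add(bssid)
    hits = []
    for essid, seen in sorted(by_essid.items()):
        for open_b in sorted(seen["open"]):
            for prot_b in sorted(seen["protected"]):
                hits.append((essid, open_b, prot_b))
    return hits


def deauth_bursts(frames, window_s=2.0, threshold=20):
    """Return {bssid: peak_count} for BSSIDs whose deauth frames reach
    `threshold` inside any sliding window of `window_s` seconds."""
    stamps_by_bssid = defaultdict(list)
    for ts, ftype, _, bssid, _ in frames:
        if ftype == "deauth":
            stamps_by_bssid[bssid].append(ts)
    bursts = {}
    for bssid, stamps in stamps_by_bssid.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:  # slide the window start
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[bssid] = peak
    return bursts


def alerts(frames):
    """Human-readable alert lines, combining both checks."""
    lines = [f"evil twin of '{e}': open {o} mimics protected {p}"
             for e, o, p in find_evil_twins(frames)]
    lines += [f"deauth burst from {b}: {n} frames in a window"
              for b, n in sorted(deauth_bursts(frames).items())]
    return lines


if __name__ == "__main__":
    for line in alerts(SAMPLE_FRAMES):
        print(line)
```

A wireless IDS doing the same two checks is what the last paragraph above refers to when it says sensitive APs may detect the integrated jamming.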

System Compatibility & Requirements

Fluxion works on Kali Linux. Just make sure that you are fully updated, or that you're running Kali Rolling, to ensure the system and its dependencies are current. You may run it on a dedicated Kali install or in a virtual machine. If you're looking for a cheap, handy platform to get started on, check out our Kali Linux Raspberry Pi build using the $35 Raspberry Pi.
A perfect beginner Wi-Fi hacking kit.

This tool will not work over SSH since it relies on opening other windows.
For this to work, we'll need to use a compatible wireless network adapter. Check out our 2017 list of Kali Linux and BackTrack compatible wireless network adapters in the link above, or you can grab our most popular adapter for beginners here.
Make sure that a wireless adapter capable of monitor mode is plugged in, recognized by Kali, and listed when you run iwconfig or ifconfig.

How to Capture WPA Passwords with Fluxion

Our goal in this article will be to target an organization via its WPA encrypted Wi-Fi connection. We will launch an attack against users attached to the access point "Probe," capture a handshake, set up a cloned (evil twin) AP, jam the target AP, set up a fake login page, and confirm the captured password against the handshake.

Step 1: Install Fluxion

To get Fluxion running on our Kali Linux system, clone the git repository with:
Note: The developer of Fluxion shut down the product recently, but you can get an older version of it using the command above instead (not the URL you see in the image below).
Then, let's check for missing dependencies by navigating to the folder and starting it up for the first time.
cd fluxion
sudo ./fluxion
You'll likely see the following, where some dependencies will be needed.
Run the installer to fetch dependencies and set your board to green with:
sudo ./Installer.sh
A window will open to handle installing the missing packages. Be patient and let it finish installing dependencies.
After all the dependencies are met, our board is green and we can proceed to the attack interface. Run the Fluxion command again with sudo ./fluxion to get hacking.

Step 2: Scan Wi-Fi Hotspots

The first option is to select the language. Select your language by typing the number next to it and press enter to proceed to the target identification stage. Then, if the channel of the network you wish to attack is known, you may enter 2 to narrow the scan to the desired channel. Otherwise, select 1 to scan all channels and allow the scan to collect wireless data for at least 20 seconds.
A window will open while this occurs. Press CTRL+C to stop the capture process whenever you spot the wireless network that you want. It is important to let the attack run for at least 30 seconds to reasonably verify if a client is connected to the network.

Step 3: Choose Your Target AP

Select a target with active clients for the attack to run on by entering the number next to it. Unless you intend to wait for a client to connect (possibly for a long time), this attack will not work on a network without any clients. Without anyone connected to the network, who would we trick into giving us the password?

Step 4: Select Your Attack

Once you've typed the number of the target network, press enter to load the network profile into the attack selector. For our purpose, we will use option 1 to make a "FakeAP" using Hostapd. This will create a fake hotspot using the captured information to clone the target access point. Type 1 and press enter.

Step 5: Get a Handshake

In order to verify that the password we receive is working, we will check it against a captured handshake. If we have a handshake, we can enter it at the next screen. If not, we can press enter to force the network to provide a handshake in the next step.
Using the Aircrack-ng method by selecting option 1 ("aircrack-ng"), Fluxion will send deauthentication packets to the target AP as the client and listen in on the resulting WPA handshake. When you see the handshake appear, as it does in the top right of the screenshot below, you have captured the handshake. Type 1 (for "Check handshake") and enter to load the handshake into our attack configuration.

Step 6: Create the Fake Login Page

Select option 1, "Web Interface," to use the social engineering tool.
You will be presented with a menu of different fake login pages you can present to the user. These are customizable with some work, but should match the device and language. The defaults should be tested before use, as some are not very convincing.
I chose an English-language Netgear attack. This is the final step to arm the attack; at this point, you are ready to fire, so press enter to launch it. The attack spawns multiple windows to create a cloned version of the target's wireless network while simultaneously jamming the real access point, enticing the user to join the identically named, but unencrypted, network.

Step 7: Capture the Password

The user is directed to a fake login page, which is either convincing or not, depending on which you chose.
Perhaps not the most elegant deception, but these files are configurable.
Entering the wrong password will fail the handshake verification, and the user is prompted to try again. Upon entering the correct password, Aircrack-ng verifies and saves the password to a text file while displaying it on the screen. The user is directed to a "thank you" screen as the jamming ceases and the fake access point shuts down.
You can verify your success by checking the readout of the Aircrack-ng screen.
Key captured and verified. The network is ours!
Congratulations, you've succeeded in obtaining and verifying a password, supplied by targeting the "wetware." We've tricked a user into entering the password rather than relying on a preexisting flaw with the security.

Warning: This Technique Could Be Illegal Without Permission

From a legal standpoint, Fluxion combines scanning, cloning, creating a fake AP, creating a phishing login screen, and using the Aircrack-ng script to obtain and crack WPA handshakes. As such, it leaves signatures in router logs consistent with using these techniques. Most of these practices are illegal and unwelcome on any system you don't have permission to audit.

Set Up a Headless Raspberry Pi Hacking Platform Running Kali Linux
The Raspberry Pi is a credit card-sized computer that can crack Wi-Fi, clone key cards, break into laptops, and even clone an existing Wi-Fi network to trick users into connecting to the Pi instead. It can jam Wi-Fi for blocks, track cell phones, listen in on police scanners, broadcast an FM radio signal, and apparently even fly a goddamn missile into a helicopter.
The key to this power is a massive community of developers and builders who contribute thousands of builds for the Kali Linux and Raspberry Pi platforms. For less than a tank of gas, a Raspberry Pi 3 buys you a low-cost, flexible cyberweapon.
A cyberweapon that fits anywhere? Name something else in your pocket that creates a fake AP in Czech.
Of course, it's important to compartmentalize your hacking and avoid using systems that uniquely identify you, like customized hardware. Not everyone has access to a supercomputer or gaming tower, but fortunately one is not needed to have a solid Kali Linux platform.
With over 10 million units sold, the Raspberry Pi can be purchased in cash by anyone with $35 to spare. This makes it more difficult to determine who is behind an attack launched from a Raspberry Pi, as it could just as likely be a state-sponsored attack flying under the radar or a hyperactive teenager in high school coding class.

Thinking Like an Attacker

The Raspberry Pi has several unique characteristics that make it a powerful and easily accessible tool in a penetration tester's kit. In particular, the Pi is cheap and the components cost as little as a Lego set. Also, the Raspberry Pi is discreet: it's small, thin, and easy to hide. And thanks to running Kali Linux OS natively, it is flexible and able to run a broad range of hacking tools from badge cloners to Wi-Fi cracking scripts. By swapping the SD card and adding or removing components from marketplaces like Adafruit, the Raspberry Pi can be customized to suit any situation.
Raspberry Pi + projector = Kali on a huge screen.

The Raspberry Pi on Offense

First, it's important to manage your expectations and remain reasonable when selecting a Raspberry Pi as a hacking platform. The Raspberry Pi is not a supercomputer and doesn't have a tremendous amount of processing power. It's not well-suited to processor-intensive tasks like brute-force WPA password cracking, or to acting as an in-path network attack device, as its connection is too slow to fool users. That being said, the Raspberry Pi is perfectly suited to many attack environments. We simply offload these tasks to bigger computers and use the Pi as a data collector.
An active Raspberry Pi Wi-Fi jamming setup.
In my experience, the Raspberry Pi works exceptionally well as a Wi-Fi attack platform. Due to its small size and large library of Kali Linux-based attack tools, it's ideal for reconnaissance and attacking Wi-Fi networks. Our offensive Kali Linux build will be geared towards anonymous field auditing of wired and wireless networks.

The Basic Components of Our Attack System

Here are the basic components needed to build our Pi attack system, and why we need them. If you're just starting out, this excellent Raspberry Pi Kit from CanaKit includes most of what you need to get your Pi set up.
  • Raspberry Pi: The Raspberry Pi 3 is the platform of these builds, coordinating and controlling all other components. Its low power consumption and flexible capabilities allow it to serve as a platform for running Linux-based operating systems besides Kali.
Raspberry Pi 3.
  • Command and control (C2) wireless card: The purpose of the C2 wireless card is to automatically connect the Pi to the command AP (access point) such as your phone hotspot or home network. This allows remote control of the Pi discreetly or from a great distance via SSH (Secure Shell) or VNC (Virtual Network Computing). Fortunately for us, the Raspberry Pi 3 has a Wi-Fi card internally, but a wireless network adapter can also be added to a Raspberry Pi 2.
  • Wireless attack card: Our attack wireless card will be a Kali Linux-compatible Wi-Fi adapter capable of packet injection. This will be our attack surface and can use a long-range, short-range, or directional antenna depending on attack requirements.
  • OS build cards: The micro SD card hosts the OS and brain of the computer and can be precisely configured for any desired environment. By creating customized cards, it is possible to rapidly change the configuration and function of a Raspberry Pi by simply swapping the card and components.
  • Computer: You will also need a computer to download the firmware to load onto the micro SD card.
  • Power supply: The Raspberry Pi uses a standard Micro-USB power supply, and nearly any Android phone charger or battery pack will work to power a Pi. This allows for a number of different battery configurations to suit long-endurance reconnaissance or continuously powered operations.
My Raspberry Pi hacking kit.
  • Ethernet cable (optional): An Ethernet cable allows you to bypass wireless authentication by directly interfacing with local networks to which you have physical access. Specialized attacks like PoisonTap can also take advantage of Ethernet interfaces to infiltrate computers.
  • Bluetooth keyboard (optional): A Bluetooth keyboard is helpful for interfacing when you have an HDMI connection.
  • Case (optional): Every Pi needs a case to protect it.

Build Considerations

In designing this tutorial, I considered two primary modes in which you would be operating the Raspberry Pi. In our open configuration, the Raspberry Pi is connected to a display via HDMI cord with inputs running through a wireless mouse and keyboard. In our tactical configuration, you will use a laptop or smartphone to access the Raspberry Pi remotely via SSH. By connecting the Pi to our phone's hotspot or a nearby friendly AP, we can access the Raspberry Pi while still being able to use cellular data in the field.
(Top) Lab configuration: Output over HDMI, input via Bluetooth keyboard. (Bottom) Tactical Configuration: Kali Linux via SSH.

How to Set Everything Up

In this guide, I'll show the steps needed to set up a Raspberry Pi 3 as a basic hacking platform with Kali Linux. I'll go over how to select a build to install, writing the disk image to a micro SD card, and the steps to run after first setting up your Pi. We'll update Kali Linux to the latest version to ensure everything works correctly, change the default SSH keys, and take care of some housekeeping like changing the admin password.
Raspberry Pi in action connected to an HDMI output.
As a note, there are many ways to configure Kali on a Raspberry Pi 3. Some include touchscreens, some are completely headless (accessed via network connections without a keyboard or display), and others use the internal Wi-Fi card to create a hotspot for remote control of the Pi. In selecting this build, I discounted any designs that included a power-hungry and fragile touchscreen or additional hardware, and settled on a version optimized for our two different C2 scenarios.

Step 1: Download Kali Linux Image for the Raspberry Pi

Head to Offensive Security and download the latest Kali Linux image for the Raspberry Pi. As of this writing, it is "RaspberryPi 2 / 3" on version 2.1.2.

Step 2: Flash the Image to the Micro SD Card

You can use a tool like ApplePiBaker for Mac or Etcher to load your Kali image onto your SD card, but sometimes these can result in errors. To prevent that, we'll cover how to do this via Terminal on a Mac. If you use Windows, you can use Win32 Disk Imager to put your image on the card.
On a Mac, before plugging in your SD card, run the following in Terminal:
df -h
This will display a list of all the disks attached to your system. Attach your SD card and run the command again, and note the filesystem name of your SD card (it's the one that wasn't there before). It should look like "/dev/disk2s1" and you should be very careful not to mix this up in the next steps, since doing so could overwrite your hard drive.
The available drives.
Now, we'll use the dd command to load the Kali image onto the card.
Use "man dd" to see the rest of the operands for dd.
First, let's unmount the disk so you can write to it with the following command, with "X" being the correct disk number (diskutil needs the unmountDisk verb for a whole disk; plain unmount only works on a single partition):
sudo diskutil unmountDisk /dev/diskX
Now we're ready to load Kali. Type, but don't run, the command sudo dd bs=1m if= and enter the location of the Kali Linux image we want to load onto the card. You can drag and drop the disk image into the window to show the file path. After that, type a space, then of=/dev/rdisk and the number of the disk from before.
If there is an "s" after the initial disk number (like rdisk2s1), do not include the "s" or following number. So, "rdisk2s1" should look like "rdisk2." Here's what it should look like altogether:
sudo dd bs=1m if=LocationOfKaliImage of=/dev/rdiskX
Press enter to begin the process, and note that dd does not provide any on-screen information unless there is an error or it finishes. To view the progress during the transfer, you can type Ctrl T. Wait for the process to complete. You'll know the process is complete when you see a readout of bytes transferred over the time the process ran.
It will look like the screenshot below (if you press Ctrl T a few times during the transfer) when complete.
Mashing Ctrl T to see the status—took 1,131 seconds to transfer!
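The "which disk appeared" and "drop the s1" decisions above are where a slip overwrites the wrong drive, so here is an added example (not from the original article) that makes them checked steps instead of eyeballing. It works over constructed df -h output and assumes macOS-style /dev/diskXsY names; the list of system disks it refuses to touch is an assumption for this example.

```python
"""Pick the dd target from two df snapshots and refuse the wrong disk.

Added example, not from the original article. It automates the manual
"df -h before and after, take the filesystem that was not there before,
drop the sN partition suffix, write to /dev/rdiskX" steps over
constructed df output, assuming macOS /dev/diskXsY device names.
"""
import re

# Constructed df -h output before and after plugging in the micro SD card.
DF_BEFORE = """\
Filesystem      Size   Used  Avail Capacity  Mounted on
/dev/disk1s1   466Gi  120Gi  340Gi    27%    /
devfs          190Ki  190Ki    0Bi   100%    /dev
/dev/disk1s4   466Gi  2.0Gi  340Gi     1%    /private/var/vm
"""
DF_AFTER = DF_BEFORE + (
    "/dev/disk2s1    15Gi   20Mi   15Gi     1%    /Volumes/boot\n"
)

# /dev/disk2s1 -> group 1 "disk2" (whole disk), group 2 "s1" (partition)
_DEV = re.compile(r"^/dev/(disk\d+)(s\d+)?(?=\s)")


def whole_disks(df_output):
    """Set of whole-disk names ('disk1', 'disk2', ...) mounted per df."""
    disks = set()
    for line in df_output.splitlines():
        m = _DEV.match(line)
        if m:
            disks.add(m.group(1))
    return disks


def new_disk(df_before, df_after):
    """The one whole disk that appeared between the snapshots, else None.

    Zero candidates means the card was not detected; more than one means
    guessing, and guessing is how a hard drive gets overwritten.
    """
    candidates = whole_disks(df_after) - whole_disks(df_before)
    return candidates.pop() if len(candidates) == 1 else None


def safe_to_write(disk, system_disks=("disk0", "disk1")):
    """True only for a bare diskN name that is not a system disk.

    The system-disk tuple is an assumption for this example; check it
    against your own df -h or diskutil list output before relying on it.
    """
    return (disk is not None
            and re.fullmatch(r"disk\d+", disk) is not None
            and disk not in system_disks)


def dd_command(image_path, disk):
    """The article's dd invocation against the raw device, or ValueError."""
    if not safe_to_write(disk):
        raise ValueError(f"refusing to write to {disk!r}")
    return f"sudo dd bs=1m if={image_path} of=/dev/r{disk}"


if __name__ == "__main__":
    target = new_disk(DF_BEFORE, DF_AFTER)
    print(dd_command("LocationOfKaliImage", target))
```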

Step 3: Boot into Kali Linux

When finished, your SD card is ready to go! Insert the SD card into your Pi, connect it to HDMI, and attach your Bluetooth keyboard. Plug in the power source to boot into Kali Linux for the first time. To get to the desktop, your default login is "root" with "toor" being the password.
Kali Pi with power, HDMI, Ethernet, Bluetooth receiver, and secondary wireless adapter attached.
The login process is a problem for autonomous control, and we will need to disable it later. This will let us plug our Pi in and immediately connect to it remotely without a screen.
First boot of Kali.

Step 4: Update Kali Linux

Kali Linux is a special flavor of Debian Linux meant for penetration testing, and a favorite here on Null Byte. It's compatible with some of the best and most advanced tools available for wireless hacking, and flexible enough to support a large number of hacking builds. It's maintained by Offensive Security, and you'll need to update it to the latest version to make sure all the tools work properly.
Before updating, now is a good time to expand your installation to the full size of the partition. To do so, run the following:
resize2fs /dev/mmcblk0p2
At the top right of the desktop, you'll see an option to connect to a nearby wireless network. Connect to your phone's hotspot or a friendly AP to fetch the update. Run the update by opening a terminal window and typing the following:
apt-get update
apt-get upgrade
apt-get dist-upgrade
Your Kali install is now up to date. Update the root password to something more secure than "toor" by typing:
passwd root
Then enter a new password for your Kali Linux system.

Step 5: Install OpenSSH Server

To communicate with our Raspberry Pi from a computer or phone, we'll need to be able to log in. To do so, we can use SSH to connect via any Wi-Fi connection we share with the Pi. SSH, or the Secure Shell, is a network protocol that allows us to run commands remotely on a device. This means we don't need to plug in a screen to interact with our Pi.
In a terminal, run the following to install the OpenSSH server and update the runlevels to allow SSH to start on boot:
apt-get install openssh-server
update-rc.d -f ssh remove
update-rc.d -f ssh defaults
The default keys represent a huge vulnerability, since every copy of the image ships with the same keys and anyone can obtain them. Let's change them immediately by running the following commands:
cd /etc/ssh/
mkdir insecure_old
mv ssh_host* insecure_old
dpkg-reconfigure openssh-server
This backs up the old SSH keys in another folder and generates new keys. Problem solved! Now let's make sure we can log in as root by typing:
nano /etc/ssh/sshd_config
This will open your SSH configuration file. Change this line:
PermitRootLogin without-password
To this line instead:
PermitRootLogin yes
And type Ctrl O to save the changes. If it already is correct, you don't need to change anything.
Configuring sshd_config.
Great! Let's restart the SSH service by typing:
sudo service ssh restart
update-rc.d -f ssh enable 2 3 4 5
Finally, to test that we've got SSH working, use the following to see if SSH is currently running.
sudo service ssh status
We should see something like this if we are successful.
If it's not, run this to get it going:
sudo service ssh start
If you find SSH doesn't work, you can use raspi-config as a workaround. It's meant for Jessie, but it'll work on Kali, too. To use it, first clone from GitHub, type sudo mount /dev/mmcblk0p1 /boot to mount the boot partition, cd to the directory, and run sudo bash raspi-config.

Step 6: Create a Custom MOTD

Of course, the speed and power of your hacking computer is directly related to how cool your message of the day (MOTD) banner is. You will be greeted with it upon successful login, and it is traditionally dressed up with some ASCII art to spice things up.
Create your own by typing:
nano /etc/motd
Delete the contents and paste whatever you want to show up each time you log in.
Save and exit nano by hitting Ctrl O, then Ctrl X.

Step 7: Test Login via SSH

Let's try logging in from your home computer or laptop. Connect the Pi to the same wireless network your home or work computer is on. Run the command ifconfig on your Pi in terminal to learn your IP address.
ifconfig
In the comments, some people mentioned getting an error here. If so, you may not have net-tools installed; install it with:
sudo apt-get install net-tools
Then run ifconfig again and see if it works.
Here, our IP is seen as 10.11.1.144.
On your personal computer, type:
ssh root@(your IP address)
You should see your MOTD screen!
A simple MOTD on successful SSH login.
If not, you can run an arp-scan from a Mac to list all devices on the network, which helps if you need to find your Pi's IP address from your personal computer.

Step 8: Configure Autologin for Headless Operation

Sometimes, we will want to be able to log into an account other than root. Let's create a new user named WHT (or whatever you like) and add it to the sudo group by running:
useradd -m WHT -G sudo -s /bin/bash
Change WHT's (or whatever you named it) password to something more secure than "toor":
passwd WHT
Great! Now let's disable that login from before so we can boot directly into Kali, and our wireless cards will start up and connect to allow us remote control. To do so, type:
nano /etc/lightdm/lightdm.conf
And delete the # before these lines:
autologin-user=root
autologin-user-timeout=0
Save and exit with Ctrl X. Next, type:
nano /etc/pam.d/lightdm-autologin
And you'll need to change this starting on line 11:
# Allow access without authentication
auth required pam_succeed_if.so user != root quiet_success
auth required pam_permit.so
To this:
# Allow access without authentication
###auth required pam_succeed_if.so user != root quiet_success
auth required pam_permit.so
Save and exit, and type "reboot" into terminal to restart your Pi to test.

Test Your Build Against This Checklist

In order to be considered field ready, your device must pass this checklist:
  1. The device starts up, logs on without prompting for a password, and starts SSH at boot allowing remote access.
  2. The device connects to the command AP to enable remote control (does this by default after connecting the first time).
  3. Run besside-ng script on attack antenna to test packet injection.
  4. The Pi can be shutdown without corruption to the data on the micro SD card (boots normally after shutdown).
Pass all the requirements? Then your Raspberry Pi is ready to hit the road. I'll be writing a series of Pi-based builds, so keep up with me by building your own Raspberry Pi-based Kali Linux computer.
Using Fluxion with a Raspberry Pi and projector.