WiFiphisher is a framework for conducting Wi-Fi security testing or red team engagements. Penetration testers can use Wifiphisher to perform targeted Wi-Fi association attacks against wireless clients, allowing them to gain a man-in-the-middle position. Moreover, WiFiphisher can be used to mount victim-customized web phishing attacks against connected clients to capture credentials (e.g. from third-party login pages or WPA/WPA2 Pre-Shared Keys) or infect the stations with malware.
According to the victim, the attack consists of three phases:
The victim is being unauthenticated from her access point
A WiFiphisher continuously jams all of the target access point's wifi devices within range by sending death packets both to the client and to the access point, as well as to the broadcast address.
The victim joins a rogue access point
The WiFiphisher sniffs the area and copies the settings of the target access point. A rogue wireless access point is then created based on the target. Also, it sets up a NAT/DHCP server and forwards the right ports. Due to the jamming, clients will start connecting to the rogue access point. When this phase is complete, the victim has been MiTMed.
The client is served a realistic router configuration-looking page
Wifiphisher uses a minimal web server that responds to HTTP and HTTPS requests. When the victim requests an Internet page, wifi phisher will respond with a believable fake page that asks for credentials, such as one asking for confirmation of the WPA password due to an upgrade on the router.
Features of WiFiphisher APK
- A powerful tool: An operating system like Raspberry Pi can run WiFiphisher for hours, executing all modern Wi-Fi association techniques (such as "Evil Twin", "KARMA" and "Known Beacons").
- Flexible: Comes with a number of community-driven phishing templates for various deployment scenarios.
- Modularity: Python modules can be written to extend the functionality of the tool or to create custom phishing scenarios to conduct specific attacks against specific targets.
- Simple to use: Wifiphisher offers a wealth of features to advanced users, but beginners can get started with "./bin/wifiphisher" instead. In the interactive Text User Interface, the tester is guided through the attack-building process.
- Based on extensive research: Our developers disclosed attacks like "Known Beacons" and "Lure10," along with state-of-the-art phishing techniques, and Wifiphisher was the first to incorporate them.
- No charge: Under the terms of the GPLv3 license, WiFiphisher comes with full source code that you can study, change, or distribute for free.
A great community of developers and users supports the project.
How does it work?
A Wi-Fi phishing attack consists of two steps:
The first step involves associating with Wi-Fi clients unknowingly or obtaining a man-in-the-middle (MITM) position. A number of techniques are used by WiFiphisher to accomplish this, including:
- Wifiphisher creates a fake wireless network that appears to be legitimate.
- Wifiphisher masquerades as a public network that nearby Wi-Fi clients search for.
- Wifiphisher broadcasts a dictionary of common ESSIDs that nearby wireless stations have likely connected to in the past.
The Wifiphisher keeps forging "Deauthenticate" or "Disassociate" packets to disrupt existing associations and eventually lure victims.
The penetration tester can carry out a variety of attacks once WiFiphisher grants him a man-in-the-middle position (optionally). The tester may perform data sniffing or vulnerability scanning on the victim stations.
With Wifiphisher, advanced web phishing techniques can be performed by gathering information from the target environment and the victim. In one of our scenarios, Wifiphisher will extract information from the broadcasted beacon frames and the HTTP User-Agent header to display an imitation of Windows Network Manager.
Wifiphisher v1.4 is out!
After more than nine months since the release of Wifiphisher 1.3, I am excited to announce a new release for you! Our biggest release to date includes many improvements, performance enhancements, and bug fixes.
In Wifiphisher v1.4, the following changes have been made:
- A known beacon attack: Different Wi-Fi automatic association attacks (including KARMA and Lure10) are already available in WiFiphisher. Wireless clients are forced to connect to an attacker-controlled Access Point by unknowingly receiving dozens of known beacon frames using our new technique, Known Beacons. Most modern network managers are affected. You can find more information on this attack on the Research page and in the 34C3 lightning talk video.
- Roguehostapd: As a result, we forked Hostapd and patched it against more sophisticated attacks. The Roguehostapd project is hosted on Github and provides Python bindings for easy interaction with WiFiphisher.
- Wiphisher extensions: As a result of the modular design we followed, developers can hack Wifiphisher by writing simple extensions in Python that interact with the core of the tool. Extensions are executed in parallel with speed and efficiency. For the impatient, you can check out our first five extensions under the "wifiphisher/extensions" directory.
If you want to try the new release, go straight to the Download page. You can see all the changes on the Changelog page.
Without the amazing contributions of the Wifiphisher community, this release would not be possible. I would like to thank everyone who helped, especially Wifiphisher core developers Brian Smith and Anakin Tung.
What's New?
- Added dissociation frame to the DEAUTH attack
- RSSI output fix
- Code quality fixes.
- Introduced MAC address randomization
- Refactoring of interface management module
- Introduced tox.
- Added support for providing Internet to victim users via a wireless interface
- Tool now kills any interfering processes on startup
- Use curses everywhere for TUI
- Show the encryption type during AP discovery.
- Introduced Wifiphisher Extensions
- Introduced roguehostapd, a patched version of hostapd.
- Introduced WPA/WPA2 captured passphrase validation.
- Added WPS info during AP discovery.
- Added the option to perform DEAUTH attack based on ESSID
- Added operation moded
- Increased performance of modules
- Made the tool run with only one physical interface
- Introduced --logging option
- Introduced channel monitoring to check if target AP switches channel
- Introduced Known Beacons attack
- Introduced WPS PBC phishing attack
