How to Hack Wi-Fi: Capturing WPA Passwords by Targeting Users with a Fluxion Attack

Capturing WPA Passwords by Targeting Users with a Fluxion Attack

With tools such as Reaver becoming less and less viable options for penetration testers as ISPs replace vulnerable routers, there becomes fewer certainties about which tools will work against a particular target. If you don't have time to crack the WPA password, or it is unusually strong, it can be hard to figure out your next step. Luckily, nearly all systems have one common vulnerability you can count on—users!

Social engineering goes beyond hardware and attacks the most vulnerable part of any system, and one tool that makes this super easy is Fluxion. Even the most antisocial hacker can hide behind a well-crafted login page, and Fluxion automates the process of creating a fake access point to capture WPA passwords.

Picking the Weakest Links to Attack

Users are almost always the weakest link of a system, and so attacks against them are often preferred because they are cheap and effective. Hardware concerns can often be ignored if the users are sufficiently inexperienced with technology to fall for a social engineering attack. While social engineering attacks may raise flags within more tech-savvy organizations, phishing and spoofing attacks against users are the tool of first choice for both nation states and criminal hackers.

One of the most vulnerable targets to this kind of attack is a small- or medium-sized business focused on an industry other than technology. These businesses usually have many vulnerable or unpatched systems with default credentials that are easy to exploit over their wireless network, and are not likely to know what an attack looks like.

How Fluxion Works Its Magic

Fluxion is the future—a blend of technical and social engineering automation that trick a user into handing over the Wi-Fi password in a matter of keystrokes. Specifically, it's a social engineering framework using an evil twin access point (AP), integrated jamming, and handshake capture functions to ignore hardware and focus on the "wetware." Tools such as Wifiphisher execute similar attacks, but lack the ability to verify the WPA passwords supplied.

Image via SADMIN

Fluxion evolved from an advanced social engineering attack named Lindset, where the original tool was written mostly in Spanish and suffered from a number of bugs. Fluxion is a rewritten attack to trick inexperienced users into divulging the password/passphrase of the network.

Fluxion is a unique tool in its use of a WPA handshake to not only control the behavior of the login page, but the behavior of the entire script. It jams the original network and creates a clone with the same name, enticing the disconnected user to join. This presents a fake login page indicating the router needs to restart or load firmware and requests the network password to proceed. Simple as that.

The tool uses a captured handshake to check the password entered and continues to jam the target AP until the correct password is entered. Fluxion uses Aircrack-ng to verify the results live as they are entered, and a successful result means the password is ours.

Checking WPA password capture confirming through Aircrack-ng. Image via SADMIN

Tactically, this attack is only as good as the fake login screen. Many have been added to Fluxion since it was created, and it is possible to create other screens with some research. In general, running this attack with default login screens will immediately call attention from a more experienced user or tech-savvy organization. This attack is most effective when targeted at whoever is the oldest or least tech-savvy in an organization. Sensitive APs with intrusion detection systems may detect and attempt to defend against this attack by blocking your IP in response to the integrated jamming.

System Compatibility & Requirements

Fluxion works on Kali Linux. Just make sure that you are fully updated, or that you're running Kali Rolling, to ensure system and dependencies are current. You may run it on your dedicated Kali install, in a virtual machine. If you're looking for a cheap, handy platform to get started on, check out our Kali Linux Raspberry Pi build using the $35 Raspberry Pi.

A perfect beginner Wi-Fi hacking kit. Image by SADMIN/Null Byte
Image via SADMIN

This tool will not work over SSH since it relies on opening other windows.

For this to work, we'll need to use a compatible wireless network adapter. Check out our 2017 list of Kali Linux and Backtrack compatible wireless network adapters in the link above, or you can grab our most popular adapter for beginners here.

Check out our list of Kali Linux compatible wireless network adapters. Image by SADMIN/Null Byte

Make sure that your wireless adapter capable of monitor mode is plugged in and recognized by Kali and seen when iwconfig or ifconfig is entered.

How to Capture WPA Passwords with Fluxion

Our goal in this article will be to target an organization via its WPA encrypted Wi-Fi connection. We will launch an attack against users attached to the access point "Probe," capture a handshake, set up a cloned (evil twin) AP, jam the target AP, set up a fake login page, and confirm the captured password against the handshake.

Step 1: Install Fluxion

To get Fluxion running on our Kali Linux system, clone the git repository with:

git clone https://github.com/wi-fi-analyzer/fluxion

Note: The developer of Fluxion shut down the product recently, but you can get an older version of it using the command above instead (not the URL you see in the image below).

Then, let's check for missing dependencies by navigating to the folder and starting it up for the first time.

cd fluxion
sudo ./fluxion

You'll likely see the following, where some dependencies will be needed.

Run the installer to fetch dependencies and set your board to green with:

sudo ./Installer.sh

A window will open to handle installing the missing packages. Be patient and let it finish installing dependencies.

After all the dependencies are met, our board is green and we can proceed to the attack interface. Run the Fluxion command again with sudo ./fluxion to get hacking.

Step 2: Scan Wi-Fi Hotspots

The first option is to select the language. Select your language by typing the number next to it and press enter to proceed to the target identification stage. Then, if the channel of the network you wish to attack is known, you may enter 2 to narrow the scan to the desired channel. Otherwise, select 1 to scan all channels and allow the scan to collect wireless data for at least 20 seconds.

A window will open while this occurs. Press CTRL+C to stop the capture process whenever you spot the wireless network that you want. It is important to let the attack run for at least 30 seconds to reasonably verify if a client is connected to the network.

Step 3: Choose Your Target AP

Select a target with active clients for the attack to run on by entering the number next to it. Unless you intend to wait for a client to connect (possibly for a long time), this attack will not work on a network without any clients. Without anyone connected to the network, who would we trick into giving us the password?

Step 4: Select Your Attack

Once you've typed the number of the target network, press enter to load the network profile into the attack selector. For our purpose, we will use option 1 to make a "FakeAP" using Hostapd. This will create a fake hotspot using the captured information to clone the target access point. Type 1 and press enter.

Step 5: Get a Handshake

In order to verify that the password we receive is working, we will check it against a captured handshake. If we have a handshake, we can enter it at the next screen. If not, we can press enter to force the network to provide a handshake in the next step.

Using the Aircrack-ng method by selecting option 1 ("aircrack-ng"), Fluxion will send deauthentication packets to the target AP as the client and listen in on the resulting WPA handshake. When you see the handshake appear, as it does in the top right of the screenshot below, you have captured the handshake. Type 1 (for "Check handshake") and enter to load the handshake into our attack configuration.

Step 6: Create the Fake Login Page

Select option 1, "Web Interface," to use the social engineering tool.

You will be presented with a menu of different fake login pages you can present to the user. These are customizable with some work, but should match the device and language. The defaults should be tested before use, as some are not very convincing.

I chose an English language Netgear attack. This is the final step to arm the attack; At this point, you are ready to fire, so press enter to launch the attack. The attack spawns multiple windows to create a cloned version of their wireless network while simultaneously jamming the normal access point, enticing the user to join the identically named, but unencrypted, network.

Step 7: Capture the Password

The user is directed to a fake login page, which is either convincing or not, depending on which you chose.

Perhaps not the most elegant deception, but these files are configurable.

Entering the wrong password will fail the handshake verification, and the user is prompted to try again. Upon entering the correct password, Aircrack-ng verifies and saves the password to a text file while displaying it on the screen. The user is directed to a "thank you" screen as the jamming ceases and the fake access point shuts down.

You can verify your success by checking the readout of the Aircrack-ng screen.

Key captured and verified. The network is ours!

Congratulations, you've succeeded in obtaining and verifying a password, supplied by targeting the "wetware." We've tricked a user into entering the password rather than relying on a preexisting flaw with the security.

Warning: This Technique Could Be Illegal Without Permission

Legally, Fluxion combines scanning, cloning, creating a fake AP, creating a phishing login screen, and using the Aircrack-ng script to obtain and crack WPA handshakes. As such, it leaves signatures in router logs consistent with using these techniques. Most of these practices are illegal and unwelcome on any system you don't have permission to audit.

Cover photo and screenshots by SADMIN/Null Byte

65 Comments

+1 very descriptive.

When i broadcast the fake ap there no password protection on in (assuming we're checking on our smartphone) . Am I doing something wrong here. Help is appreciated thank you

No, this is correct. The fake AP does not have a password. If you were to put a password on it, it would need to match the one they are already using in order for them to connect to it. Since we don't know the password yet (that's what we're trying for) the fake AP appears the same, but has no encryption.

Thank you for clarifying it. I had fault impression that the fakeAP would create exact copy of the existence one and not prompting the victim go through Web browser instead to enter the password.

My bad, I'll be more clear!

Thanks for the excellent tutorial!
Can you shed some light on how to edit or perhaps make custom web interfaces?

It can be done, but DeltaFlux has been less than forthcoming about how. This spanish-language video was the first example I saw of modifying a page. Sorry for the rude spanish lemon.

No speak Spanish! LOL I can develop web pages np, just need to know what additional code to add, where the pages are kept, etc. =)

Hello, does this attack work if the person performing the attack is offline. Thanks.

Hi Harry,

No, both the attacker and the target must be online for this attack to work. Thus, you must target a network with a client connected.

i cant download fluxion plz can u tell where to find it?or do u have any direct link to downloadable file?
download page ask for "username & password" huh
pllzzz help

try: sudo apt-get install fluxion

So an attack like this is tracable?
And if so tracable back to a terminal or something other than that?
Thank you,in advance.

Hello,
great article, however I have some problems.

When I get the handshake it says my certificate is invalid or not present and then goes on to do the same thing however it does not show the one using the network any of the login screens therefore not making it able for me to get the password at all.

Any help would be appreciated :)

Hello everyone,

I found the following explanation from the creator of fluxion.

For now, refer to this fluxion repo. It's a slightly older version, but I'm hearing reports that it works.

When im sudo ./installer.sh it remove anything.then my laptop got freeze.what should i do?

Acer Aspire F15 (F5-573G-59V4) ( Intel Core i5 / 7th Gen / 4 GB RAM / 1 TB HDD / 2 GB Nvidia Dedicated graphics

getting error:

wc: /tmp/TMPflux/dump-01.csv: No such file or directory
./fluxion: line 1218: : -le: unary operator expected
cat: /tmp/TMPflux/dump-01.csv: No such file or directory
expr: syntax error
WIFI LIST

ID MAC CHAN SECU PWR ESSID

grep: invalid: No such file or directory
grep: number: No such file or directory
grep: of: No such file or directory
grep: lines:: No such file or directory
grep: '/tmp/TMPflux/dump-01.csv': No such file or directory
1) head: invalid number of lines: '/tmp/TMPflux/dump-01.csv' 100%

(*)Active clients

Select target. For rescan type r
#>

You're running fully updated kali rolling?

hi there iam new around here :) i was wondering if someone could help me after typing first command, git clone hhtps://github.com/deltaxflux/fluxion.git, it then puts me on the next part which is (cloning into 'fluxion'...) it then asks for a user name/password. which i thought would be user: root/password: toor, which is root backwards anyways user works fine but password then says , fatal: Authentication failed for 'github.com/deltaxflux/fluxion.git/' any hep on this matter would be very much appreciated :) also im running kali via live USB persistence.

My DHCP server will not start a fake AP. Everytime I try it will either freeze at server service starting or it will send a few requests and packs and nothing will happen. It won't show clients online and I make sure there is plenty to test. I am pretty sure I do everything write. Is there something else I can do to improve this?

When selecting the interface to use (using an ALFA 2w usb wireless device) I get a complete hardware lock up requiring a reset of the VM.

Can anyone advise how to debug this issue? Can I get it to spit out information to the terminal so I can see which step it is occuring at? I might try putting some more comments in the script

So after selecting my language, I pressed 1 to scan all surrounding networks and I was given this error message:
head: invalid number of lines: '/tmp/TMPflux/dump-01.csv'

I looked online and for everyone having an issue with Fluxion at that point, they get an error that says "TMPlinset" instead of "TMPflux" so I don't really know what to do here.... and my internet works fine and I haven't had an issue with any other programs so this is a first.

linset is what fluxion used to be called. if you can find a solution to their errors where it says TMPlinset I can almost guarantee the same solution will work for you

It actually worked! I tried it on my wifi network having two apple devices connected, it all worked out: the fake AP was created, the handshake was captured with aircrack-ng and having selected the Huawei web interface, upon connecting I was greeted with a captive.apple.com screen asking for my key. I put it in and it was transmitted to my hacking laptop and voila: key found! Now wondering where I can test this out, probably a shopping mall in my city. Great and helpful article! Thanks!

Happy it worked!

I found out about Lindset when it was used on a business I was working for, it's a pretty awesome tool and I'm happy it's been evolving

hello guys i know it is out the subject,but can someone teach us about SS7 attack & how to do it ?

Does it need two wireless cards, like wifiphisher?

sorry. its working. i passed all the installer. but there's no language option showing. after i type sudo ./fluxion, nothing happen

Hello,i see you have bruteforce option but here it doesn't show up,how i can use bruteforce method?

Hi ,I have had a problem installing these unmet dependencies and packages while installing fluxion,now after manually installing those i have damaged my default ubuntu which is 14.04 LTS,now i want to get back my ubuntu in its original form so please suggest how to uninstall fluxion and other packages that i tried to install along with it.Please now i am not able to install any tool or software due to this so please provide a solution.

Really descriptive.
Thanks

I got an ideea for a project, If u have a PC and it's locked, u can make up a simple device to crack any password u can put in a wordlist, u only need a raspberry pi and a way to make it input the passwords in any place, (ex: fb pass box, admin box ANY BOX THAT NEEDS A PASS) but u need to unplug the keyboard and connect the raspberry pi instead. Then find a way to make the pi repeat some simple comands, select pass length , input, and click Back If the pass is incorrect to start over. And add more than one type of cables ex: for bypassing anything in your way, like security doors, PC, phones...... Now I got u guys thinking ... :) :)

Nice guide!
Also for anyone wondering,
Tried it with Net-hunter, many issues: (Rev 6)
1) After running ./fluxion
Error: Need a graphical session (X)
Fix: Use VNC

2) After installation(s) and then running ./fluxion
Error: line 615: /lib/airmon/airmon
Fix: Create a directory /root/fluxion/lib/airmon/ and move airmon.sh into it

3) After installation(s) and then running ./fluxion
Error: line %random%: /dev/fd/62
Fix: Delete fd folder in root/fluxion/dev/ and copy link from /dev/fd paste into /root/fluxion/dev/

4) Cant see any labels of choices
Temp Solu: It will still work, refer the images in the guide while selecting options

5) After choosing the router login webpage

Error: Directory not found (example) /root/fluxion/sites/netgear_eng/ and 403-Forbidden-ed instead of login page on victim's side.

Fix: Rename the "Sites" to "site" and the following lowercase and underscore ("NETGEAR-ENG" to "netgear_eng")

Damn, way to power through! Thank you

Hi

I follow the guide all through but it freezes after opening four new windows, the one with green text says starting the service but never advances, please help.I am using Ralink external wireless adapter with monitor mode enabled.Could it be possibly because my adapter is unable to create a hotspot? Please advice

Thanks in advance

Hey I Used Deltaflux Version Of Fluxion It Work Great Now I Want to Know That I Have seen So many Video Tutorial Every1 Sign In to Network From Their phone .....could this attack be done on a Laptop WiFi User ....Please send Me A Private Message Or Here Thanks In Advance

Fluxion on Raspberry Pi.

I have install Fluxion on raspberry pi3 with kali linux, and i am controlling my pi with vino-vnc, i have created a hotspot on wlan0 and i have attached an external wifi card i.e, wlan1, for security auditing of my wifi network, after getting handshake, when i going to launch web interface, it reset my both Cards parameters and i lost connection of my vnc?

Is it possible that program only reset my wlan1 interface not wlan0??

What is the difference between these??
Capture Handshake
1) Deauth all
2) Deauth all {mdk3}
3) Deauth target

And normally, how long does it take to capture handshake??
Thanks

as soon as someone connects to your evil twin you get the handshake.

All - kill everything.
Mdk3 is just a version of a DOS tool to kill all
Target- just kill one machine

Please help me. When I reach the point where I have to select an attack option I only se two options. The one that is missing is the brute force attack. I've installed fluxion from the official repo in GitHub and nothing. I've uninstalled and reinstalled it again and it didn't worked. Please help me.

Hello, Ive done it successfully on my wifi.
you mentioned leaving signatures in the routers log.
which steps create the signatures?
is there any way to delete the signatures?

can this wifi-hack work on a virtual machine running kali linux?

I don't think that a virtual machine can recognize a connected wireless adapter

What wifi adapter are you using?

In your VM is the network set to bridged? If not unplug the adapater. Bridge the network with your own. Put your adapter back in (male sure you have installed the drivers for it). Then open a terminal and type ifconfig...it should now appear. If not post a picture of your terminal output.

I've encountered a problem. Everything works up to the point that i connect to the FakeAP. When i open up a browser en type a random adress, i dont get send to the ''router inlog page''. e.a. when i put in google.com it just tries to load it and says that google.com can't be reached.

What am i doing wrong here? Thanks!

Are you trying to access the fake AP on a computer or a mobile device?

I tested in my own tplink router with a Dell laptop with inbuilt network adaptor. Every lines of command worked fine but in the end when i started deauthniciate, my mobile disconnected from my original AP. After that it tried to re-connect to the same AP(may be fake AP) and asked me to enter WiFi password. When I entered the wifi password nothing happened.

My question is , Why I did not promt for firmware upgrade page?
Does external wireless adapter is necessary ?
I m stuck at four windows opened. Any idea ? Thanks in advance.

Hi, really nice guide !
I have just a question :My AV blocks the Fake Login Page, is there a way to bypass it ?
Thanks

I don't know how I would go about coding this, but might it be possible to set up the fake IP with its own encryption, just so that the network would appear to be locked -- to me this seems to be the biggest flaw in a fluxion attack.

Airgeddon allows this

What? why would you want that?

Fluxion:

The victim isn't even aware that he has been kicked from his own network and connected to the fake one (by his own system/device)

And once he starts browsing the net, he is greeted with a good router firmware update webpage asking for the WPA/2 key. My router actually does that often (but it asks for router login credentials ofc). I've had 49% success using this attack.

If we apply your strat, the victim's device wouldn't even try to connect to the hosted evil AP (cuz of encryption) and thus the device will just keep reconnecting to the 'original' network (due to the continuous de-auths).But IF the user gets disturbed due to the disconnections from WLAN, he might try to connect to the evil network manually and type/give-in the WPA.

Success probability: 20% IMO

Well, you're just doing a MITM attack at that point. If you want to attack an AP and you crack the password, you just create an encrypted evil AP that looks identical and deauth the legit one

Use a secondary adapter to launch the fake ap. With your normal connection, connect to a vpn that keeps no logs. Edit hostapd.conf and change adapter to wlan1. There your chances of being caught are slim

Share Your Thoughts

  • Hot
  • Latest