How to Hack Wi-Fi: Get Anyone's Wi-Fi Password Without Cracking Using Wifiphisher

Welcome back, my tenderfoot hackers!

Do you need to get a Wi-Fi password but don't have the time to crack it? In previous tutorials, I have shown how to crack WEP, WPA2, and WPS, but some people have complained that cracking WPA2 takes too long and that not all access points have WPS enabled (even though quite a few do). To help out in these situations, I present to you an almost surefire way to get a Wi-Fi password without cracking—Wifiphisher.

Steps in the Wifiphisher Strategy

The idea here is to create an evil twin AP, then de-authenticate or DoS the user from their real AP. When they re-authenticate to your fake AP with the same SSID, they will see a legitimate-looking webpage that requests their password because of a "firmware upgrade." When they provide their password, you capture it and then allow them to use the evil twin as their AP, so they don't suspect a thing. Brilliant!

To sum up, Wifiphisher takes the following steps:

  1. De-authenticate the user from their legitimate AP.
  2. Allow the user to authenticate to your evil twin.
  3. Offer a webpage to the user on a proxy that notifies them that a "firmware upgrade" has taken place, and that they need to authenticate again.
  4. The Wi-Fi password is passed to the hacker and the user continues to the web oblivious to what just happened.

Similar scripts have been around for a while, such as Airsnarf, but this new Wifiphisher script is more sophisticated. You could always do all of this manually, but now we have a script that automates the entire process.

To do this hack, you will need Kali Linux and two wireless adapters, one of which must be capable of packet injection. Here, I used the tried-and-true Alfa AWUS036H. You may use others, but before you do, make certain that it is compatible with Aircrack-ng (packet injection capable). Please do NOT post questions on why it doesn't work until you check if your wireless adapter can do packet injection. Most cannot.

Now let's take a look at Wifiphisher.

Step 1: Download Wifiphisher

To begin, fire up Kali and open a terminal. Then download Wifiphisher from GitHub and unpack the code.

kali > tar -xvzf /root/wifiphisher-1.1.tar.gz

As you can see below, I have unpacked the Wifiphisher source code.

Alternatively, you can clone the code from GitHub by typing:

kali > git clone https://github.com/sophron/wifiphisher

Step 2: Navigate to the Directory

Next, navigate to the directory that Wifiphisher created when it was unpacked. In my case, it is /wifiphisher-1.1.

kali > cd wifiphisher-1.1

When listing the contents of that directory, you will see that the wifiphisher.py script is there.

kali > ls -l

Step 3: Run the Script

You can run the Wifiphisher script by typing:

kali > python wifiphisher.py

Note that I preceded the script with the name of the interpreter, python.

The first time you run the script, it will likely tell you that "hostapd" is not found and will prompt you to install it. Install by typing "y" for yes. It will then proceed to install hostapd.

When it has completed, once again, execute the Wifiphisher script.

kali > python wifiphisher.py

This time, it will start the web server on ports 8080 and 443, then go about discovering the available Wi-Fi networks.

When it has completed, it will list all the Wi-Fi networks it has discovered. Notice at the bottom of my example that it has discovered the network "wonderhowto." That is the network we will be attacking.

Step 4: Send Your Attack & Get the Password

Go ahead and hit Ctrl + C on your keyboard and you will be prompted for the number of the AP that you would like to attack. In my case, it is 12.

When you hit Enter, Wifiphisher will display a screen like the one below that indicates the interface being used and the SSID of the AP being attacked and cloned.

The target user has been de-authenticated from their AP. When they re-authenticate, they will be directed to the cloned evil twin access point.

When they do, the proxy on the web server will catch their request and serve up an authentic-looking message that a firmware upgrade has taken place on their router and they must re-authenticate.

Notice that I have put in my password, nullbyte, and hit Submit.

When the user enters their password, it will be passed to you through the Wifiphisher open terminal, as seen below. The user will be passed through to the web through your system and out to the Internet, never suspecting anything awry has happened.

Now, my tenderfoot hackers, no Wi-Fi password is safe! Keep coming back as we explore more of the world's most valuable skill set—hacking!

131 Comments

Hmmm interesting. I will try this when I get out of class. Maybe even be useful to have supported as an add on in my script I am working on.

Interesting.

-Phoenix750

great trick

but the problem is that the evil twin doesn't have the same BSSID as the original so you can see two APs with same eSSID and devices won't connect automatically...

so if the script could be edited for that it would be perfect

You have to make sure the rogue AP's signal is stronger than the legit one. So you have to be close, or use a powerful antenna. Once you deauth your target pc, it will try to reconnect and will pick the strongest signal (yours).

Excellent point, TripHat. Check out the tutorials on increasing TX power here on Null Byte. Our trusty Alfa AWUSH can be amped up to 4x the legal limit.

A side note about the WiFi scrambler I am going to build in my Electricity/Electronics for Hackers series: My scrambler will be able to send out signals that reach 8 Watt, which is roughly 10-30 times higher than the legal limit. I haven't tested my design actually, because I'm afraid of legal consequences.

-Phoenix750

Very interesting... if that will fit in my poor hardware knowledge, I'd be glad to test it. Also, to find out your real position, someone would have to triangulate the signal... that is not so easy if you're just running a test.

With a well placed antenna, this jammer is capable of putting a small town without wifi. With even more power and a higher spot, this jammer may be capable of scrambling any wireless communication in an entire city like Chicago. Yes, an entire city!

The reason I am careful when working with the electromagnetic spectrum is because of something that happened to my dad when he was in his 20's. My dad was, and still is, just like me, a passionate hardware hacker. One of the earliest things he did was build a radio transmitter for his town. This transmitter had the power of 100-200 Watt, and was placed on a high hill. My dad was successful in broadcasting his radio programs to our town (he was a hobby DJ back then), but it did have its consequences. First of all, he never got the permission to broadcast on that wattage and on that frequency (which was 100.2 MHz, in case anyone is wondering), but he also caused disturbances at the airport of Amsterdam with his radio transmitter. Yes, the airport of Amsterdam, and we live near Brussels!

The reason this happened is because some of his radio waves reached Amsterdam, but not at the frequency he broadcasted at. These waves were just simple pulses that occurred every minute or so. But by crazy coincidence, these waves were at the same frequency the Amsterdam airport was using for its control towers, and thus it caused disturbances in the communications of the pilots and the airport.

I am not only afraid that I will get fined or something, but also that I might cause an accident.

-Phoenix750

Wow, nice story! Yeah, one should pay caution when playing with radio waves, still, it doesn't have to be a huge transmitter. While the potential to knock off an entire city is possible, a personal jamming device with a 20-30 meter radius can be a fun toy to play with, with no harm to anyone. If the device is portable, the chances of getting caught are extremely low. Just don't use it in sensitive areas..

I am already planning on testing it safely. The thing is, whether it's a wifi jammer of 2 or 2000 Watt, the design remains the same. All you need to do to get a higher wattage is increase the voltage.

The current design I have at the moment is a small jammer with a wattage of 8 watt and a 15cm long antenna. This should be enough to reach 50 meters under ideal circumstances. It utilizes a 9V battery as a source.

-Phoenix750

I can't wait till you release the details, very excited :)

Cheers,
Washu

Hi dude, you said that the wattage is higher only when you increase the voltage, really?

Interesting.
My best regards.

Ohm's law tells us that when voltage goes up, so does current.

And wattage = voltage multiplied by current.

To increase the wattage you have 2 options: increase the voltage, or decrease the resistance. Since the resistance is a value that can't be changed easily, unlike voltage, we usually just change the voltage to get more power.

-Phoenix750

In your previous tutorial on evil twin, a fake AP was created with the same BSSID and ESSID as the AP to be hacked and you could only see one AP because the fake one overwhelms the original... but in this tutorial the script or tool creates an AP with only the same ESSID as the original, hence you actually see two APs, one open and one secured, so it's suspicious and devices won't connect automatically, so the user would actually have to choose to connect to the fake one.

don't you think it's better to edit the python script to have the fake AP have the same BSSID as the original like in your previous evil twin tutorial ??
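As an added defender-side example (not code from the article, from this commenter, or from the Wifiphisher project): the attack steps in the article and the observation in the comment above leave two things a wireless monitor can see, a burst of deauthentication frames against the real BSSID and a second BSSID advertising the same ESSID as an open network. The record layouts and all sample rows below are constructed for the example, not a real airodump-ng export.

```python
"""Flag the two observable side effects of an evil-twin phishing attack from
constructed scan data: a deauth burst against a BSSID, and a second BSSID
advertising an existing SSID with weaker security (open where the real
network is WPA2)."""
from collections import defaultdict

# Constructed beacon observations: (bssid, essid, privacy)
BEACONS = [
    ("00:11:22:33:44:55", "wonderhowto", "WPA2"),
    ("aa:bb:cc:dd:ee:01", "neighbor-net", "WPA2"),
    ("66:77:88:99:aa:bb", "wonderhowto", "OPN"),    # open twin of a WPA2 network
    ("aa:bb:cc:dd:ee:02", "neighbor-net", "WPA2"),  # second radio, same security: benign
]

# Constructed management-frame log: (timestamp_s, subtype, bssid, destination)
# 802.11 management subtype 8 = beacon, 12 = deauthentication.
BROADCAST = "ff:ff:ff:ff:ff:ff"
FRAMES = (
    [(float(t), 8, "00:11:22:33:44:55", BROADCAST) for t in range(0, 60, 5)]
    + [(30.0 + i * 0.2, 12, "00:11:22:33:44:55", BROADCAST) for i in range(40)]
    + [(45.0, 12, "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01")]  # one ordinary deauth
)

SECURITY_RANK = {"OPN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}


def find_twins(beacons):
    """Return SSIDs advertised by more than one BSSID where some BSSID offers
    weaker security than the strongest seen for that SSID.

    Several BSSIDs per SSID is normal (multiple radios, mesh), so the
    security downgrade, not the duplicate name, is what gets flagged."""
    by_essid = defaultdict(list)
    for bssid, essid, privacy in beacons:
        by_essid[essid].append((bssid, privacy))
    findings = []
    for essid, aps in by_essid.items():
        if len(aps) < 2:
            continue
        strongest = max(aps, key=lambda ap: SECURITY_RANK.get(ap[1], -1))[1]
        weaker = [b for b, p in aps
                  if SECURITY_RANK.get(p, -1) < SECURITY_RANK.get(strongest, -1)]
        if weaker:
            findings.append({"essid": essid, "strongest": strongest,
                             "weaker_bssids": weaker})
    return findings


def deauth_bursts(frames, window_s=10.0, threshold=20):
    """Return {bssid: peak_count} for BSSIDs whose deauth frames reach
    `threshold` inside some `window_s`-second sliding window.  A client sees
    an occasional deauth during normal roaming, not dozens per window."""
    times_by_bssid = defaultdict(list)
    for ts, subtype, bssid, _dst in frames:
        if subtype == 12:
            times_by_bssid[bssid].append(ts)
    flagged = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[bssid] = peak
    return flagged


if __name__ == "__main__":
    for f in find_twins(BEACONS):
        print(f"possible evil twin of {f['essid']!r} ({f['strongest']}): "
              f"weaker BSSIDs {', '.join(f['weaker_bssids'])}")
    for bssid, n in deauth_bursts(FRAMES).items():
        print(f"deauth burst against {bssid}: {n} frames in one window")
```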

Yes, please feel free to edit the script and publish it here for us.

if someone with python skills would do that and publish it would be great

It isn't that hard to change small parts of the code, just look through it until you see the part that you must change.

Hint: Look at line ~480

You can also look into the -a switch, I think it should do what you want but don't quote me on that.

Cheers,
Washu

Did anyone update the script to copy the AP's BSSID?
Share please??

Is it possible to create an EvilTwin AP with username and password, but when the victim enters the username and password it doesn't compare them to anything, just stores the given user and password?

Good post btw

Not really, here we are redirecting to a fake web firmware update, which someone in the IT business would not trust very much.

What I'm talking about is reauth in Windows connecting to the wifi system

You could create another proxy authentication page and have them authorize there.

Let's be clear, this will not likely work against someone who is IT security savvy. The other 99.9% of the world, it will work.

But when you auth in windows for example, you get the form, usually just password or username and password, those are sent to AP right?

can't we catch that in plain text since it is our controlled AP, right?

Yes, but those are router credentials, not the actual wifi password. They come into use later, but without the wifi password, they are of no use.

And as I already suggested in a similar post, you can build a custom phishing page that looks credible. The first 3 bytes of the MAC will tell the manufacturer, so you can insert its logo and make it more similar to an authentic one.

Router credentials are for the router's web based configuration, I'm talking about wifi ofc

I think there is some confusion here. This hack is for the WPA2-PSK password. No username, just password.

PSK passwords are sent as hashes and not in the clear. We can capture the hash, but it never appears in the clear.

Ok ty OTW, can we launch our own fake web form?
and if yes is it easy to change the web file

hmmm.. so you want to catch the wifi password that the user types in windows network manager? No that's not possible, at best you can get the WPA handshake, but you'll still have to crack it. Passwords won't be in plain text. The advantage of this over the classic deauth is you can spawn a network that is not active nearby, but the target is probing, it doesn't help in cracking the pass.

All I wanna know is what's in TheDragonLair ? Treasures? Grimm fates? Quests? ;-P

What if you have a school chromebook that does not let you get the proper chrome extensions and dev mode is blocked, is it possible to get the source code running at all on a chromebook or should I try another computer?

Thanks
-sam

p.s
I HATE GOOGLE CHROME OS IT IS A CRAPPY LINUX WANNABE!

After that, do I still have to crack the password or do I already have it unencrypted?

No, it's unencrypted. The user entered their password into OUR website and we captured it.

What happens if the user enters whatever password? Will this password be kept and give us a false positive, or is there a way to verify a valid password?

Thanks OTW!!

If they enter the wrong password then it will not work, but quite honestly I don't think it's worth trying to verify it since everyone on the network will see this webpage and the odds that they all enter the wrong password are slim.

Cheers,
Washu

do I need to be connected to internet when doing this attack or my Kali can be offline?

You should theoretically be able to use this when offline since the victim never actually connects to the internet.

Cheers,
Washu

Well if you're not online the target won't get internet, but they will still go to the fake upgrade page which will allow you to steal their password.

Cheers,
Washu

Being online should not be mandatory... after you got the password you can simply stop the fake AP, victim will disconnect and reconnect to real one automatically. Or you could automate it by adding a small script to stop the attack as soon as the victim inputs the password.

Password validation can be added as well, either by trying to authenticate with the password just obtained, or by using aircrack against a previously captured WPA handshake. Again, this can all be scripted and executed when the victim types his password. This way the attacker might know in real time if the password is correct, and eventually output the result in the phishing page before stopping the attack. So in case a suspecting user types some gibberish in the password field, they won't be greeted with 'YAYYY Password is correct' !!. Personally, I don't always type my passwords when they try to phish me, but when I do, I type some gibberish password that ends with ' OR 1=1

very nice tool, and when i was troubleshooting i found that by using only one network adaptor you can use this tool to block any wifi from using internet...very interesting..wish y'all can try it..

Mr_Nakup3nda

OTW, you have mentioned that there are guides on how to increase the tx power on wireless adapters. But are there any that are updated for Kali 2.0, because the old methods are not working anymore?

Did you ever figure out how? Quite lost myself. Been searching for days now.

In the firmware upgrade page, is there an option to notify the user in the first attempt that the credentials provided were wrong so that people who hesitate to put usernames and passwords in suspicious looking pages could be tricked. Doing this on the first login attempt could fool the people who might insert wrong credentials intentionally in the first attempt to see how page responds. Others might think that they might have mistyped. Both in most cases should provide the correct credentials on the second attempt.

And also can the firmware page be modified? The page template could raise suspicion if the router page they are used to looks completely different.

Both these things can be done with a bit of javascript, html and css. So where does the fake firmware page exist?

Great article as always!

This can be added, and actually improved. Read my comment above.

Yes, the firmware pages can be modified, check em.

No, that option does not exist, but you could definitely add it. This is all just a Python script.

Ok thanks. I looked up the project and found the html page in
phishing-scenarios/minimal/ directory.

Ok i'll look into it then. Thanks.

once again, i cant install anything

So i tried to - run apt-get update.
And this happened:

-HELP
how can I fix this error?
I would appreciate your help a lot!

Black Cat

The 2 things I can think of are, firstly, make sure that your source.list is properly configured. Secondly, make sure that you have a good internet connection. If it takes more than a couple of minutes to install hostapd it's probably because of your internet.

If you're on a VM you could always revert to an earlier snapshot?

Cheers,
Washu

Hello can you talk through Facebook

You're in root, so if nothing has worked try sudo apt-get rather than just apt-get

I HATE LINUX!!! Why don't you make something like this for Mac and Windows users?

It's Python, it's exactly the same on any OS, also Mac is UNIX based just like Linux

If you hate Linux, don't even consider becoming a hacker...

-Phoenix750

Why do you need 2 WIFI Adapters? Can 1 work?

You need two because one injects deauth packets to the victim, the other one creates the fake AP.

Injection requires the adapter to be in monitor mode, spawning the AP requires the adapter to be in master mode, and you can't be in both modes simultaneously.

You need 2. One serves as the AP and the other connects to the Internet.

I'm thinking about the security issue. Is it safe to do so?

Do people REALLY do this? Why? Isn't it kinda, sorta "illegal", and if not illegal, just plain wrong.

I'm posting it on Facebook so people can watch out for lowlife bottom feeders such as y'all.

Yes, people do this, but you're misdirecting your comment. This blog is geared towards white hats interested in becoming security professionals, so they need to know how these types of things work to spot them in their field.

So with the wireless adapters, will this configuration work: 1 internal Intel Centrino Advanced-N 6235 and 1 Alfa AWUS036NH adapter.

As long as one can do packet injection, you are good. The Alfa is capable of packet injection.

phoenix 750 ,could you please make tutorial how to on using wifiphisher in parrot sec please.......

unable to access 'https://github/sophron/wifiphisher/ ': Could not resolve host: github

help me guru

This isn't really ideal, right, because you can't really choose which device gets attacked....?

By device, do you mean AP? Yes, of course, you can. We are attacking the AP, not an individual computer. Once we have the password, we can use the AP at will.

I thought only one target user would get disconnected and reconnected... does this mean all (wireless) connected devices on the targets AP will?

Also how long does this process take?

Yes, everyone would be disconnected, but that really isn't the point. In a WPA2-PSK AP, the PSK stands for Pre-Shared Key. Everyone's password is the same. Get one password and you get everyone's.

Yeah you are absolutely right. I just tried it out on my laptop with a TL-WN722N in combination with my desktop using another dongle. But without success it just keeps jamming and jamming devices...... not sure if that is normal?

Hi. I'm looking for a good solid adapter for Kali that can do all the things an expensive one can but for half the price. I know Alfa adapters are good but they range from $30 - $40. I'm looking for something priced about $15 (give or take). Any suggestions?

@JO

I recommend the TL-WN722N, it's relatively cheap and has decent results. You can start with that at least, and later maybe upgrade to one of the Alfas.

Right from the beginning, It says
Canot open: no such file or directory
Error is not recoverable:exiting now
Child returned status 2
Error is not recoverable:exiting now

What seems to be the problem?

Also, after my terminal or screen is left idle a while, I'm prompted to log in with the user id 'root'. I haven't even set up a user id before, can't log in as I don't have the password, just keep rebooting the system every time I come to that.

Help please... I seem to be unable to install hostapd... kali timed out trying to connect to server and/or couldn't find the hostapd on the kali servers

In this program it ask for wpa password ,not everyone knows what is a wpa . So is there any possibilities that i can that into wifi password

Is here someone who can help me?

I have an internet connection in Kali Linux (I can normally go to google or null byte.com) but when I run setoolkit (site cloner) or wifiphisher it says to me that I need a persistent internet connection. How can I fix this? pls help

this is why you need 2 adapters. 1 for keeping you online, and another one is for creating evil twin AP. Once you set your only adapter to monitor mode - you lose internet connection.

How long does this process normally take? Because for me it will just only jam and not actually force the user to the proxy webserver. What I believe is happening is users get kicked out of the network (deauth is working). But then the fake AP isn't set up properly because it won't connect to the fake AP; instead my computer is trying to connect to the real AP but gets instantly kicked out of it and this will just loop (Yes, I am using two wifi adapters, AWUS036NHA and the TL-WN722N).

this is not a error, please enter "y" and go fwd

I tried this on my own network but the fake page for entering the wpa code doesn't show up.
Does anyone know why this isn't showing up?

I'm having a bit of a problem starting the fake AP. Hoping you guys can help!

I'm running the newest (to this date) version of Kali Linux in Virtualbox 5, using an Alfa AWUS036NHA for the deauth and a D-Link DWA-140 as the second wireless adapter.

According to everything that happens on the screen, it should be working just fine. I do get deauth'd on my devices, but the fake AP doesn't show up on the list of available networks (checked on Samsung Galaxy S3 running CyanogenMod 13). I even went as far as to get WiFi Analyzer for my phone, which is an app that searches for nearby WiFi signals. It could not find the fake AP either, which leads me to think the AP was never created in the first place. However, no errors show up on screen in Kali.

I've even tried manually setting the deauth adapter by using the -jI switch; python wifiphisher.py -jI wlan0.
What could be the cause?

It seems network manager was the problem. If anyone else experiences this problem, you might wanna try and kill the service.

You can do so by using the command "service network-manager stop" without the quotes, of course.

Hi, guys
i have some questions about wifiphisher and evil twin.

if you have some free time please explain,

I didn't understand: when I run wifiphisher it runs and only deauths me from my AP but doesn't create another one without passwd.

you said that we will need 2 wireless card but you didn't specify how we use the second one.

So i tried to go fwd on this article https://null-byte.wonderhowto.com/how-to/hack-wi-fi-creating-evil-twin-wireless-access-point-eavesdrop-data-0147919/

but here airbase-ng creates the fake AP without passwd but I can't connect to this AP,
and how to config the malicious web page.
maybe I need to learn more about proxy?
and what do you mean by config proxy so it will redirect users to the web page?
thanks a lot

-papanireal

Please provide more info and screenshots.

Hello! Having the same issues as these guys. I have attempted to best explain my (possibly/hopefully theirs as well) situation.

I am running Kali on a Live USB stick and using the -jI selector to use my Alfa (AWUS036H) in monitor mode and using my built in adapter (PCI Adapter) for Internet access. I then select my network and the script goes into a loop (I'm assuming that is causing the issue?) where it continually repeats this screen.


I am presuming this is continually booting off all users (as this is what's happening), thus disallowing anyone to connect and even reach the fake webpage.

Hopefully I have given you enough to work off of. If not, I will be happy to add more. Thanks.

-Edit- Also, don't know if it matters, but BOTH my adapters are running at txpower: 20. (Due to having several issues with changing TX power) I don't believe this is an issue as I have selected wlan2 (my Alfa adapter) to be in monitor mode manually using: python wifiphisher.py -jI wlan2

I hope someone could answer this one, I am facing the same here ??

Sorry, didn't notice your comment till now. But if you're still interested or haven't figured it out, check out my guide! You can find it by going to my profile.

What do you type to download wifiphisher from github? You say you are attacking the wonderhowto network #11 on your screen.

When you hit control C you say you enter #12.
Why? Wouldn't it be #11? I'm confused

Lastly thank you for the great article.

Sweetcorn;

The command to download is right in the article.

git clone https://github.com/sophron/wifiphisher

You are confusing the channels with the number of the AP. Wonderhowto is on channel 11 but is #12 AP.

OTW

I see it now. I was reading off my phone and couldn't see the channels before. Thanks.

Can you use two external wifi adapters for this attack?
like two tp-link TL -wn722n?
It's because, my laptop's internal wireless card is a broadcom one, and it doesn't support monitor mode.

Yes, you can use two external wireless adapters.

What is the solution

Where is the wifiphisher file?

I did not find

Did you download it? It's not on Kali unless you download it.

I have a lot of problems in the kali will re-inauguration thank you

Can you help me please? i get this error whenever i try to run it... + Choose the num of the scenario you wish to use: 1

  • Selecting Browser Connection Reset template

Starting the fake access point...

  • Driver initialization failed! (hostapd error)
  • Try a different wireless interface using -aI option.

! Closing

Do you have two wireless cards?

I have an ALFA wireless and the built in one for mac. When I type ifconfig it shows wlan0 and wlan1.

The error message implies that one of the wireless cards is not compatible. My guess is that it is the one built into the Mac.

dang... Well I have some money might buy another... Thanks.

Hey. I read a few of your hacking tips on wifi. But I am more interested in wifiphisher, I have a few doubts on it. When we send that authentication to the user, can he suspect and see our mac address? Is it safe to use this method? Does this method work on all types of wifi protected routers? And why do we need 2 adapters? Can we do this method with one adapter? Pls if there is a video for this, then can you send the address. Thank you and waiting for your reply.

And ya does it work on Windows 8.1

Jinesh:

You don't seem to have this article.

First, you need Linux. Second, it will work on any wifi protected router. Third, you have two wireless cards because one is used to deauth the AP and the second creates a fake AP.

Does any type of less cost adapter work??

Only those on the aircrack-ng compatibility list.

Hi

i'm getting this error on the last step !! any help ? please

  • Choose the num of the AP you wish to copy: 1

Traceback (most recent call last):
File "bin/wifiphisher", line 12, in <module>
run()
File "/root/wifiphisher-master/wifiphisher/pywifiphisher.py", line 1079, in run
template = selecttemplate(args.template)
File "/root/wifiphisher-master/wifiphisher/pywifiphisher.py", line 486, in select
template
templatemanager = phishingpage.TemplateManager()
File "/root/wifiphisher-master/wifiphisher/phishingpage.py", line 132, in _init_
self.
templates = {"connectionreset": connection, "office365": office,
NameError: global name 'office' is not defined

Please give us a screen shot so we can help you.

I tried to start the virtual machine, now got another problem!

Is your wireless adapter in monitor mode?

And can you pls upload the entire video from tip to toe, the requirements, procedure, software to be installed before starting, and at the end how it happened, it is a request from all the beginner hackers, thank you

I bought 2 adapters (TP link tl wn722n) and one more is (wavlink wl wn687ni), will these two work? I have an HP Windows 8.1 laptop.

Are you running Kali Linux? Did you check for compatibility on the aircrack-ng website?

I installed it and it runs with no errors with one Alfa AWUS036H connected. It stays blinking and my iPhone doesn't get rerouted to my evil twin. What to do with the second USB Wifi adapter? Just plug it in or configure it?

Hi i followed all of your steps but after jamming devices nothing happens or no device appears

This is a fake image but as you can see everything is blank. And I'm using 2 wlan cards

Hello, I ran into this problem while trying to unpack; when I got the error, that's when I tried to update and I tried again but I'm still getting the error

uhmm can i do this w/out internet in my laptop?

can i turn on only the fake ap without the jammer? poor man mode, i only have 1 usb wifi. because my internal card is not detected in kali.

The big problem is HSTS detection on Chrome and Firefox

is this work for ubuntu?? i have a scapy error when use it
please reply

Do we need two wifi adapters for it to make it work? If yes then I am sick of googling how to set up my new TL-WN727N on Linux :/

You Are A Genius. That's Why I Love Visiting This Site More Often. Keep Up The Good Work.
