wifiphisher: automated WPA phishing (MitM) attacks

wifiphisher is a semi-automated Python utility that tries to reveal the WPA password of a WiFi connection using social engineering. The technique is different from the brute-force attack used in tools like Pyrit. wifiphisher is installed by default on Kali Linux. In this article we will explain how to install and run it on Ubuntu.

wifiphisher uses a 3 stage procedure to retrieve passwords:

  1. Use DoS (Denial of Service) methods to disconnect the victim. The tool sends deauthentication packets from the access point to the client and vice versa. It also sends the same to the broadcast address.
  2. Create a rogue access point based on the target access point’s settings. It also fakes a NAT/DHCP server and does port forwarding. Due to the continuous attacks, the victim is forced to connect to the rogue access point. Hence, a Man in the Middle attack is initiated.
  3. Once the victim joins the rogue access point, he is served a router configuration page that looks authentic. It prompts for a router firmware upgrade and requests the password. If the victim enters the password, the tool reveals it in the console.
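
Seen from the defender's side, stages 1 and 2 leave a recognisable pattern on the air: a burst of deauthentication frames for one BSSID, followed by the same SSID being advertised without encryption. The sketch below is an added example (not part of wifiphisher or of the original article) that correlates the two over already-parsed frame records; the record layout, MAC addresses, SSID, time window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: (time_s, kind, src, dst, bssid, ssid, protected)
# kind is "beacon" or "deauth"; all MACs and the SSID are made up.
AP, ROGUE, STA = "aa:aa:aa:00:00:01", "02:00:00:00:00:99", "cc:cc:cc:00:00:07"
FRAMES = [(0.0, "beacon", AP, BROADCAST, AP, "HomeNet", True)]
for i in range(12):                       # burst in all three directions
    t = 1.0 + i * 0.05
    FRAMES += [(t, "deauth", AP, STA, AP, None, None),
               (t, "deauth", STA, AP, AP, None, None),
               (t, "deauth", AP, BROADCAST, AP, None, None)]
FRAMES.append((2.0, "beacon", ROGUE, BROADCAST, ROGUE, "HomeNet", False))


def deauth_floods(frames, window=1.0, threshold=10):
    """Return {bssid: max deauth count in any `window` seconds} above threshold."""
    times = defaultdict(list)
    for t, kind, _src, _dst, bssid, _ssid, _prot in frames:
        if kind == "deauth":
            times[bssid].append(t)
    alerts = {}
    for bssid, ts in times.items():
        ts.sort()
        start = best = 0
        for end, t in enumerate(ts):      # sliding window over sorted timestamps
            while t - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[bssid] = best
    return alerts


def open_twins(frames):
    """Return {ssid: [open BSSIDs]} for SSIDs also beaconed as protected."""
    seen = defaultdict(lambda: {True: set(), False: set()})
    for _t, kind, _src, _dst, bssid, ssid, prot in frames:
        if kind == "beacon":
            seen[ssid][prot].add(bssid)
    return {s: sorted(v[False]) for s, v in seen.items() if v[True] and v[False]}


def correlate(frames):
    """SSIDs whose protected AP is being deauthed while an open twin is on air."""
    floods, twins = deauth_floods(frames), open_twins(frames)
    prot = {b: s for _t, k, _a, _d, b, s, p in frames if k == "beacon" and p}
    return sorted({prot[b] for b in floods if prot.get(b) in twins})
```

Either signal alone is noisy (clients roam, guest networks exist); the combination of both for the same SSID is what matches the procedure described above.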

Installation

Besides software dependencies, wifiphisher needs two wireless network interfaces, one capable of injection (how to test).

To install wifiphisher on Ubuntu:

$ sudo apt-get install python-scapy tcpdump isc-dhcp-server hostapd
$ git clone https://github.com/sophron/wifiphisher.git

Usage

To run wifiphisher:

$ cd wifiphisher
$ sudo ./wifiphisher.py
OR
$ sudo python ./wifiphisher.py

The steps beyond this are self-explanatory. wifiphisher detects the accessible access points. You need to press <Ctrl-C> and enter the access point number of the victim’s WiFi. wifiphisher then starts the attack. From here, everything is automatic, and if it can lure the victim into entering his/her password, you get it in your console.

Detected Access Point list

A successful attack

wifiphisher options:

| Short form | Long form | Explanation |
|---|---|---|
| -m | maximum | Choose the maximum number of clients to deauth. List of clients will be emptied and repopulated after hitting the limit. Example: -m 5 |
| -n | noupdate | Do not clear the deauth list when the maximum (-m) number of client/AP combos is reached. Must be used in conjunction with -m. Example: -m 10 -n |
| -t | timeinterval | Choose the time interval between packets being sent. Default is as fast as possible. If you see scapy errors like ‘no buffer space’ try: -t .00001 |
| -p | packets | Choose the number of packets to send in each deauth burst. Default value is 1; 1 packet to the client and 1 packet to the AP. Send 2 deauth packets to the client and 2 deauth packets to the AP: -p 2 |
| -d | directedonly | Skip the deauthentication packets to the broadcast address of the access points and only send them to client/AP pairs |
| -a | accesspoint | Enter the MAC address of a specific access point to target |
| -jI | jamminginterface | Choose the interface for jamming. By default script will find the most powerful interface and starts monitor mode on it. |
| -aI | apinterface | Choose the interface for the fake AP. By default script will find the second most powerful interface and starts monitor mode on it. |

Note that wifiphisher may not work under several circumstances: the victim may smell something fishy and back off, or he may not remember the access point password, which is often saved and not memorized. In addition, secondary systems would likely trigger warnings when the target is redirected to the cloned login page, mainly because the ‘duped’ page is not created in a secure and authenticated environment.

On GitHub: wifiphisher

46 thoughts on “wifiphisher: automated WPA phishing (MitM) attacks”

      1. you might wanna add (sudo apt-get install git) cuz i don’t think ubuntu has git by default, i had to do it before continue and thanks for the useful post ..

        1. You are right. Ubuntu doesn’t come with git pre-installed. However, GitHub is extremely popular for hosting open source projects. I am hoping readers will catch-up and learn that if a tool is not available on Ubuntu the first thing to try is “sudo apt-get install”.
          This is the second time I got the same comment but I am consciously ignoring the git installation instruction. Another option is to wget the latest code as zip but I am not too inclined to switch to that. The reason is the project maintainers can switch the main branch anytime and the link will break.

  1. It does not work completely for.
    When I launch the attack, I do get disconnected from my router as it is being DDoSed.
    I do see a new “unprotected” network with the same name as mine.
    I am able to connect to that network.
    But that is it. I am not able to access any page. Nor the 10.0.0.1

    1. As mentioned above “wifiphisher needs two wireless network interfaces, one capable of injection”. If your setup has these, then the best approach would be to raise a new issue in GitHub.

      1. I checked what is wrong. Instead of using my second adapter (another alfa) it chooses the crappy wifi card of my notebook…
        If I deactivate that one (wlan0) in the setting, I get the “RF-KILL” warning.
        I need to find a way to use only wlan1 and wlan2

        I will try using the command :
        -m 5 -t .00001 -p 1 -jl wlan1 -al wlan2 -a XX:XX:XX:XX:XX

  2. Hi! Good guide!
    I normally use various automated tools on a Raspberry Pi with Kali Linux ARM on it. Most of those tools prefer to use dnsmasq instead of isc-dhcp-server for DHCP services… Normally, I can install both, but in my Raspberry project the amount of MB free is really important. I’m not a good pythonist, do you think it’s hard to change the program?

      1. I have some python knowledge, gained with the guide “Invent your own computer games with python”, but I’m not an expert so I’ve thought to search if someone have always made this changes to wifiphisher! PS Sorry 4 my bad english

        1. No problem! I didn’t make any such changes but if someone reading this article has made he might reply. However, I would suggest trying it out.

  3. do i need an external wifi adapter (external usb wireless card)? or i can share mine when i search for interfaces because it says there is none while i have many.
    thanks

  4. hello
    I have an error after detected access point list. That’s “OSError: [Errno 2] No such file or directory”. How to solve problem? I am using Ubuntu 14.04 server and TP-link (TL-WN8200ND) wireless adapter. What am I wrong? Please give me advice. Thank you so much.

  5. wifiphisher requires 2 network adaptors to work… I have one that’s capable of injections and I’m about to get a 2nd USB adapter cause I’m running kali in VirtualBox but I need to know how to incorporate the 2nd adapter for the purpose of running wifiphisher. Is it as simple as plugging it in and letting kali take over after I set it up in the USB setting of the virtualbox? Or is there a series of commands I need to enter in the terminal before wifiphisher is able to use both in harmony? Sorry for my lack of knowledge… I’m new to this world (don’t beat me up too bad lol)

  6. sir when I tried the apt-get install python command on Kali Linux
    It shows –
    Unable to locate package tcdump
    unable to locate package hostpad

  7. [-] Unable to start HTTP server!
    [-] Another process is running on port 8080.
    [!] Closing

    I use ubuntu 14.1 !!help please

    1. Here’s a way to check which process is using port 8118:

      $ sudo netstat -tulpn | grep :8118
      tcp 0 0 127.0.0.1:8118 0.0.0.0:* LISTEN 2238/privoxy
      $ sudo ls -l /proc/2238/exe
      lrwxrwxrwx 1 root root 0 Jul 14 21:27 /proc/2238/exe -> /usr/sbin/privoxy

      1. Hi, I have this problem too, in Kali And ubuntu 15, I changed the port in “wifiphisher.py” File from 8080 to other ports and it always says that Port (8282, 8585, 50000 …) is used by another process

  8. Whenever I try and run this, it loads the screen but then the screen just starts to flash every 5 seconds or so. Not sure if that is normal or not? but no information seems to be displayed etc…

  9. I have a pc …. And have two wifi adapter …. One of adapter has ap mode bt other doesn’t have…. Do i have to select adapter or it will select adapter by itself….. Tell me to attack with phishing….

  10. Hi there
    I am using netgear D500 and I think it has DOS protection. I am wondering if the router can be hackable by Wifiphisher or not…
    I am thinking of buying TP-Link w722N will you recommend it for Wifiphisher or other hacking works..?

      1. i m using ubuntu
        its says starting fake access point but i only see original access point from other device
        and i m not able to connect to it because of jamming
        is it not creating fake access point ?help..
        i m using 2 wireless card.
