How to Steal Wifi Passwords Using Social Engineering

-
It is possible to obtain a Wifi password without the need for a powerful processor or a lengthy brute-force attack. Do you know how thieves steal cars and jewelry? They can also steal your password in a comparable manner: this is what will be described in this post.

Meet social engineering, a fancy designation for "phishing". This type of attack is commonly used for stealing sensitive data, such as credit card details or account credentials. The popularity and spread of this method come down to one single characteristic: ease of use. Perpetrators don't need any background knowledge in coding, cyber security, or computer science, and the technique doesn't require advanced hardware.

Today's attack is the art of fooling the user into thinking you're the legitimate manufacturer of his router: you then pretend that a firmware update is required and prompt the user for his password. You thus gain access to the Wifi network effortlessly, without using any brute-forcing tool whatsoever. The demonstration below is based on a Wifi pentesting tool called Wifiphisher.

Requirements

  • Raspberry Pi 3 or later running Kali Linux (tutorial here)
  • Two standard network cards and one supporting monitor mode and packet injection
  • Your own Wifi network to perform the test (see legal disclaimer in the side menu of the website)
  • Laptop with a decent internet connection to control the Pi via VNC (tutorial here)

Installing Wifiphisher

Wifiphisher is an open-source tool available on Github but we can also install it directly from the Kali repository:
root@kali:~# apt-get install wifiphisher

Next, we need to install the file setup.py located in the wifiphisher/ directory:
root@kali:~# cd wifiphisher/python setup.py install

Initiating the attack

First, we need to put our network interface into monitor mode with the airmon-ng command. Then, we'll start wifiphisher with a specific flag (--force-hostapd) to avoid a bug in the Hostapd section of the script:
root@kali:~# wifiphisher -aI wlan1 -eI wlan0mon --force-hostapd

 The -aI flag sets the interface used to create the fake AP, and -eI sets the one used for the deauth attack (more on this later).


The script will start running, automatically selecting the network interface and listing all nearby wifi networks with basic info like their respective power, channel, and encryption. We then select the target and press enter to launch the attack.

Several "scenarios" are available, so we'll choose the first one (Firmware Upgrade Page):




Unfolding the attack

The first step in the automated process is deauthenticating all users from the target network, while creating in parallel a fake AP with the same SSID as the target, but without any encryption. The logic behind this is that the user, frustrated by the lack of Internet access, will head to his Wifi settings and see the new AP that we created. As he notices the absence of any password, he will connect to it and be greeted with a phishing page. Meanwhile, Wifiphisher will have already detected the model of the router (using its BSSID) to adapt the phishing page and make it look as realistic as possible. 
Unfortunately, I couldn't capture more images because my Pi overheated and shut down.

The page will inform the user that a firmware update is needed and that he needs to enter the WPA passphrase in order to proceed. To ensure that the user gives us the right passphrase and not some random garbage, Wifiphisher will capture during the deauth process a WPA handshake. If the given key doesn't match the handshake, it will result in an error and won't let the user continue. Once the right key is entered, a fake progress bar will appear and will slowly fill up in five minutes. And that's it, just like this, we see the target's passphrase appear in the Wifiphisher window on our screen. At that point, the fake AP will be shut down and the deauth attack will stop. All things should return to their normal state.

Wrapping up

This is a great opportunity to emphasize how careless users can be. Such tools would have never existed if they weren't successful, which proves that too many people are unaware of the security risks they are exposed to. Social engineering is by far the most effective attack method, with a success rate surpassing 90 percent.

Comments

Post a Comment

Share your thoughts! Leave a comment here

Popular posts from this blog

Pixie-Dust Wifi Attack: Theory & Practice

-
Image
In the series of wifi hacking, I have already covered WPA handshake capture and social engineering . In this post I present to you yet another attack using a novel approach for gaining access to a network: it is based on the WPS protocol and is known as the Pixie-Dust attack. You will find a step-by-step guide after a short explanation of the theory behind the security flaw hereby discussed.
Read more

Getting started in scripting

-
Image
Perhaps the most important skill a hacker should master is programming. This is what makes the true difference between "hackers" and "script kiddies". The latter lacks the knowledge to write his own script: he rather uses programs made by others to attack his target. In contrast, a worthy hacker builds his own program tailored to his needs in order to exploit a specific vulnerability. Does that mean that a hacker never uses material written by others? Of course not. As most of the exploits (i.e. scripts that exploit a flaw) written by/for the Linux community are open-source, hackers often reverse-engineer these programs to understand how they work and potentially modify them to suit their own needs. What's more, when building his own script, a hacker very often integrates some tool from a fellow hacker. This is precisely how malware evolves on a daily basis: a programmer uses his know-how to combine multiple exploits in an effective way. Writing your firs
Read more

How to capture a WPA handshake

-
Image
There are different methods for getting unauthorized access to a Wifi network. I will try to cover several ones, but in this post I will focus on capturing a WPA handshake for a subsequent dictionary or brute-force attack. Requirements Before getting started make sure you have the following: Raspberry Pi 3 running Kali Linux ( tutorial here ) Monitor-mode and Packet-injection capable wifi adapter PC Decent internet connection We'll be using the wifi adapter with the Raspberry Pi, controlling them with a PC via VNC ( tutorial here ). What is a WPA handshake? In simple words, a WPA handshake is used to authenticate a user with an AP (Access Point). To illustrate things, think of it as a literal handshake: if the client presents his hand but the AP doesn't, the handshake can't happen and authentication thus fails. Because the engineering behind a WPA handshake is not the main purpose of this guide, let's dive into our work. Discovering the target AP Th
Read more