{"id":901,"date":"2018-10-19T00:35:40","date_gmt":"2018-10-19T00:35:40","guid":{"rendered":"https:\/\/www.appservgrid.com\/paw92\/?p=901"},"modified":"2018-10-22T22:40:54","modified_gmt":"2018-10-22T22:40:54","slug":"hacking-wpa-wpa2-without-dictionary-bruteforce-fluxion","status":"publish","type":"post","link":"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/10\/19\/hacking-wpa-wpa2-without-dictionary-bruteforce-fluxion\/","title":{"rendered":"Hacking WPA\/WPA2 without dictionary\/bruteforce : Fluxion"},"content":{"rendered":"<h2>Fluxion (linset)<\/h2>\n<p>I hadn&#8217;t ventured into Hackforums since a while, and this time when I went there I saw a thread about a script called <a href=\"http:\/\/hackforums.net\/showthread.php?tid=5195575\" target=\"_blank\" rel=\"noopener\">Fluxion<\/a>. It&#8217;s based on another script called <a href=\"https:\/\/github.com\/vk496\/linset\" target=\"_blank\" rel=\"noopener\">linset<\/a> (actually it&#8217;s no much different from linset, think of it as an improvement, with some bug fixes and additional options). I did once think about (and was asked in a comment about) using something like a man in the middle attack\/ evil twin attack to get WPA password instead of going the bruteforce\/dictionary route, but never looked the idea up on the internet nor spent much time pondering over it. However, once I saw the thread about this cool script, I decided to give it a try. So in this post I&#8217;ll show you how I used Fluxion, and how you can too.<br \/>\nDisclaimer : Use this tool only on networks you own .Don&#8217;t do anything illegal.<\/p>\n<p>Contents<\/p>\n<ul>\n<li>Checking if tool is pre-installed, getting it via github if it isn&#8217;t.<\/li>\n<li>Running the script, installing dependencies if required.<\/li>\n<li>Quick overview of how to use Fluxion.<\/li>\n<li>Detailed walk-through and demonstration with text explanation and screenshots<\/li>\n<li>Video demonstration (not identical to the written demo, but almost the same)<\/li>\n<li>Troubleshooting section<\/li>\n<\/ul>\n<h2>Just double checking<\/h2>\n<p><a href=\"https:\/\/4.bp.blogspot.com\/-TBB-MJF83y4\/V77YL0AVVNI\/AAAAAAAABq0\/pPa9--sfoSIJo5jZxs2aSnflQI92ahFNQCLcB\/s1600\/Fluxion%2BGithub.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/4.bp.blogspot.com\/-TBB-MJF83y4\/V77YL0AVVNI\/AAAAAAAABq0\/pPa9--sfoSIJo5jZxs2aSnflQI92ahFNQCLcB\/s400\/Fluxion%2BGithub.png\" width=\"400\" height=\"211\" \/><\/a><\/p>\n<p>The first thing I did was make sure that Kali doesn&#8217;t already have this tool. Maybe if you are reading this post a long time after it was written, then you might have the tool pre-installed in Kali. In any case, try this out:<\/p>\n<blockquote><p>fluxion<\/p><\/blockquote>\n<p>I, personally tried to check if linset or fluxion came pre-installed in Kali (though I didn&#8217;t expect them to be there).<\/p>\n<p>&nbsp;<\/p>\n<h2>Getting the script<\/h2>\n<p>Getting the script is just a matter of cloning the github repository. Just use the git command line tool to do it.<\/p>\n<p>git clone https:\/\/github.com\/deltaxflux\/fluxion<\/p>\n<p>If you have any problems with this step, then you can just naviagate to the<\/p>\n<p><a href=\"https:\/\/github.com\/FluxionNetwork\/fluxion\" target=\"_blank\" rel=\"noopener\">repostitory<\/a><\/p>\n<p>(updated link) and manually download the stuff.<\/p>\n<p>Update : There seems to be some legal trouble with Fluxion. The creator of the script has removed the source code of the tool, and uploaded code that is supposed to delete fluxion from your computer. I don&#8217;t know the specifics of what is going on, but will provide updates ASAP.<\/p>\n<p><a href=\"https:\/\/1.bp.blogspot.com\/-oS7AQJ54-XA\/WLxcOlE6UMI\/AAAAAAAACSM\/SBqUlHYAweAe_CHfQMESlwKo5-o20QWgwCLcB\/s1600\/Screen%2BShot%2B2017-03-06%2Bat%2B12.12.35%2BAM.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-oS7AQJ54-XA\/WLxcOlE6UMI\/AAAAAAAACSM\/SBqUlHYAweAe_CHfQMESlwKo5-o20QWgwCLcB\/s320\/Screen%2BShot%2B2017-03-06%2Bat%2B12.12.35%2BAM.png\" width=\"320\" height=\"200\" \/><\/a><\/p>\n<p>Update 2: Now the repository is gone altogether!<\/p>\n<p>What this means : As of now, this tutorial is useless. If you can find the source code for Fluxion, then you can use it and continue with the tutorial. Otherwise, not much can be done without the tool.<a href=\"https:\/\/2.bp.blogspot.com\/-Ssy3W18DXOc\/WLxu3pTXBmI\/AAAAAAAACSc\/iexXh8nESOEhLLzJuUUJNZGTejIYSTKQgCLcB\/s1600\/Screen%2BShot%2B2017-03-06%2Bat%2B1.31.55%2BAM.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/2.bp.blogspot.com\/-Ssy3W18DXOc\/WLxu3pTXBmI\/AAAAAAAACSc\/iexXh8nESOEhLLzJuUUJNZGTejIYSTKQgCLcB\/s320\/Screen%2BShot%2B2017-03-06%2Bat%2B1.31.55%2BAM.png\" width=\"304\" height=\"320\" \/><\/a><\/p>\n<p>Update 3!You can try this repo &#8211; <a href=\"https:\/\/github.com\/wi-fi-analyzer\/fluxion\">https:\/\/github.com\/wi-fi-analyzer\/fluxion<\/a>. It&#8217;s an old version, might or might not work.<\/p>\n<blockquote><p>git clone https:\/\/github.com\/wi-fi-analyzer\/fluxion<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h3>Update 4<\/h3>\n<p>&lt;!&#8211;Update_begins&#8211;&gt;<\/p>\n<p>Now you can find the latest version of Fluxion<\/p>\n<p><a href=\"https:\/\/github.com\/FluxionNetwork\/fluxion\" target=\"_blank\" rel=\"noopener\">here<\/a><\/p>\n<p>. There shouldn&#8217;t be any further issues at all.-<\/p>\n<blockquote><p>git clone https:\/\/github.com\/FluxionNetwork\/fluxion<\/p><\/blockquote>\n<p><a href=\"https:\/\/1.bp.blogspot.com\/-TsrqhMGQ_6g\/WR3A5xkjuUI\/AAAAAAAACYw\/fMQ-5gaU9TAS_ygZDmxcDrZ-TYUzKwYAwCLcB\/s1600\/Screen%2BShot%2B2017-05-18%2Bat%2B9.11.41%2BPM.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-TsrqhMGQ_6g\/WR3A5xkjuUI\/AAAAAAAACYw\/fMQ-5gaU9TAS_ygZDmxcDrZ-TYUzKwYAwCLcB\/s400\/Screen%2BShot%2B2017-05-18%2Bat%2B9.11.41%2BPM.png\" width=\"400\" height=\"228\" \/><\/a><\/p>\n<p>At the time of updating this post, the latest version was v2 rev 8. Make sure you also have the same or later revision if one has been released. In case any new issues arise with the repository, I&#8217;ll update you guys again! Meanwhile, I have tested the installation part and written the updated instructions for it below the instructions for older version. However, I haven&#8217;t got the opportunity to test the application. If any of the steps in the new version have changed compared to old version, please comment and I&#8217;ll update the tutorial ahead at the earliest possible. Thanks \ud83d\ude42<\/p>\n<p>&lt;!&#8211;Update_ends&#8211;&gt;<\/p>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/1.bp.blogspot.com\/-PjZLzG7rVAU\/V77X-ZHFZGI\/AAAAAAAABqw\/HZxQn0P5qO87buKUgKfkRPxOExTN65wCwCLcB\/s1600\/Fluxion%2Bcheck%2Bdependencies.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-PjZLzG7rVAU\/V77X-ZHFZGI\/AAAAAAAABqw\/HZxQn0P5qO87buKUgKfkRPxOExTN65wCwCLcB\/s320\/Fluxion%2Bcheck%2Bdependencies.png\" width=\"294\" height=\"320\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>There are 4 dependencies that need to be installed<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Running the script<\/h2>\n<p>Just navigate to the fluxion directory or the directory containing the scripts in case you downloaded them manually. If you are following the terminal commands I&#8217;m using, then it&#8217;s just a simple change directory command for you:<\/p>\n<blockquote><p>cd fluxion<\/p><\/blockquote>\n<p>Now, run the script.<\/p>\n<blockquote><p>sudo .\/fluxion<\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<h2>Dependencies (for older version)<\/h2>\n<p>If you have any unmet dependencies, then run the installer script.<\/p>\n<p>&nbsp;<\/p>\n<blockquote><p>sudo .\/Installer.sh<\/p><\/blockquote>\n<p><a href=\"https:\/\/3.bp.blogspot.com\/-B6GDjT01kyw\/V77Ynm9CHEI\/AAAAAAAABq8\/lqfMj5SXF8UMXa7UO6t5E8DHbijdkJbxQCLcB\/s1600\/Fluxion%2Bbugs.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/3.bp.blogspot.com\/-B6GDjT01kyw\/V77Ynm9CHEI\/AAAAAAAABq8\/lqfMj5SXF8UMXa7UO6t5E8DHbijdkJbxQCLcB\/s320\/Fluxion%2Bbugs.png\" width=\"320\" height=\"188\" \/><\/a>I had 4 unmet dependencies, and the installer script run was a buggy experience for me (though it might be becuase I have completely screwed up my system, editing files I wasn&#8217;t supposed to and now I can&#8217;t get them back in order) .It got stuck multiple times during the process, and I had to ctrl+c my way out of it many times (though ctrl+c didn&#8217;t terminate the whole installer, just the little update popup). Also, I ran the installer script twice and that messed up with some of the apt-get settings. I suggest that after installation is complete, you restore your \/etc\/apt\/sources.list to it&#8217;s original state, and remove the bleeding edge repositories (unless you know what you&#8217;re doing). To know what your repository should look like, <a href=\"http:\/\/docs.kali.org\/general-use\/kali-linux-sources-list-repositories\" target=\"_blank\" rel=\"noopener\">take a look here<\/a>.<\/p>\n<p><a href=\"https:\/\/1.bp.blogspot.com\/-9ExXP-gd4xs\/V77Yni9eJGI\/AAAAAAAABrA\/-_flApJhfFcVg9GFNJcTEmqa576WI5xRQCLcB\/s1600\/Fluxion%2BBuggy%2Bapt-get%2B2.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-9ExXP-gd4xs\/V77Yni9eJGI\/AAAAAAAABrA\/-_flApJhfFcVg9GFNJcTEmqa576WI5xRQCLcB\/s320\/Fluxion%2BBuggy%2Bapt-get%2B2.png\" width=\"320\" height=\"156\" \/><\/a><\/p>\n<p>Anyways, one way or the other, your unmet dependencies will be resolved, and then you can use Flexion.<br \/>\nPS: For those trying to use apt-get to install the missing stuff &#8211; some of the dependencies aren&#8217;t available in the default Kali repos, so you&#8217;ll have to let the script do the installation for you, or manually add the repos to \/etc\/apt\/sources.list (look at the script to find out which repos you need to add)<\/p>\n<p><a href=\"https:\/\/3.bp.blogspot.com\/-DN_85_Tqa98\/V77YnuvlNKI\/AAAAAAAABrE\/dFdRBXif7KoDX3epKz9p0wu5PSgvsMAogCLcB\/s1600\/Fluxion%2Bbuggy%2Bapt-get.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/3.bp.blogspot.com\/-DN_85_Tqa98\/V77YnuvlNKI\/AAAAAAAABrE\/dFdRBXif7KoDX3epKz9p0wu5PSgvsMAogCLcB\/s320\/Fluxion%2Bbuggy%2Bapt-get.png\" width=\"264\" height=\"320\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h2>Dependencies (for newer version)<\/h2>\n<p>The only difference lies in the directory structure and name of script. The install.sh script is in the fluxion\/install\/ directory and not fluxion\/ (and is called install.sh instead of Installer.sh) . Basically you just have to change one line. Run the below command on terminal and wait for it to finish executing. Then proceed.<\/p>\n<blockquote><p>sudo .\/install\/install.sh<\/p><\/blockquote>\n<p>Fluxion<\/p>\n<p>Once again, type the following:<\/p>\n<blockquote><p>sudo .\/fluxion<\/p><\/blockquote>\n<p>This time it should run just fine, and you would be asked a few very simple questions.<\/p>\n<ul>\n<li style=\"list-style-type: none\">\n<ul>\n<li>For the wireless adapter, choose whichever one you want to monitor on. For the channels question, choose all, unless you have a specific channel in mind, which you know has the target AP.<\/li>\n<li>Then you will see an airodump-ng window (named Wifi Monitor). Let it run while it looks for APs and clients. Once you think you have what you need, use the close button to stop the monitoring.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/4.bp.blogspot.com\/-U2MMckM2OUM\/V77ZlKDlJhI\/AAAAAAAABrY\/xdnYHWPd5jQdicthT7R45Coq-IHMWrkNgCLcB\/s1600\/Wifi%2Bmonitor%2Bwith%2Bairodump%2Bblurred.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/4.bp.blogspot.com\/-U2MMckM2OUM\/V77ZlKDlJhI\/AAAAAAAABrY\/xdnYHWPd5jQdicthT7R45Coq-IHMWrkNgCLcB\/s320\/Wifi%2Bmonitor%2Bwith%2Bairodump%2Bblurred.png\" width=\"320\" height=\"240\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>Fluxion using airodump-ng<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li>You&#8217;ll then be prompted to select target.<\/li>\n<li>Then you&#8217;ll be prompted to select attack.<\/li>\n<li>Then you&#8217;ll be prompted to provide handshake.<\/li>\n<li>If you don&#8217;t have a handshake captured already, the script will help you capture one. It will send deauth packets to achieve that.<\/li>\n<li>After that, I quit the procedure (I was using the script in my college hostel and didn&#8217;t want to cause any troubles to other students).<\/li>\n<\/ul>\n<p>If you are with me so far, then you can either just close this website, and try to use the tool on your own (it look intuitive enough to me), or you can read through the test run that I&#8217;m going to be doing now.<\/p>\n<h2>Getting my wireless network&#8217;s password by fooling my smartphone into connecting to a fake AP<\/h2>\n<p>So, in this example run, I will try to find out the password of my wireless network by making my smartphone connect to a fake AP, and then type out the password in the smartphone, and then see if my Fluxion instance on my Kali machine (laptop) gets the password. Also, for the handshake, I will de-authenticate the same smartphone.<\/p>\n<p>PS: You can probably follow this guide without having any clue how WPA works, what handshake is, what is actually going on, etc., but I suggest you do read up about these things. Here are a few links to other tutorials on this website itself that would prove useful (the first two are theoretical, yet nice, the third one is a pretty fun attack, which I suggest you try out, now or later):<\/p>\n<p>Anyways, with the recommended reading material covered, you can comfortably move on to the actual hacking now:<\/p>\n<h2>The real stuff begins!<\/h2>\n<p>This section is going to be a set of pictures with captions below them explaining stuff. It should be easy to follow I hope.<\/p>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/4.bp.blogspot.com\/-0cnGAJBfiQ4\/V77Zf9FWAEI\/AAAAAAAABrQ\/6q0e8EtF4IIi3Xq68AJTIa_Z92RX-hqrQCLcB\/s1600\/Fluxion%2Bchoices.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/4.bp.blogspot.com\/-0cnGAJBfiQ4\/V77Zf9FWAEI\/AAAAAAAABrQ\/6q0e8EtF4IIi3Xq68AJTIa_Z92RX-hqrQCLcB\/s320\/Fluxion%2Bchoices.png\" width=\"214\" height=\"320\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>Select language<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/4.bp.blogspot.com\/-anYtvoSWZDU\/V77tys1o7tI\/AAAAAAAABrw\/l84atx87oO4lWBcjptmcvKL5giGKybJTQCLcB\/s1600\/1%2B-%2BChoose%2Bnetwork%2BAdapter.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/4.bp.blogspot.com\/-anYtvoSWZDU\/V77tys1o7tI\/AAAAAAAABrw\/l84atx87oO4lWBcjptmcvKL5giGKybJTQCLcB\/s400\/1%2B-%2BChoose%2Bnetwork%2BAdapter.png\" width=\"400\" height=\"178\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>After selecting language, this step shows up.<br \/>\nNote how I am not using any external wireless card, but my laptop&#8217;s internal card.<br \/>\nHowever, some internal cards may cause problems, so it&#8217;s better to use an<br \/>\nexternal card (and if you are on a virtual machine you will <i>have to<\/i> use an external card).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/3.bp.blogspot.com\/-ScBt-J03k6A\/V77tzb-BHyI\/AAAAAAAABr8\/KRZ8Fy5HAOIV_rNf75dumQqioVPlFI-1QCLcB\/s1600\/2%2B-Airodump-ng%2BCapture.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/3.bp.blogspot.com\/-ScBt-J03k6A\/V77tzb-BHyI\/AAAAAAAABr8\/KRZ8Fy5HAOIV_rNf75dumQqioVPlFI-1QCLcB\/s400\/2%2B-Airodump-ng%2BCapture.png\" width=\"400\" height=\"253\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>The scanning process starts, using airodump-ng.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/2.bp.blogspot.com\/-cxPWLF1BVcU\/V77tzUvVPfI\/AAAAAAAABr0\/bikNatfybCoRkn00I3Dj7cIR6L-dwCiRwCLcB\/s1600\/3%2B-%2BChoose%2Bthe%2Btarget.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/2.bp.blogspot.com\/-cxPWLF1BVcU\/V77tzUvVPfI\/AAAAAAAABr0\/bikNatfybCoRkn00I3Dj7cIR6L-dwCiRwCLcB\/s400\/3%2B-%2BChoose%2Bthe%2Btarget.png\" width=\"400\" height=\"332\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>You get to choose a target. I&#8217;m going after network number 21, the one my smartphone<br \/>\nis connected to.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/2.bp.blogspot.com\/-rbaoEsmIJP0\/V77t0D4F5TI\/AAAAAAAABsA\/4PeqlITZwTg-G-3jyHcP53k4h3h_ARorACLcB\/s1600\/4-Select%2Battack.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/2.bp.blogspot.com\/-rbaoEsmIJP0\/V77t0D4F5TI\/AAAAAAAABsA\/4PeqlITZwTg-G-3jyHcP53k4h3h_ARorACLcB\/s400\/4-Select%2Battack.png\" width=\"400\" height=\"321\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>You choose an attack. I am going to choose the Hostapd (first one) attack.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/3.bp.blogspot.com\/-yJRwuYx_EJw\/V77t0PBnIII\/AAAAAAAABsI\/JDJwFXbJoLgyUbyqUFlAj78mQ3KAjqKrACLcB\/s1600\/5-Handshake%2BStep.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/3.bp.blogspot.com\/-yJRwuYx_EJw\/V77t0PBnIII\/AAAAAAAABsI\/JDJwFXbJoLgyUbyqUFlAj78mQ3KAjqKrACLcB\/s400\/5-Handshake%2BStep.png\" width=\"400\" height=\"293\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>If you had already captured a 4-way handshake, then you can specify the location<br \/>\nto that handshake and the script will use it. Otherwise, it will capture a handshake<br \/>\nin the next step for you. (<a href=\"http:\/\/www.kalitutorials.net\/2014\/06\/hack-wpa-2-psk-capturing-handshake.html\" target=\"_blank\" rel=\"noopener\">A tutorial on capturing the handshake separately<\/a>)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/4.bp.blogspot.com\/-UNTmKjr-J5M\/V77t0GRwZ4I\/AAAAAAAABsE\/Ik6H0o0lBYYjfNUz3vVSXgJA5MCKd0B6gCLcB\/s1600\/6%2B-%2BSelect%2Btool%2Baircrack-ng.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/4.bp.blogspot.com\/-UNTmKjr-J5M\/V77t0GRwZ4I\/AAAAAAAABsE\/Ik6H0o0lBYYjfNUz3vVSXgJA5MCKd0B6gCLcB\/s400\/6%2B-%2BSelect%2Btool%2Baircrack-ng.png\" width=\"400\" height=\"197\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>If you didn&#8217;t capture a handshake beforehand, then you get to choose which<br \/>\ntool to use to do that. I&#8217;m go with aircrack-ng.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/4.bp.blogspot.com\/-g5CutmP6q7U\/V77t0ghUDXI\/AAAAAAAABsM\/T5y5w4RhypARj4zdIx4lTjz0t275Zl8bACLcB\/s1600\/7%2B-%2BHandshake%2Bcaptured%252C%2Bchoose%2Bcheck%2Bhandshake.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/4.bp.blogspot.com\/-g5CutmP6q7U\/V77t0ghUDXI\/AAAAAAAABsM\/T5y5w4RhypARj4zdIx4lTjz0t275Zl8bACLcB\/s640\/7%2B-%2BHandshake%2Bcaptured%252C%2Bchoose%2Bcheck%2Bhandshake.png\" width=\"640\" height=\"177\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>Once you have a handshake captured (see the <b>WPA Handshake: [MAC Address]<\/b> on top, if it&#8217;s<br \/>\nthere, then you have the handhake), then type 1 and enter to check the handshake. If everything&#8217;s fine,<br \/>\nyou&#8217;ll go to the next step.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/4.bp.blogspot.com\/-_oOpcDEA81Y\/V77t07BVFAI\/AAAAAAAABsQ\/COCyT1Z-WKgxr5IPSHXESmAM11uQmbfzwCLcB\/s1600\/8%2B-%2BAfter%2Bhandshake%252C%2Bchoose%2Battack.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/4.bp.blogspot.com\/-_oOpcDEA81Y\/V77t07BVFAI\/AAAAAAAABsQ\/COCyT1Z-WKgxr5IPSHXESmAM11uQmbfzwCLcB\/s400\/8%2B-%2BAfter%2Bhandshake%252C%2Bchoose%2Battack.png\" width=\"400\" height=\"211\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>Use the Web Interface method. I didn&#8217;t try the bruteforce thing, but I guess it&#8217;s just<br \/>\nthe usual bruteforce attack that most tools use (and thus no use to us, since that&#8217;s<br \/>\nnot what we are using this script for).<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/2.bp.blogspot.com\/-eq9GhwPh-5I\/V77t097UnoI\/AAAAAAAABsU\/-JbYAIK3e_kIkEz-yV324QnSbRYm3wXWgCLcB\/s1600\/9%2B-%2BI%2Bchose%2Bfirst%2Boption.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/2.bp.blogspot.com\/-eq9GhwPh-5I\/V77t097UnoI\/AAAAAAAABsU\/-JbYAIK3e_kIkEz-yV324QnSbRYm3wXWgCLcB\/s400\/9%2B-%2BI%2Bchose%2Bfirst%2Boption.png\" width=\"367\" height=\"400\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>This offers a variety of login pages that you can use to get (phish) the<br \/>\nWPA network&#8217;s password. I went with the first choice.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/3.bp.blogspot.com\/-xqEZq1uGKQA\/V77tygq4n-I\/AAAAAAAABrs\/ualtJkIKDvsICIYdy4YFughhBnhf1HUvgCLcB\/s1600\/10%2B-%2BFake%2BAP%2Bcreated%2B%253A%2BMultiple%2Bprocesses%2Bat%2Bwork.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/3.bp.blogspot.com\/-xqEZq1uGKQA\/V77tygq4n-I\/AAAAAAAABrs\/ualtJkIKDvsICIYdy4YFughhBnhf1HUvgCLcB\/s640\/10%2B-%2BFake%2BAP%2Bcreated%2B%253A%2BMultiple%2Bprocesses%2Bat%2Bwork.png\" width=\"640\" height=\"356\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>After making your decision, you&#8217;ll see multiple windows. DHCP and DNS requests are being handled in<br \/>\nleft two windows, while the right two are status reporting window and deauth window (to get users<br \/>\noff the actual AP and lure them to our fake AP)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/4.bp.blogspot.com\/-B0sL_E2nsDI\/V77tyv6Wc-I\/AAAAAAAABro\/nGHMNMdWygs8J5wZJXzmfcSlen20Yj-4wCLcB\/s1600\/11%2B-%2BClient%2Bconnected%2Bto%2Bfake%2BAP.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/4.bp.blogspot.com\/-B0sL_E2nsDI\/V77tyv6Wc-I\/AAAAAAAABro\/nGHMNMdWygs8J5wZJXzmfcSlen20Yj-4wCLcB\/s400\/11%2B-%2BClient%2Bconnected%2Bto%2Bfake%2BAP.png\" width=\"400\" height=\"223\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>In my smartphone, I see two network of the same name. Note that while the original network is WPA-2<br \/>\nprotected, the fake AP we have created is an open network (which is a huge giveaway stopping most people<br \/>\nfrom making the mistake of connecting to it). Anyways, I connected to the fake AP, and the DNS and DHCP windows<br \/>\n(left ones), reacted accordingly.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/1.bp.blogspot.com\/-voQjwf9sJpM\/V77xyMYRoRI\/AAAAAAAABsk\/iqwJEGsPuxEezL6nZ-_bm_GCb2_B14GIwCLcB\/s1600\/Smartphone%2Bstep.jpeg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/1.bp.blogspot.com\/-voQjwf9sJpM\/V77xyMYRoRI\/AAAAAAAABsk\/iqwJEGsPuxEezL6nZ-_bm_GCb2_B14GIwCLcB\/s320\/Smartphone%2Bstep.jpeg\" width=\"180\" height=\"320\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>After connecting to the network, I got a notification saying that I need to login to the wireless network.<br \/>\nOn clicking that, I found this page. For some people, you&#8217;ll have to open your browser and try to open a website (say facebook.com) to get this page to show up. After I entered the password, and pressed submit, the script ran the<br \/>\npassword against the handshake we had captured earlier to verify if it is indeed correct. Note how the<br \/>\nhandshake is a luxury, not a necessity in this method. It just ensures that we can verify if the password<br \/>\nsubmitted by the fake AP client is correct or not. If we don&#8217;t have the handshake, then we lose this ability,<br \/>\nbut assuming the client will type the correct password, we can still make the attack work.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<table>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/3.bp.blogspot.com\/-Rac_1uOCf_M\/V77tzRGRNtI\/AAAAAAAABr4\/5TwYH7xCtMcqcRHUtQZ4v6f2TAWPT6GjQCLcB\/s1600\/12%2B-%2BDone.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/3.bp.blogspot.com\/-Rac_1uOCf_M\/V77tzRGRNtI\/AAAAAAAABr4\/5TwYH7xCtMcqcRHUtQZ4v6f2TAWPT6GjQCLcB\/s400\/12%2B-%2BDone.png\" width=\"400\" height=\"223\" \/><\/a><\/td>\n<\/tr>\n<tr>\n<td>Aircrack-ng tried the password again the handshake, and as expected, it worked.<br \/>\nWe successfully obtained the password to a WPA-2 protected network in a matter of minutes.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Video Demonstration<\/h2>\n<p>PS: The creator of the video has forked the Fluxion repository, and in the video he cloned from it instead. You may choose to fork from either of those. The original repository being more updated, and forked one being more stable (but less frequently updated). As of the time of creation of the video, both the repositories were the same, so it doesn&#8217;t make a different which one you clone,<\/p>\n<p><a href=\"https:\/\/github.com\/deltaxflux\/fluxion\/compare\/master...patidarayush11:master\" target=\"_blank\" rel=\"noopener\">but this may not always be the case<\/a><\/p>\n<p>. In case of any issues, you can probably try cloning both and see which one works for you.<\/p>\n<h2>Troubleshooting<\/h2>\n<p>Since fluxion and Kali both are constantly evolving (you might be using a different rolling release of Kali, as well as a different version of Fluxion. There are times when the tool break, and there&#8217;s an interval of time for which it stays broken. Look at the<\/p>\n<p><a href=\"https:\/\/github.com\/deltaxflux\/fluxion\/issues\" target=\"_blank\" rel=\"noopener\">issues page<\/a><\/p>\n<p>, and you will most probably find a fix for your problem. Note that the issue may as well be in closed issues (it would most probably be in closed issue).<\/p>\n<p>For those who are able to follow the guide to the second last step, but don&#8217;t get any Login page on their device,<\/p>\n<p><a href=\"https:\/\/github.com\/deltaxflux\/fluxion\/issues\/119\" target=\"_blank\" rel=\"noopener\">this issue suggests a solution<\/a><\/p>\n<p>. [Dated : 17th September 2016, if you&#8217;re reading this much later then this might not be relevant, and some other issue would be]<\/p>\n<p>Update : There are some important things mentioned in the README.file on the github repository. See if that helps.<\/p>\n<p><a href=\"https:\/\/github.com\/deltaxflux\/fluxion\/blob\/master\/README.md\">https:\/\/github.com\/deltaxflux\/fluxion\/blob\/master\/README.md<\/a><\/p>\n<p>As of 1st November, 2016 (again, might not be relevant if you read this much later), the README suggested this for the no fake login page problem (which seems quite common)-<\/p>\n<blockquote><p><u>FakeSites don&#8217;t work<\/u><br \/>\nThere might be a problem with lighttpd. The experimental version is tested on lighttpd 1.439-1. There are some problems with newer versions of lighttpd. If you problems use the stable version. Check the fix out.<\/p><\/blockquote>\n<p>Again, as I said, it all breaks down to one of two things-<\/p>\n<ol>\n<li>You are doing some step wrong (easy to fix, follow the tutorial again).<\/li>\n<li>There is a dependency issue somewhere (some tool has it&#8217;s wrong version installed). This can be a pain to fix, and there&#8217;s no guidance I can provide for it really. You&#8217;ll have to filter through all the issues on the github page of the tool. Hopefully, as the tool grows popular, it&#8217;ll get more full time developers, and then get integrated in the Kali repository, till then, these problems will continue.<\/li>\n<\/ol>\n<h2>What now?<\/h2>\n<p>I illustrated one possible scenario. This script can work with other devices (laptops for example) too as the fooled clients (not just smartphones). One possible short-coming to this attack is that most smartphones\/laptops these days don&#8217;t automatically connect to open networks (unless they have before), and hence the user has to do it manually. If your fake AP has more signal strength than the real one, then a person who doesn&#8217;t know about WPA and open networks could very easily end up connecting to your network instead. So, overall this attack has a fair chance of succeeding.<\/p>\n<p>Have any problems\/comments\/suggestions, leave them in the comments below.<\/p>\n<p><a href=\"https:\/\/www.kalitutorials.net\/2016\/08\/hacking-wpawpa-2-without.html\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Fluxion (linset) I hadn&#8217;t ventured into Hackforums since a while, and this time when I went there I saw a thread about a script called Fluxion. It&#8217;s based on another script called linset (actually it&#8217;s no much different from linset, think of it as an improvement, with some bug fixes and additional options). I did &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.appservgrid.com\/paw92\/index.php\/2018\/10\/19\/hacking-wpa-wpa2-without-dictionary-bruteforce-fluxion\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Hacking WPA\/WPA2 without dictionary\/bruteforce : Fluxion&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-901","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/901","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/comments?post=901"}],"version-history":[{"count":1,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/901\/revisions"}],"predecessor-version":[{"id":1185,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/posts\/901\/revisions\/1185"}],"wp:attachment":[{"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/media?parent=901"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/categories?post=901"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appservgrid.com\/paw92\/index.php\/wp-json\/wp\/v2\/tags?post=901"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}