A new Wi-Fi attack tool has been made available on GitHub that automates phishing attacks over WPA networks, putting credentials and other supposedly secret data at risk.
The tool, called wifiphisher, jams Wi-Fi access points with deauthentication packets and then mimics the target access point before presenting the wireless device with a phony WPA log-in page.
Researcher George Chatzisofroniou of Greece made the tool public yesterday.
“It is a social engineering attack that, unlike other methods, does not include any brute forcing,” Chatzisofroniou wrote in the ReadMe accompanying wifiphisher. “It is an easy way for obtaining WPA credentials.”
Wifiphisher runs on Kali Linux and requires two wireless network interfaces, one capable of injections, Chatzisofroniou said.
The deauth packets, Chatzisofroniou said, are sent from the access point to the client, from the client to the access point, and to the broadcast address. The jamming tool then copies settings from access points in the area and presents the victim with a phony access point. Chatzisofroniou said wifiphisher also sets up a NAT and DHCP server in order to forward the right ports to the clients.
“Consequently, because of the jamming, clients will start connecting to the rogue access point,” Chatzisofroniou said. An attacker, or pen-tester, would then conduct a man-in-the-middle attack using the rogue access point in order to sniff traffic.
Users, however, are unlikely to be connected to a rogue access point automatically. Some Windows systems, if configured to do so, will warn users of a network change. At that point, a user will have to ignore the warnings and manually connect to the network.
“Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests,” Chatzisofroniou said. “As soon as the victim requests a page from the Internet, wifiphisher will respond with a realistic fake page that asks for WPA password confirmation due to a router firmware upgrade.”
Using deauthentication packets is a staple of Wi-Fi hacking and pen-testing. Most tools, however, repeatedly send packets to a client and never allow it to get past the authentication process.
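The jamming step described above, a burst of deauthentication frames addressed to the client, the access point and the broadcast address, is what a wireless IDS would look for. The following is an added example, not part of the article or the wifiphisher project: a rate-based detector that parses raw 802.11 management headers from a monitor-mode capture and flags any BSSID that appears to deauthenticate its clients faster than a normal network would. Because a rogue sender spoofs the legitimate BSSID, the detector keys on frame rate and broadcast targeting rather than on the sender address; the MAC addresses, window and threshold below are constructed sample values.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_SUBTYPE = 12   # 802.11 management frame (type 0), subtype 12 = deauthentication

def parse_80211_header(frame: bytes):
    """Return (type, subtype, addr1, addr2, addr3) from a raw 802.11 MAC header, or None."""
    if len(frame) < 24:            # frame control(2) + duration(2) + 3 addrs(18) + seq(2)
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3       # bits 2-3: frame type
    subtype = (fc0 >> 4) & 0xF     # bits 4-7: frame subtype
    mac = lambda off: ":".join(f"{b:02x}" for b in frame[off:off + 6])
    return ftype, subtype, mac(4), mac(10), mac(16)

def detect_deauth_flood(frames, window_s=2.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes) in capture order.
    Returns {bssid: {"peak": n, "broadcast": bool, "first_seen": ts}} for every BSSID that
    sent more than `threshold` deauth frames inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)    # bssid -> timestamps of recent deauth frames
    summary = {}
    for ts, raw in frames:
        hdr = parse_80211_header(raw)
        if hdr is None:
            continue
        ftype, subtype, addr1, _addr2, bssid = hdr   # addr3 is the BSSID in management frames
        if ftype != 0 or subtype != DEAUTH_SUBTYPE:
            continue               # beacons, probes, data frames etc. are ignored
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold:
            s = summary.setdefault(bssid, {"peak": 0, "broadcast": False, "first_seen": ts})
            s["peak"] = max(s["peak"], len(q))
            s["broadcast"] = s["broadcast"] or addr1 == BROADCAST
    return summary

# --- constructed sample capture (test data only, addresses are made up) ---
def build_mgmt_frame(subtype, addr1, addr2, bssid, body=b""):
    """Build a minimal 802.11 management frame header + body for the sample capture."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return bytes([(subtype << 4) & 0xF0, 0x00]) + b"\x00\x00" + mac(addr1) + mac(addr2) + mac(bssid) + b"\x00\x00" + body

AP_BSSID, CLIENT = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
REASON = (7).to_bytes(2, "little")   # reason code 7: class 3 frame from non-associated station
SAMPLE_CAPTURE = [(0.0, build_mgmt_frame(12, CLIENT, AP_BSSID, AP_BSSID, REASON))]            # one normal deauth
SAMPLE_CAPTURE += [(10.0 + i, build_mgmt_frame(8, BROADCAST, AP_BSSID, AP_BSSID)) for i in range(3)]  # beacons
SAMPLE_CAPTURE += [(20.0 + i * 0.1, build_mgmt_frame(12, BROADCAST if i % 2 else CLIENT, AP_BSSID, AP_BSSID, REASON))
                   for i in range(12)]   # 12 spoofed deauths in 1.1 s, alternating client/broadcast targets
```

Running `detect_deauth_flood(SAMPLE_CAPTURE)` reports the AP's BSSID with a peak of 12 deauth frames in the window and `broadcast` set, while the lone deauth and the beacons trigger nothing.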