Fluxion 4使用指导
Fluxion 4 Usage Guide
Statement: this article is not original; to keep others from reposting it at will, I deliberately tagged it as original.
Most of the Fluxion tutorials circulating in China are for old versions, and I never found one for version 4, so I specially brought this article over from abroad for anyone who needs it as a reference. I had planned to write one myself, but since the core of this tool is social engineering and I never once succeeded with it in practice, I couldn't be bothered to write one. If you need a translation, or run into any problems while trying it, feel free to pester me at any time.
What is Fluxion for?
Fluxion is a security auditing and social-engineering research tool. It is a remake of linset by vk496 with (hopefully) fewer bugs and more functionality. The script attempts to retrieve the WPA/WPA2 key from a target access point by means of a social engineering (phishing) attack. It is compatible with the latest release of Kali (rolling). Fluxion's attack setup is mostly manual, but an experimental auto-mode handles some of the attacks' setup parameters.
The advantage of this approach is that it does not require a long brute-force run on powerful hardware. The downside is that social engineering attacks do not work every time.
How it works
- Scan for a target wireless network.
- Launch the Handshake Snooper attack.
- Capture a handshake (necessary for password verification).
- Launch the Captive Portal attack.
- Spawns a rogue (fake) AP, imitating the original access point.
- Spawns a DNS server, redirecting all requests to the attacker's host running the captive portal.
- Spawns a web server, serving the captive portal which prompts users for their WPA/WPA2 key.
- Spawns a jammer, deauthenticating all clients from original AP and luring them to the rogue AP.
- All authentication attempts at the captive portal are checked against the handshake file captured earlier.
- The attack will automatically terminate once a correct key has been submitted. The key will be logged and clients will be allowed to reconnect to the target access point.
How to install Fluxion in Kali Linux
To install Fluxion in Kali Linux run the commands:
git clone https://github.com/FluxionNetwork/fluxion
cd fluxion/
sudo ./fluxion.sh
Note that we did not manually install the dependencies of Fluxion, because the first time you run the program, it will check the missing dependencies and install them.
When downloading the program files, you can specify the --recursive flag and then the program will be downloaded, as well as additional skins for Captive Portals (those web pages that victims see on their devices during the attack):
git clone https://github.com/FluxionNetwork/fluxion --recursive
About installation in Ubuntu and its derived distributions, see the article ‘How to install Fluxion in Linux Mint or Ubuntu’.
New Fluxion 4 manual
The program has an automatic mode, but it is rather experimental. The program has an interactive text menu.
Stop Network Manager and processes that can interfere:
sudo systemctl stop NetworkManager
sudo airmon-ng check kill
Typical launch of the program, go to its folder:
cd fluxion/
The program is updated very often, so to download the latest version, run the command:
git pull
And we start:
sudo ./fluxion.sh
Select language:
We need to grab a handshake. It will not be used for brute-force (there will be no brute-force at all). But it is necessary to check whether the user entered the correct password. Therefore, we select item two:
[2] Handshake Snooper Acquires WPA/WPA2 encryption hashes.
Select a wireless interface for target searching:
Select the channel where you want to search for targets:
Five seconds after the target AP appears, close the FLUXION Scanner (ctrl+c).
When you see the desired target, close the new window; the list of access points will be displayed in the main program window:
When entering the number of the access point we will attack, DO NOT enter leading zeros.
Select an interface for target tracking.
Select a method of handshake retrieval
[1] Monitor (passive)
[2] aireplay-ng deauthentication (aggressive)
[3] mdk3 deauthentication (aggressive)
A passive method of attack forces the radio to go completely silent, making the attack subtle (undetectable), and allowing for better listening. This method should work best for situations where the target is far away. The downside is the fact the radio must keep listening until someone connects to the target access point, which could take a very long time.
An aggressive method of attack uses a deauthenticator, either aireplay-ng or mdk3, and sends deauthentication packets to the target access point's clients. This method is considered aggressive because it is essentially jamming the connection between the target access point and its clients, effectively cutting the connection between the two. Once the connection has been broken, some devices will automatically attempt to reconnect, sending a 4-way handshake which fluxion's radio could catch. This method could be considered illegal. Make sure to follow governing laws applying to you. We're not liable for your irresponsibility.
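The aggressive methods described above (and the jammer in the attack overview) work by flooding the air with deauthentication frames, and that flood is exactly what a defender can look for: a single deauthentication is normal housekeeping, but dozens per second against one BSSID is the signature of a jamming tool. The following is an added example, not part of Fluxion or of the original article. It parses the standard 802.11 management-frame header from raw monitor-mode bytes and raises an alert when the number of deauth/disassoc frames for one BSSID inside a sliding window exceeds a threshold. The two hex frames, the BSSID 00:11:22:33:44:55 and the timeline are constructed sample input.

```python
"""Deauthentication-flood detector over raw 802.11 management frames.

Added example, not part of Fluxion. The hex frames below are constructed
sample input (radiotap header already stripped); the parser reads the standard
802.11 MAC header and the reason code that follows it in deauth/disassoc frames.
"""
from collections import defaultdict, deque

# 802.11 management subtypes used here (frame type 0 = management)
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12

# Constructed sample frames; BSSID 00:11:22:33:44:55 is a placeholder.
BEACON_HEX = (
    "8000"          # frame control: type 0 (mgmt), subtype 8 (beacon)
    "0000"          # duration
    "ffffffffffff"  # addr1: broadcast
    "001122334455"  # addr2: transmitter (the AP)
    "001122334455"  # addr3: BSSID
    "1000"          # sequence control
)
DEAUTH_HEX = (
    "c000"          # frame control: type 0 (mgmt), subtype 12 (deauth)
    "3a01"          # duration
    "ffffffffffff"  # addr1: broadcast, i.e. addressed to every client at once
    "001122334455"  # addr2: source, claiming to be the AP
    "001122334455"  # addr3: BSSID
    "0000"          # sequence control
    "0700"          # reason code 7, little-endian (class 3 frame from non-associated STA)
)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> dict:
    """Parse the fixed 24-byte 802.11 MAC header plus the deauth/disassoc reason code."""
    if len(raw) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0 = raw[0]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": _mac(raw[4:10]),
        "addr2": _mac(raw[10:16]),
        "addr3": _mac(raw[16:22]),
        "reason": None,
    }
    if frame["type"] == 0 and frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        if len(raw) < 26:
            raise ValueError("deauth/disassoc frame missing reason code")
        frame["reason"] = int.from_bytes(raw[24:26], "little")
    return frame


def detect_deauth_flood(captured, window_s=1.0, threshold=10):
    """captured: iterable of (timestamp_seconds, raw_frame_bytes).

    Returns {bssid: peak_count} for every BSSID that saw at least `threshold`
    deauth/disassoc frames inside any sliding window of `window_s` seconds.
    """
    recent = defaultdict(deque)  # bssid -> timestamps of recent deauth frames
    peaks = {}
    for ts, raw in sorted(captured, key=lambda item: item[0]):
        frame = parse_frame(raw)
        if frame["type"] != 0 or frame["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        q = recent[frame["addr3"]]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            peaks[frame["addr3"]] = max(peaks.get(frame["addr3"], 0), len(q))
    return peaks


if __name__ == "__main__":
    beacon, deauth = bytes.fromhex(BEACON_HEX), bytes.fromhex(DEAUTH_HEX)
    # Constructed timeline: one beacon, then 15 deauth frames within 0.75 s
    capture = [(0.0, beacon)] + [(0.1 + i * 0.05, deauth) for i in range(15)]
    print(detect_deauth_flood(capture))  # {'00:11:22:33:44:55': 15}
```

In practice the input would come from a monitor-mode capture (for example a pcap read with a library such as scapy), and the threshold should be tuned per environment; a wireless IDS that keys on the same signal usually also records the reason code, since jamming tools tend to reuse one fixed value.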
Select a method of verification for the hash. Here we select the program that will determine whether enough frames have already been captured to verify the password:
How often should the verifier check for a handshake?
How should verification occur?
[1] Asynchronously (fast systems only).
[2] Synchronously (recommended).
This sets how verification occurs in relation to capturing data, either simultaneously (asynchronously), or back-to-back (synchronously).
The asynchronous option will run the verifier while the computer is still capturing data. This could cause an issue on slow systems, because pyrit … stripLive might be interrupted by the captor overwriting data too early. The probability of encountering that problem increases over time, since more data needs to be examined by pyrit … stripLive. I suggest avoiding this if possible, or limiting its use to places where the handshake will be caught relatively quickly.
The synchronous option will halt data capturing before attempting to check for a handshake, to prevent the issues described before. The downside of this method is the fact it'll stop listening while checking for handshakes, meaning it could miss a handshake while checking for one.
Three additional windows will appear periodically. If a handshake is captured, i.e. the attack succeeded, then one of the windows will have such an entry, and the other windows will be closed and the attack stopped:
Now go to the Captive Portal attack.
Many of the wireless adapters used in penetration testing support the addition of a virtual wireless interface. This interface can be in monitor mode or in AP mode. Thanks to this, when creating a fake access point and simultaneously jamming the real access point, you can use one single Wi-Fi card. And Fluxion knows how to do it.
But since the fourth version, Fluxion has one more function: following (pursuing) the attacked access point. The problem is that some access points, when a deauthentication attack is conducted against them, change the channel on which they operate. As a result, they become immune to our attack; you have to stop Fluxion, re-select the target and launch the attack again. The essence of the new function is that Fluxion regularly checks which channel the access point is operating on, and if the channel changes, Fluxion automatically restarts the attack on the correct channel.
So, if you want to use the pursuit function, then you need a second wireless card, which supports monitor mode. If you do not have one, you can skip using this function.
We launch the other attack:
[1] Captive Portal Creates an "evil twin" access point.
Fluxion is targeting the access point above. Agree:
Select an interface for target tracking. This is the new function I spoke about just above. If you have two wireless interfaces, select the one you want to use with this feature. If you have only one interface, then select ‘Skip’:
Now choose the interface for jamming (choose a different one than the one chosen for the pursuit, otherwise there will be problems):
Select an interface for the access point. If you do not have a separate wireless card to create an access point, then select the same interface that is selected for jamming (this is normal, and if the wireless card supports adding a virtual interface, everything will work fine):
Select the program that will create the access point. The authors recommend avoiding airbase-ng if you use the same Wi-Fi card both for creating an access point and for deauthentication (jamming):
If you have already captured a handshake, a message will appear that it has been found. You can use it or specify a path to another:
Again select a method of verification for the hash:
Next, we select the source of the SSL certificate for the captive portal. Options:
[1] Create an SSL certificate
[2] Detect SSL certificate (search again)
[3] None (disable SSL)
When prompted, select an SSL certificate source for the captive portal, or select to disable SSL.
SSL is a method of encryption used to establish a secure connection between two points. In this case, the two points are the captive portal’s web server, and the target client.
If you've got a personal certificate, you must save it at fluxion/attacks/Captive Portal/certificate/server.pem and the attack will automatically detect it and auto-select it.
If you don't have a personal certificate, you may select to automatically generate one. The downside is that the certificate, having been created by a random individual, will not be trusted by any device, which will likely trigger warnings for clients attempting a secure connection to the captive portal.
If you would rather not bother with SSL, you can choose to disable it. Once disabled, the captive portal’s web server will only accept unencrypted connections, which exposes the information clients send to fluxion. This can be particularly unsafe if someone’s spying on network traffic. This might also trigger warnings for some clients, since the browser will need to send forms over an unencrypted connection.
In my opinion, in today's realities it is better to use SSL, since the majority of web sites use HTTPS, and it is more likely that a user will agree to use an unsafe connection than that you will get the chance of him trying to open a site over HTTP.
Select an internet connectivity type for the rogue network.
When prompted, select whether the captive portal web server should attempt to emulate an internet connection.
This option only affects iOS clients, and some Android clients.
This could be useful for people that don’t want to make the captive portal obvious. The clients will connect, but will be fooled into believing internet access is available. This will cause all iOS clients, and some Android clients to not show the captive portal immediately upon connecting to the rogue network, however, the captive portal will still show up once the clients try accessing any web site.
Warning: This could cause clients to hang while trying to load sites, including iOS clients. The issue occurs when this option is selected, and SSL is disabled. The cause is clients attempting to access an SSL capable site, such as google.com, but hanging while waiting for a connection from the captive portal’s web server. The hanging is caused by the clients believing there’s internet access, but no responses received for SSL enabled sites.
Select a captive portal interface for the rogue network. By default, a Generic Portal is available, suitable for all cases, in different languages:
Now the attack starts, and many windows will open.
Clients will be disconnected, and they will not be able to connect to the true network for the entire duration of the attack. But another network will be visible to them, without a password, which can be joined with one tap:
If the client does this, then when he tries to open any site, he will be redirected to the Captive Portal:
All the data entered is transmitted to Fluxion, which checks in real time whether the password is correct. If the password is not correct, then such a window is displayed, and the attack continues:
If the password is correct, then it is shown to the attacker, and the attack ceases immediately. After that, the client (victim) device will automatically reconnect to the original access point and regain its normal Internet connection.
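The rogue network described above has two properties a defender can key on from an ordinary wireless scan: it carries an SSID the organisation owns but is advertised by a BSSID that is not in the inventory, and it is open where the real network is WPA2. The pursuit feature discussed earlier adds a third hint, a known BSSID suddenly appearing on another channel. The following is an added example, not part of Fluxion or of the original article: it checks constructed airodump-ng-style scan records (BSSID, channel, encryption, ESSID) against a constructed inventory of legitimate BSSIDs per SSID. All MAC addresses and network names are placeholders.

```python
"""Evil-twin / rogue-AP spotting from a wireless scan.

Added example, not part of Fluxion. SCAN is constructed sample output in the
shape of an airodump-ng table; INVENTORY is the defender's own list of
legitimate BSSIDs per SSID. All addresses and names are placeholders.
"""

# Legitimate access points the defender operates (constructed inventory)
INVENTORY = {
    "CorpWiFi": {"00:11:22:33:44:55"},
}

# Constructed scan records: (bssid, channel, encryption, essid), in scan order
SCAN = [
    ("00:11:22:33:44:55", 6, "WPA2", "CorpWiFi"),   # the real AP
    ("de:ad:be:ef:00:01", 6, "OPN", "CorpWiFi"),    # same name, open, unknown BSSID
    ("00:11:22:33:44:55", 11, "WPA2", "CorpWiFi"),  # real AP seen later on another channel
    ("aa:bb:cc:dd:ee:ff", 1, "WPA2", "GuestNet"),   # network the defender does not own
]


def find_rogue_aps(scan, inventory):
    """Return a list of findings, each (bssid, essid, reason).

    Flags three conditions for SSIDs present in the inventory:
      - an unknown BSSID advertising an owned SSID (evil twin),
      - that unknown BSSID running open (the passwordless twin a captive-portal
        attack needs, a downgrade from the real network's WPA2),
      - a known BSSID moving between channels across scan records, which the
        pursuit feature treats as the AP reacting to deauthentication.
    """
    findings = []
    channels_seen = {}  # known bssid -> last channel it was seen on
    for bssid, channel, enc, essid in scan:
        if essid not in inventory:
            continue  # not our network; nothing to compare against
        if bssid not in inventory[essid]:
            findings.append((bssid, essid, "unknown BSSID advertising an owned SSID"))
            if enc == "OPN":
                findings.append((bssid, essid, "owned SSID advertised as an open network"))
            continue
        prev = channels_seen.get(bssid)
        if prev is not None and prev != channel:
            findings.append((bssid, essid, f"known BSSID changed channel {prev} -> {channel}"))
        channels_seen[bssid] = channel
    return findings


if __name__ == "__main__":
    for bssid, essid, reason in find_rogue_aps(SCAN, INVENTORY):
        print(f"{essid:10s} {bssid}  {reason}")
```

Running the scan above yields three findings: the open twin on de:ad:be:ef:00:01 (twice, once for the unknown BSSID and once for the missing encryption) and the legitimate AP's move from channel 6 to 11. In a real deployment the scan records would come from a sensor that is already in monitor mode, and the inventory from the controller's list of managed radios.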
Additional skins for Captive Portals
There are variants of the Portals simulating different models of routers in different languages; they are in this repository: https://github.com/FluxionNetwork/sites
When you are in the Fluxion folder, you can install them all with the command:
git clone https://github.com/FluxionNetwork/sites "./attacks/Captive Portal/sites/"
OR with this command:
git submodule update --init --recursive
OR initially download Fluxion with the --recursive flag:
git clone https://github.com/FluxionNetwork/fluxion --recursive
It is not necessary to download them all, you can download some manually, after that place them in the fluxion/attacks/Captive Portal/sites/ folder.