Fluxion To Hacking WPA/WPA2 Without Dictionary / bruteforce

Hacking WPA/WPA2 Without Dictionary Using Fluxion

Getting the script

Getting the script is just a matter of cloning the github repository. Just use the git command line tool to do it.

git clone https://github.com/deltaxflux/fluxion

If you have any problems with this step, then you can just naviagate to the repostitory and manually download the stuff.

There are 4 dependencies that need to be installed

Running the script

Just navigate to the fluxion directory or the directory containing the scripts in case you downloaded them manually. If you are following the terminal commands I’m using, then it’s just a simple change directory command for you:

cd fluxion

Now, run the script.

sudo ./fluxion

Dependencies

If you have any unmet dependencies, then run the installer script.

sudo ./Installer.sh

PS: For those trying to use apt-get to install the missing stuff – some of the dependencies aren’t available in the default Kali repos, so you’ll have to let the script do the installation for you, or manually add the repos to /etc/apt/sources.list (look at the script to find out which repos you need to add)

Fluxion

Once again, type the following:

sudo ./fluxion

For the wireless adapter, choose whichever one you want to monitor on. For the channels question, choose all, unless you have a specific channel in mind, which you know has the target AP.

Then you will see an airodump-ng window (named Wifi Monitor). Let it run while it looks for APs and clients. Once you think you have what you need, use the close button to stop the monitoring.

You’ll then be prompted to select target.

Then you’ll be prompted to select attack.

Then you’ll be prompted to provide handshake.

If you don’t have a handshake captured already, the script will help you capture one. It will send deauth packets to achieve that. Handshake is required further to verify the password.

Getting my wireless network’s password by fooling my smartphone into connecting to a fake AP

So, in this example run, I will try to find out the password of my wireless network by making my smartphone connect to a fake AP, and then type out the password in the smartphone, and then see if my Fluxion instance on my Kali machine (laptop) gets the password. Also, for the handshake, I will de-authenticate the same smartphone.

The real stuff begins!

This section is going to be a set of pictures with captions below them explaining stuff. It should be easy to follow I hope.

After selecting language, this step shows up. Note how I am not using any
external wireless card, but my laptop’s internal card. However, some internal cards may
cause problems, so it’s better to use an external card (and if you are on a virtual machine
you will have to use an external card).

The scanning process starts, using airodump-ng.

You get to choose a target. I’m going after network number 21, the one my smartphone
is connected to.

You choose an attack. I am going to choose the Hostapd (first one) attack.

If you had already captured a 4-way handshake, then you can specify the location
to that handshake and the script will use it. Otherwise, it will capture a handshake
in the next step for you.

If you didn’t capture a handshake beforehand, then you get to choose which
tool to use to do that. I’m go with aircrack-ng.

Once you have a handshake captured (see the WPA Handshake: [MAC Address] on top, if it’s
there, then you have the handhake), then type 1 and enter to check the handshake. If everything’s fine,

you’ll go to the next step.

Use the Web Interface method. I didn’t try the bruteforce thing, but I guess it’s just
the usual bruteforce attack that most tools use (and thus no use to us, since that’s
not what we are using this script for).

This offers a variety of login pages that you can use to get (phish) the
WPA network’s password. I went with the first choice.

After making your decision, you’ll see multiple windows. DHCP and DNS requests are being handled in

left two windows, while the right two are status reporting window and deauth window (to get users
off the actual AP and lure them to our fake AP)

In my smartphone, I see two network of the same name. Note that while the original network is WPA-2 protected, the fake AP we have created is an open network (which is a huge giveaway stopping most people from making the mistake of connecting to it). Anyways, I connected to the fake AP, and the DNS and DHCP windows (left ones), reacted accordingly.

After connecting to the network, I got a notification saying that I need to login to the wireless network.

On clicking that, I found this page. For some people, you’ll have to open your browser and try to open a website (say facebook.com) to get this page to show up. After I entered the password, and pressed submit, the script ran the password against the handshake we had captured earlier to verify if it is indeed correct. Note how the handshake is a luxury, not a necessity in this method. It just ensures that we can verify if the password submitted by the fake AP client is correct or not. If we don’t have the handshake, then we lose this ability, but assuming the client will type the correct password, we can still make the attack work.

Aircrack-ng tried the password again the handshake, and as expected, it worked.
We successfully obtained the password to a WPA-2 protected network in a matter of minutes.

Troubleshooting

Since fluxion and Kali both are constantly evolving (you might be using a different rolling release of Kali, as well as a different version of Fluxion. There are times when the tool break, and there’s an interval of time for which it stays broken. Look at the issues page, and you will most probably find a fix for your problem. Note that the issue may as well be in closed issues (it would most probably be in closed issue).

For those who are able to follow the guide to the second last step, but don’t get any Login page on their device, this issue suggests a solution.