
Fluxion 4使用指导

tnt阿信
Published 2020-08-05 10:19:28

Fluxion 4 Usage Guide

Note: this article is not my original work; I tagged it as original only to stop others from reposting it at will.

Most of the Fluxion tutorials circulating in China cover old versions, and I never found one for version 4, so I brought this article over from abroad for anyone who needs a reference. I had planned to write one myself, but since the core of this tool is social engineering, I never once succeeded with it in practice, so I couldn't be bothered to write one. If you need a translation, or run into problems while trying it out, feel free to pester me any time.

What is Fluxion for?

Fluxion is a security auditing and social-engineering research tool. It is a remake of linset by vk496 with (hopefully) fewer bugs and more functionality. The script attempts to retrieve the WPA/WPA2 key from a target access point by means of a social engineering (phishing) attack. It's compatible with the latest release of Kali (rolling). Fluxion's attack setup is mostly manual, but an experimental auto-mode handles some of the attacks' setup parameters.

The advantage of this approach is that it does not require a long brute-force run on powerful hardware. The downside is that social engineering attacks do not work every time.

How it works

  • Scan for a target wireless network.
  • Launch the Handshake Snooper attack.
  • Capture a handshake (necessary for password verification).
  • Launch the Captive Portal attack.
  • Spawns a rogue (fake) AP, imitating the original access point.
  • Spawns a DNS server, redirecting all requests to the attacker's host running the captive portal.
  • Spawns a web server, serving the captive portal which prompts users for their WPA/WPA2 key.
  • Spawns a jammer, deauthenticating all clients from the original AP and luring them to the rogue AP.
  • All authentication attempts at the captive portal are checked against the handshake file captured earlier.
  • The attack will automatically terminate once a correct key has been submitted. The key will be logged and clients will be allowed to reconnect to the target access point.

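
The two side effects of this procedure that a network owner can actually observe are the burst of deauthentication frames carrying the real AP's address and a second, open network advertising the legitimate SSID from a different BSSID. The following detection logic is an added example written for this guide (it is not Fluxion's code) and runs over a constructed log of management frames with hypothetical BSSIDs:

```python
from collections import defaultdict

# Constructed inventory of legitimate access points: SSID -> authorised BSSIDs (hypothetical values).
KNOWN_APS = {"OfficeWiFi": {"aa:bb:cc:dd:ee:01"}}

# Constructed capture of 802.11 management frames as a monitoring sensor might log them.
# A beacon records the SSID and whether an RSN (WPA2) element is present; a deauth records the
# BSSID it claims to come from. The jammer spoofs the real AP's address, while the rogue AP
# advertises the same SSID from another address with encryption switched off.
FRAMES = [
    {"t": 0.0, "type": "beacon", "bssid": "aa:bb:cc:dd:ee:01", "ssid": "OfficeWiFi", "rsn": True},
    {"t": 1.0, "type": "beacon", "bssid": "02:11:22:33:44:55", "ssid": "OfficeWiFi", "rsn": False},
] + [{"t": 1.0 + i * 0.1, "type": "deauth", "bssid": "aa:bb:cc:dd:ee:01"} for i in range(40)]


def find_evil_twins(frames, known=KNOWN_APS):
    """Return (ssid, bssid, kind) for beacons that advertise a known SSID from an unauthorised BSSID."""
    alerts = set()
    for f in frames:
        if f["type"] != "beacon" or f["ssid"] not in known:
            continue
        if f["bssid"] not in known[f["ssid"]]:
            # An impostor that also drops encryption matches the captive-portal pattern exactly.
            alerts.add((f["ssid"], f["bssid"], "twin" if f["rsn"] else "open-twin"))
    return sorted(alerts)


def find_deauth_floods(frames, window=10.0, threshold=20):
    """Return {bssid: peak_count} for BSSIDs with more than `threshold` deauths in any `window` seconds."""
    by_bssid = defaultdict(list)
    for f in frames:
        if f["type"] == "deauth":
            by_bssid[f["bssid"]].append(f["t"])
    flagged = {}
    for bssid, times in by_bssid.items():
        times.sort()
        start = 0
        # Sliding window: a real AP seldom deauthenticates clients in bursts, so the peak
        # count within `window` seconds separates a jammer from an occasional legitimate deauth.
        for end, t_end in enumerate(times):
            while t_end - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[bssid] = max(flagged.get(bssid, 0), count)
    return flagged
```
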
How to install Fluxion in Kali Linux

To install Fluxion in Kali Linux run the commands:

git clone https://github.com/FluxionNetwork/fluxion
cd fluxion/
sudo ./fluxion.sh

Note that we did not manually install the dependencies of Fluxion, because the first time you run the program, it will check the missing dependencies and install them.

When downloading the program files, you can specify the --recursive flag and then the program will be downloaded, as well as additional skins for Captive Portals (those web pages that victims see on their devices during the attack):

git clone https://github.com/FluxionNetwork/fluxion --recursive

About installation in Ubuntu and its derived distributions, see the article ‘How to install Fluxion in Linux Mint or Ubuntu’.

New Fluxion 4 manual

The program has an automatic mode, but it is rather experimental; the normal way to use it is the interactive text menu.

Stop Network Manager and processes that can interfere:

sudo systemctl stop NetworkManager
sudo airmon-ng check kill

For a typical launch, change to the program's folder:

cd fluxion/

The program is updated very often, so to download the latest version, run the command:

git pull

And we start:

sudo ./fluxion.sh

Select language:

We need to grab a handshake. It will not be used for brute-force (there will be no brute-force at all), but it is necessary to check whether the user entered the correct password. Therefore, we select item two:

[2] Handshake Snooper Acquires WPA/WPA2 encryption hashes.

Select a wireless interface for target searching:

Select the channel where you want to search for targets:

Five seconds after the target AP appears, close the FLUXION Scanner (ctrl+c).

When you see the desired target, close the new window; the list of access points will be displayed in the main program window:

When entering the number of the access point we will attack, DO NOT enter leading zeros.

Select an interface for target tracking.

Select a method of handshake retrieval

    [1] Monitor (passive)
    [2] aireplay-ng deauthentication (aggressive)
    [3] mdk3 deauthentication (aggressive)

A passive method of attack forces the radio to go completely silent, making the attack subtle (undetectable) and allowing for better listening. This method should work best for situations where the target is far away. The downside is that the radio must keep listening until someone connects to the target access point, which could take a very long time.

An aggressive method of attack uses a deauthenticator, either aireplay-ng or mdk3, and sends deauthentication packets to the target access point's clients. This method is considered aggressive because it is essentially jamming the connection between the target access point and its clients, effectively cutting the connection between the two. Once the connection has been broken, some devices will automatically attempt to reconnect, sending a 4-way handshake which fluxion's radio could catch. This method could be considered illegal. Make sure to follow governing laws applying to you. We're not liable for your irresponsibility.

Select a method of verification for the hash. Here we select the program that will be used to determine whether enough frames have already been captured to verify the password:

How often should the verifier check for a handshake?

How should verification occur?

    [1] Asynchronously (fast systems only).
    [2] Synchronously (recommended).

This sets how verification occurs in relation to capturing data, either simultaneously (asynchronously) or back-to-back (synchronously).

The asynchronous option will run the verifier while the computer is still capturing data. This could cause an issue on slow systems, because pyrit … stripLive might be interrupted by the captor overwriting data too early. The probability of encountering that problem increases over time, since more data needs to be examined by pyrit … stripLive. I suggest avoiding this if possible, or limiting its use to places where the handshake will be caught relatively quickly.

The synchronous option will halt data capturing before attempting to check for a handshake, to prevent the issues described before. The downside of this method is the fact it'll stop listening while checking for handshakes, meaning it could miss a handshake while checking for one.

Three additional windows will appear periodically. If a handshake is captured, i.e. the attack succeeded, then one of the windows will show such an entry, the other windows will be closed and the attack stopped:

Now go to the Captive Portal attack.

Many of the wireless adapters used in penetration testing support adding a virtual wireless interface. This interface can be in monitor mode or in AP mode. Thanks to this, you can use one single Wi-Fi card to create a fake access point and simultaneously jam the real access point, and Fluxion knows how to do it.

But since the fourth version, Fluxion has added one more function: following the attacked access point. The problem is that some access points, when a deauthentication attack is conducted against them, change the channel on which they operate. As a result, they become immune to our attack; you have to stop Fluxion, re-select the target and launch the attack again. The essence of the new function is that Fluxion regularly checks which channel the access point is operating on, and if it changes channel, Fluxion automatically restarts the attack on the correct channel.

So, if you want to use the pursuit function, then you need a second wireless card, which supports monitor mode. If you do not have one, you can skip using this function.

Now we launch the other attack:

[1] Captive Portal Creates an "evil twin" access point.

Fluxion is targeting the access point above. Agree:

Select an interface for target tracking. This is the new function I spoke about just above. If you have two wireless interfaces, select the one you want to use with this feature. If you have only one interface, select ‘Skip’:

Now choose the interface for jamming (choose a different one from the one chosen for the pursuit, otherwise there will be problems):

Select an interface for the access point. If you do not have a separate wireless card to create an access point, then select the same interface that is selected for jamming (this is normal, and if the wireless card supports adding a virtual interface, everything will work fine):

Select the program that will create the access point. The authors recommend avoiding airbase-ng if you use the same Wi-Fi card both for creating the access point and for deauthentication (jamming):

If you have already captured a handshake, a message will appear saying that it has been found. You can use it or specify a path to another:

Again select a method of verification for the hash:

Next, we select the source of the SSL certificate for the captive portal. Options:

[1] Create an SSL certificate
[2] Detect SSL certificate (search again)
[3] None (disable SSL)

When prompted, select an SSL certificate source for the captive portal, or select to disable SSL.

SSL is a method of encryption used to establish a secure connection between two points. In this case, the two points are the captive portal’s web server, and the target client.

If you've got a personal certificate, you must save it at fluxion/attacks/Captive Portal/certificate/server.pem and the attack will automatically detect it and auto-select it.

If you don't have a personal certificate, you may select to automatically generate one. The downside is that the certificate, having been created by a random individual, will not be trusted by any device, which will likely trigger warnings for clients attempting a secure connection to the captive portal.

If you would rather not bother with SSL, you can choose to disable it. Once disabled, the captive portal’s web server will only accept unencrypted connections, which exposes the information clients send to fluxion. This can be particularly unsafe if someone’s spying on network traffic. This might also trigger warnings for some clients, since the browser will need to send forms over an unencrypted connection.

In my opinion, in today's reality it is better to use SSL, since the majority of web sites use HTTPS, and it is more likely that the user will click through to the insecure connection than that you will get the chance of them opening a site over plain HTTP.

Select an internet connectivity type for the rogue network.

When prompted, select whether the captive portal web server should attempt to emulate an internet connection.

This option only affects iOS clients, and some Android clients.

This could be useful for people that don’t want to make the captive portal obvious. The clients will connect, but will be fooled into believing internet access is available. This will cause all iOS clients, and some Android clients to not show the captive portal immediately upon connecting to the rogue network, however, the captive portal will still show up once the clients try accessing any web site.

Warning: This could cause clients to hang while trying to load sites, including iOS clients. The issue occurs when this option is selected, and SSL is disabled. The cause is clients attempting to access an SSL capable site, such as google.com, but hanging while waiting for a connection from the captive portal’s web server. The hanging is caused by the clients believing there’s internet access, but no responses received for SSL enabled sites.

Select a captive portal interface for the rogue network. By default, a Generic Portal is available, suitable for all cases, in different languages:

Now the attack starts, and many windows will open.

Clients will be disconnected, and they will not be able to connect to the real network for the entire duration of the attack. But another network will be available to them, one without a password, which they can join with one tap:

If the client does this, then when he tries to open any site he will be redirected to the Captive Portal:

All the data entered is transmitted to Fluxion, which checks in real time whether the password is correct or not. If the password is not correct, then such a window is displayed and the attack continues:

If the password is correct, then it is shown to the attacker and the attack ceases immediately. After that, the client (victim) device will automatically connect to the original access point and he will get his normal Internet connection back.

Additional skins for Captive Portals

There are variants of the Portals simulating different models of routers in different languages; they are in this repository: https://github.com/FluxionNetwork/sites

When you are in the Fluxion folder, you can install them all with the command:

git clone https://github.com/FluxionNetwork/sites ./attacks/Captive\ Portal/sites/

OR with this command:

git submodule update --init --recursive

OR initially download Fluxion with the --recursive flag:

git clone https://github.com/FluxionNetwork/fluxion --recursive

It is not necessary to download them all; you can download some manually and then place them in the fluxion/attacks/Captive Portal/sites/ folder.

Originally published 2018-07-16; shared from the WeChat public account 一个安全研究员 via the Tencent Cloud self-media sharing programme.