Objective

Use Fluxion to create an evil twin access point to steal WiFi login credentials, demonstrating the need for user education.

Distributions

Kali Linux is preferred, but this can be done with any Linux distribution.

Requirements

A working Linux install with root privileges and two wireless network adapters.

Difficulty

Easy

Conventions

  • # - requires given command to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - given command to be executed as a regular non-privileged user

Introduction

Users are always the least secure part of a network. Anyone who has any experience as an admin will tell you that most users know absolutely nothing about security. That's why they're by far the easiest way for an attacker to gain access to your network.

Fluxion is a social engineering tool designed to trick users into connecting to an evil twin network and giving away your wireless network's password. The purpose of this guide is to illustrate the importance of having measures in place to counteract user error and of educating your users about the very real security risks that they face.

Using Fluxion and tools like it on a network that you don't own is illegal. This is for educational purposes only.

Clone Fluxion From Git

Fluxion doesn't come pre-installed on any distro, and you won't find it in repositories just yet. Since it's really just a series of scripts, you can clone it from GitHub and use it right away.

cd into the directory where you want to install Fluxion. Then, use Git to clone the repository.

$ git clone https://github.com/FluxionNetwork/fluxion.git

Beware of fake Fluxion repositories. They are more common than you think.

Fluxion Initial Startup

Once the clone finishes, cd into the fluxion folder. Inside, you'll find an install script. Run it.

# ./fluxion.sh

Fluxion will check for all of the tools that it needs to carry out the attack and install them. On Kali, most of them will already be installed, so it will move faster.

After it finishes, you can run Fluxion with the regular script.

# ./fluxion.sh

It will start up with a nice logo and will ask you for your language. Then, it'll ask which interface it should use. Make sure that the wireless adapter that you choose supports packet injection. This is important for the attack to work.

Scanning For The Target

The next screen will ask you what channel your target network is on. If you know, you can select it. If not, just tell Fluxion to look on all channels.

A new window will pop up running aircrack-ng to scan all of the networks in your area. When you see your network appear on the list, you can press Ctrl+C in the window to stop it.

Fluxion will grab the information from the scan and display it in the main window. Select your network from the list.

Launch The Fake Access Point

Now that Fluxion has a target, it will display the information that it was able to gather about your network and ask you what you want to do. The first option is to launch a fake access point. The second one lets you capture a handshake. You need that first.

Fluxion will ask you how you want it to capture the handshake. Choose to capture one passively. It will take longer, but in a real-world scenario, an attacker wouldn't want to raise suspicion. The only way to ensure that they're undetected is to not do anything to interfere. Select pyrit for verification.

It will spawn a new airodump-ng window. If you see a handshake appear in the top line of the airodump-ng window, you'll have what you need, and you can stop it.

The Web Interface

Fluxion will then ask you to create or use an existing SSL certificate. This adds an additional layer of authenticity to your fake access point.

Next, Fluxion will ask you if you want to use that handshake to set up the AP or use it for a brute-force attack. Start the web interface.

On the following screen, there will be a list of possible web pages to set up. There are generic ones for multiple languages and several specific to router models. If there is one that matches your router, that's probably the best and most believable. Otherwise, just choose the generic one for your language. For future use, there is a directory in your fluxion folder where you can place a custom web interface, if you want to make one.

By selecting the page you want to load, you'll be starting the attack. Fluxion will simultaneously jam the real access point with deauthentication requests and launch a seemingly identical one.

People connected to the network will see that they were disconnected. They will then see two networks with the same name. One will be available. The other won't. Most users will try the available one, which is actually your evil twin.

After they connect, they'll see the page that you set, asking them for their login information. Once they enter it, Fluxion will capture the information and immediately shut down the malicious AP, returning everything to normal.

With the user-provided credentials, you can now freely access the network.
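From the defender's side, both halves of this behavior are observable: the deauthentication flood against the real access point and the appearance of a second access point using the same name. The following is an added example, not part of Fluxion or the original guide, showing detection logic over constructed sensor records; the record layout, the allowlist of known BSSIDs, and the thresholds (20 deauth frames within 5 seconds) are assumptions chosen for illustration.

```python
from collections import defaultdict

# All values below are constructed sample data, not real captures.
KNOWN_APS = {"CorpWiFi": {"aa:bb:cc:00:00:01"}}  # assumed allowlist: SSID -> own BSSIDs
BEACONS = [  # (time_s, ssid, bssid, encryption) as seen by a monitoring sensor
    (0, "CorpWiFi", "aa:bb:cc:00:00:01", "WPA2"),
    (0, "CoffeeShop", "de:ad:be:ef:00:10", "OPEN"),
    (62, "CorpWiFi", "aa:bb:cc:00:00:99", "OPEN"),
]
DEAUTHS = [(60 + i * 0.1, "aa:bb:cc:00:00:01") for i in range(40)]  # (time_s, bssid)

def deauth_bursts(deauths, window=5.0, threshold=20):
    """Map BSSID -> start time of the first window holding >= threshold deauths."""
    by_bssid = defaultdict(list)
    for t, bssid in deauths:
        by_bssid[bssid].append(t)
    bursts = {}
    for bssid, times in by_bssid.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts[bssid] = times[start]
                break
    return bursts

def find_evil_twins(beacons, deauths, known_aps):
    """Flag beacons that reuse a protected SSID from a BSSID we do not own."""
    bursts = deauth_bursts(deauths)
    alerts = []
    for _, ssid, bssid, enc in beacons:
        legit = known_aps.get(ssid)
        if legit is None or bssid in legit:
            continue  # not our SSID, or one of our own radios
        flooded = sorted(b for b in legit if b in bursts)
        alerts.append({
            "ssid": ssid, "rogue_bssid": bssid, "encryption": enc,
            "deauth_flood_on": flooded,
            # a same-name AP plus a deauth flood against ours matches the
            # pattern the guide describes; without the flood it is weaker
            "severity": "high" if flooded else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_evil_twins(BEACONS, DEAUTHS, KNOWN_APS):
        print(alert)
```

In practice the beacon and deauth records would come from a wireless intrusion detection sensor, and the thresholds would need tuning against normal roaming traffic.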

Closing Thoughts

Educate your users. Even if you only run your own home network, let your friends and family know what to look out for. After all, it's much more common for people to make mistakes than for computers to, and attackers know that.