A computer programmer in Greece has made available a stable version of a new tool that uses semi-automated social engineering to attempt to steal passwords on WPA networks. Wifiphisher, available on GitHub, seeks to elicit the password to the target router by disconnecting the victim from the network and then presenting them with a fake router login page which claims that a router firmware upgrade requires the password to be entered.
The disconnection takes place when Wifiphisher sends de-authentication packets to the target router in an ‘Evil Twin’ attack configuration, coordinating a Denial of Service (DoS) flood against the Access Point (AP), or generates RF interference to the same end. In either case the disconnected user’s machine will automatically seek to re-establish the connection with its AP, which by now has been cloned, albeit insecurely, by Wifiphisher, which at this stage is intercepting all network traffic from the target. The password, once entered, is sent to the attacking agent.
The software runs on Kali Linux and is the work of Greek security research scientist George Chatzisofroniou, who explains: “Wifiphisher employs a minimal web server that responds to HTTP & HTTPS requests […] As soon as the victim requests a page from the Internet, Wifiphisher will respond with a realistic fake page that asks for WPA password confirmation due to a router firmware upgrade.”
The new software has similar functionality to previous packages or package configurations, including Wifi Pineapple and the KARMA Wireless Client Security Assessment Tools, but seeks a greater level of automation, a wider range of attacks, and to actually intercept and steal router passwords rather than simply engaging in a Man in the Middle (MitM) attack, in which the actor has access to the victim’s network activity but has not appropriated a password. Stealing the password itself is usually motivated by theft, such as taking WiFi connectivity in the vicinity, or by a desire for online anonymity, with the actor creating a species of unauthorised VPN from a vulnerable router that will then be held accountable for the actor’s network activity.
The tool is not perfect: it relies on the credulity of the target as much as any other phishing technique, since a number of warnings from secondary systems are likely to be triggered when the target is redirected to the cloned login page, chiefly because the ‘duped’ page is not served from a secure and authenticated environment.
The Karma toolset includes similar functionality, but is aimed more towards capturing and (later) decrypting the hardware handshake made by the target router, rather than seeking to inveigle a password from an end-user.
Chatzisofroniou says of his creation: “It’s a social engineering attack that does not use brute forcing in contrast to other methods. It’s an easy way to get WPA passwords.”
Perhaps chief among the obstacles faced by this method is the extraordinary infrequency with which anyone ever types in a router password, likely the least-memorised of any password. A thread on Reddit also notes that the software is effectively only adding a stage to a standard MitM attack by asking for the WPA password.
Wifiphisher is released under an MIT licence.