Not all hardware is vulnerable, but all systems have one thing in common: they are operated by users. Social engineering targets the users, since they are often the most vulnerable part of any system.
We learned about a man-in-the-middle social engineering attack called Fluxion. Fluxion is a remake of an attack called Linset. The attack is based on capturing the four-way handshake and then creating a fake access point as bait for the target. It works by de-authenticating users from their current access point and then luring them to our fake access point, which is given the same name as the original access point. We cloned Fluxion to our laptop from GitHub; it has a user-friendly UI inside the terminal.
Using Fluxion is mostly just choosing the right numbers, so there is no need to write any complicated commands at any point.
First it asks you to choose a language.
After that it needs to know which network interface it should use. Choose wlan1, which in our setup is the adapter capable of packet injection and sniffing.
After this, it scans the nearby networks if you choose to scan all.
After you find your own network, stop the scan with Ctrl + C and choose your network by its ID.
After this we choose the recommended attack, called FakeAP – Hostapd. It might ask for the handshake location, but you can just press ENTER to skip it.
Next, keep choosing the recommended options; here that is Pyrit.
Next, we de-authenticate everyone from the chosen access point by choosing deauth all, the first option.
Then it’s time to capture the handshake. A few pop-up windows will appear, and once you notice the handshake, press check handshake.
Then we’ll create an SSL certificate.
After choosing the earlier option, we’ll create a web interface.
The next step is interesting. Fluxion has a vast number of login screens to show its victims, assuming that someone would fall for this scam. The different login screens include well-known mobile phone companies and router manufacturers. We noticed that there was an option that matched our router, so we chose that.
After you choose the wanted interface, many windows will again pop up on your screen.
So earlier we acquired the handshake from the de-authenticated user trying to reconnect, but we are still de-authenticating. A new access point has now appeared to choose from, named exactly the same as the original, but it is an open Wi-Fi. If our target chooses this very familiar-looking network, the target will receive a web login screen of our choosing. Here the target is supposed to re-enter the password for the original network, thus handing it over to us.
After someone actually types their router password into the web pop-up, it’ll look like this on your screen:
Ta-dah! Now we have the password for the original access point. After they enter the password into the fake web interface, the fake access point will disappear.
Even though it looked good on paper, we don’t really believe this would fly. The login screens we offer to targets are clumsy at best, even though there is a vast number of languages and companies to pick from. The scam shouldn’t work unless the target’s knowledge of security measures is below that of the average user.
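Whether or not the bait works, the attack leaves two loud signals on the air: the sustained deauth burst and an open network reusing a protected SSID. The following is an added example, not part of this write-up or of Fluxion, that flags both in constructed scan and frame-log data; the SSIDs, MAC addresses and allow-list are hypothetical.

```python
from collections import defaultdict, deque

# Constructed scan results (hypothetical SSIDs and MACs) as (ssid, bssid, security):
# the legitimate WPA2 AP, an open clone of its SSID, and an unrelated neighbour.
SAMPLE_SCAN = [
    ("HomeNet", "aa:bb:cc:dd:ee:01", "WPA2"),
    ("HomeNet", "02:11:22:33:44:55", "OPEN"),
    ("Neighbour", "aa:bb:cc:dd:ee:99", "WPA2"),
]
# Hypothetical allow-list: BSSIDs known to be legitimate for each managed SSID.
KNOWN_APS = {"HomeNet": {"aa:bb:cc:dd:ee:01"}}

def find_evil_twins(scan, known_aps):
    """Flag beacons impersonating a managed SSID: an unknown BSSID, or an open
    network that shares its name with an encrypted one (the bait described above)."""
    by_ssid = defaultdict(list)
    for ssid, bssid, security in scan:
        by_ssid[ssid].append((bssid, security))
    findings = []
    for ssid, aps in by_ssid.items():
        encrypted_present = any(sec != "OPEN" for _, sec in aps)
        for bssid, security in aps:
            reasons = []
            if ssid in known_aps and bssid.lower() not in known_aps[ssid]:
                reasons.append("unknown BSSID for a managed SSID")
            if security == "OPEN" and encrypted_present:
                reasons.append("open twin of an encrypted SSID")
            if reasons:
                findings.append((ssid, bssid, reasons))
    return findings

# Constructed frame log as (timestamp s, subtype, transmitter); the burst carries the real AP's address.
SAMPLE_FRAMES = [(i / 20, "deauth", "aa:bb:cc:dd:ee:01") for i in range(30)] + [
    (1.0, "beacon", "aa:bb:cc:dd:ee:01"), (2.0, "deauth", "aa:bb:cc:dd:ee:99")]

def deauth_flood_sources(frames, window=1.0, threshold=20):
    """Return addresses sending more than `threshold` deauth frames within any
    `window`-second span: one stray deauth is normal, a sustained burst is not."""
    recent, flagged = defaultdict(deque), set()
    for ts, subtype, addr in sorted(frames):
        if subtype != "deauth":
            continue
        q = recent[addr]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(addr)
    return flagged
```

On the constructed data the scan check reports the open clone for both reasons, and the frame check names the address the burst was sent under, which is the impersonated AP itself.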