Fluxion is a remake of linset by vk496 with enhanced functionality.

aircrack attack captive-portal capture evil-twin fakeap fluxion handshake kali linset social-engineering

Go to file

Matias Barcenas 5f589b4eef Rewrote fluxion for better extensibility. Most spaghetti code has be removed or replaced with better alternatives. Refactored most functionality into directory-based, load-on-demand, addon attack scripts. Changed the naming scheme of variables throughout for consistency (try to stick to one, guys). Changed color names (variable identifiers) for better consistency. Changed language file names to follow the scheme "Language.lang" Changed function naming scheme to better reflect their behavior, more under [ FLUXION V3 ] Added more comments in code, attempting to decrease the obfuscation of functionality. Minimized the usage of globals throughout the script, trying to leave absolute essentials, for safety. Multiple improvements in general to the visuals, the algorithms, and to methods used. [ FLUXION V3 ] * Custom attacks may now be developed and installed independently. * Custom portals may now be installed independently. * Globally changed functions' naming scheme to use snake-case, systematically prefixed with: * > set_: function will set/configure something. * > unset_: function will undo what set_ did. * > run_: function will execute a blocking command. * > halt_: function will abort a running command (possibly via signals [SIGABRT]) * > start_: function will start executing something in the background. * > stop_: function will stop background execution of something, undoing start_. [ Custom Attacks ] * Custom attacks must be bundled in a directory, with the name representing the attack. * Custom attacks must include a load-script "attack.sh" within the attack directory bundle. * Custom attacks' attack.sh script must implement the following boot functions: * > unprep_attack: fluxion will load attack.sh and call unprep_attack to reset attack parameters. * > prep_attack: fluxion will load attack.sh and call prep_attack to set attack parameters. * > start_attack: fluxion will load attack.sh and call start_attack to start a stopped/unstarted attack. * > stop_attack: fluxion will load attack.sh and call stop_attack to stop a started attack. * Custom attacks may signal fluxion to stop an attack when done, by sending it a SIGABRT signal. [ Custom Portals ] * Portal-containing directories must now follow the naming scheme "Some Brand_Language.portal" * Portal directories, after properly being named, must be stored at "attacks/Captive Portal/sites" Function return values are significant in the script, where anything other than 0 means go back.		2017-08-08 14:14:32 -05:00
.github	Remove useless banner.	2017-07-26 22:19:27 +03:00
attacks	Refactored fake AP attack as Captive Portal attack script.	2017-08-08 13:48:00 -05:00
docs	- Add telekom site	2017-05-01 19:21:23 +02:00
install	Introduce end-of-line normalization	2017-07-23 09:18:46 -04:00
language	Rewrote fluxion for better extensibility.	2017-08-08 14:14:32 -05:00
lib	Refactored functionality to independent library scripts.	2017-08-08 12:40:32 -05:00
locale	Introduce end-of-line normalization	2017-07-23 09:18:46 -04:00
logos	Fix encoding and permission issues	2017-06-28 15:51:34 +02:00
scripts	Introduce end-of-line normalization	2017-07-23 09:18:46 -04:00
sites@ff349e7e61	Remove dependencies, since wps slaughter isn't used anymore	2017-07-18 13:06:21 +02:00
.editorconfig	Create .editorconfig	2017-07-25 08:55:19 +02:00
.gitattributes	Introduce end-of-line normalization	2017-07-23 09:27:32 -04:00
.gitignore	Update .gitignore	2017-07-28 22:53:41 +02:00
.gitmodules	Remove dependencies, since wps slaughter isn't used anymore	2017-07-18 13:06:21 +02:00
README.md	Update README.md	2017-07-21 23:55:26 +02:00
fluxion.sh	Rewrote fluxion for better extensibility.	2017-08-08 14:14:32 -05:00
siteinstaller.py	update permissions for siteinstaller.py	2017-08-06 14:45:17 +03:00

README.md

Fluxion is the future of MITM WPA attacks

Fluxion is a remake of linset by vk496 with (hopefully) less bugs and more functionality. It's compatible with the latest release of Kali (rolling). The attack is mostly manual, but experimental versions will automatically handle most functionality from the stable releases.

Share your own router page with a simple script

cd scripts
sudo sh router.sh

🔱 FAQ

"Clients are not automatically connected to the fake access point"

This is a social engineering attack and it's pointless to drag clients in automatically. The script relies on the fact that a user should be present in order to enter the wireless credentials.

"There's no Internet connectivity in the fake access point"

There shouldn't be one. All of the traffic is being sinkholed to the built in captive portal via a fake DNS responder in order to capture the credentials.

"Fake sites don't work"

There might be a problem with lighttpd. The experimental version is tested on lighttpd 1.439-1, anything neweer may break functionality. If you have problems, please use the stable version.

In the experimental version it will automatically check the handshake. I will fix the menu shortly. If you need a GUI, use the stable version (which doesn't automatically control handshakes).

This is how the script works. The fake captive portal is set up by the script itself to collect the credentials. Don't freak, it's al okay.

"The MAC address of the fake access point differs from the original"

The MAC address of the fake access point differs by one octet from the original in order to prevent fluxion deauthenticating clients from itself during the session.

Installation

git clone --recursive https://github.com/FluxionNetwork/fluxion.git

Updates

If you want to submit a feature, do so by labeling your issue as an "enhancement" or submit a PR. I don't have enough time to make daily changes to fluxion, sorry.

✅ Included dependency versions

Aircrack : 1:1.2-0~rc4-0parrot0
Lighttpd : 1.439-1
Hostapd : 1:2.3-2.3 If you want to compare this type dpkg -l | grep "name"

📜 Changelog

Fluxion gets weekly updates with new features, improvements and bugfixes. Be sure to check out the changelog here.

:octocat: How to contribute

All contributions are welcome! Code, documentation, graphics or even design suggestions are welcome; use GitHub to its fullest. Submit pull requests, contribute tutorials or other wiki content -- whatever you have to offer, it would be appreciated!

📖 How it works

Scan the networks.
Capture a handshake (can't be used without a valid handshake, it's necessary to verify the password)
Use WEB Interface *
Launch a FakeAP instance to imitate the original access point
Spawns a MDK3 process, which deauthenticates all users connected to the target network, so they can be lured to connect to the FakeAP and enter the WPA password.
A fake DNS server is launched in order to capture all DNS requests and redirect them to the host running the script
A captive portal is launched in order to serve a page, which prompts the user to enter their WPA password
Each submitted password is verified by the handshake captured earlier
The attack will automatically terminate, as soon as a correct password is submitted

❗ Requirements

A Linux-based operating system. We recommend Kali Linux 2 or Kali 2016.1 rolling. Kali 2 & 2016 support the latest aircrack-ng versions. An external wifi card is recommended.

For development I use vim and tmux. Here are my dotfiles

:octocat: Credits

l3op - contributor
dlinkproto - contributor
vk496 - developer of linset
Derv82 - @Wifite/2
Princeofguilty - @webpages and @buteforce
Photos for wiki @http://www.kalitutorials.net
Ons Ali @wallpaper
PappleTec @sites

Disclaimer

Fluxion is intended to be used for legal security purposes only, and you should only use it to protect networks/hosts you own or have permission to test. Any other use is not the responsibility of the developer(s). Be sure that you understand and are complying with the Fluxion licenses and laws in your area. In other words, don't be stupid, don't be an asshole, and use this tool responsibly and legally.