Launch the Captive Portal Attack in Fluxion

Introduction

In this lab, you will learn how to launch a Captive Portal attack using Fluxion. Fluxion is a security auditing and social-engineering research tool. It is a remake of linset by vk496 with a less buggy and more functional interface.

The Captive Portal attack is a social engineering technique that creates a fake Wi-Fi network (a "rogue" Access Point) that mimics a legitimate one. When users connect to this fake network, they are redirected to a fraudulent web page (the "captive portal") that prompts them to enter their Wi-Fi password.

This lab will guide you through the interactive menu of Fluxion to configure and launch this attack. We will assume that you have already completed a previous step of scanning for networks and capturing a WPA/WPA2 handshake for your target.

Select a Target Network with a Captured Handshake

In this step, we will begin the process by selecting our target network from the list of networks that Fluxion has detected. For the Captive Portal attack to work, we must have previously captured a WPA/WPA2 handshake from the target network. Fluxion clearly marks which networks have a captured handshake.

Imagine you have just launched Fluxion. After selecting your language and wireless adapter, you are presented with the target selection screen. Below is a representation of what you would see. The asterisk * indicates that a handshake has been captured for the LabEx_WiFi network.

FLUXION - Select a target
─────────────────────────────────────────────────────────────────────────────────────────
      ##      BSSID              ESSID         CH  ENCR    POWER  CLIENTS  HANDSHAKE
      1      XX:XX:XX:XX:XX:A1  LabEx_WiFi    6   WPA2    95%    3        *
      2      XX:XX:XX:XX:XX:B2  GuestNet      1   WPA2    80%    1
      3      XX:XX:XX:XX:XX:C3  CorpNet       11  WPA2    75%    8
─────────────────────────────────────────────────────────────────────────────────────────
[<] Rescan for networks   [>] Select a target with a handshake and skip to attacks
[fluxion] Select an option:

We will choose the first network, LabEx_WiFi, which is our intended target and has the required handshake. In a real Fluxion session, you would type 1 and press Enter. For this lab, we will simulate this choice by recording it in a log file.

Execute the following command to record your choice:

echo "Target: 1" >> ~/project/fluxion_choices.log

Choose the 'Captive Portal' Attack Vector

After you select the target network, Fluxion presents a menu of available attack vectors. The two primary options are typically the Handshake Snooper and the Captive Portal.

  • Handshake Snooper: This attack passively waits to capture a new handshake. It's useful if you don't have one already.
  • Captive Portal: This is an active attack that creates a fake access point to trick users into entering their password on a fake login page.

Since our goal is to perform a Captive Portal attack, we will select that option. Here is a representation of the Fluxion menu at this stage:

FLUXION - Select an attack
─────────────────────────────────────────────────────────────────────────────────────────
      ##      ATTACK
      1      Captive Portal
      2      Handshake Snooper
─────────────────────────────────────────────────────────────────────────────────────────
[<] Return to network selection
[fluxion] Select an option:

We will select option 1 to proceed with the Captive Portal attack. To log this choice for our simulation, run the following command:

echo "Attack: 1" >> ~/project/fluxion_choices.log

Select the 'hostapd' Method for the Rogue AP

In this step, we need to choose the software that will create our rogue (fake) Access Point. The rogue AP is a critical component of the attack, as it's the network that unsuspecting users will connect to.

Fluxion offers several methods for creating a software-based AP. The most common and reliable option is hostapd, a standard user-space daemon for access point and authentication servers on Linux. It is well supported and robust, which makes it the ideal choice for this attack.

The Fluxion menu will look similar to this:

FLUXION - Select a rogue AP creation method
─────────────────────────────────────────────────────────────────────────────────────────
      ##      METHOD
      1      hostapd
      2      Airbase-ng
─────────────────────────────────────────────────────────────────────────────────────────
[<] Return to attack selection
[fluxion] Select an option:

We will choose option 1 to use hostapd. Record this selection by executing the command below:

echo "RogueAP: 1" >> ~/project/fluxion_choices.log
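
From the defender's side, the rogue AP in this step is visible as a beacon that advertises the protected ESSID from a radio that is not in the site's AP inventory. The following Python check is an added example, not part of the lab or of Fluxion; the inventory format, field names and BSSIDs are constructed assumptions.

```python
# Added example: flag beacons that reuse a protected ESSID without matching the AP inventory.
# All BSSIDs and records below are constructed placeholders, not values from the lab.

# Inventory of sanctioned APs: ESSID -> set of (BSSID, channel, encryption).
AUTHORIZED = {
    "LabEx_WiFi": {("02:00:00:00:00:a1", 6, "WPA2")},
}

# Constructed beacon observations, shaped like a sensor or site-survey export.
BEACONS = [
    {"bssid": "02:00:00:00:00:A1", "essid": "LabEx_WiFi", "channel": 6, "encr": "WPA2"},
    {"bssid": "02:00:00:00:00:FF", "essid": "LabEx_WiFi", "channel": 6, "encr": "OPN"},
    {"bssid": "02:00:00:00:00:B2", "essid": "GuestNet", "channel": 1, "encr": "WPA2"},
]


def find_rogue_aps(beacons, authorized):
    """Return one finding per beacon that claims a protected ESSID but is not in the inventory."""
    findings = []
    for b in beacons:
        allowed = authorized.get(b["essid"])
        if allowed is None:
            continue  # ESSID is not one we protect
        bssid = b["bssid"].lower()  # normalise case before comparing
        if (bssid, b["channel"], b["encr"]) in allowed:
            continue  # exact match with a sanctioned AP
        reasons = []
        if bssid not in {a[0] for a in allowed}:
            reasons.append("unknown BSSID")
        if b["encr"] not in {a[2] for a in allowed}:
            reasons.append("encryption mismatch")
        if not reasons:
            # BSSID and encryption are both known, so the combination is off:
            # consistent with a spoofed BSSID transmitting somewhere unexpected.
            reasons.append("known BSSID with unexpected channel or settings")
        findings.append({"essid": b["essid"], "bssid": bssid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_rogue_aps(BEACONS, AUTHORIZED):
        print(f"ALERT {f['essid']} from {f['bssid']}: {', '.join(f['reasons'])}")
```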

Choose the 'aircrack-ng' Deauthentication Method

In this step, we will configure the deauthentication part of the attack. To encourage users to connect to our rogue AP, we first need to disconnect them from the legitimate LabEx_WiFi network. This is done by sending specially crafted "deauthentication packets" that spoof the real access point.

Fluxion leverages other well-known tools for this task. The aircrack-ng suite contains a tool called aireplay-ng, which is the industry standard for injecting wireless frames, including deauthentication packets. It is highly effective at forcing clients to disconnect.

The selection menu in Fluxion will be presented as follows:

FLUXION - Select a deauthentication method
─────────────────────────────────────────────────────────────────────────────────────────
      ##      METHOD
      1      aircrack-ng (aireplay-ng)
      2      mdk4
─────────────────────────────────────────────────────────────────────────────────────────
[<] Return to rogue AP method selection
[fluxion] Select an option:

We will select option 1 to use the powerful and reliable aircrack-ng method. Log this choice with the following command:

echo "Deauth: 1" >> ~/project/fluxion_choices.log
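
The continuous deauthentication described in this step stands out in a wireless capture as a burst of deauthentication frames that claim to come from the legitimate AP. The following Python detector is an added example, not part of the lab or of Fluxion; the record format, window, threshold and BSSIDs are constructed assumptions.

```python
# Added example: sliding-window detection of deauthentication bursts per transmitter address.
# Frame records and thresholds are constructed assumptions; tune them against a site baseline.
from collections import defaultdict, deque

WINDOW_MS = 10_000   # assumed look-back window
THRESHOLD = 20       # assumed number of deauth frames in the window that triggers an alert

REAL_AP = "02:00:00:00:00:a1"    # constructed placeholder for the legitimate AP's BSSID
OTHER_AP = "02:00:00:00:00:b2"   # constructed placeholder for an unrelated AP


def sample_frames():
    """Constructed capture: (timestamp_ms, transmitter_bssid) for each deauth frame seen."""
    burst = [(100_000 + i * 200, REAL_AP) for i in range(30)]       # 5 frames per second
    routine = [(t, OTHER_AP) for t in (100_000, 160_000, 220_000)]  # occasional, normal
    return sorted(burst + routine)


def detect_deauth_bursts(frames, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Return {bssid: timestamp_ms of the frame at which the threshold was first reached}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, bssid in frames:  # frames must be in time order
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window_ms:  # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and bssid not in alerts:
            # The transmitter address is spoofed, so this names the impersonated AP,
            # not the device that actually sent the frames.
            alerts[bssid] = ts
    return alerts


if __name__ == "__main__":
    for bssid, ts in detect_deauth_bursts(sample_frames()).items():
        print(f"ALERT deauth burst claiming to come from {bssid} at t={ts} ms")
```

Where 802.11w Protected Management Frames are required, clients discard unprotected deauthentication frames, but a burst is still worth alerting on as evidence of an attempt.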

Start the Full Captive Portal Attack Sequence

With all the necessary components configured, Fluxion now has the information it needs: the target, the attack vector, the rogue AP method, and the deauthentication method.

At this point, Fluxion is ready to launch the attack. It will typically open several new terminal windows to manage the different processes concurrently:

  • Rogue AP: A window running hostapd to broadcast the fake LabEx_WiFi network.
  • Deauthenticator: A window running aireplay-ng to continuously disconnect clients from the real network.
  • DNS Server: A window managing DNS requests to redirect all traffic to our captive portal.
  • Web Server: A window hosting the fake login page.
  • Credential Catcher: The main window, which will display any passwords that are captured.

Before launching, Fluxion will ask for a final confirmation. The menu will look something like this:

FLUXION - Attack Ready
─────────────────────────────────────────────────────────────────────────────────────────
      All parameters are set. Fluxion is ready to launch the attack.
      Multiple terminal windows will be spawned to handle each process.

      ##      ACTION
      1      Start Attack
─────────────────────────────────────────────────────────────────────────────────────────
[<] Return to deauthentication method selection
[fluxion] Select an option:

To start the attack, you would select 1. Let's log this final action to complete our simulated setup.

echo "Start: 1" >> ~/project/fluxion_choices.log

Once started, you would monitor the windows for activity, waiting for a user to connect to your rogue AP and enter their credentials into the captive portal.

Summary

In this lab, you have successfully walked through the configuration steps to launch a Captive Portal attack using Fluxion. While we simulated the interactions, you have learned the complete logical flow of the attack.

You learned how to:

  • Select a target network that has a pre-captured handshake.
  • Choose the Captive Portal as the desired attack vector.
  • Select hostapd as the reliable method for creating the rogue Access Point.
  • Choose aircrack-ng to perform the deauthentication attack, forcing clients off the legitimate network.
  • Launch the full attack sequence.

This knowledge provides a fundamental understanding of how Wi-Fi social engineering attacks are constructed and executed. Please remember to use this knowledge responsibly and only for ethical and educational purposes.