Launch the Handshake Snooper Attack in Fluxion


Introduction

Fluxion is a powerful security auditing and social-engineering research tool. It automates the process of carrying out various attacks on Wi-Fi networks. One of its key features is the "Handshake Snooper" attack. This attack focuses on capturing the WPA/WPA2 4-way handshake, which occurs when a client device connects to a Wi-Fi access point. Capturing this handshake is a critical first step in attempting to crack the Wi-Fi password offline.

In this lab, you will learn the step-by-step process of launching a Handshake Snooper attack using Fluxion's interactive interface. We will use a simulated environment that mimics Fluxion's behavior to understand the workflow without needing actual wireless hardware. This lab is for educational purposes only.

Select the Target Network

In this step, you will start the Fluxion script and select the target Wi-Fi network from a list of scanned networks. The setup script has already created a simulated fluxion.sh script in the ~/project/fluxion directory.

First, navigate into the fluxion directory:

cd ~/project/fluxion

Now, run the script with sudo privileges. Fluxion requires root access to manage network interfaces.

sudo ./fluxion.sh

The script will first ask for your language. Enter 1 for English. Then, it will simulate scanning for wireless interfaces and ask you to select one. Enter 1 to choose wlan0.

Finally, it will display a list of simulated Wi-Fi networks. We will target MyHomeWiFi. Enter 1 to select it.

Your interaction will look like this:

FLUXION v6.9
Select your language: [1] English
> 1
Scanning for wireless interfaces...
[*] 1 wireless interface found.
    1. wlan0
Select a wireless interface to use: 1
Scanning for target networks...
   ##      BSSID              CH  SPEED  PWR  ENC      ESSID
--------------------------------------------------------------------
   1   00:11:22:33:44:55   6   54M    -50  WPA2     MyHomeWiFi
   2   AA:BB:CC:DD:EE:FF   11  54M    -65  WPA2     NeighborsWiFi
Select a target network: 1

After you select the target, the script will proceed to the next stage.

Choose the 'Handshake Snooper' Attack Vector

In this step, after selecting the target network, Fluxion will present you with a list of available attack vectors. Our goal is to capture a WPA/WPA2 handshake, so we will choose the 'Handshake Snooper' option. This attack specifically focuses on listening for and capturing the handshake data without launching more complex attacks like a Captive Portal.

The script will now show you the attack selection menu. Choose option 2 for Handshake Snooper.

Select an attack vector:
   1. Captive Portal
   2. Handshake Snooper
Select an attack: 2

By selecting this option, you are telling Fluxion to proceed with the handshake capture process.

Select the 'hostapd' Method for the Fake AP

In this step, Fluxion will ask how you want to create the access point for the attack. Even for a snooping attack, Fluxion might need to create an access point to manage the wireless interface. It provides several options, with hostapd being a common and reliable choice. hostapd is a user-space daemon that turns a network interface card into a wireless access point.

The script will now prompt you to select a method. Choose option 1 to use hostapd.

Select a method for the fake AP:
   1. hostapd
   2. airbase-ng
Select a method: 1

This configures Fluxion to use the hostapd software for any access point-related tasks during the attack.

Initiate the Deauthentication Attack to Capture a Handshake

In this step, you will initiate a deauthentication attack. To capture a handshake, a client device must connect (or reconnect) to the access point. A deauthentication attack forces connected clients to disconnect from the target network. When they automatically try to reconnect, we can capture the handshake. Fluxion automates this process.

The script will ask for the deauthentication method. For simplicity and to maximize the chances of capturing a handshake, we will choose to deauthenticate all clients. Select option 1 for Deauth all.

Select a deauthentication method:
   1. Deauth all
   2. Deauth client
Select a method: 1

Once you make this selection, the simulated attack will begin.
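The deauthentication step above is also what a wireless IDS sees from the other side. The following Python script is an added example, not part of this lab or of Fluxion: it reads a constructed log of 802.11 management frames (the line format `<seconds> <subtype> src=<mac> dst=<mac> [reason=<n>]`, the MAC addresses, the reason codes and the window/threshold values are all assumptions) and flags a deauthentication flood, the pattern a "Deauth all" run leaves behind: many deauth frames in a short window that carry the target's BSSID as source and the broadcast address as destination.

```python
"""Deauthentication-flood detector over a constructed 802.11 management-frame log.

Added example (not part of the lab or of Fluxion). The log format is an assumption:
one frame per line, "<seconds> <subtype> src=<mac> dst=<mac> [reason=<n>]".
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    ts: float             # capture time in seconds
    subtype: str          # management subtype: beacon, deauth, disassoc, ...
    src: str              # transmitter; a spoofed deauth carries the AP's BSSID here
    dst: str              # receiver; the broadcast address means "deauth all"
    reason: Optional[int]  # 802.11 reason code, if the frame carried one


def parse_line(line: str) -> Frame:
    """Parse one constructed log line into a Frame."""
    ts, subtype, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    reason = int(kv["reason"]) if "reason" in kv else None
    return Frame(float(ts), subtype.lower(), kv["src"].lower(), kv["dst"].lower(), reason)


def detect_deauth_flood(lines: List[str], window: float = 1.0, threshold: int = 10) -> List[dict]:
    """Flag each source that sends >= threshold deauth/disassoc frames within `window` seconds.

    One alert per offending source. window=1.0 and threshold=10 are assumed starting
    values; tune them against the baseline of the network being monitored.
    """
    recent: Dict[str, Deque[Frame]] = defaultdict(deque)
    alerts: List[dict] = []
    already_flagged = set()
    for line in lines:
        frame = parse_line(line)
        if frame.subtype not in ("deauth", "disassoc"):
            continue
        q = recent[frame.src]
        q.append(frame)
        # drop frames that have fallen out of the sliding window
        while q and frame.ts - q[0].ts > window:
            q.popleft()
        if len(q) >= threshold and frame.src not in already_flagged:
            already_flagged.add(frame.src)
            alerts.append({
                "bssid": frame.src,
                "count": len(q),
                "broadcast_count": sum(1 for f in q if f.dst == BROADCAST),
                "reasons": sorted({f.reason for f in q if f.reason is not None}),
                "first_ts": q[0].ts,
                "last_ts": frame.ts,
            })
    return alerts


# Constructed sample capture: two APs beaconing, one routine unicast deauth
# (reason 4, inactivity), then a burst of broadcast deauths spoofing the
# BSSID used for MyHomeWiFi in this lab, and a lone deauth from the neighbour.
SAMPLE_LOG = [
    "0.000 beacon src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff",
    "0.102 beacon src=aa:bb:cc:dd:ee:ff dst=ff:ff:ff:ff:ff:ff",
    "1.500 deauth src=00:11:22:33:44:55 dst=66:77:88:99:aa:bb reason=4",
    "2.300 beacon src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff",
]
SAMPLE_LOG += [
    f"{5.0 + i * 0.04:.3f} deauth src=00:11:22:33:44:55 dst=ff:ff:ff:ff:ff:ff reason=7"
    for i in range(12)
]
SAMPLE_LOG.append("6.000 deauth src=aa:bb:cc:dd:ee:ff dst=11:22:33:44:55:66 reason=3")

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_LOG):
        print(f"deauth flood: bssid={alert['bssid']} count={alert['count']} "
              f"broadcast={alert['broadcast_count']} reasons={alert['reasons']} "
              f"window={alert['first_ts']:.2f}-{alert['last_ts']:.2f}s")
```

On the sample log the single inactivity deauth from the real AP and the lone deauth from the neighbouring BSSID stay below the threshold, while the twelve-frame burst raises one alert for 00:11:22:33:44:55 with every frame addressed to the broadcast address. The rate-based rule is the detection side; the mitigation is 802.11w Protected Management Frames (`ieee80211w=2` in a hostapd configuration makes PMF mandatory), under which clients discard deauthentication frames that are not integrity-protected, so a spoofed "deauth all" no longer forces a reconnect.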

Wait for a Handshake to be Captured and Saved

In this final step, Fluxion is now actively monitoring the network and sending deauthentication packets. It is waiting for a client to reconnect to capture the WPA/WPA2 handshake. Our simulation will immediately succeed.

You will see output indicating that the attack is running, followed by a success message confirming the handshake has been captured. The script will also tell you where the handshake file (.cap) has been saved.

[*] Starting deauthentication attack...
[*] Waiting for a handshake...
[+] WPA handshake captured! BSSID: 00:11:22:33:44:55
[*] Saving handshake to 'fluxion/handshakes/MyHomeWiFi_00-11-22-33-44-55.cap'
[*] Attack finished. Exiting.

The script has now finished and exited. The captured handshake is saved in the fluxion/handshakes/ directory. You can verify its existence by listing the contents of that directory.

ls -l ~/project/fluxion/handshakes

You should see the captured file in the output:

total 0
-rw-r--r-- 1 root root 0 Jan  1 00:00 MyHomeWiFi_00-11-22-33-44-55.cap

You have successfully simulated the capture of a WPA handshake.

Summary

In this lab, you successfully walked through the process of launching a Handshake Snooper attack using a simulated Fluxion environment. You learned the essential steps involved in the process, from launching the tool to capturing the final handshake file.

Specifically, you learned how to:

  • Navigate the Fluxion interface.
  • Select a target Wi-Fi network.
  • Choose the 'Handshake Snooper' attack vector.
  • Initiate a deauthentication attack to force clients to reconnect.
  • Confirm the capture and saving of the WPA/WPA2 handshake file.

The captured .cap file could then be used with offline password cracking tools like aircrack-ng or hashcat to attempt to recover the network's password. This lab has provided a foundational understanding of one of the most common Wi-Fi penetration testing techniques.