Airgeddon 8.11 ( captive portals )

Discussion in 'Scripts & Commands' started by r1sen, 20 Oct 2018.

r1sen (Well-Known Member, Dev Team VIP):
Firstly, this documents the creation of a rogue AP / captive portal with airgeddon 8.11.

    Secondly, this script has been modified accordingly for dhcpd leasing - please check my previous thread on this if you have not:

Thirdly, due to how potentially powerful this script is and its functionality, I will probably be discontinuing dev/testing with Fluxion for the TinyPaw environment - or at least as an included default tool.

    So what is airgeddon?

    This is a multi-use bash script for Linux systems to audit wireless networks.

    Quoted and to the point from the project github:

Wireless devices / chipsets used:

*Multiple wireless devices required*

- Alfa AWUS036H *most likely a knock-off* - Ralink RT2870 / RT3070
- TP-Link TL-WN822N - Realtek RTL8192CU
- eth0 for live internet

    Simple steps to recreate:


    Step 1.) Select your primary wlan# device - in my case wlan0 - Ralink RT2870 / RT3070

    Step 2.) On the following screen select option# 2. in order to place your wlan# device you've selected into MONITOR mode.


    Step 3.) Select option# 7. "Evil Twin attacks menu"


    Step 4.) Select option# 9. "Evil Twin AP attack with captive portal" - from the list of Evil Twin attacks options.


    Step 5.) Select your secondary wlan# device - in my case wlan1 - Realtek RTL8192CU

    Step 6.) Press [Enter] to allow airgeddon to place your secondary wlan# device into MONITOR mode.


    Step 7.) You will be prompted to use an interface with internet access - in this case you will select "Y" for yes since 'dnsspoof' is not included at this time.


    Step 8.) You will be prompted to select the interface with live internet access - in my case this is eth0.


Step 9.) With all options / arguments in place thus far, press [Enter] for airgeddon to "search" for available networks within range. How long you allow for "searching" is up to your preference; I generally give between 30 sec and 1 min.


Step 10.) Once you feel you've allowed enough time for "searching", press Ctrl+C to halt network "searching" and generate the list of available "target" networks.

    Step 11.) Select the network that you wish to test against - in my case my wireless AP is option# 9.


Step 12.) The next options menu for our attack prompts you to select the method of deauth you'd like to deploy - in my case I generally use, and have the most success with, "Deauth aireplay attack", option# 2. from the options menu.


Step 13.) Once your preferred deauth method is selected (as stated above, I've selected option# 2.), you will be prompted whether or not to enable "DoS pursuit mode". I do, so I enter "y".


Step 14.) Next you will be prompted as to whether or not to spoof your MAC address - again I do, so I enter "y".


Step 15.) Next you will be prompted as to whether or not you've obtained a usable handshake for the "target" AP that you've selected - for the sake of not making this even longer, or going into the optional ways you may have obtained it, I have entered "n".


Step 16.) Since we've entered "n", airgeddon will deploy the previously selected deauth method to capture a usable handshake - in my case I selected the "Deauth aireplay attack" method.

Step 17.) As you can see in the upper right of my "capture handshake" window, a WPA handshake was successfully captured.


Step 18.) Next you will be prompted with "Congratulations!" on your capture, followed by where you should store your handshake capture *.cap file - press [Enter] for the default unless you know what you are doing.


Step 19.) Next you will be prompted with the language settings airgeddon will use for your captive portal - in my case English - so I've selected option# 1.


    Step 20.) Airgeddon will now launch your captive portal attack along with every necessary service window such as AP, DHCP, Webserver, etc..

Step 21.) As you can see from within the "control" window in the upper right of my screen, it has captured "1" login attempt - password "toofakeforyou".

    *Please view following images to see the "rogue" android system alert / login generated - up to you to determine how "fake" it looks - they all do but whatever*


    #1 r1sen, 20 Oct 2018
    Last edited: 20 Oct 2018
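The check behind Steps 16-18 (is the *.cap airgeddon saved actually usable, or did the "Congratulations!" fire on a stray EAPOL frame?), as an added example that is not part of the post above or of airgeddon itself. It walks a classic pcap, picks out unencrypted EAPOL-Key data frames, classifies them as messages 1-4 of the 4-way handshake from the Key Information flags, and then applies the rule cracking tools use: message 2 plus either message 1 with the same replay counter or message 3 with replay counter + 1. The BSSID, station MAC, nonces and the capture itself are constructed in memory so the script runs offline; it is assumed the real capture is a classic (non-pcapng) pcap with linktype 105 or 127, which is what airodump-ng style tools write.

```python
"""Verify that a .cap holds a usable WPA/WPA2 4-way handshake.

Added example, not airgeddon's code. Frame layout follows IEEE 802.11 and
802.1X EAPOL-Key; the capture checked at the bottom is constructed in memory
(addresses and nonces are made up) so the script runs offline.
"""
import struct

LINKTYPE_IEEE802_11 = 105   # raw 802.11 frames
LINKTYPE_RADIOTAP = 127     # radiotap header in front of each frame
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")

# EAPOL-Key "Key Information" flag bits (IEEE 802.11-2016, 12.7.2)
KI_ACK, KI_MIC, KI_SECURE = 0x0080, 0x0100, 0x0200


def read_pcap(data):
    """Yield raw 802.11 frames from a classic (non-pcapng) pcap blob."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype not in (LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP):
        raise ValueError("unsupported linktype %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if linktype == LINKTYPE_RADIOTAP:          # radiotap length is always LE
            frame = frame[struct.unpack("<H", frame[2:4])[0]:]
        yield frame


def parse_eapol_key(frame):
    """Fields of an unencrypted EAPOL-Key data frame, or None for anything else."""
    if len(frame) < 26:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08 or (fc1 & 0x40):       # Data frame, Protected bit clear
        return None
    if (fc1 & 0x03) == 0x03:                        # 4-address WDS frames not handled
        return None
    hdr = 26 if fc0 & 0x80 else 24                  # QoS Data has a 2-byte QoS field
    if frame[hdr:hdr + 8] != LLC_SNAP_EAPOL:
        return None
    eapol = frame[hdr + 8:]
    if len(eapol) < 4 + 95 or eapol[1] != 3:        # EAPOL type 3 = EAPOL-Key
        return None
    desc, key_info, _, replay = struct.unpack(">BHHQ", eapol[4:17])
    nonce = eapol[17:49]
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if fc1 & 0x02:                                  # FromDS: AP -> station
        bssid, sta = addr2, addr1
    elif fc1 & 0x01:                                # ToDS: station -> AP
        bssid, sta = addr1, addr2
    else:                                           # ad-hoc: BSSID sits in addr3
        bssid, sta = addr3, addr2
    ack, mic, secure = key_info & KI_ACK, key_info & KI_MIC, key_info & KI_SECURE
    if ack and not mic:
        msg = 1
    elif ack and mic:
        msg = 3
    elif secure or not any(nonce):      # M4 carries no nonce; RSN also sets Secure
        msg = 4
    else:
        msg = 2
    return {"msg": msg, "bssid": bssid, "sta": sta, "replay": replay,
            "wpa1": desc == 254}


def assess_handshakes(frames):
    """Per (BSSID, station): messages seen and whether the set is crackable.
    Rule: M2 plus M1 with the same replay counter, or M2 plus M3 with replay
    counter + 1, yields ANonce, SNonce and a MIC to test passphrases against."""
    seen = {}
    for frame in frames:
        k = parse_eapol_key(frame)
        if k:
            per_pair = seen.setdefault((k["bssid"], k["sta"]), {})
            per_pair.setdefault(k["msg"], set()).add(k["replay"])
    report = {}
    for pair, msgs in seen.items():
        m1, m2, m3 = msgs.get(1, set()), msgs.get(2, set()), msgs.get(3, set())
        crackable = any(rc in m1 or rc + 1 in m3 for rc in m2)
        report[pair] = {"messages": sorted(msgs), "crackable": crackable}
    return report


def verify_capture(pcap_bytes):
    """Run the check over a whole .cap blob (e.g. open(path, 'rb').read())."""
    return assess_handshakes(read_pcap(pcap_bytes))


def build_eapol_key_frame(bssid, sta, from_ap, key_info, replay, nonce):
    """Constructed 802.11 Data + LLC/SNAP + EAPOL-Key frame (MIC/key data zeroed)."""
    fc = b"\x08\x02" if from_ap else b"\x08\x01"            # Data; FromDS or ToDS
    addr1, addr2 = (sta, bssid) if from_ap else (bssid, sta)
    hdr = fc + b"\x00\x00" + addr1 + addr2 + bssid + b"\x00\x00"
    key = (struct.pack(">BHHQ", 2, key_info, 16, replay) + nonce
           + bytes(16 + 8 + 8 + 16) + b"\x00\x00")         # IV, RSC, ID, MIC, key data len
    eapol = struct.pack(">BBH", 2, 3, len(key)) + key        # version 2, type Key
    return hdr + LLC_SNAP_EAPOL + eapol


def build_sample_pcap(frames):
    """Wrap frames in a little-endian classic pcap with linktype 105."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1540000000 + i, 0, len(f), len(f)) + f
    return out


# Constructed sample: one beacon (ignored) and a complete RSN 4-way handshake.
BSSID, STA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
SAMPLE_FRAMES = [
    b"\x80\x00\x00\x00" + b"\xff" * 6 + BSSID + BSSID + b"\x00\x00" + bytes(12),
    build_eapol_key_frame(BSSID, STA, True, 0x008A, 1, ANONCE),      # M1: ACK
    build_eapol_key_frame(BSSID, STA, False, 0x010A, 1, SNONCE),     # M2: MIC
    build_eapol_key_frame(BSSID, STA, True, 0x13CA, 2, ANONCE),      # M3: Install+ACK+MIC+Secure
    build_eapol_key_frame(BSSID, STA, False, 0x030A, 2, bytes(32)),  # M4: MIC+Secure
]

if __name__ == "__main__":
    for (bssid, sta), r in verify_capture(build_sample_pcap(SAMPLE_FRAMES)).items():
        print(bssid.hex(":"), sta.hex(":"), r)
```

Point `verify_capture` at the bytes of the file airgeddon wrote in Step 18 and look for a pair with `crackable` True; a capture that only shows `[1]` or `[2]`, or message 1 and 2 with different replay counters (the station answered a later challenge than the one you captured), is the case where you let the deauth run again rather than moving on to the portal. The parser deliberately skips Protected frames and 4-address frames, and treats a nonce of all zeros as message 4 so WPA1 supplicants that leave the Secure bit clear on message 4 are not mistaken for a second message 2.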