Fluxion 5.6 ( testing )

Discussion in 'Scripts & Commands' started by r1sen, 24 Sep 2018.

  1. r1sen

    r1sen Well-Known Member
    Dev Team VIP

    Joined:
    22 Nov 2017
    Messages:
    133
    Likes Received:
    9
    So a massive upgrade from the current TinyPaw default of Fluxion 0.23 modified and seems functional but would certainly appreciate any feedback.

    Changes made:

    -modified splash banner for ascii compatibility

    -commented out systemctl/systemd calls in regards to: NetworkManager, Network-Manager, etc

    Fluxion archived source folder:

    SourceForge:

    tp-fluxion-master.zip

    BitBucket:

    tp-fluxion-master.zip

    Required dependencies:

    SourceForge:

    bc.tcz
    p7zip-full.tcz
    tp_dns.tcz

    BitBucket:

    bc.tcz
    p7zip-full.tcz
    tp_dns.tcz

    Installation:

    1.) Download the archive fluxion source folder "tp-fluxion-master.zip" from either of the above repositories.

    2.) Open your terminal / command line and enter the following:

    cd /home/tc/Downloads/

    unzip tp-fluxion-master.zip

    *Now you will have the directory "/home/tc/Downloads/tp-fluxion-master/*

    3.) Download all three dependencies "bc.tcz, p7zip-full.tcz, tp_dns.tcz" from either of the above repositories.

    4.) Copy the three dependencies "bc.tcz, p7zip-full.tcz, tp_dns.tcz" into your (*/tce/optional/) directory.

    5.) Open your "onboot.lst" file located in your (*/tce/) directory and make the following changes:
    -Add line item: "bc.tcz"
    -Add line item: "p7zip-full.tcz"
    -Add line item: "tp_dns.tcz"
    -Be sure to include one extra line of empty(white) space at the bottom of your onboot.lst.

    6.) Save the changes you've made by either "file+save" or "cntl+s" and close your text editor.

    7.) Close all windows and restart your system.

    8.) Upon restart open your terminal and enter the following:

    cd /home/tc/Downloads/tp-fluxion-master/

    sudo bash fluxion.sh

    *this fluxion (testing) package will not start from the wbar fluxion icon - that is for the default fluxion 0.23 extension - this package must be init manually*

    Tested and was successful in capturing credentials, using those credentials to generate fakeAP and captive portal, connected with an android cellular device and dhcp leasing functioned.

    I would appreciate feedback from the "field"

    Screenshot_TinyPaw_v1.3_2018-09-23_17:14:55.png
     
    #1 r1sen, 24 Sep 2018
    Last edited: 26 Sep 2018
  2. Axis0fEvil

    Axis0fEvil Active Member

    Joined:
    29 Dec 2014
    Messages:
    16
    Likes Received:
    2
    from 0.23 to 5.6 good jump but what about the fake web pages ?! this is the most important area of interest for such tool.
    for example: using the phrase " enter your WPA/WPA2 pass phrases for firmware upgrade " is too technical and unless the user is at least an IT technician or hacker, he/she might go to panic mode XD ... I think: " enter your wifi password to continue updating your android device or (brand name) router " would be a more convincing phrase for the average victim.

    If only I know web programing I would have created genuine/professional/convincing fake web pages. Unfortunately most hackers don't have the patience to create a web page that is neat and convincing. a lucky H4x0r would have a web page designer GF XD
    --- Double Post Merged, 2 Oct 2018, Original Post Date: 2 Oct 2018 ---
    in my opinion, this tool and wifiphisher fall under the social engineering category rather than the wireless technical category because it's effectiveness relies first and foremost on convincing/tricking the user to fill in his wifi credentials rather than the tool communicating with the router or AP directly as in Reaver or Aircrack-ng as examples.
    --- Double Post Merged, 2 Oct 2018 ---

    look at this disaster for example @10:41 ... I laughed so much after seeing this.
    most probably the user will soft reset the router/AP or will buy a different router but he/she will never write anything inside this "unconvincing" form
    Watch this video on YouTube.
     
  3. r1sen

    r1sen Well-Known Member
    Dev Team VIP

    Joined:
    22 Nov 2017
    Messages:
    133
    Likes Received:
    9
    @Axis0fEvil

    Thanks for the feedback - actual feedback, not entirely sure where the glitch is while starting "fluxion web services" but looking into it. As far as the rest - personally I don't care for it, not really, not at all. In comparison in my opinion Airgeddon has about a 10x advantage in performance and practicality. Fluxion was requested to be on the list of tools to be seen in the project but... Yeah, not the biggest fan. Right there to me on the list next to sending out a hundred million customer support emails of various types asking for login credentials and hoping no one notices the redirect or Url. Still under testing/development but definitely appreciate your feedback.
     
    • Like Like x 1
  4. r1sen

    r1sen Well-Known Member
    Dev Team VIP

    Joined:
    22 Nov 2017
    Messages:
    133
    Likes Received:
    9
    @Axis0fEvil

    More on that, the thing in my opinion or one of them that raise the practicality of Airgeddon over is that you can operate AP interface, Jamming interface and active internet - giving way to full clone, full capture and eavesdropping as opposed to just blanketing with sup par skeptical login pages lol. To each is there own but in the erea and topic of device and systems auditing this tool is not high on my personal list. Just from my perspective.
     
    • Like Like x 1
  5. Axis0fEvil

    Axis0fEvil Active Member

    Joined:
    29 Dec 2014
    Messages:
    16
    Likes Received:
    2
    your perspective is correct but when a tool is released, it should be complete to be useful, else it will become obsolete like many other tools through the history of hacking since the 90s. fluxion is not bad but it's incomplete. in your own hacking lab you could create your own customized arsenal, but when you release it for public use, you should take into consideration the community too.

    I have not yet tried "Airgeddon" However, from what I read in your last post, I assume that you need some hardware rather than a single wifi card.
    Not all people have access to such options. Not from a buying point of view but from the availability of the hardware itself.
    After AWUS036H, the star of them all even in 2018, all wifi chips/cards that came out had their capabilities restricted.

    Unfortunately, the hacking community didn't develop the hardware arsenal e.g. PCB mods, EEPROM mods, driver mods, to try and remove the limitations put by the manufacturers. a small search on youtube or google about this topic yields no useful information.
    Nowadays a lot of advanced software security tools but no decent hardware available to help them realize their full potential.

    On top, small repeaters/wifi extenders are being offered as solutions for home users, slowly phasing out "HIGH GAIN" USB wifi adapters and replacing them with low power (USB stick like) wifi adapters that all it can do is connect to your closest wifi extender, solving the range problem.

    Fluxion / Airgeddon / Wifiphisher, should have more serious work put into them even more than reaver or aircrack-ng
     
  6. r1sen

    r1sen Well-Known Member
    Dev Team VIP

    Joined:
    22 Nov 2017
    Messages:
    133
    Likes Received:
    9
    Right - as clearly stated to the public I specified quite specifically that this package is under testing/and development? Never proclaimed it to be completed, I specifically quite so asked for testing and feedback for that very reason.
     
    • Like Like x 1
  7. r1sen

    r1sen Well-Known Member
    Dev Team VIP

    Joined:
    22 Nov 2017
    Messages:
    133
    Likes Received:
    9
    And quite certainly for Airgeddon to be most proficient you would need 2 wifi interfaces 1 that supports AP mode, and one hardwired eth for live internet, or a 3rd wireless interface for internet redirect
     
  8. Axis0fEvil

    Axis0fEvil Active Member

    Joined:
    29 Dec 2014
    Messages:
    16
    Likes Received:
    2
    I know, already read the OP post but I wrote this as a general opinion (not targeting you) because when this tool and others showed up on the internet for the first time, people quickly started doing youtube videos about them while in reality they were still incomplete. So don't take it to heart. I appreciate your hard work .. just sharing my thoughts
     
  9. r1sen

    r1sen Well-Known Member
    Dev Team VIP

    Joined:
    22 Nov 2017
    Messages:
    133
    Likes Received:
    9
    Agreeably so, I don't take it entirely to heart I greatly appreciate the support and feedback. Also, yes the amount of scripts that I have worked on that were either broken/dead from the start or specifically tailored to only one distro was quite frustrating to say the least. ;p
     
  10. Axis0fEvil

    Axis0fEvil Active Member

    Joined:
    29 Dec 2014
    Messages:
    16
    Likes Received:
    2
    Watch this video on YouTube.

    Another pathetically unconvincing video, I didn't even bother to comment on it on youtube.This time it is wifiphisher !! I can't believe that after the feedback I gave maybe 1 year or 2 years ago on the development page of the project. Nothing has been taken into consideration.
    I won't get into a lot of details but honestly, I'll put myself in place of the potential victim and how he/she will behave.

    1 - when regular people connect to the fake AP they won't go and open google chrome!! most likely they will open whatsapp,facebook,skype,viber,appstore applications...etc and when they discover that nothing happened, most probably their next move will be to soft reset the router .. taking you (the hacker) back to square one

    2 - and in case of "no internet connection", If the apps (whatapp etc .. ) are nice enough to automatically launch google search(chrome) and refer you to the mobile/router upgrade page (which is what he hope) .. the structure of the "fake upgrade page" is too technical for regular people (victims) to understand anything. first the use of "WPA/WPA2 passphrase" and the use of the word "upgrade" and "the disclaimer" which adds more confusion to a graphic designer, or a fashion designer or a secretary who sends neat emails as her daily job.

    instead why not remove the disclaimer all together, put a "logo" of the victims mobile brand, use the word "wireless password" instead of wpa/wpa2 passphrase and lastly replace the word upgrade with "update" ... trust me, most people don't know the difference between the words upgrade and update. UPDATE is very popular,even my grandmother knows what UPDATE means

    Here, now I feel better !!

    "In order for a social engineering tool to be successful and not obsolete on the day of its release, the developer(s) should always put themselves in the victim's shoes "

     
    • Like Like x 1
  11. r1sen

    r1sen Well-Known Member
    Dev Team VIP

    Joined:
    22 Nov 2017
    Messages:
    133
    Likes Received:
    9
    The thing of it all is, one reason I do not care for this approach is pretty straight forward. In all the years I've used cable or high speed internet I have never been prompted with any type of browser re-login or authentication page. Only time I have seen that is perhaps a public hotspot such as a hotel, McDonalds, etc where the credentials are publicly available anyhow. So I would entirely agree that the typical home user would just walk up to their router, jam a pen in the back hole for 15 seconds and reset lol. So never gave a high percentage of practicality to this approach in my book :p
     
    #11 r1sen, 4 Oct 2018
    Last edited: 4 Oct 2018
  12. r1sen

    r1sen Well-Known Member
    Dev Team VIP

    Joined:
    22 Nov 2017
    Messages:
    133
    Likes Received:
    9
    The reason I gave mention to Airgeddon - and yes as you stated, you would need a few wireless devices and dongles to make the most effective use of it - however providing a fakeAP with live web, dns, etc and capitalizing on the fact that just about everyone configures their device - whether cellular or otherwise that regularly uses WiFi to auto-reconnect in the event of signal drop. And testing this myself cloning my AP and using an android cellular device the switch from AP to fakeAP was almost instant and barely to not noticeable at all? and service continued as normal - this to me is far more effective and useful. Well, my opinions though - what do I know lol :p
     
  13. r1sen

    r1sen Well-Known Member
    Dev Team VIP

    Joined:
    22 Nov 2017
    Messages:
    133
    Likes Received:
    9
    Upon thinking I think that perhaps I should clarify - There is certainly nothing wrong with someones preferred method or tool-sets, I am not criticizing the art or tools of social engineering nor someones choice between using automated scripts or the core tools that said scripts automate. I am only speaking from my perspective and taste in the particular tools that I use. Therefore I only meant that out of the range of tools and techniques out there and ones included in TinyPaw that I did not evaluate this type of "attack" high on the list of practical uses and/or deployment. Never would I discourage anyone, I did after all included S.E.T. scripts regardless of my opinion to offer a better coverage of the spectrum of tools and techniques one might prefer to use. lol - now that my disclaimer is off my chest :p
     
Loading...
  • About Us

    We are a community mixed with professionals and beginners with an interest in wireless security, auditing and pentesting. Feel free to check out and upload resources.


    You can also find us on: Twitter and Facebook

  • Donate to Us

    Did you find our forums useful? Feel free to donate Bitcoin to us using the form below. Those who donate the equivlent of $10 USD or more will be upgraded to VIP membership. Don't have Bitcoin? Use your credit card to GO VIP here. Don't want to fork out some coin? There are other ways to GO VIP. Bitcoin: 1LMTGSoTyJWXuy2mQkHfgMzD7ez74x1Z8K