Full Report
Fluxion is an automated EvilAP attack tool for carrying out MiTM attacks on WPA wireless networks, written in a mix of Bash and Python. Fluxion is heavily based on Linset, the Evil Twin Attack Bash script, with some improvements and bug fixes. How it Works Scan the networks. Capture a handshake (can’t be used without a […]
Analysis Summary
# Tool/Technique: Fluxion
## Overview
Fluxion is an automated Evil Access Point (EvilAP) attack tool designed to execute Man-in-the-Middle (MiTM) attacks against WPA Wireless networks. It is written in a combination of Bash and Python and is an updated iteration based on the Linset Evil Twin Attack Bash Script.
## Technical Details
- Type: Attack Tool
- Platform: Linux. The tool is a wrapper around Linux utilities (the Aircrack-ng suite, `hostapd`, `lighttpd`, `mdk3`), and it needs a wireless adapter that supports monitor mode (for handshake capture) and frame injection (for deauthentication).
- Capabilities: Scanning Wi-Fi networks, capturing WPA handshakes, spoofing target APs (Evil Twin), deauthenticating legitimate clients, running captive portals for credential capture, and verifying captured passwords against the handshake.
- First Seen: The article is dated January 10, 2017.
## MITRE ATT&CK Mapping
Fluxion's objective is credential access: it obtains the network's WPA passphrase from a user through a rogue access point and captive portal rather than attacking the encryption itself. The steps it automates map as follows.
- **TA0006 - Credential Access / TA0009 - Collection**
  - T1557 - Adversary-in-the-Middle
    - T1557.004 - Evil Twin (rogue AP broadcasting the target SSID, combined with deauthentication of clients from the legitimate AP so they reconnect to the rogue one)
  - T1056 - Input Capture
    - T1056.003 - Web Portal Capture (captive portal that asks the user for the WPA passphrase)
  - T1040 - Network Sniffing (monitor-mode capture of the WPA 4-way handshake, later used to verify each submitted passphrase)
- **TA0043 - Reconnaissance**
  - The initial Wi-Fi scan used to pick a target. ATT&CK has no 802.11-specific sub-technique for a wireless survey, so this step is listed without a technique ID.
## Functionality
### Core Capabilities
* **Network Scanning:** Scans the environment for available wireless networks.
* **Handshake Capture:** Captures the WPA handshake necessary for later password verification.
* **Evil Twin Setup:** Launches a Fake AP instance to imitate the legitimate target access point.
* **Deauthentication:** Spawns an `mdk3` process that floods deauthentication frames carrying the legitimate AP's address, forcibly disconnecting its clients so that they reconnect to the attacker's FakeAP.
* **Credential Harvesting:** Launches a captive portal (using Lighttpd) designed to prompt users to enter their WPA password.
### Advanced Features
* **Automated Password Verification:** Automatically verifies any submitted password against the previously captured WPA handshake.
* **Automated Termination:** The attack script automatically stops once a correct password has been successfully submitted.
* **DNS Redirection:** Launches a fake DNS server to capture and redirect all DNS requests to the host running Fluxion.
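The password check in the "Automated Password Verification" step is the standard WPA2-PSK derivation: the submitted passphrase is stretched into the PMK with PBKDF2, expanded into the PTK with the MAC addresses and nonces from the captured 4-way handshake, and the first 16 bytes (the KCK) are used to recompute the MIC on handshake message 2. If the MIC matches, the passphrase is correct. The following is an added example written for this page, not Fluxion's own code (Fluxion delegates this to aircrack-ng); the SSID, MAC addresses, nonces and passphrase are constructed, and the sample message 2 is built with the same derivation the verifier uses, so the check is self-consistent rather than a real capture.

```python
import hashlib
import hmac

# Offset of the 16-byte MIC inside an EAPOL-Key frame: EAPOL header (4) + descriptor
# type (1) + key info (2) + key length (2) + replay counter (8) + nonce (32) + IV (16)
# + RSC (8) + ID (8) = 81.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, cut to 64 bytes."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)
    )
    return out[:64]


def derive_kck(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    The KCK (key confirmation key) that authenticates EAPOL frames is the first 16 bytes."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed. The key descriptor version
    (low 3 bits of Key Information) selects HMAC-MD5 (1, WPA/TKIP) or HMAC-SHA1
    truncated to 16 bytes (2, WPA2/CCMP)."""
    version = int.from_bytes(eapol[5:7], "big") & 0x7
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def verify_passphrase(candidate, ssid, ap_mac, client_mac, anonce, snonce, eapol_m2) -> bool:
    """True if `candidate` reproduces the MIC the client put on handshake message 2."""
    kck = derive_kck(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac, anonce, snonce)
    return hmac.compare_digest(eapol_mic(kck, eapol_m2), eapol_m2[MIC_OFFSET:MIC_OFFSET + 16])


def build_eapol_m2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal WPA2 EAPOL-Key message 2 (client -> AP): RSN descriptor (0x02), key info
    0x010a (descriptor version 2, pairwise, MIC present), replay counter 1, no key data."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


# Constructed sample handshake (hypothetical values, not a real capture).
SAMPLE = {
    "ssid": "CorpWiFi",
    "ap_mac": bytes.fromhex("001122334455"),
    "client_mac": bytes.fromhex("66778899aabb"),
    "anonce": bytes(range(32)),
    "snonce": bytes(range(32, 64)),
}
_TRUE_PASSPHRASE = "correct horse battery"
_kck = derive_kck(pmk_from_passphrase(_TRUE_PASSPHRASE, SAMPLE["ssid"]),
                  SAMPLE["ap_mac"], SAMPLE["client_mac"], SAMPLE["anonce"], SAMPLE["snonce"])
SAMPLE["eapol_m2"] = build_eapol_m2(SAMPLE["snonce"],
                                    eapol_mic(_kck, build_eapol_m2(SAMPLE["snonce"])))


def check(candidate: str) -> bool:
    """What the captive-portal back end does with each passphrase a victim submits."""
    return verify_passphrase(candidate, SAMPLE["ssid"], SAMPLE["ap_mac"], SAMPLE["client_mac"],
                             SAMPLE["anonce"], SAMPLE["snonce"], SAMPLE["eapol_m2"])


if __name__ == "__main__":
    for guess in ("password123", _TRUE_PASSPHRASE):
        print(f"{guess!r}: {'valid' if check(guess) else 'rejected'}")
```

Only message 2 (or messages 2 and 3) is needed for this check, which is why a handshake capture that misses message 4 is still usable; the PBKDF2 step is what makes each candidate cost roughly 4096 HMAC-SHA1 operations, which matters for offline cracking but is irrelevant here because the victim supplies the candidate.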
## Indicators of Compromise
*Note: Fluxion runs on the attacker's machine and installs nothing on victims, so the IoCs are over-the-air and network behaviour (plus the tool's dependencies on a managed host) rather than persistent malware artifacts.*
- File Hashes: N/A (Tool distribution links provided only)
- File Names: `fluxion-0.22.zip`, `fluxion-0.23.zip`
- Registry Keys: N/A
- Network Indicators: Fluxion drives `hostapd` (rogue AP), `mdk3` (deauthentication), `lighttpd` (captive portal) and a fake DNS server on the attacker's host. On the air this appears as an unauthorized access point advertising the victim SSID from a BSSID that does not belong to the network. Because the attacker does not yet know the passphrase, the rogue AP cannot complete WPA with the real key and is presented as an open network; clients that join it receive a DNS server that resolves every name to the attacker's IP.
- Behavioral Indicators: bursts of deauthentication frames aimed at clients of the target BSSID, sent with the legitimate AP's address as source; a second AP with the target SSID appearing while the legitimate one is still up; clients dropping and re-associating; a web page that asks for the WPA passphrase; all DNS queries answered with a single IP.
## Associated Threat Actors
The provided context does not list specific APT groups known to use Fluxion. It is primarily categorized as a widely available penetration testing or hacking tool.
## Detection Methods
- Signature-based detection: Host signatures for the distribution archives (`.zip`) or the Bash/Python scripts catch the tool only on the attacker's own machine. That is useful for spotting unsanctioned pentest tooling on managed endpoints but does nothing for the victim network.
- Behavioral detection: On the air, a wireless IDS or a monitor-mode sensor can flag (a) a known SSID advertised from an unknown BSSID, or with a weaker security type than the authorized AP (open where the real network is WPA2), and (b) deauthentication/disassociation frames arriving at a rate no legitimate AP produces. On an endpoint, a Wi-Fi interface switched to monitor mode together with `aircrack-ng`, `hostapd`, `mdk3` and `lighttpd` running at the same time is characteristic of the tool.
- YARA rules: Not available in the context.
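The two over-the-air behaviours above (rogue SSID and deauthentication flood) are simple to check against a stream of parsed 802.11 management frames. The following is an added example for this page, not code from Fluxion or from any WIDS product; the frame log format (`timestamp type key=value ...`) and the log lines are constructed, and the authorized-AP table is a hypothetical allow-list a defender would maintain.

```python
from collections import defaultdict, deque

# Hypothetical allow-list: for each SSID we own, the BSSID and security type that are legitimate.
AUTHORIZED_APS = {"CorpWiFi": {"bssid": "aa:bb:cc:dd:ee:01", "sec": "wpa2"}}

# Constructed frame log (not a real capture). Format: "<ts> <frame type> key=value ...".
# The deauth lines carry the legitimate BSSID as source, as a spoofed mdk3 flood would.
SAMPLE_LOG = (
    ["1.00 beacon bssid=aa:bb:cc:dd:ee:01 ssid=CorpWiFi sec=wpa2",
     "1.05 beacon bssid=aa:bb:cc:dd:ee:02 ssid=GuestNet sec=open"]
    + [f"{2.0 + 0.1 * i:.2f} deauth bssid=aa:bb:cc:dd:ee:01 "
       f"src=aa:bb:cc:dd:ee:01 dst=ff:ff:ff:ff:ff:ff" for i in range(12)]
    + ["3.50 beacon bssid=02:00:00:00:00:99 ssid=CorpWiFi sec=open"]
)


def parse_frame(line: str) -> dict:
    """Turn one log line into a dict: ts (float), type, and the key=value fields."""
    ts, kind, *kvs = line.split()
    rec = {"ts": float(ts), "type": kind}
    for kv in kvs:
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


def detect(lines, authorized, window=5.0, threshold=10):
    """Return alerts for (1) beacons that advertise one of our SSIDs from a BSSID or with
    a security type we did not authorize, and (2) more than `threshold` deauth frames
    claiming the same BSSID within `window` seconds. Each condition alerts once."""
    alerts = []
    rogue_seen = set()
    flood_seen = set()
    deauth_times = defaultdict(deque)  # claimed BSSID -> timestamps inside the window
    for line in lines:
        f = parse_frame(line)
        if f["type"] == "beacon" and f["ssid"] in authorized:
            legit = authorized[f["ssid"]]
            if f["bssid"] != legit["bssid"] or f["sec"] != legit["sec"]:
                key = (f["ssid"], f["bssid"])
                if key not in rogue_seen:
                    rogue_seen.add(key)
                    alerts.append(("rogue_ap", f["ssid"], f["bssid"], f["sec"]))
        elif f["type"] == "deauth":
            times = deauth_times[f["bssid"]]
            times.append(f["ts"])
            while times and f["ts"] - times[0] > window:  # slide the window
                times.popleft()
            if len(times) >= threshold and f["bssid"] not in flood_seen:
                flood_seen.add(f["bssid"])
                alerts.append(("deauth_flood", f["bssid"], len(times)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, AUTHORIZED_APS):
        print(alert)
```

Two caveats for anyone turning this into a real sensor. The deauth frames are keyed by the BSSID they claim, because the source address is spoofed and cannot be trusted; a production WIDS corroborates with sequence-number jumps and signal strength relative to the real AP. Beacons from "GuestNet" are ignored because that SSID is not in the allow-list, so an attacker impersonating an SSID you do not track is invisible to this check; the allow-list has to cover every SSID your users have saved.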
## Mitigation Strategies
- Prevention measures: Enable 802.11w Protected Management Frames (PMF) on the AP and require it where the client population supports it; with PMF, unauthenticated deauthentication frames are dropped, which removes the `mdk3` step, and WPA3 makes PMF mandatory. A strong passphrase does not help on its own, because Fluxion does not attack the encryption: the user hands the passphrase over. PMF also does not stop a user from voluntarily joining an open network with the same name, so the prevention has to be partly procedural: the real network never asks for its Wi-Fi key in a web page, and users should be told that a captive portal requesting it after an unexpected disconnect is an attack.
- Hardening recommendations: Deploy a wireless IDS/IPS that alerts on known SSIDs advertised from unknown BSSIDs (or as open networks when the real network is WPA2) and on deauthentication floods; use WPA3-SAE where clients allow it; for organizations, prefer WPA2/WPA3-Enterprise (802.1X with server-certificate validation on clients) so there is no shared passphrase for a portal to phish; and rotate the PSK if a rogue AP carrying the network's SSID has been observed.
## Related Tools/Techniques
- Linset (The tool Fluxion is heavily based upon)
- Evil Twin Attack methodology
- Kali Linux distribution tools (Aircrack-ng suite, MDK3)