d3ext edited this page Jun 11, 2025 · 2 revisions

Custom captive portals

If you want to set up an Evil Twin attack with a custom site template (e.g. a Google login page), you can. WEF supports custom templates: select the custom option when it asks whether to use pre-built or custom templates, then type the path where the template is stored and it should work. Just make sure the template works on its own before doing anything else. You will have to verify manually whether the clients entered any kind of information.

Headless setup

WEF is also designed to work on a headless setup. To configure this, set airmon_check_kill to false in the configuration file (/usr/share/wef/wef.cnf). This prevents airmon-ng check kill from being executed when enabling monitor mode, so the wpa_supplicant and NetworkManager processes are not killed and the connection to the headless setup is maintained. It also changes how the attacks and scans are done. For example, the AP scan will not launch a new window; instead it will launch airodump-ng in the background and keep refreshing the results on the terminal.

Docker

To run WEF on Docker you will need to build and use the Dockerfile. Once the Dockerfile is in the current directory, it can be built using the following command:

docker build --tag 'wef' .

Then run the container, sharing the network adapter with it (--privileged and --net=host give the container access to the host's devices and network stack):

docker run --rm -it --privileged --net=host wef

Afterwards, you should be able to use WEF.

Working with 5 GHz

As long as your network adapter supports 5 GHz, WEF is fully compatible with both 2.4 GHz and 5 GHz. Once you select an attack to perform, the tool scans the nearby APs based on your configuration file (/usr/share/wef/wef.cnf), specifically the frequency_band value, which accepts 2.4 for 2.4 GHz, 5 for 5 GHz and auto to automatically detect the frequencies your network adapter supports (recommended).

Going back to menu

If you choose the wrong attack or you just want to go back to the main menu, you can simply type "back" and press [Enter]. If the attack is running, press Ctrl+C and it will ask you whether to exit the tool; type "n" or "no" and the attack will stop and return you to the menu.

Temporary files

While doing attacks and scans, some files are created. They are removed when you exit the tool, except for the files stored in /usr/share/wef/cache, as they may be useful after using the tool (they are deleted anyway when the tool is executed again), so you don't have to worry about them. Only the files generated by airodump-ng (when capturing WPA handshakes) and hcxdumptool (when capturing PMKID handshakes) are saved under /usr/share/wef/output/ESSID_BSSID/ for later handshake cracking or for use in other tools like Wireshark or Kismet.

Reports

Informative reports in HTML format (convertible to PDF) are also created under /usr/share/wef/reports/ when an attack finishes. They contain useful information like the attack date, the channel, the target, the result and more in a pretty good template. They are generated locally on the user's side.

PDF Reports

As mentioned, these HTML reports can easily be converted to PDF by using wkhtmltopdf. It is as easy as providing the input and output file like this:

wkhtmltopdf /usr/share/wef/reports/ESSID_BSSID_DATE.html report.pdf

PMKID attack

The hcxtools output is a bit confusing if you are not acquainted with it, so you should know what everything means before launching the attack. This is the legend:

real time display:
 R = + AP display:     AP is in TX range or under attack
 S = + AP display:     AUTHENTICATION KEY MANAGEMENT PSK
 P = + AP display:     got PMKID
 1 = + AP display:     got EAPOL M1 (CHALLENGE)
 3 = + AP display:     got EAPOL M1M2M3 (AUTHORIZATION)
 E = + CLIENT display: got EAP-START MESSAGE
 2 = + CLIENT display: got EAPOL M1M2 (ROGUE CHALLENGE)

This attack may break and stop working after some time, as the hcxtools project is still in continuous development and the tools' parameters may change, leading to potential errors. If this happens, open an issue and I will try to re-implement it as soon as possible.

What is VIF?

If you have experienced errors during the Evil Twin attack and deauthentication is not working, that could be due to a VIF (virtual interface) problem. During the Evil Twin attack, the physical card is divided into 2 logical cards, so if your adapter does not support this, it will cause errors.

This is often due to hardware limitations, mostly caused by the chipset. If you want to get a good Wi-Fi adapter you should probably buy one of the newest Alfa adapters, which usually use MediaTek chipsets and generally work fine without major problems.

However, if you want to manually check whether your network adapter supports it, execute sudo iw list | grep "Supported interface modes" -A 8 and, if you see "AP/VLAN" in the output, your network adapter allows VIF. You must see "AP/VLAN", not only "AP".
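
The same check as a script, as an added example that is not part of WEF: it reads `iw list` output per adapter and matches the whole mode name, so an adapter that lists only "AP" is reported as "no". The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not WEF code): report, per PHY, whether "AP/VLAN" is listed
# under "Supported interface modes" in `iw list` output read from stdin.
vif_support() {
    awk '
        # A new "Wiphy" line starts the next adapter: flush the previous one.
        /^Wiphy / {
            if (phy != "") print phy, (ok ? "yes" : "no")
            phy = $2; ok = 0; in_modes = 0; next
        }
        /Supported interface modes:/ { in_modes = 1; next }
        # Mode entries look like " * AP/VLAN"; compare the whole field so
        # that a plain "AP" entry is not mistaken for "AP/VLAN".
        in_modes && /^[ \t]*\*/ { if ($2 == "AP/VLAN") ok = 1; next }
        # Any other line ends the mode list.
        { in_modes = 0 }
        END { if (phy != "") print phy, (ok ? "yes" : "no") }
    '
}

# Constructed sample of `iw list` output for two adapters (offline demo).
sample_iw_list() {
    cat <<'EOF'
Wiphy phy1
    Supported interface modes:
         * managed
         * AP
         * monitor
    Band 1:
Wiphy phy0
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
    Band 1:
EOF
}

# On a real system: sudo iw list | vif_support
sample_iw_list | vif_support
```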

Online handshake cracking

WEF supports online cracking with WPA-SEC. You can use crack_online <file.cap> to upload a network capture which contains a handshake to WPA-SEC. To do this you will need a private API key, which you can easily get for free by signing up. Once you have the key, you just have to add it to the configuration file /usr/share/wef/wef.cnf.

After some time you should check whether the submitted handshakes have been cracked. To do that, simply use check_online and it will retrieve the cracked handshakes (if at least one was cracked).

WPA-SEC is a distributed WPA PSK auditor, so please keep in mind that all the work is done by volunteers and it is likely to be slow.

Auto PWN mode

This mode performs multiple attacks in order to catch the handshake or directly discover the WPA key of the targeted access point. How is this done? It starts by checking whether the target has WPS enabled. If so, it proceeds with the WPS attacks, as they directly lead to obtaining the password if they succeed. If any of the WPS attacks succeeds, the process stops.

Afterwards, it tries to catch the PMKID handshake, as this is much less noisy than deauthenticating a whole AP. Finally, if none of the other techniques worked, it tries to deauthenticate the AP in order to catch the handshake.

Think of this mode like an automatic way of auditing a network but with minimum effort.

Note that the Evil Twin attack is not included as it requires much more configuration and the attacker should always know what is happening exactly.

WEF + BSPWM

WEF launches multiple windows when scanning, attacking or doing other tasks. To do so it uses xterm, but when bspwm is the window manager, those windows are launched in floating state to make it easier to work with multiple windows at a time.

If you are not using bspwm as your window manager, nothing different will happen and the windows will be launched as always.
