─ An IoT Integrated Fully Automatic WIreless PHIshing System by Şefik Efe Altınoluk ─
Do not try this software on the users/systems that you have no legal permission. Usage of
Wi-Phi for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. I assume no liability and are not responsible for any misuse or damage caused by this software, documentation and anything in this repository.
Wi-Phi can be used maliciously, I removed critical parts of the software. Contact me from LinkedIn for any business/academical/educational cases that you need the whole working code.
© 2022 Şefik Efe Altınoluk, All rights reserved.
This project is licensed under the Gnu General Public License Version 3.0
See LICENSE for more details.
About the Project
Wi-Phi is an automatic
system fully integrated to wireless
IoT (Internet of Things) boards.
Wi-Phi is able to phish users who run at least one of the following softwares:
Main components of
- An IoT board that supports
MicroPythonfirmware. I use
Deneyap Kartbased on
- The MicroPython firmware:
- And the software above
Obtain an ESP32 IoT device.
Connect ESP32 to your computer and get the serial port that the ESP32 is connected on.
- For Windows, it is
- For GNU/Linux, it is either
- For Windows, it is
Then run following commands for GNU/Linux.
[efe@lhost ~]$ git clone https://github.com/f4T1H21/Wi-Phi.git && cd Wi-Phi [efe@lhost Wi-Phi]$ pip3 install -r requirements.txt [efe@lhost Wi-Phi]$ sudo ./setup.sh <serial_port>
- Manually reboot ESP32 by pressing reset button on ESP32.
Now, the software should be working, check if you see a Wi-Fi network named
Google Free Wi-Fi.
Whenever you plug ESP32 to a power supply, the project runs automatically after the boot stage.
Nothing else matters.
All the software is implemented on MicroPython, and runs on ESP32.
ESP32 becomes a Wireless AP (Access Point); and runs three (3) independent sockets (on OSI Layer 4):
All binding is done on the gateway’s (AP) IP address, which is
The reason why I chose such an IP class is because for some reason, Samsung devices don’t consider short IP addresses as captive portals. Which was a problem for me.
The main idea is serving a static phishing website on an HTTP server and making this a
captive portal for devices (stations) from any vendor that are connected over Wi-Fi.
Overview in OSI model:
Static siteserved by HTTP server
- Layer 7:
- Layer 4:
UDPsockets for high-level protocols
- Layer 3:
- Layer 2:
- Layer 1:
Below shows the well-designed scenario that
Wi-Phi works under.
This is also a case study that I assigned to myself. So let’s dive into the case…
How a Captive Portal works?
Most of the device vendors sends HTTP requests to their vendor-specific captive portal detection servers’ certain endpoints and expects particular HTTP responses to understand if the Wi-Fi network has a captive portal or not.
Below table shows what to response for various device vendors, in order to make device suppose a captive portal exists in Wi-Fi network.
Note: Mozilla is an exception to ‘device vendors’. Firefox (as a browser) is able to make this decision itself according to its own captive portal detection server.
302 Found status code, also need to have a
Location: header so as to redirect browser (client) properly.
|Device Vendor||Endpoints||Status Code||Response Body|
The role of DNS Server
To be able to response the http requests that are done to above endpoints, these requests should be sent to ESP32’s HTTP server. In order to achieve this, ESP32 should answer particular domain lookups to its own IP address.
- For example, the ip address for
So there need to be a Domain Name System Server running on ESP32. From this point of view, the scenerio looks similar to DNS Hijacking attacks.
Static Phishing page
I think Google is the most popular and trusted technology company world wide. So I prepared a static phishing page, which looks almost same to Gmail’s old login page. And also named Wi-Fi network as
Google Free Wi-Fi.
As the scenerio continues, after redirecting browser (client) to static login page, user is intended to enter his/her credentials and press next button. And the credentials is stored in a local file. Then user gets IP banned until next reboot of ESP32. Otherwise the local database can be messed up by dummy/wrong credentials. After all theese, client gets redirected to
/ directory of static site.
Whenever an IP banned client tries to access any resource on HTTP server, same html file
hacklendin.html is being served regardless of HTTP request’s method, head, body, etc.
On the other side, local credential store can be viewed remotely by connecting to
2121/tcp and authenticating with the hardcoded password while connected to Wi-Fi.
Wi-Phi is a feature-rich system. Verbose logs created by
DNS services can be viewed real-time. Theese logs are not stored locally to save storage.
To be able to see verbose logs,
- Connect ESP32 to your computer using a USB cable.
boot.py‘s content to a local file named
boot.pyfrom ESP32 device.
You can use
ampy tool for file operations and running software on ESP32.
Proof of Concept
Let’s take a look at a case that we have multiple independent devices from various vendors connected to our
Google Free Wi-Fi at the same time.
When IOS devices encounter a captive portal, they automatically fire up the captive portal page, without prompting the user, Nice!
Samsung devices only show a notification. So here user needs to click either
Sign in to the network or the notification on the top of the screen.
Xiaomi devices show a notification too. They also sometimes open captive portal page automatically, without prompting the user again!
In Firefox, a prompt appears on the top of application window. After clicking
Open network login page, it opens captive portal page in a new tab.
And the other guy who doesn’t even let users to decide (like IOS). Always opens captive portal page automatically.
As I explained before,
The whole period of learning, implementing what I learned to real life, fixing bugs and writing this documentation was a lot fun for me! I hope you use these knowledge for the ethical! Contact me for additional questions and business/academical/educational cases.
─ Written by Şefik Efe Altınoluk ─