What is Fluxion?
Fluxion is a wireless security auditing framework that performs evil twin and MITM attacks against WPA/WPA2 networks. It works by creating a rogue access point that mimics a target network, deauthenticating connected clients to force them onto the fake AP, and then presenting a captive portal that captures the Wi-Fi password when the victim re-enters it. Unlike brute-force tools, Fluxion requires no wordlist — it relies on social engineering instead.
Only use on networks you own or have explicit written permission to test. Unauthorized use violates Pakistan's PECA 2016 and international cybercrime laws. This tool performs active attacks — use in isolated lab environments only.
Requirements
- A wireless adapter that supports monitor mode and packet injection
- A second wireless adapter (recommended) to host the rogue AP simultaneously
- Kali Linux or a Debian-based distro with aircrack-ng suite installed
Installation
    # Update packages
    sudo apt update

    # Install dependencies
    sudo apt install aircrack-ng hostapd dnsmasq -y

    # Clone Fluxion from GitHub (not in apt repos)
    git clone https://github.com/FluxionNetwork/fluxion.git
    cd fluxion

    # Run the installer (installs remaining dependencies)
    sudo bash fluxion.sh --install

    # Launch Fluxion
    sudo bash fluxion.sh
Basic Workflow
    # 1. Launch Fluxion
    sudo bash fluxion.sh

    # 2. Select option: Captive Portal attack

    # 3. Scan for nearby Wi-Fi networks
    #    Fluxion will open a scan window — press Ctrl+C when target appears

    # 4. Select your target network from the list

    # 5. Choose handshake capture method:
    #    - Check for existing handshakes
    #    - aircrack-ng (capture new handshake via deauth)

    # 6. Select Rogue AP creation method:
    #    - hostapd (recommended)

    # 7. Select captive portal (language/template)

    # 8. Fluxion deauths clients, spins up fake AP,
    #    and waits for victim to enter the password

    # 9. Captured credentials are saved to:
    #    /root/attacks/Captured/
How the Attack Works
- Scans for nearby WPA/WPA2 networks and captures a handshake
- Creates a rogue AP cloning the target SSID and BSSID
- Sends deauthentication frames to disconnect clients from the real AP
- Clients reconnect to the fake AP and are shown a captive portal
- Entered passwords are verified against the captured handshake in real time
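From the defender's side, the steps above leave two observable signals: a deauthentication burst against one BSSID, and that same BSSID being advertised with a second profile. The following detection sketch is an added example, not part of Fluxion or the original page; the record layouts, thresholds and sample values are constructed, and it assumes the clone differs from the real AP in channel or security setting.

```python
from collections import defaultdict

# Constructed sample observations (not real captures).
# Beacons: (timestamp_s, ssid, bssid, channel, security)
BEACONS = [
    (0.0, "CorpWiFi", "aa:bb:cc:00:11:22", 6, "WPA2"),
    (1.0, "CorpWiFi", "aa:bb:cc:00:11:22", 6, "WPA2"),
    (5.0, "CorpWiFi", "aa:bb:cc:00:11:22", 11, "OPEN"),  # second profile, same BSSID
    (5.5, "GuestNet", "aa:bb:cc:00:33:44", 1, "OPEN"),
]
# Deauth frames: (timestamp_s, bssid the frame claims to come from)
DEAUTHS = [(4.0 + i * 0.05, "aa:bb:cc:00:11:22") for i in range(40)] + [
    (30.0, "aa:bb:cc:00:33:44"),  # a single deauth is normal background
]

def find_cloned_aps(beacons):
    """Return (ssid, bssid) pairs seen with more than one (channel, security)."""
    # A channel change alone can be legitimate; a security change is the stronger sign.
    profiles = defaultdict(set)
    for _ts, ssid, bssid, channel, security in beacons:
        profiles[(ssid, bssid)].add((channel, security))
    return {key: sorted(p) for key, p in profiles.items() if len(p) > 1}

def find_deauth_bursts(deauths, window_s=2.0, threshold=20):
    """Return {bssid: peak count} where any sliding window reaches the threshold."""
    by_bssid = defaultdict(list)
    for ts, bssid in deauths:
        by_bssid[bssid].append(ts)
    flagged = {}
    for bssid, times in by_bssid.items():
        times.sort()
        start = peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[bssid] = peak
    return flagged

def correlate(beacons, deauths):
    """BSSIDs showing both signals: a conflicting profile and a deauth burst."""
    cloned = {bssid for (_ssid, bssid) in find_cloned_aps(beacons)}
    return sorted(cloned & set(find_deauth_bursts(deauths)))

if __name__ == "__main__":
    print(correlate(BEACONS, DEAUTHS))
```

Either signal alone produces false positives on busy networks; alerting on the correlation keeps the noise down.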
Common Use Cases
- Authorized wireless penetration testing engagements
- Testing employee susceptibility to evil twin attacks
- Wi-Fi security audits on owned networks
- Advanced CTF wireless challenges
Further Reading
Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs. Always read the official documentation before using the tool in a live engagement.