How To Make A Fake Access Point To Harvest Login Credentials

The whole idea was to create a free wifi point, without any password. Grant access to anyone who gets connected to it. Now that it doesn’t ask for any password anyone whose wifi is turned on will automatically get connected to the fake wifi point and all the freebies will definitely be attracted to it.

So, the first thing I had to do was to create the fake access point. To carry that out I used the tool called as wifi-pumpkin. The best thing about this tool is that it lets you set up a fake access point with incredible simplicity. Once, you clone the tool from the Github repository into your Kali machine, just make sure you have installed hostapd as well in your Kali machine, as it requires that.

The GUI version of WiFi-Pumpkin looks something like the picture in the side. You can easily set up the whole network features according to your needs.

Everything you need to setup the fake access point is available under the “Settings” tab.

Here you can configure the name of the wifi, provide it with a BSSID, which channel do you want it to work on, choose the network adapter and many more features. You can go ahead and also assign the IP range, the activities you want to monitor etc.

So after all the configuration is done you can go ahead and start the fake wifi. It is preferred to setup the fake wifi point with a common name, like “Free -Wifi” or “Jio-Net” or the name of a nearby shop or something like that. It helps to establish trust with the users, so that they will use your fake wifi point without any hesitance. Once you boot up your wifi point, the devices starts to get connected and all of them will be listed in the “Home” tab.


You can view all the logs in the “Activity-Monitor” tab, it has all the logins the user made on any of the http websites, it has the logs of every website the user visited while he was connected to your fake access point.

Logs of websites & login credentials

You can enhance the level of the hack by using different plugins present under the “Plugins” tab, it has many advanced tools one of them is key-logger. Under the “Images-Cap” you can view all the images that is being loaded on the website that the user is visiting.

This gives you complete access to all the details of the user who is utilising your WiFi point. You can’t perform a better attack than this on a network ( that’s my opinion ).


So, the most basic thing here is never ever use a free wifi point until and unless you have complete trust over it. Anyone on that network could be sniffing your traffic and you will never know, till it’s too late.

Whenever logging into banking websites or your social network accounts always make sure that you are using a trusted network or even better use your own data on your mobile phones. That will keep you secure to a huge extent and unwanted leak of your data won’t take place.


NOTE: The only problem with this attack is it’s not guaranteed to work all the time, as the dictionary attack won’t work.


Thanks for the info :100::+1:

1 Like

Nice share.

1 Like