Fluxion repo taken off GitHub

[jeffmcjunkin]

This affects https://github.com/trustedsec/ptf/blob/f3b9902a25cbfdc8de992d61222ac0bc80570dd2/modules/wireless/fluxion.py.

Looks like some copies exist on GitHub, but A) I'm not sure if they're actually legit copies and B) I'm not sure if you want to switch to one of them.

The author mentioned more info in one of those copies:
https://github.com/wi-fi-analyzer/fluxion/issues/3

And kinda-sorta complained about another copy:
MuhammadOmar125/fluxion#1

[deltaxflux]

yep switched to fluxion.tk

[BustedSec]

thanks - I'll fix the installer

[deltaxflux]

your welcome

[BustedSec]

installer fixed. new pull request initiated.

[BustedSec]

resubmitted fix in new pull request

[trustedsec]

Thanks for the fix! Closing this one.

[strasharo]

The repository is available here:
https://github.com/FluxionNetwork/fluxion

[TheLuther123]

I'd be careful with that MuhammadOmar125/fluxion#1 repo...he has interesting stuff in the index files in Sites.zip...

<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A900003000000040000....snip....

[BustedSec]

nice find Luthor - we're using the .tgz from the authors website for now

[YoshiiShinoZaki]

regarding TheLuther123 comment ("DropFileName"): this is known Ramnit trojan behavior (capabiliities: backdoor, banking trojan, credential theft). Indicators: destination port 447 and destination TCP port 443 (not HTTPS, but a custom proto).

• dport 443: magic header (layer 7) x00ff layer 7 offset 0 > x00ff + packet size (right limit of packet size delimited by first "command" (0x01, 0x11, 0x13, 0x15, 0x21, 0x15, 0x23, 0x51, 0xe2, 0xe8)

• C2 responds, port "443" (layer 7) with 00ff0100000001; malware responds (infected system), destination port 443, with "00ff51" (hex)

1. REF: https://www.hybrid-analysis.com/sample/f9e59cffc6269c7a73831002bb1f8bbb5d4fdb78c616cce40fa3f481a917d8a2?environmentId=100

2. REF: https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/