下面以kali linux为例,带大家分别一起学习如何利用Aircrack 和 Cowpatty两种工具进行无线WPA/WPA-PSK的攻击与破解。如果大家是在vmware虚拟机上做破解攻击的话,你们需要先准备一个kali linux能够识别的外置无线网卡,然后再加载进虚拟的攻击机上,因为我是在自己本身的物理机上做的。详细步骤如下:
Step1:升级 Aircrack-ng
为了更好地识别出无线网络设备以及环境,我们现在先对Airodump-ng的OUI库进行升级,想进入到Aircrack-ng的安装目录下,然后输入一下命令:airodump-ng-oui-update ,然后回车,等待一段时间之后就升级成功了。
Step2:载入无线网卡
在进入kali linux之后,进入图形界面之后,插入之前准备好的USB无线网卡,(我这里用的是MECURY 的300M无线网卡,大家可以上网找一下kali linux系统所支持的网卡芯片类型,只要能识别出就可以)再查看一下无线网卡的载入情况,可以使用一下命令查看:ifconfig -a
如果载入识别成功之后,那么我们接下来便可以激活无线网卡了,输入下面命令便可激活:
ifconfig wlan0 up
其中,up用于启动网卡,这是我们可以再用ifconfg命令确认一下载入启用情况。
Step3:激活网卡至monitor模式,就是我们平时所说的监听模式。
这里要将网卡启动monitor模式,才能抓取无线数据包进行分析破解我们可以利用aircrack-ng套件里面的airmon-ng工具开启监听模式:airmon-ng start wlan0
root@kali:/opt/mydownload# airmon-ng start wlan0
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2502 NetworkManager
2531 wpa_supplicant
Interface Chipset Driver
wlan0 Atheros AR9565 ath9k - [phy0]
(monitor mode enabled on mon0)
其中,上面的start后面是跟我们即将开启monitor模式的无线网卡设备名。
而,上面的绿色的标记是无线网卡的芯片型号(Atheros AR9565),默认驱动为ath9k,在监听模式下,适配器更改名称为mon0。
Step4:抓取目标信道的无线数据包
开启好,监听模式之后,我们便使用Aircrack-ng套件里面的airodump-ng套件进行无线数据包的抓取,在这一步骤是整个破解过程比较重要的阶段而其中我们要破解的关键点就是要获取AP与无线客户端的握手数据包(WPA/WPA2 shankhand)报文,然后对报文进行破解,从而提取出密钥,达到破解的木的。
首先,我们在对目的AP的攻击之前,我们要先要对无线网络信道进行探测,以便于确定攻击的目标信道和AP,再进行下一步的针对性的数据包抓取。
这是,我们可以使用下面的命令对信道数据进行侦查:airodump-ng wlan0
airodump-ng 工具是用于获取当前无线网络的概况,包括AP的SSID、MAC地址、工作频道、无线客户端的MAC以及数量等情况,后面跟上的是无线网卡的设备名。
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
B0:D5:9D:3B:B7:84, 2015-09-22 17:26:52, 2015-09-22 17:27:13, 11, 54, WPA2, CCMP,PSK, -91, 4, 0, 0. 0. 0. 0, 29, 瀵..8涓6锛.甯.姣..浠ヨ.,
0C:84:DC:7B:BC:61, 2015-09-22 17:26:27, 2015-09-22 17:27:11, 1, 54, WPA2, CCMP,PSK, -86, 27, 0, 0. 0. 0. 0, 4, mini,
00:87:36:0F:50:2F, 2015-09-22 17:26:27, 2015-09-22 17:27:07, 1, 54, WPA2, CCMP,PSK, -86, 10, 0, 0. 0. 0. 0, 3, kfc,
60:36:DD:DD:D8:59, 2015-09-22 17:26:37, 2015-09-22 17:27:14, 11, 54, WPA2, CCMP,PSK, -85, 15, 0, 0. 0. 0. 0, 3, zwz,
72:54:99:D1:73:D8, 2015-09-22 17:26:28, 2015-09-22 17:27:12, 2, 54, WPA2, CCMP,PSK, -83, 46, 0, 0. 0. 0. 0, 15, DreamBox_D173D8,
00:1F:64:E0:20:E9, 2015-09-22 17:26:27, 2015-09-22 17:27:13, 3, 54, OPN , , , -77, 58, 0, 0. 0. 0. 0, 8, CMCC-WEB,
00:1F:64:E1:20:E9, 2015-09-22 17:26:27, 2015-09-22 17:27:13, 3, 54, WPA2, CCMP, MGT, -77, 62, 0, 0. 0. 0. 0, 4, CMCC,
D4:EE:07:20:0A:5A, 2015-09-22 17:26:27, 2015-09-22 17:27:11, 1, 54, WPA2, CCMP,PSK, -76, 49, 0, 0. 0. 0. 0, 6, WXWiFi,
3A:67:B0:71:FD:1D, 2015-09-22 17:26:30, 2015-09-22 17:27:14, 11, 54, WPA2, CCMP,PSK, -75, 82, 0, 0. 0. 0. 0, 13, LieBaoWiFi819,
2C:D0:5A:FB:B5:28, 2015-09-22 17:26:29, 2015-09-22 17:27:14, 10, 54, WPA2, CCMP,PSK, -69, 65, 37, 0. 0. 0. 0, 24, ...澶х.峰氨缁.浣.,
48:5A:B6:D9:1F:11, 2015-09-22 17:26:29, 2015-09-22 17:27:14, 11, 54, WPA2, CCMP,PSK, -65, 88, 0, 0. 0. 0. 0, 12, 360WiFi-8317,
00:36:76:36:EF:A7, 2015-09-22 17:26:27, 2015-09-22 17:27:13, 6, 54, WPA2, CCMP,PSK, -61, 95, 0, 0. 0. 0. 0, 13, 缁...~..韬,
D2:7E:35:A3:87:2A, 2015-09-22 17:26:30, 2015-09-22 17:27:14, 11, 54, WPA2, CCMP,PSK, -50, 31, 0, 0. 0. 0. 0, 3, gun,
Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
D4:0B:1A:69:34:00, 2015-09-22 17:26:40, 2015-09-22 17:26:40, -90, 8, (not associated) ,
9C:65:B0:0F:9D:3A, 2015-09-22 17:27:01, 2015-09-22 17:27:01, -88, 4, (not associated) ,
60:36:DD:DD:D8:59, 2015-09-22 17:26:52, 2015-09-22 17:26:53, -87, 3, (not associated) ,
48:D2:24:1C:A1:B5, 2015-09-22 17:26:36, 2015-09-22 17:26:36, -85, 1, (not associated) ,
70:72:3C:ED:DE:1D, 2015-09-22 17:26:38, 2015-09-22 17:26:45, -84, 4, 0C:84:DC:7B:BC:61, mini
90:E7:C4:83:7E:66, 2015-09-22 17:26:37, 2015-09-22 17:27:08, -81, 6, 00:87:36:0F:50:2F,
38:BC:1A:21:D0:5B, 2015-09-22 17:26:30, 2015-09-22 17:27:01, -74, 18, 3A:67:B0:71:FD:1D,
BC:85:56:DD:84:54, 2015-09-22 17:27:02, 2015-09-22 17:27:02, -74, 9, (not associated) ,
48:5A:B6:D9:1F:11, 2015-09-22 17:26:55, 2015-09-22 17:27:03, -67, 13, 3A:67:B0:71:FD:1D,
60:D9:A0:A9:51:9C, 2015-09-22 17:26:34, 2015-09-22 17:26:48, -58, 23, 2C:D0:5A:FB:B5:28,
30:C7:AE:A5:F5:02, 2015-09-22 17:26:40, 2015-09-22 17:27:09, -51, 11, 2C:D0:5A:FB:B5:28,
上面是抓去无线环境的一个csv输出报文,可以从上面的信息中,清晰看到BSSID、信道、信道速率、认证方式、ESSID,还有红色部分的分别有station(无线客户端)MAC,packets的个数,BSSID(连接AP的MAC地址),ESSID等信息。
通过上面对无线网络环境的初步探测之后,我们便对其中的目标信道里面的特定AP进行数据包报文的探测分析,如11信道的ESSID为“gun”的AP进行分析。
kaili#airodump-ng -c 11 -w test2 mon0
-c:针对信道号
-w:输出的cap和csv报文名称
mon0:无线适配器的别名
以上便是利用aircrack-ng套件破解WPA/WPA2-PSK无线加密的破解过程,如有疑问请与本人交流,谢谢。
http://www.iyunv.com/thread-117445-1-1.html
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)