Wireless Penetration (8): AIRCRACK-NG SUITE

AIRDECAP-NG
Strip the 802.11 header
airdecap-ng -b <AP MAC> 1.pcap
Decrypt WEP-encrypted data
airdecap-ng -w <WEP key> -b <AP MAC> 1.pcap
An association with the AP must have been established
Decrypt WPA-encrypted data
airdecap-ng -e kifi -p <PSK> -b <AP MAC> 1.pcap
The capture file must contain the 4-way handshake; without it the data cannot be decrypted
root@kali:~# service network-manager stop
root@kali:~# airmon-ng check kill
Killing these processes:
PID Name
875 wpa_supplicant
1580 dhclient
root@kali:~# airmon-ng start wlan2
No interfering processes found
PHY Interface Driver Chipset
phy0 wlan2 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
(mac80211 monitor mode vif enabled for [phy0]wlan2 on [phy0]wlan2mon)
(mac80211 station mode vif disabled for [phy0]wlan2)
root@kali:~# airodump-ng wlan0mon
CH 1 ][ Elapsed: 18 s ][ 2019-03-09 05:20
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
D8:B0:4C:C3:25:E0 -68 7 0 0 11 65 WPA2 CCMP PSK <length
D4:EE:07:67:22:90 -75 9 2 0 8 270 WPA2 CCMP PSK ziroom4
D0:76:E7:51:2A:78 -83 7 0 0 1 270 WPA2 CCMP PSK ziroom5
40:31:3C:FD:BE:D2 -86 5 0 0 1 130 WPA2 CCMP PSK Xiaomi_
BSSID STATION PWR Rate Lost Frames Probe
D4:EE:07:67:22:90 20:16:B9:33:38:F3 -1 2e- 0 0 2
root@kali:~# airodump-ng wlan0mon --bssid D4:EE:07:67:22:90 -c 8 -w TP-01
CH 8 ][ Elapsed: 2 mins ][ 2019-03-09 05:25 ][ WPA handshake: D4:EE:07:67:22:90
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESS
D4:EE:07:67:22:90 -69 2 1123 13256 172 8 270 WPA2 CCMP PSK zir
BSSID STATION PWR Rate Lost Frames Probe
D4:EE:07:67:22:90 70:8A:09:9A:01:C4 -1 2e- 0 0 6
D4:EE:07:67:22:90 A4:50:46:E0:FA:06 -28 0e- 1e 2 13189
D4:EE:07:67:22:90 20:16:B9:33:38:F3 -32 2e- 6e 0 196
D4:EE:07:67:22:90 DC:F0:90:8B:A1:A6 -62 0e- 6 0 31
D4:EE:07:67:22:90 D4:A1:48:4B:96:F6 -84 2e- 6 0 17
D4:EE:07:67:22:90 5C:F5:DA:E2:35:A6 -90 2e- 1 0 5
root@kali:~# wireshark tp-01.cap
Filter out the packets of interest
root@kali:~# airdecap-ng -e ziroom401 -b D4:EE:07:67:22:90 -p ziroomer TP-01-02.cap
Total number of stations seen 7
Total number of packets read 42483
Total number of WEP data packets 0
Total number of WPA data packets 12119
Number of plaintext data packets 0
Number of decrypted WEP packets 0
Number of corrupted WEP packets 0
Number of decrypted WPA packets 12019
Number of bad TKIP (WPA) packets 0
Number of bad CCMP (WPA) packets 0
# Decryption writes a -dec.cap file to the current directory
TP-01-02-dec.cap
root@kali:~# wireshark TP-01-02-dec.cap
The 802.11 packets have been decrypted successfully, and the plaintext can now be viewed
AIRSERV-NG
Serves a wireless card over the network
Some wireless cards do not support client/server mode
Start wireless monitoring
Server side
airserv-ng -p 3333 -d wlan2mon
Client side
airodump-ng 192.168.1.1:3333
Some firewalls interfere with communication between client and server
root@kali:~# airserv-ng -p 3333 -d wlan0mon
Opening card wlan0mon
Setting chan 1
Opening sock port 3333
Serving wlan0mon chan 1 on port 3333
root@kali:~# netstat -pantu | grep 3333
tcp 0 0 0.0.0.0:3333 0.0.0.0:* LISTEN 16702/airserv-ng
root@kali:~# airodump-ng 127.0.0.1:3333
AIRTUN-NG
Wireless intrusion detection (wIDS)
Wireless password and BSSID
The handshake must be captured
Relay and replay
Repeat/Replay
AIRTUN-NG
wIDS
WEP: airtun-ng -a <AP MAC> -w SKA wlan2mon
WPA: airtun-ng -a <AP MAC> -p PSK -e kifi wlan2mon
ifconfig at0 up
4-way handshake
In theory wIDS supports multiple APs, but reliability drops with more than 2 APs
WPA: airtun-ng -a <AP MAC> -p PSK -e kifi1 wlan2mon
ifconfig at1 up
With multiple APs on different channels: airodump-ng -c 1,11 wlan2mon
root@kali:~# airtun-ng -a D4:EE:07:67:22:90 -p ziroomer002 -e ziroom401 wlan0mon
created tap interface at0
WPA encryption specified. Sending and receiving frames through wlan0mon.
FromDS bit set in all frames.
root@kali:~# ifconfig -a    # at0 is now listed
root@kali:~# ifconfig at0 up
root@kali:~# airodump-ng wlan0mon --bssid 14:75:90:21:4F:56 -c 6
root@kali:~# driftnet -i at0    # capture image data
root@kali:~# dsniff -i at0    # capture account and password data
root@VB:~# tcpreplay -ieth1 -M1000 ids.pcap
Sending out eth1
processing file: ids.pcap
Actual: 8497 packets (4090599 bytes) sent in 1.87 seconds
Rated: 2187486.0 bps, 16.96 Mbps, 4543.85 pps
Statistics for network device: eth1
Attempted packets: 8487
Successful packets: 8497
Failed packets: 0
Retried packets (ENOBUFS): 0
Retried packets (EAGAIN): 0
posted @ 2019-03-12 22:27  micr067