Wireless Penetration Testing in Practice
I. AIRCRACK-NG basics
The go-to toolkit for wireless penetration testing and auditing
A suite of tools covering several functions:
- Network detection
- Sniffing and packet capture
- Packet injection
- Password cracking
II. AIRMON-NG
1. Check the NIC driver and chipset information
┌──(root💀kali)-[/home/kali]
└─# airmon-ng

PHY     Interface       Driver          Chipset

phy0    wlan0           rt2800usb       Ralink Technology, Corp. RT5370
2. airmon-ng check
Checks for processes on the current system that may conflict with the aircrack suite; use airmon-ng check kill to terminate them.
3. Start and stop monitor mode
Note: a number can be appended after "airmon-ng start wlan0" to specify the working channel.
III. airodump-ng
1. Selected commands
airodump-ng wlan0mon                                                                      # hop across all supported channels
airodump-ng wlan0mon -c 11                                                                # capture on channel 11; because channels overlap, frames from other channels may still be captured
airodump-ng wlan0mon -c 6 --bssid 54:75:95:2E:B3:6B                                       # capture only the specified AP (BSSID)
airodump-ng wlan0mon -c 6 --bssid 54:75:95:2E:B3:6B -w /home/kali/Desktop/test.cap        # write the capture to test.cap
airodump-ng wlan0mon -c 6 --bssid 54:75:95:2E:B3:6B -w /home/kali/Desktop/test.cap --ivs  # capture only packets containing IVs
Example:
┌──(root💀kali)-[/home/kali]
└─# airodump-ng wlan0mon -c 6 --bssid 54:75:95:2E:B3:6B

 CH  6 ][ Elapsed: 0 s ][ 2022-04-17 08:36 ][ fixed channel wlan0mon: -1

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 54:75:95:2E:B3:6B  -16  84       14      526  208   6  405   WPA2 CCMP   PSK  窝窝头

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 54:75:95:2E:B3:6B  C8:94:02:DF:2C:A1  -26    0 -11     14       59
 54:75:95:2E:B3:6B  7A:56:70:E8:D4:3E  -28    1e- 1e    357      523
Quitting...
Note: if no packets are captured after "airmon-ng start wlan0", try adding a monitor interface with the iw command instead; the relevant commands are:
iw dev wlan0 interface add wlan0mon type monitor
ifconfig wlan0mon up
2. Interpreting the capture output
- BSSID: MAC address of the AP
- PWR: signal strength received by the NIC; the closer the AP, the stronger the signal
- -1: the driver does not report signal strength (see the figure below), or the STA is beyond reception range (see mark 3 in the figure above)
- RXQ: percentage of frames (data and management frames) successfully received in the last 10 seconds; only shown when the channel is fixed
- Beacons: number of beacon frames received from this AP
- #Data: number of data frames captured (for WEP, the number of IVs), including broadcast data frames
- #/s: average number of frames captured per second over the last 10 seconds
- CH: channel number (taken from beacon frames); because channels overlap, APs on other channels may also be seen
- MB: maximum rate supported by the AP
- ENC: wireless security technology in use: WEP, WPA, WPA2, OPEN
- CIPHER: cipher suite in use: CCMP, TKIP, WEP40, WEP104
- AUTH: authentication method: MGT (enterprise), PSK (personal), SKA (WEP), OPEN
- ESSID: wireless network name; for a hidden AP this may be empty, and airodump discovers hidden APs from probe and association request frames (see mark 1 in the figure above)
- STATION: MAC address of the STA
- Lost: number of packets (management and data frames) lost in the STA's transmissions over the last 10 seconds, determined from sequence numbers
  - caused by interference or distance
  - we may see what is sent but not what is received, or the reverse
- Packets (Frames): number of packets sent by the STA
- Probes: ESSIDs the STA is probing for (see mark 2 in the figure above)
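The field list above is easier to use if the screen output is turned into records and checked automatically. The following Python script is an added example, not code from the original post or from the aircrack-ng project. It parses the text layout airodump-ng prints with a fixed channel (so the RXQ column is present; the header line is inspected to confirm this), then audits each AP for the weak settings the field descriptions mention (OPN, WEP, WPA1, TKIP, hidden ESSID) and flags stations whose PWR is -1. The sample input is the page's own example output plus a few constructed lines (marked as such) so that the audit has something to report.

```python
"""Parse airodump-ng screen output into AP/station records and flag weak settings.
Added example, not part of the original post; assumes fixed-channel output (RXQ present).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

# Station row: BSSID STATION PWR Rate Lost Frames [Notes Probes]; Rate looks like "0 -11" or "1e- 1e".
STA_RE = re.compile(
    rf"^(?P<bssid>{MAC}|\(not associated\))\s+(?P<station>{MAC})\s+(?P<pwr>-?\d+)\s+"
    r"(?P<rate>\S+?\s*-\s*\S+)\s+(?P<lost>\d+)\s+(?P<frames>\d+)(?:\s+(?P<extra>.*\S))?\s*$"
)


@dataclass
class AccessPoint:
    bssid: str; pwr: int; rxq: Optional[int]; beacons: int; data: int; per_s: int
    ch: int; mb: str; enc: str; cipher: str; auth: str; essid: str


@dataclass
class Station:
    bssid: str; station: str; pwr: int; rate: str; lost: int; frames: int
    extra: str  # Notes and Probes columns, kept as free text


def _ap_regex(has_rxq: bool) -> "re.Pattern":
    """AP row regex; RXQ is only printed when the channel is fixed, so it is optional."""
    rxq = r"(?P<rxq>-?\d+)\s+" if has_rxq else ""
    return re.compile(
        rf"^(?P<bssid>{MAC})\s+(?P<pwr>-?\d+)\s+{rxq}(?P<beacons>\d+)\s+(?P<data>\d+)\s+"
        r"(?P<per_s>\d+)\s+(?P<ch>-?\d+)\s+(?P<mb>\S+)\s+(?P<enc>\S+)"
        r"(?:\s+(?P<cipher>CCMP|GCMP|TKIP|WEP40|WEP104|WEP))?"
        r"(?:\s+(?P<auth>PSK|MGT|SKA|OPN|SAE))?(?:\s+(?P<essid>.*\S))?\s*$"
    )


def parse_airodump(text: str) -> Tuple[List[AccessPoint], List[Station]]:
    """Walk the output; the two header lines decide whether a row is an AP or a station."""
    aps, stations, section, ap_re = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BSSID") and "STATION" in line:
            section = "sta"
            continue
        if line.startswith("BSSID") and "ESSID" in line:
            section, ap_re = "ap", _ap_regex("RXQ" in line)
            continue
        m = ap_re.match(line) if section == "ap" else STA_RE.match(line) if section == "sta" else None
        if not m:
            continue
        if section == "ap":
            rxq = m.groupdict().get("rxq")
            aps.append(AccessPoint(m["bssid"].upper(), int(m["pwr"]), int(rxq) if rxq else None,
                                   int(m["beacons"]), int(m["data"]), int(m["per_s"]), int(m["ch"]),
                                   m["mb"], m["enc"], m["cipher"] or "", m["auth"] or "", m["essid"] or ""))
        else:
            stations.append(Station(m["bssid"].upper(), m["station"].upper(), int(m["pwr"]), m["rate"],
                                    int(m["lost"]), int(m["frames"]), m["extra"] or ""))
    return aps, stations


def audit(aps: List[AccessPoint], stations: List[Station]) -> List[str]:
    """Report the weak ENC/CIPHER values and the PWR -1 case described in the field list."""
    findings = []
    for ap in aps:
        label = f"{ap.essid or '<hidden>'} ({ap.bssid})"
        if ap.enc == "OPN":
            findings.append(f"{label}: open network, traffic is unencrypted")
        elif ap.enc == "WEP":
            findings.append(f"{label}: WEP is broken and should be replaced")
        elif ap.enc == "WPA":
            findings.append(f"{label}: WPA1 should be upgraded to WPA2/WPA3")
        if ap.cipher == "TKIP":
            findings.append(f"{label}: TKIP cipher enabled, prefer CCMP")
        if not ap.essid:
            findings.append(f"{label}: hidden ESSID (hiding is not a security control)")
    for st in stations:
        if st.pwr == -1:
            findings.append(f"station {st.station}: PWR -1 (out of range or driver does not report)")
    return findings


# Sample input: the page's own capture, plus constructed rows marked "constructed".
SAMPLE = """\
 CH  6 ][ Elapsed: 0 s ][ 2022-04-17 08:36 ][ fixed channel wlan0mon: -1

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 54:75:95:2E:B3:6B  -16  84       14      526  208   6  405   WPA2 CCMP   PSK  窝窝头
 00:11:22:33:44:55  -40  60       20       10    0   6   54   WEP  WEP    SKA  constructed-wep
 66:77:88:99:AA:BB  -55  70       30        0    0  11   54   OPN              constructed-open

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 54:75:95:2E:B3:6B  C8:94:02:DF:2C:A1  -26    0 -11     14       59
 54:75:95:2E:B3:6B  7A:56:70:E8:D4:3E  -28    1e- 1e    357      523
 54:75:95:2E:B3:6B  AA:BB:CC:DD:EE:01   -1    0 - 1      0        3
"""

if __name__ == "__main__":
    found_aps, found_stations = parse_airodump(SAMPLE)
    print(f"{len(found_aps)} APs, {len(found_stations)} stations")
    for finding in audit(found_aps, found_stations):
        print("-", finding)
```

The Notes and Probes columns are kept as one free-text field because airodump-ng separates them only by column position, which whitespace splitting cannot recover; a CSV written with -w is the better source when probes matter.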
3. Troubleshooting
(1) No AP or STA information is shown
- See the note under 1 above
- On a physical machine using the laptop's built-in wireless card, make sure the wireless card is enabled in the BIOS
- Confirm the wireless card works normally in managed mode
- Try disabling the network-manager service
- Try unloading (rmmod) and reloading (modprobe) the driver
(2) airodump-ng stops capturing after running for a while
- airmon-ng check kill
- Confirm the wpa_supplicant process has stopped
IV. AIREPLAY-NG
1. Introduction
Generates or accelerates wireless traffic
- Injects packets into the wireless network
- Fake authentication
- Forced re-authentication
- Capture and replay
- Used for subsequent WEP and WPA password cracking
- Supports 10 kinds of packet injection
Two ways to obtain packets
- From a specified interface (-i)
- From a pcap capture file (-r)
2. AIREPLAY-NG help
┌──(root💀kali)-[/home/kali]
└─# aireplay-ng

  Aireplay-ng 1.6  - (C) 2006-2020 Thomas d'Otreppe
  https://www.aircrack-ng.org

  usage: aireplay-ng <options> <replay interface>

  Filter options:

      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length
      -n len    : maximum packet length
      -u type   : frame control, type    field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -w iswep  : frame control, WEP     bit
      -D        : disable AP detection

  Replay options:

      -x nbpps  : number of packets per second
      -p fctrl  : set frame control word (hex)
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -g value  : change ring buffer size (default: 8)
      -F        : choose first matching packet

      Fakeauth attack options:

      -e essid  : set target AP SSID
      -o npckts : number of packets per burst (0=auto, default: 1)
      -q sec    : seconds between keep-alives
      -Q        : send reassociation requests
      -y prga   : keystream for shared key auth
      -T n      : exit after retry fake auth request n time

      Arp Replay attack options:

      -j        : inject FromDS packets

      Fragmentation attack options:

      -k IP     : set destination IP in fragments
      -l IP     : set source IP in fragments

      Test attack options:

      -B        : activates the bitrate test

  Source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

  Miscellaneous options:

      -R                    : disable /dev/rtc usage
      --ignore-negative-one : if the interface's channel can't be determined,
                              ignore the mismatch, needed for unpatched cfg80211
      --deauth-rc rc        : Deauthentication reason code [0-254] (Default: 7)

  Attack modes (numbers can still be used):

      --deauth      count : deauthenticate 1 or all stations (-0)
      --fakeauth    delay : fake authentication with AP (-1)
      --interactive       : interactive frame selection (-2)
      --arpreplay         : standard ARP-request replay (-3)
      --chopchop          : decrypt/chopchop WEP packet (-4)
      --fragment          : generates valid keystream (-5)
      --caffe-latte       : query a client for new IVs (-6)
      --cfrag             : fragments against a client (-7)
      --migmode           : attacks WPA migration mode (-8)
      --test              : tests injection and quality (-9)

      --help              : Displays this usage screen

No replay interface specified.
3. AIREPLAY-NG troubleshooting
(1) The aireplay-ng command hangs with no output
- The wireless card and the AP are on different channels
(2) Error "write failed: Cannot allocate memory wi_write(): illegal seek"
- The wireless card uses a Broadcom chipset (bcm43xx); switching to the b43 driver resolves this
(3) Injection works but is very slow, and the kernel logs "rtc: lost some interrupts at 1024Hz"
- There is no fix; run several aireplay-ng commands in parallel to increase throughput
(4) An error is reported when the injection MAC given with -h differs from the card's MAC address
- It is recommended to keep them the same (macchanger)
MAC change example
If the following error appears while changing the MAC, first run "ifconfig wlan0mon down":
[ERROR] Could not change MAC: interface up or insufficient permissions: Cannot assign requested address
4. AIREPLAY-NG injection test
Checks whether the card can inject packets
Checks the AP's response time
- The reply rate reflects link quality
With two wireless cards it can test which specific attacks can be injected (one card also works; see the example below for how)
The basic test checks how APs respond to broadcast probes
- 30 packets are sent to each AP
- This exercises the card's ability to send successfully and to receive packets
(1) Basic test
(2) Injection against a hidden AP / specified SSID
(3) Card-to-card injection test
Specific attack types
- -i specifies the card that plays the role of the AP
If the result shows Failed, it "may" be because the injection MAC (the MAC inside the packet) differs from the real MAC
Example:
┌──(root💀kali)-[/home/kali]
└─# iw dev wlan0 interface add wlan0mon type monitor    # only one NIC, so add two monitor interfaces for the test

┌──(root💀kali)-[/home/kali]
└─# iw dev wlan0 interface add wlan1mon type monitor

┌──(root💀kali)-[/home/kali]
└─# iwconfig
…………………………
wlan0     IEEE 802.11  ESSID:"\xE7\xAA\x9D\xE7\xAA\x9D\xE5\xA4\xB4"
          Mode:Managed  Frequency:2.462 GHz  Access Point: 54:75:95:2E:B3:6B
          Bit Rate=58.5 Mb/s   Tx-Power=20 dBm
          Retry short long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-19 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:6   Missed beacon:0

wlan0mon  IEEE 802.11  Mode:Monitor  Tx-Power=20 dBm
          Retry short long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off

wlan1mon  IEEE 802.11  Mode:Monitor  Tx-Power=20 dBm
          Retry short long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off

┌──(root💀kali)-[/home/kali]
└─# ifconfig wlan0mon up    # bring the interface up

┌──(root💀kali)-[/home/kali]
└─# ifconfig wlan1mon up

┌──(root💀kali)-[/home/kali]
└─# ifconfig
………………………………
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.105  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::68eb:d6e0:4201:e552  prefixlen 64  scopeid 0x20<link>
        ether 1c:bf:ce:3b:5f:bf  txqueuelen 1000  (Ethernet)
        RX packets 14  bytes 4457 (4.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17  bytes 2788 (2.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec 1C-BF-CE-3B-5F-BE-00-1D-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 1026  bytes 162672 (158.8 KiB)
        RX errors 0  dropped 1027  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec 1C-BF-CE-3B-5F-BE-00-1D-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 477  bytes 67719 (66.1 KiB)
        RX errors 0  dropped 478  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

┌──(root💀kali)-[/home/kali]
└─# aireplay-ng -9 -i wlan0mon wlan1mon                                        130 ⨯
00:11:02  Trying broadcast probe requests...
00:11:02  Injection is working!
00:11:04  Found 6 APs

00:11:04  Trying directed probe requests...
00:11:04  0C:4B:54:15:C4:6C - channel: 11 - '419'
00:11:08  Ping (min/avg/max): 2.320ms/20.147ms/114.732ms Power: -53.33
00:11:08  12/30:  40%

00:11:08  54:75:95:D9:DD:0A - channel: 11 - '329'
00:11:10  Ping (min/avg/max): 2.491ms/11.538ms/38.661ms Power: -44.92
00:11:10  24/30:  80%

00:11:10  0C:4B:54:34:6A:B8 - channel: 11 - 'zynb'
00:11:14  Ping (min/avg/max): 0.818ms/5.686ms/13.938ms Power: -49.45
00:11:14  11/30:  36%

00:11:14  0C:4B:54:15:E7:CD - channel: 11 - 'TP-LINK_E7CD'
00:11:19  Ping (min/avg/max): 3.322ms/7.253ms/13.905ms Power: -58.00
00:11:19  3/30:  10%

00:11:19  48:7D:2E:F6:D4:C4 - channel: 11 - '423'
00:11:21  Ping (min/avg/max): 1.484ms/9.297ms/25.443ms Power: -49.42
00:11:21  24/30:  80%

00:11:21  9C:A6:15:80:A8:85 - channel: 11 - 'TP-LINK_A885'
00:11:24  Ping (min/avg/max): 1.620ms/4.792ms/10.620ms Power: -52.46
00:11:24  13/30:  43%

00:11:24  Trying card-to-card injection...
00:11:24  Attack -0:           OK
00:11:24  Attack -1 (open):    OK
00:11:24  Attack -1 (psk):     OK
00:11:24  Attack -2/-3/-4/-6:  OK
00:11:30  Attack -5/-7:        OK
Stay true to your original aspiration, and you will see it through.