
Forgot the router login username and password, and the dial-up username and password too; it took some effort, but I finally got them back

The router shares the internet connection: its WAN port connects to the ADSL modem, and the PPPoE dial-up username and password are configured on it. I forgot the ADSL dial-up password. How can I find out what it is?


I tried for a long time, plus a lot of Googling, and finally succeeded. It is not as simple as just capturing packets!


Connect the PC's network card to the router's WAN port (routers nowadays generally support automatic port crossover, so no crossover cable is needed, which is convenient). Let the router dial, and capture packets on the PC with the Ethereal software.


I tried for ages and it didn't work: no password packet could be captured, only a single PPPoE packet.


After some analysis: this is because the PC has no PPPoE server installed, so the router cannot carry out the protocol exchange with the PC.


Put a hub between the router and the modem, then capture on the hub: I tried that too, and it doesn't work either. The reason is that today's 100M "hubs" are all really switches, which work on a different principle, so you cannot capture the packets that two other machines exchange with each other. An old 10M hub should work.


So the hub is out; the only option is to connect the PC's network card directly to the router's WAN port. In that case the PC must have a PPPoE server installed, so that it can talk PPP with the router; only then does the password packet appear, and only then can Ethereal capture it.


So, set up a PPPoE server:

1. Install the PPPoE driver


Download the RASPPPOE software (it is available all over the web) and unpack it. Open the properties of "Local Area Connection", click "Install", choose "Protocol", then click "Add", then "Have Disk", select the directory where RASPPPOE was unpacked and click "OK". When adding the protocol, be sure to pick WINPPPOE.INF!


A dialog for selecting the network protocol then pops up automatically; select "PPP over Ethernet Protocol" and keep going through the installation, and the PPPoE driver will be installed. An extra "PPP over Ethernet Protocol" entry appears in the properties of "Local Area Connection".


I tried capturing again at this point; still no luck! Because there is only a driver, with no service software to provide the service!



2. Start the RRAS service in XP


XP ships with this service: it is RRAS.


In XP's Services, set the Routing and Remote Access service to Automatic and start it.


I tried capturing like this; still not working! Because with only the driver and the service, and no access point configured, nothing can connect!



3. Add an access point in XP


The access point is an "Incoming Connection".


In "Network Connections", run the New Connection Wizard, choose "Set up an advanced connection", then "Accept incoming connections", select the network card, and follow the steps through; this creates an "Incoming Connection".


In the properties of "Incoming Connection", tick all of the user names.


Now the PC's network card can accept incoming connections, which means it can accept the router's PPPoE dial-up!!!



4. Now Ethereal can capture!


Let the router dial and capture with Ethereal on the PC. PPP packets were captured successfully; one of them is the password packet, containing the username and password!

(Using Wireshark is the right choice; of course there is still some work to do below, because what is transmitted is a challenge.)

1. When the user wants to go online, they open the 802.1X client program, enter the username and password, and initiate a connection request. The client program sends an authentication-request packet to the switch, which starts an authentication process.

As follows:

Frame 90 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:33.446030000
    Time delta from previous packet: 3.105345000 seconds
    Time since reference or first frame: 5.082965000 seconds
    Frame Number: 90
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Ethernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03
    Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)
    Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
    Type: 802.1X Authentication (0x888e)
    Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5...
    Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0xcc6d5b40)
802.1x Authentication
    Version: 1
    Type: Start (1)
    Length: 0

2. After receiving the authentication-request frame, the switch sends an EAP-Request/Identity packet asking the client program to send the username the user entered.

Frame 91 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:33.447236000
    Time delta from previous packet: 0.001206000 seconds
    Time since reference or first frame: 5.084171000 seconds
    Frame Number: 91
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Ethernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cd
    Destination: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
    Source: 00:03:0f:01:3a:5a (DigitalC_01:3a:5a)
    Type: 802.1X Authentication (0x888e)
    Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5...
    Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0x7d263869)
802.1x Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 5
    Extensible Authentication Protocol
        Code: Request (1)
        Id: 1
        Length: 5
        Type: Identity [RFC3748] (1)

3. The client program responds to the switch's request by sending an EAP-Response/Identity containing the username to the switch; the switch encapsulates the client's frame into a RADIUS Access-Request packet and sends it to the authentication server for processing.

Frame 148 (77 bytes on wire, 77 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:36.446199000
    Time delta from previous packet: 2.998963000 seconds
    Time since reference or first frame: 8.083134000 seconds
    Frame Number: 148
    Packet Length: 77 bytes
    Capture Length: 77 bytes
Ethernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03
    Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)
    Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
    Type: 802.1X Authentication (0x888e)
802.1x Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 59
    Extensible Authentication Protocol
        Code: Response (2)
        Id: 1
        Length: 13
        Type: Identity [RFC3748] (1)
        Identity (8 bytes): 03051020

4. After the authentication server receives the username forwarded by the switch, it looks it up in the user table in its database, finds the password information for that username, processes it (MD5) with a randomly generated challenge string, and sends a RADIUS Access-Challenge packet to the client via the access device; this packet contains an EAP-Request/MD5-Challenge.

Frame 154 (64 bytes on wire, 64 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:36.567003000
    Time delta from previous packet: 0.120804000 seconds
    Time since reference or first frame: 8.203938000 seconds
    Frame Number: 154
    Packet Length: 64 bytes
    Capture Length: 64 bytes
Ethernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cd
    Destination: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
    Source: 00:03:0f:01:3a:5a (DigitalC_01:3a:5a)
    Type: 802.1X Authentication (0x888e)
    Trailer: A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5...
    Frame check sequence: 0xa5a5a5a5 (incorrect, should be 0x4ec1ac73)
802.1x Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 22
    Extensible Authentication Protocol
        Code: Request (1)
        Id: 2
        Length: 22
        Type: MD5-Challenge [RFC3748] (4)
        Value-Size: 16
        Value: 1CBFEE2149E38D2928DABB4772D285EB

5. After the client receives the EAP-Request/MD5-Challenge packet, it processes the password with that challenge string (MD5) and sends an EAP-Response/MD5-Challenge to the switch; the switch sends the Challenge, the Challenged Password and the username together to the RADIUS server for authentication.

Frame 199 (94 bytes on wire, 94 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:39.446161000
    Time delta from previous packet: 2.879158000 seconds
    Time since reference or first frame: 11.083096000 seconds
    Frame Number: 199
    Packet Length: 94 bytes
    Capture Length: 94 bytes
Ethernet II, Src: 00:e0:4c:d7:65:cd, Dst: 01:80:c2:00:00:03
    Destination: 01:80:c2:00:00:03 (Spanning-tree-(for-bridges)_03)
    Source: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
    Type: 802.1X Authentication (0x888e)
802.1x Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 76
    Extensible Authentication Protocol
        Code: Response (2)
        Id: 2
        Length: 30
        Type: MD5-Challenge [RFC3748] (4)
        Value-Size: 16
        Value: CBAC378ABB609123D2BB412840AEC614
        Extra data (8 bytes): 3033303531303230

6. The authentication server compares the hashed password information it received with the password information it computed itself, decides whether the user is legitimate, and replies with an authentication success/failure packet to the access device. If authentication succeeds, it instructs the switch to open the port, allowing the user's traffic to reach the network through that port. Otherwise the switch port stays closed and only authentication traffic is allowed through.

Frame 205 (243 bytes on wire, 243 bytes captured)
    Arrival Time: Nov 27, 2006 16:27:39.632706000
    Time delta from previous packet: 0.186545000 seconds
    Time since reference or first frame: 11.269641000 seconds
    Frame Number: 205
    Packet Length: 243 bytes
    Capture Length: 243 bytes
Ethernet II, Src: 00:03:0f:01:3a:5a, Dst: 00:e0:4c:d7:65:cd
    Destination: 00:e0:4c:d7:65:cd (RealtekS_d7:65:cd)
    Source: 00:03:0f:01:3a:5a (DigitalC_01:3a:5a)
    Type: 802.1X Authentication (0x888e)
802.1x Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 225
    Extensible Authentication Protocol
        Code: Success (3)
        Id: 0
        Length: 4
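The six-step exchange above in working code, added here as an example and not taken from the original post: a decoder for the frame layout shown (EtherType 0x888e, then the EAPOL Version/Type/Length header, then the EAP Code/Id/Length/Type fields), the supplicant's MD5-Challenge computation from step 5, and the server-side comparison from step 6. The MD5-Challenge method is the CHAP computation from RFC 1994 carried inside EAP (RFC 3748 section 5.4): the response Value is MD5 over the EAP Identifier byte, the secret and the challenge, and the Name that follows the Value is the identity, which is why frame 199's "Extra data" 3033303531303230 is simply "03051020" in ASCII. The byte strings below are reconstructed from the field values decoded in the capture (they are not the raw frames), and the password example-secret is invented because the page never shows one, so the response this code produces differs from the captured one. Because the server's only check is to recompute the same unsalted MD5, a captured challenge/response pair deserves the same protection as the password itself.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Constants from IEEE 802.1X / RFC 3748, matching the decoded fields in the capture.
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


@dataclass
class EapolFrame:
    version: int
    eapol_type: int
    code: Optional[int] = None
    identifier: Optional[int] = None
    eap_type: Optional[int] = None
    type_data: bytes = b""


def parse_eapol(payload: bytes) -> EapolFrame:
    """Decode the bytes that follow EtherType 0x888e: EAPOL header, then the EAP packet."""
    if len(payload) < 4:
        raise ValueError("EAPOL header truncated")
    version, eapol_type = payload[0], payload[1]
    eapol_len = int.from_bytes(payload[2:4], "big")
    body = payload[4:4 + eapol_len]
    if len(body) < eapol_len:
        raise ValueError("EAPOL body shorter than its Length field")
    frame = EapolFrame(version, eapol_type)
    if eapol_type != EAPOL_EAP_PACKET:
        return frame                       # EAPOL-Start (frame 90) carries no EAP packet
    if len(body) < 4:
        raise ValueError("EAP header truncated")
    frame.code, frame.identifier = body[0], body[1]
    eap_len = int.from_bytes(body[2:4], "big")
    if eap_len < 4 or eap_len > eapol_len:
        raise ValueError("EAP Length inconsistent with EAPOL Length")
    if frame.code in (EAP_REQUEST, EAP_RESPONSE) and eap_len >= 5:
        frame.eap_type = body[4]
        frame.type_data = body[5:eap_len]  # anything past eap_len is padding (see frame 199)
    return frame


def md5_challenge_fields(type_data: bytes) -> Tuple[bytes, bytes]:
    """Split MD5-Challenge type data into (Value, Name) as laid out in RFC 3748 section 5.4."""
    size = type_data[0]
    if 1 + size > len(type_data):
        raise ValueError("Value-Size exceeds the data present")
    return type_data[1:1 + size], type_data[1 + size:]


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """The CHAP computation EAP-MD5 reuses: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_md5_response(identifier: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """Step 5 from the supplicant side: an EAPOL payload carrying EAP-Response/MD5-Challenge."""
    digest = eap_md5_response(identifier, secret, challenge)
    eap_len = 4 + 1 + 1 + len(digest) + len(name)           # header, Type, Value-Size, Value, Name
    eap = (bytes([EAP_RESPONSE, identifier]) + eap_len.to_bytes(2, "big")
           + bytes([EAP_TYPE_MD5_CHALLENGE, len(digest)]) + digest + name)
    return bytes([1, EAPOL_EAP_PACKET]) + len(eap).to_bytes(2, "big") + eap


def server_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Step 6: the server recomputes the digest from its stored secret and compares."""
    return hmac.compare_digest(eap_md5_response(identifier, secret, challenge), response)


# Constructed EAPOL payloads rebuilt from the field values decoded above (not raw capture bytes).
CHALLENGE = bytes.fromhex("1CBFEE2149E38D2928DABB4772D285EB")
IDENTITY = b"03051020"
FRAMES = {
    90: bytes.fromhex("01010000"),                                                # EAPOL-Start
    91: bytes.fromhex("01000005" "01010005" "01"),                                # EAP-Request/Identity, Id 1
    148: bytes.fromhex("0100003b" "0201000d" "01") + IDENTITY + b"\x00" * 46,     # EAP-Response/Identity, padded
    154: bytes.fromhex("01000016" "01020016" "0410") + CHALLENGE,                 # EAP-Request/MD5-Challenge, Id 2
    205: bytes.fromhex("010000e1" "03000004") + b"\x00" * 221,                    # EAP-Success
}


def run_exchange(secret: bytes = b"example-secret") -> dict:
    """Walk the captured frames, play step 5 with the invented secret, then check it as in step 6."""
    parsed = {n: parse_eapol(p) for n, p in FRAMES.items()}
    challenge, _ = md5_challenge_fields(parsed[154].type_data)
    identity = parsed[148].type_data
    response_frame = build_md5_response(parsed[154].identifier, secret, challenge, identity)
    value, name = md5_challenge_fields(parse_eapol(response_frame).type_data)
    return {
        "identity": identity.decode("ascii"),
        "challenge": challenge.hex().upper(),
        "response_value": value.hex().upper(),
        "name": name.decode("ascii"),
        "server_accepts": server_verify(parsed[154].identifier, secret, challenge, value),
        "success_code": parsed[205].code,
    }


if __name__ == "__main__":
    for key, val in run_exchange().items():
        print(f"{key}: {val}")
```

The length checks in parse_eapol matter when decoding real captures: frame 199 declares an EAPOL Length of 76 but an EAP Length of 30, so the decoder must stop at the EAP Length rather than treating the trailing padding as part of the Name.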