Key exchange
Wireless networks are designed for a group of wireless devices to communicate with each other
Devices associated to the same AP share the wireless channel
Unicast, broadcast, multicast
Their security requirements differ
Unicast communication needs its own key to encrypt the traffic between the two parties
pairwise key: Pairwise Transient Key (PTK)
Multicast communication needs one key shared by every member of the trust domain
group key: Group Temporal Key (GTK)
PMK
Top-level key of the security context
The MK is run through TLS-PRF to derive the PMK, from which the PTK is derived
Based on a server-issued key
Generated by the upper-layer authentication server
Passed from the server to the AP over RADIUS
Passed from the AP to all STAs in EAP messages
Based on a PSK (pre-shared key)
ESSID + PSK + 4096 iterations, hashed to produce the PMK, from which the PTK is derived
STA and AP each compute the PMK on their own; it is never transmitted over the network
256 bits, i.e. 32 bytes
Key exchange
How the PTK is generated
HMAC-SHA1 hash algorithm
PRF-X pseudo-random function (built on HMAC-SHA1)
Key exchange
The four-way handshake produces the PTK
The AP sends the ANonce to the STA
The STA generates the SNonce and computes the PTK
The STA sends the SNonce plus a MIC computed with the PTK to the AP
The AP receives the SNonce and computes the PTK
The AP computes the MIC and compares it with the received MIC
A matching MIC proves that the STA knows the PMK
The AP sends the GTK to the STA
The STA replies with an ACK and starts encrypting with the keys
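The PMK derivation, the PRF-X key expansion and the MIC check from the handshake above, written out as an added Python example (not code from these notes or from aircrack-ng). The MAC addresses, nonces and the EAPOL-Key frame skeleton are constructed; the passphrase/SSID pair "password"/"IEEE" is the 802.11i Annex test vector, and the MIC field offset (81) assumes a standard EAPOL-Key frame layout.

```python
import hashlib
import hmac

MIC_OFFSET, MIC_LEN = 81, 16   # Key MIC field inside an EAPOL-Key frame (4-byte EAPOL header included)

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK mode: PMK = PBKDF2-HMAC-SHA1(PSK, ESSID, 4096 iterations) -> 256 bits, computed by STA and AP alone."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-X: concatenate HMAC-SHA1(key, label || 0x00 || data || i) blocks until nbytes are produced."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range((nbytes + 19) // 20)]
    return b"".join(blocks)[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, tkip: bool = False) -> bytes:
    """PTK = PRF-X(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(ANonce,SNonce)||max(...)).
    Sorting the inputs lets both ends reach the same key. CCMP: 384 bits (KCK|KEK|TK); TKIP: 512 bits."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)

def eapol_mic(kck: bytes, frame: bytes, tkip: bool = False) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 (TKIP) or HMAC-SHA1/128 (CCMP)."""
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.md5 if tkip else hashlib.sha1).digest()[:MIC_LEN]

def sign_frame(kck: bytes, frame: bytes, tkip: bool = False) -> bytes:
    """STA side of message 2: write the MIC computed with the KCK (first 128 bits of the PTK) into the frame."""
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame, tkip) + frame[MIC_OFFSET + MIC_LEN:]

def verify_frame(kck: bytes, frame: bytes, tkip: bool = False) -> bool:
    """AP side: recompute the MIC with its own KCK and compare in constant time; a match proves PMK knowledge."""
    return hmac.compare_digest(eapol_mic(kck, frame, tkip), frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN])

# Constructed sample values (not captured from any real network).
AP_MAC, STA_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))

def handshake_demo() -> bool:
    pmk = derive_pmk("password", "IEEE")                        # 802.11i Annex test-vector inputs
    ptk_sta = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)  # STA: computed after message 1 (ANonce)
    ptk_ap = derive_ptk(pmk, STA_MAC, AP_MAC, SNONCE, ANONCE)   # AP: computed after message 2 (SNonce)
    frame = bytearray(99)                                       # skeleton EAPOL-Key message 2
    frame[0:4] = b"\x02\x03\x00\x5f"                            # EAPOL v2, type Key, body length 95
    frame[17:49] = SNONCE                                       # Key Nonce field carries the SNonce
    msg2 = sign_frame(ptk_sta[:16], bytes(frame))
    return ptk_sta == ptk_ap and verify_frame(ptk_ap[:16], msg2)
```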
Data encryption and integrity
Three algorithms
Temporal Key Integrity Protocol (TKIP)
Counter Mode with CBC-MAC (CCMP)
Wireless Robust Authenticated Protocol (WRAP)
Hands-on wireless penetration testing
AIRCRACK-NG basics
The go-to tool for wireless penetration testing and auditing
A suite of tools covering
Network detection
Sniffing and packet capture
Packet injection
Password cracking
AIRCRACK-NG
Check the wireless card driver
Start and stop monitor mode
airmon-ng check
airmon-ng start wlan2 3
iwlist wlan2mon channel
airmon-ng stop wlan2mon
root@kali:~# iwconfig
wlan0 IEEE 802.11 ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
lo no wireless extensions.
eth0 no wireless extensions.
# Stop network-manager
root@kali:~# service network-manager stop
# Check the wireless card information
root@kali:~# airmon-ng
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070
# Detect processes that may cause problems while aircrack-ng is running
root@kali:~# airmon-ng check
Found 1 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
982 wpa_supplicant
# Kill the detected processes
root@kali:~# airmon-ng check kill
Killing these processes:
PID Name
982 wpa_supplicant
# Start monitor mode
root@kali:~# airmon-ng start wlan0
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
root@kali:~# iwconfig
lo no wireless extensions.
eth0 no wireless extensions.
wlan0mon IEEE 802.11 Mode:Monitor Frequency:2.457 GHz Tx-Power=20 dBm
Retry short long limit:2 RTS thr:off Fragment thr:off
Power Management:off
# Show the channel the card is currently on
root@kali:~# iwlist wlan0mon channel
wlan0mon 14 channels in total; available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Channel 14 : 2.484 GHz
Current Frequency:2.457 GHz (Channel 10)
# Bring the wlan0mon interface up
root@kali:~# ifconfig wlan0mon up
Wireless packet capture
airodump-ng wlan2mon
airodump-ng wlan2mon -c 1 --bssid 00:11:22:33:44:55 -w file.cap
aireplay-ng -9 wlan2mon
# Stop wlan0mon
root@kali:~# airmon-ng stop wlan0mon
PHY Interface Driver Chipset
phy0 wlan0mon rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 station mode vif enabled on [phy0]wlan0)
(mac80211 monitor mode vif disabled for [phy0]wlan0mon)
# Put the wlan0 card on channel 1
root@kali:~# airmon-ng start wlan0 1
PHY Interface Driver Chipset
phy0 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
(mac80211 station mode vif disabled for [phy0]wlan0)
# Check which channel the card is on
root@kali:~# iwlist wlan0mon channel
wlan0mon 14 channels in total; available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Channel 14 : 2.484 GHz
Current Frequency:2.412 GHz (Channel 1)
# Capture packets
root@kali:~# airodump-ng wlan0mon
# Listen on channel 1 only
root@kali:~# airodump-ng wlan0mon -c 1
AIRCRACK-NG
airodump-ng wlan2mon
airodump-ng wlan2mon -c 1 --bssid 00:11:22:33:44:55 -w file.cap # capture the packets of one specific AP
airodump-ng wlan2mon -c 1 --bssid 00:11:22:33:44:55 -w file.cap --ivs # save only the IVs from WEP-encrypted packets
root@kali:~# airodump-ng wlan0mon -c 1 --bssid D4:EE:07:54:4F:A8 -w file.cap
# Look at the captured files
root@kali:~# ls file.cap-01.*
file.cap-01.cap file.cap-01.kismet.csv file.cap-01.log.csv
file.cap-01.csv file.cap-01.kismet.netxml
root@kali:~# wireshark file.cap-01.cap
BSSID: MAC address of the AP
PWR: signal strength as received by the card; the closer the AP, the stronger the signal
-1: the driver does not report signal strength, or the STA is out of reception range
RXQ: percentage of frames (data and management) successfully received in the last 10 seconds; only shown when locked to a fixed channel
Beacons: number of beacon frames received from this AP
#Data: number of data frames captured (for WEP, the number of IVs), including broadcast data frames
#/s: average number of frames captured per second over the last 10 seconds
CH: channel number (taken from beacon frames); with overlapping channels, frames from other channels may show up
MB: maximum rate supported by the AP
ENC: wireless security in use: WEP, WPA, WPA2, OPEN
CIPHER: cipher suite in use: CCMP, TKIP, WEP40, WEP104
AUTH: authentication method: MGT, PSK, SKA, OPEN
ESSID: network name; may be empty for a hidden AP, which airodump-ng can discover from probe and association request frames
STATION: MAC address of the STA
Lost: number of packets (management and data) sent by the STA that were lost in the last 10 seconds, judged from sequence numbers
Causes: interference, distance
Able to send but not receive, or receive but not send
Packets: number of data packets sent by the STA
Probes: ESSIDs the STA is probing for
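To turn the file.cap-01.csv that airodump-ng -w writes into an audit inventory, here is an added Python parser (not part of the aircrack-ng suite) that splits the AP table and STA table whose columns are described above and flags networks still using OPN, WEP or TKIP. The CSV content is constructed for the example and follows the layout airodump-ng uses for its .csv output (AP table, blank line, "Station MAC" table).

```python
import csv
import io

# Constructed sample in the layout of airodump-ng's <prefix>-01.csv. All values are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -40,  120,   0,   0.  0.  0.  0,   6, office,
00:11:22:33:44:66, 2024-01-01 10:00:02, 2024-01-01 10:05:00,  6,  54, WEP , WEP , OPN, -61,   80, 310,   0.  0.  0.  0,   6, legacy,
00:11:22:33:44:77, 2024-01-01 10:00:03, 2024-01-01 10:05:00, 11,  54, OPN , , , -70,   15,   0,   0.  0.  0.  0,   5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
66:77:88:99:AA:BB, 2024-01-01 10:00:05, 2024-01-01 10:04:59, -55,   40, 00:11:22:33:44:66, legacy
66:77:88:99:AA:CC, 2024-01-01 10:01:00, 2024-01-01 10:04:30, -48,   12, (not associated), office,home
"""

def _read_table(block: str) -> list[dict]:
    """One airodump table: first non-empty row is the header, cells are space-padded so strip them."""
    rows = [r for r in csv.reader(io.StringIO(block), skipinitialspace=True) if any(c.strip() for c in r)]
    header = [h.strip() for h in rows[0]]
    table = []
    for row in rows[1:]:
        cells = [c.strip() for c in row]
        if len(cells) > len(header):               # commas inside the last column (several probed ESSIDs)
            cells = cells[:len(header) - 1] + [",".join(cells[len(header) - 1:])]
        table.append(dict(zip(header, cells)))
    return table

def parse_airodump_csv(text: str) -> tuple[list[dict], list[dict]]:
    """Split the file at the 'Station MAC' header into the AP table and the STA table."""
    ap_block, sta_block = text.split("Station MAC", 1)
    return _read_table(ap_block), _read_table("Station MAC" + sta_block)

def weak_networks(aps: list[dict]) -> list[str]:
    """BSSIDs whose ENC/CIPHER columns still show OPN, WEP or TKIP, i.e. the ones to remediate first."""
    return [ap["BSSID"] for ap in aps
            if ap["Privacy"] in ("OPN", "WEP") or "TKIP" in ap["Cipher"] or "WEP" in ap["Cipher"]]

def clients_of(stations: list[dict], bssid: str) -> list[str]:
    """Station MACs currently associated to the given AP (the STATION/BSSID pairing in the lower table)."""
    return [s["Station MAC"] for s in stations if s["BSSID"] == bssid]
```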
AIRCRACK-NG
Problem: no AP or STA information is displayed
On a physical machine using the laptop's built-in wireless card, make sure the card is enabled in the BIOS
Confirm that the card works normally in managed mode
Try disabling the network-manager service
Try unloading (rmmod) and reloading (modprobe) the driver
Problem: airodump-ng stops capturing after running for a while
airmon-ng check kill
Confirm that the wpa_supplicant process has stopped
# Unload the driver
root@kali:~# rmmod
rmmod: ERROR: missing module name
root@kali:~# airmon-ng
PHY Interface Driver Chipset
phy0 wlan2 ath9k_htc Atheros Communications, Inc, AR9271 802.11n
# Reload the driver
root@kali:~# modprobe ath9k_htc
root@kali:~# iwconfig
eth0 no wireless extensions.
wlan2 IEEE 802.11nbgn ESSID:off/any
Mode:Managed Access Point: Not-Associated Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
lo no wireless extensions.