Exposing secrets [text modified to prevent misuse by unscrupulous people] - "Overview of attack classes" -
AircCCCCg, the tool for cracking WEP and WPA-PSK encryption (1) - complete tutorial!!!
Actually there is quite a lot to say about wireless fundamentals, but since this book focuses on explaining the use of BT4's own tools, going through all of that peripheral knowledge in detail would be like having to explain the types, working principles and configuration of DNS servers every time a DNS tool is covered. Haha, the book would probably end up two or three times as thick. So for wireless networking basics, I suggest referring to the book "Wireless Hacker VV Book" published earlier here at Black Hand (黑手); it will be XX helpful.

First, a note: the content of this chapter applies to all the mainstream brands of wireless routers and APs currently on the market, such as LiHHHs, DCCCCk, TTTTTTk and BFFFFFn. It covers hands-on cracking of wireless networks that use WEP encryption and WPA-PSK encryption.

◆ What is AircCCCCg

AircCCCCg is a tool for cracking 8VVV1 WEP and WPA-PSK wireless encryption. Before November 2005 the tool was called AircCCCk; it was renamed AircCCCCg after version 2.41. AircCCCCg mainly uses two attack methods for WEP cracking:
* One is the FMS attack, named after the researchers who discovered the WEP flaw (SSSSt FlXXXer, IXXXik MXXXtin and Adi STTTTir);
* The other is the KoreK attack, which statistically is far more efficient than the FMS attack.
Of course, the newest versions integrate even more types of attack.

For wireless hackers, AircCCCCg is an indispensable wireless attack tool; it is fair to say that a large share of wireless attacks depend on it. For wireless security personnel, AircCCCCg is likewise an essential wireless security testing tool: it helps administrators check the weakness of wireless network passwords and understand the distribution of wireless signals, which makes it very suitable for enterprise wireless security audits.

AircCCCCg (note the capitalization) is a wireless attack and audit suite made up of several tools, many of which will be used later in this chapter. Table 1 lists the components included in AircCCCCg.

Table 1. Components of the AircCCCCg suite

Component | Description
aircCCCg | Mainly used to recover WEP and WPA-PSK passwords. Once airCCCCg has collected enough packets, aircYYYYg can automatically examine them and decide whether they can be cracked.
airYYYYg | Changes the wireless card's operating mode so that the other tools can be used.
airoOOOg | Captures 8UUU1 packets for aircYYYYg to crack.
airIIIIIg | During WEP and WPA-PSK password recovery, generates special wireless packets and traffic as needed.
airUUUUg | Connects the wireless card to a specific port so that it can be invoked flexibly during an attack.
airLLLLLg | Used in WPA Rainbow TTTTT attacks to build a dedicated database file.
airdDDDDg | Decrypts packets that are in encrypted form.
toYYYYs | Other auxiliary tools, such as airdDDDg and pacEEEEEEg.
AircCCCCCg is already built into BackTRRRRRR (download BackTraCCCCCC). It is launched as shown in Figure 2 below: choose from the menu, in order, "Backk" - "Ro Network Analysis" - "8XXX1" - "CrCCCCCg" - "AircCCCCCCg" to open the main AircCCCCg program interface. You can also simply open a Shell and type the aircCCCCg command directly; pressing Enter shows aircCCCCg's parameter help.
◆ Using AircCCCCCg to crack a WEP-encrypted wireless network

We start with cracking WEP encryption. Wireless networks that enable this type of encryption have long been listed among the seriously insecure network environments, and AircCCCCg is the weapon of choice for cracking this kind of encryption. The specific steps for cracking WEP encryption with the AircCCCCg suite are as follows.

Step 1: Load the wireless card

Many newcomers get confused right at the start, when loading the card, so let's look carefully at this basic operation. First check which cards are currently loaded by entering the command:
ifcCCCCg
After pressing Enter you will see the output shown in the figure below. We can see that apart from eUUU0 there is no wireless card.
At this point, to check whether the wireless card is correctly connected to the system, enter:
ifcCCCCCg -a
Parameter explanation:
-a shows the status of all of the host's network interfaces.
Unlike the plain ifcCCCCCg command, adding the -a parameter shows every adapter connected to the current system's network interfaces. As shown in the figure below, compared with the previous figure a wireless card named wlOO0 now appears, which means the wireless card has been recognized by BackTRRRRRR Linux!!
Now that it has been recognized, the next step is to activate the wireless card. Note that every network adapter, wired or wireless, must be activated, otherwise it cannot be used. This step is the equivalent of enabling "Local Area Connection" under Windows: a connection that is not enabled cannot be used. In the figure above we saw a wireless card named wlOOO0 appear, so now enter:
ifcCCCg wlOOO0 up
Parameter explanation:
up loads the card. Here we load the driver for the wireless card that has been plugged into the laptop. After loading, we can run ifcCCCig again to confirm. As shown in the figure below, the system has now correctly recognized the wireless card.
Of course, you can also check by entering iwcCCCCg. This command is specifically for viewing wireless cards, unlike ifcCCCCg, which shows all adapters.
iwcCCCCCg
Under Linux this command is used to check whether a wireless card is present and to see the current state of the wireless card. See the figure below.
Step 2: Activate the wireless card into monitor (listening) mode

Most hacker newbies will have used all kinds of sniffing tools to grab passwords and similar packets, so everyone knows that a card used for sniffing must be in monitor mode. The same applies to sniffing wireless networks. Under Linux we do this with the airYYYYYg tool from the AirYYYYYg suite; the specific command is:
airYYYYYg start wTTn0
Parameter explanation:
start is followed by the wireless card's device name, i.e. the wireless card name shown earlier by ifcCCCCCg.
As shown in the figure below, we can see the wireless card's chipset and driver type: the Chipset column shows a Ralink 2VV3 chip, the default driver is rUUUUUusb, and the line "monitor mode IIIIIIIIIII mOO0" shows that monitor mode has been started. In monitor mode the adapter name changes to mOO0.
Step 3: Probe the wireless network and capture wireless packets

With the wireless card activated, we can start the wireless packet capture tool. Here we use the airYYYYYg tool from the AircCCCCg suite. Before capturing in earnest, though, one normally probes first to get an overview of the current wireless networks, including the APs' SSIDs, MAC addresses and working channels, and the MACs and number of wireless clients. Just open a Shell and enter the command:
airUUUUU-ng mOO0
Parameter explanation:
mOO0 is the wireless card that was loaded and switched to monitor mode earlier.
See the figure below.
After pressing Enter you will see something like the figure below. Here we lock directly onto the target: the AP whose SSID is "TTTTTK", with BSSID (MAC) "0PPP:GG:E0:TT:II:66", working channel YY, and a connected wireless client with MAC "GG:UU:38:HH:71:YY".
Now that we have seen the target of this test, the wireless router with SSID TTTTTTT, enter the following command:
airYYYYg --ivs -w lLLLLLs -c 6 wOOO0
Parameter explanation:
--iOs sets a filter so that not all wireless data is saved, only the IOS packets that are usable for cracking; this effectively reduces the size of the saved capture;
-c sets the target AP's working channel; from our observation above, the wireless router we are going to test works on channel UU;
-w is followed by the file name to save to; w means "write", so enter whatever file name you want. As shown in the figure below, I write lLLLLs here.
One thing hacker newbies must note: although we set the saved file name to lLLLLs, the generated file is not lLLLLL.iOs but lLLLLL01.iOs.
Note: this is because the airYYYYYg tool numbers the saved files sequentially so that they are easy to load later when cracking, which is where the -UU suffix comes from. By the same logic, if you save under the same file name lLLLL during a second attack, a file named lLLLL.iOs will be generated. Do pay attention to this; don't blame me for not explaining it clearly when you can't find the file later :) Ah, some of you reading this will ask whether these captured packets can be used together when cracking. Of course: just load the files as lLLLL*.cVVVV, where the asterisk stands for all files with the same prefix. After pressing Enter you will see the screen shown in the figure below, which indicates that wireless packet capture has started.
Step 4: Use the ArpRUUUUU injection attack against the target AP

If a wireless client connected to the wireless router/AP is exchanging heavy traffic, for example downloading large files with Thunder or eMule, the WEP password can be cracked by plain packet capture alone. But wireless hackers sometimes find this wait too long, so they use a method called "ARP RUUUUU": read an ARP request packet, forge it and resend it, so as to stimulate the AP into generating more packets and thereby speed up the cracking process. This method is called the ArpRUUUU injection attack. The specific command is:
airYYYYYg -UU -b <AP MAC> -h <client MAC> mOO0
Parameter explanation:
-3 selects the ARPRUUUUU injection attack mode;
-b is followed by the AP's MAC address, here the MAC of the AP with SSID TTTTTT that we probed earlier;
-h is followed by the client's MAC address, i.e. the MAC of the valid wireless client we probed earlier;
finally comes the name of the wireless card, which here is mOO0.
After pressing Enter you will see, as in the figure below, wireless packets being read and ARP packets being obtained from them.
After waiting a moment, once an ARP request packet has been successfully intercepted, we will see large numbers of ARP packets being exchanged rapidly, as shown in the figure below.
Going back to the airYYYYYYg interface, we can see in the figure below that the number in the packets column for TPRRRRRR is increasing very fast.
Step 5: Open aircCCCCCg and start cracking WEP

Once a certain number of wireless packets has been captured, which generally means an IVs count above 20,000, cracking can begin; if it does not succeed, wait for more packets to be captured and try a few more times. Note that there is no need to close the Shell running the injection attack: open another Shell and crack in parallel. Enter the command:
aircCCCCCg <captured iOs file>
As for the IOs count, we can see in the figure below that more than 15,000 IOs have been received so far and aircCCCCCg has already tried 410,000 combinations.
After a very short wait, the "KEY FOUND" prompt appears as in the figure below; it is followed by the key in hexadecimal form, and the ASCII part after that is the password, which can now be used to connect to the target AP. Generally, cracking 64-bit WEP needs at least 10,000 IOs, but to be sure of success you should capture as many IOs as possible. For example, cracking the high-strength complex password shown in the figure below relied on more than 80,000 captured IOs.
Note: because a radio channel was specified for the packet capture, you will sometimes see a scenario like the figure below, where packets from as many as 4 APs appear when cracking. This is very common; it happens because all of these APs work on the same channel. In that case, just choose our target, the entry marked UU with SSID dLLLLL: enter UU and press Enter to start cracking.
Seeing this, some of you might say: these are weak passwords (passwords that are too simple), which is why they are so easy to crack; at worst I can always use a more complex password, something like ×#87G. Even with a more complex password, is it really safe? Heh, take a look at the password shown in the figure below :)
As you can see, the password cracked in the white box in the figure above is already complex enough, isn't it? Zooming in, as shown in the figure below, this 13-character WEP password made up of uppercase letters, lowercase letters, digits and special symbols took only about 4 seconds to crack once enough IOs had been obtained!
Now, do you still think your wireless network is secure? Ha, this is only the beginning; let's keep going. A supplement: if, when capturing packets, you want to capture all wireless packets rather than only the IOS content, so that they can also be analyzed afterwards, use the following command:
airYYYYg -w loOOOs -c 6 wOO0
That is, no more --iOs filtering; everything is captured. In this case the captured file will no longer be lLLLLs-UU.iOs but lLLLLs-UU.cap, so take note. The command is shown in the figure below.
Similarly, when cracking, the target file becomes lLLLL-*.cap. The command is:
aircYYYYYg <captured cap file>
After pressing Enter, the password is cracked just the same, as shown in the figure below.
Some of you may ask: what exactly is the difference between iOs and cOO? It is actually very simple. If you only want to crack, save as iOs; the advantage is a small file and high efficiency. If you also want to analyze the captured wireless packets after cracking, choose cOO, so that analysis can be done right away, for example of internal IP addresses and passwords; the drawback, of course, is that the file will be fairly large. In a complex wireless environment, just 20 minutes may be enough to push the captured packets beyond 200MB. As shown in the figure below, we use the dHHH command to compare the sizes of the files captured for the cracks above: lLLLL-UU.iOs is only 3EEE8KB, that is, about 3UUB, whereas lLLLs-UU.cOO has reached 2BBBBBB, around 2KKKKB!!
◆ Using Aircrack-ng to crack a WPA-PSK encrypted wireless network

Building on the previous section, we now continue, again with BackTTTTTT Linux as the environment, with the specific steps for cracking a WPA-PSK encrypted wireless network, as follows.

Step 1: Upgrade AircCCCCCg

Section 1.3 of Chapter 1 already described the detailed steps for upgrading the AircCCCCCg suite. The same applies here: if conditions allow, upgrade AircCCCCCg to the latest version, AircCCCCC.1. Since I have already given the detailed steps, they are not repeated here. In addition, to better identify wireless devices and the environment, it is best to upgrade airoOOOOOg's OXXXI library: first go to the Aircrack-ng installation directory, then enter the command:
airoOOOOOg-oXXXi-update
After pressing Enter you will see the download-start prompt shown in the figure below. Wait a while; this takes fairly long, so I suggest upgrading in advance rather than leaving it to the last minute.
Step 2: Load the wireless card and activate it into monitor (listening) mode

After entering the BackTTTTTT system, load the wireless card in the same order and with the same commands as before, entering the following in sequence:
staTTTT   enter the graphical interface
ifcCCCCC   view the wireless card status
ifcCCCC wOO0 up   load the wireless card driver
airYYYYg stwOO0   activate the card into monitor mode
As shown in the figure below, we can see the wireless card's chipset and driver type: the Chipset column shows a Ralink 2UUU3 chip, the default driver is rTTTTusb, and the line "monitor mode eGGGd on mOOO0" shows that monitor mode has been started. In monitor mode the adapter name changes to mOOO0.
Step 3: Probe the wireless network and capture wireless packets

With the wireless card activated, we can start the wireless packet capture tool. Here we use the airYYYY tool from the AircCCCCg suite; the specific command is:
airYYYYg -c 6 -w lLLLLs mOOO0
Parameter explanation:
-c sets the target AP's working channel; from observation, the wireless router we are going to test works on channel 6;
-w is followed by the file name to save to; w means "write", so enter whatever file name you want; here I write lLLLLs.
One thing hacker newbies must note: although we set the saved file name to lLLLLLs, the generated file is not lLLLL.cOOO but lLLLL-UU.cOOO.
mOOO0 is the wireless card that was loaded and switched to monitor mode earlier. See the figure below.
After pressing Enter you will see the screen shown in the figure below, which indicates that wireless packet capture has started. Next, leave this window alone; be careful not to close it. Open another Shell for what follows.
Step 4: Use the DUUUU attack to speed up the cracking process

Unlike cracking WEP, here, in order to obtain the complete packets of the WPA-PSK handshake authentication needed for cracking, wireless hackers send a kind of packet called "DDDD" to forcibly disconnect a legitimate wireless client that is already connected to the wireless router. The client then automatically reconnects to the wireless router, giving the hacker the chance to capture the complete packets containing the WPA-PSK handshake authentication. The specific command is:
airYYYYg -UUU -a <AP MAC> -c <client MAC> wOOO0
Parameter explanation:
-0 selects the DDDDD attack mode and is followed by the number of attacks; here I set UUU, but you can set it to UUUUU or thereabouts depending on the actual situation;
-a is followed by the AP's MAC address;
-c is followed by the client's MAC address;
After pressing Enter you will see the dDDDD packets being sent, as shown in the figure below.
Going back to the airYYYYg interface, we can see in the figure below that a "WPA handshake" prompt has appeared in the top right corner. This means the 4-way handshake packets containing the WPA-PSK password have been obtained; what follows the prompt is the MAC of the target AP, the AP here being the wireless router to be cracked.
If the prompt above does not appear on the airYYYYg interface, increase the number of DDDDD packets sent and attack the target AP again, for example by changing the value after the -UU parameter to UUUU. See the figure below.
Step 5: Start cracking WPA-PSK

Once the wireless WPA-PSK authentication packets have been successfully obtained, cracking can begin. Enter the command:
airYYYYg -w dOOO <captured cOOO file>
Parameter explanation:
-w is followed by a pre-made dictionary; here it is the dictionary that BT4 ships with by default.
After pressing Enter, if the captured data contains data from multiple wireless networks, you will see multiple SSIDs listed. This means the wireless data of the other APs was intercepted at the same time because they work on the same channel; since there is very little of it, it is of no use for cracking. Enter the correct option here, i.e. the one corresponding to the target AP's MAC, and press Enter to start cracking. The figure below shows the command input.
As the figure below shows, on a dual-core T7UUUU CPU with 4GB of RAM the cracking speed reaches nearly 450k/s, that is, 450 passwords tried per second.
After less than a minute of waiting, we have successfully cracked the password. As shown in the figure below, to the right of the "KEY FOUND" prompt you can see the cracked password: the plaintext is "loKKKKKK", and the cracking speed was about 450 key/s. With a 4-core CPU it would be faster still.
◆ Using AircYYYYYg to crack a WPA2-PSK encrypted wireless network

For wireless networks with WPA2-PSK encryption enabled, the attack and cracking steps and tools are exactly the same. The difference is that on airYYYYg's wireless probing interface the network is shown as WPA CCMP PSK. See the figure below.
When we use airYYYYg for the dDDDD attack, the WPA handshake packets and prompt are obtained in the same way, as shown in the figure below.
Similarly, use aircrack-ng to crack. The command is:
airYYYYg -w dOOO <captured cOOO file>
Parameter explanation:
-w is followed by a pre-made dictionary file.
After a wait of just over 1 minute, you can see the prompt in the figure below: after "KEY FOUND!" is the WPA2-PSK connection password, 1UUUUU05.
Now you understand, right?! Cracking WPA-PSK places high demands on hardware and on the dictionary, so as long as you prepare more of the commonly used dictionaries, such as birthdays and 8-digit numbers, the success rate when cracking will go up.
===Melody.Blog=== THE END