- A tool suite that bundles several functions
- Network monitoring
- Sniffing and packet capture
- Packet injection
- Password cracking
-------------------------Breaking the network perimeter-----------------
0x1 aircrack-ng basics
service network-manager stop
airmon-ng                  # list driver and chipset information
airmon-ng check            # detect processes that may conflict with the tool; append "kill" to end them
airmon-ng check kill
-----------Ready, start monitoring----------
airmon-ng start wlan0      # airmon-ng stop wlan0mon stops it again
iwconfig
iwlist wlan0mon channel    # show which channel the monitor interface is on
# Once monitor mode is enabled, the mon interface's MAC shows the real managed-mode address followed by a long string of fake 00-00-00-00-00-00...
0x2 Capturing packets with airodump-ng
With a monitoring interface we can now capture wireless frames. You could use wireshark or tcpdump, but they capture far too many packets and the analysis gets too complex,
so the suite provides a dedicated capture tool.
Incidentally, when enabling monitor mode above you can append a channel number to pin the interface to that channel: airmon-ng start wlan0 1
Start capturing:
airodump-ng wlan0mon                                                    # ctrl+c to stop
airodump-ng wlan0mon -c 1 --bssid 00:11:22:33:44:55 -w file.cap         # specify channel, AP MAC and output file
airodump-ng wlan0mon -c 1 --bssid 00:11:22:33:44:55 -w file.cap --ivs   # save only the IVs
# Note: when run this way, even though a channel is specified, the capture is not limited to that channel and hops across all channels!
Parameter explanation:
# If BSSID shows (not associated) and Probes shows xxx, then xxx is the name (ESSID) of an AP this client previously connected to (a privacy leak)
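As an added example that is not part of the original post, a small Python parser for the station table of the CSV that airodump-ng writes next to the capture when -w is used, which lists the unassociated clients still probing for names of networks they previously joined (the privacy leak noted above). The column layout is assumed to match airodump-ng's usual CSV output, and every MAC, timestamp and ESSID in the sample is constructed.

```python
# Added example, not part of the original post: parse the station table of the
# CSV that airodump-ng writes next to the capture when -w is used (<prefix>-01.csv).
# The column layout below is assumed to match airodump-ng's usual CSV output;
# all MACs, times and ESSIDs in SAMPLE_CSV are constructed.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-01 10:00:00, 2024-01-01 10:05:00,  1,  54, WPA2, CCMP, PSK, -40,  120,  0,   0.  0.  0.  0,   8, OfficeAP, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2024-01-01 10:00:10, 2024-01-01 10:04:50, -55,  30, 00:11:22:33:44:55, OfficeAP
AA:BB:CC:DD:EE:02, 2024-01-01 10:01:00, 2024-01-01 10:04:00, -70,   5, (not associated), HomeWifi,CoffeeShop-Guest
AA:BB:CC:DD:EE:03, 2024-01-01 10:02:00, 2024-01-01 10:03:00, -80,   2, (not associated), 
"""


def parse_stations(csv_text):
    """Return {station_mac: (bssid, [probed ESSIDs])} from the station table.

    The first six columns never contain commas, but 'Probed ESSIDs' is itself a
    comma-separated list, so each row is split at most six times and the
    remainder is treated as the probe list.
    """
    stations = {}
    in_station_table = False
    for line in csv_text.splitlines():
        if line.startswith("Station MAC"):
            in_station_table = True  # every row after this header is a client
            continue
        if not in_station_table or not line.strip():
            continue
        parts = [p.strip() for p in line.split(",", 6)]
        if len(parts) < 7:
            continue  # malformed or truncated row
        mac, bssid, probes = parts[0], parts[5], parts[6]
        essids = [e.strip() for e in probes.split(",") if e.strip()]
        stations[mac] = (bssid, essids)
    return stations


def leaking_clients(stations):
    """Clients that are not associated yet still announce names of past networks.

    This is the '(not associated)' + Probes case described above: each ESSID is a
    network the device previously joined, which is what to audit your own fleet for.
    """
    return {mac: essids for mac, (bssid, essids) in stations.items()
            if bssid == "(not associated)" and essids}


if __name__ == "__main__":
    for mac, essids in leaking_clients(parse_stations(SAMPLE_CSV)).items():
        print(f"{mac} probes for: {', '.join(essids)}")
```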
# Troubleshooting notes:
No AP or STA information is displayed:
- On a physical machine with a built-in wireless card, make sure it is enabled in the BIOS
- Confirm the wireless card works normally in regular managed mode
- Try disabling the network-manager service
- Try unloading (rmmod) and reloading (modprobe) the driver
airodump-ng stops capturing after running for a while:
- airmon-ng check kill
- Confirm the wpa_supplicant process has stopped
0x3 Injection with aireplay-ng
root@kali:~# aireplay-ng

  Aireplay-ng 1.2 rc4 - (C) 2006-2015 Thomas d'Otreppe
  http://www.aircrack-ng.org

  usage: aireplay-ng <options> <replay interface>

  Filter options:

      -b bssid  : MAC address, Access Point
      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length
      -n len    : maximum packet length
      -u type   : frame control, type    field
      -v subt   : frame control, subtype field
      -t tods   : frame control, To      DS bit
      -f fromds : frame control, From    DS bit
      -w iswep  : frame control, WEP     bit
      -D        : disable AP detection

  Replay options:

      -x nbpps  : number of packets per second
      -p fctrl  : set frame control word (hex)
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination  MAC address
      -h smac   : set Source       MAC address
      -g value  : change ring buffer size (default: 8)
      -F        : choose first matching packet

      Fakeauth attack options:

      -e essid  : set target AP SSID
      -o npckts : number of packets per burst (0=auto, default: 1)
      -q sec    : seconds between keep-alives
      -Q        : send reassociation requests
      -y prga   : keystream for shared key auth
      -T n      : exit after retry fake auth request n time

      Arp Replay attack options:

      -j        : inject FromDS packets

      Fragmentation attack options:

      -k IP     : set destination IP in fragments
      -l IP     : set source IP in fragments

      Test attack options:

      -B        : activates the bitrate test

  Source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

  Miscellaneous options:

      -R                    : disable /dev/rtc usage
      --ignore-negative-one : if the interface's channel can't be determined,
                              ignore the mismatch, needed for unpatched cfg80211

  Attack modes (numbers can still be used):

      --deauth      count : deauthenticate 1 or all stations (-0)
      --fakeauth    delay : fake authentication with AP (-1)
      --interactive       : interactive frame selection (-2)
      --arpreplay         : standard ARP-request replay (-3)
      --chopchop          : decrypt/chopchop WEP packet (-4)
      --fragment          : generates valid keystream (-5)
      --caffe-latte       : query a client for new IVs (-6)
      --cfrag             : fragments against a client (-7)
      --migmode           : attacks WPA migration mode (-8)
      --test              : tests injection and quality (-9)

      --help              : Displays this usage screen