Wireless network parameters
Cell 01 - Address: 78:EB:14:B9:96:6E
Channel:13 # channel
Frequency:2.472 GHz (Channel 13) # frequency
Quality=64/70 Signal level=-46 dBm # signal strength
Encryption key:on # encryption key???
ESSID:"FAST_966E" # Wi-Fi identifier (SSID)
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 9 Mb/s; 18 Mb/s; 36 Mb/s; 54 Mb/s
Bit Rates:6 Mb/s; 12 Mb/s; 24 Mb/s; 48 Mb/s
Mode:Master # Master mode (acts as a wireless AP); the four modes are Managed, Master, Ad-hoc and Monitor...
Extra:tsf=000000f350f206ae
Extra: Last beacon: 236ms ago
IE: Unknown: 0009464153545F39363645
IE: Unknown: 010882848B961224486C
IE: Unknown: 03010D
IE: Unknown: 2A0104
IE: Unknown: 32040C183060
IE: Unknown: 2D1AEE1117FFFF000001000000000000000000000000000000000000
IE: Unknown: 3D160D070600000000000000000000000000000000000000
IE: WPA Version 1 # WPA-1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
IE: IEEE 802.11i/WPA2 Version 1 # WPA2
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
IE: Unknown: 7F080000000000000000
IE: Unknown: 0B05030000127A
IE: Unknown: DD180050F2020101000003A4000027A4000042435E0062322F00
IE: Unknown: 4A0E14000A002C01C800140005001900
IE: Unknown: 0706434E20010D10
IE: Unknown: DD07000C4303000000
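iwlist prints every information element it does not decode as "IE: Unknown: <hex>", but those blobs are ordinary 802.11 TLVs (one byte element ID, one byte length, payload) and carry most of what the scan shows in decoded form: the SSID, the supported rates, the DS channel, the BSS load (including the number of associated stations) and the country element. The decoder below is an added example for these notes, not code from the original post or from the wireless-tools project; the sample input is the "IE: Unknown" lines of the FAST_966E scan above, copied verbatim, and the element IDs and field layouts follow the IEEE 802.11 standard.

```python
"""Decode the 'IE: Unknown: <hex>' lines that iwlist prints for a scanned cell.
Added example for these notes (not from the original post). The hex blobs are
the ones from the FAST_966E scan above; element IDs follow IEEE 802.11."""
import re

# Constructed input: the 'IE: Unknown' lines of the scan above, verbatim.
SCAN_IES = """
IE: Unknown: 0009464153545F39363645
IE: Unknown: 010882848B961224486C
IE: Unknown: 03010D
IE: Unknown: 2A0104
IE: Unknown: 32040C183060
IE: Unknown: 0B05030000127A
IE: Unknown: 0706434E20010D10
IE: Unknown: DD180050F2020101000003A4000027A4000042435E0062322F00
IE: Unknown: DD07000C4303000000
"""

def split_elements(hexblob: str):
    """Yield (element_id, payload) from a TLV hex string (1-byte ID, 1-byte length)."""
    data = bytes.fromhex(hexblob)
    pos = 0
    while pos + 2 <= len(data):
        eid, length = data[pos], data[pos + 1]
        payload = data[pos + 2:pos + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated element id=%d" % eid)
        yield eid, payload
        pos += 2 + length

def decode_rates(payload: bytes):
    """Supported / Extended Supported Rates: units of 500 kb/s, high bit = basic rate."""
    return [((b & 0x7F) / 2, bool(b & 0x80)) for b in payload]

def decode_element(eid: int, payload: bytes) -> dict:
    if eid == 0:
        return {"name": "SSID", "ssid": payload.decode("utf-8", "replace")}
    if eid in (1, 50):
        return {"name": "Supported Rates" if eid == 1 else "Extended Rates",
                "rates_mbps": decode_rates(payload)}
    if eid == 3:
        return {"name": "DS Parameter Set", "channel": payload[0]}
    if eid == 7:
        return {"name": "Country", "country": payload[:2].decode("ascii", "replace"),
                "first_channel": payload[3], "num_channels": payload[4],
                "max_tx_power_dbm": payload[5]}
    if eid == 11:
        return {"name": "BSS Load",
                "station_count": int.from_bytes(payload[0:2], "little"),
                "channel_utilization": payload[2]}
    if eid == 42:
        return {"name": "ERP Information", "flags": payload[0]}
    if eid == 221:
        return {"name": "Vendor Specific", "oui": payload[:3].hex(":")}
    return {"name": "Element %d" % eid, "raw": payload.hex()}

def decode_scan(text: str) -> list:
    """Decode every 'IE: Unknown' line of an iwlist scan block, in order."""
    out = []
    for line in text.splitlines():
        m = re.search(r"IE: Unknown: ([0-9A-Fa-f]+)", line)
        if not m:
            continue
        for eid, payload in split_elements(m.group(1)):
            out.append(decode_element(eid, payload))
    return out

if __name__ == "__main__":
    for el in decode_scan(SCAN_IES):
        print(el)
```

The decoded rates match the "Bit Rates" lines of the scan (1/2/5.5/11 Mb/s flagged as basic rates), the DS element gives channel 13, the country element reports "CN" with 13 channels, and the BSS Load element reports three associated stations.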
Basic commands
iwconfig
iwconfig is similar to ifconfig(8), but is dedicated to the wireless interfaces.
It is used to set the parameters of the network interface which are specific to the wireless operation (for example the frequency).
iwconfig may also be used to display those parameters, and the wireless statistics (extracted from /proc/net/wireless).
Usage: iwconfig [interface]
interface essid {NNN|any|on|off} # wireless-name connect
interface mode {managed|ad-hoc|master|...} # mode
interface freq N.NNN[k|M|G] # frequency
interface channel N # channel
interface bit {N[k|M|G]|auto|fixed} # speed
interface rate {N[k|M|G]|auto|fixed}
interface enc {NNNN-NNNN|off}
interface key {NNNN-NNNN|off}
interface power {period N|timeout N|saving N|off}
interface nickname NNN
interface nwid {NN|on|off}
interface ap {N|off|auto}
interface txpower {NmW|NdBm|off|auto}
interface sens N
interface retry {limit N|lifetime N}
interface rts {N|auto|fixed|off}
interface frag {N|auto|fixed|off}
interface modulation {11g|11a|CCK|OFDMg|...}
interface commit
Check man pages for more details.
- essid: Set the ESSID. The ESSID is used to identify cells which are part of the same virtual network. As opposed to the AP Address or NWID which define a single cell, the ESSID defines a group of cells connected via repeaters or infrastructure, where the user may roam transparently.
If the ESSID of your network is one of the special keywords (off, on or any), you should use -- to escape it.
iwconfig eth0 essid any # promiscuous mode
iwconfig eth0 essid "My Network" # specify an ESSID
iwconfig eth0 essid -- "ANY" # the ESSID is a keyword
- nwid: Set the Network ID. As all adjacent wireless networks share the same medium, this parameter is used to differentiate them (create logical colocated networks) and identify nodes belonging to the same cell.
iwconfig eth0 nwid AB34
iwconfig eth0 nwid off
- key/enc[ryption]: Used to manipulate encryption or scrambling keys and security mode.
route
show / manipulate the IP routing table
route [-CFvnNee] [-A family |-4|-6]
route [-v] [-A family |-4|-6] add [-net|-host] target [netmask Nm] [gw Gw] [metric N] [mss M] [window W]
[irtt I] [reject] [mod] [dyn] [reinstate] [[dev] If]
route [-v] [-A family |-4|-6] del [-net|-host] target [gw Gw] [netmask Nm] [metric M] [[dev] If]
route [-V] [--version] [-h] [--help]
# Examples
route add -net 127.0.0.0 netmask 255.0.0.0 metric 1024 dev lo
# adds the normal loopback entry, using netmask 255.0.0.0 and associated with the "lo" device (assuming this device was previously set up correctly with ifconfig(8)).
route add -net 192.56.76.0 netmask 255.255.255.0 metric 1024 dev eth0
# adds a route to the local network 192.56.76.x via "eth0". The word "dev" can be omitted here.
route del default
# deletes the current default route, which is labeled "default" or 0.0.0.0 in the destination field of the current routing table.
route del -net 192.56.76.0 netmask 255.255.255.0
# deletes the route. Since the Linux routing kernel uses classless addressing, you pretty much always have to specify the netmask, the same as seen in the 'route -n' listing.
route add default gw mango
# adds a default route (which will be used if no other route matches).
# All packets using this route will be gatewayed through the address of a node named "mango".
# The device which will actually be used for that route depends on how we can reach "mango" - "mango" must be on directly reachable route.
route add mango sl0
# Adds the route to the host named "mango" via the SLIP interface (assuming that "mango" is the SLIP host).
route add -net 192.57.66.0 netmask 255.255.255.0 gw mango
# This command adds the net "192.57.66.x" to be gatewayed through the former route to the SLIP interface.
route add -net 224.0.0.0 netmask 240.0.0.0 dev eth0
# This is an obscure one documented so people know how to do it. This sets all of the class D (multicast) IP routes to go via "eth0".
# This is the correct normal configuration line with a multicasting kernel.
# -----------------reject-----------------reject------------------------------------------
route add -net 10.0.0.0 netmask 255.0.0.0 metric 1024 reject
# This installs a rejecting route for the private network "10.x.x.x."
route -6 add 2001:0002::/48 metric 1 dev eth0
# This adds an IPv6 route with the specified metric to be directly reachable via eth0.
route related files
/proc/net/ipv6_route
/proc/net/route # values are written in hexadecimal...
/proc/net/rt_cache
arp
manipulate the system ARP cache
arp [-vn] [-H type] [-i if] [-ae] [hostname]
arp [-v] [-i if] -d hostname [pub]
arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]
arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub
arp [-v] [-H type] [-i if] -Ds hostname ifname [netmask nm] pub
arp [-vnD] [-H type] [-i if] -f [filename]
arp -i eth0 -Ds 10.0.0.2 eth1 pub # This will answer ARP requests for 10.0.0.2 on eth0 with the MAC address for eth1.
arp -i eth1 -d 10.0.0.1 # Delete the ARP table entry for 10.0.0.1 on interface eth1. This will match published proxy ARP entries and permanent entries.
# -s, --set set a new ARP entry
# -d, --delete delete a specified entry
root@yue:/usr/lib/bluetooth# arp -n
Address HWtype HWaddress Flags Mask Iface
192.168.1.100 ether f0:c9:d1:74:0e:fb C wlan0
192.168.1.1 ether 78:eb:14:b9:96:6e C wlan0
192.168.1.102 ether 70:79:38:b0:cd:72 C wlan0
arp related files
/proc/net/arp
/etc/networks
/etc/hosts
/etc/ethers
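The two /proc files listed under "route related files" and "arp related files" are what route -n and arp -n read: /proc/net/route stores destination, gateway and mask as hexadecimal 32-bit values in host byte order (little-endian on x86/ARM), and /proc/net/arp stores the cache with hexadecimal flag words. The parser below is an added example for these notes, not code from the original post or from net-tools. It reads both tables from constructed sample text shaped like the arp -n output above (gateway 192.168.1.1 at 78:eb:14:b9:96:6e on wlan0), decodes the flag bits with the RTF_* and ATF_* constants from the Linux headers, and adds one defensive check: that the default gateway still resolves to a pinned MAC, since a changed gateway MAC in the ARP cache is the classic symptom of gateway ARP spoofing.

```python
"""Read the kernel routing table and ARP cache from /proc/net in the form that
'route -n' and 'arp -n' show, then verify the default gateway's cached MAC
against a pinned value. Added example for these notes, not from the original
post. /proc/net/route holds little-endian hex addresses; flag values are the
RTF_*/ATF_* constants from the Linux headers."""
import socket
import struct

RTF_UP, RTF_GATEWAY, RTF_HOST, RTF_REJECT = 0x0001, 0x0002, 0x0004, 0x0200
ATF_COM, ATF_PERM, ATF_PUBL = 0x02, 0x04, 0x08

# Constructed sample files, modelled on the 'arp -n' output above (wlan0, gateway 192.168.1.1).
PROC_NET_ROUTE = """Iface\tDestination\tGateway \tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU\tWindow\tIRTT
wlan0\t00000000\t0101A8C0\t0003\t0\t0\t600\t00000000\t0\t0\t0
wlan0\t0001A8C0\t00000000\t0001\t0\t0\t600\t00FFFFFF\t0\t0\t0
"""
PROC_NET_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.100    0x1         0x2         f0:c9:d1:74:0e:fb     *        wlan0
192.168.1.1      0x1         0x2         78:eb:14:b9:96:6e     *        wlan0
"""

def hex_to_ip(h: str) -> str:
    """'0101A8C0' -> '192.168.1.1': the kernel prints the 32-bit address in host (LE) order."""
    return socket.inet_ntoa(struct.pack("<L", int(h, 16)))

def parse_route(text: str) -> list:
    """One dict per line of /proc/net/route, with addresses dotted and flags decoded."""
    routes = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue
        flags = int(f[3], 16)
        routes.append({"iface": f[0], "dest": hex_to_ip(f[1]), "gateway": hex_to_ip(f[2]),
                       "mask": hex_to_ip(f[7]), "metric": int(f[6]),
                       "up": bool(flags & RTF_UP), "via_gateway": bool(flags & RTF_GATEWAY),
                       "host": bool(flags & RTF_HOST), "reject": bool(flags & RTF_REJECT)})
    return routes

def parse_arp(text: str) -> dict:
    """Map IP -> (MAC, complete, permanent, published) from /proc/net/arp."""
    table = {}
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 6:
            continue
        flags = int(f[2], 16)
        table[f[0]] = (f[3], bool(flags & ATF_COM), bool(flags & ATF_PERM), bool(flags & ATF_PUBL))
    return table

def default_gateway(routes: list):
    """Destination 0.0.0.0 with mask 0.0.0.0 is the 'default' line of 'route -n'."""
    cands = [r for r in routes if r["up"] and r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    return min(cands, key=lambda r: r["metric"])["gateway"] if cands else None

def gateway_mac_matches(route_text: str, arp_text: str, pinned_mac: str) -> bool:
    """Defensive check: the gateway's cached MAC must equal the one we pinned."""
    gw = default_gateway(parse_route(route_text))
    entry = parse_arp(arp_text).get(gw)
    return entry is not None and entry[0].lower() == pinned_mac.lower()

if __name__ == "__main__":
    # On a live host pass open('/proc/net/route').read() and open('/proc/net/arp').read() instead.
    for r in parse_route(PROC_NET_ROUTE):
        print(r)
    print("gateway MAC pinned OK:",
          gateway_mac_matches(PROC_NET_ROUTE, PROC_NET_ARP, "78:EB:14:B9:96:6E"))
```

Note that the pinned MAC here is the AP address from the scan at the top of these notes, which is also what the arp -n listing shows for 192.168.1.1; a static entry set with arp -s (flag ATF_PERM) is the usual way to make that binding stick on a host that must not learn a new gateway MAC from the network.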
Common commands
usage: airmon-ng <start|stop|check> <interface> [channel or frequency] # enable monitor mode
aireplay-ng
aireplay -0 10 -a ap_essid -c client_mac wlan0 # force the client to disconnect from the AP
aireplay-ng -2 -p hex_frame_control_word -c client_mac -b filter_ap_mac -h mac wlan0 # interactive attack...
-0 <count>, --deauth=<count>  deauthentication --> breaks the Wi-Fi connection
This attack sends deauthentication packets to one or more clients which are currently associated with a particular access point.
Deauthenticating clients can be done for a number of reasons: recovering a hidden ESSID (an ESSID which is not being broadcast; another term for this is "cloaked"), capturing WPA/WPA2 handshakes by forcing clients to reauthenticate, or generating ARP requests (Windows clients sometimes flush their ARP cache when disconnected).
Of course, this attack is totally useless if there are no associated wireless clients or on fake authentications.
-1 <delay>, --fakeauth=<delay>  used when no client is connected to the AP, with WEP encryption... also used to obtain the PIN under WPS
The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP).
This is only useful when you need an associated MAC address in various aireplay-ng attacks and there is currently no associated client. It should be noted that the fake authentication attack does NOT generate any ARP packets.
Fake authentication cannot be used to authenticate/associate with WPA/WPA2 access points.
-2, --interactive
This attack allows you to choose a specific packet for replaying (injecting). The attack can obtain packets to replay from two sources.
The first is a live flow of packets from your wireless card. The second is a pcap file.
Reading from a file is an often overlooked feature of aireplay-ng. This allows you to read packets from other capture sessions; quite often, various attacks generate pcap files for easy reuse. A common use is reading a file containing a packet you created with packetforge-ng.
-3, --arpreplay
The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably.
The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV.
The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV.
It is all these new IVs which allow you to determine the WEP key.
-4, --chopchop
This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP.
This attack does not recover the WEP key itself, but merely reveals the plaintext. However, some access points are not vulnerable to this attack.
Some may seem vulnerable at first but actually drop data packets shorter than 60 bytes. If the access point drops packets shorter than 42 bytes, aireplay tries to guess the rest of the missing data, as far as the headers are predictable. If an IP packet is captured, it additionally checks if the checksum of the header is correct after guessing the missing parts of it. This attack requires at least one WEP data packet.
-5, --fragment
This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm).
This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng which are in turn used for various injection attacks.
It requires at least one data packet to be received from the access point in order to initiate the attack.
-6, --caffe-latte
In general, for an attack to work, the attacker has to be in the range of an AP and a connected client (fake or real). The Caffe Latte attack allows one to gather enough packets to crack a WEP key without the need of an AP; it just needs a client to be in range.
-7, --cfrag
This attack turns IP or ARP packets from a client into ARP requests against the client. This attack works especially well against ad-hoc networks. As well, it can be used against softAP clients and normal AP clients.
-8, --migmode
This attack works against Cisco Aironet access points configured in WPA Migration Mode, which enables both WPA and WEP clients to associate to an access point using the same Service Set Identifier (SSID). The program listens for a WEP-encapsulated broadcast ARP packet, bitflips it to make it into an ARP coming from the attacker's MAC address and retransmits it to the access point.
This, in turn, causes the access point to repeat the ARP packet with a new IV and also to forward the ARP reply to the attacker with a new IV.
The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV, as does the ARP reply forwarded to the attacker by the access point. It is all these new IVs which allow you to determine the WEP key.
airodump-ng
A WLAN normally uses one of three frequency bands (2.4 GHz, 3.6 GHz and 4.9/5.0 GHz), and each band contains several channels.
A wireless card can be tuned to only one channel at a time; it cannot tune to several channels simultaneously, so it cannot capture on several channels at once. airodump-ng therefore provides automatic channel hopping.
airodump-ng is used for packet capturing of raw 802.11 frames for the intent of using them with aircrack-ng.
If you have a GPS receiver connected to the computer, airodump-ng is capable of logging the coordinates of the found access points. Additionally, airodump-ng writes out a text file containing the details of all access points and clients seen.
usage: airodump-ng <options> <interface>[,<interface>,...]
options:
--ivs : Save only captured IVs # WEP/WPS initialization vectors
--write <prefix> : Dump file prefix # prefix of the file name to write to
-w : same as --write
--beacons : Record all beacons in dump file # beacon frames...
--update <secs> : Display update delay in seconds
--showack : Prints ack/cts/rts statistics # rts/cts frames are used to set up the link; ack
-h : Hides known stations for --showack
-r <file> : Read packets from that file # en
-x <msecs> : Active Scanning Simulation
--manufacturer : Display manufacturer from IEEE OUI list # manufacturer... vendor, manufacturer
--uptime : Display AP Uptime from Beacon Timestamp
--wps : Display WPS information (if any)
airodump-ng wlan0mon
airodump-ng --bssid ap_mac -c channel_id -w ./ap_name wlan0mon
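The -0/--deauth attack described above and the monitor-mode capture airodump-ng writes meet on the defender's side as a detection problem: deauthentication and disassociation are unprotected management frames in plain WPA/WPA2 (only 802.11w Protected Management Frames authenticates them), so a wireless IDS simply counts them per BSSID and alarms on bursts. The block below is an added example for these notes, not code from the original post or from the aircrack-ng project. It decodes the 802.11 MAC header (frame control, the three address fields, and the reason code of deauth/disassoc frames) and runs a sliding-window count over a constructed capture; the sample frames are hand-built from the standard's management-frame layout using the AP MAC from the scan above and a client MAC from the arp -n listing.

```python
"""Count 802.11 deauthentication/disassociation frames per BSSID over a time
window and flag bursts, as a wireless IDS does over the raw frames of a
monitor-mode capture (for example an airodump-ng .cap). Added example for these
notes, not from the original post. Sample frames are constructed from the
802.11 management-frame layout; the AP MAC is the one in the scan above."""
from collections import defaultdict

DEAUTH, DISASSOC, BEACON = 12, 10, 8   # management-frame subtypes

AP, CLIENT, BCAST = "78eb14b9966e", "f0c9d1740efb", "ffffffffffff"
# Header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2), then the body.
DEAUTH_FRAME = bytes.fromhex("c000" + "0000" + BCAST + AP + AP + "0000" + "0700")  # reason 7
BEACON_FRAME = bytes.fromhex("8000" + "0000" + BCAST + AP + AP + "1000"
                             + "00" * 8 + "6400" + "1104" + "0009464153545F39363645")
DATA_FRAME = bytes.fromhex("0800" + "0000" + AP + CLIENT + AP + "2000")  # type 2 data, client -> AP

def parse_frame(frame: bytes) -> dict:
    """Decode frame control and the three address fields of an 802.11 MAC header."""
    if len(frame) < 24:
        raise ValueError("short frame")
    fc0 = frame[0]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    info = {"type": ftype, "subtype": subtype,
            "addr1": frame[4:10].hex(":"), "addr2": frame[10:16].hex(":"),
            "addr3": frame[16:22].hex(":")}
    if ftype == 0 and subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        info["reason"] = int.from_bytes(frame[24:26], "little")  # reason code follows the header
    return info

def detect_deauth_bursts(capture, window_s=10.0, threshold=5) -> dict:
    """capture: iterable of (timestamp_seconds, frame_bytes).
    Returns {bssid: peak deauth/disassoc count in any window} for BSSIDs
    whose peak reached the threshold."""
    per_bss = defaultdict(list)
    for ts, raw in capture:
        f = parse_frame(raw)
        if f["type"] == 0 and f["subtype"] in (DEAUTH, DISASSOC):
            per_bss[f["addr3"]].append(ts)       # addr3 is the BSSID in management frames
    alerts = {}
    for bssid, times in per_bss.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[bssid] = peak
    return alerts

def sample_capture() -> list:
    """Constructed capture: beacons every 100 ms, one stray deauth, some data,
    then a burst of eight deauths starting at t = 5 s."""
    cap = [(i / 10, BEACON_FRAME) for i in range(0, 80)]
    cap.append((1.0, DEAUTH_FRAME))
    cap.append((2.0, DATA_FRAME))
    cap += [(t, DEAUTH_FRAME) for t in (5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7)]
    return sorted(cap, key=lambda x: x[0])

if __name__ == "__main__":
    print(detect_deauth_bursts(sample_capture()))
```

A single deauth every few minutes is normal (the AP evicting an idle client, a client leaving), which is why the detector keys on the rate rather than on any one frame; on a real capture the timestamps come from the pcap record headers and the frames from the packet data after the radiotap header, which this example skips.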
Source: CSDN
Author: guanyue.space
Link: https://blog.csdn.net/qq_34620855/article/details/103746526