From wireless security to intranet penetration

What can I do after the Internet? : Http://www.bkjia.com/Article/201405/304310.html, I do not know you have seen? You may also have heard about the hot-rising vro security vulnerabilities. Do you think your vro is still safe? :) the security of your vro is getting hotter and hotter. If something goes wrong, you must be beaten, so today, I will give you the knowledge of wireless network security under shoes and science. Do you think it is safe to add a secret? Break through this first line of defense, with a smile, a wood, and WiFi in your hands, I have ~

1. Powerful weapons

As the saying goes, it's hard to get a cup of cake without rice. This requires hardware support. You need to buy a USB wireless network card. Of course, the network card does not work as needed. The specific chip provides better support for the cracking algorithm. For more information, see AR9271, 8187L, and RT3070. From my practical experience, the virtual flags of 8187 and 3070 are serious, and the signals of 9271 are more authentic. After the hardware is finished, it is the turn of the Software. You can choose the famous kali penetration testing system. It feels a little useless. In fact, you can simply use the customized version of cdlinux, which is very popular on the Internet, more than 100 M has already integrated many WiFi cracking tools for you. If kali is used, you need to manually install the deb package. We do not recommend using "bare metal" such as Ubuntu. It doesn't matter if you don't bother installing all the dependent packages. Common tools include minidwep-gtk, feedingbottle, inflator, and reaver. In kali, you must install it manually except for the integrated reaver. Run the dpkg-I xx. deb command. The tools I mentioned have been integrated in cdlinux. These tools depend on aircrack-ng, where minidwep-gtk and feedingbootle are the GUI versions of aircrack-ng, and inflator is the GUI version of reaver.

2. "seckill" WEP Encryption

Rice is ready, ready to go off the pot, connect the wireless network card to the virtual machine, and start working. First, under ifconfig, confirm to recognize the wireless network card wlanx ~

Since it is popular science, let's start with the oldest WEP encryption. This encryption method is rarely seen now. If you find that the wep encryption signal is used around, it will be cool, if you cannot take it, you will be despised. The wep encryption method has inherent algorithm defects. As long as enough data packets are captured, the Wi-Fi plaintext password can be restored. For more information about algorithm security, see Google. Wep can be easily implemented using minidwep-gtk. Here I will use minidwep to describe it, because the operation is simple, automatic, and feedingbottle is similar, but it is slightly difficult to be suitable for students. Enable minidwep, scan the signal, and select wep for the encryption method encryption. Run lanch, drink saliva, and other passwords ~

See the key, that is the password you want. No matter how complicated the password is, cracking is only a matter of time. You only need to wait. Feedingbottle is similar to minidwep, But you need to learn more about the working principle of aircrack-ng kit in order to be flexible.

That is to say, wep encryption belongs to the second-kill level, but you still need to face the brutal reality of wpa. The problem is that you like to set a weak password for Wi-Fi. You can use the dictionary to fix the password like Evi1m0. Think about your Wi-Fi password :)

3. WPA encryption Countermeasure

Two methods are available for WPA password cracking:

• Capture the WPA handshake package and run the dictionary to determine the success rate.

• It takes time for reaver to raise the pin code, but if it is feasible, the password can be cracked.

 

3.1 packet capture attack

Let's talk about the first one. Grasp the bag and run the dictionary. It mainly depends on the fact that your dictionary is not powerful. It's time to spell the character. It's the same as cracking wep, select the signal point lanch to start packet capture. When packet capture is performed, the router must be used by users to prevent the other party from going offline due to attacks, capture the four handshake packets for WPA authentication during Automatic reconnection. If you haven't found an online client, you won't be able to catch the package. You can only try again when someone is using it.

The following prompt is displayed, indicating that the packet has been captured successfully. Copy the packet and use EWSA to verify whether it is a complete handshake package. The complete handshake information must be included in the four handshakes to be used for cracking.

Only valid data packets are prompted for dictionary cracking. data packets like the following can be used.

Next let's get out of the hash artifact, hashcat. Some may wonder why I don't need to use ewsa to directly run the dictionary, because hashcat is much more efficient than ewsa and has many powerful functions, if the dictionary does not run the password, you can continue using flexible and variable brute force rules. We recommend that you use hashcat-GUI for beginners. The interface operations are much simpler. The wpa encryption method is not as vulnerable as wep encryption. If you are wrong, you may like to use weak passwords. refer to the following examples ~

• 8-digit pure number

• Local Fixed Line

• Local mobile phone number

• Weak Password (1234567890, etc)

Are you lying down? These are the pace of seckilling in minutes. In particular, the local mobile phone number is the most popular password for most people. Among the 16 Wi-Fi passwords I cracked, 13 were mobile phone numbers or fixed phone numbers. In fact, hashcat is also the software used to run the wpa password called by minidwep, but in the virtual machine, the efficiency can be imagined. You can use a video card to run hashcat outside the host, which improves the efficiency exponentially. The usage of hashcat will not be described in detail, Baidu will have it ~

3.2 spam code attack

Next, we will focus on the second method to crack wpa encryption and use reaver to run the pin code. Most wireless routers have a WPS fast connection function. As long as you enter the correct pin Management Code of the router during the connection, you can automatically negotiate the key to connect to WiFi according to the algorithm. This pin code is an 8-bit pure number. The first 4 digits and the last 4 digits are verified separately, the 8th bits are the verification codes (the first seven bits can be used according to a certain algorithm ). That is to say, if you want to raise this pin code, you only need 10 ^ 4 + 10 ^ 3 = 11000 times. reaver is the tool for this errand. As long as the vro has enabled the WPS function and does not lock the WPS mechanism, you can try the Correct pin code. After obtaining the pin code, you can get the wpa password. In most cases, the WPS function is enabled at the factory of the router :). However, it should be noted that some routers will be locked when the pin code is tried or error multiple times. In this case, the first type of packet capture password can only be used.

The following describes how to use reaver.

Enable the hybrid mode of the network card, and run the airmon-ng start wlan1 command. If the monitor mode enabled on mon0 is displayed, the network card is successfully enabled. Run the wash-I mon0-C command to search for the ap that supports WPS. In the figure, the BSSID is the mac address of the ap, the channel is the channel, and the received signal value. The smaller the number, the stronger the signal. The WPS Locked is the locking mechanism of the WPS, And the ESSID is the signal name. Select an ap with a stronger signal without the WPS locking mechanism, and then use reaver to crack the attack. The signal difference is inefficient and may cause packet loss. errors may occur from time to time. Pay attention to parameter adjustment.

List several common reaver Parameters

 

-I listener Interface Name Nic monitoring interface, usually mon0-b target mac address AP MAC address-a automatic detection target AP optimal configuration-S using the smallest DH key, it can increase the cracking speed-vv shows more non-serious warnings-d is the delay, and the idle time of every exhaustive call is set to 1 second-t, that is, timeout, timeout: the maximum time required to wait for feedback.-c specifies the channel. You can easily find the four or eight bits of the signal-p PIN code (if it is 7 bits, 8th bits are automatically supplemented) -N does not send NACK information (if the pin remains unchanged, you can try this parameter)-n always sends NACK to the target AP

 

For example

Reaver-I mon0-B 00: 11: 22: 33: 44: 55-a-S-d 3-t 3-vv-c 6

It is particularly important to adjust the-d and-t parameters according to the feedback from reaver. If the pin speed is too fast, the pin will die and an infinite error will be reported, that is, it will die, you can only restart the vro. Especially when the signal is poor, pay attention to this point.

Then shake some dry goods:

The-S parameter cannot be added to some routers of the communications department and Dlink. Otherwise, the Correct pin code is not displayed. If a signal reaches 99.99% or no password is generated, you can remove the-S parameter. Alternatively, you can use wireshark to analyze the package before running reaver to determine the router brand.

When the signal is bad, the Correct pin code may be missing if the verification is unsuccessful. You only need to specify the-n parameter.

If you are not sure about the rhythm pin, you can try to use mdk3 to attack the target router and force the router owner to restart the router.

The first six MAC addresses of the wireless router are C83A35, 00B00C (tengda), or 081075,081076 (which can be used in the detection section). You can calculate the Correct pin code based on the last six digits of the MAC, the built-in scientific calculator can be used for accurate calculation.

Turn the calculator into a programmer type and select the hexadecimal format, for example, the MAC address 08: 10: 76: 0F: B3: 5C. Take the last six digits, after the input, select decimal to calculate the first seven digits of the pin code. Then, use the-p parameter to specify the 7-bit pin code to exit the password. The 8th-bit program will automatically complete the password.

To sum up, if WEP is used for encryption, you can use minidwep to hang a password. If wpa is used, you can capture the handshake bag, run the dictionary with hashcat, and run the pin code with reaver, if hashcat is done, turn off reaver. Otherwise, you can wait for it honestly. The average reaver speed will take half a day to stay overnight, therefore, reaver is suitable for Fixed-Point serving. ==# here we will not repeat the inflator usage. reaver's interface version is easier to operate. If you have mastered the reaver of the command line, inflator is easy to use.

4. left-side

In addition, a opportunistic approach is provided to obtain the Wi-Fi password with the WiFi universal key, provided that the root Android phone is already in use. I believe everyone is familiar with the WiFi universal key. The WiFi universal key obtains the password shared by others from the server to connect to the WiFi. After being disconnected, the password is cleared. The key point is that the Wi-Fi password is stored in/data/misc/WiFi/wpa_supplicant.conf on the local machine during the connection process. We can forcibly terminate the wifi universal key process, the password will be permanently saved. In this case, use the File Manager such as re or es browser to open/data/misc/wifi/wpa_supplicant.conf and you will see the password.

You can also install an app, search for the WiFi connection manager, and press and hold the display password. root permissions are required.

 

I will talk about it here. If you have any other ideas, please add them. If you master the above methods, more than 80 percent of WiFi encryption can be easily broken through, I promise, do you want me to show you my WiFi password book ;)

5. Preventive measures

After breaking through this first line of defense, you will be in the same LAN as the other party. What can you do at this time? arp spoofing, Trojan, metasploit, you know, there is no privacy at all, keke, be careful when you look at the door

When science popularization is complete, we need to talk about anti-cracking measures. After all, it is very dangerous to have an uninvited guest in your lan. You will know what the goddess said. It's okay to choose wpa for encryption. The password should be strong enough, and weak passwords should be weak. Well, just like wujt @ 396900 * & a slightly powerful password like this ~ However, do not forget to disable the WPS function of the router in the settings. In the vro settings such as tplink, it is called the QSS Function ~ Do not share your Wi-Fi password ~! In theory, your WiFi is unbreakable unless he uses a supercomputer to run your password ;)

Next episode notice ~ Would you like to put a sense of presence in someone else's lan? It is said that non-trivial hackers are not good hackers. In the next episode, I will explain to you the trivial matter of defending themselves in the wireless LAN.