Preface: these are notes from the Tencent Classroom course "WiFi Attack and Defense (web security / penetration testing / white-hat hacking / network security)". The material is quite old, probably from 2015, and only the password-cracking part is covered; the content for the later sections is missing, so only their headings remain.
WiFi security chat
WiFi itself has vulnerabilities, and so do routers. For an attacker, a WiFi attack is the most efficient and reliable shortcut into the intranet: the traditional attack path is server -> firewall -> end user, but after compromising the WiFi the attacker reaches the user directly, and the firewall cannot detect it.
Once a WiFi network has been compromised, the victim may face unauthorised use of the broadband, privacy exposure (through ARP/DNS spoofing and hijacking, analysing the user's online traffic), account hijacking (through phishing websites that steal account credentials), host compromise (the attacker breaks into the machine), and so on.
Wireless penetration topology
Small network topology: uses WEP/WPA/WPA2 authentication.
Enterprise network topology: uses web portal / 802.1X authentication.
Wireless security terminology
Encryption standards include:
WEP: insecure. A challenge-response authentication protocol using the RC4 cipher; once enough IV packets have been captured, the key can be cracked.
WPA: uses TKIP/RC4. The attack is to capture the handshake and brute-force it with a dictionary.
WPA2: uses TKIP/AES. The attack is the same: capture the handshake and brute-force it with a dictionary.
Penetration test environment
The attacking machine first learns the WiFi password, then tries to attack the Cisco router, and then treats another computer on the same LAN as a zombie host (a "broiler" in Chinese hacker slang).
Wireless router setup: dial-up internet access, wireless WiFi, and DHCP.
Attacker setup: install Ubuntu Linux, which ships with many wireless attack and information-gathering tools that can be used directly. If the attacking machine has no built-in wireless card, a wireless card and its driver must be installed; a laptop host has a built-in card, but a virtual machine does not, so an external wireless adapter is needed.
WiFi penetration reconnaissance
* First use a WiFi hotspot scanner, such as WirelessMon (runs stably on Windows), Network Stumbler, inSSIDer, or WiFi Hack AIO (a toolset; more reliable on Win7; run the ISO as administrator).
Then follow the penetration order, planning the attack according to wireless encryption strength: attack WEP hotspots first, then WPA/WPA2 hotspots with WPS enabled, then WPA/WPA2 hotspots with clients connected, and finally WPA/WPA2 hotspots with no clients connected.
* After installing WirelessMon, the AP column refers to the wireless access point (short for AccessPoint). An AP is a wireless base station and belongs to the same category as WiFi: WiFi is the hotspot, and a wireless AP is the device that extends the hotspot. The channel is the frequency band, the transmission channel that carries data over the wireless signal. By regulation, China uses 13 channels, numbered 1-13. The more devices on the same channel, the weaker the WiFi signal, so for good home WiFi you should avoid using the same channel as the surrounding WiFi networks. For example, if your home uses channel 1 and everyone around you uses channel 2, that is fine; but if more and more neighbours start using channel 1, your WiFi signal will suffer and eventually your home network will be affected.
* After scanning with the tool, you need to know which networks are unencrypted and connectable (the ones that can be broken in the simplest way), whether any have WPS enabled, and whether any clients are connected to the WiFi.
* WirelessMon can also discover the names of hidden WiFi networks, which must be entered manually when connecting; hiding the SSID is one of the WiFi security levels.
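As an added example (not from the course or its tools), the following constructed Python script orders scanned access points by the crack-priority the notes describe (open, then WEP, then WPA/WPA2 with WPS, then WPA/WPA2 with clients, then WPA/WPA2 without clients) so a defender can see which of their own networks is most exposed, and picks the least-used 2.4 GHz channel following the channel advice above. The survey records and field names are constructed, not the output of any real scanner.

```python
# Constructed example: defender-side site-survey triage. The AP records
# below are made up and only imitate what a hotspot scanner would list.
from collections import Counter

# Lower rank = easier to attack, following the penetration order in the notes.
def risk_rank(ap):
    enc = ap["encryption"].upper()
    if enc == "OPEN":
        return 0, "open: no encryption at all"
    if enc == "WEP":
        return 1, "WEP: RC4/IV weakness, key recoverable from captured IVs"
    if enc in ("WPA", "WPA2"):
        if ap.get("wps"):
            return 2, f"{enc} with WPS on: PIN brute force possible"
        if ap.get("clients", 0) > 0:
            return 3, f"{enc} with clients: handshake can be captured"
        return 4, f"{enc} without clients: attacker must wait for a handshake"
    return 5, f"unknown encryption {enc!r}"

def triage(aps):
    """Return the APs sorted most-exposed first (ties broken by SSID)."""
    return sorted(aps, key=lambda ap: (risk_rank(ap)[0], ap["ssid"]))

def least_congested_channel(aps, channels=range(1, 14)):
    """Pick the channel (1-13, as used in China) shared with the fewest neighbours."""
    used = Counter(ap["channel"] for ap in aps)
    return min(channels, key=lambda ch: (used[ch], ch))

# Constructed survey records (hypothetical SSIDs).
SURVEY = [
    {"ssid": "CoffeeShop", "encryption": "OPEN", "channel": 1, "clients": 3},
    {"ssid": "OldRouter", "encryption": "WEP", "channel": 6, "clients": 0},
    {"ssid": "Home-A", "encryption": "WPA2", "channel": 1, "wps": True, "clients": 1},
    {"ssid": "Home-B", "encryption": "WPA2", "channel": 11, "wps": False, "clients": 2},
    {"ssid": "Office", "encryption": "WPA2", "channel": 1, "wps": False, "clients": 0},
]

if __name__ == "__main__":
    for ap in triage(SURVEY):
        rank, why = risk_rank(ap)
        print(f"{rank} {ap['ssid']:<11} {why}")
    print("least congested channel:", least_congested_channel(SURVEY))
```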
WiFi password cracking
1. WEP password cracking: capture enough IV packets.
---- Cracking tools: minidwep-gtk, feedingbottle, inflator 1.0, and others.
---- minidwep-gtk runs on Linux, and its scan output is similar to WirelessMon's. The tool works by capturing enough IV packets and then cracking the key. While minidwep-gtk is trying to crack the WiFi password: if no client is connected to the WiFi, it forges a client connection and cracking is slower; if a client is connected and keeps generating traffic (for example continuously pinging an IP), cracking is faster.
2. WPA/WPA2 password cracking: using EWSA and minidwep-gtk.
---- Alternatively, in minidwep-gtk select WPA/WPA2 as the encryption mode and then click Launch. As long as a client is connected to the WiFi and traffic is flowing, a WPA handshake will be captured. The password search is run on the graphics card, so it is relatively fast.
---- EWSA is used by importing the handshake (obtained from minidwep-gtk), then creating a new dictionary option and loading a CPU dictionary, after which the password can be recovered. Without a handshake it does not work.
3. WPS vulnerability password cracking: using Reaver to exhaust the PIN.
Some routers have the QSS function enabled, which lets others connect directly with a PIN code; this is also easier to crack. Use minidwep-gtk to scan for accounts tagged with WPS, then select Reaver to brute-force the PIN and recover the password.
WiFi intranet penetration
Cracking hidden-SSID hotspots
Bypassing MAC filtering
Bypassing the restriction of a disabled DHCP server
Wireless bridging to overcome weak signal
LAN traffic speed limiting
MITM: man-in-the-middle penetration to obtain accounts
Phishing websites to obtain accounts
Wireless router password brute force
15 rules for WiFi security defense