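Aircrack-ng Package Description
Aircrack-ng is an 802.11 WEP and WPA-PSK key cracking program that can recover keys once enough data packets have been captured. It implements the standard FMS attack along with some optimizations, such as the KoreK attacks, as well as the all-new PTW attack, which makes the attack much faster than other WEP cracking tools. Source: http://aircrack-ng.org/
Aircrack-ng Homepage | Kali Aircrack-ng Repo
- Author: Thomas d'Otreppe, Original work: Christophe Devine
- License: GPLv2
0x01 Tools included in the aircrack-ng package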
airbase-ng - Configure fake access points
:~# airbase-ng --help

  Airbase-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe
  Original work: Martin Beck
  http://www.aircrack-ng.org

  usage: airbase-ng <options> <replay interface>

  Options:

      -a bssid         : set Access Point MAC address
      -i iface         : capture packets from this interface
      -w WEP key       : use this WEP key to en-/decrypt packets
      -h MAC           : source mac for MITM mode
      -f disallow      : disallow specified client MACs (default: allow)
      -W 0|1           : [don't] set WEP flag in beacons 0|1 (default: auto)
      -q               : quiet (do not print statistics)
      -v               : verbose (print more messages)
      -A               : Ad-Hoc Mode (allows other clients to peer)
      -Y in|out|both   : external packet processing
      -c channel       : sets the channel the AP is running on
      -X               : hidden ESSID
      -s               : force shared key authentication (default: auto)
      -S               : set shared key challenge length (default: 128)
      -L               : Caffe-Latte WEP attack (use if driver can't send frags)
      -N               : cfrag WEP attack (recommended)
      -x nbpps         : number of packets per second (default: 100)
      -y               : disables responses to broadcast probes
      -0               : set all WPA,WEP,open tags. can't be used with -z & -Z
      -z type          : sets WPA1 tags. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
      -Z type          : same as -z, but for WPA2
      -V type          : fake EAPOL 1=MD5 2=SHA1 3=auto
      -F prefix        : write all sent and received frames into pcap file
      -P               : respond to all probes, even when specifying ESSIDs
      -I interval      : sets the beacon interval value in ms
      -C seconds       : enables beaconing of probed ESSID values (requires -P)

  Filter options:
      --bssid MAC      : BSSID to filter/use
      --bssids file    : read a list of BSSIDs out of that file
      --client MAC     : MAC of client to filter
      --clients file   : read a list of MACs out of that file
      --essid ESSID    : specify a single ESSID (default: default)
      --essids file    : read a list of ESSIDs out of that file

      --help           : Displays this usage screen
0x02 aircrack-ng - Wireless password cracker
:~# aircrack-ng --help

  Aircrack-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
  http://www.aircrack-ng.org

  usage: aircrack-ng [options] <.cap / .ivs file(s)>

  Common options:

      -a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
      -e <essid> : target selection: network identifier
      -b <bssid> : target selection: access point's MAC
      -p <nbcpu> : # of CPU to use (default: all CPUs)
      -q         : enable quiet mode (no status output)
      -C <macs>  : merge the given APs to a virtual one
      -l <file>  : write key to file

  Static WEP cracking options:

      -c         : search alpha-numeric characters only
      -t         : search binary coded decimal chr only
      -h         : search the numeric key for Fritz!BOX
      -d <mask>  : use masking of the key (A1:XX:CF:YY)
      -m <maddr> : MAC address to filter usable packets
      -n <nbits> : WEP key length : 64/128/152/256/512
      -i <index> : WEP key index (1 to 4), default: any
      -f <fudge> : bruteforce fudge factor, default: 2
      -k <korek> : disable one attack method (1 to 17)
      -x or -x0  : disable bruteforce for last keybytes
      -x1        : last keybyte bruteforcing (default)
      -x2        : enable last 2 keybytes bruteforcing
      -X         : disable bruteforce multithreading
      -y         : experimental single bruteforce mode
      -K         : use only old KoreK attacks (pre-PTW)
      -s         : show the key in ASCII while cracking
      -M <num>   : specify maximum number of IVs to use
      -D         : WEP decloak, skips broken keystreams
      -P <num>   : PTW debug: 1: disable Klein, 2: PTW
      -1         : run only 1 try to crack key with PTW

  WEP and WPA-PSK cracking options:

      -w <words> : path to wordlist(s) filename(s)

  WPA-PSK options:

      -E <file>  : create EWSA Project file v3
      -J <file>  : create Hashcat Capture file
      -S         : WPA cracking speed test

  Other options:

      -u         : Displays # of CPUs & MMX/SSE support
      --help     : Displays this usage screen
0x03 airdecap-ng - Decrypt WEP/WPA/WPA2 capture files
:~# airdecap-ng --help

  Airdecap-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
  http://www.aircrack-ng.org

  usage: airdecap-ng [options] <pcap file>

  Common options:
      -l         : don't remove the 802.11 header
      -b <bssid> : access point MAC address filter
      -e <essid> : target network SSID

  WEP specific option:
      -w <key>   : target network WEP key in hex

  WPA specific options:
      -p <pass>  : target network WPA passphrase
      -k <pmk>   : WPA Pairwise Master Key in hex

      --help     : Displays this usage screen
0x04 airdecloak-ng - Removes WEP cloaking from a pcap file
:~# airdecloak-ng --help

  Airdecloak-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe
  http://www.aircrack-ng.org

  usage: airdecloak-ng [options]

  options:

   Mandatory:
     -i <file>             : Input capture file
     --ssid <ESSID>        : ESSID of the network to filter
        or
     --bssid <BSSID>       : BSSID of the network to filter

   Optional:
     --filters <filters>   : Apply filters (separated by a comma). Filters:
           signal:               Try to filter based on signal.
           duplicate_sn:         Remove all duplicate sequence numbers
                                 for both the AP and the client.
           duplicate_sn_ap:      Remove duplicate sequence number for
                                 the AP only.
           duplicate_sn_client:  Remove duplicate sequence number for the
                                 client only.
           consecutive_sn:       Filter based on the fact that IV should
                                 be consecutive (only for AP).
           duplicate_iv:         Remove all duplicate IV.
           signal_dup_consec_sn: Use signal (if available), duplicate and
                                 consecutive sequence number (filtering is
                                 much more precise than using all these
                                 filters one by one).
     --null-packets        : Assume that null packets can be cloaked.
     --disable-base_filter : Do not apply base filter.
     --drop-frag           : Drop fragmented packets

     --help                : Displays this usage screen
0x05 airdriver-ng - Provides status information about the wireless drivers on your system
:~# airdriver-ng --help
Found kernel: 3.3.12-kali1-686-pae.3.12-kali1-686-pae
usage: airdriver-ng <command> [drivernumber]
    valid commands:
        supported       - lists all supported drivers
        kernel          - lists all in-kernel drivers
        installed       - lists all installed drivers
        loaded          - lists all loaded drivers
        -----------------------------------------------------
        insert <drivernum>  - inserts a driver
        load <drivernum>    - loads a driver
        unload <drivernum>  - unloads a driver
        reload <drivernum>  - reloads a driver
        -----------------------------------------------------
        compile <drivernum> - compiles a driver
        install <drivernum> - installs a driver
        remove <drivernum>  - removes a driver
        -----------------------------------------------------
        compile_stack <stacknum>    - compiles a stack
        install_stack <stacknum>    - installs a stack
        remove_stack <stacknum>     - removes a stack
        -----------------------------------------------------
        install_firmware <drivernum>    - installs the firmware
        remove_firmware <drivernum>     - removes the firmware
        -----------------------------------------------------
        details <drivernum> - prints driver details
        detect              - detects wireless cards
0x06 aireplay-ng - Primary function is to generate traffic for later use in aircrack-ng
0x07 airmon-ng - This script can be used to enable monitor mode on wireless interfaces
:~# airmon-ng --help

usage: airmon-ng <start|stop|check> <interface> [channel or frequency]
0x08 airmon-zc - This script can be used to enable monitor mode on wireless interfaces
:~# airmon-zc --help

usage: airmon-zc <start|stop|check> <interface> [channel or frequency]
0x09 airodump-ng - Used for packet capture of raw 802.11 frames
:~# airodump-ng --help

  Airodump-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
  http://www.aircrack-ng.org

  usage: airodump-ng <options> <interface>[,<interface>,...]

  Options:
      --ivs                 : Save only captured IVs
      --gpsd                : Use GPSd
      --write <prefix>      : Dump file prefix
      -w                    : same as --write
      --beacons             : Record all beacons in dump file
      --update <secs>       : Display update delay in seconds
      --showack             : Prints ack/cts/rts statistics
      -h                    : Hides known stations for --showack
      -f <msecs>            : Time in ms between hopping channels
      --berlin <secs>       : Time before removing the AP/client
                              from the screen when no more packets
                              are received (Default: 120 seconds)
      -r <file>             : Read packets from that file
      -x <msecs>            : Active Scanning Simulation
      --manufacturer        : Display manufacturer from IEEE OUI list
      --uptime              : Display AP Uptime from Beacon Timestamp
      --output-format
                  <formats> : Output format. Possible values:
                              pcap, ivs, csv, gps, kismet, netxml
      --ignore-negative-one : Removes the message that says
                              fixed channel <interface>: -1

  Filter options:
      --encrypt <suite>     : Filter APs by cipher suite
      --netmask <netmask>   : Filter APs by mask
      --bssid <bssid>       : Filter APs by BSSID
      --essid <essid>       : Filter APs by ESSID
      -a                    : Filter unassociated clients

  By default, airodump-ng hop on 2.4GHz channels.
  You can make it capture on other/specific channel(s) by using:
      --channel <channels>  : Capture on specific channels
      --band <abg>          : Band on which airodump-ng should hop
      -C <frequencies>      : Uses these frequencies in MHz to hop
      --cswitch <method>    : Set channel switching method
                    0       : FIFO (default)
                    1       : Round Robin
                    2       : Hop on last
      -s                    : same as --cswitch

      --help                : Displays this usage screen
0x10 airodump-ng-oui-update - Downloads and parses the IEEE OUI list
airodump-ng-oui-update downloads and parses the IEEE OUI list.
0x11 airolib-ng - Designed to store and manage ESSID and password lists
:~# airolib-ng --help

  Airolib-ng 1.2 beta3 - (C) 2007, 2008, 2009 ebfe
  http://www.aircrack-ng.org

  Usage: airolib-ng <database> <operation> [options]

  Operations:

       --stats        : Output information about the database.
       --sql <sql>    : Execute specified SQL statement.
       --clean [all]  : Clean the database from old junk. 'all' will also
                        reduce filesize if possible and run an integrity check.
       --batch        : Start batch-processing all combinations of ESSIDs
                        and passwords.
       --verify [all] : Verify a set of randomly chosen PMKs.
                        If 'all' is given, all invalid PMK will be deleted.

       --import [essid|passwd] <file>   :
                        Import a text file as a list of ESSIDs or passwords.
       --import cowpatty <file>         :
                        Import a cowpatty file.

       --export cowpatty <essid> <file> :
                        Export to a cowpatty file.
0x12 airserv-ng - A wireless card server
:~# airserv-ng --help
airserv-ng: invalid option -- '-'

  Airserv-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau
  http://www.aircrack-ng.org

  Usage: airserv-ng <options>

  Options:

       -h         : This help screen
       -p  <port> : TCP port to listen on (default:666)
       -d <iface> : Wifi interface to use
       -c  <chan> : Channel to use
       -v <level> : Debug level (1 to 3; default: 1)
0x13 airtun-ng - Virtual tunnel interface creator
:~# airtun-ng --help

  Airtun-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
  Original work: Martin Beck
  http://www.aircrack-ng.org

  usage: airtun-ng <options> <replay interface>

      -x nbpps         : number of packets per second (default: 100)
      -a bssid         : set Access Point MAC address
                       : In WDS Mode this sets the Receiver
      -i iface         : capture packets from this interface
      -y file          : read PRGA from this file
      -w wepkey        : use this WEP-KEY to encrypt packets
      -t tods          : send frames to AP (1) or to client (0)
                       : or tunnel them into a WDS/Bridge (2)
      -r file          : read frames out of pcap file

  WDS/Bridge Mode options:
      -s transmitter   : set Transmitter MAC address for WDS Mode
      -b               : bidirectional mode. This enables communication
                       : in Transmitter's AND Receiver's networks.
                       : Works only if you can see both stations.

  Repeater options:
      --repeat         : activates repeat mode
      --bssid <mac>    : BSSID to repeat
      --netmask <mask> : netmask for BSSID filter

      --help           : Displays this usage screen
0x14 besside-ng - Automatically crack WEP and WPA networks
:~# besside-ng --help
besside-ng: invalid option -- '-'

  Besside-ng 1.2 beta3 - (C) 2010 Andrea Bittau
  http://www.aircrack-ng.org

  Usage: besside-ng [options] <interface>

  Options:

       -b <victim mac> : Victim BSSID
       -s <WPA server> : Upload wpa.cap for cracking
       -c       <chan> : chanlock
       -p       <pps>  : flood rate
       -W              : WPA only
       -v              : verbose, -vv for more, etc.
       -h              : This help screen
0x15 buddy-ng
:~# buddy-ng -h

  Buddy-ng 1.2 beta3 - (C) 2007,2008 Andrea Bittau
  http://www.aircrack-ng.org

  Usage: buddy-ng <options>

  Options:

       -h        : This help screen
       -p        : Don't drop privileges
0x16 easside-ng - An auto-magic tool that lets you communicate via a WEP-encrypted access point
:~# easside-ng -h

  Easside-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau
  http://www.aircrack-ng.org

  Usage: easside-ng <options>

  Options:

       -h              : This help screen
       -v <victim mac> : Victim BSSID
       -m <src mac>    : Source MAC address
       -i <ip>         : Source IP address
       -r <router ip>  : Router IP address
       -s <buddy ip>   : Buddy-ng IP address (mandatory)
       -f <iface>      : Interface to use (mandatory)
       -c <channel>    : Lock card to this channel
       -n              : Determine Internet IP only
0x17 ivstools - This tool handles .ivs files. You can either merge or convert them.
:~# ivstools

  ivsTools 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
  http://www.aircrack-ng.org

   usage: ivstools --convert <pcap file> <ivs output file>
        Extract ivs from a pcap file
       ivstools --merge <ivs file 1> <ivs file 2> .. <output file>
        Merge ivs files
0x18 kstats
:~# kstats
usage: kstats <ivs file> <104-bit key>
0x19 makeivs-ng - Generates initialization vectors
:~# makeivs-ng --help

  makeivs-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
  http://www.aircrack-ng.org

  usage: makeivs-ng [options]

  Common options:
      -b <bssid> : Set access point MAC address
      -f <num>   : Number of first IV
      -k <key>   : Target network WEP key in hex
      -s <num>   : Seed used to setup random generator
      -w <file>  : Filename to write IVs into
      -c <num>   : Number of IVs to generate
      -d <num>   : Percentage of dupe IVs
      -e <num>   : Percentage of erroneous keystreams
      -l <num>   : Length of keystreams
      -n         : Ignores ignores weak IVs
      -p         : Uses prng algorithm to generate IVs

      --help     : Displays this usage screen
0x20 packetforge-ng - Create encrypted packets that can subsequently be used for injection
:~# packetforge-ng --help

  Packetforge-ng 1.2 beta3 - (C) 2006-2013 Thomas d'Otreppe
  Original work: Martin Beck
  http://www.aircrack-ng.org

  Usage: packetforge-ng <mode> <options>

  Forge options:

      -p <fctrl>     : set frame control word (hex)
      -a <bssid>     : set Access Point MAC address
      -c <dmac>      : set Destination MAC address
      -h <smac>      : set Source MAC address
      -j             : set FromDS bit
      -o             : clear ToDS bit
      -e             : disables WEP encryption
      -k <ip[:port]> : set Destination IP [Port]
      -l <ip[:port]> : set Source IP [Port]
      -t ttl         : set Time To Live
      -w <file>      : write packet to this pcap file
      -s <size>      : specify size of null packet
      -n <packets>   : set number of packets to generate

  Source options:

      -r <file>      : read packet from this raw file
      -y <file>      : read PRGA from this file

  Modes:

      --arp          : forge an ARP packet    (-0)
      --udp          : forge an UDP packet    (-1)
      --icmp         : forge an ICMP packet   (-2)
      --null         : build a null packet    (-3)
      --custom       : build a custom packet  (-9)

      --help         : Displays this usage screen
0x21 tkiptun-ng - This tool is able to inject a few frames into a WPA TKIP network with QoS
:~# tkiptun-ng --help

  Tkiptun-ng 1.2 beta3 - (C) 2008-2013 Thomas d'Otreppe
  http://www.aircrack-ng.org

  usage: tkiptun-ng <options> <replay interface>

  Filter options:

      -d dmac   : MAC address, Destination
      -s smac   : MAC address, Source
      -m len    : minimum packet length (default: 80)
      -n len    : maximum packet length (default: 80)
      -t tods   : frame control, To DS bit
      -f fromds : frame control, From DS bit
      -D        : disable AP detection
      -Z        : select packets manually

  Replay options:

      -x nbpps  : number of packets per second
      -a bssid  : set Access Point MAC address
      -c dmac   : set Destination MAC address
      -h smac   : set Source MAC address
      -e essid  : set target AP SSID
      -M sec    : MIC error timout in seconds [60]

  Debug options:

      -K prga   : keystream for continuation
      -y file   : keystream-file for continuation
      -j        : inject FromDS packets
      -P pmk    : pmk for verification/vuln testing
      -p psk    : psk to calculate pmk with essid

  source options:

      -i iface  : capture packets from this interface
      -r file   : extract packets from this pcap file

      --help    : Displays this usage screen
0x22 wesside-ng - Auto-magic tool that incorporates a number of techniques to seamlessly obtain a WEP key
:~# wesside-ng -h

  Wesside-ng 1.2 beta3 - (C) 2007, 2008, 2009 Andrea Bittau
  http://www.aircrack-ng.org

  Usage: wesside-ng <options>

  Options:

       -h              : This help screen
       -i <iface>      : Interface to use (mandatory)
       -m <my ip>      : My IP address
       -n <net ip>     : Network IP address
       -a <mymac>      : Source MAC Address
       -c              : Do not crack the key
       -p <min prga>   : Minimum bytes of PRGA to gather
       -v <victim mac> : Victim BSSID
       -t <threshold>  : Cracking threshold
       -f <max chan>   : Highest scanned chan (default: 11)
       -k <txnum>      : Ignore acks and tx txnum times
0x23 wpaclean - Remove excess data from a pcap file
:~# wpaclean
Usage: wpaclean <out.cap> <in.cap> [in2.cap] [...]
0x24 airdriver-ng Usage Example
:~# airdriver-ng detect

USB devices (generic detection):
Bus 002 Device 009: ID 0846:9001 NetGear, Inc. WN111(v2) RangeMax Next Wireless [Atheros AR9170+AR9101]
Bus 001 Device 012: ID 050d:0017 Belkin Components B8T017 Bluetooth+EDR 2.1
Bus 001 Device 005: ID 0e0f:0008 VMware, Inc.
0x25 airmon-ng Usage Example
Start (start) monitor mode on the wireless interface (wlan0) on the desired channel (6):
:~# airmon-ng start wlan0 6
Interface Chipset Driver
wlan0 2-2: Atheros carl9170 - [phy4]
(monitor mode enabled on mon0)
0x26 airodump-ng Usage Example
Sniff on channel 6 (-c 6), filtering on a BSSID (--bssid 38:60:77:23:B1:CB), writing the capture to disk (-w capture), using the monitor mode interface (mon0):
:~# airodump-ng -c 6 --bssid 38:60:77:23:B1:CB -w capture mon0
CH 6 ][ Elapsed: 4 s ][ 2014-05-15 17:21
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 38:60:77:23:B1:CB  -79   0        7        0    0   6  54e  WPA2 CCMP   PSK  6EA10E
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
0x27 aircrack-ng Usage Example
Using the provided wordlist (-w /usr/share/wordlists/nmap.lst), attempt to crack the password in the capture file (capture-01.cap):
:~# aircrack-ng -w /usr/share/wordlists/nmap.lst capture-01.cap
Opening capture-01.cap
Read 2 packets.
   #  BSSID              ESSID                     Encryption
   1  38:60:77:23:B1:CB  6EA10E                    No data - WEP or WPA
Choosing first network as target.
Opening capture-01.cap
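Original article: https://www.hackfun.org/kali-tools/aircrack-ng_zh.html. Please credit the original source when reposting; for commercial use, contact the original author for authorization.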