Bully is a simple wireless auditing program: it lets me test WPS PINs against my own router or access point so I can tell whether it is secure enough. For example:
$ sudo bully mon0 --bssid 11:22:33:44:55:66 -v 3 --bruteforce --pin 63370000
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '6'
[!] Using 'AA:BB:CC:DD:EE:FF' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '11:22:33:44:55:66' on channel '6'
[+] Got beacon for 'NoamChomsky' (11:22:33:44:55:66)
[+] Loading randomized pins from '/root/.bully/pins'
[+] Index of starting pin number is '6337228'
[+] Last State = 'NoAssoc' Next pin '85389380'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '75329389'
[+] Rx( M5 ) = 'Pin1Bad' Next pin '99129385'
...
^C
Saved session to '/root/.bully/112233445566.run'
As you can see (note the "randomized pins"), the PINs are checked according to the WPS specification (so they do not seem to follow any logical order).
If I want to continue the test, there is no problem at all: the same command line automatically produces:
$ sudo bully mon0 --bssid 11:22:33:44:55:66 -v 3
[!] Restoring session from '/root/.bully/112233445566.run'
...
^C
But sometimes the interesting part is not to respect the WPS specification for the 8-digit PIN (regarding the checksum and so on), but to test all of them (also known as bruteforce mode).
Example (note the "sequential mode") starting from PIN 63370000:
$ sudo bully mon0 --bssid 11:22:33:44:55:66 -v 3 --bruteforce --pin 63370000
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '6'
[!] Starting pin specified, defaulting to sequential mode
[!] Using 'AA:BB:CC:DD:EE:FF' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '11:22:33:44:55:66' on channel '6'
[+] Got beacon for 'NoamChomsky' (11:22:33:44:55:66)
[+] Index of starting pin number is '63370000'
[+] Last State = 'NoAssoc' Next pin '63370000'
[+] Rx( M7 ) = 'Pin2Bad' Next pin '63370001'
[+] Rx( M7 ) = 'Pin2Bad' Next pin '63370002'
^C
Saved session to '/root/.bully/8c0ca32a2751.run'
The problem arises because, if the test is aborted (or there is a disconnection, or the computer hangs, etc.) and I want to continue later:
$ sudo bully mon0 --bssid 11:22:33:44:55:66 -v 3 --bruteforce --pin 63370000
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '6'
[!] Starting pin specified, defaulting to sequential mode
[!] Using 'AA:BB:CC:DD:EE:FF' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '11:22:33:44:55:66' on channel '6'
[+] Got beacon for 'NoamChomsky' (11:22:33:44:55:66)
[!] Restoring session from '/root/.bully/8c0ca32a2751.run'
[+] Index of starting pin number is '63370000'
[+] Last State = 'NoAssoc' Next pin '63370000'
[+] Rx( M7 ) = 'Pin2Bad' Next pin '63370001'
[+] Rx( M7 ) = 'Pin2Bad' Next pin '63370002'
it seems (note the sequence restarting from 63370000) that "Restoring session from" is not behaving correctly.
Oddly enough, testing all the numbers can take hours or even days, so resuming the task is very important here. What can I do to continue the WPS PIN test from where the program last stopped?
Answer 1
Find the last PIN tested from the stored progress file (the first number of the last line, up to the ":"):
$ tail /root/.bully/112233445566.run
# session ended 2014-04-27 03:08:48 with signal 2
63370002:63370002:1::
You can extract it directly with cut:
$ tail /root/.bully/112233445566.run -n 1 | cut -d ":" -f 1
63370002
and continue from there:
$ sudo bully mon0 --bssid 11:22:33:44:55:66 -v 3 --bruteforce --pin 63370002
[!] Bully v1.0-22 - WPS vulnerability assessment utility
[+] Switching interface 'mon0' to channel '6'
[!] Starting pin specified, defaulting to sequential mode
[!] Using 'AA:BB:CC:DD:EE:FF' for the source MAC address
[+] Datalink type set to '127', radiotap headers present
[+] Scanning for beacon from '11:22:33:44:55:66' on channel '6'
[+] Got beacon for 'NoamChomsky' (11:22:33:44:55:66)
[!] Restoring session from '/root/.bully/8c0ca32a2751.run'
[+] Index of starting pin number is '63370002'
[+] Last State = 'NoAssoc' Next pin '63370002'
[+] Rx( M7 ) = 'Pin2Bad' Next pin '63370003'
[+] Rx( M7 ) = 'Pin2Bad' Next pin '63370004'
I think the "Restoring session" message makes no sense here, but you can work around the problem anyway.
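The tail | cut one-liner from the answer breaks if the last line of the session file happens to be a comment (as it is right after "# session ended ..." is written, if bully ever appends the comment after the progress line) or if the file holds no progress line yet. The script below is an added example, not part of the question or the answer and not code from the bully project: it skips "#" comment lines, takes the first field of the last progress line, keeps the 8-digit zero padding, and fails with a non-zero exit status when there is nothing to resume from. The file layout (comment lines plus "next_pin:start_pin:count::" progress lines) is assumed from the tail output shown in the answer; the sample file is constructed inline.

```shell
#!/bin/sh
# Added example (not from the original Q&A or from bully itself): extract the
# PIN to resume a sequential bully run from a saved .run session file.
# Assumed layout, taken from the answer's tail output:
#   '#' comment lines, e.g. "# session ended 2014-04-27 03:08:48 with signal 2"
#   progress lines of the form  <next_pin>:<start_pin>:<count>::
# Only the first field of the LAST progress line is used.

bully_resume_pin() {
    # $1: path to a bully .run session file
    awk -F: '
        /^#/ { next }                            # skip comment lines
        $1 ~ /^[0-9]+$/ { pin = $1 }             # remember the latest progress line
        END {
            if (pin == "") { exit 1 }            # nothing recorded yet: tell the caller
            printf "%08d\n", pin                 # WPS PINs are 8 digits; keep leading zeros
        }
    ' "$1"
}

# Constructed sample session file mirroring the format shown in the answer.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# session ended 2014-04-27 03:08:48 with signal 2
63370002:63370002:1::
EOF

if resume_pin=$(bully_resume_pin "$demo_file"); then
    echo "resume the sequential test with: --bruteforce --pin $resume_pin"
else
    echo "no progress line found in $demo_file" >&2
fi
rm -f "$demo_file"
```

Using the first field of the last progress line matches what the answer does by hand; the awk pass simply makes the extraction robust to trailing comment lines and to an empty session, which is what you want before feeding the value back into --pin after a long-running test was interrupted.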