[Traffic Analysis] Analyzing a Wireless Capture with Aircrack-ng

Aircrack-ng is a wireless attack tool that ships with Kali.
aircrack-ng --help # show the help text

1.6 - (C) 2006-2020 Thomas d'Otreppe
https://www.aircrack-ng.org
usage: aircrack-ng [options] <input file(s)>
Common options:
-a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
-e <essid> : target selection: network identifier
-b <bssid> : target selection: access point's MAC
-p <nbcpu> : # of CPU to use (default: all CPUs)
-q : enable quiet mode (no status output)
-C <macs> : merge the given APs to a virtual one
-l <file> : write key to file. Overwrites file.
Static WEP cracking options:
-c : search alpha-numeric characters only
-t : search binary coded decimal chr only
-h : search the numeric key for Fritz!BOX
-d <mask> : use masking of the key (A1:XX:CF:YY)
-m <maddr> : MAC address to filter usable packets
-n <nbits> : WEP key length : 64/128/152/256/512
-i <index> : WEP key index (1 to 4), default: any
-f <fudge> : bruteforce fudge factor, default: 2
-k <korek> : disable one attack method (1 to 17)
-x or -x0 : disable bruteforce for last keybytes
-x1 : last keybyte bruteforcing (default)
-x2 : enable last 2 keybytes bruteforcing
-X : disable bruteforce multithreading
-y : experimental single bruteforce mode
-K : use only old KoreK attacks (pre-PTW)
-s : show the key in ASCII while cracking
-M <num> : specify maximum number of IVs to use
-D : WEP decloak, skips broken keystreams
-P <num> : PTW debug: 1: disable Klein, 2: PTW
-1 : run only 1 try to crack key with PTW
-V : run in visual inspection mode
WEP and WPA-PSK cracking options:
-w <words> : path to wordlist(s) filename(s)
-N <file> : path to new session filename
-R <file> : path to existing session filename
WPA-PSK options:
-E <file> : create EWSA Project file v3
-I <str> : PMKID string (hashcat -m 16800)
-j <file> : create Hashcat v3.6+ file (HCCAPX)
-J <file> : create Hashcat file (HCCAP)
-S : WPA cracking speed test
-Z <sec> : WPA cracking speed test length of
execution.
-r <DB> : path to airolib-ng database
(Cannot be used with -w)
SIMD selection:
--simd-list : Show a list of the available
SIMD architectures, for this
machine.
--simd=<option> : Use specific SIMD architecture.
<option> may be one of the following, depending on
your platform:
generic
avx512
avx2
avx
sse2
altivec
power8
asimd
neon
Other options:
-u : Displays # of CPUs & SIMD support
--help : Displays this usage screen

aircrack-ng XXX.pcap # show the ESSID (the real ESSID has been replaced with 'ESSID')

root@Tracker:~/liuliang# aircrack-ng  XXX.cap
Reading packets, please wait...
Opening XXX.cap
Read 2986 packets.
# BSSID ESSID Encryption
1 F4:EE:14:4B:94:6C ESSID WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening XXX.cap
Read 2986 packets.
1 potential targets
Please specify a dictionary (option -w).

aircrack-ng -w password.txt XXX.cap # brute-force with a wordlist to recover the password (the password has been replaced with ********)

root@Tracker:~/liuliang# aircrack-ng -w password.txt XXX.cap 
Reading packets, please wait...
Opening XXX.cap
Read 2986 packets.
# BSSID ESSID Encryption
1 F4:EE:14:4B:94:6C ESSID WPA (1 handshake)
Choosing first network as target.
Reading packets, please wait...
Opening XXX.cap
Read 2986 packets.
1 potential targets
Aircrack-ng 1.6
[00:00:00] 5/10 keys tested (266.55 k/s)
Time left: 0 seconds 50.00%
KEY FOUND! [ ******** ]
Master Key : A5 3D F9 E4 2D 93 76 C8 A1 FB 22 38 CA 13 DF 3A
BB D0 8D 09 A6 99 74 59 A4 8F 90 2B 63 F2 76 D5

Transient Key : 2C B5 8B 75 2F EC 0B D0 92 C8 E4 34 55 05 E4 94
99 60 83 17 21 78 00 3A BE ED 57 5D 3F AA 4E A2
AC 0E E6 B1 64 63 FB D7 32 DB 85 F7 D5 FB 28 1E
CF 2E A6 97 0A 55 60 16 4C 07 1A D0 6C 00 00 00
EAPOL HMAC : 7A 35 0F D2 80 CB FF 4E 31 F8 1B EB EF 5E EC 00
root@Tracker:~/liuliang#

airdecap-ng -e ESSID -p ******** filename.pcap

root@Tracker:~/liuliang# airdecap-ng  -e ESSID -p ********  XXX.cap
Total number of stations seen 5
Total number of packets read 2986
Total number of WEP data packets 0
Total number of WPA data packets 580
Number of plaintext data packets 0
Number of decrypted WEP packets 0
Number of corrupted WEP packets 0
Number of decrypted WPA packets 528
Number of bad TKIP (WPA) packets 0
Number of bad CCMP (WPA) packets 0
root@Tracker:~/liuliang# ls
1.log XXX.cap _XXX-dec.cap.extracted hhh md5 output XXX-dec.cap 1.py essid.txt http mima.txt password.txt # XXX-dec.cap has now been created

At this point, XXX-dec.cap can be analyzed in Wireshark as usual.

  • Copyright: Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.
  • Copyrights © 2020 Tyrant-K