安全牛-無線滲透

無線滲透                                                 
與其餘節章獨立，涵蓋面廣，可獨立成課                          
無線技術變化快，難度大                                        
既新鮮4
刺激有壓力山大                                          
    咱們不會研究很深                                          
一半理論 一半實踐                                             
    理論是本章最有價值的部分(aircrack-ng suite做者寫的一本書)
無線技術是本課程難度最大的一章                                
    協議結構

無線技術特色
行業迅猛發展
互聯網的重要入口
邊界模糊
安全實施缺失並且困難
對技術不瞭解而形成配置不當
企業網絡私自接入AP破壞網絡邊界


802.11標準
IEE                                                                       
Intitue of Electrical and Electronics Engineers                           
由通訊航天生物電氣電子等方面的科學家組成，目的是制定標準，指導行業技術的發展，目前成員近40萬人                                              
IEEE分爲不一樣的技術委員會（Committees）,其中80委員會複製lan、man標準的制定
    以太網                                                                
    令牌環網                                                             
    無線局域網                                                            
    網橋


無線                    

應用層                  
表示層                  
會話層                 
傳輸層                  
網絡層                  
數據鏈路層              
    邏輯鏈路控制子層LLC
    媒體訪問控制子層MAC
物理層

注意：802.11工做在物理層與數據鏈路層





IEEE 802.11標準                                                             
802委員會下第11組負責開發無線局域網標準                                     
IEEE 802.1 1 The Original WLAN Standard- 1 Mbit/s and 2 Mbit/w,2.4GHz RF and IR                                                                          
IEEE 802.11 a 54 Mbit/s,5 GHz                                               
IEEE 802.11 b 802.11 Enhancements to Support 5.5 Mbit/s and 11 Mbit/s       
IEEE 802.11 c Bridge Operation Procedure                                    
IEEE 802.11 d International (Country to Country) Roaming Extensions         
IEEE 802.11 e Quality of Service (Qos),Including Packet Bursting            
IEEE 802.11 F Inter -Access Point Protocol                                  
IEEE 802.11 g 54 Mbit/s,2.4 GHz                                             
IEEE 802.11 h Spectrum Managed 802.11 a (5 GHz) for European Compatibility  
IEEE 802.11 i Enhanced Security


無線                                                                
IEEE 802.11 j Extensions for Japan                                  
IEEE 802.11 k Radio Resource Measurement Enhancements               
IEEE 802.11 n Higher Throughput Using Multiple Input,Multiple Ouput  (MIMO) Antennas                                                    
IEEE 802.11 p Wireless Access for the Vehicular Environment (WAVE)  
IEEE 802.11 r Fast BSS Transition (FT)                             
IEEE 802.11 s Mesh Networking,Extended Service Set (ESS)            
IEEE 802.11 T Wireless Performance Prediction (WPP)                 
IEEE 802.11 u Internetworking with Non -802 Networks (i.e.:Cellular)
IEEE 802.11 v wrieless Network Management


無線                                                                
IEEE 802.11 w Protected Management Frames                           
IEEE 802.11 y 3650 - 3700 MHz Operation in the US                   
IEEE 802.11 z Direct Link Setup (DLS) Extensions                    
IEEE 802.11 zm Maintenance of the Standard                          
IEEE 802.11 aa Robust Streatming of Audio Video Transport Streams   
IEEE 802.11 ac Very High Troughput < 6 GHz                          
IEEE 802.11 ad Very High Troughput, 60 GHz                          
IEEE 802.11 ae Qos Management                                       
IEEE 802.11 af TV Whitespace                                        
IEEE 802.11 ah SUb 1 GHz                                            
IEEE 802.11 ai Fast Initial Link Setip


平常使用                                                                             
IEEE 802.11 - The original WLAN standard                                              
IEEE 802.11 a - UP to 54 Mbit/s on 5 GHz                                              
IEEE 802.11 b - 5.5 Mbit/s and 11 Mbit/s  on 2.4 GHz                                  
IEEE 802.11 g - Up to 54 Mbit/s  on 2.4 GHz.Backward compatible with 802.11b          
IEEE 802.11 i - Provides enhanced security                                            
IEEE 802.11 n - Provides higher throughput with Multiple Input/Multiple Output (MIMO)


802.11                                                    
發佈於1997年                                              
速率1Mbps或2Mbps                                          
紅外線傳輸介質（未實現）                                  
無線射頻信號編碼（調製）（radio frequencies）             
    Direct-Sequence Spread-Spectrum (DSSS)-----直序擴頻   
    Frequency Hopping Spread-Spectrum (FHSS)-----跳頻擴頻
媒體訪問方式-----CSMA/CA c=b+log2 (1+s/n)                 
    根據算法偵聽必定時長                                  
    發送數據前發包聲明                                    
Request to Send/Clear to Send (RTS/CTS)



802.11b                                       
Complementary Code Keying (CCK)-----補充代碼鍵
    5.5 and 11 Mbit/s                         
    2.4GHz band (2.4GHz - 2.485GHz)           
    14個重疊的信道channels                    
    每一個信道22MHz寬帶                         
    只有三個徹底不重疊的信道                  
美國 -1 to 11 (2.412 GHz - 2.462 GHz)         
歐洲 -1 to 13 (2.412 GHz - 2.472 GHz)         
日本 -1 to 14 (2.412 GHz - 2.482 GHz)


802.11A                                                           
與802.11b幾乎同時發佈                                             
    因設備價格問題一直沒有獲得普遍使用                            
使用5GHz寬帶                                                      
    2.4GHz寬帶干擾源多（微波、藍牙、無繩電話）                    
    5HGz頻率有更多寬帶空間，可容納更多不重疊的信道                
    Orthogonal Frequency-Division Multiplexing (OFDM)信號調製方法
        正交頻分複用技術                                          
  更高速率54Mbps，每一個信道20MHz寬帶                             
  變頻                                                          
       5.15-5.35GHz室內                                          
        5.7-5.8GHz室外


802.11G                                                      
2.4GHz                                                        
Orthogonal Frequency-Division Multiplexing (OFDM)信號調製方法
與802.11a速率相同                                             
可全局江蘇，向後兼容802.11b,並切換爲CCK信號調製方法           
每一個信號20/22MHz寬帶

802.11N                                                   
2.4或5 GHz頻率                                            
    300Mbps最高600Mbps                                    
    Multiple-Input Multiple-Output (MIMO)多進多出通訊技術
    多天線，多無線電波，獨立收發信號                      
    可使用40MHz信道款單是數據傳輸速率翻倍               
全802.11n設備網絡中，可使用新報文格式，是速率達到最大   
每一個信道20/40MHz寬帶



無線網運行模式和無線網硬件設備及基本概念

無線網絡運行模式                      
Infrastructure                        
    AP 維護SSID                       
Ad-Hoc                                
    STA 維護SSID                      
Service Set Identifier(SSID)          
    AP每秒鐘約10次經過Beacon幀廣播SSID
    客戶端鏈接到無線網絡後也會宣告SSID


802.11                                                          
Infrastructure                                                  
    至少包含一個AP和一個STAT    ION，造成一個Basic Service Set (BSS)
    AP練級到有限網絡，稱爲Distribution System (DS)              
    鏈接到同一個DS的多個AP造成一個Extend Service Set (ESS)


AD-HOC                                      
也被稱爲Independent Basic Service Set (IBSS)
有至少2個STAs直接通訊組成                   
也稱爲peer to peer模式                      
其中一個STA負責AP的工做                     
    經過beacon廣播SSID                      
    對其餘STAs進行身份驗證


WIRELESS DISTRIBUTION SYSTEM (WDS)          
與有線DS相似，只是經過無線鏈接的多個AP組成的網絡
    Bridging------只有AP間彼此通訊              
    Repeating-----容許全部AP和STA進行通訊


MONITOR MODR                                        
Monitor不是一種真的無線模式                         
    可是對無線滲透相當重要                          
    容許無線網卡沒有任何篩選的(802.11包頭)          
    與有線網絡的混雜模式能夠類比                    
    合適的網卡和驅動不但能夠monitor，更能夠injection


Ommnipeek  抓包軟件
抓不到802.11的


無線網硬件設備及基礎概念
1.無線網卡準備              
物理機運行kali           
虛擬機運行kali            
  外置USB無線網卡       
    TL-WN722N （我的建議）
    dmesg                
    iwconfig


查看系統變化的信息
dmesg -T

查看無線網卡
iwconfig

2.選擇無線網卡                      
這是個痛苦或受挫的過程            
無線網卡的芯片信號成敗的關鍵      
臺式機                            
    USB無線網卡（不支持擴展天線）
    PCMCIA (16bit已停產802.11b)   
    Cardbus (32bit PCMCIA 8.0標準)
    Express Cards                 
    MiniPCI                       
    MINIpCI Express               
    PCI接口卡


選擇無線網卡                                                                        
發送功率：遠程鏈接                                                                     
接收靈敏性：適當下降靈敏度，接收效果更佳                                                
經驗但不是鐵律                                                                          
   Atheros或Realtek芯片                                                                
    沒有神器                                                                            
    兼容aircrack-ng suite                                                               
http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters


選擇無線網卡                                                
無線滲透網卡沒有所謂標準，可是Aircrack-ng suite 做者給出建議
Alfa Networks AWUS036H無線網卡                              
    Realtek 8187芯片                                        
    1000mW發送功率                                          
    天線: RP-SMA                                            
        可擴展

芯片。驅動。



無線技術概念


略


 Linux無線協議棧及配置命令
802.11協議棧                    
leee80211                       
    iwconfig                    
    iwlist                      
mac80211                        
    iw


無線網卡配置                    
查看無線網卡                    
    ifconfig                    
    iwconfig                    
    iw list                     
信道頻道                        
    iwlist wlan2 frequency      
    iw list

實戰
iw list  

無線網卡配置                                            
掃描附近AP                                              
    iw dev wlan2 scan | grep SSID                       
    iw dev wlan2 scan | egrep "DS\ Parameter\ set|SSID"
    iwlist wlan2 scanning | egrep "ESSID|Channel"       
添加刪除幀聽端口                                        
    service network-manager stop                        
    iw dev wlan2 interface add wlan2mon type monitor    
        tcpdump -s 0 -i wlan2mon -p                     
    iw dev wlan2mon interface del


實戰
掃描周圍無線
iw dev wlan2 scan
掃描周圍ssid的名稱
iw dev wlan0 scan | grep SSID
掃描周圍無線所處的信道，名稱
iw dev wlan2 scan | egrep "DS\ Parameter\ set|SSID"
掃描周圍無線所處的信道，頻率，名稱
iwlist wlan2 scanning | egrep "ESSID|Channel"
設置monitor模式
service network-manager stop   
iw dev wlan2 interface add wlan2mon type monitor    
查看monitor模式是否設置成功
iwconfig
ifconfig
ifconfig -a
ifconfig wlan0 up
ifconfig wlan0mon up
ifconfig
tcpdump -i wlan0mon -s 0 -w dump.cap
刪除網卡
iw dev wlan0mon interface del

查看當前狀態
service network-manager status
關閉
service network-manager stop
添加到啓動文件
vi  .bashrc
重啓以後,查看是否自啓
reboot
service network-manager status

步驟
ifconfig
ifconfig -a
ifconfig wlan0 up
iw dev wlan0 interface add wlan0mon type monitor
ifconfig wlan0mon up
iwconfig

802.11                                                  
協議棧                                                  
    http://www.kernel.org/doc/htmldocs/80211/index.html
無線驅動                                                
    http://linuxwireless.org/en/users/Drivers/

 

 

 

任務54  radiotap