SniffAir is an open-source wireless security framework that helps you parse passively collected wireless data with little effort and launch sophisticated wireless penetration tests. It can also handle large or multiple pcap files, cross-checking them and analysing the traffic for potential security weaknesses. Besides the pre-built queries, SniffAir lets users write custom queries against the wireless data stored in its backend SQL database. SniffAir uses these queries to extract data for wireless penetration-test reports, and the same data can feed the attack modules bundled with SniffAir. The SniffAir framework was developed by @Tyl0us and @theDarracott.
Installation

SniffAir is developed on Python 2.7.
Tested and supported systems include Kali Linux, Debian and Ubuntu.
To install, run the setup.sh script:

$ ./setup.sh

Usage
(@Tyl0us & @theDarracott)

>> [default]# help

Commands
========
workspace             Manages workspaces (create, list, load, delete)
live_capture          Start a live wireless interface to collect wireless packets for parsing (interface name required)
offline_capture       Start parsing wireless packets from a pcap file; pcapdump works best (full path required)
offline_capture_list  Start parsing wireless packets from a list of pcap files; pcapdump works best (full path required)
query                 Execute a query against the contents of the active workspace
help                  Display the help menu
clear                 Clear the screen
show                  Show the contents of a table, all tables, or specific information about the available modules
inscope               Add an ESSID to the scope: inscope [ESSID]
SSID_Info             Show all information related to the inscope SSIDs (i.e. all BSSIDs, channels and encryption)
use                   Use a SniffAir module
info                  Show all variable information for the selected module
set                   Set a variable in a module
First, create or load a workspace with the workspace create or workspace load command followed by the workspace name. Use workspace list to view existing workspaces, and workspace delete followed by the name to remove one.
>> [default]# workspace
Manages workspaces
Command Option: workspaces [create|list|load|delete]
>> [default]# workspace create demo
[+] Workspace demo created
Use the offline_capture command followed by the full path of a pcap file to load its data into the active workspace. To load several pcap files at once, use offline_capture_list <full path to a file containing the list of pcap names>. To capture live wireless traffic instead, use the live_capture command followed by the interface name.
>> [demo]# offline_capture /root/sniffair/demo.pcapdump
[+] Importing /root/sniffair/demo.pcapdump
[+] Completed
[+] Cleaning Up Duplicates
[+] ESSIDs Observed
The show command

The show command displays the contents of a table, all tables, or specific information about the available modules. The syntax is as follows:
>> [demo]# show table AP
+------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------+
| ID   | ESSID     | BSSID             | VENDOR                        | CHAN   | PWR   | ENC   | CIPHER   | AUTH   |
|------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------|
| 1    | HoneyPot  | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. | 4      | -17   | WPA2  | TKIP     | MGT    |
| 2    | Demo      | 80:2a:a8:##:##:## | Ubiquiti Networks Inc.        | 11     | -19   | WPA2  | CCMP     | PSK    |
| 3    | Demo5ghz  | 82:2a:a8:##:##:## | Unknown                       | 36     | -27   | WPA2  | CCMP     | PSK    |
| 4    | HoneyPot1 | c4:6e:1f:##:##:## | TP-LINK TECHNOLOGIES CO. LTD. | 36     | -29   | WPA2  | TKIP     | PSK    |
| 5    | BELL456   | 44:e9:dd:##:##:## | Sagemcom Broadband SAS        | 6      | -73   | WPA2  | CCMP     | PSK    |
+------+-----------+-------------------+-------------------------------+--------+-------+-------+----------+--------+
>> [demo]# show SSIDS
---------
HoneyPot
Demo
HoneyPot1
BELL456
Hidden
Demo5ghz
---------
The query command returns a distinct data set selected by the parameters you specify. Its syntax is plain SQL, run against the tables of the active workspace.

Inscope

The inscope command adds an SSID to the inscope table and loads all of its related data into the inscope_AP, inscope_proberequests and inscope_proberesponses tables. To view a summary of every inscope SSID, run the SSID_Info command.

Modules

Modules either analyse the data held in a workspace or carry out a wireless attack from a single command. Some modules require additional variables, which are assigned with the set command:
>> [demo]# show modules
Available Modules
=================
[+] Auto EAP - Automated Brute-Force Login Attack Against EAP Networks
[+] Auto PSK - Automated Brute-Force Passphrase Attack Against PSK Networks
[+] AP Hunter - Discover Access Point Within a Certain Range Using a Specific Type of Encrpytion
[+] Captive Portal - Web Based Login Portal to Capture User Entered Credentials (Runs as an OPEN Network)
[+] Certificate Generator - Generates a Certificate Used by Evil Twin Attacks
[+] Exporter - Exports Data Stored in a Workspace to a CSV File
[+] Evil Twin - Creates a Fake Access Point, Clients Connect to Divulging MSCHAP Hashes or Cleartext Passwords
[+] Handshaker - Parses Database or .pcapdump Files Extracting the Pre-Shared Handshake for Password Guessing (Hashcat or JTR Format)
[+] Mac Changer - Changes The Mac Address of an Interface
[+] Probe Packet - Sends Out Deauth Packets Targeting SSID(s)
[+] Proof Packet - Parses Database or .pcapdump Files Extracting all Packets Related to the Inscope SSDIS
[+] Hidden SSID - Discovers the Names of HIDDEN SSIDS
[+] Suspicious AP - Looks for Access Points that: Is On Different Channel, use a Different Vendor or Encrpytion Type Then the Rest of The Network
[+] Wigle Search SSID - Queries wigle for SSID (i.e. Bob's wifi)
[+] Wigle Search MAC - Queries wigle for all observations of a single mac address
>> [demo]#
>> [demo]# use Captive Portal
>> [demo][Captive Portal]# info
Globally Set Varibles
=====================
Module: Captive Portal
Interface:
SSID:
Channel:
Template: Cisco (More to be added soon)
>> [demo][Captive Portal]# set Interface wlan0
>> [demo][Captive Portal]# set SSID demo
>> [demo][Captive Portal]# set Channel 1
>> [demo][Captive Portal]# info
Globally Set Varibles
=====================
Module: Captive Portal
Interface: wlan0
SSID: demo
Channel: 1
Template: Cisco (More to be added soon)
>> [demo][Captive Portal]#
Once all variables are set, run the exploit or run command to launch the module.
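The two analysis features above, the SQL query command and the Suspicious AP module, both come down to asking the AP table which radios claiming the same ESSID disagree on vendor or security settings, which is the signature a defender looks for when hunting rogue or evil-twin access points. The following is an added example, not SniffAir's own code: it rebuilds an AP table in an in-memory SQLite database using the column names shown by show table AP above (whether SniffAir's backend uses exactly these table and column names is an assumption), seeds it with the rows from that output plus one constructed rogue row, and runs two queries of the kind an analyst could type into the query command.

```python
import sqlite3

# Constructed sample rows mirroring the columns of the AP table printed by
# "show table AP" above. The trailing BSSID octets are masked in the page's
# output and are kept masked here. Row 6 is a constructed addition: a second
# radio advertising the "Demo" ESSID from an unknown vendor, on another
# channel, as an open network (the classic evil-twin pattern).
SAMPLE_AP_ROWS = [
    (1, "HoneyPot",  "c4:6e:1f:##:##:##", "TP-LINK TECHNOLOGIES CO. LTD.", 4,  -17, "WPA2", "TKIP", "MGT"),
    (2, "Demo",      "80:2a:a8:##:##:##", "Ubiquiti Networks Inc.",        11, -19, "WPA2", "CCMP", "PSK"),
    (3, "Demo5ghz",  "82:2a:a8:##:##:##", "Unknown",                       36, -27, "WPA2", "CCMP", "PSK"),
    (4, "HoneyPot1", "c4:6e:1f:##:##:##", "TP-LINK TECHNOLOGIES CO. LTD.", 36, -29, "WPA2", "TKIP", "PSK"),
    (5, "BELL456",   "44:e9:dd:##:##:##", "Sagemcom Broadband SAS",        6,  -73, "WPA2", "CCMP", "PSK"),
    (6, "Demo",      "02:00:00:00:00:01", "Unknown",                       1,  -40, "OPN",  "",     "OPN"),
]

# Self-join: every AP whose ESSID is also advertised by a *different* BSSID
# with a different vendor or security profile. Both sides of a conflict are
# returned so the analyst sees the legitimate AP next to the suspect one.
SUSPICIOUS_AP_QUERY = """
SELECT DISTINCT a.ESSID, a.BSSID, a.VENDOR, a.CHAN, a.ENC, a.CIPHER, a.AUTH
FROM AP AS a
JOIN AP AS b
  ON a.ESSID = b.ESSID AND a.BSSID <> b.BSSID
WHERE a.VENDOR <> b.VENDOR
   OR a.ENC    <> b.ENC
   OR a.CIPHER <> b.CIPHER
   OR a.AUTH   <> b.AUTH
ORDER BY a.ESSID, a.BSSID
"""

# Per-ESSID summary: how many radios, distinct vendors and distinct
# enc/cipher/auth profiles serve each name. A healthy multi-AP deployment has
# one vendor and one profile across all its radios (channels may differ).
ESSID_CONFLICT_QUERY = """
SELECT ESSID,
       COUNT(DISTINCT BSSID)                          AS radios,
       COUNT(DISTINCT VENDOR)                         AS vendors,
       COUNT(DISTINCT ENC || '/' || CIPHER || '/' || AUTH) AS security_profiles
FROM AP
GROUP BY ESSID
HAVING vendors > 1 OR security_profiles > 1
ORDER BY ESSID
"""


def load_ap_table(rows):
    """Create an in-memory AP table with the show-table-AP columns and load rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE AP (ID INTEGER, ESSID TEXT, BSSID TEXT, VENDOR TEXT, "
        "CHAN INTEGER, PWR INTEGER, ENC TEXT, CIPHER TEXT, AUTH TEXT)"
    )
    conn.executemany("INSERT INTO AP VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_suspicious_aps(conn):
    """Return one dict per AP involved in a same-ESSID vendor/security conflict."""
    cur = conn.execute(SUSPICIOUS_AP_QUERY)
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def essid_conflicts(conn):
    """Return (ESSID, radios, vendors, security_profiles) for conflicting ESSIDs."""
    return conn.execute(ESSID_CONFLICT_QUERY).fetchall()


if __name__ == "__main__":
    db = load_ap_table(SAMPLE_AP_ROWS)
    for essid, radios, vendors, profiles in essid_conflicts(db):
        print(f"[!] {essid}: {radios} radios, {vendors} vendors, {profiles} security profiles")
    for ap in find_suspicious_aps(db):
        print("    ", ap["ESSID"], ap["BSSID"], ap["VENDOR"], "ch", ap["CHAN"],
              ap["ENC"], ap["CIPHER"], ap["AUTH"])
```

Channel is deliberately left out of the conflict test: a legitimate multi-AP network spreads its radios across channels, so a channel difference alone is informational, while a vendor or authentication mismatch on the same ESSID is worth a closer look every time.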
Exporting

Use the Exporter module to export all information stored in the workspace tables to a path of your choice.