coWPAtty for Windows MAIN:, M. e- O: L/ T. D9 b
"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright. 2 @2 m! A) c- j) M
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html
3 H; t% j- z) Y _* S! @/ ]
6 c$ U% y" T; `2 ^9 K* KLocal Mirror: Cowpatty-4.0-win32.zip MD5: aa9ead2aacfcc493da3684351425d4c6
3 E+ g7 B1 }9 G$ O
% \ n6 e- K/ ]9 d: d! i# B6 B/ U
coWPAtty Dictionary Attack
% |. B# C+ r; K( `* e$ P
Precomputing WPA PMK to crack WPA PSK
5 D+ `( h2 H2 m) p1 {coWPAtty Precomputed WPA Attack
- n- F$ e2 f% icoWPAtty Recomputed WPA2 Attack
9 {% k# Q6 u- K* ecoWPAtty Tables
$ A- n8 C" b5 ^+ D& }; X) Z6 r
coWPAtty Usage:
2 J. A4 p1 U- n2 R4 D% }8 ~
* N1 A$ V" M, X! q6 A/ [6 T
3 U% r# {& M2 b3 y8 l% T2 ^coWPAtty Dictionary Attack:; L9 \" L8 s+ v' U, c
Toperform the coWPAtty dictionary attack we need to supply the tool witha capture file that includes the TKIP four-way handshake, a dictionaryfile of passphrases to guess with and the SSID for the network.
4 j( E+ `( [' {6 n4 UIn orderto collect the four-way handshake you can either wait until a clientjoins the network or preferably you can force it to rejoin the networkusing tools like void11 or aireplay and capture the handshakes usingsomething like kismet, ethereal or airodump.
* c5 f1 A1 e; A5 [6 j scowpatty -f dict -r wpapsk-linksys.dump -s linksys
( o) [; b8 }9 ?! i$ l" n" i# r6 P
2 P+ W2 M+ Y- }7 G* p( {9 u
$ K/ [! a" U' Q, v I v
/ f( z* U3 `/ e# f
( Y1 z$ S8 r( Y) D% C& B7 S+ W
As youcan see this simple dictionary attack took 51 seconds, we can speed upthis process by precomputing the WPA-PMK to crack the WPA-PSK (seebelow).
. k% h+ @& s" X" \wpapsk-linksys.dump is the capture containing the four-way handshake
: T4 l j. \/ ?+ S& w1 ^* M7 fdict is the password file
- P4 X0 j' @8 o/ T$ M* o" C& F' B: |
linksys is the network SSID
8 R% |: o7 @% M4 a& \
8 C" `! S8 H# K" J/ E# R( g
Precomputing WPA PMK to crack WPA PSK:8 H4 N3 x& k9 g* t
genpmkis used to precompute the hash files in a similar way to Rainbow tablesis used to pre-hash passwords in Windows LANMan attacks. There is aslight difference however in WPA in that the SSID of the network isused as well as the WPA-PSK to "salt" the hash. This means that weneed a different set of hashes for each and every unique SSID i.e. aset for "linksys" a set for "tsunami" etc.
; u7 }- i* @* C, Q
, D& I( R& V& ]" Q. j: q
So to generate some hash files for a network using the SSID cuckoo we use:
3 t3 y$ e q+ ^5 L$ q5 U% G9 ^
+ j# o: v% I* ^1 L$ [genpmk -f dict -d linksys.hashfile -s linksys
7 u- u; L2 }, S. ^$ p
9 C8 N$ D) Z K9 b7 K" O
! B2 O" u1 ?- K% X- R, V$ F2 z6 }
( d+ S+ P; h$ Z" D7 j4 D3 ~dict is the password file
# w' K7 w6 H$ p7 A1 h4 llinksys.hashfile is our output file
r& L( Q/ M2 Q+ F+ H. |! O
linksys is the network ESSID
! [' K- k. G- n
6 N3 i6 o8 O7 S* q, KcoWPAtty Precomputed WPA Attack:9 U. p: B6 [( h/ B B1 ~
Now wehave created our hash file we can use it against any WPA-PSK networkthat is utilising a network SSID of cuckoo. Remember the capture(wpa-test-01.cap) must contain the four-way handshake to be successful.
9 Q9 V4 @6 u* Z5 v! H9 j* C' ^- ?1 R* |6 e8 C' S+ ]
cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys
4 B8 Z& B/ g N: d" B
]+ }9 j2 S5 a* v/ B$ |' [/ p R' {, N- L4 Y1 U5 M
wpa-test-01.cap is the capture containing the four-way handshake
" d: m' j3 i; @% B. C; tlinksys.hashfile are our precomputed hashes
0 y6 P) j1 z# jlinksys is the network ESSID
6 I- D9 G+ b+ C% L! y
. b1 s" o" s4 qNotice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attacked as opposed to 200 secondswith standard dictionary attack mode, albeit you do need to pre-computethe hash files prior to the attack. However, precomputing large hashfiles for common SSIDS (e.g. linksys, tsunami) would be a sensible movefor most penetration testers.
5 w+ x ~7 E0 F% {; A% u& _
' M3 s5 p) R. p, I. |2 ]' k8 ?coWPAtty Precomputed WPA2 Attack:$ V) e% m% {3 L4 f k
coWPAtty4.0 is also capable of attacking WPA2 captures. Note: The same hashfile as was used with the WPA capture was also used with the WPA2capture.
3 C4 _) v. H5 ` p$ gcowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys
/ v S- e! G6 p7 X: D* R
& s9 M R3 h7 s! n- p$ r( x+ s% ]5 L2 \' w' z, l6 u
wpa2psk-linksys.dump is the capture containing the four-way handshake
# j0 z% ^- ^9 R* S0 o% p
dict is the password file
% }( ^. U7 e/ q6 D4 llinksys is the network SSID
: X. p, o: I7 l5 K# E
( N; F( u; w- e4 Z7 Z- E$ ]
coWPAtty Tables: - V d i8 d X% L* X1 H
The Church of Wifi have produced some lookup tables for 1000 SSID's computed against a 170,000 word password file. The resultant table are approximately 7 Gigabytes in size and can be downloaded via Torrent:% _" {' m P$ i: f
J! N( B2 |7 f2 ]0 K
http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19( l! m& L$ M# z* r8 B
1 Z4 N7 I0 m0 J* b+ p7 [
A 33 Gigabyte set of tables are also available: http://umbra.shmoo.com:6969/
& M* N- y+ S8 _! H; \9 z W
$ @8 a! D/ i; NOr you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/
; P/ H& w+ E3 F0 u' r$ s
[复制链接]
IP卡
狗仔卡
发表于 2009-8-28 17:55
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡