coWPAtty for Windows

"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright.
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html
Local Mirror: Cowpatty-4.0-win32.zip MD5: aa9ead2aacfcc493da3684351425d4c6
coWPAtty Dictionary Attack
Precomputing WPA PMK to crack WPA PSK
coWPAtty Precomputed WPA Attack
coWPAtty Precomputed WPA2 Attack
coWPAtty Tables
coWPAtty Usage:
coWPAtty Dictionary Attack:
To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with, and the SSID of the network.
In order to collect the four-way handshake you can either wait until a client joins the network or, preferably, force it to rejoin the network using tools like void11 or aireplay, and capture the handshake using something like kismet, ethereal or airodump.
cowpatty -f dict -r wpapsk-linksys.dump -s linksys
As you can see, this simple dictionary attack took 51 seconds. We can speed up this process by precomputing the WPA PMK to crack the WPA PSK (see below).
wpapsk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID
Precomputing WPA PMK to crack WPA PSK:
genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference in WPA, however: the SSID of the network is used as well as the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc.
So to generate some hash files for a network using the SSID cuckoo we use:
genpmk -f dict -d linksys.hashfile -s linksys
dict is the password file
linksys.hashfile is our output file
linksys is the network ESSID
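The salting behaviour described above is what makes a genpmk hash file SSID-specific. The following is an added example, not code from coWPAtty or genpmk, that derives the PMK the way the WPA/WPA2 standard defines it (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes) and builds a small in-memory table in the spirit of a genpmk hash file. The wordlist and SSIDs are constructed for the example. It shows that a table built for "linksys" is useless against a network whose SSID is "cuckoo", which is why the tables section below is organised per SSID, and why the same hash file works for both the WPA and WPA2 captures (both derive the PMK identically). From a defender's side, a unique SSID makes every shared table irrelevant to your network, and a long random passphrase makes a per-SSID table infeasible to build.

```python
"""Added example (not coWPAtty's own code): derive WPA/WPA2 PMKs and show
that a precomputed table is bound to the SSID it was generated for."""
import hashlib
import time

# Constructed wordlist for the example; WPA passphrases are 8 to 63 characters.
WORDLIST = ["password", "linksys1", "dictionary", "tsunami1"]


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    This is the standard WPA/WPA2 derivation; the SSID acts as the salt, so the
    same passphrase yields a different PMK on every differently named network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_hash_table(wordlist, ssid: str) -> dict:
    """Precompute one PMK per candidate passphrase for a single SSID.

    This mirrors what a genpmk hash file contains conceptually: the expensive
    PBKDF2 work is done once up front and tied to exactly one SSID."""
    return {word: derive_pmk(word, ssid) for word in wordlist}


def lookup_passphrase(table: dict, pmk: bytes):
    """Return the passphrase whose precomputed PMK equals `pmk`, or None.

    Only table entries computed for the target network's SSID can ever match."""
    for word, candidate in table.items():
        if candidate == pmk:
            return word
    return None


def pbkdf2_cost_seconds(samples: int = 5) -> float:
    """Rough per-guess cost of the 4096-iteration derivation on this machine.

    This cost, paid once per word in precomputation, is what the live
    dictionary attack pays on every guess."""
    start = time.perf_counter()
    for _ in range(samples):
        derive_pmk("password", "cuckoo")
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed target: SSID "cuckoo" with passphrase "dictionary".
    target_pmk = derive_pmk("dictionary", "cuckoo")

    table_for_linksys = build_hash_table(WORDLIST, "linksys")
    table_for_cuckoo = build_hash_table(WORDLIST, "cuckoo")

    print("table for linksys used against cuckoo:",
          lookup_passphrase(table_for_linksys, target_pmk))   # None
    print("table for cuckoo used against cuckoo:",
          lookup_passphrase(table_for_cuckoo, target_pmk))    # dictionary
    print("seconds per PBKDF2 guess: %.4f" % pbkdf2_cost_seconds())
```

The first assertion in the test below uses the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), which is a convenient way to confirm that any PMK code you write matches the standard before trusting it.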
coWPAtty Precomputed WPA Attack:
Now we have created our hash file, we can use it against any WPA-PSK network that is utilising a network SSID of cuckoo. Remember the capture (wpa-test-01.cap) must contain the four-way handshake to be successful.
cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys
wpa-test-01.cap is the capture containing the four-way handshake
linksys.hashfile are our precomputed hashes
linksys is the network ESSID
Notice that cracking the WPA-PSK took 0.04 seconds with the precomputed attack, as opposed to 200 seconds with standard dictionary attack mode, albeit you do need to precompute the hash files prior to the attack. However, precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would be a sensible move for most penetration testers.
coWPAtty Precomputed WPA2 Attack:
coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: the same hash file as was used with the WPA capture was also used with the WPA2 capture.
cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys
wpa2psk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID
coWPAtty Tables:
The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000 word password file. The resultant tables are approximately 7 Gigabytes in size and can be downloaded via Torrent:
http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19

A 33 Gigabyte set of tables is also available: http://umbra.shmoo.com:6969/

Or you can buy them on DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/