本帖最后由 smilebomb 于 2010-1-14 23:09 编辑 1 W8 [& ^5 f) _0 m! i2 o
: A5 k; S- h$ \3 d
本人最讨厌这种人9 t0 u9 l( e& u' T% S T
coWPAtty for Windows MAIN:
* v& P: U3 q: {8 [2 X "coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol."
7 a S) `3 l+ d) M- Joshua Wright.
A0 I v7 s6 y/ l; J8 _* L# J9 W! N. @4 P6 l" g* V3 }! Q3 A$ }) A2 x0 @
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html R4 J: `& r* s# B( H7 s$ ^8 T' {3 V& ]6 f% W8 p( U) _
8 e, Y" X7 [ T5 h/ m V
Local Mirror: Cowpatty-4.0-win32.zip, T+ e; l7 B( y0 n' I
MD5: aa9ead2aacfcc493da3684351425d4c6
9 T: s2 A1 w: }; P g* r1 A! |0 k% Q6 Y' r `4 o) E& G5 s
coWPAtty Dictionary Attack
3 q- f; E! E4 N$ C( w g; R
. ?) F5 x( u7 u! |0 t! }2 _9 XPrecomputing WPA PMK to crack WPA PSK + t6 t; S5 }$ y1 K% ]
* B7 V. X! Z% o$ L' `7 Y; K/ wcoWPAtty Precomputed WPA Attack
. O# S# `; W- F1 j/ E# mcoWPAtty Recomputed WPA2 Attack
+ H+ d* V- T3 \. o. X) F1 \, i+ b
coWPAtty Tables w$ ?7 R5 x2 E! x! U
. v4 h* d4 D+ W: M3 _3 q: qcoWPAtty Usage:6 ~$ - s, [" }3 k9 Z/ y
7 `+ T& V' M# D! c; O+ r3 o coWPAtty Dictionary Attack:4 w* Q4 D" |. V O
Toperform the coWPAtty dictionary attack we need to supply the tool witha capture file that includes the TKIP four-way handshake, a dictionaryfile of passphrases to guess with and the SSID for the network. : |2 f4 O* x, {3 M4 H! \+ y
In orderto collect the four-way handshake you can either wait until a clientjoins the network or preferably you can force it to rejoin the networkusing tools like void11 or aireplay and capture the handshakes usingsomething like kismet, ethereal or airodump.
) ~: b( }' D. vcowpatty -f dict -r wpapsk-linksys.dump -s linksys
0 B8 s* E& v6 K" _( R
' D3 t( M+ N" m
! Q0 I/ T/ d x: |5 U. I+ e7 }! a5 {) s: X6 _8 |* {: S1 t4 V
 / e" U0 T" m# [+ y
" @# `" x8 O8 \8 t1 V+ p& `/ a/ r* F: Z; s) W" W$ `
As youcan see this simple dictionary attack took 51 seconds, we can speed upthis process by precomputing the WPA-PMK to crack the WPA-PSK (seebelow). 0 d4 E6 I Y, L7 |% n5 j6 Y3 w8 Q0 j$ X- q K I
wpapsk-linksys.dumpis the capture containing the four-way handshake 2 `& g( Q9 b- |$ M
dict is the password file
. {- F; {. ~1 C- l7 N9 \linksys is the network SSID
) i& [ S P( y' K7 p) P0 ^$ c. l( c9 d7 I) i' n" Y/ b8 g
Precomputing WPA PMK to crack WPA PSK:
, ]2 k& ?" D( v: G! n) y0 Bgenpmkis used to precompute the hash files in a similar way to Rainbow tablesis used to pre-hash passwords in Windows LANMan attacks. There is aslight difference however in WPA in that the SSID of the network isused as well as the WPA-PSK to "salt" the hash. This means that weneed a different set of hashes for each and every unique SSID i.e. aset for "linksys" a set for "tsunami" etc.
M' D' j6 q! d9 N9 o) Q% ^
: \- j1 ~: ~& S9 `
So to generate some hash files for a network using the SSID cuckoo we use: 7 @) @# C* G* b6 c6 L X3 w) i4 ?# O& |" P) }- e% x( X
2 Q- n* U0 t1 d0 i3 w+ C" Y
# r# `- C9 s: M" p3 W: A4 hgenpmk -f dict -d linksys.hashfile -s linksys
! F# Y4 Q+ [: |3 D( p3 e0 X: @) {+ t' r8 @0 T
6 m3 V1 \2 a! D$ d; O$ B, S6 T: P' K$ O5 n) ]! h9 T8 {# _( ~! X4 p! {0 m) s! p$ q, |
9 Q' _& h) Y3 {4 Q: _6 v/ Z& p3 U
% o6 M3 h% n0 D, s- x/ T2 v
dict is the password file ' E, R7 R i- f$ i' W$ S7 Y& e! X
% y1 t! u) j4 u& y2 zlinksys.hashfile is our output file ( E7 _$ F' x( g) W! a; `" o
% R6 l# @; V* N+ u& w9 mlinksysis the network ESSID
; L) r3 |- l+ g4 I# w1 w2 q0 s: @* O5 C4 N( D
& K( ^' y- F/ A/ ~coWPAtty Precomputed WPA Attack:- z5 |# j1 r d
* [9 S; P+ g2 x: |; {2 J7 V$ M+ v: }Now wehave created our hash file we can use it against any WPA-PSK networkthat is utilising a network SSID of cuckoo. Remember the capture(wpa-test-01.cap) must contain the four-way handshake to be successful.
3 u1 d; w& R \; l0 n. N* {# \8 I
5 j Y! U1 H& ]) E i5 m: P/ i9 C3 j; h& N- d O6 J' p
cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys
; ?& {, x+ i/ r9 c3 |( W, L1 N0 G, ^( _/ A$ t
, r$ B9 c7 i9 r; Y% M7 `
) A/ X( j( X; i4 c. ]" P' n5 m5 Y( B
" V5 ?. h) Q8 X! [$ J$ k& C f2 a$ W+ @4 Z) w( b0 d+ H" u8 s8 f+ _+ d6 P' e5 E; p% v% [$ H
wpa-test-01.capis the capture containing the four-way handshake 3 l* t, L i" ~/ I6 u7 a
linksys.hashfile are our precomputed hashes : x" E Y. h; I: ?3 a) x
* ?4 d& U2 ` j+ Flinksys is the network ESSID
. J4 c, Y3 R5 c& L% a* _9 T. b% x6 ]/ }" u, g9 ?
Notice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attacked as opposed to 200 secondswith standard dictionary attack mode, albeit you do need to pre-computethe hash files prior to the attack. However, precomputing large hashfiles for common SSIDS (e.g. linksys, tsunami) would be a sensible movefor most penetration testers.
% W6 Y2 t* C. v! M7 Z1 S
8 L+ j* h$ c! [( P2 M1 t7 YcoWPAtty Precomputed WPA2 Attack:
9 K, y* c3 n- Y$ OcoWPAtty4.0 is also capable of attacking WPA2 captures. Note: The same hashfile as was used with the WPA capture was also used with the WPA2capture.
, l! @9 Y! ?( d8 N4 scowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys
* J* `6 P( J# f4 H. e2 _
 / r, S0 Y; v2 ~" H; @- a1 {
+ Q3 a1 C/ A( l9 [' X8 P8 X) [! B
0 ~4 S1 d2 F$ E# P3 v; h
, Y, R, F1 ]$ P% f' Q# g7 S. Gwpa2psk-linksys.dumpis the capture containing the four-way handshake r0 j+ J0 U0 O
dict is the password file
6 U$ O1 x4 p9 Zlinksys is the network SSID
# [8 l& Y$ V( f$ ?4 v
- x; ^4 u4 i+ o* g) x8 g: u2 Q
- k ]3 |2 t( K3 @% T( pcoWPAtty Tables:" q# T+ c, n. p; [+ W- Q% [. N* O! L8 H6 J3 m4 \% H4 C
The Church of Wifi have produced some lookup tables for 1000 SSID's computed against a 170,000 word password file. The resultant table are approximately 7 Gigabytes in size and can be downloaded via Torrent:
# v7 ?6 y$ Q- h% c5 w: T- v
9 P/ W& m2 n# d: x+ z2 N0 Phttp://torrents.lostboxen.net/co ... atty-4.0_2006-10-19/ p+ G7 n" D4 e8 ]0 E. V
( u5 e/ }# ]9 e: x7 S$ l6 R, N: `! [1 o; T) M8 o7 c! o1 s
A 33 Gigabyte set of tables are also available: http://umbra.shmoo.com:6969/
* X( W: B( o# V& d2 A/ r: E% \- R* _, O. ?9 Y
0 ?* c5 `/ e: ROr you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/ | 
[复制链接]
IP卡
狗仔卡
发表于 2010-1-9 14:30
显身卡
