本帖最后由 smilebomb 于 2010-1-14 23:09 编辑
( r4 _6 P. M# t$ x6 \
, w# Y" ~* Y. B本人最讨厌这种人
$ k! Q ?2 E- n4 u( f/ x$ t4 ecoWPAtty for Windows MAIN:7 f8 o. p' U5 l) {" `( U/ W. V
"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." o0 y+ `' y. B2 u
- Joshua Wright.7 i& G. K% k& z8 x2 ~5 b o% [2 ^
9 W! N. @4 P6 l$ e2 i9 o0 t6 U: w. p7 E4 b+ g
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html R4 J: `& r* s# B( H7 s
7 k5 A7 U% h) y4 _( S
. {% K( b3 ~/ ?" a$ eLocal Mirror: Cowpatty-4.0-win32.zip% F$ u: Q4 J9 E$ A$ E6 T
MD5: aa9ead2aacfcc493da3684351425d4c6 " F3 G- l9 v- s2 _" U; x2 _
; P g* r1 A! |0 k% Q
2 M' `% {2 i) U `4 k3 Y; QcoWPAtty Dictionary Attack 3 q- f; E! E4 N$ C( w g; R
O" s. B: r6 D' r% F+ E, { ^' R$ CPrecomputing WPA PMK to crack WPA PSK + t6 t; S5 }$ y1 K% ]3 N8 L/ _$ |/ h+ ]+ E
coWPAtty Precomputed WPA Attack ; L+ z2 ~/ o& d* b) I8 k2 d
coWPAtty Recomputed WPA2 Attack + H+ d* V- T3 \
; `: E* E" ?. m9 i+ O& r7 lcoWPAtty Tables w$ ?7 R5 x2 E! x! U
+ w/ O/ C! u3 r# }& hcoWPAtty Usage:6 ~$
: |$ C+ M$ g; m ^8 [
$ u: w ~ I" o/ z4 V; T/ a coWPAtty Dictionary Attack:
! Q' v7 Z, B9 X0 F+ ]% o7 kToperform the coWPAtty dictionary attack we need to supply the tool witha capture file that includes the TKIP four-way handshake, a dictionaryfile of passphrases to guess with and the SSID for the network.
" j1 V$ L+ H/ ?In orderto collect the four-way handshake you can either wait until a clientjoins the network or preferably you can force it to rejoin the networkusing tools like void11 or aireplay and capture the handshakes usingsomething like kismet, ethereal or airodump.
, U9 W- H! B# T3 Scowpatty -f dict -r wpapsk-linksys.dump -s linksys
6 d" u/ V$ N1 a! d5 U' D3 t( M+ N" m
( b6 |1 F' x( Y e5 J+ e7 }! a5 {) s
5 l8 O2 x2 P/ J / e" U0 T" m# [+ y
6 K3 t9 w( ^& k% R, }5 E6 } }# u
0 X0 R$ r8 V- u$ V% E2 K. GAs youcan see this simple dictionary attack took 51 seconds, we can speed upthis process by precomputing the WPA-PMK to crack the WPA-PSK (seebelow). 0 d4 E6 I Y, L7 |% n5 j6 Y3 w8 Q
8 z; S% o( c$ D: I& ]wpapsk-linksys.dumpis the capture containing the four-way handshake
1 O$ X7 |. i' [/ r1 k( qdict is the password file
1 G) Z t3 ?! i/ F& R% j, B
linksys is the network SSID 2 ^- K6 n9 i& s% p
& _9 f. ^) e2 E; B5 F U; H) cPrecomputing WPA PMK to crack WPA PSK:
; A5 P) l, N% Z% vgenpmkis used to precompute the hash files in a similar way to Rainbow tablesis used to pre-hash passwords in Windows LANMan attacks. There is aslight difference however in WPA in that the SSID of the network isused as well as the WPA-PSK to "salt" the hash. This means that weneed a different set of hashes for each and every unique SSID i.e. aset for "linksys" a set for "tsunami" etc.
% O7 h" R8 S# ]8 x) X( S
! ^$ J3 M: S0 ]So to generate some hash files for a network using the SSID cuckoo we use:
7 @) @# C* G* b6 c6 L X3 w) i4 ?
! W& U( N; A# }9 q' }2 Q- n* U0 t1 d0 i3 w+ C" Y
$ p; E, s5 S A% A$ q8 T' R9 N! }3 ngenpmk -f dict -d linksys.hashfile -s linksys
0 S! M9 a4 ?; b1 A8 @# Y3 e0 X: @) {+ t' r8 @0 T
& L+ z! F7 C R$ R- X+ e6 T: P' K$ O5 n) ]! h9 T
5 b) G% E- X1 R4 o( L$ F/ ]- K$ w$ I
- F$ q+ [/ u# n3 @. T! m" d, k& O* m4 @ u$ i( a# y R
dict is the password file ' E, R7 R i- f$ i' W$ S7 Y& e! X! E' x% ]( B" u' a- ?: t% l8 s
linksys.hashfile is our output file ( E7 _$ F' x( g) W! a; `" o
8 p2 L* B. L5 O3 Ulinksysis the network ESSID
( Y7 K& m: W4 W) w+ I# w1 w2 q0 s: @* O5 C4 N( D
2 m* Y# B9 z7 T, b2 m0 {( w! ?coWPAtty Precomputed WPA Attack:- z5 |# j1 r d
4 S: O3 D( ], ~* d& t8 L, H+ r4 mNow wehave created our hash file we can use it against any WPA-PSK networkthat is utilising a network SSID of cuckoo. Remember the capture(wpa-test-01.cap) must contain the four-way handshake to be successful.
3 u1 d; w& R \; l0 n. N* {# \8 I
l) |( Q# a$ g2 G% S8 r) }& H
" j8 p9 h5 p0 P: Dcowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys 7 Z! K3 }: D" Z( ]0 d
( W, L1 N0 G, ^( _/ A$ t# R; B6 K+ _( o% |$ d
* L3 G3 s* r: Y. E; M' M& B8 p4 c. ]" P' n5 m5 Y( B7 {9 J/ V9 E/ z/ a. ?& |. Y
+ @4 Z) w( b0 d+ H" u8 s8 f! Q5 R8 e/ G* s( z" E
wpa-test-01.capis the capture containing the four-way handshake
. V" f# G3 @% I: o4 a% M# ulinksys.hashfile are our precomputed hashes
: x" E Y. h; I: ?3 a) x* A( M8 j8 W: `0 Z. N
linksys is the network ESSID
" Z% U& c- E0 Y; @* E5 C3 Q
3 Q, d& y3 R1 vNotice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attacked as opposed to 200 secondswith standard dictionary attack mode, albeit you do need to pre-computethe hash files prior to the attack. However, precomputing large hashfiles for common SSIDS (e.g. linksys, tsunami) would be a sensible movefor most penetration testers.
+ u- L( A$ Z5 i! H6 |2 e; `
3 N. `5 s9 V% T* e2 dcoWPAtty Precomputed WPA2 Attack:7 u7 `3 j/ F3 ]- m8 y
coWPAtty4.0 is also capable of attacking WPA2 captures. Note: The same hashfile as was used with the WPA capture was also used with the WPA2capture.
2 g6 N, o. U! N) G% |5 Wcowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys
1 V7 |8 }5 @0 o) E, A
) `) Q* E$ @5 D0 X, {. @+ Q3 a1 C/ A( l9 [' X8 P8 X) [! B
) j$ F+ z( u( z! ~/ _. `
: I: S3 w8 l$ m. i# }2 s, l& Gwpa2psk-linksys.dumpis the capture containing the four-way handshake 6 J0 U# h* f* m( U
dict is the password file
5 [+ b7 W, i0 `# x/ wlinksys is the network SSID
# [8 l& Y$ V( f$ ?4 v- K: }: s9 |. I/ r. u2 w5 t" @0 j$ {
* g) x8 g: u2 Q
u: W/ [! L: }) n# bcoWPAtty Tables:" q# T+ c, n. p; [+ W
% I, z- C( o0 Z8 c8 YThe Church of Wifi have produced some lookup tables for 1000 SSID's computed against a 170,000 word password file. The resultant table are approximately 7 Gigabytes in size and can be downloaded via Torrent:
* A! Y4 ]- Z4 ^) M) Q" y1 O. x' }% [! k. N: M6 Q
http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19/ p+ G7 n" D4 e8 ]0 E. V
1 L( h- J$ [1 X4 c: x7 S$ l6 R, N: `! [
# \( o7 q- f# Q2 t0 A! {" B% r& r% XA 33 Gigabyte set of tables are also available: http://umbra.shmoo.com:6969/" x% V) z$ I. j* J, ?2 G
% \- R* _, O. ?9 Y
4 Y: P4 X9 C8 p7 z8 W: ^: N e( dOr you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/ | 
[复制链接]
IP卡
狗仔卡
发表于 2010-1-9 14:30
显身卡
