This post was last edited by smilebomb on 2010-1-14 23:09.
I hate this kind of person the most.
coWPAtty for Windows MAIN:
"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol."
- Joshua Wright

Project Homepage: http://www.willhackforsushi.com/Cowpatty.html

Local Mirror: Cowpatty-4.0-win32.zip
MD5: aa9ead2aacfcc493da3684351425d4c6

coWPAtty Dictionary Attack
Precomputing WPA PMK to crack WPA PSK
coWPAtty Precomputed WPA Attack
coWPAtty Precomputed WPA2 Attack
coWPAtty Tables

coWPAtty Usage:
coWPAtty Dictionary Attack:
To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with and the SSID for the network.
In order to collect the four-way handshake you can either wait until a client joins the network or, preferably, force it to rejoin the network using tools like void11 or aireplay and capture the handshakes using something like kismet, ethereal or airodump.

cowpatty -f dict -r wpapsk-linksys.dump -s linksys

As you can see, this simple dictionary attack took 51 seconds; we can speed up this process by precomputing the WPA-PMK to crack the WPA-PSK (see below).
wpapsk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID
Precomputing WPA PMK to crack WPA PSK:
genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference in WPA, however, in that the SSID of the network is used as well as the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc.
So to generate some hash files for a network using the SSID cuckoo we use:

genpmk -f dict -d linksys.hashfile -s linksys

dict is the password file
linksys.hashfile is our output file
linksys is the network ESSID
coWPAtty Precomputed WPA Attack:
Now we have created our hash file we can use it against any WPA-PSK network that is utilising a network SSID of cuckoo. Remember the capture (wpa-test-01.cap) must contain the four-way handshake to be successful.

cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys

wpa-test-01.cap is the capture containing the four-way handshake
linksys.hashfile is our precomputed hashes
linksys is the network ESSID
Notice that cracking the WPA-PSK took 0.04 seconds with the precomputed attack as opposed to 200 seconds with the standard dictionary attack mode, albeit you do need to precompute the hash files prior to the attack. However, precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would be a sensible move for most penetration testers.
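The PMK derivation that genpmk precomputes and that the two timings above reflect, as an added Python example that is not part of the original post: it derives the PMK exactly as 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations) and shows that a table built for one SSID contains nothing usable against another, which is why a non-default SSID pushes an attacker back to the slow per-guess path. The wordlist is constructed; the reference value checked is the IEEE 802.11i Annex H test vector for passphrase "password" on SSID "IEEE".

```python
import hashlib
from typing import Dict, List, Optional

# WPA/WPA2-Personal derive the Pairwise Master Key (PMK, equal to the PSK) from
# the passphrase with PBKDF2-HMAC-SHA1: the SSID is the salt, 4096 iterations,
# 32-byte output. This is what genpmk precomputes and what "cowpatty -d" looks up.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PMK for a passphrase on the network named ssid."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def build_pmk_table(ssid: str, wordlist: List[str]) -> Dict[bytes, str]:
    """Map PMK -> passphrase for one SSID: the shape of a genpmk hash file.
    The 4096 iterations are paid once per word here, not once per guess later."""
    return {wpa_pmk(word, ssid): word for word in wordlist}


def lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """A table hit costs no PBKDF2 work, hence the 0.04 s run quoted on the page."""
    return table.get(pmk)


# Constructed sample wordlist; the page's real "dict" file is not reproduced.
SAMPLE_WORDLIST = ["password", "letmein", "admin1234"]


def ssid_binds_table(table_ssid: str, target_ssid: str, passphrase: str) -> bool:
    """True only if a table built for table_ssid contains the PMK that the same
    passphrase yields on target_ssid, i.e. only when the two SSIDs are identical."""
    table = build_pmk_table(table_ssid, SAMPLE_WORDLIST)
    return lookup(table, wpa_pmk(passphrase, target_ssid)) == passphrase


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: "password" on SSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
    print(ssid_binds_table("linksys", "linksys", "password"))  # True
    print(ssid_binds_table("linksys", "cuckoo", "password"))   # False
```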
coWPAtty Precomputed WPA2 Attack:
coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: the same hash file as was used with the WPA capture was also used with the WPA2 capture.

cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys

wpa2psk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID

coWPAtty Tables:
The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000 word password file. The resultant tables are approximately 7 Gigabytes in size and can be downloaded via Torrent:
http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19/

A 33 Gigabyte set of tables is also available: http://umbra.shmoo.com:6969/

Or you can buy them on DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/