本帖最后由 smilebomb 于 2010-1-14 23:09 编辑
% ]. N3 @% `) Q' S% k! w# M7 k) ]$ M4 Q- u
本人最讨厌这种人4 D1 B+ S9 O. H) y" [+ e* p& E3 T
coWPAtty for Windows MAIN:
0 V# D9 O" H$ Z "coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol."% ]/ k e7 O- K$ y- |
- Joshua Wright.
" L/ l# V$ q+ R5 v, a, w1 P/ I9 W! N. @4 P6 l
# ~4 y" O5 f' F2 m/ k: ~: u Project Homepage: http://www.willhackforsushi.com/Cowpatty.html R4 J: `& r* s# B( H7 s
" S# v8 ]* F: e. x: P; [; _5 T! h1 D
Local Mirror: Cowpatty-4.0-win32.zip2 v6 B' Q! r. t1 |0 C! |2 I. w
MD5: aa9ead2aacfcc493da3684351425d4c6
/ Y; s6 S1 }) v) g* A4 A; P g* r1 A! |0 k% Q9 H2 F% C' A& W$ r: _( S
coWPAtty Dictionary Attack
3 q- f; E! E4 N$ C( w g; R" Z* h3 z9 V. N+ g5 o. P! [$ x& ?
Precomputing WPA PMK to crack WPA PSK + t6 t; S5 }$ y1 K% ]- M" m: C+ f' ^4 P" R. ^( v+ M7 W
coWPAtty Precomputed WPA Attack 4 l- { ^5 s, h8 u$ b) s. z
coWPAtty Recomputed WPA2 Attack + H+ d* V- T3 \
& S4 w% H6 `5 T7 @: I5 PcoWPAtty Tables w$ ?7 R5 x2 E! x! U9 x" J$ { S# A- ?
coWPAtty Usage:6 ~$
* a" V# N( P6 x. N/ D0 K3 [( m % c: \0 ?, }, @; n
coWPAtty Dictionary Attack:" G; C+ c! z% U+ k/ H0 X: T" z
Toperform the coWPAtty dictionary attack we need to supply the tool witha capture file that includes the TKIP four-way handshake, a dictionaryfile of passphrases to guess with and the SSID for the network. " c! Q y& J* f4 c0 ?" L: {, g- J
In orderto collect the four-way handshake you can either wait until a clientjoins the network or preferably you can force it to rejoin the networkusing tools like void11 or aireplay and capture the handshakes usingsomething like kismet, ethereal or airodump.
o6 H( d7 f( f! A0 G% C* I5 lcowpatty -f dict -r wpapsk-linksys.dump -s linksys
! m; t# ?! O- x- [2 I9 ?
' D3 t( M+ N" m
( q$ f6 O- P7 E6 d. g# P/ S- C8 C: C+ e7 }! a5 {) s
* E# B" r" L! H' [ / e" U0 T" m# [+ y1 ?5 a' c, M" o0 H1 e' y: |1 Y+ j
% y7 b+ q/ `9 h
As youcan see this simple dictionary attack took 51 seconds, we can speed upthis process by precomputing the WPA-PMK to crack the WPA-PSK (seebelow). 0 d4 E6 I Y, L7 |% n5 j6 Y3 w8 Q7 p+ }3 L; t9 D- ]
wpapsk-linksys.dumpis the capture containing the four-way handshake : S" s3 \$ O6 y/ z4 Y; J9 t
dict is the password file
. O8 K: F$ H* m- Jlinksys is the network SSID
8 t% Q4 s( w) u, R3 v1 w
0 L! B7 @# D6 F5 _7 BPrecomputing WPA PMK to crack WPA PSK:$ b; n- l9 P) W+ D
genpmkis used to precompute the hash files in a similar way to Rainbow tablesis used to pre-hash passwords in Windows LANMan attacks. There is aslight difference however in WPA in that the SSID of the network isused as well as the WPA-PSK to "salt" the hash. This means that weneed a different set of hashes for each and every unique SSID i.e. aset for "linksys" a set for "tsunami" etc. 7 X# E' ]; d( R& M% C5 F
7 v0 [' L" [0 |) V% W2 L1 {
So to generate some hash files for a network using the SSID cuckoo we use: 7 @) @# C* G* b6 c6 L X3 w) i4 ? u9 ?/ W# i: X% c c @
2 Q- n* U0 t1 d0 i3 w+ C" Y* G0 i) ]* y; R
genpmk -f dict -d linksys.hashfile -s linksys
4 w6 c% Z0 {3 H& i! t; V3 e0 X: @) {+ t' r8 @0 T
( h) g+ Y1 `" `, [6 T: P' K$ O5 n) ]! h9 T
7 b: z/ x9 f& r* j" e' s
2 p& X* k$ m. o+ k, ^+ ~! m' X
) a4 O6 S1 K% e/ ^+ ` dict is the password file ' E, R7 R i- f$ i' W$ S7 Y& e! X, r' @+ j0 u$ |
linksys.hashfile is our output file ( E7 _$ F' x( g) W! a; `" o
% i( k& S6 y, O" D) Ulinksysis the network ESSID - e8 C* _1 K; D+ I9 Y8 \3 m
# w1 w2 q0 s: @* O5 C4 N( D
+ I/ e/ K: T9 d6 }( W& q CcoWPAtty Precomputed WPA Attack:- z5 |# j1 r d8 G# d m2 |; T$ b4 z- j5 x* V
Now wehave created our hash file we can use it against any WPA-PSK networkthat is utilising a network SSID of cuckoo. Remember the capture(wpa-test-01.cap) must contain the four-way handshake to be successful. 3 u1 d; w& R \; l0 n. N* {# \8 I6 ?' E$ D, `, t
/ W- F+ v/ _9 z& J2 K- U& U
cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys + u& o/ z# Y; j6 \0 k! A/ b* [2 s
( W, L1 N0 G, ^( _/ A$ t
$ n7 D7 z% P: \4 v4 A5 B- I
" X8 O) P4 }& A3 z, l3 t
4 c. ]" P' n5 m5 Y( B
$ ?5 [! Z1 A8 h! u$ ]& _4 ?+ @4 Z) w( b0 d+ H" u8 s8 f
" p) N1 q/ ~- t \% q5 Iwpa-test-01.capis the capture containing the four-way handshake
- }, J. Z! ?/ Z5 ^2 Y& Ylinksys.hashfile are our precomputed hashes
: x" E Y. h; I: ?3 a) x
( P6 ~. P( I( ?; D1 p1 Tlinksys is the network ESSID
* N; |9 U" y* r3 p' P$ H) `
8 @( F+ Z" U# C7 j j3 V# qNotice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attacked as opposed to 200 secondswith standard dictionary attack mode, albeit you do need to pre-computethe hash files prior to the attack. However, precomputing large hashfiles for common SSIDS (e.g. linksys, tsunami) would be a sensible movefor most penetration testers.
: j7 q* h9 v$ {! g1 o7 z9 b/ L! n4 Y
3 M3 i' Z* x D8 ~- }
coWPAtty Precomputed WPA2 Attack:. Y9 N4 j- B6 y* @( O4 v
coWPAtty4.0 is also capable of attacking WPA2 captures. Note: The same hashfile as was used with the WPA capture was also used with the WPA2capture.
* M4 x% L2 K' v2 M0 Z3 Mcowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys
8 ?7 w8 b+ j( l/ U2 C: N7 W2 t
 # ^' M0 O+ x! k
+ Q3 a1 C/ A( l9 [' X8 P8 X) [! B
, T9 k& O; _* u1 `/ I* q* v
3 c0 R/ v) ^# U3 i3 C- c( Nwpa2psk-linksys.dumpis the capture containing the four-way handshake
y5 k; g4 V4 g' D( n. k7 `dict is the password file
' g. Q8 V! f. Z. E0 v( a1 e7 i6 e
linksys is the network SSID # [8 l& Y$ V( f$ ?4 v
$ ]5 z0 z# u% |7 z3 M* g) x8 g: u2 Q
1 U5 [9 T4 m4 ocoWPAtty Tables:" q# T+ c, n. p; [+ W
& M' j: P& A b; x$ V9 \The Church of Wifi have produced some lookup tables for 1000 SSID's computed against a 170,000 word password file. The resultant table are approximately 7 Gigabytes in size and can be downloaded via Torrent:) u2 H9 f; h' @, b' r0 E
8 R, q# t# H/ a/ \ e* f
http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19/ p+ G7 n" D4 e8 ]0 E. V( _$ e3 h4 X+ V. L0 D0 X
: x7 S$ l6 R, N: `! [
3 ?& ^* w, p6 `- j( gA 33 Gigabyte set of tables are also available: http://umbra.shmoo.com:6969/
; V: r: l- _7 |1 B0 ]% \- R* _, O. ?9 Y3 W4 _# n o0 w* t" ]
Or you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/ | 
[复制链接]
IP卡
狗仔卡
发表于 2010-1-10 01:59
显身卡
