coWPAtty for Windows

"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright.
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html

Local Mirror: Cowpatty-4.0-win32.zip MD5: aa9ead2aacfcc493da3684351425d4c6

coWPAtty Dictionary Attack
Precomputing WPA PMK to crack WPA PSK
coWPAtty Precomputed WPA Attack
coWPAtty Precomputed WPA2 Attack
coWPAtty Tables

coWPAtty Usage:

coWPAtty Dictionary Attack:
To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with, and the SSID of the network.
In order to collect the four-way handshake you can either wait until a client joins the network or, preferably, force it to rejoin the network using tools like void11 or aireplay, and capture the handshake using something like kismet, ethereal or airodump.
9 V% h: Z- n, \- M) d' f2 o7 O3 p9 |cowpatty -f dict -r wpapsk-linksys.dump -s linksys
As you can see, this simple dictionary attack took 51 seconds; we can speed up this process by precomputing the WPA-PMK to crack the WPA-PSK (see below).

wpapsk-linksys.dump is the capture containing the four-way handshake

dict is the password file

linksys is the network SSID

Precomputing WPA PMK to crack WPA PSK:
genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference, however, in WPA: the SSID of the network is used together with the WPA-PSK passphrase to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc.

So to generate some hash files for a network using the SSID cuckoo we use:

genpmk -f dict -d linksys.hashfile -s linksys
dict is the password file
linksys.hashfile is our output file
linksys is the network ESSID

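To make the point behind both the dictionary attack and genpmk concrete, here is an added example (not code from the post or from coWPAtty) that derives the PMK the way WPA/WPA2 do, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, and shows why a precomputed hash file only matches networks with that exact SSID. The wordlist, the SSIDs and the target passphrase are constructed; the reference vector is the one from IEEE 802.11i Annex H.

```python
import hashlib

# Added example, not part of the original post or the coWPAtty project.
# WPA/WPA2 derive the 256-bit PMK from the passphrase with PBKDF2-HMAC-SHA1,
# 4096 iterations, using the SSID as the salt. That salt is what ties a
# genpmk hash file to a single SSID: a unique, non-default network name
# makes every public precomputed table useless against it.

ITERATIONS = 4096
PMK_LEN = 32  # bytes


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def build_table(words, ssid):
    """Precompute PMK -> passphrase for one SSID, the role of a genpmk hash file."""
    return {wpa_pmk(w, ssid): w for w in words}


def table_lookup(table, pmk):
    """Precomputed mode: one dictionary lookup instead of 4096 HMAC rounds."""
    return table.get(pmk)


def dictionary_search(words, ssid, pmk):
    """Dictionary mode: derive the PMK for every guess (the slow path)."""
    for w in words:
        if wpa_pmk(w, ssid) == pmk:
            return w
    return None


# Constructed wordlist standing in for the "dict" file used in the post.
WORDS = ["password", "letmein", "linksys123", "tsunami"]


def demo():
    """Returns (hit for matching SSID, hit for a different SSID)."""
    # Constructed target network: SSID "linksys", passphrase "linksys123".
    target = wpa_pmk("linksys123", "linksys")
    table = build_table(WORDS, "linksys")
    hit_same_ssid = table_lookup(table, target)
    # Same passphrase on a network named "cuckoo": the linksys table misses.
    hit_other_ssid = table_lookup(table, wpa_pmk("linksys123", "cuckoo"))
    return hit_same_ssid, hit_other_ssid
```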
coWPAtty Precomputed WPA Attack:
Now we have created our hash file we can use it against any WPA-PSK network that is utilising a network SSID of cuckoo. Remember the capture (wpa-test-01.cap) must contain the four-way handshake to be successful.

cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys
wpa-test-01.cap is the capture containing the four-way handshake

linksys.hashfile is our precomputed hashes
linksys is the network ESSID

Notice that cracking the WPA-PSK took 0.04 seconds with the precomputed attack as opposed to 200 seconds with standard dictionary attack mode, albeit you do need to precompute the hash files prior to the attack. However, precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would be a sensible move for most penetration testers.

coWPAtty Precomputed WPA2 Attack:
coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: the same hash file as was used with the WPA capture was also used with the WPA2 capture.

cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys
wpa2psk-linksys.dump is the capture containing the four-way handshake

dict is the password file
linksys is the network SSID
coWPAtty Tables:
The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000 word password file. The resultant tables are approximately 7 Gigabytes in size and can be downloaded via Torrent:
http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19

A 33 Gigabyte set of tables are also available: http://umbra.shmoo.com:6969/

Or you can buy them on DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/