coWPAtty for Windows MAIN:
" y3 Y: Z- f$ ^"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright. ; h2 L1 L( M% |1 ?6 ?6 ?
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html
9 y( T7 }! X9 I/ ^8 ~* v5 T0 ]& M( m) t: G
Local Mirror: Cowpatty-4.0-win32.zip MD5: aa9ead2aacfcc493da3684351425d4c6
( f, N$ g* }. O5 m* J8 s' C6 W% I( N& p1 W1 H K; R
coWPAtty Dictionary Attack
" V0 p: M H+ y3 @8 J8 ~Precomputing WPA PMK to crack WPA PSK
5 x: k& b" K! E4 C
coWPAtty Precomputed WPA Attack
9 u+ ^3 q" y6 x NcoWPAtty Recomputed WPA2 Attack
/ w* w' \1 C2 p$ j, |, t) ?! d4 _( ?
coWPAtty Tables
: [" B; f3 `& N# ^7 u* u
coWPAtty Usage:/ @; q$ _- O8 {* {! N& C8 d, N
* ^3 S" O! F1 i2 U: Q
O \% i, p9 O$ e5 lcoWPAtty Dictionary Attack:4 `5 A: B; B& Y) P/ ~
Toperform the coWPAtty dictionary attack we need to supply the tool witha capture file that includes the TKIP four-way handshake, a dictionaryfile of passphrases to guess with and the SSID for the network.
% o& I- F) ~# M2 Y3 K0 u: G+ ^$ w
In orderto collect the four-way handshake you can either wait until a clientjoins the network or preferably you can force it to rejoin the networkusing tools like void11 or aireplay and capture the handshakes usingsomething like kismet, ethereal or airodump.
6 f* n `8 N4 [1 t
cowpatty -f dict -r wpapsk-linksys.dump -s linksys
+ s8 N I, z1 m' \/ N
6 Q; | V" q% q
1 f% N+ L' ?8 X( [" o$ e& P
8 I" P) S h5 u- @9 V+ D
+ R* d$ | i/ M9 x6 p8 r2 C& \As youcan see this simple dictionary attack took 51 seconds, we can speed upthis process by precomputing the WPA-PMK to crack the WPA-PSK (seebelow).
: A2 Z% X4 @( z2 m0 g4 Y
wpapsk-linksys.dump is the capture containing the four-way handshake
, Z6 p7 w5 m# ]# g Z
dict is the password file
9 p3 d0 P% q" d4 ]linksys is the network SSID
8 C# R: }0 T' y _* g7 I- Y+ H8 s [1 J' O$ V
Precomputing WPA PMK to crack WPA PSK:
+ K0 w& R) z. [. d& o& Qgenpmkis used to precompute the hash files in a similar way to Rainbow tablesis used to pre-hash passwords in Windows LANMan attacks. There is aslight difference however in WPA in that the SSID of the network isused as well as the WPA-PSK to "salt" the hash. This means that weneed a different set of hashes for each and every unique SSID i.e. aset for "linksys" a set for "tsunami" etc.
6 V! e- J" l8 _+ Y
4 R3 M5 d+ P# ~7 qSo to generate some hash files for a network using the SSID cuckoo we use:
: Q( `. n4 S- @$ F$ y& ^$ D0 ^% t( @) p, M) V! [( I1 G
genpmk -f dict -d linksys.hashfile -s linksys
# k4 u/ B4 h- [7 g' y
. h6 K- d, v/ y$ ~
; h$ Q% i0 ~0 |
; a- @1 S" U# M8 z% u' h# D7 m7 h: E
dict is the password file
; _2 M# [% b( K
linksys.hashfile is our output file
9 l/ z# @% Z5 [
linksys is the network ESSID
% I0 j. P" o \1 @' p0 f7 a" M" u5 g5 v$ X3 _) \
coWPAtty Precomputed WPA Attack:7 M9 F' w5 y6 k# Y8 a
Now wehave created our hash file we can use it against any WPA-PSK networkthat is utilising a network SSID of cuckoo. Remember the capture(wpa-test-01.cap) must contain the four-way handshake to be successful.
$ K8 W) D5 B! b
0 k8 H7 t$ N. W3 f6 L9 ]) D' t! Ecowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys
% v! M9 D5 e; p( g& q
# }% c' x8 J% ^( j/ |2 ? [
v' @/ b6 O# e) m2 m, f" ^, Kwpa-test-01.cap is the capture containing the four-way handshake
+ t* L* G- |# a" }
linksys.hashfile are our precomputed hashes
. q5 ^6 P: N4 `linksys is the network ESSID
! D* W- L# a( y ?+ t) v* e( ? Y
5 {+ ?/ h w" g/ r% `Notice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attacked as opposed to 200 secondswith standard dictionary attack mode, albeit you do need to pre-computethe hash files prior to the attack. However, precomputing large hashfiles for common SSIDS (e.g. linksys, tsunami) would be a sensible movefor most penetration testers.
2 ~) k5 P2 u% D3 Q1 W
, Z' C! \' e6 {; F- L, ScoWPAtty Precomputed WPA2 Attack:+ b# ^. ?# _9 F, Q& W0 Z6 O3 U- C
coWPAtty4.0 is also capable of attacking WPA2 captures. Note: The same hashfile as was used with the WPA capture was also used with the WPA2capture.
$ F, @1 [& {+ z& I
cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys
# i1 l* g; t9 @, {- K# t
3 q }6 ?1 g" f# U' q$ x" b$ b5 k \0 w( o1 o
wpa2psk-linksys.dump is the capture containing the four-way handshake
- v" ]0 ^ _1 K" }& z* N/ I; ?dict is the password file
/ N& i' O5 y: r) Y* `- w4 olinksys is the network SSID
* `6 W3 _6 `0 P) A- ?
" u, t% N# L7 C& V% wcoWPAtty Tables:
+ [# `7 j. H# ]% f7 KThe Church of Wifi have produced some lookup tables for 1000 SSID's computed against a 170,000 word password file. The resultant table are approximately 7 Gigabytes in size and can be downloaded via Torrent:
6 D7 y' F6 T* ]7 b' \
$ a ~: w: h3 L- d6 jhttp://torrents.lostboxen.net/co ... atty-4.0_2006-10-19' B) {2 a# {' ~" f* m0 V8 x
) w' ]+ K6 o: }9 G* l
A 33 Gigabyte set of tables are also available: http://umbra.shmoo.com:6969/; f) Q) c. c1 L& x
7 @7 T! P0 W1 v' f* z
Or you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/5 i6 i) p5 H. Q7 ~4 n5 E
[复制链接]
IP卡
狗仔卡
发表于 2009-8-28 17:55
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡