coWPAtty for Windows MAIN:
9 h3 Q+ o8 U) M& s"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright.
2 K0 D" A* I- {1 v7 r s
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html
) X+ e/ _, W) }" k* Z8 m/ U% n# G e& \5 U4 z/ \# R4 O1 M+ O7 E
Local Mirror: Cowpatty-4.0-win32.zip MD5: aa9ead2aacfcc493da3684351425d4c6
0 m& ~* W5 y7 E) n2 F% k; K! }
+ U3 e* P+ w' y3 Z/ JcoWPAtty Dictionary Attack
: [, ^9 w v8 qPrecomputing WPA PMK to crack WPA PSK
$ H5 w" ~2 ?! \0 ~( X
coWPAtty Precomputed WPA Attack
_9 B2 ~7 W) L; c6 Z; ^0 g5 EcoWPAtty Recomputed WPA2 Attack
! _7 K( b) h. z7 W5 F5 F4 E; n! e
coWPAtty Tables
1 a7 R* X3 H$ c6 M0 l
coWPAtty Usage:
9 {2 I8 S- b7 c/ q1 H- T
8 y; D: U0 W2 Y. E# n) L
+ u; T% l; {, Q6 o" _
coWPAtty Dictionary Attack:/ j& S# H' e: P3 U+ [( U
Toperform the coWPAtty dictionary attack we need to supply the tool witha capture file that includes the TKIP four-way handshake, a dictionaryfile of passphrases to guess with and the SSID for the network.
! p1 |0 W6 p1 L3 h [) l1 HIn orderto collect the four-way handshake you can either wait until a clientjoins the network or preferably you can force it to rejoin the networkusing tools like void11 or aireplay and capture the handshakes usingsomething like kismet, ethereal or airodump.
! J* u2 ~2 w, h3 |: Scowpatty -f dict -r wpapsk-linksys.dump -s linksys
. d2 i, U+ w1 L' B
. ]" s! P7 K7 d- ^. A& F1 k
/ h+ I5 @+ E+ d4 s; c. M: s1 N
7 O% W! ~: S2 \8 G2 ~$ ^& z5 W! ?$ c
* u7 q$ V9 g+ W- S u2 i8 r4 hAs youcan see this simple dictionary attack took 51 seconds, we can speed upthis process by precomputing the WPA-PMK to crack the WPA-PSK (seebelow).
* Y) z C, E7 K* K) Lwpapsk-linksys.dump is the capture containing the four-way handshake
) a4 l7 d; o: I/ s2 c& {1 r
dict is the password file
9 `3 u+ C. w0 ~% ylinksys is the network SSID
) j7 p7 `3 C/ E
% _# p2 ]; s' d% F1 X" FPrecomputing WPA PMK to crack WPA PSK:
1 R# ]6 g9 |( E' n `2 bgenpmkis used to precompute the hash files in a similar way to Rainbow tablesis used to pre-hash passwords in Windows LANMan attacks. There is aslight difference however in WPA in that the SSID of the network isused as well as the WPA-PSK to "salt" the hash. This means that weneed a different set of hashes for each and every unique SSID i.e. aset for "linksys" a set for "tsunami" etc.
& E4 m0 C. J% W# |" H# z) B9 `( Z+ m* H) K& x# D3 M/ n
So to generate some hash files for a network using the SSID cuckoo we use:
7 V4 j8 f% Q3 U% s h9 s- {
- r# h- l: H1 l5 d& _ j, e9 N
genpmk -f dict -d linksys.hashfile -s linksys
; P; N# I" @+ w# K* M& f
* C# b& ~# \, O" _& v
# y: E. ?+ q) c, c4 {- ?9 k
9 \9 O6 k y) j$ \- ?dict is the password file
* Z6 e5 \6 P5 U6 z( Zlinksys.hashfile is our output file
4 `/ J; Z2 _+ x
linksys is the network ESSID
1 q9 u' `9 Y- u6 C. G) E& S7 x& M
$ r5 f9 L: P0 g4 ^+ RcoWPAtty Precomputed WPA Attack:
. J. `# s! e. F7 ^+ V9 k9 i @Now wehave created our hash file we can use it against any WPA-PSK networkthat is utilising a network SSID of cuckoo. Remember the capture(wpa-test-01.cap) must contain the four-way handshake to be successful.
# p+ ^8 a+ Q# L! D6 @
+ z; I* ^8 f6 M2 J3 ]2 `/ i7 ?cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys
8 H, a: c/ ?& ]' s
+ _8 H7 m( [ y+ V" y
% }; P# W. `+ U9 H4 ]wpa-test-01.cap is the capture containing the four-way handshake
2 z5 p# r6 _9 T# x6 h5 Y5 o
linksys.hashfile are our precomputed hashes
% V7 r& @4 ~/ T; g s7 M2 z8 mlinksys is the network ESSID
* U& X( B; x5 u* _( o2 M5 \3 z. ]2 s
Notice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attacked as opposed to 200 secondswith standard dictionary attack mode, albeit you do need to pre-computethe hash files prior to the attack. However, precomputing large hashfiles for common SSIDS (e.g. linksys, tsunami) would be a sensible movefor most penetration testers.
7 K! G# K# L0 m: d- Y$ i# h- G* w
, e) j$ X. \; ?4 e' j
coWPAtty Precomputed WPA2 Attack:' r% V/ C3 Z) ~
coWPAtty4.0 is also capable of attacking WPA2 captures. Note: The same hashfile as was used with the WPA capture was also used with the WPA2capture.
: ]% |# I7 I* pcowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys
! k" [; d F) ~ e `; Q0 s7 i
. c, c; Z2 I7 l! Z$ f+ o8 _: v4 h% a4 [
wpa2psk-linksys.dump is the capture containing the four-way handshake
, a& c/ \" v8 b" R7 A; U& Zdict is the password file
% T% ?6 ]% _2 w/ ilinksys is the network SSID
0 K, Q- [1 L/ o5 c0 b0 i% y/ Q* }
$ g) } O2 @" V& H8 McoWPAtty Tables:
* C; l: f5 \3 jThe Church of Wifi have produced some lookup tables for 1000 SSID's computed against a 170,000 word password file. The resultant table are approximately 7 Gigabytes in size and can be downloaded via Torrent:
% \$ K5 s3 |( R+ ?( Y. N% V, V, v2 @( y) Y; T; t6 I
http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19" y/ W) C& H% v1 G4 G' Q, j. C# N2 S
9 g+ X3 i1 b) G4 ?0 m0 z
A 33 Gigabyte set of tables are also available: http://umbra.shmoo.com:6969/
. c) x1 ^1 ]$ j& c4 _/ N' M3 |) f" q- g# Y$ J3 r) r
Or you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/" \ H, Q* `- ?! p
[复制链接]
IP卡
狗仔卡
发表于 2009-8-28 17:55
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡