coWPAtty for Windows

"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright.
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html

Local Mirror: Cowpatty-4.0-win32.zip MD5: aa9ead2aacfcc493da3684351425d4c6

coWPAtty Dictionary Attack
Precomputing WPA PMK to crack WPA PSK
coWPAtty Precomputed WPA Attack
coWPAtty Precomputed WPA2 Attack
coWPAtty Tables

coWPAtty Usage:

coWPAtty Dictionary Attack:
To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with, and the SSID of the network.

In order to collect the four-way handshake you can either wait until a client joins the network or, preferably, force it to rejoin the network using tools like void11 or aireplay, and capture the handshake using something like kismet, ethereal or airodump.

cowpatty -f dict -r wpapsk-linksys.dump -s linksys
As you can see, this simple dictionary attack took 51 seconds; we can speed up this process by precomputing the WPA-PMK to crack the WPA-PSK (see below).

wpapsk-linksys.dump is the capture containing the four-way handshake

dict is the password file

linksys is the network SSID

Precomputing WPA PMK to crack WPA PSK:
genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference with WPA, however: the SSID of the network is used together with the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc.

So to generate some hash files for a network using the SSID cuckoo we use:

genpmk -f dict -d linksys.hashfile -s linksys

dict is the password file

linksys.hashfile is our output file

linksys is the network ESSID
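As an added example (not part of the original post or of the coWPAtty/genpmk code), here is the per-word computation that genpmk precomputes: the WPA/WPA2 PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output, written out by hand and checked against the standard library. It uses the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") and shows that the same passphrase gives a different PMK under a different SSID, which is why a table built for "linksys" is worthless against a network with a unique SSID, and why each guess costs 8192 HMAC operations.

```python
"""PMK derivation as specified for WPA/WPA2-PSK (IEEE 802.11i):
PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32).
Hand-rolled here to make the per-guess work and the SSID salting visible."""
import hashlib
import hmac

ITERATIONS = 4096
PMK_LEN = 32  # 256-bit PMK


def _pbkdf2_block(passphrase: bytes, ssid: bytes, block_index: int) -> bytes:
    """One PBKDF2 block F(P, S, c, i): XOR of c chained HMAC-SHA1 outputs.
    U1 = HMAC(P, S || INT(i)); Uj = HMAC(P, U(j-1)); F = U1 ^ U2 ^ ... ^ Uc."""
    u = hmac.new(passphrase, ssid + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
    result = u
    for _ in range(ITERATIONS - 1):
        u = hmac.new(passphrase, u, hashlib.sha1).digest()
        result = bytes(a ^ b for a, b in zip(result, u))
    return result


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """SHA-1 yields 20 bytes per block, so two blocks are computed and the
    40-byte result is truncated to the 32-byte PMK."""
    p, s = passphrase.encode(), ssid.encode()
    return (_pbkdf2_block(p, s, 1) + _pbkdf2_block(p, s, 2))[:PMK_LEN]


def derive_pmk_stdlib(passphrase: str, ssid: str) -> bytes:
    """Reference computation with hashlib, used to cross-check derive_pmk."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), ITERATIONS, PMK_LEN)


def ssid_changes_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs under two SSIDs,
    i.e. a precomputed table for ssid_a cannot be reused for ssid_b."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # Same passphrase, two SSIDs from the post: different PMKs, so separate tables
    print(ssid_changes_pmk("password", "linksys", "tsunami"))
```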
coWPAtty Precomputed WPA Attack:
Now we have created our hash file we can use it against any WPA-PSK network that is utilising a network SSID of cuckoo. Remember the capture (wpa-test-01.cap) must contain the four-way handshake to be successful.

cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys

wpa-test-01.cap is the capture containing the four-way handshake

linksys.hashfile is our precomputed hash file

linksys is the network ESSID

Notice that cracking the WPA-PSK took 0.04 seconds with the precomputed attack as opposed to 200 seconds with the standard dictionary attack mode, albeit you do need to precompute the hash files prior to the attack. However, precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would be a sensible move for most penetration testers.
coWPAtty Precomputed WPA2 Attack:
coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: the same hash file as was used with the WPA capture was also used with the WPA2 capture.

cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys

wpa2psk-linksys.dump is the capture containing the four-way handshake

dict is the password file

linksys is the network SSID
coWPAtty Tables:
The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000 word password file. The resultant tables are approximately 7 Gigabytes in size and can be downloaded via Torrent:

http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19

A 33 Gigabyte set of tables is also available: http://umbra.shmoo.com:6969/

Or you can buy them on DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/