coWPAtty for Windows MAIN:
"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright.
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html

Local Mirror: Cowpatty-4.0-win32.zip MD5: aa9ead2aacfcc493da3684351425d4c6

coWPAtty Dictionary Attack
Precomputing WPA PMK to crack WPA PSK
coWPAtty Precomputed WPA Attack
coWPAtty Precomputed WPA2 Attack
coWPAtty Tables

coWPAtty Usage:

coWPAtty Dictionary Attack:
To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with, and the SSID of the network.
In order to collect the four-way handshake you can either wait until a client joins the network or, preferably, force it to rejoin the network using tools like void11 or aireplay, and capture the handshake using something like kismet, ethereal or airodump.

cowpatty -f dict -r wpapsk-linksys.dump -s linksys
As you can see, this simple dictionary attack took 51 seconds; we can speed up this process by precomputing the WPA-PMK to crack the WPA-PSK (see below).

wpapsk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID

Precomputing WPA PMK to crack WPA PSK:
genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference in WPA, however: the SSID of the network is used together with the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc.

So to generate some hash files for a network using the SSID cuckoo we use:

/ o4 T' V; G3 F: @/ b2 g4 t) q% E& Ugenpmk -f dict -d linksys.hashfile -s linksys

dict is the password file
linksys.hashfile is our output file
linksys is the network ESSID

5 P; H5 R! O- x* ^) y }coWPAtty Precomputed WPA Attack:
Now that we have created our hash file we can use it against any WPA-PSK network that is utilising a network SSID of cuckoo. Remember the capture (wpa-test-01.cap) must contain the four-way handshake to be successful.

cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys

wpa-test-01.cap is the capture containing the four-way handshake
linksys.hashfile is our precomputed hashes
linksys is the network ESSID

Notice that cracking the WPA-PSK took 0.04 seconds with the precomputed attack as opposed to 200 seconds in standard dictionary attack mode, albeit you do need to precompute the hash files prior to the attack. However, precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would be a sensible move for most penetration testers.
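To make the "salted by SSID" point above and the dictionary-versus-precomputed timing concrete, here is an added Python example (not code from the coWPAtty page or from Joshua Wright's tool). It implements the 802.11i PMK derivation, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output, builds a small genpmk-style table for one SSID, and contrasts a table lookup with recomputing every candidate. It stops at the PMK: real coWPAtty confirms a candidate by deriving the PTK and checking the MIC in the captured handshake, which is not reproduced here, so a known PMK stands in for that check. The wordlist is constructed for the demonstration, and "password" with SSID "IEEE" is the published 802.11i test vector.

```python
# Added example (not part of the coWPAtty page or Joshua Wright's code):
# how the WPA/WPA2 pairwise master key (PMK) is derived from a passphrase
# and why genpmk-style precomputation is only valid for one SSID.
#
# IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
# The SSID is the salt, so a table of PMKs built for "linksys" says nothing
# about a network called "cuckoo".
import hashlib
import time

PMK_ITERATIONS = 4096   # fixed by the standard; this is what makes each guess expensive
PMK_LEN = 32            # 256-bit PMK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK for a WPA/WPA2-Personal passphrase and SSID (the expensive step)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PMK_ITERATIONS, PMK_LEN)


def precompute_table(wordlist, ssid: str) -> dict:
    """genpmk-style table mapping PMK -> passphrase; valid for this SSID only."""
    return {derive_pmk(word, ssid): word for word in wordlist}


def lookup_pmk(table: dict, pmk: bytes):
    """Precomputed mode: one dictionary lookup instead of 4096 HMAC rounds per guess."""
    return table.get(pmk)


def dictionary_search(wordlist, ssid: str, target_pmk: bytes):
    """Plain dictionary mode: recompute the PMK for every candidate passphrase."""
    for word in wordlist:
        if derive_pmk(word, ssid) == target_pmk:
            return word
    return None


def pmk_rate(seconds: float = 0.5, ssid: str = "linksys") -> float:
    """Rough PMK derivations per second on this machine (single core, pure hashlib)."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        derive_pmk("benchmark1", ssid)   # constructed benchmark passphrase
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed wordlist; "password" / "IEEE" is the 802.11i Annex test vector.
    words = ["letmein1", "linksys123", "password", "correcthorse"]
    target = derive_pmk("password", "IEEE")
    print("PMK(password, IEEE) =", target.hex())
    print("dictionary mode  ->", dictionary_search(words, "IEEE", target))
    table = precompute_table(words, "IEEE")
    print("precomputed mode ->", lookup_pmk(table, target))
    # Same passphrase on a network with a different SSID: the table misses entirely.
    print("table hit for SSID linksys?",
          lookup_pmk(table, derive_pmk("password", "linksys")))
    print("approx PMK derivations per second:", round(pmk_rate(), 1))
```

The rate printed at the end is the whole story behind the 51-second versus 0.04-second figures: every candidate costs 4096 HMAC-SHA1 rounds, and precomputation simply moves that cost off the clock for SSIDs someone has already paid for. For the network owner the same arithmetic cuts the other way: a non-default SSID invalidates every published table, and a long random passphrase is not in any wordlist to begin with.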
coWPAtty Precomputed WPA2 Attack:
coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: the same hash file that was used with the WPA capture was also used with the WPA2 capture.
cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys

wpa2psk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID

coWPAtty Tables:
The Church of Wifi have produced lookup tables for 1000 SSIDs computed against a 170,000-word password file. The resultant tables are approximately 7 Gigabytes in size and can be downloaded via Torrent:

http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19

A 33 Gigabyte set of tables is also available: http://umbra.shmoo.com:6969/

Or you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/