coWPAtty for Windows MAIN:
- y: u( p1 g0 L2 N6 B( y# ?"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright.
& u5 X( g( {5 u# Z
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html
2 T9 q' Q, F9 q/ v! v1 ^$ W
* D# [: ?! T( v
Local Mirror: Cowpatty-4.0-win32.zip MD5: aa9ead2aacfcc493da3684351425d4c6
\( X7 }# {0 g; R7 }# m1 Q
, {$ t5 X! H4 u5 E4 WcoWPAtty Dictionary Attack
2 G* k: ~; h1 E( J% l' z9 r/ s
Precomputing WPA PMK to crack WPA PSK
; X, `" \& \! d3 _% J! @
coWPAtty Precomputed WPA Attack
" n/ t$ B p8 M+ x3 i" y7 zcoWPAtty Recomputed WPA2 Attack
4 F' b7 y4 b4 B G; M7 _2 }coWPAtty Tables
; y9 ?+ b! [" }1 T5 {) ^* ?
coWPAtty Usage:
4 Q% ~; y% d5 l3 o' g3 h
8 e! ~* @9 U5 u. i, A0 v6 r1 c: t# v
4 S3 t$ i$ B" ]1 |
coWPAtty Dictionary Attack:! Z. n8 q4 o% K8 Q# O
Toperform the coWPAtty dictionary attack we need to supply the tool witha capture file that includes the TKIP four-way handshake, a dictionaryfile of passphrases to guess with and the SSID for the network.
Z$ B9 S. J8 R2 @: }3 M& b1 uIn orderto collect the four-way handshake you can either wait until a clientjoins the network or preferably you can force it to rejoin the networkusing tools like void11 or aireplay and capture the handshakes usingsomething like kismet, ethereal or airodump.
. ~! q' [, A: zcowpatty -f dict -r wpapsk-linksys.dump -s linksys
- p: W' m% {/ w, Y+ _* Z3 R
. p9 r' l8 p. S: P- }6 a( m) a1 `
; W* H2 D& T- ?5 f& w# K
6 M/ n0 a! Y. ]1 Y3 R3 P+ |
9 |3 W4 I7 m6 Z+ O, MAs youcan see this simple dictionary attack took 51 seconds, we can speed upthis process by precomputing the WPA-PMK to crack the WPA-PSK (seebelow).
1 d0 g' ?- r" Z3 lwpapsk-linksys.dump is the capture containing the four-way handshake
$ l4 Y7 {1 y8 r8 adict is the password file
, m( b8 M0 }4 |3 R) {linksys is the network SSID
4 s7 K$ f. I* @7 a
2 j. Z1 F5 r6 B$ w6 u
Precomputing WPA PMK to crack WPA PSK:( t' p/ h$ `/ q- c
genpmkis used to precompute the hash files in a similar way to Rainbow tablesis used to pre-hash passwords in Windows LANMan attacks. There is aslight difference however in WPA in that the SSID of the network isused as well as the WPA-PSK to "salt" the hash. This means that weneed a different set of hashes for each and every unique SSID i.e. aset for "linksys" a set for "tsunami" etc.
. m% d2 Q+ Z, G1 j5 @7 L2 C2 G
Z( m6 Q; n1 e4 T+ [% N, f- i( [: @So to generate some hash files for a network using the SSID cuckoo we use:
# J& |$ y, ^% ^6 a9 t4 y( d# R: g8 K0 x7 Q2 ?4 Y% D
genpmk -f dict -d linksys.hashfile -s linksys
1 i- H! `. o9 E6 S4 z2 U
6 f/ s" J( K6 U! g) w4 r
8 `+ {( @ H* z+ b( o! L' \- Y5 t
& U7 `3 a; k9 w( z6 a4 |6 l
dict is the password file
0 W# y* ]2 L) [
linksys.hashfile is our output file
8 k6 w9 y* Y, s4 t2 `( e+ t U* g
linksys is the network ESSID
% a6 D# S+ v9 g$ v6 D& B, t: ]- P& i) Z6 j
coWPAtty Precomputed WPA Attack:
* k c7 q: @# ~9 t- {/ qNow wehave created our hash file we can use it against any WPA-PSK networkthat is utilising a network SSID of cuckoo. Remember the capture(wpa-test-01.cap) must contain the four-way handshake to be successful.
, b. H! e6 A. ^. n1 j! L
8 X$ v- r; j; ]( c/ d7 h
cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys
5 m6 @% g! H4 z! Q9 n$ S
: f y+ c' s( {8 e1 r" J1 P" }( c) F% l& A/ M! m8 {( y
wpa-test-01.cap is the capture containing the four-way handshake
: [. p4 f1 b0 u# ]2 R8 ?! Ylinksys.hashfile are our precomputed hashes
8 v' I' l" F, j. \* s) K
linksys is the network ESSID
# u" ~/ _+ c( C/ Q7 J, |5 G3 W* |' m8 R; x5 ^+ R- z
Notice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attacked as opposed to 200 secondswith standard dictionary attack mode, albeit you do need to pre-computethe hash files prior to the attack. However, precomputing large hashfiles for common SSIDS (e.g. linksys, tsunami) would be a sensible movefor most penetration testers.
4 [) ^! g( @8 B
% Q% v5 a C+ j2 z( h0 x9 UcoWPAtty Precomputed WPA2 Attack:, d2 n4 m% c) F6 R5 @
coWPAtty4.0 is also capable of attacking WPA2 captures. Note: The same hashfile as was used with the WPA capture was also used with the WPA2capture.
! W" u# x( T! Z/ u1 S
cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys
5 E' M9 P3 d* J0 q
, G0 O4 W$ r( n% P
- m: J2 Y0 N& c! A/ z: p
wpa2psk-linksys.dump is the capture containing the four-way handshake
6 P) I' M0 G# L! A0 [$ vdict is the password file
8 s2 L5 [2 x( z9 W3 |linksys is the network SSID
& U, F/ N" E& ^4 G
6 f4 M$ v5 u: W8 R, {2 R% zcoWPAtty Tables:
0 J) y1 c6 L8 N/ B6 j" ?. JThe Church of Wifi have produced some lookup tables for 1000 SSID's computed against a 170,000 word password file. The resultant table are approximately 7 Gigabytes in size and can be downloaded via Torrent:2 @5 `1 k) L7 o9 k M
2 K8 g: e+ _9 a+ c: Y) D# fhttp://torrents.lostboxen.net/co ... atty-4.0_2006-10-19
: R+ v) W7 Z0 j: J# \: A# U7 L7 {7 d3 j0 i! _
A 33 Gigabyte set of tables are also available: http://umbra.shmoo.com:6969/
* X' ~$ ^% v9 s4 s
- w* D8 I! z \( E; y" q- COr you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/7 D% D' y- M1 u. Y
[复制链接]
IP卡
狗仔卡
发表于 2009-8-28 17:55
提升卡
置顶卡
喧嚣卡
变色卡
抢沙发
千斤顶
显身卡