coWPAtty for Windows

"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright.

Project Homepage: http://www.willhackforsushi.com/Cowpatty.html

Local Mirror: Cowpatty-4.0-win32.zip MD5: aa9ead2aacfcc493da3684351425d4c6

coWPAtty Dictionary Attack
Precomputing WPA PMK to crack WPA PSK
coWPAtty Precomputed WPA Attack
coWPAtty Precomputed WPA2 Attack
coWPAtty Tables

coWPAtty Usage:
coWPAtty Dictionary Attack:
To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with, and the SSID for the network.
In order to collect the four-way handshake you can either wait until a client joins the network or, preferably, force it to rejoin the network using tools like void11 or aireplay and capture the handshakes using something like kismet, ethereal or airodump.

cowpatty -f dict -r wpapsk-linksys.dump -s linksys

As you can see this simple dictionary attack took 51 seconds; we can speed up this process by precomputing the WPA-PMK to crack the WPA-PSK (see below).

wpapsk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID
Precomputing WPA PMK to crack WPA PSK:
genpmk is used to precompute the hash files in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference however in WPA in that the SSID of the network is used as well as the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami" etc.

So to generate some hash files for a network using the SSID cuckoo we use:

genpmk -f dict -d linksys.hashfile -s linksys

dict is the password file
linksys.hashfile is our output file
linksys is the network ESSID
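The "salt" remark above is the whole reason genpmk tables are per-SSID. The following added example (not code from the coWPAtty page or from Joshua Wright) derives a WPA/WPA2 Pairwise Master Key the way a client does, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output as defined in IEEE 802.11i, and checks it against the published IEEE test vector (passphrase "password", SSID "IEEE"). It then shows, with constructed SSIDs, that a PMK table built for one SSID matches nothing on a network with a different SSID, which is the defensive takeaway: a non-default SSID plus a long passphrase makes shared precomputed tables useless. The helper names (derive_pmk, tables_are_reusable) are my own, not part of the tool.

```python
"""
Added example, not part of the coWPAtty page or its author's code:
derive the WPA/WPA2 PMK from passphrase + SSID (IEEE 802.11i) and show
why precomputed PMK tables are tied to one SSID.
"""
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32               # 256-bit PMK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so a PMK computed for one SSID is unrelated to
    the PMK the same passphrase yields on a network with another SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        PMK_LEN,
    )


def tables_are_reusable(table_ssid: str, target_ssid: str,
                        passphrase: str = "password") -> bool:
    """Would a PMK table generated for table_ssid contain the PMK a client
    on target_ssid actually uses? Only when the SSIDs are byte-identical.
    (Constructed check; the passphrase is just a sample entry.)"""
    return hmac.compare_digest(derive_pmk(passphrase, table_ssid),
                               derive_pmk(passphrase, target_ssid))


def ieee_test_vector() -> str:
    """IEEE 802.11i Annex test vector: passphrase 'password', SSID 'IEEE'.
    Expected PMK: f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"""
    return derive_pmk("password", "IEEE").hex()


if __name__ == "__main__":
    print("PMK(password, IEEE) =", ieee_test_vector())
    # Same passphrase, default SSID vs. a site-specific SSID (constructed names):
    print("'linksys' table usable on SSID 'linksys'?     ",
          tables_are_reusable("linksys", "linksys"))
    print("'linksys' table usable on SSID 'my-office-5g'?",
          tables_are_reusable("linksys", "my-office-5g"))
```

Each PBKDF2 call here costs 4096 HMAC-SHA1 rounds, which is the per-guess cost the page's 51-second dictionary run is paying and the cost genpmk moves ahead of time; changing the SSID forces that work to be redone for every table entry.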
coWPAtty Precomputed WPA Attack:
Now we have created our hash file we can use it against any WPA-PSK network that is utilising a network SSID of cuckoo. Remember the capture (wpa-test-01.cap) must contain the four-way handshake to be successful.

cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys

wpa-test-01.cap is the capture containing the four-way handshake
linksys.hashfile are our precomputed hashes
linksys is the network ESSID

Notice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attack as opposed to 200 seconds with standard dictionary attack mode, albeit you do need to pre-compute the hash files prior to the attack. However, precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would be a sensible move for most penetration testers.
coWPAtty Precomputed WPA2 Attack:
coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: the same hash file as was used with the WPA capture was also used with the WPA2 capture.

cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys

wpa2psk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID
coWPAtty Tables:
The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000 word password file. The resultant tables are approximately 7 Gigabytes in size and can be downloaded via Torrent:

http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19

A 33 Gigabyte set of tables is also available: http://umbra.shmoo.com:6969/

Or you can buy them on DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/