本帖最后由 smilebomb 于 2010-1-14 23:09 编辑 ; H7 g% R; m7 [) ?
+ _8 P+ y, Y6 R6 k4 t- z7 [本人最讨厌这种人6 Q: \3 w! ~3 t3 k/ d9 x- K
coWPAtty for Windows MAIN:, u" s* C- t j, w( @3 v" {
"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." j3 ]8 o8 b* B5 w
- Joshua Wright.4 L! v9 U3 O5 G4 n! l
9 W! N. @4 P6 l' [7 |0 g, A, Q( U7 A# F
Project Homepage: http://www.willhackforsushi.com/Cowpatty.html R4 J: `& r* s# B( H7 s
! T9 ^& \0 ?& v0 }5 F; m
8 k# W7 o( j2 ]( {; FLocal Mirror: Cowpatty-4.0-win32.zip
, ^- Q; A8 ~) j2 k! y j: ]MD5: aa9ead2aacfcc493da3684351425d4c6 , J6 z% h7 L( s- w/ Z0 Z
; P g* r1 A! |0 k% Q4 u+ q7 V# x# ]
coWPAtty Dictionary Attack 3 q- f; E! E4 N$ C( w g; R
+ S* S8 k# J1 vPrecomputing WPA PMK to crack WPA PSK + t6 t; S5 }$ y1 K% ]
( y0 Z$ C" ]9 |. r& s6 gcoWPAtty Precomputed WPA Attack
/ v4 g. S! w' R* m! M. J" VcoWPAtty Recomputed WPA2 Attack
+ H+ d* V- T3 \. k7 m8 G/ R h, o9 Z, f
coWPAtty Tables w$ ?7 R5 x2 E! x! U
5 X( w/ t0 ^6 F5 i3 f9 p5 ocoWPAtty Usage:6 ~$
7 U0 C" W* F4 [6 ^: ^/ c3 X
4 H* y+ Q2 h5 E# ? coWPAtty Dictionary Attack:6 P7 U' `) b2 `2 c/ h
Toperform the coWPAtty dictionary attack we need to supply the tool witha capture file that includes the TKIP four-way handshake, a dictionaryfile of passphrases to guess with and the SSID for the network.
5 W/ B) q( g9 V3 U gIn orderto collect the four-way handshake you can either wait until a clientjoins the network or preferably you can force it to rejoin the networkusing tools like void11 or aireplay and capture the handshakes usingsomething like kismet, ethereal or airodump.
0 [# X! B' U9 C) J/ ccowpatty -f dict -r wpapsk-linksys.dump -s linksys
^" l5 b {9 `5 O- v; s' D3 t( M+ N" m3 |! b D/ a5 j& c6 b7 h9 q
+ e7 }! a5 {) s" _9 ~, [, `5 Y% I$ K
 / e" U0 T" m# [+ y
) U( d- \; X5 c" _' v1 l# ^( {; R7 i/ X% W" f
As youcan see this simple dictionary attack took 51 seconds, we can speed upthis process by precomputing the WPA-PMK to crack the WPA-PSK (seebelow). 0 d4 E6 I Y, L7 |% n5 j6 Y3 w8 Q3 K2 _5 _3 B ^7 _- O
wpapsk-linksys.dumpis the capture containing the four-way handshake % e# b+ G" Z5 ?3 C: B1 n
dict is the password file
, g3 m9 E. n( A5 rlinksys is the network SSID
* L* Z6 w- f8 z
; ?3 q+ x6 r: O9 G* kPrecomputing WPA PMK to crack WPA PSK:. T! b( Q+ N ]) k9 \0 g( _
genpmkis used to precompute the hash files in a similar way to Rainbow tablesis used to pre-hash passwords in Windows LANMan attacks. There is aslight difference however in WPA in that the SSID of the network isused as well as the WPA-PSK to "salt" the hash. This means that weneed a different set of hashes for each and every unique SSID i.e. aset for "linksys" a set for "tsunami" etc.
0 }: W' p$ s+ u* P, T. e! E9 ^
1 s C: O7 \( d7 S0 }5 j7 V+ O
So to generate some hash files for a network using the SSID cuckoo we use: 7 @) @# C* G* b6 c6 L X3 w) i4 ?- z$ R1 Q+ W: g% V* Q% L% \
2 Q- n* U0 t1 d0 i3 w+ C" Y
- Q, e% v0 [4 x4 B( e/ U" sgenpmk -f dict -d linksys.hashfile -s linksys
3 ] L+ A4 b% i& j5 J3 e0 X: @) {+ t' r8 @0 T
( e. Z$ {# z1 L* ^) W6 T: P' K$ O5 n) ]! h9 T
. m B {) R% ]6 N* `* r9 X" a/ a
/ ]9 V% ]6 Q8 o% y; B: T3 W! S1 W4 n
& ^; x0 @7 @+ I) ?$ W, Y
dict is the password file ' E, R7 R i- f$ i' W$ S7 Y& e! X
& k% b3 L2 `% r1 A* ilinksys.hashfile is our output file ( E7 _$ F' x( g) W! a; `" o
0 z9 P9 U4 l# ^( Hlinksysis the network ESSID ' k+ l+ s+ ~# `7 u
# w1 w2 q0 s: @* O5 C4 N( D/ R% l' p8 T, b
coWPAtty Precomputed WPA Attack:- z5 |# j1 r d% V7 K) d" B& a
Now wehave created our hash file we can use it against any WPA-PSK networkthat is utilising a network SSID of cuckoo. Remember the capture(wpa-test-01.cap) must contain the four-way handshake to be successful. 3 u1 d; w& R \; l0 n. N* {# \8 I
: F k, T. ~& I1 Q! F4 P# b3 X% j
% C! k+ C7 W& N5 s* \cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys 1 W/ H. o" o) H3 J9 G
( W, L1 N0 G, ^( _/ A$ t' R: e! C8 ^9 i. T
8 C; O' ^0 o1 i) B6 t: j. f
4 c. ]" P' n5 m5 Y( B
. v! }9 }, y( b+ @4 Z) w( b0 d+ H" u8 s8 f
9 v% ^% w4 \, q' X& I% i8 Z; U Dwpa-test-01.capis the capture containing the four-way handshake l2 k, \# @) G7 r6 \0 O
linksys.hashfile are our precomputed hashes : x" E Y. h; I: ?3 a) x
/ L- c" ]9 l4 L0 a0 D6 @linksys is the network ESSID
1 Z+ m: V: _2 _, k m) T- L i
0 o8 R: y/ }9 h, C/ INotice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attacked as opposed to 200 secondswith standard dictionary attack mode, albeit you do need to pre-computethe hash files prior to the attack. However, precomputing large hashfiles for common SSIDS (e.g. linksys, tsunami) would be a sensible movefor most penetration testers.
) ], E2 n, P6 w3 o) R/ t
& d3 y2 e5 b( M& V# e4 OcoWPAtty Precomputed WPA2 Attack:4 T+ }4 n4 `0 M' X
coWPAtty4.0 is also capable of attacking WPA2 captures. Note: The same hashfile as was used with the WPA capture was also used with the WPA2capture. + d+ D0 i8 p% j4 I+ p
cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys 1 U8 `% X. z6 j# ?; h
* F h s# u9 \+ Q3 a1 C/ A( l9 [' X8 P8 X) [! B
' Y) {& U1 T6 x* \# I* n6 H6 H# `& v% S
wpa2psk-linksys.dumpis the capture containing the four-way handshake $ R5 g* ~4 I% z- F
dict is the password file
/ O% s0 J9 D* P# Q# Slinksys is the network SSID
# [8 l& Y$ V( f$ ?4 v
; C; d7 L3 D C* g) x8 g: u2 Q$ I7 \0 z+ @, N- s; e( x
coWPAtty Tables:" q# T+ c, n. p; [+ W
1 u w! Y' b7 a. G0 Q( B3 IThe Church of Wifi have produced some lookup tables for 1000 SSID's computed against a 170,000 word password file. The resultant table are approximately 7 Gigabytes in size and can be downloaded via Torrent:* M- U3 M$ l# g7 m2 j- i
\0 _9 \0 X$ d9 R8 y! M3 \" ~http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19/ p+ G7 n" D4 e8 ]0 E. V
6 R- ]0 Q t+ }9 D: x7 S$ l6 R, N: `! [
+ ?/ c4 e+ Z, M! w% V. i$ rA 33 Gigabyte set of tables are also available: http://umbra.shmoo.com:6969/
% z( ]3 z( e8 g9 ~. f0 h( d" h+ S% \- R* _, O. ?9 Y3 y0 A$ e4 K$ D
Or you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/ | 
[复制链接]
IP卡
狗仔卡
发表于 2010-1-10 01:59
显身卡
