本帖最后由 smilebomb 于 2010-1-14 23:09 编辑
! C4 B Q0 b, P9 R1 G8 E
2 ]$ C+ J1 v D g1 J7 c本人最讨厌这种人0 _4 N3 E6 ^1 s5 V h2 q
coWPAtty for Windows MAIN:0 D- |( \; U; i
"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol."
/ ~' C$ N+ {& |# Z# h) B- Joshua Wright.
$ R' Z O) x# M9 W! N. @4 P6 l
" K1 D9 E: @4 C3 i, G: ~2 N& T# U Project Homepage: http://www.willhackforsushi.com/Cowpatty.html R4 J: `& r* s# B( H7 s0 f% {- b9 t9 U3 o7 r- p9 d3 Q: q
. e" N! j4 j- GLocal Mirror: Cowpatty-4.0-win32.zip/ e r# b; g$ y
MD5: aa9ead2aacfcc493da3684351425d4c6
6 H6 v, k4 t0 e3 N; P g* r1 A! |0 k% Q9 O, C" l0 j8 u7 A# d% W2 q
coWPAtty Dictionary Attack
3 q- f; E! E4 N$ C( w g; R5 y) `8 g9 h4 j) Y. H6 F9 x3 F
Precomputing WPA PMK to crack WPA PSK + t6 t; S5 }$ y1 K% ]
3 h9 G/ |( O, W7 B5 Y+ P/ x; X% \coWPAtty Precomputed WPA Attack
* Z; T- I% c% ^% \2 mcoWPAtty Recomputed WPA2 Attack
+ H+ d* V- T3 \; U( A. B/ h) H- {
coWPAtty Tables w$ ?7 R5 x2 E! x! U1 @" `% [" }: q9 x2 p) R
coWPAtty Usage:6 ~$
! G3 L! P6 P( G& V* P1 x : N$ ]. A z5 R z( L' n% L5 w
coWPAtty Dictionary Attack:
# q2 u: t* s N" z- I, y. i) iToperform the coWPAtty dictionary attack we need to supply the tool witha capture file that includes the TKIP four-way handshake, a dictionaryfile of passphrases to guess with and the SSID for the network. . h% r0 \9 ^- d
In orderto collect the four-way handshake you can either wait until a clientjoins the network or preferably you can force it to rejoin the networkusing tools like void11 or aireplay and capture the handshakes usingsomething like kismet, ethereal or airodump.
# S6 f/ `; n) ]) F7 ^# h( }# ]cowpatty -f dict -r wpapsk-linksys.dump -s linksys
' @. T- R, Y8 y" s" ?* @# ~
' D3 t( M+ N" m. ?* x D/ B1 [; O- |3 u3 m
+ e7 }! a5 {) s
" U: N. c" M6 I! v/ ` / e" U0 T" m# [+ y6 V$ I) `" o+ ?" x I8 |
& s, B( g/ X; W& l
As youcan see this simple dictionary attack took 51 seconds, we can speed upthis process by precomputing the WPA-PMK to crack the WPA-PSK (seebelow). 0 d4 E6 I Y, L7 |% n5 j6 Y3 w8 Q/ S6 W) x) S. k" T
wpapsk-linksys.dumpis the capture containing the four-way handshake
1 x I! F- y) n8 Y( f7 edict is the password file
% P& e( C4 K0 u* Y* b2 w" B6 Mlinksys is the network SSID
7 _ S/ t" m5 O" i& G
7 N8 N: \+ S" g: o b* S3 |3 APrecomputing WPA PMK to crack WPA PSK:" j/ g0 _5 ?( V
genpmkis used to precompute the hash files in a similar way to Rainbow tablesis used to pre-hash passwords in Windows LANMan attacks. There is aslight difference however in WPA in that the SSID of the network isused as well as the WPA-PSK to "salt" the hash. This means that weneed a different set of hashes for each and every unique SSID i.e. aset for "linksys" a set for "tsunami" etc.
# V& X ]( n$ u. R; _, I( G1 R5 e, X" @ _* C m2 ^6 x
So to generate some hash files for a network using the SSID cuckoo we use:
7 @) @# C* G* b6 c6 L X3 w) i4 ?5 y: P$ o) e! b
2 Q- n* U0 t1 d0 i3 w+ C" Y
; b G! ~$ X t0 z/ [8 z/ [genpmk -f dict -d linksys.hashfile -s linksys
: A: j. S9 ?0 T. U$ u: t3 e0 X: @) {+ t' r8 @0 T
5 {9 ^3 T6 ]: t2 z( B7 ^6 T: P' K$ O5 n) ]! h9 T# b; [- e: K, u! L$ [
0 `, a' M( b$ W2 b
7 o& D0 N$ v# K* m0 v; z3 I8 }
dict is the password file ' E, R7 R i- f$ i' W$ S7 Y& e! X. f" G+ R5 c" t0 l: ?. G6 `
linksys.hashfile is our output file ( E7 _$ F' x( g) W! a; `" o2 ~6 N7 H" g; ?6 I1 Q
linksysis the network ESSID
! C" b, l8 D; I& s$ M0 U# w1 w2 q0 s: @* O5 C4 N( D
2 N* i, b/ r$ ^. IcoWPAtty Precomputed WPA Attack:- z5 |# j1 r d
" `- t# h: J! u4 _: P6 Y6 fNow wehave created our hash file we can use it against any WPA-PSK networkthat is utilising a network SSID of cuckoo. Remember the capture(wpa-test-01.cap) must contain the four-way handshake to be successful.
3 u1 d; w& R \; l0 n. N* {# \8 I
4 W* a8 t) l, |1 Y5 c# v4 t: l$ e" u% |5 q
cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys 5 l- H$ a9 G, ^, L z
( W, L1 N0 G, ^( _/ A$ t" y! @$ k+ q6 N: A+ j
2 g! f B& M: ~4 c. ]" P' n5 m5 Y( B
3 t; v! h. p; C( ^+ @4 Z) w( b0 d+ H" u8 s8 f+ F1 L# X% ^& F+ x5 M
wpa-test-01.capis the capture containing the four-way handshake
0 O, i; t5 m! V* j0 {5 `7 flinksys.hashfile are our precomputed hashes
: x" E Y. h; I: ?3 a) x
+ n) k" _; y! w6 k/ ]& Z- nlinksys is the network ESSID 2 H/ ~7 L- N2 [% |1 Z
. O" y" {# f: f+ f
Notice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attacked as opposed to 200 secondswith standard dictionary attack mode, albeit you do need to pre-computethe hash files prior to the attack. However, precomputing large hashfiles for common SSIDS (e.g. linksys, tsunami) would be a sensible movefor most penetration testers.
( [0 u5 O( `$ s) b( b* T+ E( M( _3 c" X' F
coWPAtty Precomputed WPA2 Attack:: D7 `! w0 J- `
coWPAtty4.0 is also capable of attacking WPA2 captures. Note: The same hashfile as was used with the WPA capture was also used with the WPA2capture.
4 Y( E7 ]5 y7 `( q- t2 b$ n1 V
cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys ) z0 H3 f8 ]5 P, j3 L1 [
# i0 x+ l2 ?. O2 o6 F4 S+ Q3 a1 C/ A( l9 [' X8 P8 X) [! B
9 y9 {& n# i- b E' [- A/ R
" w# S0 L$ P- W: d! zwpa2psk-linksys.dumpis the capture containing the four-way handshake
$ ]" o, h" D2 f Ddict is the password file
( w! W6 X9 q0 i, p9 `& I4 h
linksys is the network SSID # [8 l& Y$ V( f$ ?4 v
. b& c6 y4 n* X4 X$ o* g) x8 g: u2 Q$ o4 u( F! q0 ~- V+ ~( F: y2 J
coWPAtty Tables:" q# T+ c, n. p; [+ W
' `) H% [: V+ q( U* `. j8 V/ ZThe Church of Wifi have produced some lookup tables for 1000 SSID's computed against a 170,000 word password file. The resultant table are approximately 7 Gigabytes in size and can be downloaded via Torrent:
* Z8 O* ]* D! U+ F' w
& E" R' z' u: _! S' Thttp://torrents.lostboxen.net/co ... atty-4.0_2006-10-19/ p+ G7 n" D4 e8 ]0 E. V
9 Q5 O" m. m+ r2 | m: x7 S$ l6 R, N: `! [ l0 z7 @7 {! D! }# W
A 33 Gigabyte set of tables are also available: http://umbra.shmoo.com:6969/
% g) ]' b6 ?8 M( g7 B8 m0 g3 L% \- R* _, O. ?9 Y
' M& u) X \7 S) a4 ]" h! Y% \Or you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/ | 
[复制链接]
IP卡
狗仔卡
发表于 2010-1-9 14:30
显身卡
