1 of 4 5/23/2011 8:08 PM
Wirelessdefence.org http://wirelessdefence.org/Contents/coWPAtty_win32.htm
"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." -
Joshua Wright.
coWPAtty Usage:
In order to collect the four-way handshake you can either wait until a client joins the network or preferably you can force it to rejoin the network using tools like void11 or aireplay and capture the handshakes using something like kismet, ethereal or airodump.
As you can see, this simple dictionary attack took 51 seconds. We can speed up this process by precomputing the WPA-PMK to crack the WPA-PSK (see below).
genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference in WPA, however, in that the SSID of the network is used as well as the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc.
So to generate some hash files for a network using the SSID cuckoo we use:
Now that we have created our hash file, we can use it against any WPA-PSK network that is utilising a network SSID of cuckoo.
Remember the capture (wpa-test-01.cap) must contain the four-way handshake to be successful.
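The per-SSID salting described above can be seen directly in the key derivation. The following is an added example, not code from the original page or from coWPAtty/genpmk: it assumes the standard WPA-PSK derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte PMK), and the wordlist, function names and finding labels are constructed for illustration. It shows why a table built for one SSID is useless against another, and gives a simple audit check for your own network's SSID and passphrase.

```python
import hashlib

# SSIDs the page names as common targets for precomputed tables.
COMMON_SSIDS = {"linksys", "tsunami"}
# Constructed sample dictionary (assumption, stands in for a real wordlist).
WORDLIST = ["password", "letmein123", "cuckoo2011"]


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK: the SSID acts as the salt."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def build_table(ssid: str, words) -> dict:
    """Per-SSID lookup table (PMK -> passphrase), the idea behind a hash file."""
    return {wpa_pmk(word, ssid): word for word in words}


def lookup(table: dict, ssid: str, passphrase: str):
    """Return the matching word if this network's PMK is in the table, else None."""
    return table.get(wpa_pmk(passphrase, ssid))


def audit_psk(ssid: str, passphrase: str, words=WORDLIST) -> list:
    """Flag settings that make a network an easy dictionary/table target."""
    findings = []
    if ssid in COMMON_SSIDS:
        findings.append("ssid-common")        # precomputed tables likely exist
    if not 8 <= len(passphrase) <= 63:
        findings.append("length-invalid")     # outside WPA passphrase limits
    if passphrase in words:
        findings.append("psk-in-wordlist")    # falls to a plain dictionary run
    return findings


if __name__ == "__main__":
    table = build_table("cuckoo", WORDLIST)
    print("same SSID :", lookup(table, "cuckoo", "cuckoo2011"))
    print("other SSID:", lookup(table, "linksys", "cuckoo2011"))
    print("audit     :", audit_psk("linksys", "password"))
```

A unique SSID removes the benefit of shared precomputed tables, but only a passphrase absent from any wordlist defeats the slower dictionary mode as well.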
Notice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attack as opposed to 200 seconds with standard dictionary attack mode, albeit you do need to pre-compute the hash files prior to the attack. However, precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would be a sensible move for most penetration testers.
coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: The same hash file as was used with the WPA capture was
also used with the WPA2 capture.
coWPAtty Tables:
The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000 word password file. The resultant tables are approximately 7 Gigabytes in size and can be downloaded via Torrent:
http://torrents.lostboxen.net/cowf-wpa-psk-hash-tables-with-cowpatty-4.0_2006-10-19
Or you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/