Difference between revisions of "WPA Attack"

From ivc wiki
Jump to navigationJump to search
Line 49: Line 49:
** '''[http://forums.remote-exploit.org/general-discussion/15766-huegels-cracking-dictionary-compilation-hcdc.html Huegel's Cracking Dictionary Compilation]''' - Cleaned-up version of Xploitz list
** '''[http://forums.remote-exploit.org/general-discussion/15766-huegels-cracking-dictionary-compilation-hcdc.html Huegel's Cracking Dictionary Compilation]''' - Cleaned-up version of Xploitz list


=== Generating word lists ==
=== Generating word lists ===
By following simple guidelines a good word-list can be generated. Consider the following:
By following simple guidelines a good word-list can be generated. Consider the following:



Revision as of 20:39, 29 August 2009

WPA is the precursor to WEP and filled a need as a replacement for the fully disclosed and unsecure WEP encryption.

Background

For an excellent explaination, see the Airolib-ng manual.

Tools

  • pyrit blog - Reference manual - Code details
    • Like coWPatty and Airolib-ng
    • Pre-compute PMK keys
    • Internal database over precomputed ESSID and PMK combinations
    • Can export to *.cow (coWPAtty) and *.db (Airolib-ng)
    • GPGPU acceleration
    • Strip out 4-way handshake from capture file
  • coWPAtty Main page - coWPAtty project page - Readme
    • Like Pyrite and Airolib-ng
    • WPA-PSK attack on specific ESSID and captured 4-way handshake dump
    • Passthrough from Pyrite possible (GPGPU acceleration)
    • Pre-computed PMK tables supported
    • genpmk:
      • Generate "Pairwise Master Key" table for a specific ESSID, PMK tables
      • Table-file name should end with *.cow
  • Airolib-nb
    • Like coWPatty and Pyrit
    • Precompute TMK keys and attack WPA/WPA2 handshake captures
    • Internal SQLite3 database
    • Can export and import coWPAtty files

Extra:

Word lists

These are compiled word lists and readily available.

List of word lists

Generating word lists

By following simple guidelines a good word-list can be generated. Consider the following:

  • Most people use easy to remember passwords, in this case it has to be 8 characters or over in length
  • Append 0-9 to the word, i.e. (word)1, (word)2, (word)3, ..
  • Sequence of numbers are often used, e.g. 123, 321, 999, ..
  • First letter is often upper-case
  • Short words (under 8 characters) are stringed in series of two, e.g. googlegoogle, hellohello, openopen, ..
  • Forename and surname often used

John The Ripper is a great utility to create all the permutations mentioned above. Piping is supported to avoid storing the new words. It has an extended rules engine to build the permutations.

john -wordfile:dictfile -rules -session:johnrestore.dat -stdout:63 | \
  cowpatty -r eap-test.dump -f - -s somethingclever [1]

References