Difference between revisions of "WPA Attack"
From ivc wiki
Jump to navigationJump to search
Line 74: | Line 74: | ||
* [http://forums.remote-exploit.org/ Remote-Exploit forums] - Great community and resource | * [http://forums.remote-exploit.org/ Remote-Exploit forums] - Great community and resource | ||
* [http://forums.remote-exploit.org/wireless/7384-benefits-time-memory-trade-off-cowpatty.html Benefits of Time-Memory Trade-Off in coWPAtty] | * [http://forums.remote-exploit.org/wireless/7384-benefits-time-memory-trade-off-cowpatty.html Benefits of Time-Memory Trade-Off in coWPAtty] | ||
* [http://synjunkie.blogspot.com/2008/01/creating-custom-password-lists.html Creating custom password lists from | * [http://synjunkie.blogspot.com/2008/01/creating-custom-password-lists.html Creating custom password lists from webpages] | ||
* [http://forums.remote-exploit.org/bt4beta-howtos/20095-pyrit-cuda-nvidia-tutorial-nvidia-overclock-instructions.html pyrit CUDA nvidia Tutorial + Nvidia overclock instructions] | * [http://forums.remote-exploit.org/bt4beta-howtos/20095-pyrit-cuda-nvidia-tutorial-nvidia-overclock-instructions.html pyrit CUDA nvidia Tutorial + Nvidia overclock instructions] | ||
* [http://forums.remote-exploit.org/backtrack-4-howto/24213-bt4-pre-final-ati-guide.html BT4 (pre)final ATI guide] | * [http://forums.remote-exploit.org/backtrack-4-howto/24213-bt4-pre-final-ati-guide.html BT4 (pre)final ATI guide] | ||
* [http://znuh.blogspot.com/2009/01/wpa-cracking-with-amd-stream-and-radeon.html WPA cracking with AMD Stream and a Radeon HD4870 by Znuh] | * [http://znuh.blogspot.com/2009/01/wpa-cracking-with-amd-stream-and-radeon.html WPA cracking with AMD Stream and a Radeon HD4870 by Znuh] |
Revision as of 23:29, 29 August 2009
WPA is the precursor to WEP and filled a need as a replacement for the fully disclosed and unsecure WEP encryption.
Background
For an excellent explaination, see the Airolib-ng manual.
Tools
- pyrit blog - Reference manual - Code details
- Like coWPatty and Airolib-ng
- Pre-compute PMK keys
- Import compressed (.gz) files
- Supports stdin (i.e. John the Ripper piping)
- Internal database over precomputed ESSID and PMK combinations
- Export PMK to coWPAtty (*.cow ) and Airolib-ng (*.db) supported files
- GPGPU acceleration
- Strip out 4-way handshake from capture file
- coWPAtty Main page - coWPAtty project page - Readme
- Like Pyrite and Airolib-ng
- WPA-PSK attack on specific ESSID and captured 4-way handshake dump
- Passthrough from Pyrite possible (GPGPU acceleration)
- Pre-computed PMK tables supported
- genpmk:
- Generate "Pairwise Master Key" table for a specific ESSID, PMK tables
- Table-file name should end with *.cow
- Airolib-nb
- Like coWPatty and Pyrit
- Precompute TMK keys and attack WPA/WPA2 handshake captures
- Internal SQLite3 database
- Can export and import coWPAtty files
Extra:
- Church of Wifi wpa-psk rainbow tables
- Pre-computed TMK key tables, 1 million words computed for the top 1000 SSID's
- 7 and 33 GB torrents
- Hak5 single tables downloads
Word lists
List of word lists
These are compiled word lists and readily available.
- Church of Wifi wordlists - passwords2 (2.1 MB) and 9-final-wordlist (11 MB)
- Outpost9.com (direct) - dic-0294 (8.04 MB) (reference)
- Openwall wordlists - Multiple languages, small fee
- The Argon various wordlists - There are WPA versions of these lists, see Xploitz below
- Xploitz Master Password Collection
- Huegel's Cracking Dictionary Compilation - Cleaned-up version of Xploitz list
Generating word lists
By following simple guidelines a good word-list can be generated. Consider the following:
- Most people use easy to remember passwords, in this case it has to be 8 characters or over in length
- Append 0-9 to the word, i.e. (word)1, (word)2, (word)3, ..
- Sequence of numbers are often used, e.g. 123, 321, 999, ..
- First letter is often upper-case
- Short words (under 8 characters) are stringed in series of two, e.g. googlegoogle, hellohello, openopen, ..
- Forename and surname often used
John The Ripper and Raptor 3 are great utilities to create all the permutations mentioned above. JTP can pipe the data to avoid having to save the new stream. JTR has an extended rules engine to build the permutations.
john -wordfile:dictfile -rules -session:johnrestore.dat -stdout:63 | \ cowpatty -r eap-test.dump -f - -s somethingclever [1]
Tools
References
- Cracking WPA FAST with video cards
- Remote-Exploit forums - Great community and resource
- Benefits of Time-Memory Trade-Off in coWPAtty
- Creating custom password lists from webpages
- pyrit CUDA nvidia Tutorial + Nvidia overclock instructions
- BT4 (pre)final ATI guide
- WPA cracking with AMD Stream and a Radeon HD4870 by Znuh