Difference between revisions of "WPA Attack"

From ivc wiki
Jump to navigationJump to search
Line 41: Line 41:
These are compiled word lists and readily available.
These are compiled word lists and readily available.


=== List of word lists ===
* '''[http://www.renderlab.net/projects/WPA-tables/ Church of Wifi wordlists]''' - passwords2 (2.1 MB) and 9-final-wordlist (11 MB)
* '''[http://www.renderlab.net/projects/WPA-tables/ Church of Wifi wordlists]''' - passwords2 (2.1 MB) and 9-final-wordlist (11 MB)
* '''[http://www.outpost9.com/files/WordLists.html Outpost9.com]''' ([http://www.outpost9.com/files/wordlists/dic-0294.zip direct]) - dic-0294 (8.04 MB) ([http://forums.remote-exploit.org/bt4beta-howtos/20095-pyrit-cuda-nvidia-tutorial-nvidia-overclock-instructions.html reference])
* '''[http://www.outpost9.com/files/WordLists.html Outpost9.com]''' ([http://www.outpost9.com/files/wordlists/dic-0294.zip direct]) - dic-0294 (8.04 MB) ([http://forums.remote-exploit.org/bt4beta-howtos/20095-pyrit-cuda-nvidia-tutorial-nvidia-overclock-instructions.html reference])
Line 48: Line 49:
** '''[http://forums.remote-exploit.org/general-discussion/15766-huegels-cracking-dictionary-compilation-hcdc.html Huegel's Cracking Dictionary Compilation]''' - Cleaned-up version of Xploitz list
** '''[http://forums.remote-exploit.org/general-discussion/15766-huegels-cracking-dictionary-compilation-hcdc.html Huegel's Cracking Dictionary Compilation]''' - Cleaned-up version of Xploitz list


=== Generating word lists ==
By following simple guidelines a good word-list can be generated. Consider the following:
By following simple guidelines a good word-list can be generated. Consider the following:



Revision as of 20:39, 29 August 2009

WPA is the precursor to WEP and filled a need as a replacement for the fully disclosed and unsecure WEP encryption.

Background

For an excellent explaination, see the Airolib-ng manual.

Tools

  • pyrit blog - Reference manual - Code details
    • Like coWPatty and Airolib-ng
    • Pre-compute PMK keys
    • Internal database over precomputed ESSID and PMK combinations
    • Can export to *.cow (coWPAtty) and *.db (Airolib-ng)
    • GPGPU acceleration
    • Strip out 4-way handshake from capture file
  • coWPAtty Main page - coWPAtty project page - Readme
    • Like Pyrite and Airolib-ng
    • WPA-PSK attack on specific ESSID and captured 4-way handshake dump
    • Passthrough from Pyrite possible (GPGPU acceleration)
    • Pre-computed PMK tables supported
    • genpmk:
      • Generate "Pairwise Master Key" table for a specific ESSID, PMK tables
      • Table-file name should end with *.cow
  • Airolib-nb
    • Like coWPatty and Pyrit
    • Precompute TMK keys and attack WPA/WPA2 handshake captures
    • Internal SQLite3 database
    • Can export and import coWPAtty files

Extra:

Word lists

These are compiled word lists and readily available.

List of word lists

= Generating word lists

By following simple guidelines a good word-list can be generated. Consider the following:

  • Most people use easy to remember passwords, in this case it has to be 8 characters or over in length
  • Append 0-9 to the word, i.e. (word)1, (word)2, (word)3, ..
  • Sequence of numbers are often used, e.g. 123, 321, 999, ..
  • First letter is often upper-case
  • Short words (under 8 characters) are stringed in series of two, e.g. googlegoogle, hellohello, openopen, ..
  • Forename and surname often used

John The Ripper is a great utility to create all the permutations mentioned above. Piping is supported to avoid storing the new words. It has an extended rules engine to build the permutations.

john -wordfile:dictfile -rules -session:johnrestore.dat -stdout:63 | \
  cowpatty -r eap-test.dump -f - -s somethingclever [1]

References