WPA Attack

WPA is the precursor to WEP and filled a need as a replacement for the fully disclosed and unsecure WEP encryption.

Background

For an excellent explaination, see the Airolib-ng manual.

• The twilight of Wi-Fi Protected Access
• IEEE 802.11i Wikipedia page

Tools

• pyrit blog - Reference manual - Code details
  • Like coWPatty and Airolib-ng
  • Pre-compute PMK keys
  • Import compressed (.gz) files
  • Supports stdin (i.e. John the Ripper piping)
  • Internal database over precomputed ESSID and PMK combinations
  • Export PMK to coWPAtty (*.cow ) and Airolib-ng (*.db) supported files
  • GPGPU acceleration
  • Strip out 4-way handshake from capture file

• coWPAtty Main page - coWPAtty project page - Readme
  • Like Pyrite and Airolib-ng
  • WPA-PSK attack on specific ESSID and captured 4-way handshake dump
  • Passthrough from Pyrite possible (GPGPU acceleration)
  • Pre-computed PMK tables supported
  • genpmk:
    • Generate "Pairwise Master Key" table for a specific ESSID, PMK tables
    • Table-file name should end with *.cow

• Airolib-nb
  • Like coWPatty and Pyrit
  • Precompute TMK keys and attack WPA/WPA2 handshake captures
  • Internal SQLite3 database
  • Can export and import coWPAtty files

Extra:

• Church of Wifi wpa-psk rainbow tables
  • Pre-computed TMK key tables, 1 million words computed for the top 1000 SSID's
  • 7 and 33 GB torrents
  • Hak5 single tables downloads

Word lists

List of word lists

These are compiled word lists and readily available.

• Church of Wifi wordlists - passwords2 (2.1 MB) and 9-final-wordlist (11 MB)
• Outpost9.com (direct) - dic-0294 (8.04 MB) (reference)
• Openwall wordlists - Multiple languages, small fee
• The Argon various wordlists - There are WPA versions of these lists, see Xploitz below
• Xploitz Master Password Collection
  • Huegel's Cracking Dictionary Compilation - Cleaned-up version of Xploitz list

Generating word lists

By following simple guidelines a good word-list can be generated. Consider the following:

• Most people use easy to remember passwords, in this case it has to be 8 characters or over in length
• Append 0-9 to the word, i.e. (word)1, (word)2, (word)3, ..
• Sequence of numbers are often used, e.g. 123, 321, 999, ..
• First letter is often upper-case
• Short words (under 8 characters) are stringed in series of two, e.g. googlegoogle, hellohello, openopen, ..
• Forename and surname often used

John The Ripper is a great utility to create all the permutations mentioned above. Piping is supported to avoid storing the new words. It has an extended rules engine to build the permutations.

john -wordfile:dictfile -rules -session:johnrestore.dat -stdout:63 | \
  cowpatty -r eap-test.dump -f - -s somethingclever [1]

References

• Cracking WPA FAST with video cards
• Remote-Exploit forums - Great community and resource
• Benefits of Time-Memory Trade-Off in coWPAtty
• Creating Custom Password Lists
• pyrit CUDA nvidia Tutorial + Nvidia overclock instructions
• BT4 (pre)final ATI guide
• WPA cracking with AMD Stream and a Radeon HD4870 by Znuh