Topic: Help with wpa/wpa2 rainbowcrack? (Read 21498 times)
Dissident85
« on: April 13, 2008, 07:39:50 PM »

Hi all, I need some help with cracking wpa authentication…

Ok, so from what I can understand, unlike WEP, WPA/WPA2 needs to be brute-force attacked, dictionary attacked or cracked using hash tables (rainbow crack). From what I have read, using hash tables is the quickest way to do it, right?

I have read this article http://www.aircrack-ng.org/doku.php?id=cracking_wpa which tells me how to capture the packets, but that article only goes into dictionary attack, which I have found isn’t that effective.

I wanted to know if someone could point me into the right direction for some articles on how to do the same thing but using hash tables. Or perhaps give me some advice here?

Also, I found a torrent once for some hash tables, one was 35 GB, and I have lost it and can't find it again. Does anyone know where I can download some hash tables? Or how do I make my own?
dean
« Reply #1 on: April 14, 2008, 06:22:01 PM »

WPA/WPA2 is susceptible to a dictionary attack. Two tools to accomplish this are coWPAtty and Aircrack-ng.

In order to use rainbow tables for cracking WPA/WPA2 you need to generate specific tables based on the SSID of the AP. Each passphrase is hashed 4096 times with SHA-1 and additionally the algorithm is seeded with the SSID and the SSID length. This means that the same passphrase will produce a different key for a different SSID.

To use coWPAtty to generate a table of precomputed hashes use the tool genpmk that is included with the distribution.

./genpmk  -f  wordlist  -d outputfile  -s SSID

Additionally you can pipe the output of John the Ripper to coWPAtty.

All this information is available through Google btw.

Rainbow tables for wpa/wpa2:

http://torrents.lostboxen.net/cowf-wpa-psk-hash-tables-with-cowpatty-4.0_2006-10-19
http://umbra.shmoo.com:6969/

Visit http://www.renderlab.net/projects/WPA-tables/ for more info.

dean
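To make dean's point about SSID-bound tables concrete, here is an added example (not code from the thread or from coWPAtty) that implements the 802.11i passphrase-to-PMK mapping he describes and a tiny genpmk-style table built for one SSID. The only external reference is the published 802.11i test vector (passphrase "password", SSID "IEEE"); the sample word list and default-SSID list are constructed for illustration.

```python
"""Why WPA/WPA2 precomputed tables are tied to a single SSID.

PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
The SSID is the salt, so the same passphrase yields a different PMK on every
network name, and a table built for one SSID is useless for another.
"""
import hashlib
from typing import Dict, Iterable


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit Pairwise Master Key as 802.11i specifies."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def build_pmk_table(wordlist: Iterable[str], ssid: str) -> Dict[str, bytes]:
    """genpmk-style precomputation: every entry is bound to `ssid`."""
    return {word: pmk_from_passphrase(word, ssid) for word in wordlist}


def table_reusable(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if a table built for ssid_a would also serve ssid_b."""
    return pmk_from_passphrase(passphrase, ssid_a) == pmk_from_passphrase(
        passphrase, ssid_b
    )


# Constructed list of factory-default names; a precomputed table only pays
# off against networks whose SSID is on a list like this.
DEFAULT_SSIDS = {"linksys", "default", "NETGEAR", "dlink"}


def precomputation_risk(ssid: str) -> str:
    """Defender's check: is this SSID a plausible rainbow-table target?"""
    if ssid in DEFAULT_SSIDS:
        return "high: default SSID, public tables likely exist"
    return "low: unique SSID, attacker must compute from scratch"


if __name__ == "__main__":
    table = build_pmk_table(["password", "letmein123"], "IEEE")  # constructed
    print(table["password"].hex())
    print(table_reusable("password", "IEEE", "linksys"))
    print(precomputation_risk("linksys"), "|", precomputation_risk("IEEE"))
```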
Dissident85
« Reply #2 on: April 14, 2008, 06:38:11 PM »

I know it can all be found on Google. Most of what you just said I found. But it is always good to ask around as well, to make sure I am on the right track.

How practical is it really? I am currently generating LM alphanumeric rainbow tables, and with 4 computers it is taking me 2 days, and that only allows for passwords up to 8 characters. So realistically, based on those numbers, it could take months/years to crack WPA?

And those rainbow tables for WPA/WPA2, would they really be worth downloading, as each network has a different SSID? Well, unless people leave it as the factory default?
dean
« Reply #3 on: April 14, 2008, 07:20:53 PM »

Would they be worth downloading? That's up to you. It's possible that in a pentest you might find a rogue AP that had a default SSID connected to the client's network and so that would be a valid ingress point if the scope allowed it. I generally capture the EAPoL 4-Way handshake and crack it offline. I pipe a custom word list through JTR and use the hybrid mode to generate custom variations of the dictionary words.

Quote from Dissident85:
    How practical is it really? I am currently generating LM alphanumeric rainbow tables, and with 4 computers it is taking me 2 days, and that only allows for passwords up to 8 characters. So realistically, based on those numbers, it could take months/years to crack WPA?

Google for time-memory trade-off. The theory behind precomputed hashes. Don't forget that the minimum length for WPA keys is 8 char and while the max is 63, I've never seen longer than about 25 characters or so in an implementation. Anything above 20 chars that is random is probably not going to be cracked. The same limitations for any type of bruteforce/dictionary password attack will apply.
Dissident85
« Reply #4 on: April 14, 2008, 07:59:58 PM »

OK, so excluding the case where they have a default SSID, the quickest/only practical way to crack WPA/WPA2 would be to "pipe a custom word list through JTR and use the hybrid mode to generate custom variations of the dictionary words."

I looked into the "time-memory trade-off", which would only be useful for a default SSID. There would be no point creating rainbow tables for a one-off, right? So I think I might download that 33 GB file. It might come in handy.