
Help with wpa/wpa2 rainbowcrack?


Loic

Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Sun Apr 13, 2008 7:39 pm

Help with wpa/wpa2 rainbowcrack?

Hi all, I need some help with cracking wpa authentication…

OK, so from what I can understand, unlike WEP, WPA/WPA2 needs to be brute-force attacked, dictionary attacked, or cracked using hash tables (rainbow crack). From what I have read, using hash tables is the quickest way to do it, right?

I have read this article http://www.aircrack-ng.org/doku.php?id=cracking_wpa which tells me how to capture the packets, but that article only goes into the dictionary attack, which I have found isn't that effective.

I wanted to know if someone could point me in the right direction for some articles on how to do the same thing but using hash tables. Or perhaps give me some advice here?

Also, I found a torrent once for some hash tables, one was 35gb, and I have lost it and can't find it again. Does anyone know where I can download some hash tables? Or how do I make my own?

dean

Post Mon Apr 14, 2008 6:22 pm

Re: Help with wpa/wpa2 rainbowcrack?

WPA/WPA2 is susceptible to a dictionary attack. Two tools to accomplish this are coWPAtty and Aircrack-ng.

In order to use rainbow tables for cracking WPA/WPA2 you need to generate specific tables based on the SSID of the AP. Each passphrase is hashed 4096 times with SHA-1 and additionally the algorithm is seeded with the SSID and the SSID length. This means that the same passphrase will produce a different key for a different SSID.

To use coWPAtty to generate a table of precomputed hashes, use the tool genpmk that is included with the distribution.

./genpmk -f wordlist -d outputfile -s SSID

Additionally you can pipe the output of John the Ripper to coWPAtty.

All this information is available through Google, btw.

Rainbow tables for wpa/wpa2:

http://torrents.lostboxen.net/cowf-wpa- ... 2006-10-19
http://umbra.shmoo.com:6969/

Visit http://www.renderlab.net/projects/WPA-tables/ for more info.

dean
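The SSID dependence described in the reply above is the whole reason WPA/WPA2 tables have to be built per SSID. The following is an added example, not code from the thread or from coWPAtty/genpmk: it derives the Pairwise Master Key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, passphrase as the key, SSID as the salt, 4096 iterations, 256-bit output), checks it against the published 802.11i test vector ("password" / "IEEE"), and then shows that a small table precomputed for one SSID does not match the same passphrase under a different SSID. The wordlist and the SSID "linksys" used for the comparison are constructed here for illustration.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Parameters fixed by IEEE 802.11i for WPA/WPA2-PSK passphrase mapping.
PBKDF2_ITERATIONS = 4096   # iterations of HMAC-SHA1 per output block
PMK_LENGTH = 32            # 256-bit Pairwise Master Key
MIN_PASSPHRASE, MAX_PASSPHRASE = 8, 63


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).

    The SSID is the salt, so the same passphrase yields a different PMK on
    every network whose SSID differs; a precomputed table is only valid for
    the SSID it was generated against.
    """
    if not MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PMK_LENGTH,
    )


def build_pmk_table(wordlist: Iterable[str], ssid: str) -> Dict[bytes, str]:
    """Precompute PMK -> passphrase for one SSID (the idea behind genpmk).

    Candidates outside the legal 8..63 range are skipped because no AP
    would ever accept them as a WPA passphrase.
    """
    return {
        derive_pmk(word, ssid): word
        for word in wordlist
        if MIN_PASSPHRASE <= len(word) <= MAX_PASSPHRASE
    }


def lookup_pmk(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """Return the passphrase behind a PMK if the table was built for its SSID."""
    return table.get(pmk)


# Published IEEE 802.11i Annex H test vector for passphrase "password", SSID "IEEE".
IEEE_TEST_VECTOR_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
)

# Constructed sample wordlist; "short" is deliberately under 8 characters.
SAMPLE_WORDLIST = ["password", "short", "letmein123", "correcthorse"]


def ssid_dependence_demo() -> dict:
    """Show that a table built for SSID "IEEE" does not transfer to "linksys"."""
    table = build_pmk_table(SAMPLE_WORDLIST, "IEEE")
    hit = lookup_pmk(table, derive_pmk("password", "IEEE"))
    miss = lookup_pmk(table, derive_pmk("password", "linksys"))  # same passphrase, other SSID
    return {
        "vector_ok": derive_pmk("password", "IEEE") == IEEE_TEST_VECTOR_PMK,
        "table_size": len(table),   # 3: "short" was filtered out
        "same_ssid_hit": hit,       # "password"
        "other_ssid_hit": miss,     # None
    }


if __name__ == "__main__":
    for key, value in ssid_dependence_demo().items():
        print(f"{key}: {value}")
```

The practical consequence for a defender follows directly from the salt: a downloaded table only covers networks still running a factory-default SSID, so renaming the SSID and choosing a long random passphrase removes both the table shortcut and the dictionary shortcut at once. Each candidate costs a full 4096-iteration PBKDF2 run, which is what keeps per-SSID generation slow.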

Loic

Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Mon Apr 14, 2008 6:38 pm

Re: Help with wpa/wpa2 rainbowcrack?

I know it can all be found on Google. Most of what you just said I found, but it is always good to ask around as well, to make sure I am on the right track.

How practical is it really? I am currently generating LM alphanumeric rainbow tables and with 4 computers it is taking me 2 days, and that only allows for passwords up to 8 characters. So realistically, based on those numbers, it could take months/years to crack WPA?

And those rainbow tables for WPA/WPA2, would they really be worth downloading, as each network has a different SSID? Well, unless people leave it as the factory default?

dean

Post Mon Apr 14, 2008 7:20 pm

Re: Help with wpa/wpa2 rainbowcrack?

Would they be worth downloading? That's up to you. It's possible that in a pentest you might find a rogue AP that had a default SSID connected to the client's network and so that would be a valid ingress point if the scope allowed it. I generally capture the EAPoL 4-Way handshake and crack it offline. I pipe a custom word list through JTR and use the hybrid mode to generate custom variations of the dictionary words.

How practical is it really? I am currently generating LM alphanumeric rainbow tables and with 4 computers it is taking me 2 days, and that only allows for passwords up to 8 characters. So realistically, based on those numbers, it could take months/years to crack WPA?

Google for time-memory trade-off, the theory behind precomputed hashes. Don't forget that the minimum length for WPA keys is 8 characters and, while the max is 63, I've never seen longer than about 25 characters or so in an implementation. Anything above 20 characters that is random is probably not going to be cracked. The same limitations for any type of brute-force/dictionary password attack will apply.

Loic

Newbie

Posts: 16

Joined: Mon Mar 24, 2008 6:04 pm

Location: Sydney

Post Mon Apr 14, 2008 7:59 pm

Re: Help with wpa/wpa2 rainbowcrack?

OK, so excluding the case where they have a default SSID, the quickest/only practical way to crack WPA/WPA2 would be to "pipe a custom word list through JTR and use the hybrid mode to generate custom variations of the dictionary words."

I looked into the "time-memory trade-off", which would only be useful for a default SSID. There would be no point creating rainbow tables for a one-off, right? So I think I might download that 33gb file. It might come in handy.
