
Church of Wifi WPA-PSK Rainbow Tables


Spliff666

Thank god I have the WD Passport HDD Velcroed to my laptop!

And for all the n00bs out there who don't even know how to crack WEP, I suggest looking at Gerix-Wifi-Cracker. It also supports WPA, but I haven't done much testing with it since I started using it.

I did it in about 3 minutes and 30 seconds and there was little traffic over the AP. I know WEP isn't difficult, but it's for the noobies out there :P

I wish this was out when I was first starting... would have saved a lot of time :D



  • 1 month later...

Been thinking (or not thinking) about this as I sent off $17 to a certain American, though sadly realising only later that a certain UK company who isn't BT loads their routers with WPA TKIP, a random array of 8 characters, and adds 5 random numbers to the SSID. Most people who buy said routers from this company tend not to bother changing them. Easiest way to hack? Photograph the router :P

Still, it's fun to 'think' about such things ;) Need a UK-based set of tables. Wonder what the most common 1000 SSIDs are?


I reckon with a bit of effort you could work it out from Wigle http://wigle.net/gps/gps/main

A lot of people buy APs and set standard names, so the COWF tables are useful, but remember they are built on a dictionary and are not a complete set, so people who put a little bit of thought into a password should be immune to them.


When the COWF tables were created, the dictionary lookup was the only feasible way to test the security of a specific access point. Technically it still is. No one is going to make a dictionary with "a random array of 8 characters and add 5 random numbers to the SSID" in it. It'd take way too damn long to compute every possible permutation, and then you'd find you don't have enough space to keep the resulting file.

The whole point of the COWF's files was to show: 1) that WPA has a usable vulnerability; 2) that dictionary passwords, i.e. real words, are a bad idea for passwords. They're not the end-all, be-all of WPA cracking.

Since the files were made, computers have gotten faster. I'm pretty sure at the time the fastest desktop processor was a dual-core Pentium 4. Since then GPU-based applications have come into existence. Multi-GPU cracking applications have also come into existence; just see pureh@te over at the BackTrack forums for this one. He's still using a specific word list though. He has about 450 million words on a machine with several Nvidia 295 GTX video cards running in parallel. The church used a cluster of FPGA boards and took about 3 days to generate the files. Had it not been for the FPGA cluster, the same files would have taken over a month to generate at the current processor speed.

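The point made above, that the tables are built per SSID and that every guess costs thousands of HMAC rounds, is easier to see in code. The following is an added example, not code from the thread or from the Church of WiFi tools: it derives a WPA/WPA2-PSK PMK with PBKDF2-HMAC-SHA1 written out by hand, cross-checks it against hashlib, and shows that the same passphrase yields a different PMK under a different SSID. The SSIDs and passphrases used in it are made up.

```python
"""WPA/WPA2-PSK PMK derivation (added example, not from the thread).

PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
The SSID is the salt, which is why a precomputed PMK table is only valid
for the SSID it was generated for, and why 4096 HMAC rounds per guess make
precomputation for common default SSIDs worthwhile.
"""
import hashlib
import hmac
import struct

ITERATIONS = 4096
PMK_LEN = 32


def _pbkdf2_block(passphrase: bytes, ssid: bytes, index: int) -> bytes:
    """One PBKDF2 output block: U1 = HMAC(P, S || INT(i)), Ui = HMAC(P, Ui-1),
    result = U1 xor U2 xor ... xor U4096."""
    u = hmac.new(passphrase, ssid + struct.pack(">I", index), hashlib.sha1).digest()
    result = u
    for _ in range(ITERATIONS - 1):
        u = hmac.new(passphrase, u, hashlib.sha1).digest()
        result = bytes(a ^ b for a, b in zip(result, u))
    return result


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK step by step, as 802.11i specifies.

    Passphrases must be 8..63 ASCII characters; cracking tools skip anything else.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    p = passphrase.encode("ascii")
    s = ssid.encode("utf-8")
    # SHA-1 gives 20 bytes per block, so 32 bytes needs two blocks; keep the first 32.
    return (_pbkdf2_block(p, s, 1) + _pbkdf2_block(p, s, 2))[:PMK_LEN]


def derive_pmk_stdlib(passphrase: str, ssid: str) -> bytes:
    """Same computation through hashlib, used to cross-check the manual version."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, PMK_LEN)


def pmk_depends_on_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when one passphrase yields different PMKs for two SSIDs, i.e. a table
    built for ssid_a is useless against ssid_b."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Made-up inputs: "linksys" is a default SSID the thread mentions, the
    # passphrase is invented for illustration.
    for ssid in ("linksys", "SKY12345"):
        print(ssid, derive_pmk("password123", ssid).hex())
```

The manual loop runs 4096 HMAC-SHA1 calls per output block, two blocks per passphrase; that fixed cost, multiplied by the word count, is what a PMK table pays once so that each later capture only needs the cheap PTK/MIC check.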

Wow! That page is awesome! I was using Wififofum with Google Earth, but this is really cool! :) Top tip!

Yes, I get the cracking thing. I wanted to try with CUDA, but my GeForce 8800 GTS probably isn't up to it these days.

There seems to be a sweet spot for this. If a router asks you for a password and you are a standard user, then you are probably in. If you are like my previous landlord and have no interest in things and let Sky do it all, then dictionary attacks won't work, as the SSID is SKY<XXXXX> with a random 8-character password on WPA. You move in, you get a bit of paper with it written on. No-one can be arsed to change such things, so ignorance (or apathy) is stronger than "a little bit of knowledge" on the subject.

Interesting though. I think I'll probably still play with CUDA and the Church's tables.


Slightly off topic, I know, but what this suggests to me is that better intelligence gathering is needed on my part. The Wigle link is a good one though, and I suspect it goes some way towards this. The other problem I have is when you are, say, at a conference, using Wireshark to see what's going on is like staring at the sun. I'm wondering about good ways of cutting down the search space to do intelligent analysis.

Just had a thought for another script. Some mashup between Shodan, Google Maps, GPS and Wigle. ;)

Fun times! :D


  • 3 months later...
HAK5 = n00b welcomed

Make sure the card you're using supports going into prism mode. I know this may seem obvious, but it's the main thing people overlook when starting with wireless pen testing.

Driver patches for the cards may be needed and are available with the tar, via svn, and directly in the wiki for aircrack-ng.

I will be posting tutorials on my blog about this in the near future, starting with cracking WEP (easy peasy).

I too am having a tough time with BackTrack 4 in VMware + a Compact Wireless-G USB Network Adapter with SpeedBooster / Linksys Wireless-G PCI Adapter. I have a wireless connection to the internet from both or either of them, but BackTrack 4 doesn't seem to see either of them, yet I can still google etc. through BT4. I am currently trying to seek out info on what cards/USB adapters it accepts, but so far I am not doing so good lol. I've seen the YouTube tutorial but so far I am an epic fail; so far I have installed BT4 from the ISO using VMware 7.0, which I also installed. I don't know what I am doing wrong :( . I just want to figure out how to do WPA-PSK and WPA, WEP. This is frustrating; any help would be greatly appreciated, thanks. :( This is where I am seeing the tutorial: http://www.youtube.com/watch?v=v-m296QQpDc...=1&index=25


Hey, I have been doing some checking, starting with my network adapters. I opened my desktop up and removed my PCI WiFi card, a Linksys Wireless-G PCI Adapter model WMP54G, but what's interesting is that there are other numbers on it that read like this: FCC ID: Q87-WMP54GV4, and just below that one is this one: IC: 3839A-WMP54GV4. Now here is where I am getting lost: the other adapter (USB), the Compact Wireless-G USB Network Adapter with SpeedBooster, shows on its back side this model: WUSB54GC, and on this site it says that if it's silver in color (which it is) it's v1. So OK, they are both listed as ones that work. So now I am completely lost and have no idea why they're not working. There is this site showing compatible cards and adapters, drivers etc. I will link the start of the article on link 1, but link 2 is actually where I am seeing this info. Link 1: http://www.aircrack-ng.org/doku.php?id=com...b571fa2026e61f3 and Link 2: http://www.aircrack-ng.org/doku.php?id=compatibility_drivers I really hope someone can help me :( I am lost lol.

Edited by CamelToes

  • 1 month later...

I have a 3+ GB dictionary file and was wondering how long it would take, and how large a file I would create, using cowpatty to create a table for a specific SSID.

Also wondering if I can use CUDA to help create the table.

Running an Intel quad-core along with an Nvidia GPU.


I've been meaning to ask this question before, but couldn't seem to find a definitive answer.


Thanks for the great post.

You are the best.

I wonder how we can run all the dictionaries one after another, or do we have to type it manually?

For example:

aircrack-ng wpa-01.cap -w /downloadeddic/2

This will run dictionary 2.

What about 101 and 102 and the rest in the same folder? Do I have to type this after the first one ends:

aircrack-ng wpa-01.cap -w /downloadeddic/101

and do the same for the rest?

Thanks, and waiting for you.

Edited by roro4465

It will most likely crash. Cowpatty has issues with files over 2 GB.

So what tool would be efficient enough to generate WPA-PSK rainbow tables? I have been looking around the net but could not find something worth trying.

The only things that seem to be available are the rainbow tables, which can be downloaded from almost anywhere on the net.

Edited by Infiltrator

Depends on how many words are in the dictionary. Personally, I like pyrit with CUDA... on an 8-core AMD 2.4 GHz & a GTS 250, I get ~10,000 PMK/s.

Uh... completely borked numbers here, but 3 GB is 3221225472 bytes... so, divided by 10000, 322123 seconds, 90 hours? But I'm bad at math; I could be wrong.

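Two questions in this thread come down to the same bookkeeping: how to push several dictionary files through one cracking run instead of typing a command per file, and how big and how slow a PMK table for a 3 GB wordlist would be. The estimate above divides the file's byte size by the PMK/s rate, but a table costs one PMK per candidate word, not per byte, and only 8..63 character ASCII lines count as candidates at all. The following is an added example, not code from the thread or from cowpatty/pyrit: it streams any number of wordlists through a filter that drops unusable lines and duplicates, and sizes the resulting table. The record layout it assumes (one length byte, the passphrase, a 32-byte PMK) is an assumption about genpmk-style files, as is the sample wordlist, which is constructed inline.

```python
"""Merging wordlists and sizing a PMK table (added example, not from the thread).

One PMK is computed per usable candidate, so estimates must start from the
word count after filtering, not from the dictionary's size in bytes.
"""
import sys
from typing import Iterable, Iterator, Tuple

PMK_LEN = 32
# Assumption: a genpmk-style record is 1 length byte + passphrase + 32-byte PMK.
RECORD_OVERHEAD = 1 + PMK_LEN


def valid_passphrases(lines: Iterable[str]) -> Iterator[str]:
    """Yield only candidates a WPA cracker can use: 8..63 printable ASCII
    characters, deduplicated in first-seen order. Anything else is wasted work."""
    seen = set()
    for raw in lines:
        word = raw.rstrip("\r\n")
        if not 8 <= len(word) <= 63:
            continue
        if not all(32 <= ord(c) <= 126 for c in word):
            continue
        if word in seen:
            continue
        seen.add(word)
        yield word


def merge_wordlists(paths: Iterable[str]) -> Iterator[str]:
    """Stream several dictionary files back to back through the same filter, so a
    single table (or one aircrack-ng run reading stdin) covers all of them."""
    def all_lines() -> Iterator[str]:
        for path in paths:
            # latin-1 never raises on arbitrary bytes; non-ASCII lines are dropped later.
            with open(path, "r", encoding="latin-1") as fh:
                yield from fh
    return valid_passphrases(all_lines())


def table_estimate(words: Iterable[str], pmk_per_second: float) -> Tuple[int, int, float]:
    """Return (candidate count, table size in bytes, generation time in seconds)
    for a given hash rate, counting one PMK per candidate word."""
    count = 0
    size = 0
    for w in words:
        count += 1
        size += RECORD_OVERHEAD + len(w)
    return count, size, count / pmk_per_second


if __name__ == "__main__":
    if sys.argv[1:]:
        # Usage: python3 merge.py list1.txt list2.txt ... | aircrack-ng -w - wpa-01.cap
        for word in merge_wordlists(sys.argv[1:]):
            sys.stdout.write(word + "\n")
    else:
        # Constructed sample: too short, a duplicate, non-ASCII, and too long.
        sample = ["short\n", "password\n", "password\n", "linksys1\n",
                  "caf\xe9latte\n", "a" * 64 + "\n"]
        n, size, secs = table_estimate(valid_passphrases(sample), pmk_per_second=10_000)
        print(f"{n} candidates, {size} bytes, {secs:.4f} s at 10,000 PMK/s")
```

aircrack-ng's `-w` accepts either a comma-separated list of wordlist files or `-` to read candidates from stdin, so piping the merged stream into one run avoids re-typing the command per file and skips the lines aircrack-ng would reject anyway.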

Split the dictionary file into smaller parts. Or, like the post above, use pyrit with several Nvidia cards and skip the tables completely.


I have tried using WinRTGen.exe for generating the WPA-PSK tables, but it doesn't support multicore CPUs, so I will give your suggestion a try.

Thanks, Barry99705.

Edited by Infiltrator

Hey dude. This doesn't pertain to WPA, but it gives you an idea of the power of GPU-based tools.

http://www.question-defense.com/2010/06/20...en-cl#more-6240

Yeah, I know there are a lot of things you can achieve with the raw power of GPUs nowadays.

I've been using some open-source tools to crack WinRAR passwords; though it takes time, it's a hell of a lot faster than the CPU's raw power alone.

Now imagine setting up a clustered computer system with CUDA; that's supercomputing.


The guy that runs that site, Purehate from the BackTrack forums, does just that. I forget what card he's using, but it's one of the dual-GPU cards; his server has four of them in it. One of those cards costs more than the computer I call my "gaming" computer...


  • 2 weeks later...
Which one of these files would one use if the SSID is empty?

There are a bunch of different ones; are they meant for a network with the SSID set to "<no SSID visible>" (example), or is it meant for a network with no SSID?

There's an SSID; you're just not seeing it. I'm not sure if you can make a network without one. Never tried, though.


All wireless networks must have a unique SSID; if you don't want it to be visible to others, simply disable SSID broadcasting. Disabling it won't make it totally invisible: Kismet can still be used to search for non-broadcasting SSIDs.

So if security is a concern for you, use WPA and make the passphrase a hard one to guess. That way not even rainbow tables can crack it.

Edited by Infiltrator

  • 2 weeks later...

Wow, this was an awesome learning experience, but I am now looking at WPA; sounds fun.


And it doesn't stop, honey; there is lots more to learn too.
