Custom Rainbow Table For Known Essid And Key Length

[hocky]

Hello,

here is the scenario: I know the ESSID and the length

of the wpa-psk key(containing only alpha-numeric values and

only capitals).Is it not better to just create a custom rainbow

table based on the above information before brutforce attack?

I thought of the following but i don't know how to implement it:

1) Firstly i make a custom wordlist of words that

- have a length of 10 characters and these characters

are alphanumeric only (only capitals)

i.e. all combinations of (ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789)

2) Combine the known ESSID with that wordlist to generate the rainbow table.

If the above seem valid how do I do it (what software and what

commands do i use)?

thanks

PS: In aircrack-ng I notice the possible use of the essid and

bssid (-s "ESSID" -b "BSSID"). Do these commands when

incorporated make the cracking process faster than using a

precomputaded rainbow table? i.e. is it equivalent to the above

steps 1) & 2). If so which is faster?

[Mr-Protocol]

You need the 4 way handshake for WPA stuff.

http://www.aircrack-ng.org/doku.php?id=cracking_wpa

You may want to research the tool: cowpatty

From how I understand it. You need the 4 way handshake to test your rainbow table against.

Edited January 28, 2011 by Mr-Protocol

[hocky]

You need the 4 way handshake for WPA stuff.

http://www.aircrack-ng.org/doku.php?id=cracking_wpa

You may want to research the tool: cowpatty

From how I understand it. You need the 4 way handshake to test your rainbow table against.

Thanx for the reply MR Protocol,

I forgot to mention that i do have the 4-way handshake (succesfully using airodump-ng in BT4)

so i have my sniff.cap file to test.

I also downloaded the 33GB Rainbow table from the Church of WiFi. I am not sure whether it's a good idea

to check my sniff.cap file against that rainbow table since it does not have my ESSID in it.(Not too sure

but i believe they made it using the top 1000 ESSID's and mine is not included)

So I thought i might make my own rainbow table using my already known ESSID and then check the cap file against it.

Not sure what the file size would be...

Also if the file is too big i believe that i don't need all 26 letters, just ABCDEF1234567890

but maybe that is a very big file (?)

Browsing the internet i run into the following command using "crunch" with "cowpatty" and testing it now.

I do it in vmware so taking even more time to complete. so i am just waiting to see if it works. Have a look

and tell me what you think, when i have the results i will post them in any case.

/pentest/passwords/crunch/./crunch 10 10 0123456789ABCDEF | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/capfile.cap -s essid

[mux]

Read this page:

http://wirelessdefence.org/Contents/coWPAttyMain.htm

Has all the information you need on how to make the rainbow table. You need a wordlist though. My only question is why such a limited ruleset for the wordlist? You do realize the minimum length for WPA PSK's is 8, not 10, right?

[hocky]

Read this page:

http://wirelessdefence.org/Contents/coWPAttyMain.htm

Has all the information you need on how to make the rainbow table. You need a wordlist though. My only question is why such a limited ruleset for the wordlist? You do realize the minimum length for WPA PSK's is 8, not 10, right?

Hi mux, thx for the link. I know the minimum length for wpa is 10 but for a specific brand of routers in my area

I noticed that the company uses a fixed size of 10 which is arrangements of "ABCDEF1234567890".And I know that it

most possibly has the default phrase(wpa-psk) so that is why I use no dictionary.

I am not sure how fast cowpatty is. I ran it in vmware on a 3.4 GHz CPU and noticed something like 1000 keys per 3 seconds.

I also did some math and if they are correct then it's not worth it.

I have 6 letters (ABCDEF) and 10 digits (1234567890). That makes a sum of 16.

The size of each key is 10. So:

16^10 = 1099511627776 combinations(keys)

Cowpatty checks about 1000 combianations every 3 seconds

3 secs checks 1000 keys

x secs checks 1099511627776 keys

x = 0.003 x 1099511627776

= 3298534883,328 secs

= 916259,68981333333333333333333333 hours

= 38177,487075555555555555555555556 days

= 1272,5829025185185185185185185185 months

= 104,59585500152207001522070015221 years

Am I missing something? Is there a better way?

[mux]

Hi mux, thx for the link. I know the minimum length for wpa is 10 but for a specific brand of routers in my area

I noticed that the company uses a fixed size of 10 which is arrangements of "ABCDEF1234567890".And I know that it

most possibly has the default phrase(wpa-psk) so that is why I use no dictionary.

I am not sure how fast cowpatty is. I ran it in vmware on a 3.4 GHz CPU and noticed something like 1000 keys per 3 seconds.

I also did some math and if they are correct then it's not worth it.

I have 6 letters (ABCDEF) and 10 digits (1234567890). That makes a sum of 16.

The size of each key is 10. So:

16^10 = 1099511627776 combinations(keys)

Cowpatty checks about 1000 combianations every 3 seconds

3 secs checks 1000 keys

x secs checks 1099511627776 keys

x = 0.003 x 1099511627776

= 3298534883,328 secs

= 916259,68981333333333333333333333 hours

= 38177,487075555555555555555555556 days

= 1272,5829025185185185185185185185 months

= 104,59585500152207001522070015221 years

Am I missing something? Is there a better way?

For curiosity's sake, I am going to assume you are talking about 2WIREs? If so, then yes, their factory defaults are flawed and you're on the right track. Yes, they're great routers to (legally) test Cowpatty on. No, your math is wrong. First, if you're doing A-F and 0-9, think hex for your math. Second, your baseline for your key checks per minute looks like it is from a normal Cowpatty scan.

I should clear something up right now by saying that Cowpatty isn't using rainbow tables, technically. It is more or less time memory tradeoff using similar concepts as rainbow tables, but I digress.The raw number of keys you will be able to check per second will depend entirely on how fast your machine is. I think Darren was doing around 10,000 keys per second with a 600mhz eeepc awhile back. So yes, it's really, really fast compared to just brute forcing it. What takes a long time is the actual generation of the hashfile. It may be ideal to bash script it if you have quite a few different SSID's to create hash files for.

Quick tip: If you are planning to use this for other routers you may have laying around, I highly suggest you look at the following links for pre-generated hash files:

http://www.hak5.org/forums/index.php?showtopic=12708

http://www.offensive-security.com/wpa-tables/

The difference between the two links are the wordlists they originally used to create the hash files. Church of Wifi used around 1mill or so words/combos. Offensive Security says they used around 49million. Do realize these aren't optimized for 2WIREs obviously, but they're a good start if you find that generating hash keys takes too long and your SSID is available on these pre-generated hashes.

[TAPE]

@ OP

You are looking at crunching through over 36GB of data with that command.. and just using cowpatty like

you are is gonna take a wee while ;)

Check out below link for info on wordlist sizes, but the latest revision of crunch will

show that automatically for you.

(use the -u option to supress that info when piping it through)

Wordlist Sizes

Edited February 3, 2011 by TAPE

[Infiltrator]

Just out of curiosity does Crunch works on multiple CPUs or does it even work with Nvidia Cuda at all?

[TAPE]

To be honest I am not sure, I believed it used the CPUs to the max advantage

however no CUDA support as far as I am aware of.

It is pretty fast anyways and the wordlist generation speed is not going to be

the limiting factor when testing it against WPA passwords.

Its a great tool though, I hope bofh28 will have v3.0 out soon, am testing

latest version (v2.9) and discussing with author, hopefully few quirks will

be ironed out for that update.