
Thread: Possible to crack WPA rainbow style?

  1. #1
    Senior Member Shatter's Avatar
    Join Date
    Jan 2010
    Posts
    192

    Default Possible to crack WPA rainbow style?

    Hey.
    I've never really gone past the concept of WEP cracking, but now I am exploring the domain of WPA and WPA2 networks. There are a number of tutorials on how to crack WPA e.g. the dictionary attack and stuff, but I was wondering something...

    Is it possible to crack a WPA PSK or WPA2 PSK key the same way as a hash (without a dictionary) by using rtgen (or a similar tool) to generate a number of rainbow tables based on a given SSID and then run rcrack to get the key?
    I have the card in me head, but you have the memory problems?

  2. #2
    Member
    Join Date
    Sep 2008
    Posts
    146

    Default

    Yes, coWPAtty has the ability to use rainbow tables and at least one or two other cracking progs in BT3 can too. In fact I'm pretty sure it was Thorn (an honest to goodness internet celebrity!) who came up with the idea of cracking WPAs with rainbow tables. There is also a repository on the internet of WPA rainbow tables for the top 1000 ESSIDs out there.
    www.renderlab.net/projects/WPA-tables
    Unfortunately it weighs in at a hefty 34 gigs.
    Morpheus: "You take the blue pill - the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill - you stay in Wonderland and I show you how deep the rabbit-hole goes."

    Neo: "What if I take both?"

    Morpheus: "Don't do that! You end up like Nick Nolte!"

  3. #3
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    Quote Originally Posted by Revelati View Post
    Yes, coWPAtty has the ability to use rainbow tables and at least one or two other cracking progs in BT3 can too. In fact I'm pretty sure it was Thorn (an honest to goodness internet celebrity!) who came up with the idea of cracking WPAs with rainbow tables. There is also a repository on the internet of WPA rainbow tables for the top 1000 ESSIDs out there.
    www.renderlab.net/projects/WPA-tables
    Unfortunately it weighs in at a hefty 34 gigs.
    Yes, I thought up the basic concept, but Renderman, Joshua Wright, and Dragorn did all the heavy lifting. As far as the rest goes, I'm hardly a celebrity, and I'm pretty sure most of the people who know me would think that whole idea pretty damn funny. Thanks for the thought and the laugh though.

    There is a smaller table that is only 7GB, that's also on Renderman's site.
    Thorn
    Stop the TSA now! Boycott the airlines.

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by Thorn View Post
    Yes, I thought up the basic concept, but Renderman, Joshua Wright, and Dragorn did all the heavy lifting. As far as the rest goes, I'm hardly a celebrity, and I'm pretty sure most of the people who know me would think that whole idea pretty damn funny. Thanks for the thought and the laugh though.

    There is a smaller table that is only 7GB, that's also on Renderman's site.
    I have that signed picture of you hanging in my office.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    Quote Originally Posted by streaker69 View Post
    I have that signed picture of you hanging in my office.
    Hung up right next to the one from Regis Philbin?
    Thorn
    Stop the TSA now! Boycott the airlines.

  6. #6
    Senior Member Shatter's Avatar
    Join Date
    Jan 2010
    Posts
    192

    Default

    Let me get this straight. The rainbow tables from render lab are in fact real rainbow tables, and not some lookup tables (like airolib) that have been precomputed for a number of SSIDs from a large dictionary file. In this case you don't need a dictionary to crack WPA or to generate your own WPA rainbow tables for a given SSID, though that might take a long time.

    Correct me, if I'm wrong.
    Also, may I ask what the commands are to create WPA/WPA2 rainbow tables for a specified SSID?
    I have the card in me head, but you have the memory problems?

  7. #7
    My life is this forum Barry's Avatar
    Join Date
    Jan 2010
    Posts
    3,817

    Default

    Quote Originally Posted by xCPPx View Post
    Let me get this straight. The rainbow tables from render lab are in fact real rainbow tables, and not some lookup tables (like airolib) that have been precomputed for a number of SSIDs from a large dictionary file. In this case you don't need a dictionary to crack WPA or to generate your own WPA rainbow tables for a given SSID, though that might take a long time.

    Correct me, if I'm wrong.
    Also, may I ask what the commands are to create WPA/WPA2 rainbow tables for a specified SSID?
    The answers are on cowpatty's web page.
    Of course, if you really wanted to have some fun, go to Wal-Mart late at night and ask the greeter if they could help you find trashbags, roll of carpet, rope, quicklime, clorox and a shovel. See if they give you any strange looks. --Streaker69

  8. #8
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Default

    Quote Originally Posted by xCPPx View Post
    Let me get this straight. The rainbow tables from render lab are in fact real rainbow tables, and not some lookup tables (like airolib) that have been precomputed for a number of SSIDs from a large dictionary file. In this case you don't need a dictionary to crack WPA or to generate your own WPA rainbow tables for a given SSID, though that might take a long time.

    Correct me, if I'm wrong.
    You've got it.

    Generating a single SSID won't take too long with a modest password list. Theprez98 generated a custom table for a single SSID using the optimized 172,779-word list that was used for the CoWF's initial 7GB table. It took him about 30 minutes.

    http://forums.remote-exploit.org/showthread.php?t=7384

    However, generating tables using large passphrase files and/or multiple SSIDs can take a lot of time. Producing WPA tables is very processor intensive. When we (the Church of WiFi) produced the initial 7GB WPA Rainbow Tables, they were created on a cluster (of approximately 20 servers). Those tables were computed with a dictionary of ~172,000 words, and it still took over a week.

    The 33GB tables (1 million words) were generated on machines using special FPGA hardware (cost: ~$50k), which were optimized for computing the tables. While FPGA systems are several magnitudes faster than standard processors for this type of work, those tables still took about 3 days to generate.

    Quote Originally Posted by xCPPx View Post
    Also, may I ask what the commands are to create WPA/WPA2 rainbow tables for a specified SSID?
    genpmk is the program, and is provided as part of the coWPAtty package. As Barry said, you can find all the details on the link he posted.
    Thorn
    Stop the TSA now! Boycott the airlines.

  9. #9
    Senior Member Shatter's Avatar
    Join Date
    Jan 2010
    Posts
    192

    Default

    Now hold on just a sec. I may be missing something, but...

    For some reason I fail to find an answer to my original question in this thread. You all claim that what I asked for is very possible, but at the same time you provide me with means of attacking a WPA network that is different from what I asked for. If you read my posts carefully, you will notice that I asked for means that do not require a word list (or dictionary file, if you would) to work (and I'm not talking about brute-force). As far as I've read, the so-called "rainbow tables" from renderlabs are merely precomputed hash tables from a large wordlist, which means that if the sought passphrase is not in the initial dictionary file, the attack will fail.
    The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000 word password file.
    coWPAtty/genpmk also generate precomputed hash tables from a specified dictionary file.
    ./genpmk -f dict -d hashfile -s cuckoo
    dict is the password file
    My question was not about precomputing hash tables from a wordlist, but instead whether it is possible to break a WPA/WPA2 passphrase the same (similar) way as an MD5 hash by creating and using rainbow tables. And by saying "rainbow tables", I mean rainbow tables as defined in Wikipedia. As far as I've searched I found no results on this kind of attack, but I guess you can't blame me for asking.

    Rainbowcrack - rainbow table:
    1) initial_value[0] ==(hashed, reduced n-times)==> result[0]
    2) initial_value[1] ==(hashed, reduced n-times)==> result[1]
    3) initial_value[2] ==(hashed, reduced n-times)==> result[2]
    ...

    coWPAtty - precomputed hash tables:
    1) SSID + Password[0] ==(WPA hash)==> Hash[0]
    2) SSID + Password[1] ==(WPA hash)==> Hash[1]
    3) SSID + Password[2] ==(WPA hash)==> Hash[2]
    ...

    The rainbow table generator (rtgen) uses a reduction function to automatically generate a chain of passphrases (out of the current hash) based on a given character set. This is then repeated n times to form a "rainbow chain" where only the initial value and the ending result are stored. A large number of such chains form a rainbow table. The same process is then performed on the hash in question and should at some point the computed value match one of the ending results, the passphrase must be somewhere in that chain.

    My question is whether a WPA/WPA2 passphrase can be broken this way by writing an appropriate reduction function and giving an option to specify a SSID as a salt.

    Sorry if I was being a bit rough, I just wanted to clarify a few things including the difference between a precomputed hash table and a rainbow table. I learned that the more specific I try to be, the more confusing I become.

    See ya.
    I have the card in me head, but you have the memory problems?
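    The distinction drawn in the post above comes down to how WPA-PSK derives its key: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes out. The example below (added here, not code from the thread or from coWPAtty) derives the PMK, builds a genpmk-style lookup table for one SSID from a small constructed wordlist, and shows why a table computed for one SSID is useless against another. The WORDLIST contents and the SSID "linksys" are constructed for the example; the "password"/"IEEE" pair is the 802.11i published test vector.

```python
import hashlib

# WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
def derive_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

# Constructed candidate list standing in for a dictionary file.
WORDLIST = ["letmein1", "password", "qwertyuiop", "correct horse"]

def build_pmk_table(ssid: str, wordlist) -> dict:
    """genpmk-style lookup table: one PMK per candidate, for exactly one SSID.
    This is a plain precomputed hash table, not a rainbow table: every
    (candidate, PMK) pair is stored, nothing is chained or reduced."""
    return {derive_pmk(word, ssid): word for word in wordlist}

def lookup(table: dict, pmk: bytes):
    """Return the candidate whose PMK matches, or None if it was never computed."""
    return table.get(pmk)

def table_is_ssid_bound(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Same passphrase under two SSIDs yields two unrelated PMKs, so a table
    precomputed for ssid_a cannot be reused for ssid_b (the salt does its job)."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)

if __name__ == "__main__":
    # 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    table = build_pmk_table("IEEE", WORDLIST)
    print(lookup(table, derive_pmk("password", "IEEE")))   # found: "password"
    print(lookup(table, derive_pmk("password", "linksys")))  # None: wrong SSID
    print(table_is_ssid_bound("password", "IEEE", "linksys"))
```

    Because the salt is the SSID, precomputation only pays off for SSIDs the table builder chose in advance, which is why a non-default SSID plus a long passphrase removes the benefit of tables like the CoWF set.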

  10. #10
    Just burned his ISO
    Join Date
    Nov 2008
    Posts
    3

    Default

    xCPPx you are totally right!
    They even say so on their first page: "This page is to give a little more insight into the methodology and logic behind conceiving and building the CoWF WPA-PSK Rainbow Tables (actually they are lookup tables but I just like the term 'rainbow tables' a lot.)"
    Just because some geek wants to use those words because they like it, they fooled thousands of people and I am one of them. I downloaded the 33 GB and I can say now that it's the most useless thing I ever downloaded, not to mention a waste of time.
    The only use I can see for those hashes is that if you happen to spot an ESSID that is among the 1000, and the password happens to be among the 1 million, and you are so eager to crack it, you will save 2h (with an Intel 1.86GHz dual core).
    So now google is filled with the wrong keywords leading to that site, making it harder for people who are actually interested if WPA is crackable rainbow style.
