Dictionary attacks are a very slow process.
The passphrase is hashed 4096 times with SHA-1, and 256 bits of the output form the resulting hash (the PMK); that hash is then compared to the hash in the key exchange (handshake).
My own laptop is able to do 450 PMK/s.
But in lookup tables, the hash is already there to compare with the key exchange hash, so the process is a lot faster!
This all sounds great, huh? There has to be a catch.
And there is: the WPA output hash mentioned above is salted with its ESSID, so a table you create only works against the ESSID you salted it with. Therefore, you should only make tables for common ESSIDs, as the time it takes to make one is wasted when it can only be used once.
The Church of WiFi has already made a big lookup table for the 1000 most commonly used ESSIDs, based on their own wordlist. That table can come in handy when wardriving, at an airport, etc., so I recommend downloading it (link at the end of the guide).
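The derivation and the ESSID salting described above, as an added example (not code from this guide or from coWPAtty): it derives the PMK with Python's standard `hashlib.pbkdf2_hmac` and shows that records precomputed for one ESSID do not match the same passphrase on a differently named network. The word list and the ESSID `AndroidAP-7f3c` are constructed for illustration, and the helper names are hypothetical.

```python
import hashlib
import time

def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    if not 1 <= len(essid.encode()) <= 32:
        raise ValueError("an ESSID is 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)

def build_table(words, essid):
    """Precompute passphrase -> PMK records for ONE ESSID; skip invalid lengths."""
    return {w: wpa_pmk(w, essid) for w in words if 8 <= len(w) <= 63}

def table_matches(table, passphrase, essid):
    """True if the table's stored PMK is the PMK this network would really use."""
    return table.get(passphrase) == wpa_pmk(passphrase, essid)

def pmk_rate(essid, n=20):
    """Rough single-core PMK/s on this machine (varies per run)."""
    start = time.perf_counter()
    for i in range(n):
        wpa_pmk(f"candidate-{i:04d}", essid)
    return n / (time.perf_counter() - start)

# Constructed sample data (not from the guide's wordlist).
WORDS = ["password", "letmein123", "short", "correct horse battery"]
UNIQUE_ESSID = "AndroidAP-7f3c"  # hypothetical renamed hotspot

if __name__ == "__main__":
    table = build_table(WORDS, "AndroidAP")
    print("records:", len(table))  # "short" is dropped: under 8 characters
    print("same ESSID  :", table_matches(table, "letmein123", "AndroidAP"))
    print("unique ESSID:", table_matches(table, "letmein123", UNIQUE_ESSID))
    print(f"{pmk_rate('AndroidAP'):.0f} PMK/s on one core")
```

The second comparison is the defensive takeaway: a non-default, unique ESSID makes every table precomputed for a common name useless against that network, leaving only the slow per-candidate derivation.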
But back to the guide.
(In my example I use the Church of WiFi's wordlists, plus some words I've added myself.)
You will need two things:
- Genpmk (included in coWPAtty package).
- A dictionary file.
- Time.
1. Open up a terminal and cd to the directory where your wordlist is placed (optional). In my example:
Code:
cd Desktop/
2. Use genpmk to generate the lookup table. In my example I am creating the table AndroidAPRainbowTable salted with ESSID AndroidAP, and the wordlist mentioned above.
Code:
genpmk -f RenderlabWordList.lst -s AndroidAP -d AndroidAPRainbowTable
The -f is for the dictionary file. -s is for the ESSID (SSID). -d is for the output file.
Your terminal should look like this:
Now you'll have to wait. This will take some time, depending on how big your dictionary file is. Genpmk is a single-threaded program, so it can't take advantage of all 8 cores on your fancy new 8-core CPU.
When it's done it should look something like this:
When I was finished with this table, I used it against a handshake I captured from my phone's hotspot feature. In Pyrit (CoWPAtty wouldn't accept my handshake), I got a whopping 720.000 PMK/s, on the same laptop as I mentioned above, which means I walked through the dictionary in 1,5 second. Now, that's fast!
Source: http://www.renderlab.net/projects/WPA-tables/
Here is a script, and the 1000 most used SSIDs, for mass-generating tables: http://adf.ly/Ar5E4
You have to edit the script for the wordlist you are using: remove "./" in front of genpmk and replace "passwords2.txt" with your desired wordlist.