Wednesday, August 18, 2010

WPA rainbow tables with cowpatty and aircrack-ng suite

No introduction necessary. If you do not know what a rainbow table is then you will just have to use google or read some of my previous posts.

[using cowpatty suite]
# ./ genpmk -f wordlist.lst -d hash_tables.lst -s "linksys" //Generates a salted rainbow table using the wordlist file and the ssid name "linksys"

# ./cowpatty -d hash_tables.lst -s "linksys" -r wpa.pcap //command to crack the WPA key using the rainbowtable and the pcap file


[using aircrack-ng suite]
# airolib-ng table.db --import essid ssids.lst // creates a new database and imports the ssids to be used as salts
# airolib-ng table.db --import passwd wordlist.lst //imports the wordlist/passwords into the database
# airolib-ng table.db --batch //performs all the necessary processing of the essid and password combination
# airolib-ng table.db --verify //verifies the integrity of the ssid/password pairs

# aircrack-ng -r table.db wpa.pcap //command to crack the WPA key using the rainbowtable and the pcap file

16 comments:

  1. Not trying to be critical but the red is a bit hard to read on the eyes. Either way nice writeup and keep up the good work.

    ReplyDelete
  2. Thanks for the feedback. I'll try to figure things out with the colors and fonts

    ReplyDelete
  3. Thanks for the examples on genpmk! In the event that my wordlist is in a different format other than .lst, lets say .txt, can I use genpmk to generate the hash? If not, can I simply change the format of the .txt file to .lst?

    Also, are quotations needed on any SSID, regardless if spaces and non alphanumerical characters exist or not?

    ReplyDelete
  4. Justin,

    The wordlist can be .txt or whatever extension you want as long as you have a file that has a list of passwords, each on a new line. And the quotes aern't really necessary. I just do it for good practise. :)

    ReplyDelete
    Replies
    1. To add a note to aerokid240, the main thing is that the file is ASCII. As long as the text inside is in ASCII format the extension doesn't matter. The format of the file is purely on the inside. The name is just a container. I can take an MP3 and name it wordlist.txt but it's still an MP3.

      In general .lst, .txt and .log are expected to be ASCII format. Maybe that is helpful to someone...

      Delete
  5. Something cool I've just found with this is if something happens while creating your salted table - for instance your computer locks up where - for whatever reason the process gets interrupted part of the way through?

    To pick up where you left off, just rerun the --batch command on the table that you were just working on. It doesn't start everything over from the beginning, which is awesome because of how unbelievably long it can take to make these. :P

    In other-words, I just had this scenario happen and I'm pretty happy all my progress so far was for nothing.

    Thanks very much for all this by the way, I've been using your commands a lot, especially the airolib-ng ones which I'm referring to about resuming in case anyone else has the same problem.

    ReplyDelete
  6. all my progress so far *wasn't for nothing

    is what I meant

    ReplyDelete
  7. also, you can --verify your table while it's being made - which, if the number of ssids being put into the table is small - 5 for example, given what verify tells you, you can get a feel for where you're at in your table creation = how far along.

    ex: if it lists 4 out of 5 of the ssids in the table while you're making the table and 1 of the ssids is a low number, depending on what you want to guess at comparing it to the others - it could/would mean that it's done with making the tables for 3 ssids, half way through the 4th one, #5 that isn't even listed, it hasn't started working on yet.

    When you use verify in a separate window while it's working on the table - it pauses it/locks the table creation out while it separately verifies the table, then it immediately resumes what it was doing after it's done verifying and giving you the info/unlocks it = goes back to work.

    ReplyDelete
  8. the ssid list being small regarding my above comment is actually neither here nor there in regards to gauging how far along the table is in being created. It was just an example, in fact I would imagine it might be even easier deciphering how far along your table is in being completely created with a larger ssid list.

    From what I can tell it takes that much longer with each added ssid though.

    5 ssids vs 10 ssid = 2x as long to create - probably fairly obvious info to most, at least about what I just wrote - but it wasn't to me so my trial and errors, etc. are hopefully somebody else's gain out in cyberspace along with all the above invaluable information.

    That's more than enough out of me :p

    Happy rainbow-ing!

    ReplyDelete
  9. Awesome feedback my friend. You've definitly informed me about something i didn't really know about. Then again i don't use this tool that often but still grood to know. Thank you.

    ReplyDelete
  10. Thanks! no problem, you're welcome.

    Just as an extra thing to add I *just* found - if a person wants to use more than one table against the same .ivs file using aircrack-ng, how to do it is=

    aircrack-ng -r table1.db -r table2.db -table3.db capture.ivs

    using -r at the beginning of each table/new table, no commas in-between like when using multiple wordlists and using spaces of course.

    I'm a bit obsessed at the moment, haha :D

    I imagine sometime soon I'll be trying to find something better to use against 4wayhandshakes, something using rainbow tables, like using premade tables? (not salted before hand but maybe salting them in the moment?)

    I'm not sure if that exists or if I'm really making sense. I figure using premade tables - if it's possible to salt them in the moment, that's one less step compared to a strait dictionary attack that has to do everything in the moment.

    and so in turn slower than having full salted tables based on a given ssid but faster than just using a wordlist against an .ivs file, for instance - aircrack-ng -w wordlist.txt capture.ivs

    Do you know what I'm getting at or what I'm talking about by any chance? Or what I might be looking for? It could just be wishful thinking too, I have no idea.

    Anyway, no problem again about sharing these discoveries to add to the conversation that's helped me quite a bit actually. If you happen to know what I might be specifically looking for, please leave it here somebody, anybody and let me know. Thanks!

    Happy rainbows! :D

    ReplyDelete
  11. *aircrack-ng -r table1.db -r table2.db -r table3.db capture.ivs

    correction of the example above for using multiple tables vs .ivs file

    (using aircrack-ng 1.2 beta2)

    ReplyDelete
  12. Woops, ummm...

    scratch that above about the using multiple tables at once. I spoke way too soon, it's all wrong,

    it still just uses one of them. It doesn't crash the program though so maybe that's some kind of step closer? Anyway, back to the drawing board - I enjoy tinkering with this stuff - like adult legos - only that hack.

    ReplyDelete
  13. I have found quotations necessary for an SSID that have a space.

    ReplyDelete
    Replies
    1. That's correct my friend. Having the quotes wrapped around the ssid is ABSOLUTELY important.

      Delete