Crack WPA w/o cheating?


Chameleon-Digitz
05-11-2007, 05:21 AM
Has anyone cracked WPA w/o cheating? By cheating I mean inserting the known PSK in the dictionary. I know that the CoWF w/ the help of K. Mitnick has made 40 GB lookup tables, but obviously acquiring this is like me obtaining a night w/ J. Jameson. As of now I know of no other way around the computational requirements.

BTW I've cracked WEP w/o PTW. I just need to get it down to getting my setup up w/ different cards and to doing it from a dead sleep and completely understanding what Initialization Vectors are. I have almost no background in cryptology, I have "heard" of PRNG and the use of programs to visually display certain generators' predictability... sorry I'm slightly buzzed...refer to the first paragraph. -END RAMBLING-

lordlame
05-11-2007, 10:13 AM
Your use of the word "cheating" is boggling.

Considering you know the length of time it took to construct them WPA-Tables ask yourself this one logical question:

"Would they have spent so much time making the tables if WPA had been cracked like WEP?".

theprez98
05-11-2007, 09:49 PM
Has anyone cracked WPA w/o cheating? By cheating I mean inserting the known PSK in the dictionary. I know that the CoWF w/ the help of K. Mitnick has made 40 GB. lookup tables, but obviously acquiring this is like me obtaining a night w/ J. Jameson. As of now I know of no other way around the computational requirements.
First of all, using pre-computed tables is not cheating, it's exploiting the time-memory tradeoff. Also, assuming you don't actually know the key, the pre-computed tables won't automatically find your answer. The 40GB tables are based upon the 1,000 most common SSIDs vs. 1 million+ passwords.

The tables are easily obtainable. Either download the torrent (it will probably take you a week to get the 40GB), or we can burn the DVDs for you (at cost to you).

Chameleon-Digitz
05-12-2007, 04:10 AM
Your use of the word "cheating" is boggling.

Considering you know the length of time it took to construct them WPA-Tables ask yourself this one logical question:

"Would they have spent so much time making the tables if WPA had been cracked like WEP?".

I never said that I thought WPA had been cracked like WEP. Please don't put words in my mouth sir, thank you. Also I use the word cheating humorously, since having the ability to crack any of these was not the intention of the designers. I was hoping you'd be able to catch my sarcasm.

Chameleon-Digitz
05-12-2007, 04:32 AM
First of all, using pre-computed tables is not cheating, it's exploiting the time-memory tradeoff. Also, assuming you don't actually know the key, the pre-computed tables won't automatically find your answer. The 40GB tables are based upon the 1,000 most common SSIDs vs. 1 million+ passwords.

The tables are easily obtainable. Either download the torrent (it will probably take you a week to get the 40GB), or we can burn the DVDs for you (at cost to you).

First of all I would like to say that I read and respect a lot of the replies you give on these forums and I appreciate your time.

If you'll re-read my original post you'll notice that I referred to inserting a known PSK into the dictionary file, which is completely different than using lookup tables. Also, I never said that using lookup tables was cheating. Thirdly, I know that list of the weirdest, most common SSIDs comes from Wigle.net.

I actually started a torrent download of the 8GB file. We'll see how long I can wait. Hopefully, it won't come down to me buying DVDs and not because I don't have the money, but because it's kind of inconvenient to you.

Hopefully, I can learn more about the WPA handshake and inspect for anything that may be a weakness to my wifi security. I'm sure plenty of people have looked over the whole thing over and over again though.

Thank you for your time sir. :)

theprez98
05-12-2007, 04:00 PM
First of all I would like to say that I read and respect a lot of the replies you give on these forums and I appreciate your time.

If you'll re-read my original post you'll notice that I referred to inserting a known PSK into the dictionary file, which is completely different than using lookup tables. Also, I never said that using lookup tables was cheating. Thirdly, I know that list of the weirdest, most common SSIDs comes from Wigle.net.

I actually started a torrent download of the 8GB file. We'll see how long I can wait. Hopefully, it won't come down to me buying DVDs and not because I don't have the money, but because it's kind of inconvenient to you.

Hopefully, I can learn more about the WPA handshake and inspect for anything that may be a weakness to my wifi security. I'm sure plenty of people have looked over the whole thing over and over again though.

Thank you for your time sir. :)
I understand what you're saying. I did read your post, and I know what you mean about inserting the key into the dictionary file. And I know that this is what you meant by "cheating". Of course, if you already know the key, then it's not really cheating, is it? ;)

Right now, pre-computed tables are the only known way to significantly speed up an attack against WPA. The tables we have produced are nice, but if your target SSID is not there, it doesn't really help. That's where the genpmk tool comes in. If you already know your target SSID, you can use genpmk and the 1 million+ passwords to create your own tables based on that SSID. It might take a day (or more), but again, given the time-memory tradeoff, that's likely to be much faster than computing all the possibilities on the fly.

I have been seeding both the 7GB tables and the 40GB tables for months. Most of the time, either one or both are actively uploading. I don't have specific numbers, but we have pushed out a significant number of copies of both. The 7GB tables should take 2 days or so. As for the larger tables, depending upon your bandwidth and ISP, it may take a week or more. Unfortunately, we're working within those limitations.

Trust me when I say that burning DVDs (or even copying to their external USB drive) is not inconvenient for us. We have pre-burned copies especially for this purpose, and frankly speaking, it helps us to make a few bucks for other projects. So that's not really a problem.

I do appreciate your comments, we are here primarily for learning and awareness, and if we can get that out, the rest will take care of itself.
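The point above about genpmk and SSID-specific tables comes down to how WPA/WPA2-PSK turns a passphrase into the 256-bit Pairwise Master Key: the SSID is the salt of a PBKDF2-HMAC-SHA1 run with 4096 iterations, so a table of precomputed PMKs is only valid for the SSID it was built with. The following is an added example, not code from the thread, the Church of WiFi tables or the genpmk tool; it uses the derivation from IEEE 802.11i (checked against the standard's "password"/"IEEE" test vector) and constructed sample passphrases and SSIDs. For a defender the consequence is the one the post hints at: a non-default SSID and a long random passphrase put a network outside anything a generic table covers.

```python
"""Added example (not from the thread): WPA/WPA2-PSK PMK derivation and why a
precomputed PMK table is tied to one SSID (the time-memory tradeoff).

    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
"""
import hashlib
from typing import Dict, Iterable, Optional

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32               # 256-bit PMK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK for a passphrase on a given SSID; the SSID is the salt."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def build_pmk_table(ssid: str, passphrases: Iterable[str]) -> Dict[bytes, str]:
    """The 'time' half of the tradeoff: pay the 4096-iteration cost once per
    passphrase for ONE SSID and keep the results. This is what genpmk-style
    precomputation does in bulk."""
    return {derive_pmk(p, ssid): p for p in passphrases}


def lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """The 'memory' half: a hit costs a dictionary probe, no PBKDF2 work."""
    return table.get(pmk)


def table_is_ssid_bound(passphrase: str, table_ssid: str, other_ssid: str) -> bool:
    """True when a table built for table_ssid cannot answer for other_ssid,
    even though the passphrase is identical (the salt differs)."""
    table = build_pmk_table(table_ssid, [passphrase])
    return (lookup(table, derive_pmk(passphrase, table_ssid)) == passphrase
            and lookup(table, derive_pmk(passphrase, other_ssid)) is None)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    # Constructed sample: a table for a common SSID does not transfer to a unique one
    print(table_is_ssid_bound("correct horse battery staple", "linksys", "my-unique-ssid"))
```

Because the SSID is the salt, every additional SSID multiplies the precomputation cost, which is why the thread's tables only cover a fixed list of common SSIDs and why anything else has to be regenerated with genpmk.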

Barry
05-14-2007, 07:56 AM
One of these days, I'm going to have to send you or Render some cash to get the dvds. After the week and a half it took to download my file was corrupted. Would be nice if you guys compressed it with something that was a little more widespread. ;)

theprez98
05-14-2007, 12:48 PM
One of these days, I'm going to have to send you or Render some cash to get the dvds. After the week and a half it took to download my file was corrupted. Would be nice if you guys compressed it with something that was a little more widespread. ;)
It might be easier just to send an external drive...

Barry
05-14-2007, 10:15 PM
It might be easier just to send an external drive...

You guys have a computer with firewire?

theprez98
05-15-2007, 01:48 AM
You guys have a computer with firewire?
My desktop has Firewire, which is good since my original iPod was Firewire vice USB.

bound4h
05-22-2007, 12:26 AM
On the topic of cracking WPA, I have a wordlist that I would like to use with cowpatty (or another WPA brute force cracker that you recommend), however, I am unsure of how to capture the correct 4 packets that make up the 4-way handshake. What filters should I use? Am I on the right track?

I have a HUGE wordlist, not the largest I'm sure, but it's got millions of words using different languages and modifiers for number and case combinations.

I have it on a CD-R and on my HDD. What is the best way to utilize it?

I am looking for the exact method to go about capturing the correct packets and using the correct pass cracker with the exact command line.

Any help I would greatly appreciate guys. You all seem to know what you're talking about here.

Thanks,

Mike

Barry
05-22-2007, 02:08 AM
On the topic of cracking WPA, I have a wordlist that I would like to use with cowpatty (or another WPA brute force cracker that you recommend), however, I am unsure of how to capture the correct 4 packets that make up the 4-way handshake. What filters should I use? Am I on the right track?

I have a HUGE wordlist, not the largest I'm sure, but it's got millions of words using different languages and modifiers for number and case combinations.

I have it on a CD-R and on my HDD. What is the best way to utilize it?

I am looking for the exact method to go about capturing the correct packets and using the correct pass cracker with the exact command line.

Any help I would greatly appreciate guys. You all seem to know what you're talking about here.

Thanks,

Mike


It'll be here (http://www.google.com/search?q=wpa2+cowpatty) somewhere.

theprez98
05-22-2007, 02:25 AM
On the topic of cracking WPA, I have a wordlist that I would like to use with cowpatty (or another WPA brute force cracker that you recommend), however, I am unsure of how to capture the correct 4 packets that make up the 4-way handshake. What filters should I use? Am I on the right track?

I have a HUGE wordlist, not the largest I'm sure, but it's got millions of words using different languages and modifiers for number and case combinations.

I have it on a CD-R and on my HDD. What is the best way to utilize it?

I am looking for the exact method to go about capturing the correct packets and using the correct pass cracker with the exact command line.

Any help I would greatly appreciate guys. You all seem to know what you're talking about here.

Thanks,

Mike

Aireplay, Deauthentication, 4-way handshake, EAPOL, Cowpatty.

Chameleon-Digitz
05-22-2007, 03:44 AM
I apologize for having abandoned this thread for a week or so. I bought an AWUS036H (ALFA USB) and have been struggling to get it recognized in vmware by BT2F, but that's another topic.

thePrez98, I didn't realize you were already associated w/ CoWF. Nice geocities website. So yeah, I should probably send y'all a hard drive.

To dig further on the WPA topic, I don't know much about fuzzing, but w/o authenticating to a WPA WAP, or in the process of attempting to auth, how does the code handle input? I mean, are there any preliminary processes, calls, or calls made that have nothing to do with authentication? What exactly is sent in the clear? What are constants and variables in those packets? EAPoL? How exactly is it used (specification)?

If I can learn more about fuzzing and WPA processes/specification and vendor implementations maybe some headway can be made.

BTW - please let me know if someone has already made headway on this. I don't want to reinvent the wheel just help it roll.

Also - WAP firmware --> ? Written in C#/C/C++ ? --> open the .bin --> Load into IDAPro maybe?
IDK, my crazy thoughts w/o schooling.

theprez98
05-22-2007, 03:57 AM
thePrez98, I didn't realize you were already associated w/ CoWF. Nice geocities website. So yeah, I should probably send y'all a hard drive.
I'm guessing when you say geocities you're referring to my personal homepage as opposed to the Church of WiFi homepage? I have been meaning to update it for a while now (years really) but am too lazy to care too much about writing even more HTML. ;)

Barry
05-22-2007, 06:41 AM
Oh shit!! Don't tell Streaker the COWF looks like a geocities site! He'll call someone and reverse the flow!:eek:

Chameleon-Digitz
05-25-2007, 04:46 AM
I'm guessing when you say geocities you're referring to my personal homepage as opposed to the Church of WiFi homepage? I have been meaning to update it for a while now (years really) but am too lazy to care too much about writing even more HTML. ;)

Yes I did mean your Geocities page. I mean all I did was check the links page, see your name, click, and visit your site. I wanted to learn HTML back in '00, but hand coding HTML is rare nowadays ...and, anybody can make a decent page w/ WYSIWYG apps. I like networking more.

BTW... I liked your site, because it reminded me of when in '98, (I was in High school) I tried to make an Angel Fire page and I remember all of the %&^$'ing ads, and I was like **** this. But yours looks pretty nice for a geocities page.

beetle
06-03-2007, 03:57 PM
Aireplay, Deauthentication, 4-way handshake, EAPOL, Cowpatty.

Actually, I've found that in BT2, cowpatty fails to think it has a complete handshake when some EAPOL frames appear "malformed" whereas aircrack-ng can take the same handshake and work just fine.

I can post links to example dumps, if need be. Haven't really examined them closely myself. Been meaning to tell Josh about it.

So for now, and for me, it's been aireplay-ng, airodump-ng, then aircrack-ng, voila.

Sincerely,

Beetle
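The disagreement above between cowpatty and aircrack-ng comes down to how strictly each tool parses the EAPOL-Key frames of the 4-way handshake before deciding it has all four messages. The parser below is an added example, not code from the thread, cowpatty or aircrack-ng: it labels each EAPOL-Key frame as message 1 to 4 using the Key Information bits defined by IEEE 802.11i, and it rejects a frame as malformed when the EAPOL length field or the Key Data Length field disagrees with the bytes actually present, which is the kind of mismatch a capture with truncated or padded frames produces. Distinguishing message 2 from message 4 by a non-zero nonce or non-empty key data is a heuristic chosen here, not something the standard mandates. All frames are constructed in the block; nothing is captured from a real network.

```python
"""Added example (not from the thread, cowpatty or aircrack-ng): classify
EAPOL-Key frames as 4-way handshake messages and flag malformed ones."""
import struct
from typing import Dict, List, Optional

EAPOL_TYPE_KEY = 3        # EAPOL packet type for EAPOL-Key
FIXED_BODY_LEN = 95       # EAPOL-Key body up to and including Key Data Length
ZERO_NONCE = bytes(32)

# Key Information bit masks from the IEEE 802.11i EAPOL-Key frame format
KI_PAIRWISE = 1 << 3
KI_INSTALL = 1 << 6
KI_ACK = 1 << 7
KI_MIC = 1 << 8
KI_SECURE = 1 << 9


def build_eapol_key(key_info: int, nonce: bytes = ZERO_NONCE, key_data: bytes = b"",
                    descriptor: int = 2, declared_len: Optional[int] = None) -> bytes:
    """Constructed EAPOL-Key frame (descriptor 2 = RSN). MIC/IV/RSC/ID are left
    zero; declared_len lets a test craft a frame whose EAPOL length field lies."""
    body = (struct.pack(">BHH", descriptor, key_info, 16)
            + bytes(8) + nonce + bytes(16) + bytes(8) + bytes(8) + bytes(16)
            + struct.pack(">H", len(key_data)) + key_data)
    if declared_len is None:
        declared_len = len(body)
    return struct.pack(">BBH", 1, EAPOL_TYPE_KEY, declared_len) + body


def classify_eapol_key(frame: bytes) -> str:
    """Return 'M1'..'M4' or 'group'; raise ValueError for a malformed frame."""
    if len(frame) < 4 + FIXED_BODY_LEN:
        raise ValueError("truncated: shorter than EAPOL header plus fixed EAPOL-Key body")
    _version, ptype, body_len = struct.unpack(">BBH", frame[:4])
    if ptype != EAPOL_TYPE_KEY:
        raise ValueError(f"not an EAPOL-Key frame (packet type {ptype})")
    body = frame[4:]
    if body_len != len(body):
        raise ValueError(f"malformed: EAPOL length field is {body_len}, body has {len(body)} bytes")
    _descriptor, key_info, _key_len = struct.unpack(">BHH", body[:5])
    nonce = body[13:45]
    key_data_len = struct.unpack(">H", body[93:95])[0]
    if key_data_len != len(body) - FIXED_BODY_LEN:
        raise ValueError("malformed: Key Data Length does not match remaining bytes")
    if not key_info & KI_PAIRWISE:
        return "group"
    ack, mic = bool(key_info & KI_ACK), bool(key_info & KI_MIC)
    if ack and not mic:
        return "M1"   # AP -> STA: ANonce, no MIC yet
    if ack and mic:
        return "M3"   # AP -> STA: ANonce again, Install set, MIC present
    if mic and (nonce != ZERO_NONCE or key_data_len):
        return "M2"   # STA -> AP: SNonce plus the station's RSN IE (heuristic)
    if mic:
        return "M4"   # STA -> AP: confirmation with zero nonce, empty key data
    raise ValueError(f"unrecognised Key Information 0x{key_info:04x}")


def check_handshake(frames: List[bytes]) -> Dict[str, list]:
    """Report which messages a capture contains and which frames a strict
    parser would discard; a tool that drops one message sees an incomplete
    handshake while a more lenient one may still accept it."""
    seen, malformed = [], []
    for i, f in enumerate(frames):
        try:
            label = classify_eapol_key(f)
        except ValueError as e:
            malformed.append((i, str(e)))
            continue
        if label not in seen:
            seen.append(label)
    return {"seen": seen, "malformed": malformed}


def sample_handshake() -> List[bytes]:
    """Constructed four-message exchange (descriptor version bits = 2)."""
    v = 2
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # constructed
    return [
        build_eapol_key(v | KI_PAIRWISE | KI_ACK, nonce=anonce),
        build_eapol_key(v | KI_PAIRWISE | KI_MIC, nonce=snonce, key_data=rsn_ie),
        build_eapol_key(v | KI_PAIRWISE | KI_INSTALL | KI_ACK | KI_MIC | KI_SECURE,
                        nonce=anonce, key_data=rsn_ie),
        build_eapol_key(v | KI_PAIRWISE | KI_MIC | KI_SECURE),
    ]


if __name__ == "__main__":
    print("complete capture:", check_handshake(sample_handshake()))
    # Same exchange, but M4's EAPOL length field overstates the body by 4 bytes
    bad_m4 = build_eapol_key(2 | KI_PAIRWISE | KI_MIC | KI_SECURE,
                             declared_len=FIXED_BODY_LEN + 4)
    print("with malformed M4:", check_handshake(sample_handshake()[:3] + [bad_m4]))
```

Running it shows the clean exchange classified as M1 through M4, and the same exchange with a bad length field on the last frame reported as three messages plus one malformed frame; a parser that tolerates the length mismatch (by trusting the Key Data Length field instead) would still count four, which is one plausible source of the tool disagreement beetle describes.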

beetle
06-03-2007, 04:05 PM
If I can learn more about fuzzing and WPA processes/specification and vendor implementations maybe some headway can be made.

Fuzzing 802.1x is what you want to do.

The quick place to start would be with modifying source of wpa_supplicant to spew some garbage and watch what happens with some APs or authentication server implementations (FreeRADIUS, Cisco ACS, MS ACS, etc). The longer road is to build a fuzzer from scratch that spews malformed EAPOL stuff. Look at LORCON before you start completely from scratch. Because this might not be too timing sensitive, you could get away with using ruby-lorcon for this even.

Another place to play is examining the 802.1x state machine to determine if there's any manipulation in state that leads to authentication abuse / misuse.

There's a presentation Rodney Thayer and I made a few years back called "Radical Realm of RADIUS, 802.1x, and You" that might give you some ideas. Or bore you to death. heh.

Hope this info helps. Take care.

Sincerely,

Beetle

theprez98
06-03-2007, 06:31 PM
Actually, I've found that in BT2, cowpatty fails to think it has a complete handshake when some EAPOL frames appear "malformed" whereas aircrack-ng can take the same handshake and work just fine.

I can post links to example dumps, if need be. Haven't really examined them closely myself. Been meaning to tell Josh about it.

So for now, and for me, it's been aireplay-ng, airodump-ng, then aircrack-ng, voila.

Sincerely,

Beetle
Good to know...maybe some sort of bug? Who knows.