Benefits of Time-Memory Trade-Off in coWPAtty


theprez98
07-03-2007, 11:45 PM
Background:
Known SSID: "Harkonen"
Captured EAPOL handshake "wpa2.eapol.cap"
Dictionary file: passwords2.txt (~173,000 words)

First example, using cowpatty with a known password list. Real-time hash generation:
bt ~ # cowpatty -f passwords2.txt -r wpa2.eapol.cap -s "Harkonen"
...
44.89 passphrases/second
Second example, first using genpmk to create the hash table ahead of time:
bt ~ # genpmk -f passwords2.txt -d testhash -s "Harkonen"
And now running cowpatty with the pre-computed hash table:
bt ~ # cowpatty -d testhash -r wpa2.eapol.cap -s "Harkonen"
...
172779 passphrases tested in 2.68 seconds: 64563.39 passphrases/second

To test 172,779 passphrases at 44.89 passphrases/second would take 64+ minutes. On the other hand, by creating the hash tables ahead of time (approximate time of generation was 30 minutes), I was able to test all 172,779 passphrases in 2.68 seconds. This is an approximate increase of 3+ orders of magnitude!

(btw, the passphrase was not in the dictionary as I wanted cowpatty to run through all the possibilities).

-=Xploitz=-
07-11-2007, 07:33 AM
Very interesting thread you got there prez. Very informative. So it took you about 30 minutes to create the hashes...which shaved off about ...34 minutes for you...hmmm....interesting.

shamanvirtuel
07-11-2007, 10:52 AM
Really interesting dear Prez98....

around 35 min for all....it's really short........

64563.39 passphrases/second... it's really fast.... Nice...

Ethernull
07-19-2007, 02:37 AM
This should be in reply to the WPA Brute forcing thread in the specialist>wireless section of the forums, but I'm too noob to post there still.

Prez mentioned a 1mill+ length password file used to create the hash tables in conjunction with the 1k most common ssid's.

A couple questions regarding that:

Would there ever be a situation where the ssid is not known? If we know the ssid and take a day to compile hash tables, wouldn't that be faster than running the hack with 1,000 times the data in the hash list? Or am I misunderstanding the speed at which cowpatty operates a hash table?

To restate the question more clearly - Would it be faster to use the 40GB hash tables with 1,000 ssid's, or to build a hash table for the single ssid in question?

Also, is the 1mill+ password file available for download?

Thank you

-Ethernull

theprez98
07-19-2007, 03:16 AM
Moved to existing thread.
To restate the question more clearly - Would it be faster to use the 40GB hash tables with 1,000 ssid's, or to build a hash table for the single ssid in question?
Although I haven't tried it myself, based upon the numbers, I suspect that using the hash tables would be considerably faster. That of course assumes that the SSID is among the 1,000 in the list. Also, this assumes that the passphrase is actually in the password file.
Also, is the 1mill+ password file available for download?
This (http://rapidshare.com/files/43703132/passwords2.txt) link should work for you.
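The point behind theprez98's first post (a 30-minute genpmk table versus a 64-minute live run) and the question just answered (whether a 40GB table built for 1,000 common SSIDs helps against an arbitrary network) comes down to how the WPA/WPA2-Personal PMK is derived. The Python below is an added illustration, not code from cowpatty, genpmk or anyone in this thread: it derives the PMK the standard way (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes, per IEEE 802.11i), shows that the same passphrase gives a different PMK under a different SSID, and puts the thread's own figures through a simple break-even model. The passphrases, the SSID "linksys" and the cost figures passed in are assumed or constructed sample values; the one reference result is the IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import math

# Added illustration, not cowpatty/genpmk code. Constants fixed by IEEE 802.11i
# for the WPA/WPA2-Personal passphrase-to-PMK mapping.
PBKDF2_ITERATIONS = 4096
PMK_LENGTH = 32  # bytes


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (a.k.a. PSK) = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The SSID is the salt, so the expensive step has to be repeated per network;
    this is the work genpmk does once and cowpatty -d then skips.
    """
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PMK_LENGTH,
    )


def pmk_shared_between_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if a table computed for ssid_a already holds the PMK for ssid_b.

    For any two different SSIDs this is False, which is why a table keyed on
    1,000 common SSIDs says nothing about a network with an uncommon one.
    """
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


def tradeoff_estimate(n_passphrases: int, live_rate: float,
                      table_build_seconds: float, table_lookup_seconds: float) -> dict:
    """Time-memory trade-off arithmetic for a single SSID.

    live_rate is passphrases/second when PMKs are derived on the fly;
    table_build_seconds is the one-off genpmk cost; table_lookup_seconds is the
    run against the finished table. All inputs are caller-supplied estimates.
    """
    live_seconds = n_passphrases / live_rate
    saved_per_run = live_seconds - table_lookup_seconds
    return {
        "live_seconds": live_seconds,
        "first_run_with_table_seconds": table_build_seconds + table_lookup_seconds,
        "speedup_once_table_exists": live_seconds / table_lookup_seconds,
        # runs against this one SSID before the build cost is recovered
        "runs_to_break_even": math.ceil(table_build_seconds / saved_per_run)
        if saved_per_run > 0 else math.inf,
    }


if __name__ == "__main__":
    # IEEE 802.11i Annex test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    # Constructed sample passphrase under two SSIDs: tables do not transfer.
    print(pmk_shared_between_ssids("correct horse battery", "Harkonen", "linksys"))
    # Figures reported in the thread: 172,779 words, 44.89/s live,
    # ~30 min genpmk build, 2.68 s lookup run.
    print(tradeoff_estimate(172779, 44.89, 30 * 60, 2.68))
```

Two things follow for whoever runs the network: a precomputed table is only as good as its SSID list, so a non-default SSID forces the full per-network build for that one network, and a long random passphrase that appears in no wordlist makes the table's size irrelevant, which is exactly the outcome theprez98 describes when all 172,779 entries were tested without a hit.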

shamanvirtuel
07-19-2007, 03:18 AM
well the 2 in conjunction is the best

i use airolib to maintain an essid / pass sqlite database
i precompute this table (so when you add a new essid it's 99.xxxx % computed)

first step is verify if Victim essid is in the list.... if it is launch aircrack in conjunction with database........

if not in list ..... then add essid to database and recompute the table....
it's fast (airolib computes at about 100 k/s) because you have only a number of pmk to compute equal to the number of passwords in the database ....

then use aircrack with the database.......

hope it's more clear....
I'm French so it's not easy for me to explain something in English......


for the case you have no ssid, you can do a deauth attack; when the client reconnects you will catch this ssid........

hope it helps

Funnyman
07-26-2007, 12:37 AM
Does cowpatty only accept eapol.cap files or .cap files too? Because when I tried to execute cowpatty to find the passphrase for the WPA-PSK it kept saying the file is corrupt. However, in aircrack I had no problems. :(

theprez98
07-26-2007, 12:52 AM
Does cowpatty only accept eapol.cap files or .cap files too? Because when I tried to execute cowpatty to find the passphrase for the WPA-PSK it kept saying the file is corrupt. However, in aircrack I had no problems. :(
The name of the file doesn't matter, as long as it's a standard cap format and it has all four parts of the handshake.

Funnyman
07-26-2007, 12:56 AM
The name of the file doesn't matter, as long as it's a standard cap format and it has all four parts of the handshake.

Well, when I did the WPA crack, airodump registered a handshake in the top right corner of the konsole with the MAC of the AP.

-=Xploitz=-
07-27-2007, 07:18 PM
Ok..I'm having very similar issues with cowpatty to what Funnyman is having, except it says.....

{-=Xploitz=-} ~ # cowpatty -r /root/xploitzpsk-01.cap -d /root/testhash -s "Xploitz Network"
cowpatty 4.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>

End of pcap capture file, incomplete TKIP four-way exchange. Try using a
different capture.
{-=Xploitz=-} ~ #
Now this is bullshit cause I do have a 4 way handshake. I verified it through wireshark. And aircrack will accept this xploitzpsk-01.cap when I run it. Aircrack said....

{-=Xploitz=-} ~ # aircrack-ng -w testhash -b 00:18:F8:B5:F2:D6 xploitzpsk-01.cap
Created thread for id 0.
Opening xploitzpsk-01.cap
Read 0 packets.


Aircrack-ng 1.0 r611


[00:00:02] 108 keys tested (49.50 k/s)


Current passphrase: [*viva-voce\Y


Master Key : 0F EE 88 1C 15 6B 0F 15 C5 58 86 3F 05 73 91 D7
96 02 17 6F A1 59 9A AA DA 1C CD 3B 4C D4 CC E0

Transcient Key : 0C D2 41 22 16 37 3F 63 2D 9F FE 6A FE 6F 1A 65
A3 98 EE 09 4F 16 74 6F CD E2 12 92 6F B8 AB CF
13 1A 86 DE 8C 29 F5 ED A6 0B 49 73 8F 0A C1 11
EE 13 9E 35 DC A2 E0 E4 98 8F D7 68 1C 8A 71 22

EAPOL HMAC : D8 B2 15 53 46 CF A7 2C 52 DC 5C 83 CA 79 74 BD

Passphrase not in dictionnary





Now I've tried deauthing myself.... and I've tried catching the handshake without deauthing by powering up my other laptop and connecting to the internet..I KNOW that not deauthing and powering up my laptop WILL CAPTURE the 4 way handshake in ENTIRETY..I verified this in wireshark as well..but here's the catch...if I substitute my xploitzpsk-01.cap with the test one in /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap the ****er (cowpatty) will work!! WTF??? This would suggest that my capture didn't catch the 4-way handshake..but wireshark says I DID when I opened my xploitzpsk-01.cap file!! This is very frustrating because aircrack will let me but cowpatty won't. If there was a cowpatty forum I'd post my issues there..but it's Church of WiFi and I can't access the regular members forums cause I lack membership. Someone..please throw me a bone here!! Something...anything.:)

Funnyman
07-27-2007, 07:47 PM
Ok..I'm having very similar issues with cowpatty to what Funnyman is having, except it says.....

{-=Xploitz=-} ~ # cowpatty -r /root/xploitzpsk-01.cap -d /root/testhash -s "Xploitz Network"
cowpatty 4.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>

End of pcap capture file, incomplete TKIP four-way exchange. Try using a
different capture.
{-=Xploitz=-} ~ #


That is exactly the error message cowpatty is giving me, Xploitz.

-=Xploitz=-
07-27-2007, 08:39 PM
Well Funnyman, I'm trying to use the new airolib-ng from the makers of aircrack-ng...Shaman has a link for his tutorial here...http://forums.remote-exploit.org/showthread.php?p=36318#post36318 and I'm gonna try it with aircrack-ng and see if it works. I wonder if there is an update for cowpatty?? BTW..my encryption ATM is WPA2 Personal with TKIP+AES; my airodump screen says WPA2 CCMP PSK Xploitz Network.

balding_parrot
07-27-2007, 09:02 PM
Looks like 4.0 is the latest version as far as I could find.

Hmmm.... I know I have it somewhere, but which computer, NAS or HDD is it on :confused:

-=Xploitz=-
07-27-2007, 09:10 PM
Yea..that's what's installed on BT2 Final....

{-=Xploitz=-} ~ # cowpatty
cowpatty 4.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>

You ever tried this method out, balding_parrot??

balding_parrot
07-27-2007, 09:22 PM
Yea..that's what's installed on BT2 Final....

{-=Xploitz=-} ~ # cowpatty
cowpatty 4.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>

You ever tried this method out, balding_parrot??

I did try it but came to the same stumbling block you did. I assumed it was something I was doing wrong, but it appears not.

Didn't take enough notice to realise that 4.0 was included though.

But at least you know you have the latest version.

-=Xploitz=-
07-27-2007, 09:34 PM
Since theprez98 posted this...hopefully he has tried this and can shed some light on this situation for the 3 of us and the others watching this thread.

@theprez98>>>What are we doing wrong?? And why does this only work with that /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap ??? Is it because that test .cap has edited out all the other junk in the .cap file and only left the handshake? Do we need to edit our capture files to only have the eapol protocol as in this below to match our captures???

This is the printed version of the /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap



No. Time Source Destination Protocol Info
1 0.000000 Netgear_7e:40:80 Broadcast IEEE 802.11 Beacon frame,SN=113,FN=0,BI=250, SSID: "Harkonen"

Frame 1 (96 bytes on wire, 96 bytes captured)
IEEE 802.11
IEEE 802.11 wireless LAN management frame

No. Time Source Destination Protocol Info
2 188.993837 Netgear_7e:40:80 D-Link_fe:32:0c EAPOL Key

Frame 2 (131 bytes on wire, 131 bytes captured)
IEEE 802.11
Logical-Link Control
802.1X Authentication

No. Time Source Destination Protocol Info
3 189.442415 D-Link_fe:32:0c Netgear_7e:40:80 EAPOL Key

Frame 3 (153 bytes on wire, 153 bytes captured)
IEEE 802.11
Logical-Link Control
802.1X Authentication

No. Time Source Destination Protocol Info
4 189.446004 Netgear_7e:40:80 D-Link_fe:32:0c EAPOL Key[Malformed Packet]

Frame 4 (187 bytes on wire, 187 bytes captured)
IEEE 802.11
Logical-Link Control
802.1X Authentication
[Malformed Packet: EAPOL]

No. Time Source Destination Protocol Info
5 189.457265 D-Link_fe:32:0c Netgear_7e:40:80 EAPOL Key

Frame 5 (131 bytes on wire, 131 bytes captured)
IEEE 802.11
Logical-Link Control
802.1X Authentication

balding_parrot
07-31-2007, 06:20 AM
Since theprez98 posted this...hopefully he has tried this and can shed some light on this situation for the 3 of us and the others watching this thread.

@theprez98>>>What are we doing wrong?? And why does this only work with that /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap ??? Is it because that test .cap has edited out all the other junk in the .cap file and only left the handshake? Do we need to edit our capture files to only have the eapol protocol as in this below to match our captures???

This is the printed version of the /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap



No. Time Source Destination Protocol Info
1 0.000000 Netgear_7e:40:80 Broadcast IEEE 802.11 Beacon frame,SN=113,FN=0,BI=250, SSID: "Harkonen"

Frame 1 (96 bytes on wire, 96 bytes captured)
IEEE 802.11
IEEE 802.11 wireless LAN management frame

No. Time Source Destination Protocol Info
2 188.993837 Netgear_7e:40:80 D-Link_fe:32:0c EAPOL Key

Frame 2 (131 bytes on wire, 131 bytes captured)
IEEE 802.11
Logical-Link Control
802.1X Authentication

No. Time Source Destination Protocol Info
3 189.442415 D-Link_fe:32:0c Netgear_7e:40:80 EAPOL Key

Frame 3 (153 bytes on wire, 153 bytes captured)
IEEE 802.11
Logical-Link Control
802.1X Authentication

No. Time Source Destination Protocol Info
4 189.446004 Netgear_7e:40:80 D-Link_fe:32:0c EAPOL Key[Malformed Packet]

Frame 4 (187 bytes on wire, 187 bytes captured)
IEEE 802.11
Logical-Link Control
802.1X Authentication
[Malformed Packet: EAPOL]

No. Time Source Destination Protocol Info
5 189.457265 D-Link_fe:32:0c Netgear_7e:40:80 EAPOL Key

Frame 5 (131 bytes on wire, 131 bytes captured)
IEEE 802.11
Logical-Link Control
802.1X Authentication

I am wondering if this has anything to do with aircrack-ng dev now compiling without sqlite by default.

Funnyman
07-31-2007, 08:03 PM
This may sound weird but I went back and did my WPA crack again; this time I ran both airodump-ng and Wireshark to capture the handshake and I did get a handshake. So I saved it and called it wpa2.eapol.cap and WPA-01.cap respectively. Then I followed theprez98's tutorial and I didn't get any error messages from cowpatty when I ran both the commands for using the hash and the dictionary attack. :eek:

-=Xploitz=-
07-31-2007, 09:21 PM
This may sound weird but I went back and did my WPA crack again; this time I ran both airodump-ng and Wireshark to capture the handshake and I did get a handshake. So I saved it and called it wpa2.eapol.cap and WPA-01.cap respectively. Then I followed theprez98's tutorial and I didn't get any error messages from cowpatty when I ran both the commands for using the hash and the dictionary attack. :eek:

Wait a second...this is good news but I have a question...you made 2 files, 1 called
wpa2.eapol.cap

and one called...

WPA-01.cap

Right??

But which one did you use in the tutorial?? And are you sure you're not using that wpa2.eapol.cap located in /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap instead of the new one you created?? Cause I got that "test" one in that directory to work as well.

Funnyman
07-31-2007, 10:09 PM
Wait a second...this is good news but I have a question...you made 2 files, 1 called
wpa2.eapol.cap

and one called...

WPA-01.cap

Right??

But which one did you use in the tutorial?? And are you sure you're not using that wpa2.eapol.cap located in /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap instead of the new one you created?? Cause I got that "test" one in that directory to work as well.


PS: if you can tell me how to put a picture in my post, I can post a picture of it.
Yes that is correct. I used both of my WPA-PSK (WPA-01.cap and wpa2.eapol.cap) capture files from my crack in the tutorial and I'm 100% sure that I used the wpa2.eapol.cap which I saved in the root directory. Here is the command I used:

cowpatty -d HASH -r /root/wpa2.eapol.cap -s "Netager"

where HASH is the hash table I made with genpmk and my own wordlist.

PS: I don't know how to put a picture in the post, otherwise I would have shown a picture of it.

-=Xploitz=-
07-31-2007, 11:39 PM
I can't test this out right this minute..but later on today I will and I'll report success / failures here.

BTW..to upload a pic here..go to the advanced button while in your post / reply..and you'll see a paper clip icon..use it and you'll see a pop up..make sure you allow Firefox to accept pop-ups from this forum.

If the pic is too big..you'll have to get an account with photobucket and insert the image here in your post from there.

Funnyman
08-01-2007, 12:57 AM
I can't test this out right this minute..but later on today I will and I'll report success / failures here.

BTW..to upload a pic here..go to the advanced button while in your post / reply..and you'll see a paper clip icon..use it and you'll see a pop up..make sure you allow Firefox to accept pop-ups from this forum.

If the pic is too big..you'll have to get an account with photobucket and insert the image here in your post from there.

Thanks for the howto Xploitz

Funnyman
08-01-2007, 07:30 PM
As you can see, on the left is my captured handshake (163.4KB) and on the right is the BackTrack handshake (802B). Also the modified dates of the two files are different.

PS: I'm using LiveCD

-=Xploitz=-
08-01-2007, 10:34 PM
Thanks for the pix..but however..I still get this when I just try a BASIC cowpatty crack..no extras like using genpmk to generate hashes....

{-=Xploitz=-} ~ # cowpatty -r wpa2.eapol-01.cap -f algae.txt -s Xploitz
cowpatty 4.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>

End of pcap capture file, incomplete TKIP four-way exchange. Try using a
different capture.


Every freaking time..incomplete TKIP four-way exchange..here's my wireshark capture...I'm not missing something, am I?? To me it looks like I got all of my 4-way handshakes captured..right?:confused::confused:

http://i32.photobucket.com/albums/d25/Pirate1976/EAPOLWireshark.jpg

theprez98
08-01-2007, 10:40 PM
Thanks for the pix..but however..I still get this when I just try a BASIC cowpatty crack..no extras like using genpmk to generate hashes....

{-=Xploitz=-} ~ # cowpatty -r wpa2.eapol-01.cap -f algae.txt -s Xploitz
cowpatty 4.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>

End of pcap capture file, incomplete TKIP four-way exchange. Try using a
different capture.


Every freaking time..incomplete TKIP four-way exchange..here's my wireshark capture...I'm not missing something, am I?? To me it looks like I got all of my 4-way handshakes captured..right?:confused::confused:

What about that malformed packet?

-=Xploitz=-
08-01-2007, 10:47 PM
What about that malformed packet?

I notice that in EVERY capture I do. However look at this...this is the wpa2.eapol "test" capture viewed in wireshark that's in my /pentest/wireless/aircrack-ng/test directory..it has the malformed packet as well..so I figured this was normal. Any thoughts between the 2???


http://i32.photobucket.com/albums/d25/Pirate1976/aircrakstestcapture-1.jpg

theprez98
08-01-2007, 10:50 PM
I notice that in EVERY capture I do. However look at this...this is the wpa2.eapol "test" capture viewed in wireshark that's in my /pentest/wireless/aircrack-ng/test directory..it has the malformed packet as well.
I don't have a clue.

-=Xploitz=-
08-01-2007, 10:55 PM
Well, thank you for offering the help anyways. Seems I'm stuck getting this time management stuff to work. Amazingly though..aircrack-ng will accept my wpa2.eapol.cap as a valid handshake..that's what pisses me off and frustrates me the most. I was really looking forward to trying this method out too. Well, I know you don't use WPA2 prez...but thanks for posting this. Maybe I need to "Google" my ass off to find the answer to this question..or find someone here who has more experience with wireshark than I do to help verify my wpa2.eapol.cap has everything it's supposed to. But you'd think that at LEAST I'd get 1 complete handshake out of 30 that liked cowpatty.:mad:

-=Xploitz=-
08-01-2007, 11:25 PM
BTW if anyone cares to help me go over this capture..here's my full capture...just open it with wireshark and add this filter....

eapol.keydes.type == 2

Thanks everyone. :)

http://www.mediafire.com/?2yxn2fbmfzz

And here's a pic of aircrack-ng working on my SAME wpa2.eapol-01.cap file AND the entire command line used. This proves I got the handshake..but freaking cowpatty HATES ME!!!!

http://i32.photobucket.com/albums/d25/Pirate1976/aircrack-ng.jpg

shamanvirtuel
08-02-2007, 01:34 AM
as soon as I get my 'nux box open I'll try to have a look, but if it's malformed why do you use it? why don't you do your own handshake capture?

i will have a look, i promise

BTW i never use aircrack for wpa but only cowpatty, i really prefer its way of functioning....

-=Xploitz=-
08-02-2007, 01:53 AM
No Shaman..you got it wrong..I am using my own capture..I just renamed it to match the tutorial's .cap file (minus the -01 at the end of it.) It's my capture..

I can get the "test" one to work from aircrack's pentest directory..just not mine.:(

-=Xploitz=-
08-02-2007, 02:02 AM
As you can see that on the left is my captured handshake (163.4KB) and on the right is the BackTrack handshake (802B). Also the modified dates of the two files are different.

PS: I'm using LiveCD


Look at your 4.jpg...........

http://forums.remote-exploit.org/attachment.php?attachmentid=138&d=1185992977 ...The funny thing about this particular screen capture is that you have 2 files of the same name in the same directory...this is impossible!!....

Plus your screen capture is cropped on the right..why?? This is looking very suspicious IMO.

I think you're living up to your name as "Funnyman" but I for one didn't think it was funny at all.

Here's the proof that you can't have the same filename in the same directory...



http://i32.photobucket.com/albums/d25/Pirate1976/mytest.png

Care to explain this Mr. "Funnyman"???

balding_parrot
08-02-2007, 02:18 AM
Both Xploitz and myself have been sending PM's about this to each other, both of us thought that there was something strange about it.

And then I spotted what was strange about it

Two files with the same name existing in the same folder at the same time.

IMPOSSIBLE

It's not like it's even a good attempt at trying to deceive us.
How on earth did you expect to get away with it.

This is NOT a joke and NOT funny.

PLEASE, I REALLY WOULD LIKE TO HEAR YOUR EXPLANATION OF HOW YOU MANAGED THIS

shamanvirtuel
08-02-2007, 02:26 AM
photoshop...........

are you seriously thinking we are going to believe you?

or i must relearn all my Linux basics if you're right....

well, here it's spec topics....maybe you missed your section (look at the last forum....)

balding_parrot
08-02-2007, 02:31 AM
photoshop...........

What ! surely you don't mean it's been faked ? what would be the point of that ? :confused:

shamanvirtuel
08-02-2007, 02:38 AM
the only way to get such a screenshot is to fake it !!!!

it's impossible to get such a screenshot with 2 files with 1 name under any OS i think......

it just makes me think of a layer copy-paste under Photoshop...

balding_parrot
08-02-2007, 03:07 AM
the only way to get such a screenshot is to fake it !!!!

it's impossible to get such a screenshot with 2 files with 1 name under any OS i think......

it just makes me think of a layer copy-paste under Photoshop...

Don't take offence, but.....

You really need to work on your English humour, especially sarcasm ;)

It is improving, but sometimes..........

EDIT:

On second thoughts, don't change a thing, sometimes it just makes it better when you miss it

You're great just the way you are

shamanvirtuel
08-02-2007, 03:13 AM
i tried .... but i failed....LOL

just want to be a FunnyMan too...

balding_parrot
08-02-2007, 03:16 AM
i tried .... but i failed....LOL

just want to be a FunnyMan too...

NOW THAT'S FUNNY :cool:

shamanvirtuel
08-02-2007, 03:35 AM
ééé

Xploitz... do you get this malformed packet each time?
i never get such a packet..........

have you tried it against a capture from another ap?

could it be your ap which causes that?

if you capture with another card do you get this malformed eapol in the handshake?

do you get this malformed packet only with wpa2....

i can't help you further on wpa2 because my girl's ap doesn't support wpa2.....

i just do wpa1 tests with cowpatty; if i want to test wpa2 i will have to go in the wild.............

-=Xploitz=-
08-02-2007, 04:53 AM
Xploitz... do you get this malformed packet each time?

Yes, I do..and when I saw the same one in the /pentest/wireless/aircrack-ng/test/wpa2.eapol.cap capture..I assumed this was normal because they both have the malformed packet.

have you tried it against a capture from another ap?

Unfortunately no. I only own 1 AP, and I don't want to ask my neighbor, cause then I'd probably make him all paranoid of me trying to hack him...and then he'd be all looking at me funny and calling the police 24/7 saying he thinks I'm hacking him on suspicion cause I know how to hack..lol So I chose to not let my neighbors know that I possess "skills of our trade". ;)

could it be your ap which causes that?

To be honest..I don't possess the knowledge and experience to correctly diagnose this possibility. Any help on the subject would however be very much anticipated.

if you capture with another card do you get this malformed eapol in the handshake?

This is a good thought. But unfortunately, I have only one card at the moment. I broke my wg111v2..well actually my cat did..lol. And I have a Broadcom..but I don't think it would be "reliable".

do you get this malformed packet only with wpa2....

I haven't tried cowpatty with WPA Personal ...but again..VERY good suggestion. Tomorrow I will make this suggestion TOP priority. Thanks for the excellent suggestion.

i can't help you further on wpa2 because my girl's ap doesn't support wpa2.....

That's fine Shaman. You have provided me with more than enough excellent options I didn't even think about. THANK YOU SO VERY, VERY, VERY, much for taking the time to assist me. Much respect to you Niko.:)

i just do wpa1 tests with cowpatty; if i want to test wpa2 i will have to go in the wild.............

shamanvirtuel
08-02-2007, 05:07 AM
i was thinking of taking my truck and going to a friend who owns a cybercafé....
maybe he can allow me to test wpa2...........

i surely won't do something illegal....

even if the French police is at caveman age for computer crimes.....

btw this is a wireshark wpa1 handshake
http://img299.imageshack.us/my.php?image=wiresharkzx7.png (http://img299.imageshack.us/my.php?image=wiresharkzx7.png)

as you see there is no malformed packet...

-=Xploitz=-
08-02-2007, 06:31 AM
i was thinking of taking my truck and going to a friend who owns a cybercafé....
maybe he can allow me to test wpa2...........


Cool Niko!! I'd appreciate that.:)



btw this is a wireshark wpa1 handshake
http://img299.imageshack.us/my.php?image=wiresharkzx7.png (http://img299.imageshack.us/my.php?image=wiresharkzx7.png)

as you see there is no malformed packet...

Yep you're right...294 packets...46 data packets..and 0 malformed packets. Good capture. Hmm...I am curious to see yours or someone else's wpa2 captures...

BTW Niko..I'm using WPA2 Personal with TKIP+AES ;)
Also...what type of WPA are you using on this capture?? TKIP or..AES??

shamanvirtuel
08-02-2007, 01:48 PM
wpa 1 personal + TKIP

-=Xploitz=-
08-02-2007, 10:48 PM
wpa 1 personal + TKIP

SUCCESS!!!!! FINALLY!!!:) ....

I KNEW it wasn't operator error, (No pun intended at -~operator~-)

It's cowpatty and WPA2. I just changed my encryption to WPA with TKIP..and no problems with cowpatty. See below!!!

http://i32.photobucket.com/albums/d25/Pirate1976/testing.png

And here's my wireshark view of the capture..notice no malformed packets???

http://i32.photobucket.com/albums/d25/Pirate1976/w.png



After viewing this and especially the first picture in this post..you notice cowpatty says....cowpatty 4.0 - WPA-PSK dictionary attack.

It doesn't even mention WPA2!! But the cowpatty site at http://www.wirelessdefence.org/Contents/coWPAttyMain.htm

says....


UPDATE August 2006: coWPAtty 4.0 (http://www.churchofwifi.org/default.asp?PageLink=Project_Display.asp?PID=95) is now available from the churchofwifi (includes WPA2 cracking capabilities)

But I beg to differ. I can't get WPA2 to work with cowpatty. Shaman, if you can still go to your friend's AP and try this with WPA2 TKIP + AES...let me know if you could get it to work ok..

Looks like another mystery solved by -=Xploitz=- with the help of Shaman's suggestions and balding_parrot's aid. Thanks guys!!!;)

BTW..This was done without Photoshop. ;-)

shamanvirtuel
08-02-2007, 11:32 PM
yeah......my question about wpa2 was not innocent.....
i was nearly sure.....

glad to see i was right...so i NEED to go test it on a wpa2 myself to see if i get a corrupted packet (which is not a cowpatty error...)

i think cowpatty is ok, the problem is in the capture itself.....

maybe an airodump problem.....

because if it was cowpatty we would never see those corrupted packets in wireshark....so IT MUST BE A CAPTURE PROBLEM NOT AN ANALYZING PROCESS PROBLEM

weird...........really :confused::confused::confused:

-=Xploitz=-
08-02-2007, 11:50 PM
yeah......my question about wpa2 was not innocent.....
i was nearly sure.....

glad to see i was right...so i NEED to go test it on a wpa2 myself to see if i get a corrupted packet (which is not a cowpatty error...)

i think cowpatty is ok, the problem is in the capture itself.....

maybe an airodump problem.....

because if it was cowpatty we would never see those corrupted packets in wireshark....so IT MUST BE A CAPTURE PROBLEM NOT AN ANALYZING PROCESS PROBLEM

weird...........really

I see your point Niko. The reason I said cowpatty was at fault with WPA2 is because aircrack-ng will accept my handshake with my WPA2 capture. But yes, the malformed packet I get with my WPA2 captures is really odd. I can't explain why it's always 1 malformed packet. Well, at least I know I'm not incompetent now..lol. And for a minute I really was thinking that that damn no0bie Funnyman knew something I didn't. lol:D Why would someone lie about something like that anyways?? Trying to show me off maybe?:confused: Oh well...I look forward to your WPA2 TKIP+AES captures and success / failures with cowpatty. Thanks again Niko for the great suggestions old friend. http://forums.remote-exploit.org/images/icons/icon14.gif

Ze Frenchie strikes again!! :D

shamanvirtuel
08-03-2007, 01:10 AM
do you know this one?
http://www.personalwireless.org/tools/tables/ssid_unique_worldwide.zip
42M expanded ;)

i'm computing the new essids i get against my 300000 passwords database

i dedicate a 100 GB HD on a desktop box TL50 core2duo with 2 GB of ram for that and only that....but it's still slow....:confused:

-=Xploitz=-
08-03-2007, 01:13 AM
Thanks for the d/l ..I just got it. ;)

BTW..with a system setup the way you say it is..how in the world is the word slow even mentioned?? It should go lightning fast huh?

shamanvirtuel
08-03-2007, 01:20 AM
never reach more than 180/s

i was expecting more

balding_parrot
08-03-2007, 02:07 AM
Really good work guys.

Will have a proper look later if I get chance, if not then tomorrow.

Funnyman
08-03-2007, 02:15 AM
Look at your 4.jpg...........

http://forums.remote-exploit.org/attachment.php?attachmentid=138&d=1185992977 ...The funny thing about this particular screen capture is that you have 2 files of the same name in the same directory...this is impossible!!....

Plus your screen capture is cropped on the right..why?? This is looking very suspicious IMO.

I think you're living up to your name as "Funnyman" but I for one didn't think it was funny at all.

Here's the proof that you can't have the same filename in the same directory...



http://i32.photobucket.com/albums/d25/Pirate1976/mytest.png

Care to explain this Mr. "Funnyman"???

That is very correct, Xploitz, that you can't have two files with the same filename in the same directory, but with all that frustration with cowpatty you forgot that they are not the same files and they don't have the same filename; my filename has a space after the "p" in .cap, where it is illustrated in this example with a star, wpa.eapol.cap*, and the original WPA handshake filename is without any space after the "p" in the .cap. So there you have it. If you want more evidence, then look at the modified dates.

If you still don't believe me, then I am happy to go and capture a WPA handshake again and post a picture of it or a video of me saving the two "same" files with the "same" filename.

PS: I did post a picture of my WAP-01.cap file in action with cowpatty; didn't you say anything about that?

-=Xploitz=-
08-03-2007, 03:20 AM
PS: I did post a picture of my WAP-01.cap file in action with cowpatty; didn't you say anything about that?


That's because I got it to work with WPA..not WPA2..this is possible..but with WPA2....no success by me or b_p.

shamanvirtuel
08-03-2007, 03:29 AM
BTW what is WAP-01, a new protocol ???? MouAAAAAAAA:D:D:D you make me think you don't know well what you are talking about....

shamanvirtuel
08-03-2007, 03:38 AM
calm down, the trick with the name seems to be possible, i just did it last minute

you add the space after the extension......and effectively there are 2 files which seem to have the same name but are not, because of this space...

really it works, so my apologies....FunnyMan

-=Xploitz=-
08-03-2007, 03:50 AM
no it doesn't.....I tried it shaman.


http://i32.photobucket.com/albums/d25/Pirate1976/gg.png

-=Xploitz=-
08-03-2007, 03:55 AM
**** me... it does work, but with .cap extensions, not .txt extensions... SOAB!!!! :mad::mad:

Mother ****er... I owe you an apology as well, FunnyMan. Looks like the joke's on me. You can't do it with .txt files, which was what I was doing... I didn't even think to try it with .cap files... SHIT!!! :mad:

shamanvirtuel
08-03-2007, 03:57 AM
It works with many files, I bet all.
I tried .sh
.txt

Bug of the KDE file manager? I don't think it's possible under GNOME.

-=Xploitz=-
08-03-2007, 03:59 AM
It works with many files, I bet all.
I tried .sh
.txt

Bug of the KDE file manager? I don't think it's possible under GNOME.



Look at my pic above. It's a .txt, and I couldn't do it with a space after the name.

shamanvirtuel
08-03-2007, 04:05 AM
http://img182.imageshack.us/img182/474/testht3.th.png (http://img182.imageshack.us/my.php?image=testht3.png)


I got 3 TEST.txt and IPW......SH

One with 1 space, one with 2 spaces after the extension; I click rename after adding the space at the end when the manager complains about the names....

So it really works.

-=Xploitz=-
08-03-2007, 04:25 AM
So I see. I don't understand though why I can't do it with .txt extensions... hmmm...

Oh well...

I apologized to him. Even I make mistakes, just usually not this big of one. Again, sorry FunnyMan... see PM.
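The "two files with the same name" argument above comes down to a trailing space that a file manager and a plain `ls` both hide. As an added check (not code from anyone in the thread), the function below groups the entries of a directory by their whitespace-stripped name and reports any group that collapses to the same stripped name, using a constructed temporary directory that recreates the two lookalike capture files; the file names and their contents are invented for the example.

```python
"""Added example: detect directory entries whose names differ only by whitespace."""
import os
import tempfile
from collections import defaultdict


def whitespace_collisions(directory: str) -> dict:
    """Map each whitespace-stripped name to the repr() of every real entry that
    collapses to it. Only groups with more than one member, or whose single member
    carries leading/trailing whitespace, are returned."""
    groups = defaultdict(list)
    for name in os.listdir(directory):
        groups[name.strip()].append(name)
    return {key: sorted(repr(n) for n in names)
            for key, names in groups.items()
            if len(names) > 1 or names[0] != key}


def demo_directory() -> str:
    """Constructed directory: the two lookalike captures from the thread plus a
    normal wordlist file. Contents are placeholders, not real captures."""
    d = tempfile.mkdtemp()
    for name in ("wpa.eapol.cap", "wpa.eapol.cap ", "passwords2.txt"):
        with open(os.path.join(d, name), "w") as fh:
            fh.write("placeholder\n")
    return d


if __name__ == "__main__":
    d = demo_directory()
    for key, names in whitespace_collisions(d).items():
        # repr() makes the trailing space visible: 'wpa.eapol.cap' vs 'wpa.eapol.cap '
        print(f"{key!r}: {', '.join(names)}")
```

From a shell the same thing is visible with `ls -Q` (names are printed in double quotes, so a trailing space shows up inside them) or `find . -name '* '`.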

Funnyman
08-03-2007, 05:33 AM
BTW, what is WAP-01, a new protocol???? MouAAAAAAAA :D:D:D You make me think you don't know well what you are talking about....

I accept your guys' apologies, and I'm glad that my name was cleared :).


PS: Shaman, you should know too well that I, like many other people, do sometimes make mistakes when typing.

-=Xploitz=-
08-03-2007, 06:45 PM
I accept your guys' apologies, and I'm glad that my name was cleared :).



Good to hear that, Funnyman. I need you to do me a favor, please. Could you upload a COMPLETE copy of your wpa2.eapol.cap capture? I want to compare mine and yours to help me figure out where I'm going wrong, if you don't mind. I uploaded mine to mediafire.com in a post way up above, on the first page I believe. If you could do the same and give me the link, I'd appreciate it a lot. Thanks Funnyman. ;)

Funnyman
08-04-2007, 05:00 PM
Good to hear that, Funnyman. I need you to do me a favor, please. Could you upload a COMPLETE copy of your wpa2.eapol.cap capture? I want to compare mine and yours to help me figure out where I'm going wrong, if you don't mind. I uploaded mine to mediafire.com in a post way up above, on the first page I believe. If you could do the same and give me the link, I'd appreciate it a lot. Thanks Funnyman. ;)

Sure Xploitz :cool:

tek911
01-06-2008, 03:25 PM
OK, so not to dig up a thread that hasn't been active in some time, but I just needed someone to confirm for me about cowpatty 4.0 and WPA(1) AES caps.

Basically I was beating my head against a wall much like xploitz was. I followed the thread, pulled down cowpatty 4.0, compiled it, ran it, and still got the same thing ("end of pcap capture file, incomplete TKIP four-way exchange. Try using a different capture"). Should I take that to mean (the TKIP, that is) cowpatty can't do WPA AES? Because I changed my WAP back over to TKIP and it worked like a charm.

I can get hashes to work, I can get airolib to work, but damned if I can get a good WPA AES capture (I verified the 4-part handshake is there)...... :(

shamanvirtuel
01-06-2008, 03:28 PM
The only one I had a problem with was WPA2/AES.

WPA1/AES, no problem.

devilsreach
06-17-2008, 11:05 PM
Hate to dig up an old thread. I read through this whole thread and didn't really see a solution/reason for the problem, so I figured I'd post this. Not 100% sure if this applies, because you are all saying you have received a complete handshake capture and verified it with Wireshark. But I was running into the same problem, and found this article: http://www.wolfslair.nl/php/modules.php?name=Content&pa=showpage&pid=15 (look at the "interesting observations" section)

I did a deauth after my laptop was already connected (instead of trying to capture it when I joined the network) and it worked. Sorry if this is way off, just trying to help :D

=Tron=
06-18-2008, 03:03 AM
Cowpatty will not recognize WPA2 handshakes, but aircrack will. This is one of the reasons I find the aircrack suite superior, well apart from the fact that it simply is faster as well. Cowpatty has not been updated in ages, whereas aircrack is still under development and receives frequent upgrades.

devilsreach
06-21-2008, 07:54 PM
Why do they claim it works for WPA2 then??

"NOTE: coWPAtty 4.0 and above also include WPA2 attack capabilities (usage remains the same)."

http://wirelessdefence.org/Contents/coWPAttyMain.htm

=Tron=
06-21-2008, 08:17 PM
Why do they claim it works for WPA2 then??

"NOTE: coWPAtty 4.0 and above also include WPA2 attack capabilities (usage remains the same)."

http://wirelessdefence.org/Contents/coWPAttyMain.htm

I am sorry, I should have specified that I was talking about WPA2 AES. Cowpatty will work with WPA2 TKIP, but AES is as far as I know still not supported.

cybrsnpr
08-30-2008, 08:42 PM
Cowpatty will crack WPA2 AES-TKIP captures. The problem is that there is a bug in their code where cowpatty will not recognize AES packets as a legit EAPOL packet. The problem is around lines 416 and 432 of the cowpatty.c file.

Virchanza
10-21-2008, 08:06 AM
My initial reaction to your findings is that there must be some bad programming going on behind the scenes.

Here are the two options we're considering:

Option 1: Run an algorithm which produces combinations, and write each combination to a dictionary file, then execute a program that processes each word in the dictionary file to see if it's the correct password.

Option 2: Run an algorithm which produces combinations, and process each word to see if it's the correct password.

The code for Option 1 would work as follows:

FileHandle f = CreateFile("dict.txt");

for loop (blah blah)
{
    CreateNextCombination();

    WriteCombinationToFile(f);
}

CloseFile(f);

FileHandle f = OpenFile("dict.txt");

for loop (blah blah)
{
    ReadCombinationFromFile();

    TestCombinationToSeeIfCorrect();
}


If we look at the second option however, it's far simpler:


for loop (blah blah)
{
    CreateNextCombination();
    TestCombinationToSeeIfCorrect();
}


I would expect this shorter code to run way way way faster because it doesn't have to execute hundreds (if not thousands) of instructions just to read and write from a file.

If Option 1 is working out faster for you, then there's a BIG problem with how the second one is coded. BIG BIG BIG problem.

Actually I'd like to prove this. How about I create a dictionary file that has every combination of lowercase four-letter words (aaaa, aaab, aaac, aaad, up to zzzz). I'll use aircrack-ng to try out this password file on a WPA handshake. Next thing I'll do is download the source code for aircrack-ng and alter it so that instead of reading a word from a file, it simply calculates on-the-fly.

I'll calculate how long it takes to produce the dictionary file and also crack the password, and I'll compare this to the "on-the-fly" version. My prediction is that the latter will be a hell of a lot faster. If it isn't a hell of a lot faster it would go against every morsel of computer knowledge I have.