WPA support

Moderator: BarsMonster

User avatar
the_drag0n
Posts: 217
Joined: Thu Oct 02, 2008 6:48 am
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

WPA support

Post by the_drag0n » Fri Oct 03, 2008 6:41 am

on this site you can generate all wpa keys you want to :

http://www.badtech.org/tools/wpa/index.php

exp :

Code: Select all

ssid : abcd
key : 12345678
hash : 388e078ef7af36ad7f5dd7fd3f0769acded30718888801d998e3ed4598d738a5

ssid : abcdef
key : 12345678
hash : 251c36e3d394e70b6027b04ac04773483c44dc4c135e005b6fcdda0e8beff22d

ssid : asduhk
key : asliaifherf
hash : a4a62d71ed0cf26c63035966e5d8fcb50a4b53ae7a13800f40349c2310ef4bd7

User avatar
BarsMonster
Site Admin
Posts: 1118
Joined: Wed Oct 01, 2008 7:58 pm
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by BarsMonster » Fri Oct 03, 2008 10:31 am

And ssid and hash are known?

kiando
Posts: 64
Joined: Thu Oct 02, 2008 7:30 am
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by kiando » Fri Oct 03, 2008 10:35 am

Yes, the SSID is the name of your wireless network and I think you receive the hash as a key while in the network. the hash is salted by the SSID.

User avatar
the_drag0n
Posts: 217
Joined: Thu Oct 02, 2008 6:48 am
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by the_drag0n » Fri Oct 03, 2008 10:43 am

yep.
they are in the capture file.

example: http://rapidshare.com/files/150512459/c ... 1.cap.html (board doesnt support extension :/)
ssid "Entenhausen"

to be opened with wireshark or sth similar

use the following filter : "eapol.keydes.type == 254"
Last edited by the_drag0n on Fri Oct 03, 2008 10:46 am, edited 1 time in total.

User avatar
the_drag0n
Posts: 217
Joined: Thu Oct 02, 2008 6:48 am
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by the_drag0n » Fri Oct 03, 2008 10:44 am

kiando wrote:Yes, the SSID is the name of your wireless network and I think you receive the hash as a key while in the network. the hash is salted by the SSID.
you recive the hash if you deauth an actual client of the network. he reauths and you capture the hash.
the key is what you want to find ;)

c4p0ne
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by c4p0ne » Mon Oct 06, 2008 6:17 pm

If WPA/(WPA2?) support were to be implemented, what kind of calculation-speed can be generally expected? Thus far, I'm acheiving 641 p/sec on Intel QuadCore which increases to about 2200 p/sec using Nvidia 8800GTX GPU. These results were using EDPR v2.60.187 btw. However I would love to see this supported in a command line utility.

User avatar
the_drag0n
Posts: 217
Joined: Thu Oct 02, 2008 6:48 am
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by the_drag0n » Mon Oct 06, 2008 6:24 pm

well if bars optimizes the code very well you could expect about 7000 packets with your graphiccard.

Sc00bz
Posts: 136
Joined: Fri Oct 03, 2008 8:28 am
Contact:

Re: WPA support

Post by Sc00bz » Tue Oct 07, 2008 2:44 am

A few myths about WPA-PSK:
* "WPA-PSK rainbow tables" are not rainbow tables they are lists of hashes for given passwords and SSIDs.
* You never have a hash of the password. The hash of the password is just as good as having the password itself. Since you have two choices a password of 8 to 63 letters or 64 hex digits (the hash).
* When you sniff a successful authentication whether from frame injection (deauth-ing) or just waiting you get 2 mac addresses, 2 nonces (salts), "eapolframe" the message, and "keymic" (hmac of message with a key of part of the PTK). You then take a password and generate the PMK (that hash). Use the 2 mac addresses, 2 nonces, and the PMK to generate the PTK. Then hmac of message with a key of part of the PTK and finally compare it to the "keymic."

----------
I don't think "WPA-PSK rainbow tables" are rainbow tables since I don't think it's possible. I tried to download a "rainbow table" for wpa-psk but the files were all blank and named ".hash" so I couldn't tell what these files are. I think the file format of ".hash" is just a list of hashes for passwords and I'm not going to download 33 GiB just to see what one of the files looks like. If you don't believe me or just want proof you'll need to have the 33 GiB of tables and post one of the files name and the first 1 KiB in hex.

If you were just trying to crack a hash you would attack the first 160 bit of the 256 bit hash so you can go 2 times faster since the first 160 bits is calculated separately from the last 96 bits, but both aircrack and cowpatty generate the full 256 bits.

http://www.wi-fiplanet.com/tutorials/ar ... hp/3667586

----------
This is a rough estimate you can probably get 5,800 to 4,800 on a Core2 Quad 3.0 GHz.

User avatar
the_drag0n
Posts: 217
Joined: Thu Oct 02, 2008 6:48 am
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by the_drag0n » Tue Oct 07, 2008 7:29 am

Sc00bz wrote: I don't think "WPA-PSK rainbow tables" are rainbow tables since I don't think it's possible. I tried to download a "rainbow table" for wpa-psk but the files were all blank and named ".hash" so I couldn't tell what these files are. I think the file format of ".hash"

these files were made to be used with cowpatty. they are not "rainbowtables" and they were never called rainbowtables.
the only prog which tells you to be generating rainbowtables is winrtgen.
there is also to generate a mysql db for wpa with airolib i think.
well in fakt all of these methods are very slow but building these databases or hash files makes it at least a bit faster.

Sc00bz
Posts: 136
Joined: Fri Oct 03, 2008 8:28 am
Contact:

Re: WPA support

Post by Sc00bz » Tue Oct 07, 2008 9:40 am

Well I was getting my info from http://www.renderlab.net/projects/WPA-tables/ which is the first site for "wpa psk tables" in google. Hmm you do get a lot more sites with "wpa psk -rainbow tables" than "wpa psk rainbow tables." At least there are a good about of people that know the difference.

User avatar
the_drag0n
Posts: 217
Joined: Thu Oct 02, 2008 6:48 am
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by the_drag0n » Fri Oct 10, 2008 4:24 pm

elcomsoft has updatet its software to also support wpa gpu cracking now:
http://www.elcomsoft.com/news/268.html

according to them it could be 100 times faster which is prob a bit blown up or just for quad sli x280xt ;)

Spaztikdude
Posts: 16
Joined: Thu Oct 16, 2008 1:27 am
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by Spaztikdude » Thu Oct 16, 2008 1:31 am

Well, I get around 6200 per second with a 9800GT... (Same as a 8800GT, but with different bios)

The problem is, it's only bruteforce. Theres no dictionary option for WPA in at the moment.

It sort of bottlenecks at exactly 6199 for some reason.
Last edited by Spaztikdude on Fri Oct 17, 2008 10:51 am, edited 1 time in total.

c4p0ne
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by c4p0ne » Thu Oct 16, 2008 6:59 pm

Massive improvment! However, still wayyy too slow for practical cracking of >8 character passes... :wall: :(
Attachments
stillabysmallyslow.png
Results using EDPR (v2.71.192)

User avatar
the_drag0n
Posts: 217
Joined: Thu Oct 02, 2008 6:48 am
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by the_drag0n » Thu Oct 16, 2008 8:37 pm

11k now thats alot.
somehow mine doesnt use cpu to crack wpa ...
anyway if we used this distributed it will be way more effectiv ;)

hardfalcon
Posts: 32
Joined: Thu Oct 09, 2008 11:33 pm
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by hardfalcon » Thu Oct 16, 2008 9:59 pm

Sure they aren't simply faking this to make people buy their stuff instead of just using BarsWF?

A direct benchmark where both tools have to find the same password with the same settings (as far as possible) would be very interesting I think... (Of course I do hope Elcomsoft is NOT faking this).

Sc00bz
Posts: 136
Joined: Fri Oct 03, 2008 8:28 am
Contact:

Re: WPA support

Post by Sc00bz » Thu Oct 16, 2008 11:38 pm

What would they be faking? The numbers? Why only 11k on GTX260? A computer with two quad cores can almost get that (pretty sure).
Sc00bz wrote:This is a rough estimate you can probably get 5,800 to 4,800 on a Core2 Quad 3.0 GHz.
I forget if I took into account the fact that SHA1 needs 5 registers plus 1 temp register and to interlace 3 SHA1s nicely you'll need 18 registers but there are only 16 registers. Good news is if/when SSE5 comes out it will speed up WPA a lot since each of the first 16 rounds have 2 rotates and the last 64 rounds use 3 rotates. SSE5 has an instruction, PROTD, that does a rotate which saves 3 instructions/rotate.

User avatar
BarsMonster
Site Admin
Posts: 1118
Joined: Wed Oct 01, 2008 7:58 pm
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by BarsMonster » Thu Oct 16, 2008 11:54 pm

Hmm... Looks like SSE5 is AMD extension :-(
It would be sad if Intel would not support it

Sc00bz
Posts: 136
Joined: Fri Oct 03, 2008 8:28 am
Contact:

Re: WPA support

Post by Sc00bz » Fri Oct 17, 2008 12:25 am

Intel won't be supporting SSE5 because they are going with AVX which will have 3 operand instructions and 128 bit integer instructions and future versions will have 256 bit and 512 bit integer instructions.

c4p0ne
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by c4p0ne » Fri Oct 17, 2008 10:10 am

That is NOT fake. The screen shot is from MY actual machine. :mrgreen:

:edit:

And by the way those figures are inaccurate. This particular hash is WPA1 and on a Core2Quad ALONE the maximum I've ever gotten is <700 pw/s. The screenshot above is where GPU (Nvidia 260 Core216) is involved. The speed jumps from 620 pw/s (Quadcore CPU alone) to >11,000 pw/s (w/GPU). Elcomsoft have truly optimized GPU for WPA/WPA2, and I expect ti to become even more optimized in future versions.

Of course, in my screenshot, I am not using any of the other boxes I have around. It is only using 1 machine. EDPR can do distributed cracking on WPA/2 hashes though! I can probably get up to 50,000 pw/s if i used all the machines I have at my disposal.... Unfortunately, 50k pw/s is still disgustingly slow for "brute-force" type of attacks on WPA/2. It would be excellent for some kind of wordlist/dictionary attack but Elcomsoft stupidly don't support this yet, even after SO long. :(

Sc00bz
Posts: 136
Joined: Fri Oct 03, 2008 8:28 am
Contact:

Re: WPA support

Post by Sc00bz » Fri Oct 17, 2008 9:39 pm

They could have "passwords_check_last_interval / interval * 1.05" that will make the numbers 5% higher than what they really are.

Also there are ways to unknowingly do this like setting a timer for 500 ms and doing "passwords_check_last_interval / 0.500" I'm pretty sure Windows will over time have less calls to that function than 2 per second making the number of passwords checked per second higher.

hardfalcon
Posts: 32
Joined: Thu Oct 09, 2008 11:33 pm
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by hardfalcon » Fri Oct 17, 2008 9:59 pm

Sc00bz: That's exactly what I meant. There I said that a benchmark of the 2 tools would be interesting. Simply measure the real time they need with some external tool, and see what comes out.

User avatar
Igor
Posts: 19
Joined: Sun Nov 09, 2008 12:22 pm
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by Igor » Sun Nov 09, 2008 1:11 pm

There's an opensource project around, called pyrit, it provides the speed for quite a number of cards right on the front page. It does around 10k on a GTX260, a bit more than 11k on a GTX280.

However, Aircapture claims they can do 75000 on a single FPGA and build systems with up to 210 FPGAs. 1.5 billion/sec - but that's still slow for 8 digits, especially if you want to include some symbols.

The FPGA-cards they use looks very much like a Pico E16 Express-Card, which includes a Virtex-5 LX50.

I think they sell it for around 2000$? Can't really remember at the moment. There's not really a big price advantage over the GTX260, since about seven of them reach around the same speed as the FPGA and are at around 270$. But you'll need almost no energy in comparison and can carry the thing around ...

User avatar
the_drag0n
Posts: 217
Joined: Thu Oct 02, 2008 6:48 am
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by the_drag0n » Sun Nov 09, 2008 1:16 pm

i think we can forget wpa for a while as in 4 or 5 days there will be a new method presented which is told to be able to crack WPA TKIP or WPA1.
cant wait for it ! ;)

User avatar
Igor
Posts: 19
Joined: Sun Nov 09, 2008 12:22 pm
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by Igor » Sun Nov 09, 2008 1:38 pm

the_drag0n wrote:i think we can forget wpa for a while as in 4 or 5 days there will be a new method presented which is told to be able to crack WPA TKIP or WPA1.
cant wait for it ! ;)
You're referring to tkiptun-ng? Doesn't this only work against WPA and not WPA2 since WPA2 uses AES?

[EDIT] Sorry, I can't read - that's exactly what you wrote
Last edited by Igor on Sun Nov 09, 2008 8:21 pm, edited 1 time in total.

hardfalcon
Posts: 32
Joined: Thu Oct 09, 2008 11:33 pm
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Re: WPA support

Post by hardfalcon » Sun Nov 09, 2008 3:38 pm

Igor: I guess this one would be more interesting:
http://www.picocomputing.com/products/s ... luster.php

If I understand the specs on their site right, they achieve 5,6 billion DES keys per second with only one or two cards. Now imagine what will happen if you got enough money and put in 15 more cards... :crazy:

Post Reply
[phpBB Debug] PHP Warning: in file [ROOT]/vendor/twig/twig/lib/Twig/Extension/Core.php on line 1266: count(): Parameter must be an array or an object that implements Countable

Who is online

Users browsing this forum: No registered users and 1 guest