Episode 517 – Packet Injection, WPA Attacks, Virtualization

The gang gathers at a dive in Hoboken, NJ during their trip to NYC for the live Diggnation and discusses wireless packet injection with airpwn, advancements in WPA-PSK attacks and, of course, virtualization.


In an effort to thwart hangovers the gang drops by DC’s Tavern in Hoboken to geek out about Wi-Fi and virtualization over shots and cold ones.

Darren is excited about the recent improvements to both Airpwn and Cowpatty.

Edit: Mubix points out these awesome WPA Tables from Offensive-Security (You know ’em as the BackTrack guys).

Best WPA tables out there for use with coWPAtty. (And another little plus is they posted the password list they used to generate the tables, which is also an AWESOME password list for cracking all kinds of passwords. 😉)

Matt answers some viewers questions and encourages more for an upcoming special.

Shannon has all the deets on this week’s contest and LAN party.


  • ioyou

    Man, I love airpwn.
    I just compiled the new version on my BackTrack and I have it running on my neighbor’s wifi lol.

    He gets pissed every time lol. It redirects him to my backtrack php-cgi apache server and redirects him to rick roll lol

  • Sc00bz

    Just letting you know it is impossible to make rainbow tables for WPA-PSK and have them be of any use. The four-way handshake has two nonces (256 bits each) and two MAC addresses for salt, which means you can’t make a rainbow table for that. Now Winrtgen does have an option to make WPA-PSK tables. This requires you to have the WPA-PSK hash, but if you have the WPA-PSK hash you can already get onto the network, so knowing the password is really pointless. Unless the password is changed frequently and you find the pattern, but this will never happen in the real world because you would need to break in multiple times and crack multiple hashes. Also, no one changes their wireless key frequently and keeps some pattern to it.

    ** Funny story about passwords **
    At NIU you are required to change your password once a semester. “Your password must be 8 characters long. It must be a mix of numbers and lowercase letters.” (Yes, I know they are dumb; the key space is only 2^41.25, “2.61 trillion”, hopefully that’s right.) And my English teacher told everyone to do something like fall2009 and then change it to spring09 (yes, I know he’s retarded). I’m embarrassed to have graduated from there. Hmm, this is a perfect example of why you never have passwords that expire, because people will just put the current year at the end, increment a number, or, if it’s too frequent like at NIU for my English teacher, the whole password will be when the password is valid.

    Now what you can do for WPA-PSK is take a list of passwords, pre-calculate the hashes of them and store that. Then when you capture the handshake all you need to do is take a hash, do a few HMACs and check the answer. This is exactly how coWPAtty works.

    If you don’t believe me here’s a nice little quote:
    “This page is to give a little more insight into the methodology and logic behind conceiving and building the CoWF WPA-PSK Rainbow Tables (actually they are lookup tables but I just like the term ‘rainbow tables’ a lot.)” -renderlab.net

  • Investe

    Well, I liked it! It’s something different and sometimes I couldn’t understand very well (probably because my English sucks) but I think it’s a good break. It shows you are active, creative and never boring! And I like the fact that you all were kinda drunk at the end… Well done.

  • David

    Sc00bz: There’s no reason why it’s “impossible” to make PMK rainbow tables. A rainbow table is just a more advanced form of lookup table, where instead of mapping each plaintext directly to its hash (as is done in a lookup table), the start of a chain of hashes and reductions is mapped to the end of the chain. Looking up a reduced hash in the rainbow table involves hashing and reducing it incrementally until it matches the endpoint of some chain. This means that the size of the table can be greatly reduced, at the expense of extra computation to look up hashes. Furthermore, the amount of computation tradeoff can be adjusted just by adjusting the chain length.

    Designing PMK rainbow tables would only require someone to define a class of reduction functions that can transform a PMK to a PSK, and of course develop a tool that can generate and interpret these tables. As you say, cowpatty/genpmk only works with lookup tables.

    As for your saying that you cannot make rainbow tables “for” the four-way handshake, that doesn’t make sense anyway. The four-way handshake is just used to generate a client’s PTK(s) for the session, and requires both the client station and the access point to already know the PMK beforehand. We’re not concerned about this process or the salts used in this process. We’re only concerned about the PSK-to-PMK hashing process (that is, converting a cleartext passphrase to the big 32-byte hash). The only unpredictable salt used in this hashing process is the SSID (and SSID length, but that is easily derived from the SSID), which is why there are separate tables for different SSIDs.

    • fernando

      Hi David,
      I had the same idea, but it has a drawback we can’t overcome.
      We don’t have any initial PMK to apply the reduction function
      and to compare later with the values stored at the table.

      In an ordinary TMTO attack, the initial attacked value would be a block ciphered with an unknown key (which maps to a known cleartext block) or a hash value which maps to an unknown password. But we don’t have such a value in this case.

      Also, the passphrase is “salted” with the ESSID of the network, so we would have to build a separate table for each different ESSID, which renders the attack impracticable most of the time.

      Best regards,

  • Eric

    Just an FYI, you don’t want to consider the bare metal hypervisor in ESXi (or ESX) for ANYTHING that you would like audio for. It’s not supported. Also, there’s a limitation of 6 pseudo PCI devices, and the display always takes up one, so you are really limited to 5. For a little more flexibility in those situations, use Microsoft Virtual PC or VMware Workstation. I hadn’t actually played with VMware Workstation until I got the license for passing the VCP exam, but I actually like it!

  • Sc00bz

    David, you missed the most important part of that “just letting you know it is impossible to make rainbow tables for WPA-PSK and have them be of any use.” Let’s say you have a PMK rainbow table for the correct SSID. Now all you need is the PMK to use the rainbow table, but if you have the PMK you can already get onto the network. So knowing the PSK is not useful.

    P.S. I lied on the not being able to make a rainbow table for the four-way handshake. By “you can’t make a rainbow table for that” I mean you need to do 2^304 times more work (because of the nonce and MAC) if you “are the access point” or 2^608 times more work if you aren’t, which is infeasible for the next 450 years.

  • Joshua Wright

    David said “Sc00bz: There’s no reason why it’s “impossible” to make PMK rainbow tables.”

    For practical purposes, this is incorrect, or at least impractical.

    You could write a rainbow table to compute a PMK with the associated PSK, which would not be useful against recovering the WPA2 4-way handshake. It would only be useful if you got the PMK through some other means (like dumping it from the registry). Even then, it’s not useful, because you don’t actually need the PSK to connect to the network. You can actually paste the PMK right into the Windows network setup, which is why the PSK is limited to 63 characters (the PMK is 64 characters, allowing the developer to figure out what you mean – PSK or PMK – just by looking at the length of the input string).

    It’s not possible to write a rainbow table to attack the 4-way handshake exchange since the nonces represent uniqueness in the conversation that can’t be precomputed. You could not ascertain, for example, a partial match from a precomputed PMK without the entire PMK itself, making the time/memory trade-off ineffective here. I think the way coWPAtty does PMK precomputation is the best that can be accomplished given the design of WPA (and kudos to the IEEE for providing a reasonable protocol for *consumer* network authentication and key derivation).


    p.s. For the record, coWPAtty was intended to make fun of WPA, not my code. 🙂


    THIS episode I have downloaded twice (xvid & avi); both downloads have the megabytes there but don’t play, other episodes do, also the embedded video doesn’t play… is it just me or is there a wee glitch in the system…?
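The two derivations the thread above argues about, written out as an added example (not code from the page or from any of the commenters, and not coWPAtty's code): the PSK-to-PMK step depends only on the passphrase and the SSID, so it can be tabulated per SSID, while the PMK-to-PTK step mixes in both MAC addresses and both nonces, so nothing about a session can be precomputed. The passphrase/SSID pair "password"/"IEEE" is the public 802.11i test vector; the MAC addresses and nonces are constructed, and the 64-hex-character PMK versus 8..63-character passphrase rule follows Joshua Wright's comment.

```python
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes (256 bits).
    Only the passphrase and the SSID (as salt) enter this step, which is why a
    PMK table can be built per SSID ahead of time (what genpmk/coWPAtty store)
    and why a network with an unusual SSID is not covered by any generic table."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def pmk_from_config(value: str, ssid: str) -> bytes:
    """Accept either a raw 64-hex-character PMK or an 8..63-character passphrase,
    told apart by length exactly as the Windows/hostapd-style configs do."""
    if len(value) == 64:
        return bytes.fromhex(value)
    if not 8 <= len(value) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return derive_pmk(value, ssid)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: counter-suffixed HMAC-SHA1 blocks, concatenated."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PMK -> PTK for the 4-way handshake. Both MAC addresses (AA = AP, SPA =
    station) and both 256-bit nonces are mixed in, so the PTK, and the KCK that
    authenticates the handshake (its first 16 bytes), is fresh every session."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def kck_for_session(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    return derive_ptk(pmk, aa, spa, anonce, snonce)[:16]


# Constructed sample session: MAC addresses and nonces are made up.
AA = bytes.fromhex("001122334455")
SPA = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")  # public 802.11i test vector pair
    print("PMK ", pmk.hex())
    print("KCK ", kck_for_session(pmk, AA, SPA, ANONCE, SNONCE).hex())
    # The same PMK with a different ANonce yields an unrelated KCK.
    print("KCK'", kck_for_session(pmk, AA, SPA, bytes(32), SNONCE).hex())
```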

  • Shinji

    I don’t know about WPA (haven’t tried personally) but I don’t even need BackTrack for wireless hacking. Here is what I used…

    aircrack-ng (package)
    macchanger (package)
    Intel Wifi Link 5100

    Then I just followed these instructions:

    I used ‘macchanger --random’ so I would get a new MAC address, but it was random so it can’t be blocked easily. I just made note of the new MAC. The adapter was put into monitor mode. I had the key cracked in less than 20 minutes on an empty network (i.e. no one connected at all).

  • Matt

    You guys need to be drinking faster… you did like a whole show on 1 glass of beer. Blue moon is the heat so drink it. Don’t let it get warm. Shame on you all.

