Ubuntu
aircrack-ng (package)
macchanger (package)
Intel Wifi Link 5100

Then I just followed these instructions:

I used ‘macchanger –random’ so I would get a new mac address but it was random so can’t be blocked easily. I just made note of the new mac. The adapter was put into monitor mode. I had the key cracked in less than 20 minutes on an empty network (i.e. no one connected at all).

For practical purposes, this is in correct, or at least, impractical.

You could write a rainbow table to compute a PMK with the associated the PSK, which would not be useful against recovering the the WPA2 4-way handshake. It would only be useful if you got the PMK through some other means (like dumping it from the registry). Even then, it’s not useful, because you don’t actually need the PSK to connect to the network. You can actually paste the PMK right into the Windows network setup, which is why the PSK is limited to 63 characters (the PMK is 64 characters, allowing the developer to figure out what you mean – PSK or PMK – just by looking at the length of the input string).

It’s not possible to write a rainbow table to attack the 4-way handshake exchange since the nonces represent uniqueness in the conversation that can’t be precomputed. You could not ascertain, for example, a partial match from a precomputed PMK without the entire PMK itself, making the time/memory trade-off ineffective hear. I think the way cowpatty does PMK precomputation is the best that can be accomplished given the design of WPA (and kudos to the IEEE for providing a reasonable protocol for *consumer* network authentication and key derivation).

-Josh

p.s. For the record, coWPAtty was intended to make fun of WPA, not my code.

P.S. I lied on the not being able to make a rainbow table for the four-way handshake. By “you can’t make a rainbow table for that” I mean you need to do 2^304 times more work (because of the nonce and mac) if you “are the access point” or 2^608 times more work if you aren’t. Which is infeasible for the next 450 years.

Designing PMK rainbow tables would only require someone to define a class of reduction functions that can transform a PMK to a PSK, and of course develop a tool that can generate and interpret these tables. As you say, cowpatty/genpmk only works with lookup tables.

As for your saying that you cannot make rainbow tables “for” the four-way handshake, that doesn’t make sense anyway. The four-way handshake is just used to generate a client’s PTK(s) for the session, and requires both the client station and the access point to already know the PMK beforehand. We’re not concerned about this process or the salts used in this process. We’re only concerned about the PSK-to-PMK hashing process (that is, converting a cleartext passphrase to the big 32-byte hash). The only unpredictable salt used in this hashing process is the SSID (and SSID length, but that is easily dervied from the SSID), which is why there are separate tables for different SSIDs.

Have you heard of pyrit at http://code.google.com/p/pyrit/ for generation for WPA hashes? The power of Stream/Cuda have made much bigger tables possible.