
Tutorial on using downloaded WPA_PSK rainbow tables with airolib

2014-10-29 23:40, 991 views
WPA-PSK

Rainbow Tables can be used to crack the Pre-Shared Keys of WPA. The Church of WIFI (http://www.churchofwifi.org) and http://www.hak5.org have a torrent of Rainbow Tables that use ~1,000,000 words, for a total of approximately 40GB of hash tables for the top 1000 SSIDs.

Download the Rainbow Tables

http://www.renderlab.net/projects/WPA-tables/

http://rainbowtables.shmoo.com/

http://www.freerainbowtables.com

You will need a torrent client as BackTrack 4 does not come with one. To install all you need to do is:

# apt-get install bittorrent

# btdownloadcurses --url http://rainbowtables.shmoo.com/95896A255A82D1FE8B6A2BFFC098B735058B30D7.torrent

Make sure you have at least 175GB of free disk space before you try this (37GB for the lzma file, 42GB for the tar file, 42GB for the individual files, and approximately 100MB for each import into the final database). Of course you can delete the lzma file once you have the tar file, and then delete the tar file once you have untarred the files and directories.

Airolib

To install the rainbow table in airolib for BackTrack 3 or BackTrack 4:

# lzma -d wpa_tables.tar.lzma

The decompression will take a while, depending on how fast your processor is.

# tar -xf wpa_tables.tar

Create database with Airolib

# airolib-ng dbname --import cowpatty /path/to/file/you/want/to/import

For example:

# airolib-ng dbname --import cowpatty /mnt/usb/wordlist/wpa_psk-h1kari_renderman/xaa-0/2WIRE044


You will see:

Reading header...

Reading...

Updating references...

Writing...


# airolib-ng dbname --stats

There are 1 ESSIDs and 995759 passwords in the database. 995759 out of 995759 possible combinations have been computed (100%).

ESSID Priority Done

2WIRE044 64 100.0


Now the odds of your SSID being in this database are probably not good. You can check the SSID.txt file that came with the torrent for your SSID. If your SSID is not in the database you can add it. To add an SSID you need to create a text file that has all of the SSIDs you want to add, because Airolib won't accept an SSID from the command line. Then you import the file:

# airolib-ng dbname --import essid newssid.txt

Reading file...

Writing...

Done.

# cat newssid.txt

Test1

Test2

Test3

# airolib-ng dbname --stats


There are 5 ESSIDs and 995759 passwords in the database. 1991518 out of 4978795 possible combinations have been computed (40%).

ESSID Priority Done

2WIRE044 64 100.0

2WIRE047 64 100.0

Test1 64 0.0

Test2 64 0.0

Test3 64 0.0


Finally start batch processing to compute the hashes for the new SSIDs.

# airolib-ng dbname --batch

This will take a long time depending on your processor speed. The nice thing is once it is done the table can be used over and over thus speeding up future attacks. To use the rainbow table do:

# aircrack-ng -r dbname wpa.cap
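The tables are tied to an ESSID because the WPA-PSK master key is PBKDF2-HMAC-SHA1 over the passphrase with the ESSID as the salt, which is why the newly added SSIDs start at 0.0 and have to be batch-computed. The Python below is an added example, not part of the original tutorial; the `shared_pmks` and `audit` helpers and the sample word list are assumptions made for illustration, and it checks whether your own network's ESSID and passphrase fall inside a precomputed set.

```python
import hashlib

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, the ESSID is the salt."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    salt = ssid.encode()
    if not 1 <= len(salt) <= 32:
        raise ValueError("ESSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), salt, 4096, 32)

def shared_pmks(ssid_a: str, ssid_b: str, words) -> int:
    """Count PMKs that a table computed for ssid_a could reuse for ssid_b."""
    table_a = {wpa_pmk(w, ssid_a) for w in words}
    return sum(wpa_pmk(w, ssid_b) in table_a for w in words)

def audit(ssid: str, passphrase: str, table_ssids, table_words) -> list:
    """Findings for your own network against a precomputed table set."""
    findings = []
    ssid_hit = ssid in table_ssids          # ESSIDs are case-sensitive
    word_hit = passphrase in table_words
    if ssid_hit:
        findings.append("essid-in-table")
    if word_hit:
        findings.append("passphrase-in-wordlist")
    if ssid_hit and word_hit:
        findings.append("pmk-already-precomputed")
    return findings

# Constructed sample data: ESSIDs taken from this page, words made up.
TABLE_SSIDS = {"2WIRE044", "2WIRE047", "linksys"}
TABLE_WORDS = {"password", "letmein123", "sunshine1"}

if __name__ == "__main__":
    print(wpa_pmk("password", "IEEE").hex())          # IEEE 802.11i test vector
    print(shared_pmks("linksys", "Test1", TABLE_WORDS))
    print(audit("linksys", "password", TABLE_SSIDS, TABLE_WORDS))
    print(audit("Test1", "password", TABLE_SSIDS, TABLE_WORDS))
```

An ESSID that is not on the table's list, combined with a passphrase that is not in any word list, returns no findings.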

Pyrit

Pyrit is a GPU-aware Rainbow Table generator geared specifically for WPA-PSK and WPA2-PSK password testing. Pureh@te has the definitive guide available at http://www.backtrack-linux.org/documents/BACKTRACK_CUDA_v2.0.pdf

Distributed Password cracking

You can have a very fast computer, but it is no match for 10 computers working on the problem. That is distributed processing. Each node in the cluster gets to work on a small part of the problem. There is a central node or server to coordinate the work.

John the Ripper

The Openwall wiki http://openwall.info/wiki/john/parallelization has a great article on the various attempts to add distributed processing capabilities to John the Ripper.

Medussa (not a typo this is not Medusa)

There is some well written documentation on how to compile and use Medussa at http://www.krazyworks.com/distributed-password-cracking-with-medussa/ . It appears that Medussa hasn't seen any updates since 2004 but still appears to work fine. BackTrack 4 doesn't ship with gmp so you must do:

# apt-get install libgmp3-dev

This will download the missing dependency and its dependencies. Gmp is required to do high precision math. It has nothing to do with gimp. Medussa supports unixcrypt. It also supports md5 (FreeBSD, Linux, Cisco) and sharaw. MD5 is slow and sharaw works on SHA1 with no salting.

Using a GPU

CUDA is an acronym for Compute Unified Device Architecture. NVIDIA developed CUDA as a parallel computing architecture which allows users to use their graphics card (if supported by CUDA) to process data instead of their CPUs. ATI also has hardware and software that you can use to accelerate your nongraphical applications. ATI's solution is called Stream.

CPUs are designed for general purpose number crunching. As encryption has become more commonplace, Intel and AMD have added instructions to their processors to make certain algorithms perform faster. Intel has added 6 instructions to some of their processors in an effort to increase the speed of AES encryption and decryption. There are also 2 instructions for AES key expansion. These instructions, once used by software, will increase the speed of cracking of AES. However these instructions pale in comparison to a graphics card. A graphics card does nothing but compute large numbers and that is basically all encryption is, the computing of large prime numbers.

Cuda - Nvidia

The definitive guide was written by pureh@te and can be downloaded from http://www.backtrack-linux.org/documents/BACKTRACK_CUDA_v2.0.pdf. As the title says, CUDA is supported on NVIDIA cards. It is possible to run CUDA applications on ATI cards; however, the results have been disappointing. If you have an ATI card, see the next section. BackTrack 4 has several CUDA-enabled applications. Pyrit is probably the most used.

Source: http://www.airdemon.net/wordlists3.html
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

First I obtained the 33 gig rainbow table from renderlab.net/projects/WPA-tables

A 7 gig table is also available, but I opted for the larger table; it took me 4 days.

Please keep in mind while doing all this decompression that this is a 33 gig file, so you need a lot of space. I hope you are working with a 250 gig hard drive like I am.

When the file is downloaded you get wpa_psk-h1kari_renderman.tar.lzma. First you have to extract the .lzma portion; I used the 7zip SDK version on Windows.

After downloading the 7zip lzma version I put it in the C:/ root directory, then pull up a DOS prompt and cd to your 7zip lzma folder.

lzma.exe d "folder of the wpa_psk-h1kari_renderman.tar.lzma file"

After the file has been decompressed you will be left with
wpa_psk-h1kari_renderman.tar


Now you have to decompress the .tar. You can do this on your Linux box, but I did mine on my Windows box with PeaZip.

I opened PeaZip and extracted the .tar; at the end of the extraction you will have 9 folders. These folders contain the pre-compiled hashes.

That was the hard part. Now all you have to do is know what ESSID you are looking for. I assume you are auditing your OWN NETWORK, because if you are not it is ILLEGAL; jail time is at the end of the road.

Now all you have to do is look in each folder; you will find a file.txt that lists the ESSIDs associated with that folder.


So, first:


airolib-ng "(testdb) <-- Database to be created" init


airolib-ng testdb import cowpatty " the essid file in the folder you want"

ex: airolib-ng testdb import cowpatty /mnt/sdb1/psk/ae-0/linksys


You will then get reading and writing to DB.


Now do a

airolib-ng testdb stats


You should see your ESSID of choice and computed 100%.

Send me a message if you need any help.       