WPA / WPA2 PSK Rainbow Tables (n * 4GB)

A while ago I decided to create a pre-computed hash dictionary for myself, to save my expensive time while pentesting poorly-secured networks. What is it, and why is it good? Short version: for networks with pre-defined SSIDs you can create a custom dictionary file that holds the passphrases already hashed. Why? Because this speeds up the process of obtaining the “lost” WPA/WPA2 key of your access point. By speed up I mean it is much faster than the original approach of using a single plain-text dictionary against handshakes from various SSIDs.

(More about it: http://wirelessdefence.org/Contents/coWPAttyMain.htm)

These hash files are still “under construction”, but once I’ve finished them I am going to publish each of them. They contain (wait for it…) 100 million passphrases (only the 8-digit numbers, for the top SSID names of the world, but still!) and each file will be approximately 4GB large.

For example:

00000000  //line no. 1
00000001  //line no. 2

22439863  //line no. 22.439.864

99999999  //line no. 100.000.000

It takes an awful lot of time to precompute one, since genpmk is a single-threaded program that cannot use multiple cores. Yes, it’s really slow (it takes around two weeks to create only ONE file!).

And why 8-digit passphrases? We all know how lazy most people are, and that they do not care enough about security nowadays. So if WPAx requires a password at least 8 characters long, they will use a password EXACTLY 8 characters long. Not in all cases, but in most of them. That’s why penetration testers are here. As I mentioned, these hash files only work for pre-defined SSID names, so our main targets in this case are the weakly set-up links. For example, a linksys access point with an 8-character password which FORTUNATELY consists only of numbers.

While a 4×2-core CPU with 24G of RAM cracks this linksys AP at 3000 passphrases / sec, with pre-calculated hashes this speed can be increased to 200.000 passphrases / sec. Yeah, there is very little difference, right? We can pretty much see the advantages of the PMKs now.
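The PMK stored in such a hash file is defined by IEEE 802.11i as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, which is why each file serves exactly one SSID. The following is an added example, not the author's code or part of genpmk/coWPAtty: it derives a PMK, works out the time to exhaust the 8-digit space at the two rates quoted above, and checks whether a configuration falls inside the precomputed space. The function names, the SSID subset and the audit inputs are constructed for illustration.

```python
import hashlib
import re

# Subset of the SSID names listed on this page (exact spelling and case).
PRECOMPUTED_SSIDS = {"linksys", "dlink", "D-LINK", "NETGEAR", "belkin", "smc"}


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK per IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def exposed_to_table(ssid: str, passphrase: str) -> bool:
    """True when the pair lies inside the precomputed space described above:
    a listed SSID (byte-for-byte match) and a passphrase of exactly 8 digits."""
    return ssid in PRECOMPUTED_SSIDS and re.fullmatch(r"[0-9]{8}", passphrase) is not None


def seconds_to_exhaust(keyspace: int, rate_per_sec: int) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / rate_per_sec


if __name__ == "__main__":
    # The SSID is the salt, so the same passphrase gives unrelated PMKs for
    # "smc" and "SMC"; one table never covers two SSIDs.
    for ssid in ("smc", "SMC"):
        print(f"{ssid:8} {wpa_pmk('22439863', ssid).hex()}")

    keyspace = 10 ** 8  # 00000000 .. 99999999
    print(f"live PBKDF2 at 3000/s   : {seconds_to_exhaust(keyspace, 3_000) / 3600:.1f} h")
    print(f"table lookup at 200000/s: {seconds_to_exhaust(keyspace, 200_000):.0f} s")

    # Constructed audit inputs: only the first is covered by such a table.
    for ssid, pw in [("linksys", "22439863"),
                     ("Linksys-7f3a", "22439863"),
                     ("linksys", "4f-Rusty-Kettle-Drum")]:
        print(f"{ssid!r:16} {pw!r:24} exposed={exposed_to_table(ssid, pw)}")
```

A unique SSID takes a network out of the table's reach, but an 8-digit passphrase still falls to a live run at the slower rate; only a passphrase outside that space addresses both.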

List (based on this):

SSID / Download link (dropbox, depositfiles, torrent, screenshot, sample capture)
  • Belkin54g
  • dlink
  • linksys
  • smc
  • NETGEAR
  • 3Com
  • ZyXEL
  • home
  • default
  • TP-LINK
  • hpsetup
  • wireless
  • GIGABYTE
  • network
  • WLAN
  • WiFi
  • ASUS
  • D-LINK
  • Office
  • belkin
  • blank
  • Cisco
  • linksys (9-digit numbers, 1 billion passphrases, 40GB size, 32GB compressed, current state: 100%)
  • SITECOM
  • orange
  • Guest
  • eurospot
  • arescom
  • 101
  • NEW! ↓
  • Gateway
  • Motorola
  • SpeedStream
  • tsunami
  • Internet
  • Ziggo
  • workgroup
  • test
  • ACTIONTEC
  • In progress ↓
  • null

The password for each archive is nodeGun_8.

    Feel free to use it, copy it, distribute it, modify it and whatever you want to do with them. You can find my E-mail address in the About page in case there are any questions or requests.

    PS: donate to me with a referred dropbox registration (http://db.tt/XDrKMvS8), so I can gain more and more space and keep uploading these pesky huge files :)

    (You have to install the dropbox application as well to make it work!)


    28 comments so far

    1. Vector on

      Maybe you should create BitTorrent files or magnets for faster distribution? Just an idea.

    2. jameslovecomputers on

      Reblogged this on Connection Reset By Peer and commented:
      For those who are having problems downloading the 33gb file. Our kind friend over at nodegun.wordpress.com has kindly shared his methods and dictionaries. Informative.

    3. jameslovecomputers on

      Thanks for the effort, appreciate it. :)

    4. Vector on

      You added torrents. Nice.

      I wouldn’t bother with the eduroam ESSID though, as it is a RADIUS-based system for universities and such. No luck there.

    5. Vector on

      The second suggestion is “blank”.

    6. Django on

      Do I need to rename *.pmk to *.txt in order to get it recognized as a wordlist by Cowpatty?

    7. Guido on

      If you need help generating the RT, you can email me

    8. zyklon87 on

      Thanks for these rainbow tables, I would suggest you use mega.co.nz to host these files, dropbox has disabled your account, as a lot of traffic was generated by your account, they suck

    9. enaama on

      pmk reader not found ??????????? help

      • enaama on

        pmk output file for NETGEAR

    10. ez on

      essid request ‘Internet’ – ~50M huawei ADSL wifi modems around the world :)

    11. Mario on

      Hello… I have ended up with a file with the PMK extension, what should I do, do I have to extract it? If so, with which program? Or should I use it with cowpatty with this extension? Let me know, thanks :)

    12. titan on

      thanks great jobs
      i am expecting A to F 0 to 9 table 8 length
      example ( A2DF012C)

    13. Mario on

      Hello … I’m left with a file with the PMK extension. What do I have to do, do I have to extract it? If so, with what program? Or do I use it with coWPAtty with this extension? Let me know, thanks

      • gabekonstantin on

        you do not need to rename the files

        • Mario on

          I have not renamed the file …. I want to know HOW TO USE the file SITECOM8digitNumbers.PMK

    14. gabekonstantin on

      Here you can see examples:
      http://wirelessdefence.org/Contents/coWPAttyMain.htm
      just use your own hash and pcap file.

    15. bberezovsky on

      Some of those files are 4gb and cowpatty (running on a 32bit processor) has a file size limit of 2gb :( How do you split those files in 2 or three parts ?

      Thanks !

      • gabekonstantin on

        Hey,
        Better get a 64-bit OS to run cowpatty.

      • moa on

        from pyrit bugtracker:
        “For the moment you can use piping to circumvent this problem
        ‘cat bigfile.cow | cowpatty -d - -r whatever.cap -s whatever’ “

    16. randomike43 on

      hello and respect!!!
      nice job.
      i have a question
      can i use the same table for ‘SMC’ and ‘smc’??

      thanks!

    17. randomike43 on

      another question:)
      you use a 100Million Passphrase Dictionary.
      can you post it ? by the way – i can make some other tables with different ssids!

      e.g. dd-wrt

      thx in advance!!

