WPA / WPA2 PSK Rainbow Tables (n * 4GB) (OUTDATED!)

Aircloud-ng online app: https://aircloud-ng.me

A while ago I’ve decided that I will create pre-computed hash dictionary to myself saving my expensive time while pentesting poorly-secured networks. What is it, and why is it good? Short version: For pre-defined SSID networks you can create a custom dictionary file which has the passphrases inside, but hashed. Why? Because this can speed up the obtain process of the “lost” WPA/WPA2 key of your access point. By speed up I mean it’s much faster than the original, when using a sinlge plain-texted dictionary for various SSID handshakes.

(More about it: http://wirelessdefence.org/Contents/coWPAttyMain.htm)

These hash files are still “under construction”, but once I’ve finished them I am going to publish each of them. These contain (wait for it…) 100 million passphrases (it’s only an 8 digit number for the top SSID names of the world, but still!) and each file will be approximately 4GB large.

For example:

00000000  //line no. 1
00000001  //line no. 2

22439863  //line no. 22.439.864

99999999  //line no. 100.000.000

It takes an awful lot of time to precompute one (since genpmk is a single-threaded program which can not use multi cores. Yes, it’s really slow (takes around two weeks to create only ONE file!))

And why 8 digits of passphrases? We all know how lazy most people are, and that they do not even care enough about security nowadays. So if WPAx requires at least 8 characters long password, they will use EXACTLY 8 characters long password. Not in all cases, but in most of them. Thats’s why penetration testers are here. As I mentioned testing these hash files are only for pre-defined SSID names, so our main target in this case are the weak-setup links. For example a linksys access point with 8 characters long password, which FORTUNATELY contains of only number.

While a 4×2 cores CPU with 24G of RAM crack this linksys AP with 3000 passphrases / sec, with pre-calculated hashes this speed can be increase to 200.000 pass / sec. Yeah, there is very little difference right? We can pretty much see the advantages of the PMK’s now.

List (based on this):

  • Internet

  • Ziggo

  • workgroup

  • test


  In progress ↓

  • null
SSID / Download link dropbox depositfiles torrent screenshot sample capture
  • Belkin54g
  • dlink
  • linksys
  • smc
  • 3Com
  • ZyXEL
  • home
  • default
  • hpsetup
  • wireless
  • network
  • WLAN
  • WiFi
  • ASUS
  • D-LINK
  • Office
  • belkin
  • blank
  • Cisco
  • linksys
9 digit num 1 bill pass 40GB size 32GB compressed curr state: 100%
  • orange
  • Guest
  • eurospot
  • arescom
  • 101
NEW! ↓
  • Gateway
  • Motorola
  • SpeedStream
  • tsunami

The password for each archive is nodeGun_8

Feel free to use it, copy it, distribute it, modify it and whatever you want to do with them. You can find my E-mail address in the About page in case there are any questions or requests.

38 comments so far

  1. Vector on

    Maybe you should create BitTorrent files or magnets for faster distribution? Just an idea.

  2. jameslovecomputers on

    Reblogged this on Connection Reset By Peer and commented:
    For those who have are having problems downloading the 33gb file. Our kind friend over at nodegun.wordpress.com has kindly shared his methods and dictionaries. Informative.

  3. jameslovecomputers on

    Thanks for the effort, appreciate it. :)

  4. Vector on

    You added torrents. Nice.

    I wouldn’t bother with the eduroam ESSID though, as it is a RADIUS-based system for universities and such. No luck there.

  5. Vector on

    The second suggestion is “blank”.

  6. Django on

    Do I need to rename *.pmk to *.txt in order to get it recognized as a wordlist by Cowpatty?

  7. Guido on

    If you need help generating the RT, you can email me

  8. zyklon87 on

    Thanks for these rainbow tables, I would suggest you to use mega.co.nz to host these files, dropbox has disabled your account, as a lot of traffic generated by your account, they suck 1

  9. enaama on

    lecteur pmk not found ??????????? help

    • enaama on

      output file de pmk NETGEAR

  10. ez on

    essid request ‘Internet’ – ~50M huawei ADSL wifi modems around the world :)

  11. Mario on

    Salve…io mi ritrovo con un file di estensione PMK che devo fare lo devo estrarre? se si con quale programma? oppure lo devo usare con cowpatty con questa estensione? fatemi sapere grazie :)

  12. titan on

    thanks great jobs
    i am expecting A to F 0 to 9 table 8 lenth
    example ( A2DF012C)

  13. Mario on

    Hello … I’m left with a file extension PMK I have to do I have to pull out? if you with what program? or do I use it with coWPAtty with this extension? let me know thanks

    • gabekonstantin on

      you do not need to rename the files

      • Mario on

        I have not renamed the file …. I want to know HOW TO USE the file SITECOM8digitNumbers.PMK

  14. gabekonstantin on

    Here you can see examples:
    just use your own hash and pcap file.

  15. bberezovsky on

    Some of those files are 4gb and cowpatty (running on a 32bit processor) has a file size limit of 2gb :( How do you split those files in 2 or three parts ?

    Thanks !

    • gabekonstantin on

      Better get an 64 bit OS to run cowpatty.

    • moa on

      from pyrit bugtracker:
      “For the moment you can use piping to circumvent this problem
      ‘cat bigfile.cow | cowpatty -d – -r whatever.cap -s whatever’ “

  16. randomike43 on

    hello and respect!!!
    nice job.
    i have a question
    can i use the same table for ‘SMC’ and ‘smc’??


    • rikas on

      no same word only i meen simpol [simpol] smc smc…………thanks

  17. randomike43 on

    another question:)
    you use a 100Million Passphrase Dictionary.
    can you post it ? by the way – i can make some other tables with diffrent ssids!

    e.g. dd-wrt

    thx in advance!!

    • rikas on

      cracking same ssid ok,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

  18. iNTRUDER on

    nice work .
    can you please help me create rainbow table for my ssid lists.
    i would thankfully love to learn create rainbow table on my own.
    thanks in advance.

  19. sandip on

    torrent and dropbok link not working…is there any other way to download the files.

  20. thedeadhand on

    If you could give us your password list we could add to your work.

  21. lionking8600 on

    it requires a password, what is it?

    • lol on

      You have the read the post, havent you ? BTW torrent trackers are down

  22. lol on

    btw this is pretty useless – checking a 8 digit pass with oclHashcat is just few minutes, if you have decent gpu (gtx970/980)

  23. martin on

    you may want to use pyrit… instead of cowpatty and then if needed u can export it to cowpatty, but GPU will save you so much time, can u do something with the Movistar_ (client phonenumber)
    as far i know its a 11 digit but my pc ven really good, will took me … 2-3 motnh to compile it … im open to any sugestion im batching all result now 3 days im only 4.5% :(
    would like to work out with someon,e, can open my port and work all togheter

  24. matin150 on

    essid request “Uday”‘baburao’ “AgencyDigiNG””JAQUAR_BSNL”(keyspace=8to10 “alphanumericsymbols”) please!!!!!
    Thanks in advance

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

%d bloggers like this: