4-Way Handshake confusion
#3
Wow I never knew WPA2 used HMAC. I thought it was just a simple hash.

Still confused though.

Quote:There is a final HMAC transformation which uses MD5 in WPA1 and SHA1 in WPA2 (it's the only difference between them). This time the key is the result of the 4096 iteration (truncated) and the data is all the stuff from above you already mentioned.

What I'm getting so far is that there is an initial HMAC operation where the PMK is the key and the ESSID the data.

And another one where the previous result is used as a key and the hashed PTK as the data.

Meaning that since the hashed PTK is known (handshake capture), the key has to be guessed.

Which still begs the question: how are rainbow tables generated? The result of HMAC is a hash and, AFAIK, the PTK is different each time a handshake occurs, which makes the final hash different each time a handshake occurs.

Having never used rainbow tables to crack WPA2 before, it's starting to sound like they're just used to speed up the cracking process slightly.
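Added example, not code from the thread: the WPA2 key hierarchy written out in Python so the two HMAC stages the post describes can be seen separately. It shows why a precomputed table is tied to one SSID: the PMK depends only on passphrase and SSID, while the PTK and the EAPOL MIC change with every handshake because the nonces change. Passphrase, SSID, MAC addresses, nonces and the EAPOL frame below are all constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Stage 1 (IEEE 802.11i): PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit PMK.
    Depends only on (passphrase, ssid), so it can be precomputed per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]

def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Stage 2: PTK = PRF-512(PMK, "Pairwise key expansion", MACs || nonces).
    min/max ordering lets both sides build identical input."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (CCMP) MIC: HMAC-SHA1 keyed with KCK = PTK[0:16], truncated to 16 bytes.
    WPA1 (TKIP) uses HMAC-MD5 here instead. The frame has its MIC field zeroed."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

def demo():
    """Derive one PMK, then MICs for two handshakes that differ only in ANonce."""
    passphrase, ssid = "correct horse battery", "ExampleNet"       # constructed
    aa = bytes.fromhex("001122334455")                                # constructed AP MAC
    spa = bytes.fromhex("66778899aabb")                               # constructed STA MAC
    frame = bytes(99)                      # constructed stand-in for EAPOL message 2
    snonce = bytes(range(32))                                         # constructed
    pmk = pmk_from_passphrase(passphrase, ssid)
    mics = []
    for anonce in (bytes(32), bytes([1]) * 32):                       # two handshakes
        ptk = ptk_from_pmk(pmk, aa, spa, anonce, snonce)
        mics.append(eapol_mic(ptk[:16], frame))
    return pmk, mics

if __name__ == "__main__":
    pmk, mics = demo()
    print("PMK (fixed per SSID):", pmk.hex())
    print("MIC handshake 1:", mics[0].hex())
    print("MIC handshake 2:", mics[1].hex())
```

The PMK line is identical on every run, which is what a per-SSID table stores; the two MIC lines differ because a fresh nonce goes into the second HMAC stage.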


Messages In This Thread
4-Way Handshake confusion - by qweasd - 11-09-2012, 11:46 PM
RE: 4-Way Handshake confusion - by atom - 11-10-2012, 10:22 AM
RE: 4-Way Handshake confusion - by qweasd - 11-11-2012, 04:48 AM
RE: 4-Way Handshake confusion - by pragmatic - 11-11-2012, 10:50 AM
RE: 4-Way Handshake confusion - by gat3way - 11-11-2012, 01:03 PM
RE: 4-Way Handshake confusion - by pragmatic - 11-12-2012, 08:37 AM
RE: 4-Way Handshake confusion - by NeonFlash - 11-14-2012, 05:48 AM
RE: 4-Way Handshake confusion - by qweasd - 11-14-2012, 07:07 AM
RE: 4-Way Handshake confusion - by NeonFlash - 11-14-2012, 07:47 AM
RE: 4-Way Handshake confusion - by qweasd - 11-14-2012, 10:32 AM
RE: 4-Way Handshake confusion - by NeonFlash - 11-14-2012, 10:47 AM
RE: 4-Way Handshake confusion - by epixoip - 11-14-2012, 01:49 PM