python - wpa-handshake with python - 散列困难

Question

我尝试编写一个 Python 程序来计算 WPA 握手，但我在哈希方面遇到了问题。为了比较，我安装了 cowpatty (看看我从哪里开始出错)。

我的 PMK 生成工作正常，但 PTK 计算似乎总是错误的。我不确定我是否必须格式化我的输入(macadresses 和 noces) 或只是将它们作为字符串提供给函数。

我会给你我的路由器信息，这没问题，因为我只是为了测试而设置的。

我的程序如下所示:

import hmac,hashlib,binascii

passPhrase  = "10zZz10ZZzZ"
ssid        = "Netgear 2/158" 
A           = "Pairwise key expansion" 
APmac       = "001e2ae0bdd0"
Clientmac   = "cc08e0620bc8"
ANonce      = "61c9a3f5cdcdf5fae5fd760836b8008c863aa2317022c7a202434554fb38452b"
SNonce      = "60eff10088077f8b03a0e2fc2fc37e1fe1f30f9f7cfbcfb2826f26f3379c4318"
B           = min(APmac,Clientmac)+max(APmac,Clientmac)+min(ANonce,SNonce)+max(ANonce,SNonce)
data="0103005ffe010900200000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"

def customPRF512(key,A,B):
    blen = 64
    i    = 0
    R    = ''
    while i<=((blen*8+159)/160):
        hmacsha1 = hmac.new(key,A+chr(0x00)+B+chr(i),sha)
        i+=1
        R = R+hmacsha1.digest()
    return R[:blen]


pmk = pbkdf2(passPhrase, ssid, 4096, 32) #no sourcecode, since b2a_p(pmk) output fits to those of cowpatty

ptk = customPRF512(pmk,A,B) #the prf-function fits the pseudocode in the ieee, but does not give me the correct output (like cowpatty does)
# and i have no idea why :(

print b2a_p(pmk),"\n\n\n"
print b2a_p(ptk),"\n\n\n"

mic1 = hmac.new(ptk[0:16],data)
print mic1.hexdigest() #should be the mic-calculation, not sure if this is correct...

所需的输出(cowpatty 确认)是:

PMK is
 01b8 09f9 ab2f b5dc 4798 4f52 fb2d 112e
 13d8 4ccb 6b86 d4a7 193e c529 9f85 1c48

Calculated PTK for "10zZz10ZZzZ" is
 bf49 a95f 0494 f444 2716 2f38 696e f8b6 
 428b cf8b a3c6 f0d7 245a d314 a14c 0d18
 efd6 38aa e653 c908 a7ab c648 0a7f 4068
 2479 c970 8aaa abc3 eb7e da28 9d06 d535

Calculated MIC with "10zZz10ZZzZ" is
 4528 2522 bc67 07d6 a70a 0317 a3ed 48f0

也许你们中有人可以告诉我，为什么我的程序根本不起作用。 hmac 函数是否正常工作？我的输入格式错误吗？我必须在任何地方考虑字节顺序吗？感谢您提前抽出时间，如有任何帮助，我将不胜感激!

Answer 1

好吧，我自己弄明白了……更多的是通过绝望的测试和一些运气，而不是成功的研究，这导致没有足够长的时间。我没有使用 MAC 地址和随机数作为字符串，而是不得不解开它们。我用过

a2b_hex() #alternatively unhexlify()

我的最终代码看起来有点像这样，不包括 defs:

import hmac,hashlib,binascii
passPhrase="10zZz10ZZzZ"
ssid        = "Netgear 2/158"
A           = "Pairwise key expansion"
APmac       = a2b_hex("001e2ae0bdd0")
Clientmac   = a2b_hex("cc08e0620bc8")
ANonce      = a2b_hex("61c9a3f5cdcdf5fae5fd760836b8008c863aa2317022c7a202434554fb38452b")
SNonce      = a2b_hex("60eff10088077f8b03a0e2fc2fc37e1fe1f30f9f7cfbcfb2826f26f3379c4318")
B           = min(APmac,Clientmac)+max(APmac,Clientmac)+min(ANonce,SNonce)+max(ANonce,SNonce)
data        = a2b_hex("0103005ffe01090020000000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000")

pmk     = pbkdf2(passPhrase, ssid, 4096, 32) 
ptk     = customPRF512(pmk,A,B)
mic     = hmac.new(ptk[0:16],data)

print "desiredpmk:\t","01b809f9ab2fb5dc47984f52fb2d112e13d84ccb6b86d4a7193ec5299f851c48"
print "pmk:\t\t",b2a_hex(pmk),"\n"
print "desired ptk:\t","bf49a95f0494f44427162f38696ef8b6"
print "ptk:\t\t",b2a_hex(ptk[0:16]),"\n"
print "desired mic:\t","45282522bc6707d6a70a0317a3ed48f0"
print "mic:\t\t",mic.hexdigest(),"\n"

所以我的问题的答案是:是的，哈希函数工作正常，是的，输入格式错误，不，没有字节顺序问题。