
Wirelessdefence.org http://wirelessdefence.org/Contents/coWPAtty_win32.htm

5/23/2011 8:08 PM

coWPAtty for Windows

"coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." -
Joshua Wright.

Linux Project Homepage: http://www.willhackforsushi.com/Cowpatty.html


Local Mirror: Cowpatty-4.0-win32.zip MD5: aa9ead2aacfcc493da3684351425d4c6

coWPAtty Dictionary Attack

Precomputing WPA PMK to crack WPA PSK

coWPAtty Precomputed WPA Attack

coWPAtty Precomputed WPA2 Attack

coWPAtty Tables

coWPAtty Usage:

coWPAtty Dictionary Attack:

To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way
handshake, a dictionary file of passphrases to guess with and the SSID for the network.

In order to collect the four-way handshake you can either wait until a client joins the network or preferably you can force
it to rejoin the network using tools like void11 or aireplay and capture the handshakes using something like kismet,
ethereal or airodump.

cowpatty -f dict -r wpapsk-linksys.dump -s linksys


As you can see, this simple dictionary attack took 51 seconds. We can speed up this process by precomputing the WPA-PMK
to crack the WPA-PSK (see below).

wpapsk-linksys.dump is the capture containing the four-way handshake

dict is the password file

linksys is the network SSID

Precomputing WPA PMK to crack WPA PSK:

genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in
Windows LANMan attacks. There is a slight difference in WPA, however: the SSID of the network is used as well as
the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a
set for "linksys", a set for "tsunami", etc.

So to generate some hash files for a network using the SSID cuckoo we use:

genpmk -f dict -d linksys.hashfile -s linksys

dict is the password file

linksys.hashfile is our output file

linksys is the network ESSID
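
The per-SSID salting described above, as an added Python example that is not part of the original page or of coWPAtty: the PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), so the same passphrase yields a different PMK under every SSID. `table_exposure`, the sample SSIDs and the word list are hypothetical names and constructed data, used here to check whether a network's own SSID and passphrase fall inside a published table.

```python
import hashlib

# Constructed sample data (assumption, not the contents of any real table):
# SSIDs and words taken to be covered by a published precomputed table.
TABLE_SSIDS = {"linksys", "tsunami"}
TABLE_WORDS = {"password", "sunshine1"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("an SSID is 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)


def table_exposure(ssid, passphrase, table_ssids=TABLE_SSIDS, table_words=TABLE_WORDS):
    """Hypothetical helper: classify a PSK network against precomputed PMK tables."""
    ssid_hit = ssid in table_ssids        # SSIDs are case-sensitive, so exact match
    word_hit = passphrase in table_words
    if ssid_hit and word_hit:
        return "precomputed-lookup"       # the PMK already sits in a published table
    if word_hit:
        return "dictionary-only"          # needs a fresh PBKDF2 pass for this SSID
    return "not-in-wordlist"              # this word list does not contain the passphrase


def demo():
    """Same passphrase, two SSIDs: the salt makes the PMKs unrelated."""
    word = "sunshine1"
    unique_ssid = "Flat4-7f3a"            # constructed, non-default SSID
    return {
        "pmk_differs_per_ssid": derive_pmk(word, "linksys") != derive_pmk(word, unique_ssid),
        "default_ssid": table_exposure("linksys", word),
        "unique_ssid": table_exposure(unique_ssid, word),
        "unique_ssid_long_phrase": table_exposure(unique_ssid, "correct horse battery staple 42"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A default SSID combined with a word-list passphrase is the only case a precomputed table answers instantly; changing either one forces the slower per-SSID computation or defeats the word list entirely.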

coWPAtty Precomputed WPA Attack:

Now that we have created our hash file, we can use it against any WPA-PSK network that is utilising a network SSID of cuckoo.
Remember that the capture (wpa-test-01.cap) must contain the four-way handshake for the attack to be successful.

cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys

wpa-test-01.cap is the capture containing the four-way handshake

linksys.hashfile contains our precomputed hashes

linksys is the network ESSID


Notice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attack as opposed to 200 seconds with
standard dictionary attack mode, albeit you do need to pre-compute the hash files prior to the attack. However,
precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would be a sensible move for most penetration
testers.

coWPAtty Precomputed WPA2 Attack:

coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: The same hash file as was used with the WPA capture was
also used with the WPA2 capture.

cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys

wpa2psk-linksys.dump is the capture containing the four-way handshake

dict is the password file

linksys is the network SSID

coWPAtty Tables:

The Church of Wifi have produced some lookup tables for 1000 SSIDs computed against a 170,000 word password
file. The resultant tables are approximately 7 Gigabytes in size and can be downloaded via Torrent:

http://torrents.lostboxen.net/cowf-wpa-psk-hash-tables-with-cowpatty-4.0_2006-10-19

A 33 Gigabyte set of tables is also available: http://umbra.shmoo.com:6969/

Or you can buy them via DVD, direct from Renderman (initiator of the project): http://www.renderlab.net/projects/WPA-tables/

© Copyright 2010 Wirelessdefence.org. All Rights Reserved.