coWPAtty - Brute-force dictionary attack against WPA-PSK. Copyright(c) 2004-2005, Joshua Wright $Id: README,v 4.0 2006-07-28 12:23:48 jwright Exp $ -------------------------------------------------------------------------------- INTRO Right off the bat, this code isn't very useful. The PBKDF2 function makes 4096 SHA-1 passes for each passphrase, which takes quite a bit of time. On my Pentium II development system, I'm getting ~4 passphrases/second. The SHA-1 code I'm using has been optimized to the best of my ability (which isn't saying that much), but I doubt if it would be possible to optimize it such that the tool experiences an exponential performance increase. However, if you are auditing WPA-PSK or WPA2-PSK networks, you can use this tool to identify weak passphrases that were used to generate the PMK. Supply a libpcap capture file that includes the 4-way handshake, a dictionary file of passphrases to guess with, and the SSID for the network: $ ./cowpatty -r eap-test.dump -f dict -s somethingclever cowpatty 4.0 - WPA-PSK dictionary attack. Collected all necessary data to mount crack against WPA/PSK passphrase. Starting dictionary attack. Please be patient. The PSK is "family movie night". 4087 passphrases tested in 59.05 seconds: 69.22 passphrases/second $ The files "dict" and "eap-test.dump" are included with this distribution for testing purposes. If your SSID has spaces or other non-ASCII characters, enclose it in quotes so the shell doesn't interpret it as multiple parameters. This tool can also accept dictionary words from STDIN, allowing us to utilize a tool such as John the Ripper to create lots of word permutations from a dictionary file: $ john -wordfile:dictfile -rules -session:johnrestore.dat -stdout:63 | \ cowpatty -r eap-test.dump -f - -s somethingclever In the default configuration of John the Ripper, common permutations of dictionary words will be sent as potential passwords to coWPAtty. For example, here is a list of the words John will create from the input word "password": jwright@mercury:~$ echo password >word jwright@mercury:~$ john -session:/tmp/delme -wordfile:word -rules -stdout password Password passwords password1 Password1 drowssap 1password PASSWORD password2 password! password3 password7 password9 password5 password4 password8 password6 password0 password. password? psswrd drowssaP Drowssap passworD 2password 4password Password2 Password! Password3 Password9 Password5 Password7 Password4 Password6 Password8 Password. Password? Password0 3password 7password 9password 5password 6password 8password Passwords passworded passwording Passworded Passwording words: 49 time: 0:00:00:00 100% w/s: 49.00 current: Passwording jwright@mercury:~$ John the Ripper is available at http://www.openwall.com/john/. Note that it is also possible to mount a precomputed attack against the PSK. The PBKDF2 algorithm used to generate the PMK takes two non-fixed inputs: the passphrase and the network SSID. For a given SSID, we can precompute all the PMK's from a dictionary file with the "genpmk" tool: $ ./genpmk genpmk 1.0 - WPA-PSK precomputation attack. genpmk: Must specify a dictionary file with -f Usage: genpmk [options] -f Dictionary file -d Output hash file -s Network SSID -h Print this help information and exit -v Print verbose information (more -v for more verbosity) -V Print program version and exit After precomputing the hash file, run cowpatty with the -d argument. $ ./genpmk -f dict -d hashfile -s somethingclever genpmk 1.0 - WPA-PSK dictionary attack. File hashfile does not exist, creating. 4090 passphrases tested in 322.79 seconds: 12.67 passphrases/second $ Once the hashfile is created with the PMK's, we can use it with cowpatty: $ ./cowpatty -r eap-test.dump -d hashfile -s somethingclever cowpatty 3.1 - WPA-PSK dictionary attack. Collected all necessary data to mount crack against WPA/PSK passphrase. Starting dictionary attack. Please be patient. The PSK is family movie night". 4087 passphrases tested in 0.21 seconds: 19096.17 passphrases/second $ The attack isn't accelerated dramatically with the precomputation attack since we still have to spend the time precomputing the PMK with the genpmk utility, but we only have to do this once for each SSID. This allows us to precompute hash files with common SSID's such as "linksys" and "tsunami". If you spend the time precomputing big dictionaries, please drop me a copy. REFERENCE See Robert Moskowitz's paper "Weakness in Passphrase Choice in WPA Interface" for more information on WPA-PSK attacks at http://wifinetnews.com/archives/002452.html. THANKS My sincere thanks to dragorn for merging in the assembly SHA1 code, and to Randy Chou for advice on optimizing the pbkdf2 function. Also thanks to renderman for the inspiration to add the precomputation code. Thanks to h1kari and beetle for their respective foo. QUESTIONS, COMMENTS, CONCERNS Please contact jwright@hasborg.com with any questions, comments or concerns. My PGP key is located at http://802.11ninja.net/pgpkey.html.