coWPAtty - Brute-force dictionary attack against WPA-PSK.
Copyright(c) 2004-2018 Joshua Wright <[email protected]>

--------------------------------------------------------------------------------

INTRO

Right off the bat, this code isn't very useful. The PBKDF2 function makes 4096
SHA-1 passes for each passphrase, which takes quite a bit of time. On my
Pentium II development system, I'm getting ~4 passphrases/second. The SHA-1 code
I'm using has been optimized to the best of my ability (which isn't saying that
much), but I doubt if it would be possible to optimize it such that the tool
experiences an exponential performance increase.

However, if you are auditing WPA-PSK or WPA2-PSK networks, you can use this tool
to identify weak passphrases that were used to generate the PMK. Supply a libpcap
capture file that includes the 4-way handshake, a dictionary file of passphrases
to guess with, and the SSID for the network:

    $ ./cowpatty -r eap-test.dump -f dict -s somethingclever
    cowpatty 4.0 - WPA-PSK dictionary attack. <[email protected]>

    Collected all necessary data to mount crack against WPA/PSK passphrase.
    Starting dictionary attack.  Please be patient.
    The PSK is "family movie night".

    4087 passphrases tested in 59.05 seconds:  69.22 passphrases/second
    $

The files "dict" and "eap-test.dump" are included with this distribution for
testing purposes.

If your SSID has spaces or other special characters, enclose it in quotes so the
shell doesn't interpret it as multiple parameters.

This tool can also accept dictionary words from STDIN, allowing us to utilize a
tool such as John the Ripper to create lots of word permutations from a
dictionary file:

    $ john -wordfile:dictfile -rules -session:johnrestore.dat -stdout:63 | \
      cowpatty -r eap-test.dump -f - -s somethingclever

In the default configuration of John the Ripper, common permutations of
dictionary words will be sent as potential passwords to coWPAtty. For example,
here is a list of the words John will create from the input word "password":

    jwright@mercury:~$ echo password >word
    jwright@mercury:~$ john -session:/tmp/delme -wordfile:word -rules -stdout
    password
    Password
    passwords
    password1
    Password1
    drowssap
    1password
    PASSWORD
    password2
    password!
    password3
    password7
    password9
    password5
    password4
    password8
    password6
    password0
    password.
    password?
    psswrd
    drowssaP
    Drowssap
    passworD
    2password
    4password
    Password2
    Password!
    Password3
    Password9
    Password5
    Password7
    Password4
    Password6
    Password8
    Password.
    Password?
    Password0
    3password
    7password
    9password
    5password
    6password
    8password
    Passwords
    passworded
    passwording
    Passworded
    Passwording
    words: 49  time: 0:00:00:00 100%  w/s: 49.00  current: Passwording
    jwright@mercury:~$

John the Ripper is available at http://www.openwall.com/john/.

Note that it is also possible to mount a precomputed attack against the PSK. The
PBKDF2 algorithm used to generate the PMK takes two non-fixed inputs: the
passphrase and the network SSID. For a given SSID, we can precompute all the
PMKs from a dictionary file with the "genpmk" tool:

    $ ./genpmk
    genpmk 1.0 - WPA-PSK precomputation attack. <[email protected]>
    genpmk: Must specify a dictionary file with -f

    Usage: genpmk [options]

            -f      Dictionary file
            -d      Output hash file
            -s      Network SSID
            -h      Print this help information and exit
            -v      Print verbose information (more -v for more verbosity)
            -V      Print program version and exit

After precomputing the hash file, run cowpatty with the -d argument.

    $ ./genpmk -f dict -d hashfile -s somethingclever
    genpmk 1.0 - WPA-PSK dictionary attack. <[email protected]>
    File hashfile does not exist, creating.
    <snip>
    4090 passphrases tested in 322.79 seconds:  12.67 passphrases/second
    $

Once the hashfile is created with the PMKs, we can use it with cowpatty:

    $ ./cowpatty -r eap-test.dump -d hashfile -s somethingclever
    cowpatty 3.1 - WPA-PSK dictionary attack. <[email protected]>

    Collected all necessary data to mount crack against WPA/PSK passphrase.
    Starting dictionary attack.  Please be patient.
    The PSK is "family movie night".

    4087 passphrases tested in 0.21 seconds:  19096.17 passphrases/second
    $

The attack isn't accelerated dramatically with the precomputation attack since
we still have to spend the time precomputing the PMK with the genpmk utility,
but we only have to do this once for each SSID. This allows us to precompute
hash files with common SSIDs such as "linksys" and "tsunami". If you spend the
time precomputing big dictionaries, please drop me a copy.

REFERENCE

See Robert Moskowitz's paper "Weakness in Passphrase Choice in WPA Interface"
for more information on WPA-PSK attacks at
http://wifinetnews.com/archives/002452.html.

THANKS

My sincere thanks to dragorn for merging in the assembly SHA1 code, and to Randy
Chou for advice on optimizing the pbkdf2 function. Also thanks to renderman for
the inspiration to add the precomputation code. Thanks to h1kari and beetle for
their respective foo.

QUESTIONS, COMMENTS, CONCERNS

Please contact [email protected] with any questions, comments or concerns. My PGP
key is located at http://802.11ninja.net/pgpkey.html.
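As an added example (not part of coWPAtty or genpmk), the following Python derives the PMK exactly as the README describes it (PBKDF2 with 4096 SHA-1 passes over the passphrase, salted with the SSID) and turns the README's observations into a defender-side check: a precomputed table built for one SSID is useless against any other, so a network on a default SSID such as "linksys" or "tsunami" forfeits that protection. The throughput defaults are the figures quoted in the README; the default-SSID list and the `exposure_report` helper are this example's own assumptions.

```python
"""Added example, not part of coWPAtty: derive the WPA-PSK PMK as the README
describes (PBKDF2, 4096 SHA-1 passes, passphrase salted with the SSID) and show
why the SSID acts as a salt against genpmk-style precomputed tables."""
import hashlib

PBKDF2_ITERATIONS = 4096  # fixed by the WPA/WPA2-PSK specification
PMK_LEN = 32              # the PMK is 256 bits

# SSIDs the README singles out as worth precomputing tables for. Illustrative
# only (an assumption of this example); a real audit uses a full vendor list.
COMMON_DEFAULT_SSIDS = {"linksys", "tsunami"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def table_transfers(ssid_built_for: str, ssid_target: str, passphrase: str) -> bool:
    """A PMK table only helps against a network whose SSID matches the one it
    was built for; any other SSID yields an unrelated PMK for the same word."""
    return derive_pmk(passphrase, ssid_built_for) == derive_pmk(passphrase, ssid_target)


def exposure_report(ssid: str, dictionary_size: int,
                    live_rate: float = 69.22, table_rate: float = 19096.17) -> dict:
    """Defender-side estimate using the throughput figures quoted in the README.
    live_rate:  passphrases/second when every PMK is derived during the attack.
    table_rate: passphrases/second once a PMK table for this SSID already exists."""
    shared_table_risk = ssid in COMMON_DEFAULT_SSIDS
    # On a default SSID an attacker may already hold the table, so only the
    # cheap lookup remains; a unique SSID forces the 4096-round derivation
    # to be paid for every candidate passphrase.
    rate = table_rate if shared_table_risk else live_rate
    return {
        "ssid": ssid,
        "shared_table_risk": shared_table_risk,
        "seconds_to_exhaust": dictionary_size / rate,
    }


if __name__ == "__main__":
    # Published WPA test vector: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    print(exposure_report("linksys", 4087))
    print(exposure_report("somethingclever", 4087))
```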