• Stars
    star
    179
  • Rank 214,039 (Top 5 %)
  • Language
    C
  • License
    BSD 3-Clause "New...
  • Created over 7 years ago
  • Updated about 6 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

coWPAtty: WPA2-PSK Cracking
coWPAtty - Brute-force dictionary attack against WPA-PSK.

Copyright(c) 2004-2018  Joshua Wright <[email protected]>

--------------------------------------------------------------------------------

INTRO

Right off the bat, this code isn't very useful.  The PBKDF2 function makes
4096 SHA-1 passes for each passphrase, which takes quite a bit of time.  On
my Pentium II development system, I'm getting ~4 passphrases/second.
The SHA-1 code I'm using has been optimized to the best of my ability (which
isn't saying that much), but I doubt if it would be possible to optimize it
such that the tool experiences an exponential performance increase.

However, if you are auditing WPA-PSK or WPA2-PSK networks, you can use
this tool to identify weak passphrases that were used to generate the
PMK.  Supply a libpcap capture file that includes the 4-way handshake, a
dictionary file of passphrases to guess with, and the SSID for the
network:

$ ./cowpatty -r eap-test.dump -f dict -s somethingclever
cowpatty 4.0 - WPA-PSK dictionary attack. <[email protected]>

Collected all necessary data to mount crack against WPA/PSK passphrase.
Starting dictionary attack.  Please be patient.

The PSK is "family movie night".

4087 passphrases tested in 59.05 seconds:  69.22 passphrases/second
$

The files "dict" and "eap-test.dump" are included with this distribution
for testing purposes.  If your SSID has spaces or other non-ASCII characters,
enclose it in quotes so the shell doesn't interpret it as multiple parameters.


This tool can also accept dictionary words from STDIN, allowing us to utilize
a tool such as John the Ripper to create lots of word permutations from a
dictionary file:

$ john -wordfile:dictfile -rules -session:johnrestore.dat -stdout:63 | \
   cowpatty -r eap-test.dump -f - -s somethingclever

In the default configuration of John the Ripper, common permutations of
dictionary words will be sent as potential passwords to coWPAtty.  For
example, here is a list of the words John will create from the input word
"password":

jwright@mercury:~$ echo password >word
jwright@mercury:~$ john -session:/tmp/delme -wordfile:word -rules -stdout
password
Password
passwords
password1
Password1
drowssap
1password
PASSWORD
password2
password!
password3
password7
password9
password5
password4
password8
password6
password0
password.
password?
psswrd
drowssaP
Drowssap
passworD
2password
4password
Password2
Password!
Password3
Password9
Password5
Password7
Password4
Password6
Password8
Password.
Password?
Password0
3password
7password
9password
5password
6password
8password
Passwords
passworded
passwording
Passworded
Passwording
words: 49  time: 0:00:00:00 100%  w/s: 49.00  current: Passwording
jwright@mercury:~$

John the Ripper is available at http://www.openwall.com/john/.


Note that it is also possible to mount a precomputed attack against the PSK.
The PBKDF2 algorithm used to generate the PMK takes two non-fixed inputs: the
passphrase and the network SSID.  For a given SSID, we can precompute all the
PMK's from a dictionary file with the "genpmk" tool:

$ ./genpmk
genpmk 1.0 - WPA-PSK precomputation attack. <[email protected]>
genpmk: Must specify a dictionary file with -f
Usage: genpmk [options]

	-f 	Dictionary file
	-d 	Output hash file
	-s 	Network SSID
	-h 	Print this help information and exit
	-v 	Print verbose information (more -v for more verbosity)
	-V 	Print program version and exit

After precomputing the hash file, run cowpatty with the -d argument.
$ ./genpmk -f dict -d hashfile -s somethingclever
genpmk 1.0 - WPA-PSK dictionary attack. <[email protected]>
File hashfile does not exist, creating.
<snip>

4090 passphrases tested in 322.79 seconds:  12.67 passphrases/second
$

Once the hashfile is created with the PMK's, we can use it with cowpatty:

$ ./cowpatty -r eap-test.dump -d hashfile -s somethingclever
cowpatty 3.1 - WPA-PSK dictionary attack. <[email protected]>

Collected all necessary data to mount crack against WPA/PSK passphrase.
Starting dictionary attack.  Please be patient.

The PSK is family movie night".

4087 passphrases tested in 0.21 seconds:  19096.17 passphrases/second
$


The attack isn't accelerated dramatically with the precomputation attack since
we still have to spend the time precomputing the PMK with the genpmk utility,
but we only have to do this once for each SSID.  This allows us to precompute
hash files with common SSID's such as "linksys" and "tsunami".  If you spend
the time precomputing big dictionaries, please drop me a copy.


REFERENCE

See Robert Moskowitz's paper "Weakness in Passphrase Choice in WPA Interface"
for more information on WPA-PSK attacks at 
http://wifinetnews.com/archives/002452.html.


THANKS

My sincere thanks to dragorn for merging in the assembly SHA1 code, and to
Randy Chou for advice on optimizing the pbkdf2 function.  Also thanks to
renderman for the inspiration to add the precomputation code.  Thanks to h1kari
and beetle for their respective foo.


QUESTIONS, COMMENTS, CONCERNS

Please contact [email protected] with any questions, comments or concerns.
My PGP key is located at http://802.11ninja.net/pgpkey.html.

More Repositories

1

asleap

Asleap - Cisco LEAP and Generic MS-CHAPv2 Dictionary Attack
C
81
star
2

kraken

Kraken A5/1 Cracking Project Fork
C++
62
star
3

killerzee

KillerZee: Tools for Attacking and Evaluating Z-Wave Networks
Python
54
star
4

MobileAppReportCard

Microsoft Excel spreadsheets for consistent security evaluation of Android and iOS mobile applications
50
star
5

pptxindex

Create a MS Word index file from PowerPoint notes and slides
Python
41
star
6

bitfit

Recursively validate a starting directory of file contents to identify changes, corrupt data
Python
37
star
7

plistsubtractor

Read a plist file, write out any embedded plist files
Python
34
star
8

basicblobfinder

Identify Azure blobs using a wordlist of account name and container name strings
Python
31
star
9

pptxurlcheck

Parse a PowerPoint PPTX file, extracting all URL's from notes and slides, and test for validity
Python
26
star
10

btfind

Bluetooth Find provides a mechanism with which you can locate and track discoverable Bluetooth devices
Python
25
star
11

s3logparse

Simple parser to get useful information from AWS S3 logs
Python
24
star
12

pcaphistogram

Generate a histogram of TCP and UDP payload bytes from a pcap file
Python
23
star
13

eapmd5pass

Brute force password selection for EAP-MD5 authentication exchanges
C
21
star
14

PatternLockScripts

Recover the Android swipe lock pattern from a gesture.key file.
Python
20
star
15

dynapstalker

Colorize Reached Blocks in IDA Pro using DynamoRIO drcov Output
Python
19
star
16

nm2lp

Convert Windows Netmon Monitor Mode Wireless Packet Captures to Libpcap Format
C
15
star
17

mfsmarthack

Tools for attacking various MIFARE RFID cards
C
14
star
18

tibtle2pcap

Convert TI SmartRF Bluetooth Low Energy Packet Captures to Libpcap Format
Python
14
star
19

nmapsilent

Convert Nmap output for integration with other Project Discovery tools
Python
14
star
20

ValidateSigningCertificate

Sample Android code to validate the signing certificate to defeat repackaging
Java
9
star
21

pptxurls

Generate a Markdown file of all links in one or more PowerPoint documents
Python
6
star
22

md5deep

A Python implementation of some md5deep features
Python
6
star
23

joswr1ght.github.io

GitHub Pages
PowerShell
6
star
24

wwtracked

Export tracked foods from Weight Watchers API to Markdown
Python
6
star
25

bss

Bluetooth Stack Smasher
C
4
star
26

homekitdecode

Read a Wireshark TCP Stream YAML File and Decode HomeKit Data
Python
4
star
27

markdown-labtemplate

Template for writing labs in Markdown with emphasis on print and electronic access, style
CSS
4
star
28

pptxtoc

Generate a ToC PowerPoint slide from an input PowerPoint file using a markup tag
Python
3
star
29

TerminalVimOpen

Applescript to open a file in iTerm2+vim for macOS
AppleScript
2
star
30

genip

Generate Lists of IP Addresses
C
2
star
31

rev-transcript2srt

Use a completed data structure for a Rev.com transcript to generate SRT captions.
Python
1
star
32

katacoda-scenarios

Katacoda Scenarios
1
star
33

riocli

Ranges.io CLI automates cumbersome actions using the API
Python
1
star
34

eql-notebook

Jupyter Notebook for EQL
Jupyter Notebook
1
star
35

subtitle-fixup

Use Assembly AI to generate captions for an audio/video file with post-transcription fixup rules.
Python
1
star
36

testypie

A simple utility to demonstrate ASLR and PIE on Android using NDK
C
1
star
37

ndefurlreader

Read NDEF record with ACR122U on Windows, download and run executable
Python
1
star