coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol. A while back, Robert Moskowitz published a paper titled "Weakness in Passphrase Choice in WPA Interface" that described a dictionary attack against wireless networks using the TKIP protocol with a pre-shared key (PSK). Supply a libpcap file that includes the TKIP four-way handshake, a dictionary file of passphrases to try, and the SSID for the network:
$ ./cowpatty -r eap-test.dump -f dict -s somethingclever
coWPAtty 2.0 - WPA-PSK dictionary attack. <firstname.lastname@example.org>
Collected all necessary data to mount crack against passphrase.
Loading words into memory, please be patient ... Done (10201 words).
Starting dictionary attack. Please be patient.
   
The PSK is "family movie night".
Even though the WPA-PSK authentication mechanism was intended to be used solely for consumer networks, there's a surprising number of SMB and Enterprise networks that have adopted it, presumably for its ease of use.
Fortunately, offline dictionary attacks are not terribly effective against WPA-PSK networks, due to the IEEE's selection of the PBKDF2 algorithm for PSK hashing. For a dictionary attack to be effective, it must take each dictionary word and perform 4096 iterations of HMAC-SHA1 with two nonce values and the supplicant and authenticator MAC addresses. Joshua Wright optimized the ipad and opad calculations in an attempt to speed up this process, but he was only able to accommodate approximately 70 words/second on a Pentium 4 3.8 GHz system (5570 bogomips).

coWPAtty was written for Linux systems; please inform the author if you get it running on other platforms as well. More information is available in the README and FAQ files included in the tarball.
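As an added example (not code from coWPAtty or this page), here is the PBKDF2 step that gives every dictionary guess its cost, written in Python and checked against the PSK test vector published in IEEE 802.11i (passphrase "password", SSID "IEEE"); the function also measures how many derivations the host can do per second, which is the ceiling on words tried per second. Note that PBKDF2 takes only the passphrase and the SSID (as salt); the nonces and MAC addresses enter the later pairwise key derivation, not this step.

```python
import hashlib
import time

# Published IEEE 802.11i PSK test vector: passphrase "password" with SSID
# "IEEE" must derive to this 256-bit pairwise master key (PMK).
IEEE_TEST_VECTOR = (
    "password", "IEEE",
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e",
)


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).

    The 4096 HMAC-SHA1 iterations are the per-word cost a dictionary attack
    has to pay; the SSID is the salt, so the same passphrase yields a
    different PMK on every differently named network.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def check_test_vector() -> bool:
    """True when our derivation reproduces the IEEE reference PMK."""
    passphrase, ssid, expected_hex = IEEE_TEST_VECTOR
    return wpa_psk_pmk(passphrase, ssid).hex() == expected_hex


def ssid_changes_pmk(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Demonstrates the salt: identical passphrase, two SSIDs, two PMKs."""
    return wpa_psk_pmk(passphrase, ssid_a) != wpa_psk_pmk(passphrase, ssid_b)


def derivations_per_second(ssid: str, samples: int = 20) -> float:
    """Measure PMK derivations per second on this host, i.e. the upper bound
    on dictionary words that could be tried per second here."""
    # Constructed throwaway passphrases; only the timing matters.
    words = [f"sample-passphrase-{i:04d}" for i in range(samples)]
    start = time.perf_counter()
    for word in words:
        wpa_psk_pmk(word, ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    print("IEEE test vector reproduced:", check_test_vector())
    print(f"~{derivations_per_second('somethingclever'):.0f} derivations/second")
```

Compare the printed rate with the roughly 70 words/second quoted above to see how much of the attacker's budget PBKDF2 still consumes on current hardware.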