Credit:
The information has been provided by Joshua Wright.
The tool can be obtained from: http://www.remote-exploit.org/
coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol. A while back, Robert Moskowitz published a paper titled "Weakness in Passphrase Choice in WPA Interface" that described a dictionary attack against wireless networks using the TKIP protocol with a pre-shared key (PSK). Supply a libpcap file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with and the SSID for the network:
$ ./cowpatty -r eap-test.dump -f dict -s somethingclever
coWPAtty 2.0 - WPA-PSK dictionary attack. <jwright@hasborg.com>
Collected all necessary data to mount crack against passphrase.
Loading words into memory, please be patient ... Done (10201 words).
Starting dictionary attack. Please be patient.
[1000] [2000] [3000] [4000]
The PSK is "family movie night".
Even though the WPA-PSK authentication mechanism was intended to be used solely for consumer networks, there's a surprising number of SMB and Enterprise networks that have adopted it, presumably for its ease of use.
Fortunately, offline dictionary attacks are not terribly effective against WPA-PSK networks, because the IEEE chose the PBKDF2 algorithm for PSK hashing. For each dictionary word, an attack must perform 4096 iterations of HMAC-SHA1 and then combine the result with the two nonce values and the supplicant and authenticator MAC addresses. Joshua Wright optimized the HMAC ipad and opad calculations to speed this process up, but was only able to reach approximately 70 words/second on a Pentium 4 3.8 GHz system (5570 bogomips).

coWPAtty was written for Linux systems; please inform the author if you get it running on other platforms as well. More information is available in the README and FAQ files included in the tarball.
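The derivation the paragraph above describes, as an added Python example (not coWPAtty's own code): PBKDF2-HMAC-SHA1 turns the passphrase and SSID into the PMK, PRF-512 mixes in both MAC addresses and both nonces to give the PTK, and the first 16 bytes of the PTK (the KCK) check the TKIP MIC on a handshake frame, which is why every guess costs the full 4096-round derivation. The MAC addresses, nonces, frame layout and passphrases are constructed for illustration; only the "password"/"IEEE" PMK check is the published IEEE 802.11i test vector.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID as salt, 4096 iterations, 32 bytes).
    32 bytes is two SHA-1 outputs, so each guess really costs 2 x 4096 HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, truncated."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def derive_ptk(pmk: bytes, a_mac: bytes, s_mac: bytes, a_nonce: bytes, s_nonce: bytes) -> bytes:
    """PTK from the PMK, both MAC addresses and both nonces (min/max ordering per 802.11i)."""
    data = (min(a_mac, s_mac) + max(a_mac, s_mac)
            + min(a_nonce, s_nonce) + max(a_nonce, s_nonce))
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """TKIP (key descriptor version 1) MIC: HMAC-MD5 under the KCK (PTK bytes 0..15)
    over the EAPOL-Key frame with its 16-byte MIC field (offset 81) zeroed."""
    zeroed = frame[:81] + bytes(16) + frame[97:]
    return hmac.new(kck, zeroed, hashlib.md5).digest()

def candidate_matches(passphrase, ssid, a_mac, s_mac, a_nonce, s_nonce, frame) -> bool:
    """The work behind one dictionary guess: full PMK and PTK derivation, then one MIC compare."""
    kck = derive_ptk(derive_pmk(passphrase, ssid), a_mac, s_mac, a_nonce, s_nonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, frame), frame[81:97])

# Constructed sample handshake values (assumptions for this example, not a real capture).
SSID = "somethingclever"
A_MAC, S_MAC = bytes.fromhex("00aabbccddee"), bytes.fromhex("0011223344ff")
A_NONCE, S_NONCE = bytes(range(32)), bytes(range(32, 64))
# Constructed message-2 EAPOL-Key frame: 81-byte header, 16-byte MIC field, 2-byte key-data length.
FRAME_NO_MIC = bytes([2, 3, 0, 95]) + bytes([0xFE]) * 77 + bytes(16) + bytes(2)

def supplicant_sign(passphrase: str) -> bytes:
    """What the legitimate supplicant does: fill the MIC field using its own PSK."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), A_MAC, S_MAC, A_NONCE, S_NONCE)[:16]
    return FRAME_NO_MIC[:81] + eapol_mic(kck, FRAME_NO_MIC) + FRAME_NO_MIC[97:]

SAMPLE_FRAME = supplicant_sign("family movie night")

if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    assert derive_pmk("password", "IEEE").hex().startswith("f42c6fc52df0ebef")
    print(candidate_matches("family movie night", SSID, A_MAC, S_MAC, A_NONCE, S_NONCE, SAMPLE_FRAME))
```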

Subject: Just wondering
Date: 12 Feb. 2006
From: cyaneyed

What if the PSK isn't a dictionary word, i.e. it's in another language, or if it's a name that isn't in the dictionary?

Subject: Then it won't work.
Date: 16 Mar. 2006
From: David

Dictionary attacks use words. The cracker will have to brute force it if it's not a regular word, or a word with some easy variation. If it were like "password" then it's cracked in no time. If it were like "p@ssw*$d" then it will take some time. And if it were like "f5xm4qJVgyhGn3y0ffCKfThM7dnICPMkLe2UDR99i9fuh1GqEoCyfnmvpRgPon9" then it will take a lot of time.

Subject: Wardriving with Cowpatty
Date: 7 Apr. 2006
From: Eirik

The last passphrase in David's comment above illustrates what administrators should employ to mitigate risks from a malicious user with Cowpatty or the like. I'm curious as to what trend we might find regarding passphrase usage and the ultimate effectiveness of using Cowpatty to crack a deployment. It would be interesting to see the results tallied up on the effectiveness of Cowpatty in some random wardriving through an SMB campus of offices.

Subject: NA
Date: 20 Apr. 2006
From: NA

Can it read pcap dumps?

Subject: wpa
Date: 8 Jun. 2006
From: sycoswarhotmail.com

How do you perform the crack? I have Auditor, which has cowpatty; how do I initiate the attack on the WPA?

Subject: need to know more how dictionary attack works
Date: 4 Aug. 2006
From: tinatona4meyahoo.com

I want all the tips about how a dictionary attack works. I have got a lot of cracking on my system and want to do some work against them.

Subject: wpa
Date: 13 Aug. 2007
From: vanvee

There's a step by step here http://www.ciscopress.com/articles/article.asp?p=370636&rl=1 but you'll need a lot of help and you will have to download other helpers.