coWPAtty - Attacking WPA/WPA2-PSK Exchanges
news
March 20 2008
Posted a new version of coWPAtty (4.3) with the following changes:
• Added support for IEEE 802.11e QoS frames;
• Added support for Mac OSX and FreeBSD platforms;
• Added "make install" support;
• Removed OpenSSL-independent MD5 support for WPA networks; OpenSSL is now mandatory for coWPAtty.
Code available in the download section below. Thanks to Dennis Herrmann for the FreeBSD support patch, Thomas d'Otreppe for the "make install" patch, and to Andrew von Nagy for sample QoS packet captures.
October 3 2007
Robin Wood posted a patch for coWPAtty to let it handle radiotap-formatted capture files. Unfortunately, this did not work very well, as the radiotap header can vary in length across different drivers, and can even change during a single packet capture session.
I’ve updated coWPAtty to a new version to support all versions of radiotap capture files. See the download section below.
September 21 2007
I haven’t been actively working on coWPAtty, though it remains a useful tool for understanding how WPA-PSK authenticates stations and APs, and for auditing the selection of the PSK.
Quick feature summary:
• Implementation of an offline dictionary attack against WPA-PSK and WPA2-PSK networks
• Can use permuted dictionaries by passing input through STDIN (example in screenshot below using John the Ripper)
• Supports accelerated password attacks with precomputed PMK files generated with the “genpmk” tool (included)
Please see the README file for more information.
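To make concrete what genpmk precomputes, and why a precomputed PMK table is only useful against the exact SSID it was built for, here is an added Python example (not coWPAtty's or genpmk's own code). It derives the PMK the way IEEE 802.11i specifies, PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, and checks the result against the standard's published test vector; the function names, the wordlist and the SSIDs are constructed for the example.

```python
import hashlib
import string

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i; this is what makes each guess cost ~8192 HMAC-SHA1 calls
PMK_LEN = 32               # the PMK is 256 bits


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK-to-PMK mapping from IEEE 802.11i: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 256 bits).

    A 64-hex-digit key is the raw 256-bit PSK and is used directly as the PMK,
    so it never passes through the dictionary-attackable PBKDF2 path at all.
    """
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def build_pmk_table(ssid: str, wordlist) -> dict:
    """Precompute the PMK of every candidate passphrase for ONE ssid (what a
    genpmk-style table holds). Because the SSID is the PBKDF2 salt, the table
    is meaningful only for that exact, case-sensitive SSID."""
    return {"ssid": ssid, "pmks": {w: derive_pmk(w, ssid) for w in wordlist}}


def lookup_pmk(table: dict, network_ssid: str, candidate: str):
    """Return the precomputed PMK for candidate, or None when the table was
    built for a different SSID or does not contain the candidate."""
    if table["ssid"] != network_ssid:
        return None
    return table["pmks"].get(candidate)


if __name__ == "__main__":
    # Constructed sample: a common default SSID versus a site-specific one.
    table = build_pmk_table("linksys", ["password", "letmein1", "qwerty123"])
    print("table for 'linksys' covers 'linksys':",
          lookup_pmk(table, "linksys", "password") is not None)
    print("same table reused against 'Acme-Guest-7f3a':",
          lookup_pmk(table, "Acme-Guest-7f3a", "password") is not None)
```

The second lookup returning None is the whole point of the per-SSID tables mentioned under LINKS: a network with a default SSID such as "linksys" is covered by an existing table, while a unique SSID forces every PMK to be recomputed from scratch, and a random 64-hex-digit PSK is not a dictionary target at all.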
download
coWPAtty 4.3
Linux source (103K, MD5: deccac0763a05ef7014107d347bf9190)
coWPAtty 4.2
Linux source (106K, MD5: 35cfd867940efccae3dcec081b19221a)
coWPAtty 4.1
Linux source (102K, MD5: 1f1b49ae1f606c52dc709b1ee8c07bc2)
LINKS
Other people have taken the work that I’ve done with coWPAtty, and produced some amazing results:
David Hulton has done some amazing work implementing practical cryptography attacks using FPGA to accelerate common algorithms (such as SHA1). With an FPGA from Pico Computing, it becomes possible to use the cores he has posted at OpenCiphers to significantly accelerate WPA-PSK/WPA2-PSK cracking. Way to go h1kari!
RenderMan has put a lot of effort into making precomputed PMK tables available for common SSIDs. He suggested the precomputed attack to me, I implemented it, and then he took off and turned it into a practical mechanism to exploit these networks. He has way more motivation than I do.
The Shmoo group hosts the BitTorrent seed for downloading the 33 GB of precomputed PMK tables.
The good guys at the Aircrack-ng project have had support for WPA-PSK cracking for a while, and I understand they’ll be adding their own PMK precomputation support soon. Their implementation of SHA1 is faster than mine too!