{"id":284,"date":"2009-06-04T11:02:59","date_gmt":"2009-06-04T15:02:59","guid":{"rendered":"http:\/\/www.willhackforsushi.com\/?p=284"},"modified":"2009-08-06T10:04:35","modified_gmt":"2009-08-06T14:04:35","slug":"cowpatty-45","status":"publish","type":"post","link":"https:\/\/www.willhackforsushi.com\/?p=284","title":{"rendered":"Cowpatty 4.5"},"content":{"rendered":"<p>After too much time I have posted coWPAtty 4.5 with several fixes and a couple of new features:<\/p>\n<ul>\n<li>Fewer restrictions on collecting the data needed to mount an attack.\u00a0 The default behavior requires all 4 frames of the 4-way handshake to mount an attack.\u00a0 If you specify &#8220;-2&#8221; on the command-line, coWPAtty will only require frames 1 and 2 of the 4-way handshake to mount an attack.\u00a0 More on this below.<\/li>\n<li>Validate that the needed information is present to mount an attack, without launching the attack (the &#8220;-c&#8221; option).\u00a0 This was requested by Pure Hate for an awesome project he gave me a preview on.\u00a0 I&#8217;m hoping details of this project will be public soon.<\/li>\n<\/ul>\n<p>The &#8220;-2&#8221; option also includes fewer restrictions for validating the content of the packet capture.\u00a0 This was implemented by a patch submitted by Nathan Grennan, accommodating some AP&#8217;s that do not strictly adhere to the IEEE 802.11i\/IEEE 802.11-2007 specification.<\/p>\n<p>Removing the restriction of needing all 4 frames of the 4-way handshake to mount an attack has some interesting implications.\u00a0 First, packet captures taken while channel hopping often miss parts of the 4-way handshake, since they can hop in the middle of the 4-way handshake exchange.\u00a0 Relying on only frames 1 and 2 gives you a better chance of catching the needed data even if you are channel hopping.<\/p>\n<div id=\"attachment_285\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a 
href=\"http:\/\/www.willhackforsushi.com\/wp-content\/uploads\/2009\/06\/cowpatty-dash-2.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-285\" class=\"size-medium wp-image-285\" title=\"cowpatty example\" src=\"http:\/\/www.willhackforsushi.com\/wp-content\/uploads\/2009\/06\/cowpatty-dash-2-300x194.jpg\" alt=\"coWPAtty &quot;-2&quot; utilization example\" width=\"300\" height=\"194\" srcset=\"https:\/\/www.willhackforsushi.com\/wp-content\/uploads\/2009\/06\/cowpatty-dash-2-300x194.jpg 300w, https:\/\/www.willhackforsushi.com\/wp-content\/uploads\/2009\/06\/cowpatty-dash-2-150x97.jpg 150w, https:\/\/www.willhackforsushi.com\/wp-content\/uploads\/2009\/06\/cowpatty-dash-2.jpg 666w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-285\" class=\"wp-caption-text\">coWPAtty &quot;-2&quot; utilization example<\/p><\/div>\n<p>Second, it provides the ability for an attacker to mount an attack against a client even if they aren&#8217;t within range of their target network (for example, a WPA2-PSK user is at the airport).\u00a0\u00a0\u00a0 Consider the following illustration:<\/p>\n<div style=\"width: 490px\" class=\"wp-caption aligncenter\"><a href=\"http:\/\/www.willhackforsushi.com\/images\/client-attack.jpg\"><img loading=\"lazy\" decoding=\"async\" alt=\"Cowpatty Attack Scenarios\" src=\"http:\/\/www.willhackforsushi.com\/images\/client-attack-480x242.jpg\" title=\"cowpatty attack scenarios\" width=\"480\" height=\"242\" \/><\/a><p class=\"wp-caption-text\">Cowpatty Attack Scenarios<\/p><\/div>\n<p>On the left is an example of what I consider a traditional WPA2-PSK attack.\u00a0 The attacker gets within physical proximity of the target network and waits for (or coerces) the 4-way handshake between an AP and a valid client system.<\/p>\n<p>On the right, however, is a less-understood attack scenario.\u00a0 In the 4-way handshake, the client system authenticates first, sending a HMAC-MIC of frame 2 to 
the AP.\u00a0 If an attacker impersonates the legitimate SSID of the network, they are able to send Frame 1 of the 4-way handshake (no authentication) and observe the HMAC-MIC of frame 2.\u00a0 At frame 2, the attacker has everything they need to recover the PSK (now with cowpatty&#8217;s &#8220;-2&#8221; option).\u00a0 Frame 3 fails validation by the client, but by that point, it&#8217;s too late.<\/p>\n<p>In practice, I&#8217;m testing this using HostAP running on my attack workstation, but that&#8217;s not even necessary.\u00a0 Simply take any SOHO AP, configure the SSID to reflect that of your victim with any pre-shared key and observe the exchange between the victim and the imposter AP, supplying the packet capture to coWPAtty with the &#8220;-2&#8221; option.<\/p>\n<p>My transition to work for <a href=\"http:\/\/www.inguardians.com\" target=\"_blank\">InGuardians<\/a> has given me a chance to spend more time on penetration tests.  As a result, I&#8217;ve started to change my mind about the value of &#8220;weaponized&#8221; attack tools.  If the tool isn&#8217;t reliable, doesn&#8217;t work under many circumstances and isn&#8217;t flexible enough to withstand an error or two, it takes much longer to be useful, and that costs your customer more.  I&#8217;m using this as a motivator to make tools more effective, capable of demonstrating a point, and thereby allowing you to provide greater value to your customer.<\/p>\n<p>I&#8217;d love to hear comments and questions. 
Please add a comment below, or <a href=\"http:\/\/www.willhackforsushi.com\/?page_id=87\">send me a note<\/a>.<\/p>\n<p>-Josh<\/p>\n","protected":false},"excerpt":{"rendered":"<p>After too much time I have posted coWPAtty 4.5 with several fixes and a couple of new features: Fewer restrictions on collecting the data needed to mount an attack.\u00a0 The default behavior requires all 4 frames of the 4-way handshake &hellip; <a href=\"https:\/\/www.willhackforsushi.com\/?p=284\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,13,7,10],"tags":[],"class_list":["post-284","post","type-post","status-publish","format-standard","hentry","category-4","category-penetration-testing","category-security","category-tool"],"_links":{"self":[{"href":"https:\/\/www.willhackforsushi.com\/index.php?rest_route=\/wp\/v2\/posts\/284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.willhackforsushi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.willhackforsushi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.willhackforsushi.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.willhackforsushi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=284"}],"version-history":[{"count":11,"href":"https:\/\/www.willhackforsushi.com\/index.php?rest_route=\/wp\/v2\/posts\/284\/revisions"}],"predecessor-version":[{"id":379,"href":"https:\/\/www.willhackforsushi.com\/index.php?rest_route=\/wp\/v2\/posts\/284\/revisions\/379"}],"wp:attachment":[{"href":"https:\/\/www.willhackforsushi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.willhackforsushi.com\/index.php?re
st_route=%2Fwp%2Fv2%2Fcategories&post=284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.willhackforsushi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}