wirelessdefence@gmail.com

A UK based Wireless Security Group

coWPAtty

coWPAtty a WPA / WPA2 PSK password cracker

As detailed on the project homepage:

coWPAtty is an implementation of an offline dictionary attack against WPA/WPA2 networks using PSK-based authentication (e.g. WPA-Personal).

Project Home Page: https://www.willhackforsushi.com/?page_id=50

cowpatty Installation

The latest version of cowpatty is available via github: https://github.com/joswr1ght/cowpatty 

However, probably as a result of its age (last updated July 2018) cowpatty proved troublesome to install manually. A simple workaround was to spin-up a Kali instance and utilise their packaged version:

sudo apt install cowpatty

cowpatty in action

To perform a cowpatty dictionary attack we need to supply:

1. A capture file that includes the initial four-way handshake between a client and an Access Point (AP)

2. A dictionary file of potential passphrases

3. The SSID for the target network

Our initial scan revealed our target wireless network:

SSID: wirelessdefence-demo

BSSID: 00:18:39:F7:33:73

channel: 6

Next we create the capture file (wpa2-demo) / start collecting wireless packets using airodump-ng:

sudo airodump-ng wlan1mon --bssid 00:18:39:F7:33:73 --channel 6 -w wpa2-demo

In order to collect the four-way handshake we can either wait until a client joins the network, or preferably force an existing client/station to re-join the network by sending a deauth packet using a tool like aireplay-ng:

sudo aireplay-ng --deauth 1 -a 00:18:39:F7:33:73 -c D8:68:C3:8A:E0:E1 wlan2

Note: We are using a second wireless network card to achieve this (wlan2)

Once the appropriate handshake has been captured using something like airodump-ng the capture file is ready to be passed to cowpatty:

The presence of the “EAPOL” within the “Notes” field details that we have indeed captured EAPOL packets:

Before passing the capture file to cowpatty we quickly confirm with have the complete 4-way handshake by opening the capture in Wireshark (with an “eapol” filter applied):

It is also possible to confirm we have the handshake within cowpatty itself, using the -c switch:

Finally we initiate the passphrase guessing attack within cowpatty:

cowpatty -r wpa2-demo-01.cap -f /pentest/wordlists/pw_topten.txt -s wirelessdefence-demo

We have now successfully cracked the wirelessdefence-demo wireless network’s PSK = “testing123”.