coWPAtty Dictionary Attack:
To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with and the SSID for the network.
In order to collect the four-way handshake you can either wait until a client joins the network or preferably you can force it to rejoin the network using tools like void11 or aireplay and capture the handshakes using something like kismet, ethereal or airodump.
cowpatty -f dict -r wpapsk-linksys.dump -s linksys
As you can see this simple dictionary attack took 51 seconds, we can speed up this process by precomputing the WPA-PMK to crack the WPA-PSK (see below).
wpapsk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID
Precomputing WPA PMK to crack WPA PSK:
genpmk is used to precompute the hash files in a similar way to Rainbow tables is used to pre-hash passwords in Windows LANMan attacks. There is a slight difference however in WPA in that the SSID of the network is used as well as the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID i.e. a set for "linksys" a set for "tsunami" etc.
So to generate some hash files for a network using the SSID cuckoo we use:
genpmk -f dict -d linksys.hashfile -s linksys
dict is the password file
linksys.hashfile is our output file
linksys is the network ESSID
coWPAtty Precomputed WPA Attack:
Now we have created our hash file we can use it against any WPA-PSK network that is utilising a network SSID of cuckoo. Remember the capture (wpa-test-01.cap) must contain the four-way handshake to be successful.
cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys
wpa-test-01.cap is the capture containing the four-way handshake
linksys.hashfile are our precomputed hashes
linksys is the network ESSID
Notice that cracking the WPA-PSK took 0.04 seconds with the pre-computed attacked as opposed to 200 seconds with standard dictionary attack mode, albeit you do need to pre-compute the hash files prior to the attack. However, precomputing large hash files for common SSIDS (e.g. linksys, tsunami) would be a sensible move for most penetration testers.
coWPAtty Precomputed WPA2 Attack:
coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: The same hash file as was used with the WPA capture was also used with the WPA2 capture.
cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys
wpa2psk-linksys.dump is the capture containing the four-way handshake
dict is the password file
linksys is the network SSID
