Sunday, February 28, 2010

Compiled cowpatty 4.6 in cygwin.



1. Install WinPcap and the WinPcap Developer's Pack.

2. Install cygwin.

3. Unfortunately the default installation of cygwin does not come with all the needed dependencies. You need to add make, gcc-g77, gcc-c++ and openssl-dev.

a) Make sure that Curr is selected and click on View to make it Partial (the word should be printed to the left of the View button). In this mode you will see which packages will be installed by default. You will see that they are installed as Bin and that Src is not selected. This is what we need. It is a good idea to leave the default packages as they are. Our next goal is to add a few more packages to this list.

b) Click on View to make it Category (again the word should be printed to the left of the View button).

c) Click on + before Devel to expand it.

d) Find gcc-c++ and click on Skip. Instead of Skip a version should appear (at the time of writing 3.4.4-1) with a cross in Bin. Note that other dependent packages are selected automatically.

e) Find gcc-g77 and click on Skip. Instead of Skip a version should appear (at the time of writing 3.4.4-1) with a cross in Bin.

f) Find make and click on Skip. Instead of Skip a version should appear (at the time of writing 3.80-1) with a cross in Bin.

g) Click on - before Devel to close the tree of the development packages.
That's it.



4. Edit the Makefile in the cowpatty folder (add the path for the pcap headers and link against the WinPcap library).
Old Makefile:
##################################
LDLIBS = -lpcap
CFLAGS = -pipe -Wall -DOPENSSL
CFLAGS += -O2
LDLIBS += -lcrypto


New Makefile:
##################################
LDLIBS = -lwpcap
CFLAGS = -pipe -Wall -DOPENSSL
CFLAGS += -I /usr/include/pcap/ -I /usr/include/
CFLAGS += -O2
LDLIBS += -lcrypto

5. Copy the header files from .\include\* to c:\cygwin\usr\include\pcap and the library files from .\lib\* to c:\cygwin\lib\ (both from the WinPcap developer's pack).


6. Check that the WinPcap DLLs are correctly installed and on the path with the command "which Packet.dll wpcap.dll".

$ which Packet.dll wpcap.dll
/cygdrive/c/WINDOWS/system32/Packet.dll
/cygdrive/c/WINDOWS/system32/wpcap.dll

7. Now it's time to compile: run "make".

$ make
cc -pipe -Wall -DOPENSSL -I /usr/include/pcap/ -I /usr/include/ -O2 -g3 -ggdb -c -o md5.o md5.c
cc -pipe -Wall -DOPENSSL -I /usr/include/pcap/ -I /usr/include/ -O2 -g3 -ggdb -c -o sha1.o sha1.c
cc -pipe -Wall -DOPENSSL -I /usr/include/pcap/ -I /usr/include/ -O2 -g3 -ggdb -c -o utils.o utils.c
cc -pipe -Wall -DOPENSSL -I /usr/include/pcap/ -I /usr/include/ -O2 -g3 -ggdb -c -o cowpatty.o cowpatty.c
cc -pipe -Wall -DOPENSSL -I /usr/include/pcap/ -I /usr/include/ -O2 -g3 -ggdb -c -o genpmk.o genpmk.c

8. Copy cowpatty.exe, genpmk.exe, cygwin1.dll and cygcrypto-0.9.8.dll. I didn't have cygcrypto-0.9.8.dll so I copied it from an older cygwin copy of cowpatty-4.0.






coWPAtty Dictionary Attack:

To perform the coWPAtty dictionary attack we need to supply the tool with a capture file that includes the TKIP four-way handshake, a dictionary file of passphrases to guess with, and the SSID of the network.

In order to collect the four-way handshake you can either wait until a client joins the network or, preferably, force it to rejoin the network using tools like void11 or aireplay, and capture the handshake using something like kismet, ethereal or airodump.


cowpatty -f dict -r wpapsk-linksys.dump -s linksys



As you can see, this simple dictionary attack took 51 seconds; we can speed up this process by precomputing the WPA PMK to crack the WPA-PSK (see below).

wpapsk-linksys.dump is the capture containing the four-way handshake

dict is the password file

linksys is the network SSID


Precomputing WPA PMK to crack WPA PSK:

genpmk is used to precompute the hash files, in a similar way to how Rainbow tables are used to pre-hash passwords in Windows LANMan attacks. There is a slight difference with WPA, however, in that the SSID of the network is used together with the WPA-PSK to "salt" the hash. This means that we need a different set of hashes for each and every unique SSID, i.e. a set for "linksys", a set for "tsunami", etc.

So to generate some hash files for a network using the SSID cuckoo we use:


genpmk -f dict -d linksys.hashfile -s linksys



dict is the password file

linksys.hashfile is our output file

linksys is the network ESSID
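To make the "salting" point concrete, here is the derivation genpmk precomputes, as an added example that is not code from the original post or from coWPAtty: WPA/WPA2-PSK derives the PMK as PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 rounds, 32 bytes out. The "password"/"IEEE" vector is the published IEEE 802.11i test vector; the wordlist and the "linksys"/"cuckoo" comparison are constructed to show why a table built for one SSID is useless against another, and why a non-default SSID plus a long random passphrase is the practical mitigation.

```python
import hashlib
import hmac

# PMK derivation for WPA/WPA2-PSK (IEEE 802.11i): PBKDF2-HMAC-SHA1 with the
# passphrase as the password and the SSID as the salt. The 4096 rounds are the
# per-guess cost that precomputed (genpmk-style) tables pay up front.
PBKDF2_ROUNDS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit PMK for a passphrase/SSID pair."""
    # The standard only allows 8 to 63 printable ASCII characters as a passphrase.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ROUNDS, PMK_LEN,
    )


def build_pmk_table(wordlist, ssid: str) -> dict:
    """What a precomputed table holds: one PMK per candidate, bound to one SSID."""
    return {word: derive_pmk(word, ssid) for word in wordlist}


def table_contains_pmk(table: dict, pmk: bytes) -> bool:
    """Constant-time check whether a PMK appears in a precomputed table."""
    return any(hmac.compare_digest(pmk, cand) for cand in table.values())


def demo_ssid_binding() -> bool:
    """Constructed demo: a table built for SSID 'linksys' never matches the
    PMK of the same passphrase on SSID 'cuckoo', so tables are per-SSID."""
    wordlist = ["password", "letmein1", "qwerty123"]  # constructed sample
    table = build_pmk_table(wordlist, "linksys")
    same_ssid = table_contains_pmk(table, derive_pmk("password", "linksys"))
    other_ssid = table_contains_pmk(table, derive_pmk("password", "cuckoo"))
    return same_ssid and not other_ssid


if __name__ == "__main__":
    print("IEEE 802.11i vector:", derive_pmk("password", "IEEE").hex())
    print("table bound to SSID:", demo_ssid_binding())
```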


coWPAtty Precomputed WPA Attack:

Now that we have created our hash file we can use it against any WPA-PSK network that is using the network SSID cuckoo. Remember that the capture (wpa-test-01.cap) must contain the four-way handshake for the attack to succeed.


cowpatty -d linksys.hashfile -r wpapsk-linksys.dump -s linksys



wpa-test-01.cap is the capture containing the four-way handshake

linksys.hashfile are our precomputed hashes

linksys is the network ESSID


Notice that cracking the WPA-PSK took 0.04 seconds with the precomputed attack, as opposed to 200 seconds in standard dictionary attack mode, albeit you do need to precompute the hash files prior to the attack. However, precomputing large hash files for common SSIDs (e.g. linksys, tsunami) would be a sensible move for most penetration testers.


coWPAtty Precomputed WPA2 Attack:

coWPAtty 4.0 is also capable of attacking WPA2 captures. Note: the same hash file that was used with the WPA capture was also used with the WPA2 capture.


cowpatty -d linksys.hashfile -r wpa2psk-linksys.dump -s linksys



wpa2psk-linksys.dump is the capture containing the four-way handshake

dict is the password file

linksys is the network SSID
