As part of my series on
hacking Wi-Fi, I want to demonstrate another excellent piece of
hacking software for cracking WPA2-PSK passwords. In this tutorial, we'll use a piece of software
developed by wireless security researcher Joshua Wright called cowpatty (often stylized as coWPAtty). This app
simplifies and speeds up the dictionary/hybrid attack against WPA2 passwords,
so let's get to it!
Step 1:
Find Cowpatty
Cowpatty is one of the hundreds of pieces of
software that are included in the Backtrack & Kali suite
of software. For some reason, it was not placed in the /pentest/wireless directory, but instead was left
in the /usr/local/bin directory, so let's navigate there.
·
cd
/usr/local/bin
Because cowpatty is in the /usr/local/bin directory and this directory should
be in your PATH, we should be able to run it from any directory in BackTrack.
Step 2:
Find the Cowpatty Help Screen
To get a
brief rundown of the cowpatty options, simply type:
·
cowpatty
Kali Linux will provide you a brief help screen. Take a note that cowpatty requires all of
the following.
·
a
word list
·
a
file where the password hash has been captured
·
the
SSID of the target AP
Step 3:
Place the Wireless Adapter in Monitor Mode
Just as in cracking with
aircrack-ng, we need to put the wireless adapter into monitor mode.
·
airmon-ng
start wlan0
Step 4:
Start a Capture File
Next, we
need to start a capture file where the hashed password will be stored when we
capture the 4-way handshake.
·
airodump-ng
--bssid 00:25:9C:97:4F:48 -c 9 -w cowpatty mon0
This will start a dump on the selected AP (00:25:9C:97:4F:48), on the selected channel (-c 9) and save the the hash in a file named cowcrack.
Step 5:
Capture the Handshake
Now when
someone connects to the AP, we'll capture the hash and airdump-ng will show us
it has been captured in the upper right-hand corner.
Step 6:
Run the Cowpatty
Now that
we have the hash of the password, we can use it with cowpatty and our wordlist
to crack the hash.
·
cowpatty
-f /pentest/passwords/wordlists/darkc0de.lst -r /root/cowcrack-01.cap -s
Mandela2
As you
can see in the screenshot above, cowpatty is generating a hash of every word on
our wordlist with the SSID as a seed and comparing it to the captured hash.
When the hashes match, it dsplays the password of the AP.
Step 7:
Make Your Own Hash
Although
running cowpatty can be rather simple, it can also be very slow. The password
hash is hashed with SHA1 with a seed of the SSID. This means that the same
password on different SSIDs will generate different hashes. This prevents us
from simply using a rainbow table against all APs. Cowpatty must take the
password list you provide and compute the hash with the SSID for each word.
This is very CPU intensive and slow.
Cowpatty now supports using a pre-computed hash
file rather than a plain-text word file, making the cracking of the WPA2-PSK
password 1000x faster! Pre-computed hash files are available from the Church of
WiFi, and these pre-computed hash files are generated
using 172,000 dictionary file and the 1,000 most popular SSIDs. As useful as
this is, if your SSID is not in that 1,000, the hash list really doesn't help
us.
In that case, we need to generate our own hashes
for our target SSID. We can do this by using an application called genpmk. We can generate our hash file for the
"darkcode" wordlist for the SSID "Mandela2" by typing:
·
genpmk
-f /pentest/passwords/wordlists/darkc0de.lst -d hashes -s Mandela2
Step 8:
Using Our Hash
Once we
have generated our hashes for the particular SSIDs, we can then crack the
password with cowpatty by typing:
·
cowpatty
-d hashfile -r dumpfile -s ssid
No comments:
Post a comment